ami auto branch 1620236164 #6745

webvictim · 2021-05-05T17:37:30Z

Update CHANGELOG.md for 6.0.0-rc.1 (Update CHANGELOG.md for 6.0.0-rc.1 #5689)
Release 6.0.0-rc.1
Update docs file structure for v6 (Update docs file structure for v6 #5716)
Fix paths to included files (Fix paths to included files #5724)
Downgrades admin OSS role (Downgrades admin OSS role #5710)
utmp fix for symlinked path
[auto] Update webassets in branch/v6 (Backport(v6) [auto] Update webassets in branch/v6 #5739)
Update old proxy version detection algorithm ((v6) Update old proxy version #5709)
Sasha/newlines (Sasha/newlines #5738) (Sasha/newlines (#5738) #5740)
Adds public_addr when using ACME (Adds public_addr when using ACME #5734) (Adds public_addr when using ACME (#5734) #5743)
[tctl] Don't explicitly set value for config path and preserve backwards compatibility ([tctl] Don't explicitly set value for config path and preserve backwards compatibility #5731)
Correct label example and provide sample
fix last output timestamps on some systems
docs: clarify why etcd doesn't store audit events
Database access docs overhaul (Database access docs overhaul #5643)
release updates (release updates #5782)
Fix existence leak of label-restricted resources
Require initialized TLS config in utils.TLSDial
Fix CLI content spoofing through access request reason
Fix AAP headers injection
Add obfuscation to diagnostic metrics
Check CA expiration status when joining a cluster
Introduce utils.ReadAtMost to prevent resource exhaustion
Assemble safe FQDN values for AAP redirects
Set stricter HTTP Content-Security-Policy directives
Set cookies with '__Host-' prefix
Prevent AAP login CSRF with OAuth-style state tokens
[auto] Update webassets in andrej/v6/security-fixes
Propagate the mapped local user identity via auth.Context ([branch/v6] Propagate the mapped local user identity via auth.Context #5789)
fix utmp/wtmp support breaks macOS ssh node's web terminal #5783 utmp regression on macos
Fixed build failure for non-Linux platforms. (Backport of #5800 #5801)
Release 6.0.0-rc.2 (Release 6.0.0-rc.2 #5802)
Updated faq.mdx.
Update Admin Guide user section to mention roles (Update Admin Guide user section to mention roles #5810)
Fixed tctl get. Had delete instead of get (Fixed tctl get. Had delete instead of get #5814)
Backport of Fix scp regressions for 6.x #5729 to v6.
mfa: delete user MFA devices on account reset (backport: mfa: delete user MFA devices on account reset #5823)
Fix db server test data race ((6.0) Fix db server test data race #5829)
Updated CHANGELOG.md.
Release 6.0.
Adds md5 auth caveat to Self-Hosted Postgres Guide (Adds md5 auth caveat to Self-Hosted Postgres Guide #5834)
Fix a broken link and add permission grants to MySQL guides ((6.0) Minor db access docs updates #5835)
Fixes ACME default configuration (Fixes ACME default configuration #5839)
Fix ADFS provider and add debug message.
Lint markdown files syntax for v6.0 with the new linterLint docs (Lint markdown files syntax for v6.0 with the new linterLint docs #5855)
Update getting started to 6.0.1 (Update getting started to 6.0.1 #5890)
Fix --insecure-no-tls flag ((v6) Fix --insecure-no-tls flag #5922)
Update Kubernetes Access docs (Update Kubernetes Access docs #5865)
Update release table to 6.0.0 ((6.0) Update release table to 6.0.0 #5838)
Move redirects to docs config (Move redirects to docs config for branch/v6 #5945)
Add missing redirects (Add missing redirects to v6 branchs docs #5948)
Fix path to video in 6.0 docs (Fix video path in v6 docs #5954)
add support for encrypted saml assertions with a seperate x509 pair
Creates preset roles (Creates preset roles #5943)
getting started configure doc fix (getting started configure doc fix #5963)
backport branch/v6: Add google_service_account inline field option for Google Workspace/GSuite OIDC (backport branch/v6: Add google_service_account inline field option for Google Workspace/GSuite OIDC #5967)
misspellings in docs (misspellings in docs #5980)
Fix title for app access (Fix title for app access in 6 docs #5974)
Add "billing_information" RBAC resource (Add "billing_information" RBAC resource #5676) (Add "billing_information" RBAC resource (#5676) #5998)
Moves loadCredsFromProfile to OSS (Moves loadCredsFromProfile to OSS #5891) (Moves loadCredsFromProfile to OSS (#5891) #5997)
Add Billing Access to default admin role (Add Billing Access to default admin role #5925) (Add Billing Access to default admin role (#5925) #6002)
[auto] Update webassets in branch/v6 ([auto] Update webassets in branch/v6 #6006)
cherry pick rfd 18
adjust to v6
New getting started video (6.0 Docs port ~ New getting started video #6064)
Adds controls for impersonation requests. (Adds impersonation as a first class citizen #6009)
Fix app access websockets support ((v6) Fix app access websockets support #6028)
Fix error in docs (Fix error in docs #6070)
Fix an issue with impersonating SSO users ((6.1) Fix an issue with impersonating SSO users #6077)
App access cli flow ((6.1) App access cli flow #6089)
Add Postgres Cloud SQL support ((6.1) Add Postgres Cloud SQL support #6090)
Correct Port and Protocol (Typo Correct MySQL Port and Protocol #6102)
Properly marks k8s stream complete on error exit (Properly marks k8s stream complete on error exit #6068) (Backport #6068 onto branch/v6 #6104)
Backport Getting started with Kubernetes (Backport Getting started with Kubernetes #6044)
(6.1) Update application access docs ((6.1) Update application access docs #6055)
Backport tsh play with file arg (Backport tsh play with file arg #6162)
[v6] Backport: dronegen: drone config generator ([v6] Backport: dronegen: drone config generator #6142)
fix race in filelog
Fixed data race in Audit Log.
GitLab Instructions for SSO (GitLab Instructions for SSO #6190)
Follow along guide for Applications and Kubernetes ([v6] Follow along guide for Application Access and Kubernetes #6184)
Backport - gRPC conversions (Backport - gRPC conversions #6175)
mfa: audit events for adding/removing devices (mfa: audit events for adding/removing devices #5665)
mfa: add WithMFA to session-related audit events (mfa: add WithMFA to session-related audit events #5833)
mfa: reuse the same challenge for all U2F devices (mfa: reuse the same challenge for all U2F devices #5837)
mfa: per-session MFA certs for SSH and Kubernetes (mfa: per-session MFA certs for SSH and Kubernetes #5564)
mfa: unhide 'tsh mfa' commands and add docs (mfa: unhide 'tsh mfa' commands and add docs #5932)
mfa: add cluster-level require_session_mfa option (mfa: add cluster-level require_session_mfa option #5939)
mfa: handle older servers during IsMFARequired RPC from tsh (mfa: handle older servers during IsMFARequired RPC from tsh #6039)
u2f: add optional attestation cert validation (u2f: add optional attestation cert validation #6057)
mfa: don't check MFA for teleport services in UpsertKubeService (mfa: don't check MFA for teleport services in UpsertKubeService #6129)
mfa: per-session U2F challenge for web SSH (mfa: per-session U2F challenge for web SSH #6098)
Update webasserts submodule
custom approval conditions
ignore dangling tunnel conns
add special resource type for access plugin data
[6.1] Add empty token check for 2fa optional type for web logins ([Backport 6.1] Add empty token check for mfa optional type for web logins (#5995) #6202)
[6.1] Define cloud billing event types and codes (Define cloud billing event types and codes #6037) ([Backport 6.1] Define cloud billing event types and codes (#6037) #6203)
[6.1] Make SSO login failure event emit more specific errors (Make error messages specific #6108) ([Backport 6.1] Make SSO login failure event emit more specific errors (#6108) #6204)
Set suggested reviewers field to the UI user context struct (Retrieve and set suggested reviewer field to user context struct #5467) ([Backport 6.1] Set suggested reviewers field to the UI user context struct (#5467) #6207)
Open Sources Access Controls Docs (Open Sources Access Controls Docs #6188)
fix nil slice bug
add PAM environment with interpolation support
Fix href links (Fix href links #6230)
Backport - API Client Credential/Connection changes (Backport - API Client Credential/Connection changes #6131)
[auto] Update webassets in branch/v6 ([auto] Update webassets in branch/v6 #6235)
Remove ARM64 FIPS builds (Remove ARM64 FIPS builds #6236) (Backport "Remove ARM64 FIPS builds (#6236)" #6237)
mfa: fix gRPC unimplemented check in cert reissue
Cache per-cluster SSH certificates under ~/.tsh
tsh Profile SSH certs fix (tsh Profile SSH certs fix #6214)
ssh: fix relogin with jumphosts (ssh: fix relogin with jumphosts #6213)
Implement alternative reverse tunnel address support and add a test case.
Update Architecture Overview With Link To User Roles ([6.0-backport] Update Architecture Overview With Link To User Roles #6223)
Enable DynamoDB autoscaling on global secondary indices (Enable DynamoDB autoscaling on global secondary indices #6112) ([Backport 6.1] Enable DynamoDB autoscaling on global secondary indices (#6112) #6205)
Add Features and PublicAddrs to PingResponse (Add Features and PublicAddrs to PingResponse #5742) ([6.1] Backport - Add Features and PublicAddrs to PingResponse #6215)
Refactor ssh.ClientConfig used by tctl and API clients to use the first valid principal as User.
Release 6.1.0-beta.1.
kube: add kubernetes_labels to role JSON schema (Backport v6: kube: add kubernetes_labels to role JSON schema #6206)
Parse all CAs in CertPoolFromCertAuthorities (Backport: parse all CAs in CertPoolFromCertAuthorities #6253)
Adds encrypted token docs (Adds encrypted token docs #6266)
[v6] Don't use OpaqueAccessDenied with CheckAccessToRule ([v6] Don't use OpaqueAccessDenied with CheckAccessToRule #6247)
Delete obsolete stored keys in LocalKeyAgent.AddKey (Delete obsolete stored keys in LocalKeyAgent.AddKey #6251) (Backport: Delete obsolete stored keys in LocalKeyAgent.AddKey (#6251) #6280)
Close leaky direct client. (Close leaky directClient #6297) ([6.1] Backport - Close leaky directClient (#6297) #6298)
Fix regression bug for DynamoDB scaling policy names (Fix regression bug for DynamoDB scaling policy names #6259)
Removed * from roles and updated copyright (Backport branch/v6: Removed * from roles output in tsh #6260)
tsh: handle missing cluster name in profile (tsh: handle missing cluster name in profile #6257) (Backport: tsh: handle missing cluster name in profile (#6257) #6295)
[auto] Update webassets in branch/v6 ([auto] Update webassets in branch/v6 #6323)
add fix
Augment checking stream/streamer and AuditWriter with cluster name detail to automatically populate the field upon event emission.
Avoid data race in audit writer test by syncing close with shutdown of event processing goroutine
Address review feedback
v6.1 syntax update (v6.1 syntax update #6315)
Propogate user not found error from authenticater. ([6.1] Backport - Propogate user not found error from authenticater (#6304) #6321)
web: fix AccessRequest loading on user cert reissue (client: refactor and fix cluster cert reissue when using jumphosts #6264)
Always set an AuditLog ([branch/v6] Backport #6326 "Always set an AuditLog" #6338)
Fix tctl profile loading logic by adding WithSSHCerts certOption. ([6.1] Backport - tctl profile loading fix (#6336) #6337)
Add DialOpts and CallOpts to API client. (Add DialOpts and CallOpts to API client. #6301) ([6.1] Backport - Add DialOpts and CallOpts to API client (#6301) #6312)
improve cert rotation periodics
Release 6.1.0-rc.1.
client: load all SSH certs when connecting to proxy
Documents impersonation (Documents impersonation #6293)
docs: document per-session MFA feature (docs: document per-session MFA feature #6285)
Update some variables and links (Update some variables and links #6366)
Update CHANGELOG.md (Update CHANGELOG.md #6385)
Release 6.1.0 (Release 6.1.0 #6386)
Documents dual authz with Mattermost (Documents dual authz with Mattermost #6399)
Sasha/backport content (Sasha/backport content #6402)
drone: allow ARM builds in reprepro config (drone: allow ARM builds in reprepro config #6392)
Release 6.1.1
[auto] Update webassets in branch/v6.1 ([auto] Update webassets in branch/v6.1 #6439)
correct Teleport version in access control examples (correct Teleport version in access control examples #6415)
Move introductions to the appropriate sections (Move introductions to the appropriate sections #6454)
add timestamp log option
[web] Check for cloud feature before setting billing access ([Backport v6.1] Check for cloud feature before setting billing access #6476)
[branch v6.1] cloud getting started updates ([branch v6.1] cloud getting started updates #6480)
Update docs on oidc prompt logic for 6.1+. ([6.1] Backport - Update docs on oidc prompt logic for 6.1+ (#6427) #6428)
Revert "[web] Check for cloud feature before setting billing access ([Backport v6.1] Check for cloud feature before setting billing access #6476)" (Revert "[web] Check for cloud feature before setting billing access" #6502)
Refactor process.newClient for better error handling and logging. ([6.1.2] Backport - Improve process connection error handling and logging (#6471) #6440)
Teleport Slackbot for latest slackbot (Teleport Slackbot for latest slackbot #6522) (Teleport Slackbot for latest slackbot (#6522) #6523)
correct install command (Missing $ in kube agent install example for variable #6464)
correct reference to slack dir in source instrs ([v6.1] correct reference to slack dir in plugin source instrs #6526)
Release 6.1.2
[v6.1] Editorial Pass/Review - Home ([v6.1] Editorial Pass/Review - Home #6544)
Adds releases preview (Adds releases preview #6533)
docs: fix typos in sample roles in MFA guide
[v6.1] edit pass - app + kub access ([v6.1] edit pass - app + kub access #6568)
[v6.1] Merge style guide into docs ([v6.1] Merge style guide into docs #6571)
[v6.1] Remaining edit pass ([v6.1] Remaining edit pass #6587)
[v6.1] access requests from workflows ([v6.1] access requests from workflows #6620)
[v.6.1] reword docs ([v.6.1] reword docs #6627)
[auto] Update webassets in branch/v6.1 ([auto] Update webassets in branch/v6.1 #6643)
Switch to tiles (Switch to tiles #6611) (Switch to tiles (#6611) #6659)
docs: bump 6.2 release date to May 21st (docs: bump 6.2 release date to May 21st #6652) (Backport v6.1: docs: bump 6.2 release date to May 21st #6663)
Correct Helm Chart (Correct Helm Chart #6616)
Proxy line support for mysql ((6.1) Proxy line support for mysql #6676)
Updated CHANGELOG.md.
Release 6.1.3.
set correct auditlog instead of discard
Remove proto-based ServerV2 implementation of DeepCopy in favor of the manual implementation to avoid issues with proto-based type merge panics.
Updated TLS handshake timeout.
Fix non-interactive ssh output in teleport log ([Backport 6.1] Fix non-interactive ssh output in teleport log #6732)
[auto] Update AMI IDs for 6.1.3

* Delete old docs * Move docs to parent folder

Fixes #5708 OSS users loose connection to leaf clusters after upgrade of the root cluster (but not leaf clusters). Teleport 6.0 switches users to ossuser role, this breaks implicit cluster mapping of admin to admin users. The fix downgrades admin role to be less privileged in OSS.

e61e2b2 Backport(v6): Fix cn dialog err handling and disable ace web workers (#234) gravitational/webapps@e61e2b2 [source: -w teleport-v6] [target: -t branch/v6]

* Improves CLI error reporting Escapes control characters, while allowing newlines. Removes tabs in output.

Fixes #5711 Adds required public_addr when using ACME mode.

…rds compatibility (#5731)

c01b39b Implement OAuth-style state token for AAP auth flow gravitational/webapps@c01b39b [source: -w teleport-v6] [target: -t andrej/v6/security-fixes]

In `auth.Context`, the `Identity` field used to contain the original caller identity and `User` field contained the mapped local user. These are different, if the request comes from a remote trusted cluster. Lots of code assumed that `auth.Context.Identity` contained the local identity and used roles/traits from there. To prevent this confusion, populate `auth.Context.Identity` with the *mapped* identity, and add `auth.Context.UnmappedIdentity` for callers that actually need it. One caller that needs `UnmappedIdentity` is the k8s proxy. It uses that identity to generate an ephemeral user cert. Using the local mapped identity in that case would make the downstream server (e.g. kubernetes_service) to treat it like a real local user, which doesn't exist in the backend and causes trouble. `ProcessKubeCSR` endpoint on the auth server was also updated to understand the unmapped remote identities. Co-authored-by: Andrew Lytvynov <andrew@goteleport.com>

* docs: correct footnote * docs: consistent 2fa * docs: consistent sentence header casing * docs: port tics * docs: correct proper noun * docs: slightly improve prereqs * docs: reword limitations * docs: correct wording, typos * docs: improve getting started page * docs: improve user manual * docs: casing in adopters page * docs: oxford commas * docs: improved faq * docs: tsh in tic marks * docs: admin and prod guide

* docs: couple more tics * docs: few more tics * docs: improve kub and app access

* docs: best practices * docs: requested changes * docs: slight rewording * docs: make changes

* docs: improve enterprise rbac * docs: correct links and editions * docs: correct links and editions * docs: correct editions * docs: database access * docs: database access * docs: access controls * docs: more edits * docs: infra guides * docs: enterprise guides * docs: enterprise guides * docs: correct session tables * docs: cloud * docs: reference * docs: architecture * docs: linting fixes * docs: corrected * docs: improved score for 6.1 * docs: improve scores * docs: few more improvements

* docs: rename workflows * docs: updated supported features * docs: slight rewording * docs: requested changes

* docs: reword * docs: reword * docs: correct typo

627ef3f Update e-ref on billing chart ytick formatting fix (#291) gravitational/webapps@627ef3f [source: -w teleport-v6.1] [target: -t branch/v6.1]

Switch to tiles from bullet lists. Focus user attention on products, remove extra text. List popular use-cases for developers and security teams.

Co-authored-by: Alexander Klizhentas <klizhentas@gmail.com>

manual implementation to avoid issues with proto-based type merge panics. Fixes #5691.

Updated TLS handshake timeout. During some operations, Teleport can flood the network with traffic which causes the TLS handshake to occur slower than 1 second. One example is during SSO login. The initial connection is an unauthenticated connection, and upon successful SSO login a "types.User" is created and replicated to all nodes. For large clusters this can mean 10k+ "types.User" objects getting replicated at the same time the user attempts to re-establishing another connection to Auth this time with valid identity credentials. This connection sometimes can take longer than the original 1 second timeout.

This commit removes copying of stdout and stderr from non-interactive ssh commands to stdout and stderr of the teleport server process. This was introduced in e65eac5 and appears to have been put in for debugging.

webvictim · 2021-05-05T17:38:35Z

Whoops!

webvictim and others added 30 commits February 24, 2021 14:00

Update CHANGELOG.md for 6.0.0-rc.1 (#5689)

ab89c54

Release 6.0.0-rc.1

5470bb9

Update docs file structure for v6 (#5716)

c5698c4

* Delete old docs * Move docs to parent folder

Fix paths to included files (#5724)

0e4dbd7

utmp fix for symlinked path

b07c3db

[auto] Update webassets in branch/v6 (#5739)

508d49f

e61e2b2 Backport(v6): Fix cn dialog err handling and disable ace web workers (#234) gravitational/webapps@e61e2b2 [source: -w teleport-v6] [target: -t branch/v6]

Update old proxy version detection algorithm (#5709)

df0468a

Sasha/newlines (#5738) (#5740)

bcebebe

* Improves CLI error reporting Escapes control characters, while allowing newlines. Removes tabs in output.

Adds public_addr when using ACME (#5734) (#5743)

bc8fb9f

Fixes #5711 Adds required public_addr when using ACME mode.

[tctl] Don't explicitly set value for config path and preserve backwa…

3f53461

…rds compatibility (#5731)

Correct label example and provide sample

83001a4

fix last output timestamps on some systems

e63fc57

docs: clarify why etcd doesn't store audit events

be8739a

Database access docs overhaul (#5643)

3ed729e

release updates (#5782)

fb74a64

Fix existence leak of label-restricted resources

2f77bc2

Require initialized TLS config in utils.TLSDial

9b4c094

Fix CLI content spoofing through access request reason

91bedb0

Fix AAP headers injection

b64a09a

Add obfuscation to diagnostic metrics

4535f06

Check CA expiration status when joining a cluster

54bcfe7

Introduce utils.ReadAtMost to prevent resource exhaustion

51a6ae8

Assemble safe FQDN values for AAP redirects

03bf924

Set stricter HTTP Content-Security-Policy directives

f029d08

Set cookies with '__Host-' prefix

e761851

Prevent AAP login CSRF with OAuth-style state tokens

d69e894

[auto] Update webassets in andrej/v6/security-fixes

0e94f8a

c01b39b Implement OAuth-style state token for AAP auth flow gravitational/webapps@c01b39b [source: -w teleport-v6] [target: -t andrej/v6/security-fixes]

fix #5783 utmp regression on macos

9813af2

quinqu and others added 21 commits April 22, 2021 09:52

Release 6.1.2

23ab88c

Adds releases preview (#6533)

b6fd2c3

docs: fix typos in sample roles in MFA guide

e87bd81

[v6.1] edit pass - app + kub access (#6568)

f0d3067

* docs: couple more tics * docs: few more tics * docs: improve kub and app access

[v6.1] Merge style guide into docs (#6571)

a39bfef

* docs: best practices * docs: requested changes * docs: slight rewording * docs: make changes

[v6.1] access requests from workflows (#6620)

a6a0840

* docs: rename workflows * docs: updated supported features * docs: slight rewording * docs: requested changes

[v.6.1] reword docs (#6627)

d7287d0

* docs: reword * docs: reword * docs: correct typo

[auto] Update webassets in branch/v6.1 (#6643)

5a27105

627ef3f Update e-ref on billing chart ytick formatting fix (#291) gravitational/webapps@627ef3f [source: -w teleport-v6.1] [target: -t branch/v6.1]

Switch to tiles (#6611) (#6659)

b85864d

Switch to tiles from bullet lists. Focus user attention on products, remove extra text. List popular use-cases for developers and security teams.

docs: bump 6.2 release date to May 21st (#6652) (#6663)

bb404e4

Correct Helm Chart (#6616)

328baeb

Co-authored-by: Alexander Klizhentas <klizhentas@gmail.com>

Proxy line support for mysql (#6676)

8b7e54f

Updated CHANGELOG.md.

f547a9a

Release 6.1.3.

16f4ea3

set correct auditlog instead of discard

a6e3675

Remove proto-based ServerV2 implementation of DeepCopy in favor of the

b462f39

manual implementation to avoid issues with proto-based type merge panics. Fixes #5691.

Fix non-interactive ssh output in teleport log (#6732)

4d542c4

This commit removes copying of stdout and stderr from non-interactive ssh commands to stdout and stderr of the teleport server process. This was introduced in e65eac5 and appears to have been put in for debugging.

[auto] Update AMI IDs for 6.1.3

c255620

webvictim requested review from alex-kovoy, klizhentas, r0mant and russjones as code owners May 5, 2021 17:37

webvictim added automated PRs raised by automation terraform-deployment-examples Issues relating to Terraform deployment examples under examples/aws/terraform labels May 5, 2021

webvictim closed this May 5, 2021

webvictim deleted the ami-auto-branch-1620236164 branch May 5, 2021 17:38

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ami auto branch 1620236164 #6745

ami auto branch 1620236164 #6745

webvictim commented May 5, 2021

webvictim commented May 5, 2021

ami auto branch 1620236164 #6745

ami auto branch 1620236164 #6745

Conversation

webvictim commented May 5, 2021

webvictim commented May 5, 2021