Merge branch 'branch/v17' into tcsc/branch/v17/ic-rerun-import

Author: tcsc

.github/workflows/changelog-merge-queue.yaml

@@ -1,6 +1,6 @@
 # This check runs only on PRs that are in the merge queue.
 #
-# PRs in the merge queue have already been approved but the reviewers check
+# PRs in the merge queue have already passed changelog validation but the check
 # is still required so this workflow allows the required check to succeed,
 # otherwise PRs in the merge queue would be blocked indefinitely.
 #

.github/workflows/changelog.yaml

@@ -1,6 +1,7 @@
-# This changelog ensures that PR bodies include a `changelog: <changelog entry>` section,
-# or a `no-changelog` label set. If they do not, then a comment will be added to the PR
-# asking the developer to add one of the two.
+# The changelog workflow checks that a PR message has a line of the form
+# `changelog: <text>` or a `no-changelog` label. If neither are present,
+# the workflow run will fail, and as this workflow job is a required check,
+# the PR cannot be merged.
 name: Validate changelog entry
 on:
   pull_request:
@@ -16,11 +17,6 @@ on:
 permissions:
   pull-requests: write
 
-concurrency: 
-  cancel-in-progress: true
-  # This value is arbitrary as long as it includes the pull request number
-  group: 'limit to running one instance at a time for the pull request ${{ github.event.pull_request.number }}'
-
 jobs:
   validate-changelog:
     name: Validate the changelog entry

build.assets/Dockerfile-grpcbox

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-FROM docker.io/golang:1.23.7
+FROM docker.io/golang:1.24.1
 
 # Image layers go from less likely to most likely to change.
 RUN apt-get update && \

build.assets/versions.mk

@@ -20,7 +20,7 @@ LIBPCSCLITE_VERSION ?= 1.9.9-teleport
 DEVTOOLSET ?= devtoolset-12
 
 # Protogen related versions.
-BUF_VERSION ?= v1.48.0
+BUF_VERSION ?= v1.50.1
 # Keep in sync with api/proto/buf.yaml (and buf.lock).
 GOGO_PROTO_TAG ?= v1.3.2
 NODE_GRPC_TOOLS_VERSION ?= 1.12.4

docs/.vale.ini

@@ -4,5 +4,6 @@ MinAlertLevel = suggestion
 [formats]
 mdx = md
 
-[*.md]
+[*.mdx]
 BasedOnStyles = messaging,examples,3rd-party-products,structure
+CommentDelimiters = "{/*,*/}"

docs/pages/admin-guides/deploy-a-cluster/license.mdx

@@ -71,7 +71,7 @@ Create a secret called "license" in the namespace you are using to deploy
 Teleport:
 
 ```code
-$ kubectl -n teleport create secret generic license --from-file=license.pem
+$ kubectl -n <Var name="teleport-namespace" /> create secret generic license --from-file=license.pem
 ```
 
 For the Teleport pod to load your license:
@@ -115,6 +115,30 @@ The Teleport Auth Service checks the expiration status of your license every
 hour. This means that, after you replace your license file and restart your Auth
 Service instances, it can take up to an hour to confirm the new license.
 
+If you are running a self-hosted Teleport Enterprise cluster on Kubernetes using
+the `teleport-cluster` Helm chart, complete the following steps to update your
+license:
+
+1. Download a new license file from your Teleport account using the instructions
+   we provide [earlier in this guide](#download-your-license-file). We assume
+   that the license file is called `license.pem`.
+
+1. Assign <Var name="teleport-namespace" /> to the Kubernetes namespace where
+   you manage Teleport-related resources.
+
+1. Replace the Kubernetes secret that stores your existing license. We assume
+   that the secret is called `license`, but there may be a different secret name
+   specified in the `licenseSecretName` field of the chart's values file.
+
+   The following command prints a secret resource manifest to stdout using a dry
+   run of `kubectl create secret` and pipes it to `kubectl replace`. This way,
+   you can update the license without destroying and recreating it, avoiding the
+   risk of an Auth Service instance looking up a nonexistent license file:
+
+   ```code
+   $ kubectl create secret generic license --from-file license.pem --dry-run=client -o yaml | kubectl replace -n <Var name="teleport-namespace" /> -f -   
+   ```
+
 ## When your license expires
 
 At 90 days before your Teleport Enterprise license expires, users will see an

docs/pages/connect-your-client/tsh.mdx

@@ -686,6 +686,8 @@ $ tsh join <session_ID>
   Refer them to the [Moderated Sessions guide](../admin-guides/access-controls/guides/joining-sessions.mdx) for more information on configuring join permissions.
 </Admonition>
 
+You can also list active sessions with the `tsh sessions ls` command.
+
 <Admonition type="note" scope={["oss", "enterprise"]}>
   Joining sessions is not supported in recording proxy mode (where `session_recording` is set to `proxy`).
 </Admonition>

docs/pages/enroll-resources/auto-discovery/kubernetes/aws.mdx

@@ -137,7 +137,7 @@ subjects:
 
 ### IAM mapping
 
-If you cluster includes the `aws-auth` config map, edit the `configmap/aws-auth`
+If your cluster includes the `aws-auth` config map, edit the `configmap/aws-auth`
 in the `kube-system` namespace and append the following to `mapRoles`. Replace
 `{teleport_aws_iam_role}` with the appropriate IAM role that Teleport Kubernetes
 Service will use. This step will link the Teleport IAM role into the Kubernetes
@@ -245,7 +245,7 @@ $ aws eks create-access-entry \
 $ aws eks associate-access-policy \
   --cluster-name <Var name="eks-cluster" /> \
   --region <Var name="eu-west-1" /> \
-  --principal-arn <Var name="arn:aws:iam::222222222222:role/teleport-role" />
+  --principal-arn <Var name="arn:aws:iam::222222222222:role/teleport-role" /> \
   --policy-arn "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy" \
   --access-scope type=cluster
 

docs/pages/enroll-resources/machine-id/faq.mdx

@@ -93,3 +93,18 @@ If your use case absolutely requires long-lived certificates,
 [`tctl auth sign`](../../reference/cli/tctl.mdx#tctl-auth-sign) can
 alternatively be used, however this loses the security benefits of Machine ID's
 short-lived renewable certificates.
+
+## Can Machine ID be used to connect to multiple Kubernetes clusters?
+
+This is possible in Teleport v17.2.7 or higher, using the new `kubernetes/v2`
+output type in `tbot`. This service can expose many clusters at once via
+contexts in the generated `kubeconfig.yaml`, and if label selectors are used,
+will dynamically add contexts as clusters are added and removed in Teleport.
+
+Note that both `tbot` and the Teleport Proxy need to be running v17.2.7 to take
+advantage of this functionality.
+
+Refer to the
+[CLI reference](../../reference/cli/tbot.mdx#tbot-start-kubernetesv2) and
+[config reference](../../reference/machine-id/configuration.mdx#kubernetesv2)
+for more information.

docs/pages/includes/provision-token/spacelift-spec.mdx

@@ -0,0 +1,29 @@
+```yaml
+kind: token
+version: v2
+metadata:
+  name: spacelift
+spec:
+  roles: [Bot]
+  join_method: spacelift
+
+  # This must match a bot name, created either with `tctl bots add` or by
+  # creating a `bot` resource.
+  bot_name: spacelift
+
+  spacelift:
+    # hostname should be the hostname of your Spacelift tenant.
+    hostname: example.app.spacelift.io
+    # allow specifies rules that control which Spacelift executions will be
+    # granted access. Those not matching any allow rule will be denied.
+    allow:
+      # space_id identifies the space that the module or stack resides within.
+    - space_id: root
+      # caller_type is the type of caller_id. This must be `stack` or `module`.
+      caller_type: stack
+      # caller_id is the id of the caller. e.g the name of the stack or module.
+      caller_id: my-stack
+      # scope is the scope of the token - either `read` or `write`.
+      # See https://docs.spacelift.io/integrations/cloud-providers/oidc/#about-scopes
+      scope: read
+```

docs/pages/installation.mdx

@@ -472,6 +472,12 @@ For Teleport Community Edition, check the
 [Downloads](https://goteleport.com/download/) page for the most up-to-date
 information.
 
+On cloud-hosted Teleport Enterprise you can visit a download page in the Web UI. Select the user name
+in the upper right and select Downloads from the menu.
+
+Customers who self-host Teleport Enterprise can access Enterprise downloads and their license
+file from their [dedicated account dashboard](./admin-guides/deploy-a-cluster/license.mdx).
+
 ## Docker
 
 ### Images

docs/pages/reference/cli/tbot.mdx

@@ -427,6 +427,54 @@ command supports these additional flags:
 | `--reader-group`       | An additional group name or GID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux. |
 | `--kubernetes-cluster` | The name of the Kubernetes cluster in Teleport for which to fetch credentials |
 
+## tbot start kubernetes/v2
+
+Starts the Machine ID client `tbot` with a Kubernetes V2 output, fetching and
+writing Kubernetes credentials to a `kubeconfig.yaml` at a regular interval to
+the output specified with `--destination`.
+
+Unlike the `kubernetes` output, `kubernetes/v2` allows fetching many Kubernetes
+clusters at once, as multiple contexts within the generated `kubeconfig.yaml`.
+If label selectors are used and clusters are added or removed, the list of
+clusters will be updated on the bot's next renewal. At least one selector -
+either name or label - is required.
+
+Note that as with human users using `tsh kube ls`, only clusters the bot user
+has permission to access will be matched. Additionally, note that label
+selectors do not currently support wildcards.
+
+### Flags
+
+In addition to the [common `tbot start` flags](#common-start-flags), this
+command supports these additional flags:
+
+| Flag                    | Description |
+|-------------------------|-------------|
+| `--destination`         | A destination URI, such as `file:///foo/bar`. See [Destination URIs](#destination-uris) for more info. Required. |
+| `--reader-user`         | An additional user name or UID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux. |
+| `--reader-group`        | An additional group name or GID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux. |
+| `--name-selector`       | Selects a Kubernetes cluster by exact name match. Repeatable. |
+| `--label-selector`      | Selects many Kubernetes clusters by label match, e.g. `env=dev,role=ci`. Repeatable. |
+| `--disable-exec-plugin` | If set, disables the exec plugin. Allows credentials to be used without the `tbot` binary. |
+
+### Examples
+
+First, run `tbot` to generate credentials:
+
+```code
+$ tbot start kubernetes/v2 --proxy-server=example.teleport.sh:443 --destination=./example --label-selector env=dev --name-selector example --oneshot
+```
+
+This will fetch credentials for all clusters with the label `env: dev`, plus the
+cluster named `example`. You can then access the clusters using `kubectl`:
+
+```code
+$ kubectl --kubeconfig ./example/kubeconfig.yaml --context example.teleport.sh-example get pods
+```
+
+You can inspect the generated `kubeconfig.yaml` to see which clusters were
+matched by the label selector.
+
 ## tbot start application
 
 Starts the Machine ID client `tbot` with an application output, fetching and

docs/pages/reference/cli/tsh.mdx

@@ -1130,6 +1130,36 @@ $ tsh ssh -o AddKeysToAgent=yes root@grav-00
 $ tsh ssh root@env=aws hostname
 ```
 
+## tsh sessions ls
+
+List active sessions. The resulting list includes only the sessions that the
+caller has permission to join, unless they have a role with explicit `list`
+access on the `session_tracker` resource.
+
+```code
+$ tsh sessions ls
+```
+
+### Flags
+
+| Name | Default Value(s) | Allowed Value(s) | Description |
+| - | - | - | - |
+| `-f, --format` | text | text, json, yaml | Format for output |
+| `--kind` | none | ssh, k8s, db, app, desktop | Optionally filter by session kind(s) |
+
+### Examples
+
+```code
+# list all active sessions
+$ tsh sessions ls
+
+# list all SSH and desktop sessions
+$ tsh sessions ls --kind=ssh --kind=desktop
+
+# list all Kubernetes sessions in JSON format
+$ tsh sessions ls --kind=k8s --format=json
+```
+
 ## tsh status
 
 Display the list of proxy servers and retrieved certificates:

docs/pages/reference/join-methods.mdx

@@ -440,6 +440,18 @@ Support for self-hosted Terraform Enterprise requires Teleport Enterprise.
 - [Run the Teleport Terraform Provider on Terraform Cloud](../admin-guides/infrastructure-as-code/terraform-provider/terraform-cloud.mdx)
 </Admonition>
 
+### Spacelift: `spacelift`
+
+This join method is used to authenticate using Spacelift. It is typically used
+by the Teleport Terraform provider on Spacelift (including self-hosted
+deployments).
+
+(!docs/pages/includes/provision-token/spacelift-spec.mdx!)
+
+<Admonition type="note" title="See Also">
+    - [Run the Teleport Terraform Provider on Spacelift](../admin-guides/infrastructure-as-code/terraform-provider/spacelift.mdx)
+</Admonition>
+
 ### Bitbucket Pipelines: `bitbucket`
 
 This join method is used to authenticate using Bitbucket's support for OpenID

docs/pages/reference/machine-id/configuration.mdx

@@ -294,6 +294,58 @@ kubernetes_cluster: my-cluster
 (!docs/pages/includes/machine-id/common-output-config.yaml!)
 ```
 
+### `kubernetes/v2`
+
+The `kubernetes/v2` output type can be used to access many Kubernetes clusters
+as individual contexts within the same `kubeconfig.yaml`.
+
+```yaml
+type: kubernetes/v2
+
+# selectors include one or more matching Kubernetes clusters. Each match will be
+# included in the resulting `kubeconfig.yaml`, assuming the bot has permission
+# to access the cluster.
+selectors:
+  # name includes an exact match by name. Note that wildcards are not currently
+  # supported. Multiple name selectors can be specified if desired.
+  - name: foo
+  # labels include all clusters matching all of these labels. Multiple label
+  # selectors can be provided if needed.
+  - labels:
+      env: dev
+
+# The following configuration fields are available across most output types.
+# Note that `roles` are not supported for this output type.
+
+destination:
+  type: directory
+  path: /opt/machine-id
+
+# credential_ttl and renewal_interval override the credential TTL and renewal
+# interval for this specific output, so that you can make its certificates valid
+# for shorter than `tbot`'s internal certificates.
+#
+# This is particularly useful when using `tbot` in one-shot as part of a cron job
+# where you need `tbot`'s internal certificate to live long enough to be renewed
+# on the next invocation, but don't want long-lived workload certificates on-disk.
+credential_ttl: 30m
+renewal_interval: 15m
+```
+
+Each Kubernetes cluster matching a selector will result in a new context in the
+generated `kubeconfig.yaml`. This can be consumed like so:
+
+```code
+$ kubectl --kubeconfig /opt/machine-id/kubeconfig.yaml --context=example.teleport.sh-foo get pods
+```
+
+The context name is `[Teleport cluster name]-[Kubernetes cluster name]`, so the
+command above runs `kubectl get pods` on the `foo` cluster.
+
+If clusters are added or removed over time, the `kubeconfig.yaml` will be
+updated at the bot's normal renewal interval. You can trigger an early renewal
+by restarting `tbot`, or signaling it with `pkill -usr1 tbot`.
+
 ### `ssh_host`
 
 The `ssh_host` output is used to generate the artifacts required to configure