Closed russjones closed 1 year ago
@mdwn I've added these points to the test plan, seemingly under your remit:
- [ ] Verify [Azure CLI access](https://goteleport.com/docs/ver/12.x/application-access/guides/azure/) with `tsh app login`.
- [ ] Can interact with Azure using `tsh az` commands.
- [ ] Can interact with Azure using a combination of `tsh proxy az` and `az` commands.
- [ ] Verify [GCP CLI access](https://github.com/gravitational/teleport/pull/19905) with `tsh app login`.
- [ ] Can interact with GCP using `tsh gcloud` commands.
- [ ] Can interact with Google Cloud Storage using `tsh gsutil` commands.
- [ ] Can interact with GCP/GCS using a combination of `tsh proxy gcloud` and `gcloud`/`gsutil` commands.
Both Azure and GCP integrations are on master and will be part of the cut tomorrow. The PR for the GCP docs is in review https://github.com/gravitational/teleport/pull/19905, but slightly out of sync with the implementation; this will be corrected early next week. Please don't hesitate to ask me for any clarifications or tips.
I'll send a PR updating the test plan template too.
I've added/edited these points to the test plan (for discovery and connect via local/remote cluster):
- [ ] Azure single-server MySQL and Postgres
- [ ] Azure flexible-server MySQL and Postgres
Added them to the connect test because the flexible-server integration required an update to the way we modify the db username in the engine.
Forgot to update the test plan template in #19759. I'll open a PR to update that template now as well.
Added "Changing role map of existing Trusted Cluster" here and in #20325
Added in #20274
tctl does not default to local auth: https://github.com/gravitational/teleport/issues/20346
Regression in tsh breaks identity file loading (affects most tbot proxying features, including ssh/db access): https://github.com/gravitational/teleport/issues/20373
and another small issue where tbot's `ssh_config` forgets nonstandard ports: https://github.com/gravitational/teleport/issues/20378
AWS console is inaccessible via the Teleport UI: https://github.com/gravitational/teleport/issues/20385
The default access role misses permissions to list pods #20401
`tsh login --auth=local` uses platform passwordless if it can (#20429). Not a huge deal, as it does respect other settings/flags, but I'll take a look.
Setting Azure identities doesn't work for all valid characters in an identity string: https://github.com/gravitational/teleport/issues/20434
Helm chart deadlock: https://github.com/gravitational/teleport/pull/20488
`teleport db configure create --azure-sqlserver-discovery=$region` generates invalid config yaml. Fix here: https://github.com/gravitational/teleport/pull/20496
I've found some issues with device trust, unusual verbs (`create_enroll_token` and `enroll`) and RoleAdmin. Pushing patches soon. (FYI @sfreiberg.)
Promised patches: #20505 and https://github.com/gravitational/teleport.e/pull/724. We'll need an e/ bump on branch/v12 after all is done.
`tctl devices rm` issue: #20506
Okta SSO documentation setup issue: https://github.com/gravitational/teleport/issues/20538
https://teleportcoreteam.grafana.net/goto/9JtLQdTVz?orgId=1
https://teleportcoreteam.grafana.net/goto/ss-CjOoVk?orgId=1
https://teleportcoreteam.grafana.net/goto/yNS_PHo4z?orgId=1
----Direct Dial Node Test----

```
tsh --insecure --proxy=monster.gravitational.co:3080 -i /etc/teleport/auth bench --duration=30m root@node-6f44d86564-lqmrg ls
* Requests originated: 17999
* Requests failed: 0
Histogram
Percentile Response Duration
---------- -----------------
25 150 ms
50 152 ms
75 156 ms
90 160 ms
95 165 ms
99 191 ms
100 455 ms
```

----Reverse Tunnel Node Test----

```
tsh --insecure --proxy=monster.gravitational.co:3080 -i /etc/teleport/auth bench --duration=30m root@iot-node-86b9c86bff-fgrxs ls
* Requests originated: 17999
* Requests failed: 0
Histogram
Percentile Response Duration
---------- -----------------
25 146 ms
50 150 ms
75 154 ms
90 162 ms
95 170 ms
99 191 ms
100 411 ms
```
https://teleportcoreteam.grafana.net/goto/5i-Am-T4z?orgId=1
https://teleportcoreteam.grafana.net/goto/cv55cFT4z?orgId=1
https://teleportcoreteam.grafana.net/goto/Oog2Abo4z?orgId=1
----Direct Dial Node Test----

```
tsh --insecure --proxy=monster.gravitational.co:3080 -i /etc/teleport/auth bench --duration=30m root@node-6f44d86564-frcnx ls
* Requests originated: 17999
* Requests failed: 0
Histogram
Percentile Response Duration
---------- -----------------
25 147 ms
50 149 ms
75 153 ms
90 156 ms
95 160 ms
99 188 ms
100 352 ms
```

----Reverse Tunnel Node Test----

```
tsh --insecure --proxy=monster.gravitational.co:3080 -i /etc/teleport/auth bench --duration=30m root@iot-node-86b9c86bff-x4pbr ls
* Requests originated: 17999
* Requests failed: 0
Histogram
Percentile Response Duration
---------- -----------------
25 164 ms
50 169 ms
75 176 ms
90 186 ms
95 191 ms
99 209 ms
100 439 ms
```
~teleport-ent macOS binaries are not signed.~ https://github.com/gravitational/teleport.e/issues/741
Edit: It turns out it's a known issue.
App Access and require_session_mfa issue: #20634.
~Docker `tctl` command failure: https://github.com/gravitational/teleport/issues/20637.~ Resolved
Error connecting to leaf OpenSSH node: https://github.com/gravitational/teleport/issues/20703
Just want to note that my only remaining unchecked task is to use `require_session_mfa: hardware_key_touch` with app access, which also does not work (obviously)
Isn't `hardware_key_touch` functionally equivalent to no session MFA, due to the checks being client-side? Maybe chat with @Joerger to figure out if it's actually supposed to work.
Yes, `hardware_key_touch` does actually work in v12, but `hardware_key` does not as it is functionally equivalent to `require_session_mfa: yes`. I've tested it so I'll check it off on the test plan.
Edit: I was wrong on this and the test I performed was inadequate (`tsh proxy app` does prompt for tap, but using the connection fails due to the app session using a different key on the server). This test should have been removed before as this lack of support was already discovered and documented.
`tsh proxy aws --endpoint-url` not working in alpha.1 & alpha.2: https://github.com/gravitational/teleport/issues/20798
I think this broke when I did some refactoring work in app access.
`tsh db connect` fails when PIV is enabled (not in all configurations): https://github.com/gravitational/teleport/issues/20799
I didn't notice this in my first pass through the test plan because I didn't trip on one of the configurations that has the issue.
```
$ tsh bench --duration=30m root@ip-172-31-8-224-us-west-2-compute-internal ls
* Requests originated: 17999
* Requests failed: 0
Histogram
Percentile Response Duration
---------- -----------------
25 156 ms
50 165 ms
75 178 ms
90 188 ms
95 194 ms
99 219 ms
100 2767 ms
```

```
$ tsh bench --interactive --duration=30m root@ip-172-31-8-224-us-west-2-compute-internal ps aux
* Requests originated: 17999
* Requests failed: 0
Histogram
Percentile Response Duration
---------- -----------------
25 164 ms
50 174 ms
75 186 ms
90 194 ms
95 201 ms
99 223 ms
100 1677 ms
```

```
$ tsh bench --duration=30m root@ip-172-31-8-224-us-west-2-compute-internal ls
* Requests originated: 17999
* Requests failed: 0
Histogram
Percentile Response Duration
---------- -----------------
25 176 ms
50 183 ms
75 192 ms
90 204 ms
95 212 ms
99 250 ms
100 2229 ms
```

```
$ tsh bench --interactive --duration=30m root@ip-172-31-8-224-us-west-2-compute-internal ps aux
* Requests originated: 17998
* Requests failed: 0
Histogram
Percentile Response Duration
---------- -----------------
25 184 ms
50 191 ms
75 201 ms
90 213 ms
95 220 ms
99 260 ms
100 2805 ms
```
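As an added example (not from the thread and not Teleport's own tooling), a small Python parser for the `tsh bench` histogram output above that compares two runs and flags percentile regressions and a stalled tail; the two inputs are the `ls` runs from the comment, and the thresholds are assumed values, not a release criterion.

```python
"""Parse `tsh bench` histogram output and flag latency regressions between two runs."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Inputs copied from the two non-interactive `ls` soak-test runs in the comment above.
BASELINE_LS = """\
* Requests originated: 17999
* Requests failed: 0
Histogram
Percentile Response Duration
---------- -----------------
25 156 ms
50 165 ms
75 178 ms
90 188 ms
95 194 ms
99 219 ms
100 2767 ms
"""

CANDIDATE_LS = """\
* Requests originated: 17999
* Requests failed: 0
Histogram
Percentile Response Duration
---------- -----------------
25 176 ms
50 183 ms
75 192 ms
90 204 ms
95 212 ms
99 250 ms
100 2229 ms
"""

_COUNT_RE = re.compile(r"^\* Requests (originated|failed): (\d+)$")
_ROW_RE = re.compile(r"^(\d+) (\d+) ms$")


@dataclass
class BenchResult:
    originated: int
    failed: int
    percentiles: dict[int, int] = field(default_factory=dict)  # percentile -> latency in ms

    @property
    def failure_rate(self) -> float:
        return self.failed / self.originated if self.originated else 0.0


def parse_bench(text: str) -> BenchResult:
    """Parse the request counters and histogram rows printed by `tsh bench`."""
    counts: dict[str, int] = {}
    percentiles: dict[int, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := _COUNT_RE.match(line):
            counts[m.group(1)] = int(m.group(2))
        elif m := _ROW_RE.match(line):
            percentiles[int(m.group(1))] = int(m.group(2))
    if {"originated", "failed"} - counts.keys() or not percentiles:
        raise ValueError("input does not look like tsh bench output")
    return BenchResult(counts["originated"], counts["failed"], percentiles)


def find_regressions(baseline: BenchResult, candidate: BenchResult,
                     max_pct_increase: float = 10.0, tail_ratio: float = 5.0) -> list[tuple]:
    """Return (metric, baseline_value, candidate_value) for every threshold the candidate breaks.
    The 10% and 5x thresholds are assumptions chosen for illustration."""
    findings: list[tuple] = []
    if candidate.failure_rate > baseline.failure_rate:
        findings.append(("failure_rate", baseline.failure_rate, candidate.failure_rate))
    for p in (50, 90, 95, 99):
        if p in baseline.percentiles and p in candidate.percentiles:
            base, cand = baseline.percentiles[p], candidate.percentiles[p]
            if (cand - base) / base * 100 > max_pct_increase:
                findings.append((f"p{p}", base, cand))
    # A maximum far above p99 points at an occasional stall that the percentiles hide.
    if 99 in candidate.percentiles and 100 in candidate.percentiles:
        p99, p100 = candidate.percentiles[99], candidate.percentiles[100]
        if p100 > tail_ratio * p99:
            findings.append(("tail", p99, p100))
    return findings
```

On the two runs above this reports p50 and p99 as regressed and the 2229 ms maximum as a tail outlier; a zero-failure run with a tight tail returns an empty list.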
Note about ssh agent forwarding and ssh file copying RBAC tests: The RBAC section of the testplan mentions that we expect access denied to show up in the audit log for all items, but ssh agent forwarding and ssh file copying do not generate access denied events. I checked the code for these checks, and it appears that they aren't intended to emit events currently, so this doesn't seem to be a regression.
I've marked these sections as complete in the testplan because teleport seems to be working as intended, but it may be worth considering adding access denied events for these items.
Verify Teleport versions throughout documentation are correct and reflect upcoming release:
`teleport-cluster` chart v12 breaks when used with `etcd` backend: https://github.com/gravitational/teleport/issues/20960
Pod RBAC fails if the Kubernetes Vendor runs with compression enabled: #20980 - PR: #20981
@hugoShaka detected this issue when running a test in the IBM cloud
Issue and fix here: https://github.com/gravitational/teleport/pull/21009
Verify upcoming releases page is accurate:
This is under Documentation, but we don't have insight into what's being slated for the next release. I've prepped a page in #21283 for data to be added to, but maybe this should be considered part of #21317
Manual Testing Plan
Below are the items that should be manually tested with each release of Teleport. These tests should be run on both a fresh installation of the version to be released as well as an upgrade of the previous version of Teleport.
[x] Adding nodes to a cluster @codingllama
[x] Labels @nklaassen
[x] Trusted Clusters @espadolini
[x] RBAC @fspmarshall
Make sure that invalid and valid attempts are reflected in audit log.
[x] Verify that custom PAM environment variables are available as expected. @rosstimothy
[x] Users @tobiaszheller
With every user combination, try to login and signup with invalid second factor, invalid password to see how the system reacts.
WebAuthn in the release `tsh` binary is implemented using libfido2 for linux/macOS. Ask for a statically built pre-release binary for realistic tests. (`tsh fido2 diag` should work in our binary.) Webauthn in Windows build is implemented using `webauthn.dll`. (`tsh webauthn diag` with security key selected in dialog should work.)
Touch ID requires a signed `tsh`, ask for a signed pre-release binary so you may run the tests.
Windows Webauthn requires Windows 10 19H1 and device capable of Windows Hello.
- `tsh mfa add`
- `tsh mfa add`
- `tsh mfa add`
- `tsh mfa ls`
- `tsh mfa rm`
- `tsh mfa rm`
- `second_factor: on` in `auth_service`, should fail
- `second_factor: optional` in `auth_service`, should succeed
- `tsh mfa add`
U2F devices must be registered in a previous version of Teleport.
Using Teleport v9, set `auth_service.authentication.second_factor = u2f`, restart the server and then register a U2F device (`tsh mfa add`). Upgrade the installation to the current Teleport version (one major at a time) and try to log in using the U2F device as your second factor - it should work.
[x] Backends @timothyb89
[x] Session Recording @strideynet
[x] Enhanced Session Recording @jakule
- `disk`, `command` and `network` events are being logged.
- `enhanced_recording` role option.
[x] Restricted Session @jakule
[x] Audit Log @Joerger
- `server_id` is the ID of the node in "session_recording: node" mode
- `server_id` is the ID of the node in "session_recording: proxy" mode
- `forwarded_by` is the ID of the proxy in "session_recording: proxy" mode
Node/Proxy ID may be found at `/var/lib/teleport/host_uuid` in the corresponding machine. Node IDs may also be queried via `tctl nodes ls`.
- `scp` commands are recorded
Subsystem testing may be achieved using both Recording Proxy mode and OpenSSH integration.
Assuming the proxy is `proxy.example.com:3023` and `node1` is a node running OpenSSH/sshd, you may use the following command to trigger a subsystem audit log:
[x] Interact with a cluster using `tsh` @capnspacehook
These commands should ideally be tested for recording and non-recording modes as they are implemented in different ways.
[x] Interact with a cluster using `ssh` @capnspacehook
Make sure to test both recording and regular proxy modes.
[x] Verify proxy jump functionality @atburke
Log into leaf cluster via root, shut down the root proxy and verify proxy jump works.
[x] `tsh` CA loading @lxea
Create a trusted cluster pair with a node in the leaf cluster. Log into the root cluster.
- `load_all_cas` on the root auth server is `false` (default) - `tsh ssh leaf.node.example.com` results in access denied.
- `load_all_cas` on the root auth server is `true` - `tsh ssh leaf.node.example.com` succeeds.
[x] X11 Forwarding @Joerger
- `xeyes` and `xclip`: `apt install x11-apps xclip`
- `xeyes`. Then `brew install xclip`.
- `ssh_service.x11.enabled = yes`
- `tsh ssh -X user@node xeyes`
- `tsh ssh -X root@node xeyes`
- `tsh ssh -Y server01 "echo Hello World | xclip -sel c && xclip -sel c -o"` should print "Hello World"
- `tsh ssh -X server01 "echo Hello World | xclip -sel c && xclip -sel c -o"` should fail with "BadAccess" X error
User accounting @tigrato
- `/var/run/utmp` on Linux.
- `/var/log/wtmp` on Linux.
Combinations @capnspacehook
For some manual testing, many combinations need to be tested. For example, for interactive sessions the 12 combinations are below.
Teleport with EKS/GKE @AntonAM
Teleport with multiple Kubernetes clusters @AntonAM
Note: you can use GKE or EKS or minikube to run Kubernetes clusters. Minikube is the only caveat - it's not reachable publicly so don't run a proxy there.
- `tsh login`, check that `tsh kube ls` has your cluster
- `kubectl get nodes`, `kubectl exec -it $SOME_POD -- sh`
- `tsh login`, check that `tsh kube ls` has your cluster
- `kubectl get nodes`, `kubectl exec -it $SOME_POD -- sh`
- `tsh login`, check that `tsh kube ls` has your cluster
- `kubectl get nodes`, `kubectl exec -it $SOME_POD -- sh`
- `tsh login`, check that `tsh kube ls` has both clusters
- `tsh kube login`
- `kubectl get nodes`, `kubectl exec -it $SOME_POD -- sh` on the new cluster
- `tsh login`, check that `tsh kube ls` has all clusters
- `name` and `labels`
- Step 2
- login value matching the rows `name` column
- `name` or `labels` in the search bar works
- `name` column
Kubernetes auto-discovery @tigrato
- `tctl create`.
- `tctl create -f`.
- `tctl rm`.
Kubernetes Secret Storage @tigrato
Statefulset
Kubernetes Pod RBAC @tigrato
- `v6` are allowed to access all pods.
- `kubernetes_resources`:
  - `{"kind":"pod","name":"*","namespace":"*"}` - must allow access to every pod.
  - `{"kind":"pod","name":"<somename>","namespace":"*"}` - must allow access to pod `<somename>` in every namespace.
  - `{"kind":"pod","name":"*","namespace":"<somenamespace>"}` - must allow access to any pod in `<somenamespace>` namespace.
  - `*` wildcards - `<some-name>-*` and regex for `name` and `namespace` fields.
- `go-client`.
- `kubernetes_resources`:
- `kubernetes_groups` that denies exec into a pod
- `search_as_roles` is not allowed.
Teleport with FIPS mode @r0mant
ACME @mdwn
Migrations @r0mant @zmb3
Command Templates
When interacting with a cluster, the following command templates are useful:
OpenSSH
Teleport
Teleport with SSO Providers @camscale
GitHub External SSO @Tener
`tctl sso` family of commands @Tener
For help with setting up sso connectors, check out the Quick GitHub/SAML/OIDC Setup Tips
- `tctl sso configure` helps to construct a valid connector definition:
  - `tctl sso configure github ...` creates valid connector definitions
  - `tctl sso configure oidc ...` creates valid connector definitions
  - `tctl sso configure saml ...` creates valid connector definitions
- `tctl sso test` tests a provided connector definition, which can be loaded from file or piped in with `tctl sso configure` or `tctl get --with-secrets`. Valid connectors are accepted, invalid are rejected with sensible error messages.
- `tctl sso test`.
Teleport Plugins @greedy52
AWS Node Joining @gabrielcorado
Docs
`ec2:DescribeInstances` permissions for local account:
- `TELEPORT_TEST_EC2=1 go test ./integration -run TestEC2NodeJoin`
- `TELEPORT_TEST_EC2=1 go test ./integration -run TestIAMNodeJoin`
Kubernetes Node Joining @gabrielcorado
Cloud Labels @GavinFrazar
- `foo`: `bar`. Verify that a node running on the instance has label `aws/foo=bar`.
- `foo`: `bar`. Verify that a node running on the instance has label `azure/foo=bar`.
Passwordless @codingllama
This feature has additional build requirements, so it should be tested with a pre-release build from Drone (eg: https://get.gravitational.com/teleport-v10.0.0-alpha.2-linux-amd64-bin.tar.gz).
This section complements "Users -> Managing MFA devices".
`tsh` binaries for each operating system (Linux, macOS and Windows) must be tested separately for FIDO2 items.
[x] Diagnostics
Commands should pass all tests.
- `tsh fido2 diag` (macOS/Linux)
- `tsh touchid diag` (macOS only)
- `tsh webauthnwin diag` (Windows only)
[x] Registration
- (`tsh mfa add`, choose WEBAUTHN and passwordless)
- (`tsh mfa add`, choose TOUCHID)
- (`tsh mfa add`, choose WEBAUTHN and passwordless)
[x] Login
- (`tsh login --auth=passwordless`)
- (`tsh login --auth=passwordless`)
- `tsh login --auth=passwordless --mfa-mode=cross-platform` uses FIDO2
- `tsh login --auth=passwordless --mfa-mode=platform` uses platform authenticator
- `tsh login --auth=passwordless --mfa-mode=auto` prefers platform authenticator
- (`auth_service.authentication.passwordless = false`)
- (`auth_service.authentication.connector_name = passwordless`)
- (`tsh login --auth=local`)
[x] Touch ID support commands
- `tsh touchid ls` works
- `tsh touchid rm` works (careful, may lock you out!)
Device Trust @sfreiberg
Device Trust requires Teleport Enterprise.
This feature has additional build requirements, so it should be tested with a pre-release build from Drone (eg: https://get.gravitational.com/teleport-v10.0.0-alpha.2-linux-amd64-bin.tar.gz).
Client-side enrollment requires a signed `tsh` for macOS, make sure to use the `tsh` binary from `tsh.app`.
A simple formula for testing device authorization is:
[ ] Inventory management
- (`tctl devices add`)
- (`tctl devices add --enroll`)
- (`tctl devices ls`)
- (`tctl devices rm`)
- (`tctl devices rm`)
- (`tctl devices enroll`)
- (`tctl devices enroll`)
[x] Device enrollment
- (`tsh device enroll`)
Note that different accesses have different certificates (Database, Kube, etc).
[x] Device authorization
Testing this requires issuing a certificate without device extensions (mode="off"), then changing the cluster configuration to mode="required" and attempting to access a process directly, without a login attempt.
[x] Device authorization works correctly for both require_session_mfa=false and require_session_mfa=true
[x] Device authorization applies to SSH access (all items above)
[x] Device authorization applies to Trusted Clusters (root with mode="optional" and leaf with mode="required")
[x] Device authorization applies to Database access (all items above) @smallinsky
[x] Device authorization applies to Kubernetes access (all items above) @tigrato
[x] Device audit (see lib/events/codes.go)
Hardware Key Support @Joerger
Hardware Key Support is an Enterprise feature and is not available for OSS.
You will need a YubiKey 4.3+ to test this feature.
This feature has additional build requirements, so it should be tested with a pre-release build from Drone (eg: https://get.gravitational.com/teleport-ent-v11.0.0-alpha.2-linux-amd64-bin.tar.gz).
Server Access @Joerger
These tests should be carried out sequentially.
`tsh` tests should be carried out on Linux, MacOS, and Windows.
- `tsh login` as user with Webauthn login and no hardware key requirement.
- `role.role_options.require_session_mfa: hardware_key` - `tsh login --request-roles=hardware_key_required`
- `tsh ssh`
- `role.role_options.require_session_mfa: hardware_key_touch` - `tsh login --request-roles=hardware_key_touch_required`
- `tsh ssh`
- `tsh logout` and `tsh login` as the user with no hardware key requirement.
- `auth_service.authentication.require_session_mfa: hardware_key`
- (`tsh ls`) should force automatic re-login with yubikey
- `tsh ssh`
- `auth_service.authentication.require_session_mfa: hardware_key_touch`
- (`tsh ls`) should force automatic re-login with yubikey
- `tsh ssh`
Other @GavinFrazar
Set `auth_service.authentication.require_session_mfa: hardware_key_touch` in your cluster auth settings.
- `tsh proxy db`
- `tsh login app && tsh proxy app`
Performance @rosstimothy @fspmarshall
Perform all tests on the following configurations:
[x] With default networking configuration
[x] With Proxy Peering Enabled
[ ] With TLS Routing Enabled
Cluster with 10K direct dial nodes:
Cluster with 10K reverse tunnel nodes:
Cluster with 500 trusted clusters:
[x] etcd
[x] DynamoDB
[ ] Firestore
Soak Test @rosstimothy @fspmarshall
Run 30 minute soak test with a mix of interactive/non-interactive sessions for both direct and reverse tunnel nodes:
Observe prometheus metrics for goroutines, open files, RAM, CPU, Timers and make sure there are no leaks
Concurrent Session Test
Run a concurrent session test that will spawn 5 interactive sessions per node in the cluster:
Robustness @rosstimothy @fspmarshall
Connectivity Issues:
[x] Verify that a lack of connectivity to Auth does not prevent access to resources which do not require a moderated session and in async recording mode from an already issued certificate.
[x] Verify that a lack of connectivity to Auth prevents access to resources which require a moderated session and in async recording mode from an already issued certificate.
Teleport with Cloud Providers @hugoShaka
AWS @hugoShaka
GCP @hugoShaka
IBM @hugoShaka
Application Access @mdwn
- `debug_app: true` works.
- `name.rootProxyPublicAddr` as well as `publicAddr`.
- `name.rootProxyPublicAddr`.
- `app.session.start` and `app.session.chunk` events are created in the Audit Log.
- `app.session.chunk` points to a 5 minute session archive with multiple `app.session.request` events inside.
- `tsh play <chunk-id>` can fetch and print a session chunk archive.
- `tsh app login`.
- `tsh aws` commands.
- `tsh app login`.
- `tsh az` commands.
- `tsh proxy az` and `az` commands.
- `tsh app login`.
- `tsh gcloud` commands.
- `tsh gsutil` commands.
- `tsh proxy gcloud` and `gcloud`/`gsutil` commands.
- `tctl create`.
- `tctl create -f`.
- `tctl rm`.
- `Add Application` dialogue works (refresh app screen to see it registered)
Database Access @smallinsky
- `db.session.start` is emitted when you connect.
- `db.session.end` is emitted when you disconnect.
- `db.session.query` is emitted when you execute a SQL query.
- `tsh db ls` shows only databases matching role's `db_labels`.
- `db_users`.
- `db_names`.
- `db.session.start` is emitted when connection attempt is denied.
- `db_names`.
- `db.session.query` is emitted when command fails due to permissions.
- `tsh db connect`.
- `tctl create`.
- `tctl create -f`.
- `tctl rm`.
- `name`, `description`, `type`, and `labels`
- Step 2
- login value matching the rows `name` column
- `labels`
TLS Routing @smallinsky
- `multiplex` mode
- `auth_service.proxy_listener_mode: "multiplex"` @Tener
- `web_proxy_addr == tunnel_addr`
- `tsh db connect` works through proxy running in `multiplex` mode
- `tsh db proxy` with a GUI client. @greedy52 @GavinFrazar @smallinsky @Tener
- `multiplex` mode
- `ssh -o "ForwardAgent yes" -o "ProxyCommand tsh proxy ssh" user@host.example.com`
- `ssh -o "ForwardAgent yes" -o "ProxyCommand tsh proxy ssh --user=%r --cluster=leaf-cluster %h:%p" user@node.foo.com`
- `tsh ssh` access through proxy running in multiplex mode
- `multiplex` mode
Desktop Access @ibeckermayer
- (`listen_addr`):
- `hosts` section.
- `hosts` section.
- `windows_desktop_service`s to the same Teleport cluster, verify that connections to desktops on different AD domains work. (Attempt to connect several times to verify that you are routed to the correct `windows_desktop_service`)
- `client_idle_timeout` to a small value and verify that idle sessions are terminated (the session should end and an audit event will confirm it was due to idle connection)
- `teleport.dev/origin` label.
- `teleport.dev` labels for OS, OS Version, DNS hostname.
- (`desktop_directory_sharing: false`) and confirm that the option to share a directory doesn't appear in the menu
- (`mode: node-sync` or `mode: proxy-sync`)
- (`mode: node` or `mode: proxy`)
- `windows.desktop.session.start` (`TDP00I`) emitted on start
- `windows.desktop.session.start` (`TDP00W`) emitted when session fails to start (due to RBAC, for example)
- `client.disconnect` (`T3006I`) emitted when session is terminated by or fails to start due to lock
- `windows.desktop.session.end` (`TDP01I`) emitted on end
- `desktop.clipboard.send` (`TDP02I`) emitted for local copy -> remote paste
- `desktop.clipboard.receive` (`TDP03I`) emitted for remote copy -> local paste
- `desktop.directory.share` (`TDP04I`) emitted when Teleport starts sharing a directory
- `desktop.directory.read` (`TDP05I`) emitted when a file is read over the shared directory
- `desktop.directory.write` (`TDP06I`) emitted when a file is written to over the shared directory
Binaries compatibility @tobiaszheller
`tsh` runs on:
Machine ID @timothyb89
SSH
With a default Teleport instance configured with an SSH node:
- `tctl bots add robot --roles=access`. Follow the instructions provided in the output to start `tbot`
- `ssh_config` in the destination directory
- `SIGUSR1` and `SIGHUP` to a running tbot process causes a renewal and new certificates to be generated
- `ssh_config` provided by `tbot` after each phase of a manual CA rotation.
Ensure the above tests are completed for both:
DB Access
With a default Postgres DB instance, a Teleport instance configured with DB access and a bot user configured:
- `tbot db` while `tbot start` is running
Host users creation @lxea
Host users creation docs Host users creation RFD
- `teleport-system` group
- `disable_create_host_user: true` stops user creation from occurring
CA rotations @espadolini
(`tctl get cert_authority`)
- `standby` phase: only `active_keys`, no `additional_trusted_keys`
- `init` phase: `active_keys` and `additional_trusted_keys`
- `update_clients` and `update_servers` phases: the certs from the `init` phase are swapped
- `standby` phase: only the new certs remain in `active_keys`, nothing in `additional_trusted_keys`
- `rollback` phase (second pass, after completing a regular rotation): same content as in the `init` phase
- `standby` phase after `rollback`: same content as in the previous `standby` phase
- `tsh app login`
- `kubectl get po` after `tsh kube login`
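As an added example (not part of the test plan and not Teleport's own code), a Python check that compares a `cert_authority` resource against the per-phase key expectations listed above, so each phase of a manual rotation can be verified from a saved `tctl get cert_authority` snapshot instead of by eye. The resource shape (`spec.active_keys`, `spec.additional_trusted_keys`, `spec.rotation.phase`, JSON-formatted) and the sample key material are assumptions.

```python
"""Check a cert_authority resource against the expected key layout for each CA rotation phase."""
from __future__ import annotations


def key_ids(keyset: dict | None) -> frozenset[str]:
    """Reduce a keyset (ssh/tls/jwt entry lists) to the set of public material it holds."""
    ids = set()
    for kind, entries in (keyset or {}).items():
        for entry in entries:
            ids.add(f"{kind}:{entry.get('public_key') or entry.get('cert')}")
    return frozenset(ids)


def check_phase(ca: dict, init_ca: dict | None = None, prev_standby_ca: dict | None = None) -> list[str]:
    """Return the expectations from the checklist that `ca` violates (empty list means OK).

    init_ca is the snapshot taken in the init phase; prev_standby_ca is the snapshot taken in
    the standby phase before a rollback. Each is only needed for the phases defined against it."""
    spec = ca["spec"]
    phase = spec.get("rotation", {}).get("phase") or "standby"
    active = key_ids(spec.get("active_keys"))
    extra = key_ids(spec.get("additional_trusted_keys"))
    problems: list[str] = []
    if phase == "standby":
        if not active:
            problems.append("standby: active_keys is empty")
        if extra:
            problems.append("standby: additional_trusted_keys must be empty")
        if prev_standby_ca is not None:  # standby reached through a rollback
            if active != key_ids(prev_standby_ca["spec"].get("active_keys")):
                problems.append("standby after rollback: active_keys differ from the previous standby")
        elif init_ca is not None:  # standby reached by completing the rotation
            if active != key_ids(init_ca["spec"].get("additional_trusted_keys")):
                problems.append("standby: active_keys are not the new certs introduced in init")
    elif phase == "init":
        if not active or not extra:
            problems.append("init: both active_keys and additional_trusted_keys must be present")
        if active & extra:
            problems.append("init: old and new certs overlap")
    elif phase in ("update_clients", "update_servers", "rollback"):
        if init_ca is None:
            problems.append(f"{phase}: an init-phase snapshot is required to compare against")
        else:
            init_active = key_ids(init_ca["spec"].get("active_keys"))
            init_extra = key_ids(init_ca["spec"].get("additional_trusted_keys"))
            if phase == "rollback":
                ok = active == init_active and extra == init_extra  # same as init
            else:
                ok = active == init_extra and extra == init_active  # init keys swapped
            if not ok:
                problems.append(f"{phase}: keys do not match the init snapshot")
    else:
        problems.append(f"unknown rotation phase {phase!r}")
    return problems


def make_ca(phase: str, active: dict, extra: dict) -> dict:
    """Constructed sample in the assumed shape of a JSON-formatted cert_authority resource."""
    return {"kind": "cert_authority",
            "spec": {"type": "host", "cluster_name": "example.com",
                     "rotation": {"phase": phase},
                     "active_keys": active, "additional_trusted_keys": extra}}


# Constructed placeholder key material standing in for the real base64 blobs.
OLD = {"ssh": [{"public_key": "OLD-SSH"}], "tls": [{"cert": "OLD-TLS"}]}
NEW = {"ssh": [{"public_key": "NEW-SSH"}], "tls": [{"cert": "NEW-TLS"}]}
```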
EC2 Discovery @lxea
EC2 Discovery docs
Documentation @ptgott @alexfornuto
Checks should be performed on the version of documentation corresponding to the major release we're testing for. For example, for Teleport 12 release use `branch/v12` branch and make sure to select "Version 12.0" in the documentation version switcher.
[x] Verify installation instructions are accurate:
[x] Verify getting started instructions are accurate:
[ ] Verify upcoming releases page is accurate:
[ ] Verify Teleport versions throughout documentation are correct and reflect upcoming release: (@alexfornuto )
[x] Verify that all necessary documentation for the release was backported to release branch: (@alexfornuto )
[x] Verify deprecated Teleport versions are added to the older versions page: See gravitational/docs#222
[x] Verify `gravitational/docs` version configuration (@ptgott ): See gravitational/docs#222
- `gravitational/docs/config.json`
- `gravitational/docs/.gitmodules` contains latest release
[ ] Verify changelog is up-to-date and complete for the default docs version (@alexfornuto ):
[ ] Verify supported versions table in FAQ: https://github.com/gravitational/teleport/pull/20632
Resources
Quick GitHub/SAML/OIDC Setup Tips