Closed r0mant closed 1 year ago
Creating a Kubernetes join token returns no message: https://github.com/gravitational/teleport/issues/24733
~Web UI has no favicon: https://github.com/gravitational/teleport/issues/24773~
Fixed
Agentless/OpenSSH guide doesn't work: https://github.com/gravitational/teleport/issues/24778
~`public_addr` no longer accepts `https://`: https://github.com/gravitational/teleport/issues/24796~
Fixed
~Hardware Key support bug: https://github.com/gravitational/teleport/issues/24866~
And the fix: https://github.com/gravitational/teleport/pull/24867
Minor UX log entry issue for `tsh db connect`: https://github.com/gravitational/teleport/issues/24879 cc: @GavinFrazar
~Can't SSH to agentless nodes from Web UI: https://github.com/gravitational/teleport/issues/24922~
Fixed
Enhanced session recording does not capture disk events - looks like a known issue so I'm checking it as complete.
`tsh proxy ssh` tries to prompt for password on invalid login when stdin is not a terminal: https://github.com/gravitational/teleport/issues/24925
~Forwarding SSH agent with OpenSSH to agentless node hangs on exit: https://github.com/gravitational/teleport/issues/24936~
Fixed
~Proxy is unable to join the cluster when using the default Kube join mechanism in the Helm chart: https://github.com/gravitational/teleport/issues/24941~
Fixed
~tsh attempts relogin for "ambiguous host" errors: https://github.com/gravitational/teleport/issues/24943~
Fixed
scp to agentless nodes allowed in spite of RBAC denial: #24949
Fixed
YubiHSM2 SDK version 2023.01 not supported: #25017
~Trusted cluster OpenSSH `tsh config` incorrect config generation: #25018~
This is working as expected.
DynamoDB db access requires additional configuration which isn't mentioned in docs or handled by tsh: https://github.com/gravitational/teleport/issues/25063
Can't openssh or Web SSH from root cluster to Agentless in leaf cluster (this request can be only executed by a proxy): https://github.com/gravitational/teleport/issues/25068
Fixed
~Web SSH connections to an Agentless node do not show the node name in the session recordings list: https://github.com/gravitational/teleport/issues/25072~
Fixed
Role impersonated certificates do not work with Agentless SSH proxy re-issuing https://github.com/gravitational/teleport/issues/25083
Fixed
agentless OpenSSH guide does not explain required permissions to create node resources: https://github.com/gravitational/teleport/issues/25129
~Proxy can't connect to the Auth when installing Teleport with helm chart #25149~
Fixed
Several UI bugs in Discover for Desktop Access
~`tsh ssh -J leaf.proxy.example.com leaf-node` only works when root auth/proxy is shut down - https://github.com/gravitational/teleport/issues/25178~
Fixed
Differences in docs pages between `master` and `v13`, including the git commits on `master` that aren't present in `v13` for each page (I can't just use `git log` here because backport refs aren't identical to their source refs):

```shell
$ git diff --name-only origin/master origin/branch/v13 -- docs/pages | xargs -I{} bash -c '
git log --oneline origin/branch/v13..origin/master -- {}
'
59ebccb538 docs: Login Rule k8s operator docs (#23888)
59ebccb538 docs: Login Rule k8s operator docs (#23888)
bb1f9899c1 Alphabetize the GUI Client page (#25013)
3d17be5a1d docs: add information on viewing status and logs for systemd service (#25139)
59ebccb538 docs: Login Rule k8s operator docs (#23888)
```
Looks like these all have outstanding backports, so I think all is good.
@alexfornuto @avatus What do you think is the best way right now to ensure that the "Upcoming Releases" page only exists for the default docs version?
We could add a redirect from `/preview/upcoming-releases/` to https://goteleport.com/docs/preview/upcoming-releases in the non-default branches, but that will quickly become difficult to maintain (unless we change the test plan to be really specific about what we need to change with each release).
Another option is deleting this page for non-default versions and not adding a redirect, but that might lead to 404s.
```
> tsh bench --duration=30m ssh root@node-agents-6dcccfd8df-22rfr-01 ls

* Requests originated: 17998
* Requests failed: 0

Histogram

Percentile Response Duration
---------- -----------------
25         195 ms
50         227 ms
75         284 ms
90         354 ms
95         403 ms
99         548 ms
100        1353 ms
```

```
> tsh bench --duration=30m ssh --random root@all ls

* Requests originated: 17998
* Requests failed: 0

Histogram

Percentile Response Duration
---------- -----------------
25         229 ms
50         258 ms
75         301 ms
90         354 ms
95         397 ms
99         533 ms
100        2475 ms
```

```
> tsh bench --duration=30m ssh root@foo=bar ls

* Requests originated: 17982
* Requests failed: 0

Histogram

Percentile Response Duration
---------- -----------------
25         719 ms
50         1294 ms
75         4591 ms
90         18735 ms
95         24047 ms
99         28415 ms
100        35935 ms
```
I've suggested some edits to the `teleport-cluster` Helm guide in the course of testing it: https://github.com/gravitational/teleport/pull/25287
In the Teleport Enterprise Cloud Getting Started guide, v13 has some UI differences from v12 for adding servers (including light mode), but I'm not going to update the screenshots this week since I have some higher-priority items to take care of. The overall server registration flow shown in the guide still works as intended.
Outdated OneLogin screenshot: https://github.com/gravitational/teleport/pull/25290
Bucket ACL issues with terraform: https://github.com/gravitational/teleport/pull/25113
~`tsh ssh` returns ambiguous EOF error when devices are locked: https://github.com/gravitational/teleport.e/issues/1240~
Fixed
~`tsh ssh` and `tsh ls` not working when cluster is upgraded to alpha.2: https://github.com/gravitational/teleport/issues/25365~
Fixed
Using OpenSSH `ssh` to connect to leaf agentless nodes results in hostkey warning: https://github.com/gravitational/teleport/issues/25511
joining agentless moderated sessions doesn't work: https://github.com/gravitational/teleport/issues/25522
Working as expected
creating moderated sessions for a leaf node is not enforced: https://github.com/gravitational/teleport/issues/25557
note: Elevated CPU is presumed to be due to a cache bug that was causing frequent resets of the "remote proxy" cache, and will be fixed in the final v13 release.
Tunnel bench:

```
tsh bench ssh --duration=30m root@node-agents-77ff5cb7c7-zspkf-19 ls

* Requests originated: 17999
* Requests failed: 0

Histogram

Percentile Response Duration
---------- -----------------
25         118 ms
50         127 ms
75         136 ms
90         140 ms
95         143 ms
99         155 ms
100        6839 ms
```

Tunnel Random:

```
tsh bench ssh --duration=30m --random root@all ls

* Requests originated: 17999
* Requests failed: 0

Histogram

Percentile Response Duration
---------- -----------------
25         123 ms
50         130 ms
75         140 ms
90         150 ms
95         159 ms
99         187 ms
100        6823 ms
```

Label-Based:

```
tsh bench ssh --duration=30m root@fullname=node-agents-77ff5cb7c7-zxxg4-19 ls

* Requests originated: 17999
* Requests failed: 0

Histogram

Percentile Response Duration
---------- -----------------
25         164 ms
50         172 ms
75         179 ms
90         187 ms
95         192 ms
99         209 ms
100        6859 ms
```

Direct Dial:

```
tsh bench ssh --duration=30m root@node-agents-77ff5cb7c7-zsw4p-19 ls

* Requests originated: 17999
* Requests failed: 0

Histogram

Percentile Response Duration
---------- -----------------
25         108 ms
50         113 ms
75         116 ms
90         126 ms
95         133 ms
99         145 ms
100        6803 ms
```
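Comparing the `tsh bench` histograms above against a previous release by eye is error-prone, so here is a small parser that turns a report into numbers and flags the watched percentiles that slowed down. This is an added example, not Teleport's code: it assumes the report layout shown in the runs on this page (the `* Requests originated:` / `* Requests failed:` lines followed by `<percentile> <duration> ms` rows), and the two embedded reports are constructed from figures quoted on the page.

```python
"""Parse `tsh bench` histogram output and flag latency regressions.

Added example, not Teleport's own code. It assumes the report layout shown in
the `tsh bench` runs on this page: `* Requests originated:` / `* Requests
failed:` lines followed by `<percentile> <duration> ms` rows. The two sample
reports below are constructed from figures quoted on the page.
"""
import re
from dataclasses import dataclass

# Constructed sample input: a direct-dial run used as the baseline ...
BASELINE_RUN = """\
* Requests originated: 17999
* Requests failed: 0
Histogram
Percentile Response Duration
---------- -----------------
25 108 ms
50 113 ms
75 116 ms
90 126 ms
95 133 ms
99 145 ms
100 6803 ms
"""

# ... and a label-based run that should be flagged as a regression.
CANDIDATE_RUN = """\
* Requests originated: 17982
* Requests failed: 0
Histogram
Percentile Response Duration
---------- -----------------
25 719 ms
50 1294 ms
75 4591 ms
90 18735 ms
95 24047 ms
99 28415 ms
100 35935 ms
"""

COUNT_RE = re.compile(r"^\*\s*Requests\s+(originated|failed):\s*(\d+)\s*$")
ROW_RE = re.compile(r"^\s*(\d{1,3})\s+(\d+)\s*ms\s*$")


@dataclass
class BenchResult:
    originated: int
    failed: int
    percentiles: dict  # percentile -> response duration in ms


def parse_bench(text: str) -> BenchResult:
    """Parse one report; raise ValueError if the counts or histogram are missing."""
    counts, percentiles = {}, {}
    for line in text.splitlines():
        m = COUNT_RE.match(line)
        if m:
            counts[m.group(1)] = int(m.group(2))
            continue
        m = ROW_RE.match(line)
        if m:
            percentiles[int(m.group(1))] = int(m.group(2))
    if not {"originated", "failed"} <= set(counts) or not percentiles:
        raise ValueError("not a complete tsh bench report")
    return BenchResult(counts["originated"], counts["failed"], percentiles)


def regressions(baseline: BenchResult, candidate: BenchResult,
                max_ratio: float = 1.5, watch=(50, 95, 99)) -> dict:
    """Map each watched percentile that is more than max_ratio times slower than
    the baseline to its slowdown ratio; 'failed' is set if any request failed."""
    found = {}
    if candidate.failed:
        found["failed"] = candidate.failed
    for p in watch:
        ratio = candidate.percentiles[p] / baseline.percentiles[p]
        if ratio > max_ratio:
            found[p] = round(ratio, 2)
    return found


if __name__ == "__main__":
    print(regressions(parse_bench(BASELINE_RUN), parse_bench(CANDIDATE_RUN)))
```

The threshold and watched percentiles are deliberately parameters: tail percentiles (p95/p99) are where the label-based matching run above diverges from direct dial, while the p100 column is dominated by single outliers and is left out of the default set.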
Manual Testing Plan
Below are the items that should be manually tested with each release of Teleport. These tests should be run on both a fresh installation of the version to be released as well as an upgrade of the previous version of Teleport.
- [x] Adding nodes to a cluster @atburke
- [x] Labels @lxea
- [x] Trusted Clusters @EdwardDowling
- [x] RBAC @nklaassen
  - Make sure that invalid and valid attempts are reflected in audit log. Do this with both Teleport and Agentless nodes.
- [x] Verify that custom PAM environment variables are available as expected. @nklaassen
- [x] Users @codingllama
  - With every user combination, try to login and signup with invalid second factor, invalid password to see how the system reacts.
  - WebAuthn in the release `tsh` binary is implemented using libfido2 for linux/macOS. Ask for a statically built pre-release binary for realistic tests. (`tsh fido2 diag` should work in our binary.) Webauthn in Windows build is implemented using `webauthn.dll`. (`tsh webauthn diag` with security key selected in dialog should work.) Touch ID requires a signed `tsh`, ask for a signed pre-release binary so you may run the tests. Windows Webauthn requires Windows 10 19H1 and device capable of Windows Hello.
  - `tsh mfa add`
  - `tsh mfa add`
  - `tsh mfa add`
  - `tsh mfa ls`
  - `tsh mfa rm`
  - `tsh mfa rm`
  - `second_factor: on` in `auth_service`, should fail
  - `second_factor: optional` in `auth_service`, should succeed
  - `tsh mfa add`
  - U2F devices must be registered in a previous version of Teleport. Using Teleport v9, set `auth_service.authentication.second_factor = u2f`, restart the server and then register an U2F device (`tsh mfa add`). Upgrade the installation to the current Teleport version (one major at a time) and try to log in using the U2F device as your second factor - it should work.
- [x] Backends @timothyb89
- [x] Session Recording @Joerger
- [x] Enhanced Session Recording @Joerger
  - `disk`, `command` and `network` events are being logged.
  - `enhanced_recording` role option.
- [x] Restricted Session @Joerger
- [x] Audit Log @atburke
  - `server_id` is the ID of the node in "session_recording: node" mode
  - `server_id` is the ID of the node in "session_recording: proxy" mode
  - `forwarded_by` is the ID of the proxy in "session_recording: proxy" mode
  - Node/Proxy ID may be found at `/var/lib/teleport/host_uuid` in the corresponding machine. Node IDs may also be queried via `tctl nodes ls`.
  - `scp` commands are recorded
  - Subsystem testing may be achieved using both Recording Proxy mode and OpenSSH integration. Assuming the proxy is `proxy.example.com:3023` and `node1` is a node running OpenSSH/sshd, you may use the following command to trigger a subsystem audit log:
- [x] Interact with a cluster using `tsh` @capnspacehook These commands should ideally be tested for recording and non-recording modes as they are implemented in different ways.
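The Audit Log checks above (which ID lands in `server_id` and `forwarded_by` per recording mode, and that `scp` commands are recorded) can be verified mechanically over an exported audit log. The following Python script is an added example, not Teleport's code: it assumes JSON-lines audit events carrying the fields the checklist names (`event`, `sid`, `server_id`, `forwarded_by`) and takes the node and proxy IDs a tester would read from `/var/lib/teleport/host_uuid`; the IDs and all events embedded below are constructed.

```python
"""Check session.start audit events against the server_id / forwarded_by expectations.

Added example, not Teleport's own code. It assumes JSON-lines audit events
carrying the fields the checklist names (`event`, `sid`, `server_id`,
`forwarded_by`) and takes the node and proxy IDs that would be read from
`/var/lib/teleport/host_uuid`. Both IDs and all events below are constructed.
"""
import json

NODE_ID = "11111111-1111-4111-8111-111111111111"   # constructed placeholder
PROXY_ID = "22222222-2222-4222-8222-222222222222"  # constructed placeholder

# Constructed audit log: one node-mode session, one proxy-mode session with an
# scp transfer, and one proxy-mode session whose server_id is not our node.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"event": "session.start", "sid": "s1", "server_id": NODE_ID, "login": "root"},
    {"event": "session.start", "sid": "s2", "server_id": NODE_ID, "forwarded_by": PROXY_ID},
    {"event": "scp", "sid": "s2", "action": "upload", "path": "/tmp/report.txt"},
    {"event": "session.end", "sid": "s2"},
    {"event": "session.start", "sid": "s3", "server_id": "deadbeef-unknown", "forwarded_by": PROXY_ID},
])


def recording_mode(event: dict) -> str:
    """'proxy' when the proxy forwarded the session (forwarded_by set), else 'node'."""
    return "proxy" if event.get("forwarded_by") else "node"


def audit_session_starts(log_text: str, node_id: str, proxy_id: str) -> dict:
    """Per session: detected recording mode, ID mismatches, and scp events seen."""
    sessions = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event") == "session.start":
            mode = recording_mode(ev)
            problems = []
            if ev.get("server_id") != node_id:
                problems.append("server_id is not the node's host_uuid")
            if mode == "proxy" and ev.get("forwarded_by") != proxy_id:
                problems.append("forwarded_by is not the proxy's host_uuid")
            sessions[ev["sid"]] = {"mode": mode, "problems": problems, "scp_events": 0}
        elif ev.get("event") == "scp" and ev.get("sid") in sessions:
            sessions[ev["sid"]]["scp_events"] += 1
    return sessions


if __name__ == "__main__":
    for sid, info in audit_session_starts(SAMPLE_AUDIT_LOG, NODE_ID, PROXY_ID).items():
        print(sid, info)
```

Run it against a real export by replacing `SAMPLE_AUDIT_LOG` with the file contents and the two IDs with the `host_uuid` values from the machines under test; a non-empty `problems` list for any session is the finding to chase.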
- [x] Interact with a cluster using `ssh` @capnspacehook Make sure to test both recording and regular proxy modes.
- [x] Verify proxy jump functionality @Joerger Log into leaf cluster via root, shut down the root proxy and verify proxy jump works.
- [x] Interact with a cluster using the Web UI @EdwardDowling
- [x] `tsh` CA loading @atburke Create a trusted cluster pair with a node in the leaf cluster. Log into the root cluster.
  - `load_all_cas` on the root auth server is `false` (default) - `tsh ssh leaf.node.example.com` results in access denied.
  - `load_all_cas` on the root auth server is `true` - `tsh ssh leaf.node.example.com` succeeds.
- [x] X11 Forwarding @Joerger
  - `xeyes` and `xclip`: `apt install x11-apps xclip`
  - `xeyes`. Then `brew install xclip`.
  - `ssh_service.x11.enabled = yes`
  - `tsh ssh -X user@node xeyes`
  - `tsh ssh -X root@node xeyes`
  - `tsh ssh -Y server01 "echo Hello World | xclip -sel c && xclip -sel c -o"` should print "Hello World"
  - `tsh ssh -X server01 "echo Hello World | xclip -sel c && xclip -sel c -o"` should fail with "BadAccess" X error
- User accounting @atburke
  - `/var/run/utmp` on Linux.
  - `/var/log/wtmp` on Linux.
- Combinations @strideynet
For some manual testing, many combinations need to be tested. For example, for interactive sessions the 12 combinations are below.
- Teleport with EKS/GKE @tigrato
- Teleport with multiple Kubernetes clusters @AntonAM
  - Note: you can use GKE or EKS or minikube to run Kubernetes clusters. Minikube is the only caveat - it's not reachable publicly so don't run a proxy there.
  - `tsh login`, check that `tsh kube ls` has your cluster
  - `kubectl get nodes`, `kubectl exec -it $SOME_POD -- sh`
  - `tsh login`, check that `tsh kube ls` has your cluster
  - `kubectl get nodes`, `kubectl exec -it $SOME_POD -- sh`
  - `tsh login`, check that `tsh kube ls` has your cluster
  - `kubectl get nodes`, `kubectl exec -it $SOME_POD -- sh`
  - `tsh login`, check that `tsh kube ls` has both clusters
  - `tsh kube login`
  - `kubectl get nodes`, `kubectl exec -it $SOME_POD -- sh` on the new cluster
  - `tsh login`, check that `tsh kube ls` has all clusters
  - `name` and `labels`
  - Step 2
  - login value matching the rows `name` column
  - `name` or `labels` in the search bar works
  - `name` column
- Kubernetes auto-discovery @tigrato
  - `tctl create`.
  - `tctl create -f`.
  - `tctl rm`.
- Kubernetes Secret Storage @AntonAM
  - `Statefulset`
- Kubernetes Pod RBAC @AntonAM
  - `kubernetes_resources`:
    - `{"kind":"pod","name":"*","namespace":"*"}` - must allow access to every pod.
    - `{"kind":"pod","name":"<somename>","namespace":"*"}` - must allow access to pod `<somename>` in every namespace.
    - `{"kind":"pod","name":"*","namespace":"<somenamespace>"}` - must allow access to any pod in `<somenamespace>` namespace.
    - `*` wildcards - `<some-name>-*` and regex for `name` and `namespace` fields.
  - `go-client`.
  - `kubernetes_resources`:
  - `kubernetes_groups` that denies exec into a pod
  - `search_as_roles` is not allowed.
- Kubernetes credentials forwarding @tigrato
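The Kubernetes Pod RBAC bullets above describe the `kubernetes_resources` rule shapes a tester has to exercise (all pods, one name everywhere, one namespace, `<some-name>-*` globs and regexes). The Python below is an added example, not Teleport's implementation: it evaluates those rule shapes against a constructed pod inventory so the expected allow/deny outcome of each case can be checked before running it against a cluster. It assumes `*` matches any run of characters, a value starting with `^` is a full regular expression, `kind: pod` or `kind: *` covers pods, and a matching deny rule wins over any allow rule; the roles and pods are constructed.

```python
"""Evaluate kubernetes_resources pod rules the way the checklist above exercises them.

Added example, not Teleport's own code. Assumptions: `*` matches any run of
characters (so `web-*` is a prefix glob), a value that starts with `^` is a
full regular expression, rules with `kind: pod` or `kind: *` cover pods, and a
matching deny rule wins over any allow rule. Roles and pods are constructed.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Role:
    name: str
    allow: list = field(default_factory=list)  # allow.kubernetes_resources entries
    deny: list = field(default_factory=list)   # deny.kubernetes_resources entries


def field_matches(pattern: str, value: str) -> bool:
    """Match a name/namespace field: regex when anchored with '^', else '*' glob."""
    if pattern.startswith("^"):
        return re.match(pattern, value) is not None
    # Assumed glob semantics: only '*' is special; everything else is literal.
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value) is not None


def rule_matches(rule: dict, pod: dict) -> bool:
    """True when one kubernetes_resources entry covers this pod."""
    return (rule.get("kind") in ("pod", "*")
            and field_matches(rule.get("name", "*"), pod["name"])
            and field_matches(rule.get("namespace", "*"), pod["namespace"]))


def pod_access_allowed(roles, pod) -> bool:
    """Deny if any deny rule matches; otherwise allow if any allow rule matches."""
    if any(rule_matches(r, pod) for role in roles for r in role.deny):
        return False
    return any(rule_matches(r, pod) for role in roles for r in role.allow)


def allowed_pods(roles, pods) -> list:
    """Pods (as 'namespace/name') the role set grants access to, sorted."""
    return sorted(f"{p['namespace']}/{p['name']}" for p in pods if pod_access_allowed(roles, p))


# Constructed roles, one per bullet in the checklist.
ALL_PODS = Role("all-pods", allow=[{"kind": "pod", "name": "*", "namespace": "*"}])
ONE_NAME = Role("one-name", allow=[{"kind": "pod", "name": "nginx", "namespace": "*"}])
ONE_NAMESPACE = Role("one-ns", allow=[{"kind": "pod", "name": "*", "namespace": "team-a"}])
GLOB_AND_REGEX = Role("glob-regex", allow=[
    {"kind": "pod", "name": "web-*", "namespace": "^(prod|staging)-[a-z]+$"},
])
# Allow everything, but deny kube-system: the deny rule must win.
NO_KUBE_SYSTEM = Role("no-kube-system",
                      allow=[{"kind": "pod", "name": "*", "namespace": "*"}],
                      deny=[{"kind": "pod", "name": "*", "namespace": "kube-system"}])

# Constructed pod inventory.
PODS = [
    {"name": "nginx", "namespace": "team-a"},
    {"name": "nginx", "namespace": "team-b"},
    {"name": "redis", "namespace": "team-a"},
    {"name": "web-1", "namespace": "prod-eu"},
    {"name": "webx", "namespace": "prod-eu"},
    {"name": "web-2", "namespace": "dev"},
    {"name": "coredns", "namespace": "kube-system"},
]

if __name__ == "__main__":
    for role in (ALL_PODS, ONE_NAME, ONE_NAMESPACE, GLOB_AND_REGEX, NO_KUBE_SYSTEM):
        print(role.name, allowed_pods([role], PODS))
```

The deny-wins check is the one worth keeping in mind when testing `search_as_roles` and multi-role users: a pod reachable through one role must still be blocked when any other role carries a matching deny entry.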
- Teleport with FIPS mode @atburke
- ACME @marcoandredinis
- Migrations @r0mant @zmb3
- Command Templates
  - When interacting with a cluster, the following command templates are useful:
  - OpenSSH
  - Teleport
- Teleport with SSO Providers
  - GitHub External SSO @Tener
  - `tctl sso` family of commands @Tener For help with setting up sso connectors, check out the Quick GitHub/SAML/OIDC Setup Tips
    - `tctl sso configure` helps to construct a valid connector definition:
      - `tctl sso configure github ...` creates valid connector definitions
      - `tctl sso configure oidc ...` creates valid connector definitions
      - `tctl sso configure saml ...` creates valid connector definitions
    - `tctl sso test` tests a provided connector definition, which can be loaded from file or piped in with `tctl sso configure` or `tctl get --with-secrets`. Valid connectors are accepted, invalid are rejected with sensible error messages.
    - `tctl sso test`. @Tener
- Teleport Plugins @EdwardDowling
- AWS Node Joining @nklaassen
  - Docs
  - `ec2:DescribeInstances` permissions for local account: `TELEPORT_TEST_EC2=1 go test ./integration -run TestEC2NodeJoin`
  - `TELEPORT_TEST_EC2=1 go test ./integration -run TestIAMNodeJoin`
- Kubernetes Node Joining @hugoShaka
- Azure Node Joining @atburke
  - Docs
- Cloud Labels @atburke
  - `foo`: `bar`. Verify that a node running on the instance has label `aws/foo=bar`.
  - `foo`: `bar`. Verify that a node running on the instance has label `azure/foo=bar`.
- Passwordless @codingllama
  - This feature has additional build requirements, so it should be tested with a pre-release build from Drone (eg: https://get.gravitational.com/teleport-v10.0.0-alpha.2-linux-amd64-bin.tar.gz). This section complements "Users -> Managing MFA devices". `tsh` binaries for each operating system (Linux, macOS and Windows) must be tested separately for FIDO2 items.
  - [x] Diagnostics
    - Commands should pass all tests.
    - `tsh fido2 diag` (macOS/Linux)
    - `tsh touchid diag` (macOS only)
    - `tsh webauthnwin diag` (Windows only)
  - [x] Registration
    - (`tsh mfa add`, choose WEBAUTHN and passwordless)
    - (`tsh mfa add`, choose TOUCHID)
    - (`tsh mfa add`, choose WEBAUTHN and passwordless)
  - [x] Login
    - (`tsh login --auth=passwordless`)
    - (`tsh login --auth=passwordless`)
    - `tsh login --auth=passwordless --mfa-mode=cross-platform` uses FIDO2
    - `tsh login --auth=passwordless --mfa-mode=platform` uses platform authenticator
    - `tsh login --auth=passwordless --mfa-mode=auto` prefers platform authenticator
    - (`auth_service.authentication.passwordless = false`)
    - (`auth_service.authentication.connector_name = passwordless`)
    - (`tsh login --auth=local`)
  - [x] Touch ID support commands
    - `tsh touchid ls` works
    - `tsh touchid rm` works (careful, may lock you out!)
- Device Trust @sshahcodes
  - Device Trust requires Teleport Enterprise.
  - This feature has additional build requirements, so it should be tested with a pre-release build from Drone (eg: https://get.gravitational.com/teleport-v10.0.0-alpha.2-linux-amd64-bin.tar.gz). Client-side enrollment requires a signed `tsh` for macOS, make sure to use the `tsh` binary from `tsh.app`. A simple formula for testing device authorization is:
  - [x] Inventory management
    - (`tctl devices add`)
    - (`tctl devices add --enroll`)
    - (`tctl devices ls`)
    - (`tctl devices rm`)
    - (`tctl devices rm`)
    - (`tctl devices enroll`)
    - (`tctl devices enroll`)
  - [x] Device enrollment
    - (`tsh device enroll`) Note that different accesses have different certificates (Database, Kube, etc).
  - [x] Device authorization
    - Testing this requires issuing a certificate without device extensions (mode="off"), then changing the cluster configuration to mode="required" and attempting to access a process directly, without a login attempt.
    - [x] Role-based authz enforces enrolled devices (device_trust.mode="off" or "optional", role.spec.options.device_trust_mode="required")
    - [x] Device authorization works correctly for both require_session_mfa=false and require_session_mfa=true
    - [x] Device authorization applies to SSH access (all items above)
    - [x] Device authorization applies to Trusted Clusters (root with mode="optional" and leaf with mode="required")
    - [x] Device authorization applies to Database access (all items above)
    - [x] Device authorization applies to Kubernetes access (all items above)
    - [x] Device authorization does not apply to App access (both cluster-wide and role)
    - [x] Device authorization does not apply to Windows Desktop access (both cluster-wide and role)
  - [x] Device audit (see lib/events/codes.go)
  - [x] Binary support
    - `tsh` for macOS gives a sane error message for `tsh device enroll` attempts.
- Hardware Key Support @Joerger
  - Hardware Key Support is an Enterprise feature and is not available for OSS.
  - You will need a YubiKey 4.3+ to test this feature.
  - This feature has additional build requirements, so it should be tested with a pre-release build from Drone (eg: https://get.gravitational.com/teleport-ent-v11.0.0-alpha.2-linux-amd64-bin.tar.gz).
  - Server Access
    - These tests should be carried out sequentially. `tsh` tests should be carried out on Linux, MacOS, and Windows.
    - `tsh login` as user with Webauthn login and no hardware key requirement.
    - `role.role_options.require_session_mfa: hardware_key` - `tsh login --request-roles=hardware_key_required`
    - `tsh ssh`
    - `role.role_options.require_session_mfa: hardware_key_touch` - `tsh login --request-roles=hardware_key_touch_required`
    - `tsh ssh`
    - `tsh logout` and `tsh login` as the user with no hardware key requirement.
    - `auth_service.authentication.require_session_mfa: hardware_key`
    - (`tsh ls`) should force automatic re-login with yubikey
    - `tsh ssh`
    - `auth_service.authentication.require_session_mfa: hardware_key_touch`
    - (`tsh ls`) should force automatic re-login with yubikey
    - `tsh ssh`
  - Other
    - Set `auth_service.authentication.require_session_mfa: hardware_key_touch` in your cluster auth settings.
    - `tsh proxy db --tunnel`
- HSM Support @nklaassen
  - Docs
- Moderated session @marcoandredinis
  - Using `tsh` join an SSH session as two moderators (two separate terminals, role requires one moderator). `Ctrl+C` in the #1 terminal should disconnect the moderator. `Ctrl+C` in the #2 terminal should disconnect the moderator and terminate the session as session has no moderator.
  - Using `tsh` join an SSH session as two moderators (two separate terminals, role requires one moderator). `t` in any terminal should terminate the session for all participants.
- Performance @rosstimothy @fspmarshall @espadolini
  - Scaling Test
    - Scale up the number of nodes/clusters a few times for each configuration below.
      1. Verify that there are no memory/goroutine/file descriptor leaks
      2. Compare the baseline metrics with the previous release to determine if resource usage has increased
      3. Restart all Auth instances and verify that all nodes/clusters reconnect
    - Perform reverse tunnel node scaling tests for all backend configurations:
      - [x] Firestore - 10k
    - Perform the following additional scaling tests on DynamoDB:
  - Soak Test
    - Run 30 minute soak test directly against direct and tunnel nodes and via label based matching. Tests should be run against a Cloud tenant.
  - Concurrent Session Test
    - Run a concurrent session test that will spawn 5 interactive sessions per node in the cluster:
  - Robustness
    - Connectivity Issues:
      - [x] Verify that a lack of connectivity to Auth does not prevent access to resources which do not require a moderated session and in async recording mode from an already issued certificate.
      - [x] Verify that a lack of connectivity to Auth prevents access to resources which require a moderated session and in async recording mode from an already issued certificate.
      - [x] Verify that an open session is not terminated when all Auth instances are restarted.
- Teleport with Cloud Providers
  - AWS @tcsc
  - GCP @tcsc
  - IBM @hugoShaka
- Application Access @mdwn
  - `debug_app: true` works.
  - `name.rootProxyPublicAddr` as well as `publicAddr`.
  - `name.rootProxyPublicAddr`.
  - `app.session.start` and `app.session.chunk` events are created in the Audit Log.
  - `app.session.chunk` points to a 5 minute session archive with multiple `app.session.request` events inside.
  - `tsh play <chunk-id>` can fetch and print a session chunk archive.
  - `tsh apps login`.
  - `tsh` commands.
  - `tsh aws`
  - `tsh aws --endpoint-url` (this is a hidden flag)
  - `tsh apps login`.
  - `tsh az` commands.
  - `tsh proxy az` and `az` commands.
  - `tsh apps login`.
  - `tsh gcloud` commands.
  - `tsh gsutil` commands.
  - `tsh proxy gcloud` and `gcloud`/`gsutil` commands.
  - `tctl create`.
  - `tctl create -f`.
  - `tctl rm`.
  - `Add Application` dialogue works (refresh app screen to see it registered)
- Database Access @smallinsky
  - (`select pg_sleep(10)` followed by ctrl-c is a good query to test.)
  - `assume_role_arn: ""` and `external_id: "<id>"`
  - `assume_role_arn: ""` and `external_id: "<id>"`
  - `assume_role_arn: ""` and `external_id: "<id>"`
  - `db.session.start` is emitted when you connect.
  - `db.session.end` is emitted when you disconnect.
  - `db.session.query` is emitted when you execute a SQL query.
  - `tsh db ls` shows only databases matching role's `db_labels`.
  - `db_users`.
  - `db_names`. @smallinsky
  - `db.session.start` is emitted when connection attempt is denied.
  - `db_names`. @Tener
  - `db.session.query` is emitted when command fails due to permissions.
  - `tsh db connect`.
  - `tctl create`.
  - `tctl create -f`.
  - `tctl rm`.
  - `assume_role_arn` and `external_id` is set.
  - `name`, `description`, `type`, and `labels`
  - Step 2
  - login value matching the rows `name` column
  - `labels`
- TLS Routing @smallinsky
  - [x] Verify that teleport proxy `v2` configuration starts only a single listener for proxy service, in contrast with `v1` configuration. @GavinFrazar Given configuration: There should be total of three listeners, with only `*:3080` for proxy service. Given the configuration above, 3022 and 3025 will be opened for other services. In contrast for the same configuration with version `v1`, there should be additional ports 3023 and 3024.
  - [x] Run Teleport Proxy in `multiplex` mode `auth_service.proxy_listener_mode: "multiplex"` @GavinFrazar
    - `web_proxy_addr == tunnel_addr`
  - [x] Database Access
    - `tsh db connect` works through proxy running in `multiplex` mode
    - `tsh db proxy` with a GUI client. @smallinsky @GavinFrazar @Tener @greedy52
  - [x] Application Access @smallinsky
    - `multiplex` mode
  - [x] SSH Access @GavinFrazar
    - `ssh -o "ForwardAgent yes" -o "ProxyCommand tsh proxy ssh" user@host.example.com`
    - `ssh -o "ForwardAgent yes" -o "ProxyCommand tsh proxy ssh --user=%r --cluster=leaf-cluster %h:%p" user@node.foo.com`
    - `tsh ssh` access through proxy running in multiplex mode
  - [x] Kubernetes access: @gabrielcorado
    - `multiplex` mode
  - [x] Teleport Proxy single port `multiplex` mode behind L7 load balancer
    - `tsh login` and `tctl` @smallinsky
    - `tsh ssh` and `tsh config` @gabrielcorado
    - `tsh proxy db` and `tsh db connect` @gabrielcorado
    - `tsh proxy app` and `tsh aws` @gabrielcorado
    - `tsh proxy kube` @smallinsky
- Desktop Access @ibeckermayer
  - Direct mode (set `listen_addr`):
    - `hosts` section.
  - IoT mode (reverse tunnel through proxy):
    - `hosts` section.
  - [x] Connect multiple `windows_desktop_service`s to the same Teleport cluster, verify that connections to desktops on different AD domains works. (Attempt to connect several times to verify that you are routed to the correct `windows_desktop_service`)
  - Verify user input
  - Locking
  - Labeling
  - `client_idle_timeout` to a small value and verify that idle sessions are terminated (the session should end and an audit event will confirm it was due to idle connection)
  - `teleport.dev/origin` label.
  - `teleport.dev` labels for OS, OS Version, DNS hostname.
  - RBAC
  - Clipboard Support
  - Directory Sharing
    - (`desktop_directory_sharing: false`) and confirm that the option to share a directory doesn't appear in the menu
  - Per-Session MFA (try webauthn on each of Chrome, Safari, and Firefox; u2f only works with Firefox)
  - Session Recording
    - (`mode: node-sync` or `mode: proxy-sync`)
    - (`mode: node` or `mode: proxy`)
  - Audit Events (check these after performing the above tests)
    - `windows.desktop.session.start` (`TDP00I`) emitted on start
    - `windows.desktop.session.start` (`TDP00W`) emitted when session fails to start (due to RBAC, for example)
    - `client.disconnect` (`T3006I`) emitted when session is terminated by or fails to start due to lock
    - `windows.desktop.session.end` (`TDP01I`) emitted on end
    - `desktop.clipboard.send` (`TDP02I`) emitted for local copy -> remote paste
    - `desktop.clipboard.receive` (`TDP03I`) emitted for remote copy -> local paste
    - `desktop.directory.share` (`TDP04I`) emitted when Teleport starts sharing a directory
    - `desktop.directory.read` (`TDP05I`) emitted when a file is read over the shared directory
    - `desktop.directory.write` (`TDP06I`) emitted when a file is written to over the shared directory
  - Warnings/Errors
  - Trusted Cluster / Tunneling
- Binaries compatibility @fheinecke
  - `tsh` runs on:
- Machine ID
  - SSH @strideynet
    - With a default Teleport instance configured with a SSH node:
    - `tctl bots add robot --roles=access`. Follow the instructions provided in the output to start `tbot`
    - `ssh_config` in the destination directory
    - `SIGUSR1` and `SIGHUP` to a running tbot process causes a renewal and new certificates to be generated
    - `ssh_config` provided by `tbot` after each phase of a manual CA rotation.
    - Ensure the above tests are completed for both:
  - DB Access @timothyb89
    - With a default Postgres DB instance, a Teleport instance configured with DB access and a bot user configured:
    - `tbot db` while `tbot start` is running
- Host users creation @lxea
  - Host users creation docs Host users creation RFD
  - `teleport-system` group
  - `disable_create_host_user: true` stops user creation from occurring
stops user creation from occurringCA rotations @espadolini
tctl get cert_authority
)standby
phase: onlyactive_keys
, noadditional_trusted_keys
init
phase:active_keys
andadditional_trusted_keys
update_clients
andupdate_servers
phases: the certs from theinit
phase are swappedstandby
phase: only the new certs remain inactive_keys
, nothing inadditional_trusted_keys
rollback
phase (second pass, after completing a regular rotation): same content as in theinit
phasestandby
phase afterrollback
: same content as in the previousstandby
phasetsh apps login
kubectl get po
aftertsh kube login
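The CA rotation checks above describe what `active_keys` and `additional_trusted_keys` should contain at each phase, both for a completed rotation and for a rollback. The Python below is an added example, not Teleport's rotation code: it simulates those two fields through the phase sequence the checklist lists (standby, init, update_clients, update_servers, standby, and rollback from any of the middle phases), rejecting out-of-order transitions, so a tester can compare each `tctl get cert_authority` snapshot against the expected shape. The key identifiers are constructed placeholders.

```python
"""Simulate the key sets tctl get cert_authority shows through a CA rotation.

Added example, not Teleport's own code. It models only the two fields the
checklist above inspects, `active_keys` and `additional_trusted_keys`, and the
phase transitions it lists (standby -> init -> update_clients -> update_servers
-> standby, and rollback from init/update_clients/update_servers back to
standby). Key identifiers are constructed placeholders.
"""


class CertAuthority:
    """Minimal stand-in for a cert_authority resource during rotation."""

    def __init__(self, initial_key: str):
        self.phase = "standby"
        self.active_keys = [initial_key]
        self.additional_trusted_keys = []
        self._old = None   # keys active when the current rotation started
        self._new = None   # keys generated by `init`
        self._generation = 0

    def _fresh_key(self) -> str:
        self._generation += 1
        return f"key-gen{self._generation}"   # constructed placeholder ID

    def advance(self, phase: str) -> None:
        """Move to `phase`, enforcing the order the checklist expects."""
        if phase == "init":
            if self.phase != "standby":
                raise ValueError(f"cannot init from {self.phase}")
            # init: old keys stay active, new keys are added as trusted
            self._old, self._new = list(self.active_keys), [self._fresh_key()]
            self.additional_trusted_keys = list(self._new)
        elif phase in ("update_clients", "update_servers"):
            expected = "init" if phase == "update_clients" else "update_clients"
            if self.phase != expected:
                raise ValueError(f"cannot enter {phase} from {self.phase}")
            # the certs from init are swapped: new keys active, old keys trusted
            self.active_keys = list(self._new)
            self.additional_trusted_keys = list(self._old)
        elif phase == "rollback":
            if self.phase not in ("init", "update_clients", "update_servers"):
                raise ValueError(f"cannot roll back from {self.phase}")
            # rollback: same content as the init phase
            self.active_keys = list(self._old)
            self.additional_trusted_keys = list(self._new)
        elif phase == "standby":
            if self.phase not in ("update_servers", "rollback"):
                raise ValueError(f"cannot return to standby from {self.phase}")
            # standby: only active_keys remain (the new keys after a completed
            # rotation, the previous keys after a rollback); nothing stays trusted
            self.additional_trusted_keys = []
            self._old = self._new = None
        else:
            raise ValueError(f"unknown phase {phase}")
        self.phase = phase

    def snapshot(self) -> dict:
        """The fields a tester compares in tctl get cert_authority output."""
        return {"phase": self.phase,
                "active_keys": list(self.active_keys),
                "additional_trusted_keys": list(self.additional_trusted_keys)}


def run_rotation(ca: CertAuthority, phases) -> list:
    """Apply phases in order and return the snapshot after each one."""
    out = []
    for phase in phases:
        ca.advance(phase)
        out.append(ca.snapshot())
    return out


if __name__ == "__main__":
    ca = CertAuthority("key-gen0")
    full = run_rotation(ca, ["init", "update_clients", "update_servers", "standby"])
    rolled_back = run_rotation(ca, ["init", "update_clients", "rollback", "standby"])
    for snap in full + rolled_back:
        print(snap)
```

The second pass in `__main__` is the rollback case from the checklist: after the regular rotation completes, `init` and `update_clients` run again, `rollback` restores the `init` layout, and the following `standby` leaves exactly the keys the previous `standby` had.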
- EC2 Discovery @lxea
  - EC2 Discovery docs
- IP Pinning
  - Add a role with `pin_source_ip: true` (requires Enterprise) to test IP pinning. Testing will require changing your IP (that Teleport Proxy sees). Docs: IP Pinning
  - `tsh ssh` on root cluster
  - `tsh ssh` on root cluster
  - `tsh ssh` on leaf cluster
  - `tsh ssh` on leaf cluster
- Documentation @ptgott @alexfornuto
  - Checks should be performed on the version of documentation corresponding to the major release we're testing for. For example, for Teleport 12 release use `branch/v12` branch and make sure to select "Version 12.0" in the documentation version switcher.
  - [x] Verify installation instructions are accurate:
    - [x] #25211
  - [ ] Verify upcoming releases page is accurate:
  - [x] Verify Teleport versions throughout documentation are correct and reflect upcoming release: ptgott
    - In progress in this PR: https://github.com/gravitational/teleport/pull/25230
  - [x] Verify that all necessary documentation for the release was backported to release branch ptgott:
  - [x] Verify deprecated Teleport versions are added to the older versions page ptgott
  - [x] Verify `gravitational/docs` version configuration: ptgott:
    - `gravitational/docs/config.json`: in progress in this PR: https://github.com/gravitational/docs/pull/270
    - `gravitational/docs/.gitmodules` contains latest release. In progress in this PR: https://github.com/gravitational/docs/pull/277
  - [x] Verify changelog is up-to-date and complete for the default docs version:
  - [x] Verify supported versions table in FAQ ptgott:
- Resources
  - Quick GitHub/SAML/OIDC Setup Tips