Merge branch 'master' into edwarddowling/path-style

gravitational · Jan 2, 2025 · 8a646b0 · 8a646b0
2 parents b5193ae + bb3010f
commit 8a646b0
Show file tree

Hide file tree

Showing 3,206 changed files with 118,932 additions and 50,351 deletions.
diff --git a/.eslintignore b/.eslintignore
diff --git a/.eslintrc.js b/.eslintrc.js
diff --git a/.github/ISSUE_TEMPLATE/webtestplan.md b/.github/ISSUE_TEMPLATE/webtestplan.md
@@ -230,15 +230,16 @@ spec:
 
 - [ ] Existing locks listing page.
   - [ ] It lists all of the existing locks in the system.
-  - [ ] Locks without a `Locked By` and `Start Date` are still shown with those fields empty.
+  - [ ] Locks without a `Message` are shown with this field as empty.
+  - [ ] Locks without an `Expiration` field are shown with this field as "Never".
   - [ ] Clicking the trash can deletes the lock with a spinner.
-  - [ ] Table columns are sortable.
+  - [ ] Table columns are sortable, except for the `Locked Items` column.
   - [ ] Table search field filters the results.
 - [ ] Adding a new lock. (+ Add New Lock).
   - [ ] Target switcher shows the locks for the various target types (User, Role, Login, Node, MFA Device, Windows Desktop, Access Request).
   - [ ] Target switcher has "Access Request" in E build but not in OSS.
   - [ ] You can add lock targets from multiple target types.
-  - [ ] Adding a target disables that "add button".
+  - [ ] Adding a target turnst the `Add Target` button into a `Remove` button.
   - [ ] You cannot proceed if you haven't selected targets to lock.
   - [ ] You can clear the selected targets prior to creating locks.
   - [ ] Proceeding to lock opens an animated slide panel from the right.

diff --git a/.github/workflows/build-ci-service-images.yaml b/.github/workflows/build-ci-service-images.yaml
@@ -38,13 +38,13 @@ jobs:
 
       - name: Extract metadata (tags, labels) for Docker
         id: meta
-        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
+        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 
       - name: Build etcd image
         id: docker_build
-        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
+        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
         with:
           context: ${{ github.workspace }}
           file: .github/services/Dockerfile.etcd

diff --git a/.github/workflows/build-usage-image.yaml b/.github/workflows/build-usage-image.yaml
@@ -24,7 +24,7 @@ jobs:
         with:
           registry-type: public
       # Build and publish container image on ECR.
-      - uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
+      - uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
         with:
           context: "examples/teleport-usage"
           tags: public.ecr.aws/gravitational/teleport-usage:${{ steps.version.outputs.version }}

diff --git a/.github/workflows/cla-assistant.yaml b/.github/workflows/cla-assistant.yaml
@@ -63,5 +63,5 @@ jobs:
           path-to-document: 'https://github.com/gravitational/teleport/blob/master/CLA.md'
           # branch should not be protected
           branch: 'main'
-          allowlist: '*[bot]'
+          allowlist: 'dependabot[bot],teleport-post-release-automation[bot]'
           lock-pullrequest-aftermerge: false
diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml
@@ -16,13 +16,41 @@ jobs:
       # but because of the replace, the dependency cannot find the correct
       # Teleport version.
       allow-ghsas: 'GHSA-6xf3-5hp7-xqqg'
+      # IronRDP uses MIT/Apache-2.0 but slashes are not recognized by dependency review action
       allow-dependencies-licenses: >-
+        pkg:cargo/ironrdp-core,
+        pkg:cargo/ironrdp-async,
+        pkg:cargo/ironrdp-connector,
+        pkg:cargo/ironrdp-pdu,
+        pkg:cargo/ironrdp-session,
+        pkg:cargo/ironrdp-svc,
+        pkg:cargo/ironrdp-tokio,
+        pkg:cargo/asn1-rs,
+        pkg:cargo/asn1-rs-derive,
+        pkg:cargo/asn1-rs-impl,
         pkg:cargo/curve25519-dalek-derive,
+        pkg:cargo/der-parser,
+        pkg:cargo/icu_collections,
+        pkg:cargo/icu_locid,
+        pkg:cargo/icu_locid_transform,
+        pkg:cargo/icu_locid_transform_data,
+        pkg:cargo/icu_normalizer,
+        pkg:cargo/icu_normalizer_data,
+        pkg:cargo/icu_properties,
+        pkg:cargo/icu_properties_data,
+        pkg:cargo/icu_provider,
+        pkg:cargo/icu_provider_macros,
+        pkg:cargo/litemap,
         pkg:cargo/ring,
         pkg:cargo/sspi,
         pkg:cargo/tokio-boring,
         pkg:cargo/tokio-rustls,
-        pkg:cargo/asn1-rs,
-        pkg:cargo/asn1-rs-derive,
-        pkg:cargo/asn1-rs-impl,
-        pkg:cargo/der-parser
+        pkg:cargo/writeable,
+        pkg:cargo/yoke,
+        pkg:cargo/yoke-derive,
+        pkg:cargo/zerofrom,
+        pkg:cargo/zerofrom-derive,
+        pkg:cargo/zerovec,
+        pkg:cargo/zerovec-derive,
+        pkg:npm/cspell/dict-en-common-misspellings,
+        pkg:npm/prettier
diff --git a/.github/workflows/doc-tests.yaml b/.github/workflows/doc-tests.yaml
@@ -50,7 +50,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
         with:
-          repository: 'gravitational/docs'
+          repository: 'gravitational/docs-website'
           path: 'docs'
 
       # Cache node_modules. Unlike the example in the actions/cache repo, this
@@ -80,30 +80,35 @@ jobs:
         # use for the live docs site in that we only test a single version of
         # the content.
         #
-        # To do this, we replace the three submodules we use for building the
-        # live docs site with a single submodule, pointing to the
-        # gravitational/teleport branch we are linting.
-        #
+        # To do this, we delete the three submodules we use for building the
+        # live docs site and copy a gravitational/teleport clone into the
+        # content directory.
+        # 
         # The docs engine expects a config.json file at the root of the
         # gravitational/docs clone that associates directories with git
         # submodules. By default, these directories represent versioned branches
         # of gravitational/teleport. We override this in order to build only a
         # single version of the docs.
+        #
+        # We also replace data fetched from Sanity CMS with hardcoded JSON
+        # objects to remove the need to authenticate with Sanity. Each includes
+        # the minimal set of data required for docs builds to succeed.
         run: |
           echo "" > .gitmodules
           rm -rf content/*
-          cd content
           # Rather than using a submodule, copy the teleport source into the
           # content directory.
-          cp -r $GITHUB_WORKSPACE/teleport $GITHUB_WORKSPACE/docs/content
-          cd $GITHUB_WORKSPACE/docs
-          echo "{\"versions\": [{\"name\": \"teleport\", \"branch\": \"teleport\", \"deprecated\": false}]}" > $GITHUB_WORKSPACE/docs/config.json
-          cat <<< "$(jq '.scripts."git-update" = "echo Skipping submodule update"' package.json)" > package.json
-          yarn build-node
+          cp -r "$GITHUB_WORKSPACE/teleport" "$GITHUB_WORKSPACE/docs/content/current"
+          jq -nr --arg version "current" '{"versions": [{"name": $version,"branch": $version,"deprecated": false,"isDefault": true}]}' > config.json
+          NEW_PACKAGE_JSON=$(jq '.scripts."git-update" = "echo Skipping submodule update"' package.json);
+          NEW_PACKAGE_JSON=$(jq '.scripts."prepare-sanity-data" = "echo Using pre-populated Sanity data"' <<< "$NEW_PACKAGE_JSON");
+          echo "$NEW_PACKAGE_JSON" > package.json;
+          echo "{}" > data/events.json
+          echo '{"bannerButtons":{"second":{"title":"LOG IN","url":"https://teleport.sh"},"first":{"title":"Support","url":"https://goteleport.com/support/"}},"navbarData":{"rightSide":{},"logo":"/favicon.svg","menu":[]}}' > data/navbar.json
 
       - name: Check spelling
         working-directory: 'docs'
-        run: yarn spellcheck content/teleport
+        run: yarn spellcheck content/current
 
       - name: Lint docs formatting
         working-directory: 'docs'

diff --git a/.github/workflows/docs-amplify.yaml b/.github/workflows/docs-amplify.yaml
@@ -0,0 +1,42 @@
+name: Docs Preview
+on:
+  pull_request:
+    paths:
+      - 'docs/**'
+      - .github/workflows/docs-amplify.yaml
+  workflow_dispatch:
+
+permissions:
+  pull-requests: write
+  id-token: write
+
+jobs:
+  amplify-preview:
+    name: Prepare Amplify preview URL
+    runs-on: ubuntu-22.04-2core-arm64
+    environment: docs-amplify
+    steps:    
+    - name: Configure AWS credentials
+      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4
+      with:
+        aws-region: us-west-2
+        role-to-assume: ${{ vars.IAM_ROLE }}
+
+    - name: Create Amplify preview environment
+      uses: gravitational/shared-workflows/tools/amplify-preview@tools/amplify-preview/v0.0.1
+      continue-on-error: true
+      with:
+        app_ids: ${{ vars.AMPLIFY_APP_IDS }}
+        create_branches: "true"
+        github_token: ${{ secrets.GITHUB_TOKEN }}
+        wait: "true"
+
+    - name: Print failure message
+      if: failure()
+      env:
+        ERR_TITLE: Teleport Docs preview build failed
+        ERR_MESSAGE: >-
+          Please refer to the following documentation for help: https://www.notion.so/goteleport/How-to-Amplify-deployments-162fdd3830be8096ba72efa1a49ee7bc?pvs=4
+      run: |
+        echo ::error title=$ERR_TITLE::$ERR_MESSAGE
+        exit 1
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -16,6 +16,7 @@ jobs:
       has_go: ${{ steps.changes.outputs.has_go }}
       has_rust: ${{ steps.changes.outputs.has_rust }}
       has_proto: ${{ steps.changes.outputs.has_proto }}
+      has_rfd: ${{ steps.changes.outputs.has_rfd }}
     steps:
       - name: Checkout
         if: ${{ github.event_name == 'merge_group' }}
@@ -26,6 +27,10 @@ jobs:
           base: ${{ github.event.pull_request.base.ref || github.event.merge_group.base_ref }}
           ref: ${{ github.event.pull_request.head.ref || github.event.merge_group.head_ref }}
           filters: |
+            has_rfd:
+              - '.github/workflows/lint.yaml'
+              - 'rfd/**.md'
+              - 'rfd/cspell.json'
             has_go:
               - '.github/workflows/lint.yaml'
               - '**.go'
@@ -88,7 +93,7 @@ jobs:
           find . -path ./e -prune -o -name go.mod -print | while read f; do
             echo "checking $f"
             pushd $(dirname "$f") > /dev/null;
-            go mod tidy -diff;
+            go mod tidy -diff || (echo "Run 'make go-mod-tidy-all' to resolve" && exit 1);
             popd > /dev/null;
           done
 
@@ -203,7 +208,7 @@ jobs:
       - name: Print linter versions
         run: |
           echo "BUF_VERSION=$BUF_VERSION"
-      - uses: bufbuild/buf-setup-action@5d38b66514ec5b6b7b753e133245555ea664d0ac # v1.46.0
+      - uses: bufbuild/buf-setup-action@9672cee01808979ea1249f81d6d321217b9a10f6 # v1.47.2
         with:
           github_token: ${{ github.token }}
           version: ${{ env.BUF_VERSION }}
@@ -231,3 +236,25 @@ jobs:
         # We have to add the current directory as a safe directory or else git commands will not work as expected.
         # The protoc-gen-terraform version must match the version in integrations/terraform/Makefile
         run: git config --global --add safe.directory $(realpath .) && go install github.com/gravitational/protoc-gen-terraform@c91cc3ef4d7d0046c36cb96b1cd337e466c61225 && make terraform-resources-up-to-date
+
+  lint-rfd:
+    name: Lint (RFD)
+    needs: changes
+    if: ${{ !startsWith(github.head_ref, 'dependabot/') && needs.changes.outputs.has_rfd == 'true' }}
+    runs-on: ubuntu-22.04
+
+    permissions:
+      contents: read
+
+    container:
+      image: ghcr.io/gravitational/teleport-buildbox:teleport17
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install JS dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Check spelling
+        run: pnpm cspell -c ./rfd/cspell.json rfd
diff --git a/.github/workflows/post-release.yaml b/.github/workflows/post-release.yaml
@@ -94,8 +94,8 @@ jobs:
           git config --global user.email "[email protected]"
           git config --global user.name "GitHub"
 
-          # get Go version from go.mod
-          GO_VERSION=$(go mod edit -json | jq -r .Go)
+          # get Go version from go.mod (preferring the toolchain directive if it's present)
+          GO_VERSION=$(go mod edit -json | jq -r 'if has("Toolchain") then .Toolchain | sub("go"; "") else .Go end')
 
           # update versions in docs/config.json
           # for docker images replace version number after <docker image name>:

diff --git a/.github/workflows/update-docs-webhook.yaml b/.github/workflows/update-docs-webhook.yaml
@@ -15,18 +15,11 @@ jobs:
     environment: update-docs
     strategy:
       fail-fast: false
-      matrix:
-        webhooks:
-        - url_secret_name: DOCS_DEPLOY_HOOK
-          http_method: GET
-        - url_secret_name: AMPLIFY_DOCS_DEPLOY_HOOK
-          http_method: POST
     steps:
       - name: Call deployment webhook
         env:
-          WEBHOOK_URL: ${{ secrets[matrix.webhooks.url_secret_name] }}
-          HTTP_METHOD: ${{ matrix.webhooks.http_method }}
+          WEBHOOK_URL: ${{ secrets[AMPLIFY_DOCS_DEPLOY_HOOK] }}
         run: |
-          if curl -X "$HTTP_METHOD" --silent --fail --show-error "$WEBHOOK_URL" > /dev/null; then
+          if curl -X POST --silent --fail --show-error "$WEBHOOK_URL" > /dev/null; then
             echo "Triggered successfully"
           fi
diff --git a/.github/workflows/vercel-preview.yaml b/.github/workflows/vercel-preview.yaml