Merge branch 'master' into bernard/operator-trusted-cluster-guide

api/proto/teleport/workloadidentity/v1/resource.proto

@@ -38,12 +38,46 @@ message WorkloadIdentity {
   WorkloadIdentitySpec spec = 5;
 }
 
+// The attribute casted to a string must be equal to the value.
+message WorkloadIdentityConditionEq {
+  // The value to compare the attribute against.
+  string value = 1;
+}
+
+// The attribute casted to a string must not be equal to the value.
+message WorkloadIdentityConditionNotEq {
+  // The value to compare the attribute against.
+  string value = 1;
+}
+
+// The attribute casted to a string must be in the list of values.
+message WorkloadIdentityConditionIn {
+  // The list of values to compare the attribute against.
+  repeated string values = 1;
+}
+
+// The attribute casted to a string must not be in the list of values.
+message WorkloadIdentityConditionNotIn {
+  // The list of values to compare the attribute against.
+  repeated string values = 1;
+}
+
 // The individual conditions that make up a rule.
 message WorkloadIdentityCondition {
+  reserved 2;
+  reserved "equals";
   // The name of the attribute to evaluate the condition against.
   string attribute = 1;
-  // An exact string that the attribute must match.
-  string equals = 2;
+  oneof operator {
+    // The attribute casted to a string must be equal to the value.
+    WorkloadIdentityConditionEq eq = 3;
+    // The attribute casted to a string must not be equal to the value.
+    WorkloadIdentityConditionNotEq not_eq = 4;
+    // The attribute casted to a string must be in the list of values.
+    WorkloadIdentityConditionIn in = 5;
+    // The attribute casted to a string must not be in the list of values.
+    WorkloadIdentityConditionNotIn not_in = 6;
+  }
 }
 
 // An individual rule that is evaluated during the issuance of a WorkloadIdentity.

docs/pages/admin-guides/access-controls/sso/sso.mdx

@@ -213,7 +213,7 @@ spec:
       - '2001:db8::/96'
 ```
 
-## Configuring SSO
+## Configuring SSO for login
 
 Teleport works with SSO providers by relying on the concept of an
 **authentication connector**. An authentication connector is a configuration
@@ -411,6 +411,116 @@ values to match your identity provider:
 
 At this time, the `spec.provider` field should not be set for any other identity providers.
 
+## Configuring SSO for MFA checks
+
+Teleport administrators can configure Teleport to delegate MFA checks to an 
+SSO provider as an alternative to registering MFA devices directly with the Teleport cluster.
+This allows Teleport users to use MFA devices and custom flows configured in the SSO provider
+to carry out privileged actions in Teleport, such as:
+
+- [Per-session MFA](../guides/per-session-mfa.mdx)
+- [Moderated sessions](../guides/moderated-sessions.mdx)
+- [Admin actions](../guides/mfa-for-admin-actions.mdx)
+
+Administrators may want to consider enabling this feature in order to:
+
+- Make all authentication (login and MFA) go through the IDP, reducing administrative overhead
+- Make custom MFA flows, such as prompting for 2 distinct devices for a single MFA check
+- Integrate with non-webauthn devices supported directly by your IDP
+
+<Admonition type="note">
+  SSO MFA is an enterprise feature. Only OIDC and SAML auth connectors are supported.
+</Admonition>
+
+### Configure the IDP App / Client
+
+There is no standardized MFA flow unlike there is with SAML/OIDC 
+login, so each IDP may offer zero, one, or more ways to offer MFA checks. 
+
+Generally, these offerings will fall under one of the following cases:
+
+1. Use a separate IDP app for MFA:
+
+You can create a separate IDP app with a custom MFA flow. For example, with
+Auth0 (OIDC), you can create a separate app with a custom [Auth0 Action](https://auth0.com/docs/customize/actions)
+which prompts for MFA for an active OIDC session.
+
+2. Use the same IDP app for MFA:
+
+Some IDPs provide a way to fork to different flows using the same IDP app.
+For example, with Okta (OIDC), you can provide `acr_values: ["phr"]` to 
+[enforce phishing resistant authentication](https://developer.okta.com/docs/guides/step-up-authentication/main/#predefined-parameter-values).
+
+For a simpler approach, you could use the same IDP app for both login and MFA
+with no adjustments. For Teleport MFA checks, the user will be required to
+relogin through the IDP with username, password, and MFA if required.
+
+<Admonition type="warning">
+  While the customizability of SSO MFA presents multiple secure options previously
+  unavailable to administrators, it also presents the possibility of insecure
+  misconfigurations. Therefore, we strongly advice administrators to incorporate
+  strict, phishing-resistant checks with WebAuthn, Device Trust, or some similar
+  security features into their custom SSO MFA flow.
+</Admonition>
+
+### Updating your authentication connector to enable MFA checks
+
+Take the authentication connector file `connector.yaml` created in [Configuring SSO for login](#configuring-sso-for-login)
+and add MFA settings.
+
+<Tabs>
+<TabItem label="OIDC">
+
+```yaml
+(!examples/resources/oidc-connector-mfa.yaml!)
+```
+
+</TabItem>
+<TabItem label="SAML">
+
+```yaml
+(!examples/resources/saml-connector-mfa.yaml!)
+```
+
+You may use `entity_descriptor_url` in lieu of `entity_descriptor` to fetch
+the entity descriptor from your IDP. 
+
+We recommend "pinning" the entity descriptor by including the XML rather than
+fetching from a URL.
+
+</TabItem>
+</Tabs>
+
+Update the connector: 
+
+```code
+$ tctl create -f connector.yaml
+```
+
+### Allowing SSO as an MFA method in your cluster
+
+Before you can use the SSO MFA flow we created above, you need to enable SSO
+as a second factor in your cluster settings. Modify the dynamic config resource
+using the following command:
+
+```code
+$ tctl edit cluster_auth_preference
+```
+
+Make the following change:
+
+```diff
+kind: cluster_auth_preference
+version: v2
+metadata:
+  name: cluster-auth-preference
+spec:
+  # ...
+  second_factors:
+   - webauthn
++  - sso
+```
+
 ## Working with an external email identity
 
 Along with sending groups, an SSO provider will also provide a user's email address.

docs/pages/admin-guides/infrastructure-as-code/teleport-operator/secret-lookup.mdx

@@ -11,7 +11,10 @@ of the Teleport Kubernetes operator CRs.
 Some Teleport resources might contain sensitive values. Select CR fields can reference an existing
 Kubernetes secret and the operator will retrieve the value from the secret when reconciling.
 
-Currently only the GithubConnector and OIDCConnector `client_secret` field support secret lookup.
+Currently supported fields for secret lookup:
+- GithubConnector `client_secret`
+- OIDCConnector `client_secret`
+- TrustedClusterV2 `token`
 
 ## Prerequisites
 

docs/pages/admin-guides/infrastructure-as-code/teleport-operator/teleport-operator.mdx

@@ -26,16 +26,21 @@ could cause instability and non-deterministic behaviour.
 </Admonition>
 
 Currently supported Teleport resources are:
-- users (`TeleportUser`)
-- roles
+- Users (`TeleportUser`)
+- Roles
   - `TeleportRole` creates role v5
   - `TeleportRoleV6` creates role v6
   - `TeleportRoleV7` creates role v7
-- OIDC connectors (`TeleportOIDCConnector`)
-- SAML connectors (`TeleportSAMLConnector`)
-- GitHub connectors (`TeleportGithubConnector`)
-- provision tokens (`TeleportProvisionToken`)
-- Login Rules (`TeleportLoginRules`)
+- OIDC Connectors (`TeleportOIDCConnector`)
+- SAML Connectors (`TeleportSAMLConnector`)
+- GitHub Connectors (`TeleportGithubConnector`)
+- Provision Tokens (`TeleportProvisionToken`)
+- Login Rules (`TeleportLoginRule`)
+- Access Lists (`TeleportAccessList`)
+- Okta Import Rules (`TeleportOktaImportRule`)
+- OpenSSHEICE Servers (`TeleportOpenSSHEICEServerV2`)
+- OpenSSH Servers (`TeleportOpenSSHServerV2`)
+- Trusted Clusters (`TeleportTrustedClusterV2`)
 
 ### Setting up the operator
 

docs/pages/reference/operator-resources/resources.teleport.dev_trustedclustersv2.mdx

@@ -0,0 +1,41 @@
+---
+title: TeleportTrustedClusterV2
+description: Provides a comprehensive list of fields in the TeleportTrustedClusterV2 resource available through the Teleport Kubernetes operator
+tocDepth: 3
+---
+
+{/*Auto-generated file. Do not edit.*/}
+{/*To regenerate, navigate to integrations/operator and run "make crd-docs".*/}
+
+This guide is a comprehensive reference to the fields in the `TeleportTrustedClusterV2`
+resource, which you can apply after installing the Teleport Kubernetes operator.
+
+
+## resources.teleport.dev/v1
+
+**apiVersion:** resources.teleport.dev/v1
+
+|Field|Type|Description|
+|---|---|---|
+|apiVersion|string|APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources|
+|kind|string|Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds|
+|metadata|object||
+|spec|[object](#spec)|TrustedCluster resource definition v2 from Teleport|
+
+### spec
+
+|Field|Type|Description|
+|---|---|---|
+|enabled|boolean|Enabled is a bool that indicates if the TrustedCluster is enabled or disabled. Setting Enabled to false has a side effect of deleting the user and host certificate authority (CA).|
+|role_map|[][object](#specrole_map-items)|RoleMap specifies role mappings to remote roles.|
+|token|string|Token is the authorization token provided by another cluster needed by this cluster to join. This field supports secret lookup. See the operator documentation for more details.|
+|tunnel_addr|string|ReverseTunnelAddress is the address of the SSH proxy server of the cluster to join. If not set, it is derived from `<metadata.name>:<default reverse tunnel port>`.|
+|web_proxy_addr|string|ProxyAddress is the address of the web proxy server of the cluster to join. If not set, it is derived from `<metadata.name>:<default web proxy server port>`.|
+
+### spec.role_map items
+
+|Field|Type|Description|
+|---|---|---|
+|local|[]string|Local specifies local roles to map to|
+|remote|string|Remote specifies remote role name to map from|
+

docs/pages/reference/terraform-provider/data-sources/workload_identity.mdx

@@ -55,7 +55,38 @@ Optional:
 Optional:
 
 - `attribute` (String) The name of the attribute to evaluate the condition against.
-- `equals` (String) An exact string that the attribute must match.
+- `eq` (Attributes) The attribute casted to a string must be equal to the value. (see [below for nested schema](#nested-schema-for-specrulesallowconditionseq))
+- `in` (Attributes) The attribute casted to a string must be in the list of values. (see [below for nested schema](#nested-schema-for-specrulesallowconditionsin))
+- `not_eq` (Attributes) The attribute casted to a string must not be equal to the value. (see [below for nested schema](#nested-schema-for-specrulesallowconditionsnot_eq))
+- `not_in` (Attributes) The attribute casted to a string must not be in the list of values. (see [below for nested schema](#nested-schema-for-specrulesallowconditionsnot_in))
+
+### Nested Schema for `spec.rules.allow.conditions.eq`
+
+Optional:
+
+- `value` (String) The value to compare the attribute against.
+
+
+### Nested Schema for `spec.rules.allow.conditions.in`
+
+Optional:
+
+- `values` (List of String) The list of values to compare the attribute against.
+
+
+### Nested Schema for `spec.rules.allow.conditions.not_eq`
+
+Optional:
+
+- `value` (String) The value to compare the attribute against.
+
+
+### Nested Schema for `spec.rules.allow.conditions.not_in`
+
+Optional:
+
+- `values` (List of String) The list of values to compare the attribute against.
+
 
 
 

docs/pages/reference/terraform-provider/resources/workload_identity.mdx

@@ -23,7 +23,9 @@ resource "teleport_workload_identity" "example" {
         {
           conditions = [{
             attribute = "user.name"
-            equals    = "noah"
+            eq = {
+              value = "my-user"
+            }
           }]
         }
       ]
@@ -80,7 +82,38 @@ Optional:
 Optional:
 
 - `attribute` (String) The name of the attribute to evaluate the condition against.
-- `equals` (String) An exact string that the attribute must match.
+- `eq` (Attributes) The attribute casted to a string must be equal to the value. (see [below for nested schema](#nested-schema-for-specrulesallowconditionseq))
+- `in` (Attributes) The attribute casted to a string must be in the list of values. (see [below for nested schema](#nested-schema-for-specrulesallowconditionsin))
+- `not_eq` (Attributes) The attribute casted to a string must not be equal to the value. (see [below for nested schema](#nested-schema-for-specrulesallowconditionsnot_eq))
+- `not_in` (Attributes) The attribute casted to a string must not be in the list of values. (see [below for nested schema](#nested-schema-for-specrulesallowconditionsnot_in))
+
+### Nested Schema for `spec.rules.allow.conditions.eq`
+
+Optional:
+
+- `value` (String) The value to compare the attribute against.
+
+
+### Nested Schema for `spec.rules.allow.conditions.in`
+
+Optional:
+
+- `values` (List of String) The list of values to compare the attribute against.
+
+
+### Nested Schema for `spec.rules.allow.conditions.not_eq`
+
+Optional:
+
+- `value` (String) The value to compare the attribute against.
+
+
+### Nested Schema for `spec.rules.allow.conditions.not_in`
+
+Optional:
+
+- `values` (List of String) The list of values to compare the attribute against.
+
 
 
 

e2e/aws/fixtures_test.go

@@ -198,7 +198,6 @@ func newTeleportConfig(t *testing.T) *servicecfg.Config {
 	tconf := servicecfg.MakeDefaultConfig()
 	// Replace the default auth and proxy listeners with the ones so we can
 	// run multiple tests in parallel.
-	tconf.Console = nil
 	tconf.Proxy.DisableWebInterface = true
 	tconf.PollingPeriod = 500 * time.Millisecond
 	tconf.Testing.ClientTimeout = time.Second