Merge branch 'branch/v17' into bot/backport-49122-branch/v17

.github/workflows/vercel-preview.yaml

@@ -61,5 +61,5 @@ jobs:
               issue_number: context.issue.number,
               owner: context.repo.owner,
               repo: context.repo.repo,
-              body: `🤖 Vercel preview here: ${previewUrl}/docs/ver/preview`
+              body: `🤖 Vercel preview here: ${previewUrl}/docs`
             })

build.assets/macos/tsh/tsh.app/Contents/Library/LaunchDaemons/com.gravitational.teleport.tsh.vnetd.plist

@@ -22,5 +22,12 @@
 	<string>/var/log/vnet.log</string>
 	<key>ThrottleInterval</key>
 	<integer>5</integer>
+	<key>EnvironmentVariables</key>
+	<dict>
+		<!-- Auto-updates are disabled because $HOME isn't available,
+		but let's also disable them explicitly anyway. -->
+		<key>TELEPORT_TOOLS_VERSION</key>
+		<string>off</string>
+	</dict>
 </dict>
 </plist>

build.assets/macos/tshdev/tsh.app/Contents/Library/LaunchDaemons/com.goteleport.tshdev.vnetd.plist

@@ -22,5 +22,12 @@
 	<string>/var/log/vnet.log</string>
 	<key>ThrottleInterval</key>
 	<integer>5</integer>
+	<key>EnvironmentVariables</key>
+	<dict>
+		<!-- Auto-updates are disabled because $HOME isn't available,
+		but let's also disable them explicitly anyway. -->
+		<key>TELEPORT_TOOLS_VERSION</key>
+		<string>off</string>
+	</dict>
 </dict>
 </plist>

docs/pages/connect-your-client/gui-clients.mdx

@@ -10,9 +10,20 @@ work with Teleport.
 
 ### Prerequisites
 
-(!docs/pages/includes/edition-prereqs-tabs.mdx!)
+- A running Teleport cluster. If you want to get started with Teleport, [sign
+  up](https://goteleport.com/signup) for a free trial or [set up a demo
+  environment](../admin-guides/deploy-a-cluster/linux-demo.mdx).
+
+- The `tsh` client tool. Visit [Installation](../installation.mdx) for instructions on downloading
+  `tsh`. See the [Using Teleport Connect](./teleport-connect.mdx) guide for a graphical desktop client
+  that includes `tsh`.
+
+- To check that you can connect to your Teleport cluster, sign in with `tsh login`. For example:
+
+  ```code
+  $ tsh login --proxy=<Var name="teleport.example.com" /> --user=<Var name="email@example.com" />
+  ```
 
-- (!docs/pages/includes/tctl.mdx!)
 - The Teleport Database Service configured to access a database. See one of our
   [guides](../enroll-resources/database-access/guides/guides.mdx) for how to set up the Teleport
   Database Service for your database.

docs/pages/enroll-resources/desktop-access/dynamic-registration.mdx

@@ -0,0 +1,147 @@
+---
+title: Dynamic Windows Desktop Registration
+description: Register/unregister Windows desktops without restarting Teleport.
+---
+
+Dynamic Windows desktop registration allows Teleport administrators to register
+new Windows desktops (or update/unregister existing ones) without having to
+update the static configuration files read by Teleport Windows Desktop Service
+instances.
+
+Windows Desktop Service instances watch for updates from the Teleport Auth
+Service for `dynamic_windows_desktop` resources, each of which includes the
+information that the Windows Desktop Service needs to connect to a Windows
+desktop.
+
+## Required permissions
+
+In order to interact with dynamically registered Windows desktops, a user must have
+a Teleport role with permissions to manage `dynamic_windows_desktop` resources.
+
+In the following example, a role allows a user to perform all possible
+operations against `dynamic_windows_desktop` resources:
+
+```yaml
+allow:
+  rules:
+    - resources: [dynamic_windows_desktop]
+      verbs: [list, create, read, update, delete]
+```
+
+## Enabling dynamic registration
+
+To enable dynamic registration, include a `resources` section in your Windows Desktop
+Service configuration with a list of resource label selectors you'd like this
+service to monitor for registering:
+
+```yaml
+windows_desktop_service:
+  enabled: "yes"
+  resources:
+  - labels:
+      "*": "*"
+```
+
+You can use a wildcard selector to register all dynamic Windows desktop resources in the cluster
+on the Windows Desktop Service or provide a specific set of labels for a subset:
+
+```yaml
+resources:
+- labels:
+    "env": "prod"
+- labels:
+    "env": "test"
+```
+
+## Creating a dynamic_windows_desktop resource
+
+Configure Teleport to register a Windows desktop dynamically by creating an `dynamic_windows_desktop`
+resource. The following example configures Teleport for connecting to Windows desktop
+called `example` at `host1.example.com:3089`.
+
+```yaml
+kind: dynamic_windows_desktop
+version: v1
+metadata:
+  name: example
+  description: "Example desktop"
+  labels:
+    env: test
+spec:
+  addr: host1.example.com:3089
+  # non_ad should be true for logging with local Windows user and false for Active Directory users
+  non_ad: true
+  # domain specifies domain used for AD-joined machines
+  domain: ""
+
+  # Optional - ensures that all sessions use the same screen size,
+  # no matter what the size of the browser window is.
+  # Leave blank to use the size of the browser window.
+  screen_size:
+    width: 1024
+    height: 768
+```
+
+The user creating the dynamic Windows desktop needs to have a role with access
+to the Windows desktop labels and the `dynamic_windows_desktop` resource. In
+this example role the user can only create and maintain dynamic Windows desktops
+labeled `env: test`.
+
+```yaml
+kind: role
+version: v7
+metadata:
+  name: example
+spec:
+  allow:
+    windows_desktop_labels:
+      env: test
+    rules:
+    - resources: [dynamic_windows_desktop]
+      verbs: [list, create, read, update, delete]
+```
+
+To create a dynamic Windows desktop resource, run:
+
+<Tabs>
+    <TabItem scope={["oss", "enterprise"]} label="Self-Hosted">
+
+        ```code
+        # Log in to your cluster with tsh so you can use tctl from your local machine.
+        # You can also run tctl on your Auth Service host without running "tsh login"
+        # first.
+        $ tsh login --proxy=teleport.example.com --user=myuser
+        $ tctl create dynamic_windows_desktop.yaml
+        ```
+
+    </TabItem>
+    <TabItem scope={["cloud"]} label="Teleport Enterprise (Cloud)">
+
+        ```code
+        # Log in to your Teleport cluster so you can use tctl remotely.
+        $ tsh login --proxy=mytenant.teleport.sh --user=myuser
+        $ tctl create dynamic_windows_desktop.yaml
+        ```
+
+    </TabItem>
+
+</Tabs>
+
+After the resource has been created, it will appear among the list of available
+Windows desktops (in the web UI) as long as at least one Windows Desktop Service
+instance picks it up according to its label selectors.
+
+To update an existing dynamic Windows desktop resource, run:
+
+```code
+$ tctl create -f dynamic_windows_desktop.yaml
+```
+
+If the updated resource's labels no longer match a particular Windows Desktop Service, it
+will unregister and stop routing traffic to it.
+
+To delete a dynamic Windows desktop resource, run:
+
+```code
+$ tctl rm dynamic_windows_desktop/example
+```

docs/pages/enroll-resources/desktop-access/introduction.mdx

@@ -76,6 +76,7 @@ Windows-specific configuration settings, role-based permissions, and audit event
 - [Role-Based Access Control for Desktops](./rbac.mdx)
 - [Clipboard Sharing](../../reference/agent-services/desktop-access-reference/clipboard.mdx)
 - [Directory Sharing](./directory-sharing.mdx)
+- [Dynamic Registration](./dynamic-registration.mdx)
 - [Session Recording and Playback](../../reference/agent-services/desktop-access-reference/sessions.mdx)
 - [Troubleshooting Desktop Access](./troubleshooting.mdx)
 - [Desktop Access Audit Events Reference](../../reference/agent-services/desktop-access-reference/audit.mdx)

docs/pages/includes/config-reference/desktop-config.yaml

@@ -109,7 +109,15 @@ windows_desktop_service:
     # The key of the label will be "ldap/" + the value of the attribute.
     label_attributes:
     - location
-  # Rules for applying labels to Windows hosts based on regular expressions
+
+  # (optional) configure a set of label selectors for dynamic registration.
+  # If specified, this service will monitor the cluster for dynamic_windows_desktop
+  # and automatically proxy connections for desktops with matching labels.
+  resources:
+  - labels:
+      "env": "dev"
+
+  # (optional) rules for applying labels to Windows hosts based on regular expressions
   # matched against the host name. If multiple rules match, the desktop will
   # get the union of all matching labels.
   host_labels:

docs/pages/includes/helm-reference/zz_generated.tbot.mdx

@@ -121,7 +121,7 @@ Ignored if `customConfig` is set.
 | `string` | `"kubernetes"` |
 
 `joinMethod` describes how tbot joins the Teleport cluster.
-See [the join method reference](../../join-methods.mdx) for a list fo supported values and detailed explanations.
+See [the join method reference](../../reference/join-methods.mdx) for a list fo supported values and detailed explanations.
 Ignored if `customConfig` is set.
 
 ## `token`

docs/pages/includes/role-spec.mdx

@@ -397,7 +397,7 @@ spec:
           # generates a role name from the value capture
           roles: ['$1-admin']
 
-      # Teleport can attach annotations to pending Access Requests. these
+      # Teleport can attach annotations to pending Access Requests. These
       # annotations may be literals, or be variable interpolation expressions,
       # effectively creating a means for propagating selected claims from an
       # external identity provider to the plugin system.
@@ -435,7 +435,7 @@ spec:
         # The different session kinds this policy applies to.
         kinds: ['k8s', 'ssh']
         # The list of session participant modes the role may join the session as.
-        modes: ['moderator', 'observer']
+        modes: ['moderator', 'observer', 'peer']
 
     # spiffe is a list of SPIFFE IDs that the role holder is allowed to request
     # SVIDs for. As long as the request matches one of the blocks within the

docs/pages/reference/cli/tctl.mdx

@@ -1730,11 +1730,9 @@ These flags are available for all commands `--debug, --config`. Run
 ### Examples
 
 ```code
-# Adds teleport user "joe" with mappings to
-# OS users and {{ internal.logins }} to "joe" and "ubuntu"
-$ tctl users add joe --roles=access,requester joe,ubuntu
-# Adds Teleport user "joe" with mappings to the editor role
-$ tctl users add joe --roles=editor,reviewer
+# Adds Teleport user "joe" with the "access" and "requester" roles and
+# permissions to assume the "joe" and "ubuntu" logins
+$ tctl users add joe --roles=access,requester --logins=joe,ubuntu
 ```
 
 ## tctl users ls

docs/pages/reference/helm-reference/helm-reference.mdx

@@ -15,6 +15,7 @@ layout: tocless-doc
   Teleport Kubernetes Operator.
 - [teleport-access-graph](teleport-access-graph.mdx): Deploy the
   Teleport Policy Access Graph service.
+- [tbot](tbot.mdx): Deploy an instance of TBot, the [MachineID](../../enroll-resources/machine-id/introduction.mdx) agent.
 - [teleport-plugin-event-handler](teleport-plugin-event-handler.mdx):
   Deploy the Teleport Event Handler plugin which sends events and session logs
   to Fluentd.

docs/pages/reference/helm-reference/tbot.mdx

@@ -0,0 +1,35 @@
+---
+title: tbot Chart Reference
+description: Values that can be set using the tbot Helm chart
+---
+
+This chart deploys an instance of the [MachineID](../../enroll-resources/machine-id/introduction.mdx) agent,
+TBot, into your Kubernetes cluster.
+
+To use it, you will need to know:
+
+- The address of your Teleport Proxy Service or Auth Service
+- The name of your Teleport cluster
+- The name of a join token configured for Machine ID and your Kubernetes cluster
+  as described in the [Machine ID on Kubernetes guide](../../enroll-resources/machine-id/deployment/kubernetes.mdx)
+
+By default, this chart is designed to use the `kubernetes` join method but it
+can be customized to use any delegated join method. We do not recommend that
+you use the `token` join method with this chart.
+
+## Minimal configuration
+
+This basic configuration will write a Teleport identity file to a secret in
+the deployment namespace called `test-output`.
+
+```yaml
+clusterName: "test.teleport.sh"
+teleportProxyAddress: "test.teleport.sh:443"
+defaultOutput:
+  secretName: "test-output"
+token: "my-token"
+```
+
+## Full reference
+
+(!docs/pages/includes/helm-reference/zz_generated.tbot.mdx!)

docs/pages/reference/resources.mdx

@@ -138,51 +138,26 @@ are required.*/}
 | <pre>kubernetes_groups: <br/>  - "system:masters" <br/>kubernetes_labels: <br/>  env: ["dev"] <br/>kubernetes_resources: <br/>  - kind: "namespace" <br/>    name: "foo"</pre>                                                                                            | ⚠️ not supported                                                                                                  | ⚠️ not supported                                                                                                  | ✅ full access in namespace `foo` <br/>❌ cannot access other namespaces                                                                                                                                |
 
 
-## Windows desktop
+## Windows desktops
 
 In most cases, Teleport will register `windows_desktop` resources automatically
 based on static hosts in your configuration file or via LDAP-based discovery.
 
-However, you can also manage `windows_desktop` resources manually with `tctl`.
-This can be useful for managing inventories of hosts that are not joined to
-an Active Directory domain.
+You can also use [dynamic
+registration](../enroll-resources/desktop-access/dynamic-registration.mdx) using
+`dynamic_windows_desktop` resources. This can be useful for managing inventories
+of hosts that are not joined to an Active Directory domain.
 
 There are a few important considerations to keep in mind when registering
 desktops this way:
 
 1. The desktop's `addr` can be a hostname or IP address, and should include
    the RDP port (typically 3389).
-1. The desktop's `host_id` should be set to the name of a
-   `windows_desktop_service` that is capable of proxying remote desktop
-   connections to the host. If you have multiple such services, you can create
-   multiple `windows_desktop` resources with different `host_id` values.
 1. If you intend to log in to the desktop with local Windows users you must set
    `non_ad: true`. If you intend to log in with Active Directory users, leave
    `non_ad` unset (or false), and specify the Active Directory domain in the
    `domain` field.
 
-```yaml
-kind: windows_desktop
-metadata:
-  name: desktop-without-ad
-  labels:
-    foo: bar
-    baz: quux
-spec:
-  host_id: 307e091b-7f6b-42e0-b78d-3362ad10b55d
-  addr: 192.168.1.153:3389
-  domain: ""
-  non_ad: true
-
-  # Optional - ensures that all sessions use the same screen size,
-  # no matter what the size of the browser window is.
-  # Leave blank to use the size of the browser window.
-  screen_size:
-    width: 1024
-    height: 768
-version: v3
-```
-
 ## Login Rules
 
 Login rules contain logic to transform SSO user traits during login.
@@ -191,7 +166,7 @@ Login rules contain logic to transform SSO user traits during login.
 
 ## Database object import rule
 
-Database object import rule define the labels to be applied to database objects imported into Teleport. 
+Database object import rule define the labels to be applied to database objects imported into Teleport.
 
 See [Database Access Controls](../enroll-resources/database-access/rbac.mdx) for more details.
 

examples/chart/tbot/values.yaml

@@ -70,7 +70,7 @@ outputs: []
 services: []
 
 # joinMethod(string) -- describes how tbot joins the Teleport cluster.
-# See [the join method reference](../../join-methods.mdx) for a list fo supported values and detailed explanations.
+# See [the join method reference](../../reference/join-methods.mdx) for a list fo supported values and detailed explanations.
 # Ignored if `customConfig` is set.
 joinMethod: "kubernetes"
 
@@ -226,4 +226,4 @@ extraArgs: []
 #   - name: HTTPS_PROXY
 #     value: "http://username:password@my.proxy.host:3128"
 # ```
-extraEnv: []
+extraEnv: []