From fe3fc86943ba4f9418386249a2d7a85f9ed3d332 Mon Sep 17 00:00:00 2001 
From: Paul Gottschling Date: Tue, 4 Jun 2024 14:26:02 -0400 Subject: [PATCH] Use generated TOC pages for smaller sections (#42374) Sections included in this change: - docs/pages/agents/ - docs/pages/auto-discovery/ - docs/pages/choose-an-edition/ - docs/pages/desktop-access/ - docs/pages/includes/ - docs/pages/kubernetes-access/ Other changes: - Move Helm includes out of docs/pages/kubernetes-access to match the expectations of the TOC page generator. Also move "Connect your Client" includes to docs/pages/includes. - Some pages were at the expected location of a TOC page (i.e., with the same name as a subdirectory), but included explanatory information that didn't fit the format of this kind of page. This change moves these pages to other locations as overview pages. - Update config.json. --- docs/config.json | 322 +++++++++++++++++- docs/pages/agents.mdx | 21 ++ .../agents/join-services-to-your-cluster.mdx | 28 +- .../overview.mdx | 22 ++ docs/pages/api.mdx | 13 + docs/pages/architecture.mdx | 17 + docs/pages/auto-discovery.mdx | 47 +++ docs/pages/auto-discovery/introduction.mdx | 23 -- .../kubernetes-applications.mdx | 11 +- docs/pages/auto-discovery/kubernetes.mdx | 186 +--------- .../auto-discovery/kubernetes/overview.mdx | 183 ++++++++++ docs/pages/auto-discovery/servers.mdx | 8 +- docs/pages/choose-an-edition.mdx | 28 ++ .../introduction.mdx => teleport-cloud.mdx} | 14 +- .../choose-an-edition/teleport-enterprise.mdx | 12 + docs/pages/connect-your-client.mdx | 13 + docs/pages/desktop-access.mdx | 24 ++ docs/pages/desktop-access/reference.mdx | 15 +- .../connect-my-computer-prerequisites.mdx | 0 .../launch-connect-with-flags-macos.mdx | 0 .../kubernetes-access/helm}/helm-repo-add.mdx | 0 .../helm}/kubernetes-externaladdress.mdx | 0 .../helm}/teleport-cluster-cloud-warning.mdx | 0 .../helm}/teleport-cluster-install.mdx | 0 .../helm}/teleport-cluster-prereqs.mdx | 0 docs/pages/kubernetes-access.mdx | 21 ++ .../kubernetes-access/register-clusters.mdx | 13 +- 
package.json | 2 +- 28 files changed, 752 insertions(+), 271 deletions(-) create mode 100644 docs/pages/agents.mdx create mode 100644 docs/pages/agents/join-services-to-your-cluster/overview.mdx create mode 100644 docs/pages/api.mdx create mode 100644 docs/pages/architecture.mdx create mode 100644 docs/pages/auto-discovery.mdx delete mode 100644 docs/pages/auto-discovery/introduction.mdx create mode 100644 docs/pages/auto-discovery/kubernetes/overview.mdx create mode 100644 docs/pages/choose-an-edition.mdx rename docs/pages/choose-an-edition/{teleport-cloud/introduction.mdx => teleport-cloud.mdx} (63%) create mode 100644 docs/pages/choose-an-edition/teleport-enterprise.mdx create mode 100644 docs/pages/connect-your-client.mdx create mode 100644 docs/pages/desktop-access.mdx rename docs/pages/{connect-your-client/includes => includes/connect-your-client}/connect-my-computer-prerequisites.mdx (100%) rename docs/pages/{connect-your-client/includes => includes/connect-your-client}/launch-connect-with-flags-macos.mdx (100%) rename docs/pages/{kubernetes-access/helm/includes => includes/kubernetes-access/helm}/helm-repo-add.mdx (100%) rename docs/pages/{kubernetes-access/helm/includes => includes/kubernetes-access/helm}/kubernetes-externaladdress.mdx (100%) rename docs/pages/{kubernetes-access/helm/includes => includes/kubernetes-access/helm}/teleport-cluster-cloud-warning.mdx (100%) rename docs/pages/{kubernetes-access/helm/includes => includes/kubernetes-access/helm}/teleport-cluster-install.mdx (100%) rename docs/pages/{kubernetes-access/helm/includes => includes/kubernetes-access/helm}/teleport-cluster-prereqs.mdx (100%) create mode 100644 docs/pages/kubernetes-access.mdx diff --git a/docs/config.json b/docs/config.json index 709c020f96f83..d84b94cd6160f 100644 --- a/docs/config.json +++ b/docs/config.json 
@@ -88,7 +88,7 @@
 },
 {
 "title": "Teleport Enterprise Cloud",
- "slug": "/choose-an-edition/teleport-cloud/introduction/",
+ "slug": "/choose-an-edition/teleport-cloud/",
 "forScopes": ["cloud"],
 "entries": [
 {
@@ -941,7 +941,7 @@
 "entries": [
 {
 "title": "Introduction",
- "slug": "/auto-discovery/introduction/"
+ "slug": "/auto-discovery/"
 },
 {
 "title": "Servers",
@@ -2032,18 +2032,313 @@
 "permanent": true
 },
 {
- "source": "/application-access/",
- "destination": "/application-access/introduction/",
+ "source": "/kubernetes-access/guides/migration/",
+ "destination": "/kubernetes-access/introduction/",
 "permanent": true
 },
 {
- "source": "/desktop-access/",
- "destination": "/desktop-access/introduction/",
+ "source": "/setup/guides/joining-nodes-aws/",
+ "destination": "/agents/join-services-to-your-cluster/aws-iam/",
 "permanent": true
 },
 {
- "source": "/kubernetes-access/",
- "destination": "/kubernetes-access/introduction/",
+ "source": "/setup/reference/license/",
+ "destination": "/choose-an-edition/teleport-enterprise/license/",
+ "permanent": true
+ },
+ {
+ "source": "/intro/",
+ "destination": "/",
+ "permanent": true
+ },
+ {
+ "source": "/api-reference/",
+ "destination": "/api/getting-started/",
+ "permanent": true
+ },
+ {
+ "source": "/server-access/guides/tsh/",
+ "destination": "/connect-your-client/tsh/",
+ "permanent": true
+ },
+ {
+ "source": "/cluster/",
+ "destination": "/kubernetes-access/getting-started/",
+ "permanent": true
+ },
+ {
+ "source": "/application-access/guides/jwt/",
+ "destination": "/application-access/jwt/",
+ "permanent": true
+ },
+ {
+ "source": "/getting-started/digitalocean/",
+ "destination": "/",
+ "permanent": true
+ },
+ {
+ "source": "/kubernetes-access/getting-started/agent/",
+ "destination": "/kubernetes-access/getting-started/",
+ "permanent": true
+ },
+ {
+ "source": "/kubernetes-access/getting-started/cluster/",
+ "destination": "/deploy-a-cluster/helm-deployments/kubernetes-cluster/",
+ "permanent": true
+ },
+ {
+ "source": "/kubernetes-access/getting-started/local/",
+ "destination": "/kubernetes-access/",
+ "permanent": true
+ },
+ {
+ "source": "/kubernetes-access/helm/guides/",
+ "destination": "/deploy-a-cluster/helm-deployments/",
+ "permanent": true
+ },
+ {
+ "source": "/kubernetes-access/helm/guides/aws/",
+ "destination": "/deploy-a-cluster/helm-deployments/aws/",
+ "permanent": true
+ },
+ {
+ "source": "/kubernetes-access/helm/guides/custom/",
+ "destination": "/deploy-a-cluster/helm-deployments/custom/",
+ "permanent": true
+ },
+ {
+ "source": "/kubernetes-access/helm/guides/digitalocean/",
+ "destination": "/deploy-a-cluster/helm-deployments/digitalocean/",
+ "permanent": true
+ },
+ {
+ "source": "/kubernetes-access/helm/guides/gcp/",
+ "destination": "/deploy-a-cluster/helm-deployments/gcp/",
+ "permanent": true
+ },
+ {
+ "source": "/kubernetes-access/helm/guides/migration/",
+ "destination": "/deploy-a-cluster/helm-deployments/migration-v12/",
+ "permanent": true
+ },
+ {
+ "source": "/kubernetes-access/helm/reference/",
+ "destination": "/reference/helm-reference/",
+ "permanent": true
+ },
+ {
+ "source": "/kubernetes-access/helm/reference/teleport-cluster/",
+ "destination": "/reference/helm-reference/teleport-cluster/",
+ "permanent": true
+ },
+ {
+ "source": "/kubernetes-access/helm/reference/teleport-kube-agent/",
+ "destination": "/reference/helm-reference/teleport-kube-agent/",
+ "permanent": true
+ },
+ {
+ "source": "/access-controls/guides/u2f/",
+ "destination": "/access-controls/guides/webauthn/",
+ "permanent": true
+ },
+ {
+ "source": "/enterprise/workflow/",
+ "destination": "/access-controls/access-requests/",
+ "permanent": true
+ },
+ {
+ "source": "/enterprise/workflow/ssh-approval-mattermost/",
+ "destination": "/access-controls/access-request-plugins/ssh-approval-mattermost/",
+ "permanent": true
+ },
+ {
+ "source": "/enterprise/workflow/ssh-approval-pagerduty/",
+ "destination": "/access-controls/access-request-plugins/ssh-approval-pagerduty/",
+ "permanent": true
+ },
+ {
+ "source": "/enterprise/workflow/ssh-approval-jira-server/",
+ "destination": "/access-controls/access-request-plugins/ssh-approval-jira/",
+ "permanent": true
+ },
+ {
+ "source": "/enterprise/workflow/ssh-approval-jira-cloud/",
+ "destination": "/access-controls/access-request-plugins/ssh-approval-jira/",
+ "permanent": true
+ },
+ {
+ "source": "/enterprise/workflow/ssh-approval-jira-cloud/",
+ "destination": "/access-controls/access-request-plugins/ssh-approval-jira/",
+ "permanent": true
+ },
+ {
+ "source": "/enterprise/workflow/ssh-approval-slack/",
+ "destination": "/access-controls/access-request-plugins/ssh-approval-slack/",
+ "permanent": true
+ },
+ {
+ "source": "/enterprise/workflow/resource-requests/",
+ "destination": "/access-controls/access-requests/resource-requests/",
+ "permanent": true
+ },
+ {
+ "source": "/enterprise/workflow/role-requests/",
+ "destination": "/access-controls/access-requests/role-requests/",
+ "permanent": true
+ },
+ {
+ "source": "/user-manual/",
+ "destination": "/",
+ "permanent": true
+ },
+ {
+ "source": "/enterprise/fedramp/",
+ "destination": "/access-controls/compliance-frameworks/fedramp/",
+ "permanent": true
+ },
+ {
+ "source": "/enterprise/soc2/",
+ "destination": "/access-controls/compliance-frameworks/soc2/",
+ "permanent": true
+ },
+ {
+ "source": "/enterprise/sso/",
+ "destination": "/access-controls/sso/",
+ "permanent": true
+ },
+ {
+ "source": "/enterprise/sso/adfs/",
+ "destination": "/access-controls/sso/adfs/",
+ "permanent": true
+ },
+ {
+ "source": "/enterprise/sso/azuread/",
+ "destination": "/access-controls/sso/azuread/",
+ "permanent": true
+ },
+ {
+ "source": "/setup/admin/github-sso/",
+ "destination": "/access-controls/sso/github-sso/",
+ "permanent": true
+ },
+ {
+ "source": "/enterprise/sso/gitlab/",
+ "destination": "/access-controls/sso/gitlab/",
+ "permanent": true
+ },
+ {
+ "source": "/enterprise/sso/google-workspace/",
+ "destination": "/access-controls/sso/google-workspace/",
+ "permanent": true
+ },
+ {
+ "source": "/enterprise/sso/oidc/",
+ "destination": "/access-controls/sso/oidc/",
+ "permanent": true
+ },
+ {
+ "source": "/enterprise/sso/okta/",
+ "destination": "/access-controls/sso/okta/",
+ "permanent": true
+ },
+ {
+ "source": "/enterprise/sso/one-login/",
+ "destination": "/access-controls/sso/one-login/",
+ "permanent": true
+ },
+ {
+ "source": "/database-access/guides/gui-clients/",
+ "destination": "/connect-your-client/gui-clients/",
+ "permanent": true
+ },
+ {
+ "source": "/use-teleport/teleport-connect/",
+ "destination": "/connect-your-client/teleport-connect/",
+ "permanent": true
+ },
+ {
+ "source": "/use-teleport/tsh/",
+ "destination": "/connect-your-client/tsh/",
+ "permanent": true
+ },
+ {
+ "source": "/setup/deployments/",
+ "destination": "/deploy-a-cluster/deployments/",
+ "permanent": true
+ },
+ {
+ "source": "/setup/deployments/aws-terraform/",
+ "destination": "/deploy-a-cluster/deployments/aws-ha-autoscale-cluster-terraform/",
+ "permanent": true
+ },
+ {
+ "source": "/setup/deployments/digitalocean/",
+ "destination": "/",
+ "permanent": true
+ },
+ {
+ "source": "/setup/deployments/gcp/",
+ "destination": "/deploy-a-cluster/deployments/gcp/",
+ "permanent": true
+ },
+ {
+ "source": "/setup/deployments/ibm/",
+ "destination": "/deploy-a-cluster/deployments/ibm/",
+ "permanent": true
+ },
+ {
+ "source": "/setup/helm-deployments/",
+ "destination": "/deploy-a-cluster/helm-deployments/",
+ "permanent": true
+ },
+ {
+ "source": "/setup/helm-deployments/aws/",
+ "destination": "/deploy-a-cluster/helm-deployments/aws/",
+ "permanent": true
+ },
+ {
+ "source": "/setup/helm-deployments/custom/",
+ "destination": "/deploy-a-cluster/helm-deployments/custom/",
+ "permanent": true
+ },
+ {
+ "source": "/setup/helm-deployments/digitalocean/",
+ "destination": "/deploy-a-cluster/helm-deployments/digitalocean/",
+ "permanent": true
+ },
+ {
+ "source": "/setup/helm-deployments/gcp/",
+ "destination": "/deploy-a-cluster/helm-deployments/gcp/",
+ "permanent": true
+ },
+ {
+ "source": "/getting-started/kubernetes-cluster/",
+ "destination": "/deploy-a-cluster/helm-deployments/kubernetes-cluster/",
+ "permanent": true
+ },
+ {
+ "source": "/setup/helm-deployments/migration/",
+ "destination": "/deploy-a-cluster/helm-deployments/migration-v12/",
+ "permanent": true
+ },
+ {
+ "source": "/getting-started/linux-server/",
+ "destination": "/",
+ "permanent": true
+ },
+ {
+ "source": "/cloud/architecture/",
+ "destination": "/choose-an-edition/teleport-cloud/architecture/",
+ "permanent": true
+ },
+ {
+ "source": "/cloud/downloads/",
+ "destination": "/choose-an-edition/teleport-cloud/downloads/",
+ "permanent": true
+ },
+ {
+ "source": "/cloud/faq/",
+ "destination": "/choose-an-edition/teleport-cloud/faq/",
 "permanent": true
 },
 {
@@ -2053,7 +2348,7 @@
 },
 {
 "source": "/cloud/introduction/",
- "destination": "/choose-an-edition/teleport-cloud/introduction/",
+ "destination": "/choose-an-edition/teleport-cloud/",
 "permanent": true
 },
 {
@@ -2313,7 +2608,7 @@
 },
 {
 "source": "/deploy-a-cluster/teleport-cloud/introduction/",
- "destination": "/choose-an-edition/teleport-cloud/introduction/",
+ "destination": "/choose-an-edition/teleport-cloud/",
 "permanent": true
 },
 {
@@ -2416,11 +2711,6 @@
 "destination": "/",
 "permanent": true
 },
- {
- "source": "/choose-an-edition/",
- "destination": "/choose-an-edition/introduction/",
- "permanent": true
- },
 {
 "source": "/deploy-a-cluster/",
 "destination": "/deploy-a-cluster/introduction/",
@@ -2538,7 +2828,7 @@
 },
 {
 "source": "/choose-an-edition/teleport-cloud/",
- "destination": "/choose-an-edition/teleport-cloud/introduction/",
+ "destination": "/choose-an-edition/teleport-cloud/",
 "permanent": true
 },
 {
diff --git a/docs/pages/agents.mdx b/docs/pages/agents.mdx
new file mode 100644
index 0000000000000..5ca9e90047b33
--- /dev/null
+++ b/docs/pages/agents.mdx
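Review bot: The redirect list added in hunk `@@ -2032,18 +2032,313 @@` contains the same entry twice: the object with `"source": "/enterprise/workflow/ssh-approval-jira-cloud/"` and `"destination": "/access-controls/access-request-plugins/ssh-approval-jira/"` appears back-to-back, so one copy should be dropped before the list grows further. Worth checking as well: the hunk removes the `/application-access/` → `/application-access/introduction/` redirect alongside the `/desktop-access/` and `/kubernetes-access/` ones, but unlike those two sections this commit creates no `docs/pages/application-access.mdx` TOC page, so `/application-access/` may now resolve to nothing unless such a page already exists in the tree. If it does not, that removed entry should be kept.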
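Review bot: The last hunk (`@@ -2538,7 +2828,7 @@`) rewrites the entry for `"source": "/choose-an-edition/teleport-cloud/"` so that its `"destination"` is the identical path `/choose-an-edition/teleport-cloud/`, producing a redirect whose source equals its destination; depending on how the redirect table is consumed that is either a self-loop the browser follows until its redirect limit or a dead entry, and in neither case is it wanted. Since the commit renames `teleport-cloud/introduction.mdx` to `teleport-cloud.mdx`, the page now exists at that path and the entry should be deleted outright, the way the `/choose-an-edition/` entry is removed in hunk `@@ -2416,11 +2711,6 @@`. A check that no redirect has `source == destination` would catch this class of mistake in future regenerations of the table.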
@@ -0,0 +1,21 @@ +--- +title: Teleport Agents +description: How to use Teleport Agents, which enable users to connect to resources in your infrastructure. +--- + +{/*TOPICS*/} + +- [Deploy Teleport Agents with Terraform](agents/deploy-agents-terraform.mdx): In this guide, we will show you how to deploy a pool of Teleport agents so you can apply dynamic resources to enroll your infrastructure with Teleport. +- [Introduction to Teleport Agents](agents/introduction.mdx): Deploy agents to enroll resources in your infrastructure with Teleport. You can run multiple Teleport services per agent." + +## Join Agents to your Teleport Cluster + +Methods you can use to established trust between a newly deployed Teleport agent and your Teleport cluster so you can protect resources. ([more info](agents/join-services-to-your-cluster.mdx)) + +- [Join Methods for Teleport Agents](agents/join-services-to-your-cluster/overview.mdx): An overview of the available methods for registering the Proxy Service, Database Service, and other Teleport services with your cluster. +- [Join Services with GCP](agents/join-services-to-your-cluster/gcp.mdx): Use the GCP join method to add services to your Teleport cluster. +- [Join Services with a Secure Token](agents/join-services-to-your-cluster/join-token.mdx): This guide shows you how to join a Teleport instance to your cluster using a join token in order to proxy access to resources in your infrastructure. 
+- [Joining Services via AWS EC2 Identity Document](agents/join-services-to-your-cluster/aws-ec2.mdx): Use the EC2 join method to add services to your Teleport cluster on AWS +- [Joining Services via AWS IAM Role](agents/join-services-to-your-cluster/aws-iam.mdx): Use the IAM join method to add services to your Teleport cluster on AWS +- [Joining Services via Azure Managed Identity](agents/join-services-to-your-cluster/azure.mdx): Use the Azure join method to join Teleport services to your Teleport cluster on Azure +- [Joining Services via Kubernetes ServiceAccount Token](agents/join-services-to-your-cluster/kubernetes.mdx): Use Kubernetes ServiceAccount tokens to join services running in the same Kubernetes cluster as the Auth Service. diff --git a/docs/pages/agents/join-services-to-your-cluster.mdx b/docs/pages/agents/join-services-to-your-cluster.mdx index caa23b19d00d1..646866a67dbcd 100644 --- a/docs/pages/agents/join-services-to-your-cluster.mdx +++ b/docs/pages/agents/join-services-to-your-cluster.mdx 
@@ -1,22 +1,14 @@ --- -title: Join Services to your Teleport Cluster -description: How to register the Proxy Service, Database Service, and other Teleport services with your cluster. +title: Join Agents to your Teleport Cluster +description: Methods you can use to established trust between a newly deployed Teleport agent and your Teleport cluster so you can protect resources. --- -A **Teleport service** manages access to resources in your infrastructure, such -as Kubernetes clusters, Windows desktops, internal web applications, and -databases. A single **Teleport process** can run multiple Teleport services. - -There are multiple methods you can use to join a Teleport process to your -cluster in order to run Teleport services, including an instance of the Proxy -Service. Choose the method that best suits your infrastructure: - -|Method|Description|When to use| -|------|-----------|-----------| -|[EC2 Identity Document](./join-services-to-your-cluster/aws-ec2.mdx)|A Teleport process running on an EC2 instance authenticates to your cluster via a signed EC2 instance identity document.|Your Teleport process will run on EC2 and your Teleport cluster is self hosted.| -|[AWS IAM](./join-services-to-your-cluster/aws-iam.mdx)|A Teleport process uses AWS credentials to join the cluster, whether running on EC2 or not.|At least some of your infrastructure runs on AWS.| -|[Azure Managed Identity](./join-services-to-your-cluster/azure.mdx)|A Teleport process demonstrates that it runs in your Azure subscription by sending a signed attested data document and access token to the Teleport Auth Service.|Your Teleport process will run on Azure.| -|[Kubernetes ServiceAccount](./join-services-to-your-cluster/kubernetes.mdx)|A Teleport process uses a Kubernetes-signed proof to establish a trust relationship with your Teleport cluster.|Your Teleport process will run on Kubernetes.| -|[GCP IAM](./join-services-to-your-cluster/gcp.mdx)|A Teleport process uses a GCP-signed token to establish 
a trust relationship with your Teleport cluster.|Your Teleport process will run on a GCP VM.| -|[Join Token](./join-services-to-your-cluster/join-token.mdx)|A Teleport process presents a join token provided when starting the service.|There is no other supported method for your cloud provider.| +{/*TOPICS*/} +- [Join Methods for Teleport Agents](join-services-to-your-cluster/overview.mdx): An overview of the available methods for registering the Proxy Service, Database Service, and other Teleport services with your cluster. +- [Join Services with GCP](join-services-to-your-cluster/gcp.mdx): Use the GCP join method to add services to your Teleport cluster. +- [Join Services with a Secure Token](join-services-to-your-cluster/join-token.mdx): This guide shows you how to join a Teleport instance to your cluster using a join token in order to proxy access to resources in your infrastructure. +- [Joining Services via AWS EC2 Identity Document](join-services-to-your-cluster/aws-ec2.mdx): Use the EC2 join method to add services to your Teleport cluster on AWS +- [Joining Services via AWS IAM Role](join-services-to-your-cluster/aws-iam.mdx): Use the IAM join method to add services to your Teleport cluster on AWS +- [Joining Services via Azure Managed Identity](join-services-to-your-cluster/azure.mdx): Use the Azure join method to join Teleport services to your Teleport cluster on Azure +- [Joining Services via Kubernetes ServiceAccount Token](join-services-to-your-cluster/kubernetes.mdx): Use Kubernetes ServiceAccount tokens to join services running in the same Kubernetes cluster as the Auth Service. diff --git a/docs/pages/agents/join-services-to-your-cluster/overview.mdx b/docs/pages/agents/join-services-to-your-cluster/overview.mdx new file mode 100644 index 0000000000000..1f7c2b5c9bc9e --- /dev/null +++ b/docs/pages/agents/join-services-to-your-cluster/overview.mdx 
@@ -0,0 +1,22 @@ +--- +title: Join Methods for Teleport Agents +description: An overview of the available methods for registering the Proxy Service, Database Service, and other Teleport services with your cluster. +--- + +A **Teleport service** manages access to resources in your infrastructure, such +as Kubernetes clusters, Windows desktops, internal web applications, and +databases. A single **Teleport process** can run multiple Teleport services. + +There are multiple methods you can use to join a Teleport process to your +cluster in order to run Teleport services, including an instance of the Proxy +Service. Choose the method that best suits your infrastructure: + +|Method|Description|When to use| +|------|-----------|-----------| +|[EC2 Identity Document](./join-services-to-your-cluster/aws-ec2.mdx)|A Teleport process running on an EC2 instance authenticates to your cluster via a signed EC2 instance identity document.|Your Teleport process will run on EC2 and your Teleport cluster is self hosted.| +|[AWS IAM](./join-services-to-your-cluster/aws-iam.mdx)|A Teleport process uses AWS credentials to join the cluster, whether running on EC2 or not.|At least some of your infrastructure runs on AWS.| +|[Azure Managed Identity](./join-services-to-your-cluster/azure.mdx)|A Teleport process demonstrates that it runs in your Azure subscription by sending a signed attested data document and access token to the Teleport Auth Service.|Your Teleport process will run on Azure.| +|[Kubernetes ServiceAccount](./join-services-to-your-cluster/kubernetes.mdx)|A Teleport process uses a Kubernetes-signed proof to establish a trust relationship with your Teleport cluster.|Your Teleport process will run on Kubernetes.| +|[GCP IAM](./join-services-to-your-cluster/gcp.mdx)|A Teleport process uses a GCP-signed token to establish a trust relationship with your Teleport cluster.|Your Teleport process will run on a GCP VM.| +|[Join Token](./join-services-to-your-cluster/join-token.mdx)|A 
Teleport process presents a join token provided when starting the service.|There is no other supported method for your cloud provider.| + diff --git a/docs/pages/api.mdx b/docs/pages/api.mdx new file mode 100644 index 0000000000000..9c1f58cde3a73 --- /dev/null +++ b/docs/pages/api.mdx @@ -0,0 +1,13 @@ +--- +title: Teleport API Guides +description: How to use the Teleport gRPC API, which allows custom client tools to manage dynamic Teleport resources. +--- + +{/*TOPICS*/} + +- [API Architecture](api/architecture.mdx): Architectural overview of the Teleport gRPC API. +- [API Getting Started Guide](api/getting-started.mdx): Get started working with the Teleport API programmatically using Go. +- [Automatically Register Resources with Teleport](api/automatically-register-agents.mdx): Learn how to use the Teleport API to start agents automatically when you add resources to your infrastructure. +- [Generate Teleport Roles from an External RBAC System](api/rbac.mdx): Use Teleport's API to automatically generate Teleport roles based on third-party RBAC policies +- [How to Build an Access Request Plugin](api/access-plugin.mdx): Manage Access Requests using custom workflows with the Teleport API +- [Teleport API Introduction](api/introduction.mdx): Introduction to the Teleport gRPC API. diff --git a/docs/pages/architecture.mdx b/docs/pages/architecture.mdx new file mode 100644 index 0000000000000..9709d7b61edea --- /dev/null +++ b/docs/pages/architecture.mdx 
@@ -0,0 +1,17 @@ +--- +title: Teleport Architecture Guides +description: Guides to the inner workings of components within a Teleport cluster. +--- + +{/*TOPICS*/} + +- [Agent Update Management](architecture/agent-update-management.mdx): This chapter explains how Teleport agent automatic update is working. +- [Proxy Peering](architecture/proxy-peering.mdx): How Teleport implements more efficient networking with Proxy Peering. +- [TLS Routing](architecture/tls-routing.mdx): How Teleport implements a single-port setup with TLS routing +- [Teleport Architecture Guides](architecture/introduction.mdx): Get detailed information about how Teleport works +- [Teleport Authentication](architecture/authentication.mdx): This chapter explains how Teleport uses certificate authorities to authenticate users and services. +- [Teleport Authorization](architecture/authorization.mdx): This chapter explains how Teleport authorizes users and roles. +- [Teleport Proxy Service](architecture/proxy.mdx): Architecture of Teleport's identity-aware proxy service +- [Teleport SSH Nodes](architecture/nodes.mdx): This chapter explains the concept of a Teleport Node and how Teleport manages SSH. +- [Teleport Session Recording](architecture/session-recording.mdx): An overview of Teleport's session recording and its configuration +- [Trusted Clusters Architecture](architecture/trustedclusters.mdx): Deep dive into design of Teleport Trusted Clusters. diff --git a/docs/pages/auto-discovery.mdx b/docs/pages/auto-discovery.mdx new file mode 100644 index 0000000000000..562ba08158864 --- /dev/null +++ b/docs/pages/auto-discovery.mdx 
@@ -0,0 +1,47 @@ +--- +title: Teleport Auto-Discovery +description: "Learn how to use the Teleport Discovery Service, which automatically enrolls resources by query APIs" +--- + +The Teleport Discovery Service automatically detects resources in your +infrastructure and enrolls them in your Teleport cluster. When you deploy +servers, databases, and Kubernetes clusters, Teleport enables secure access to +these resources with no further configuration. This lets you decouple the need +to protect your infrastructure resources from the work of deploying and managing +them. + +The Discovery Service runs on [Teleport agents](../agents/introduction.mdx). It +periodically queries cloud provider APIs to list resources in your +infrastructure. It then reconciles these resources with Teleport resources +registered on the Auth Service backend. + +Set up Teleport auto-discovery for resources in your infrastructure: + +{/*TOPICS*/} + +- [AWS Database Auto-Discovery](auto-discovery/databases.mdx): How to configure Teleport to discover AWS-hosted databases. + +## Automatically Enroll Kubernetes Clusters + +Register Kubernetes clusters with your Teleport cluster by polling service discovery endpoints. ([more info](auto-discovery/kubernetes.mdx)) + +- [Kubernetes Clusters Discovery](auto-discovery/kubernetes/overview.mdx): Detailed guides for configuring Kubernetes Clusters Discovery. +- [Teleport AKS Auto-Discovery](auto-discovery/kubernetes/azure.mdx): Auto-Discovery of AKS clusters in Azure cloud. +- [Teleport EKS Auto-Discovery](auto-discovery/kubernetes/aws.mdx): How to configure auto-discovery of AWS EKS clusters in Teleport. +- [Teleport GKE Auto-Discovery](auto-discovery/kubernetes/google-cloud.mdx): How to configure auto-discovery of Google Kubernetes Engine clusters in Teleport. + +## Enroll Kubernetes Services as Teleport Applications + +Teleport can automatically detect applications running in your Kubernetes clusters and register them with Teleport for secure access. 
([more info](auto-discovery/kubernetes-applications.mdx)) + +- [Get Started with Kubernetes Application Discovery](auto-discovery/kubernetes-applications/get-started.mdx): Detailed guide for configuring Kubernetes Application Discovery. +- [Kubernetes App Discovery Architecture](auto-discovery/kubernetes-applications/architecture.mdx): Learn how Teleport automatically discovers applications running on Kubernetes. +- [Kubernetes Application Discovery Reference](auto-discovery/kubernetes-applications/reference.mdx): This guide is a comprehensive reference of configuration options for automatically enrolling Kubernetes applications with Teleport. + +## Server Auto-Discovery + +You can set up the Teleport Discovery Service to automatically enroll servers in your infrastructure. ([more info](auto-discovery/servers.mdx)) + +- [Automatically Discover Azure Virtual Machines](auto-discovery/servers/azure-discovery.mdx): How to configure Teleport to automatically enroll Azure virtual machines. +- [Automatically Discover GCP Compute Instances](auto-discovery/servers/gcp-discovery.mdx): How to configure Teleport to automatically enroll GCP compute instances. +- [Configure Teleport to Automatically Enroll EC2 instances](auto-discovery/servers/ec2-discovery.mdx): How to configure Teleport to automatically enroll EC2 instances. diff --git a/docs/pages/auto-discovery/introduction.mdx b/docs/pages/auto-discovery/introduction.mdx deleted file mode 100644 index b110b1ede9613..0000000000000 --- a/docs/pages/auto-discovery/introduction.mdx +++ /dev/null 
@@ -1,23 +0,0 @@ ---- -title: Teleport Auto-Discovery -description: "Learn how to use the Teleport Discovery Service, which automatically enrolls resources by query APIs" ---- - -The Teleport Discovery Service automatically detects resources in your -infrastructure and enrolls them in your Teleport cluster. When you deploy -servers, databases, and Kubernetes clusters, Teleport enables secure access to -these resources with no further configuration. This lets you decouple the need -to protect your infrastructure resources from the work of deploying and managing -them. - -The Discovery Service runs on [Teleport agents](../agents/introduction.mdx). It -periodically queries cloud provider APIs to list resources in your -infrastructure. It then reconciles these resources with Teleport resources -registered on the Auth Service backend. - -Set up Teleport auto-discovery for resources in your infrastructure: - -- [Servers](./servers.mdx) -- [Kubernetes clusters](./kubernetes.mdx) -- [Databases](./databases.mdx) -- [Applications deployed on Kubernetes](./kubernetes-applications.mdx) diff --git a/docs/pages/auto-discovery/kubernetes-applications.mdx b/docs/pages/auto-discovery/kubernetes-applications.mdx index e3c6487fc7cea..8f03427c4183b 100644 --- a/docs/pages/auto-discovery/kubernetes-applications.mdx +++ b/docs/pages/auto-discovery/kubernetes-applications.mdx 
@@ -16,11 +16,8 @@ applications, and registers these applications with your cluster. The Teleport Application Service then detects the new application resources and proxies user traffic to them. -- [Get started](./kubernetes-applications/get-started.mdx): Set up automatic - application discovery with the `teleport-kube-agent` Helm chart. -- [Architecture](./kubernetes-applications/architecture.mdx): Learn how - automatic application discovery works. -- [Reference](./kubernetes-applications/reference.mdx): Consult this guide - for options and Kubernetes annotations you can use to configure automatic - Kubernetes application discovery. +{/*TOPICS*/} +- [Get Started with Kubernetes Application Discovery](kubernetes-applications/get-started.mdx): Detailed guide for configuring Kubernetes Application Discovery. +- [Kubernetes App Discovery Architecture](kubernetes-applications/architecture.mdx): Learn how Teleport automatically discovers applications running on Kubernetes. +- [Kubernetes Application Discovery Reference](kubernetes-applications/reference.mdx): This guide is a comprehensive reference of configuration options for automatically enrolling Kubernetes applications with Teleport. diff --git a/docs/pages/auto-discovery/kubernetes.mdx b/docs/pages/auto-discovery/kubernetes.mdx index 94e7130cb68a4..5e79d5a70b67c 100644 --- a/docs/pages/auto-discovery/kubernetes.mdx +++ b/docs/pages/auto-discovery/kubernetes.mdx 
@@ -1,183 +1,11 @@ --- -title: Kubernetes Clusters Discovery -description: Detailed guides for configuring Kubernetes Clusters Discovery. +title: Automatically Enroll Kubernetes Clusters +description: Register Kubernetes clusters with your Teleport cluster by polling service discovery endpoints. --- -Kubernetes Clusters Discovery allows Kubernetes clusters -hosted on cloud providers to be discovered and enrolled automatically. +{/*TOPICS*/} -While discovering a new Kubernetes cluster, Teleport does not install any component -on the cluster. Instead, it requires direct access to the cluster's API and -minimal access permissions. - -## Supported clouds - -- [AWS](./kubernetes/aws.mdx): Discovery for AWS EKS clusters. -- [Azure](./kubernetes/azure.mdx): Discovery for Azure AKS clusters. -- [Google Cloud](./kubernetes/google-cloud.mdx): Discovery for - Google Kubernetes Engine clusters. - -## How Kubernetes Clusters Discovery works - -Kubernetes Clusters Discovery consists of two steps: - -### Polling cloud APIs - -The Teleport Discovery Service is responsible for scanning the configured cloud -providers and identifying if any Kubernetes clusters match a set of filtering labels. -When the process identifies a new Kubernetes cluster, it creates a dynamic -resource within Teleport. This resource includes information imported from the -cloud provider such as: - -- *Name*: Cluster name -- *Labels* - - Cluster tags. - - Cluster location. - - Identification of which cloud account the cluster belongs to — AWS Account ID / Azure Subscription ID. - - -You can import the cluster under a different name into Teleport's registry. -To achieve this, you must attach the following tag to the resources — EKS, AKS, GKE — in your cloud provider: - - ***key***: `TeleportKubernetesName` - - ***value***: desired name - -The Discovery Service will check if the cluster includes the tag and use its value -as the resource name in Teleport. 
- -You should use this feature whenever there are clusters in different regions/cloud providers -with the same name to prevent them from colliding in Teleport. - - - -In addition to detecting new Kubernetes clusters, the Discovery Service also removes -— from Teleport's registry — the Kubernetes clusters that have been deleted or whose tags -no longer meet the filtering labels. - -(!docs/pages/includes/discovery/discovery-group.mdx!) - -The following snippet describes the different configuration options for the Discovery Service -and their default values. - -```yaml -# This section configures the Discovery Service -discovery_service: - enabled: "yes" - # discovery_group is used to group discovered resources into different - # sets. This is useful when you have multiple Teleport Discovery services - # running in the same cluster but polling different cloud providers or cloud - # accounts. It prevents discovered services from colliding in Teleport when - # managing discovered resources. - discovery_group: "prod" - aws: - # AWS resource types. Valid options are: - # eks - discovers and registers AWS EKS clusters - # ec2 - discovers and registers AWS EC2 Machines - - types: ["eks"] - # AWS regions to search for resources from - regions: ["us-east-1", "us-west-1"] - # AWS resource tags to match when registering resources - # Optional section: Defaults to "*":"*" - tags: - "env": "prod" - # AWS role to assume when discovering resources in the AWS Account. - # This value is an optional AWS role ARN to assume when polling EKS clusters - assume_role_arn: arn:aws:iam::123456789012:role/iam-discovery-role - # External ID is an optional value that should be set when accessing - # your AWS account from a third-party service (delegated access). - external_id: "example-external-id" - # Specifies the role for which the Discovery Service should create the EKS access entry. - # This is an optional parameter. 
If not set, the Discovery Service will attempt to create - # the access entry using its own identity. - # If used, the role must match the role configured for the Kubernetes Service. - setup_access_for_arn: arn:aws:iam::123456789012:role/kube-service-role - # Matchers for discovering Azure-hosted resources. - azure: - # Azure resource types. Valid options are: - # 'aks' - discovers and registers Azure AKS Kubernetes Clusters. - - types: ["aks"] - # Azure regions to search for resources from. Valid options are: - # '*' - discovers resources in all regions (default). - # Any valid Azure region name. List all valid regions using the Azure "az" cli: `az account list-locations -o table` - regions: ["*"] - # Azure subscription IDs to search resources from. Valid options are: - # '*' - discovers resources in all subscriptions (default). - # Any subscription_id: `az account subscription list -o table` - subscriptions: ["*"] - # Azure resource groups to search resources from. Valid options are: - # '*' - discovers resources in all resource groups within configured subscription(s) (default). - # Any resource_groups: `az group list -o table` - resource_groups: ["*"] - # Azure resource tag filters used to match resources. - # Optional section: Defaults to "*":"*" - tags: - "env": "prod" - # Matchers for discovering GCP-hosted resources. - gcp: - # GCP resource types. Valid options are: - # 'gke' - discovers and registers GCP GKE Kubernetes Clusters. - - types: ["gke"] - # GCP location to search for resources from. Valid options are: - # '*' - discovers resources in all locations (default). - # Any valid GCP region or zone name. - locations: ["*"] - # GCP project ID - project_ids: ["myproject"] - # GCP resource tag filters used to match resources. 
- # Optional section: Defaults to "*":"*" - tags: - "*" : "*" -``` - -### Forwarding requests to the Kubernetes Cluster - -The Teleport Kubernetes Service is responsible for monitoring the dynamic resources created or -updated by the Discovery Service and forwarding requests to the Kubernetes clusters they represent. -To work correctly, it requires direct access to the target Kubernetes clusters and -permissions to forward requests. - -To turn on dynamic resource monitoring in the Kubernetes Service, you must configure -the `kubernetes_service.resources` section as shown in the following snippet: - -```yaml -## This section configures the Kubernetes Service -kubernetes_service: - enabled: "yes" - # Matchers for dynamic Kubernetes cluster resources created with the "tctl create" command or by Kubernetes auto-discovery. - resources: - - labels: - "*": "*" # can be configured to limit the clusters to watched by this service. - aws: - # AWS role to assume when accessing EKS clusters in the AWS Account. - # This value is an optional AWS role ARN to assume when forwarding requests - # to EKS clusters. - assume_role_arn: arn:aws:iam::123456789012:role/iam-discovery-role - # External ID is an optional value that should be set when accessing - # your AWS account from a third-party service (delegated access). - external_id: "example-external-id" -``` - - -When configuring the `kubernetes_service.resources` parameter, the Teleport -Kubernetes Service is set to monitor EKS clusters that are discovered by -the Teleport Discovery Service. The monitoring process involves a label -matching mechanism to identify and manage the EKS clusters. - -1. **Discovery and Label Matching:** The Discovery Service identifies available - EKS clusters within the AWS environment. The Teleport Kubernetes Service - checks the labels of these clusters against the labels specified in the - `kubernetes_service.resources[].labels` configuration, which is the - **selector array**. -1. 
**Role Selection:** The first selector in the array that matches the labels - of an EKS cluster determines the role that the Kubernetes Service will - assume. This role is essential for the Teleport Kubernetes Service to - retrieve necessary cluster details from the AWS API. If no match is found, - the Kubernetes Service defaults to its own identity. -1. **Interaction with AWS and Kubernetes APIs:** Once a match is found and a - role is assumed, the Teleport Kubernetes Service uses this role to access the - AWS API. It retrieves information about the EKS cluster, such as - configuration and status. Subsequently, the Teleport Kubernetes Service - forwards requests to the Kubernetes API, enabling interaction with the - cluster. - -Both services — Discovery and Kubernetes — can be configured in the same -Teleport process or separate processes. \ No newline at end of file +- [Kubernetes Clusters Discovery](kubernetes/overview.mdx): Detailed guides for configuring Kubernetes Clusters Discovery. +- [Teleport AKS Auto-Discovery](kubernetes/azure.mdx): Auto-Discovery of AKS clusters in Azure cloud. +- [Teleport EKS Auto-Discovery](kubernetes/aws.mdx): How to configure auto-discovery of AWS EKS clusters in Teleport. +- [Teleport GKE Auto-Discovery](kubernetes/google-cloud.mdx): How to configure auto-discovery of Google Kubernetes Engine clusters in Teleport. diff --git a/docs/pages/auto-discovery/kubernetes/overview.mdx b/docs/pages/auto-discovery/kubernetes/overview.mdx new file mode 100644 index 0000000000000..94e7130cb68a4 --- /dev/null +++ b/docs/pages/auto-discovery/kubernetes/overview.mdx 
@@ -0,0 +1,183 @@ +--- +title: Kubernetes Clusters Discovery +description: Detailed guides for configuring Kubernetes Clusters Discovery. +--- + +Kubernetes Clusters Discovery allows Kubernetes clusters +hosted on cloud providers to be discovered and enrolled automatically. + +While discovering a new Kubernetes cluster, Teleport does not install any component +on the cluster. Instead, it requires direct access to the cluster's API and +minimal access permissions. + +## Supported clouds + +- [AWS](./kubernetes/aws.mdx): Discovery for AWS EKS clusters. +- [Azure](./kubernetes/azure.mdx): Discovery for Azure AKS clusters. +- [Google Cloud](./kubernetes/google-cloud.mdx): Discovery for + Google Kubernetes Engine clusters. + +## How Kubernetes Clusters Discovery works + +Kubernetes Clusters Discovery consists of two steps: + +### Polling cloud APIs + +The Teleport Discovery Service is responsible for scanning the configured cloud +providers and identifying if any Kubernetes clusters match a set of filtering labels. +When the process identifies a new Kubernetes cluster, it creates a dynamic +resource within Teleport. This resource includes information imported from the +cloud provider such as: + +- *Name*: Cluster name +- *Labels* + - Cluster tags. + - Cluster location. + - Identification of which cloud account the cluster belongs to — AWS Account ID / Azure Subscription ID. + + +You can import the cluster under a different name into Teleport's registry. +To achieve this, you must attach the following tag to the resources — EKS, AKS, GKE — in your cloud provider: + - ***key***: `TeleportKubernetesName` + - ***value***: desired name + +The Discovery Service will check if the cluster includes the tag and use its value +as the resource name in Teleport. + +You should use this feature whenever there are clusters in different regions/cloud providers +with the same name to prevent them from colliding in Teleport. 
+ + + +In addition to detecting new Kubernetes clusters, the Discovery Service also removes +— from Teleport's registry — the Kubernetes clusters that have been deleted or whose tags +no longer meet the filtering labels. + +(!docs/pages/includes/discovery/discovery-group.mdx!) + +The following snippet describes the different configuration options for the Discovery Service +and their default values. + +```yaml +# This section configures the Discovery Service +discovery_service: + enabled: "yes" + # discovery_group is used to group discovered resources into different + # sets. This is useful when you have multiple Teleport Discovery services + # running in the same cluster but polling different cloud providers or cloud + # accounts. It prevents discovered services from colliding in Teleport when + # managing discovered resources. + discovery_group: "prod" + aws: + # AWS resource types. Valid options are: + # eks - discovers and registers AWS EKS clusters + # ec2 - discovers and registers AWS EC2 Machines + - types: ["eks"] + # AWS regions to search for resources from + regions: ["us-east-1", "us-west-1"] + # AWS resource tags to match when registering resources + # Optional section: Defaults to "*":"*" + tags: + "env": "prod" + # AWS role to assume when discovering resources in the AWS Account. + # This value is an optional AWS role ARN to assume when polling EKS clusters + assume_role_arn: arn:aws:iam::123456789012:role/iam-discovery-role + # External ID is an optional value that should be set when accessing + # your AWS account from a third-party service (delegated access). + external_id: "example-external-id" + # Specifies the role for which the Discovery Service should create the EKS access entry. + # This is an optional parameter. If not set, the Discovery Service will attempt to create + # the access entry using its own identity. + # If used, the role must match the role configured for the Kubernetes Service. 
+ setup_access_for_arn: arn:aws:iam::123456789012:role/kube-service-role + # Matchers for discovering Azure-hosted resources. + azure: + # Azure resource types. Valid options are: + # 'aks' - discovers and registers Azure AKS Kubernetes Clusters. + - types: ["aks"] + # Azure regions to search for resources from. Valid options are: + # '*' - discovers resources in all regions (default). + # Any valid Azure region name. List all valid regions using the Azure "az" cli: `az account list-locations -o table` + regions: ["*"] + # Azure subscription IDs to search resources from. Valid options are: + # '*' - discovers resources in all subscriptions (default). + # Any subscription_id: `az account subscription list -o table` + subscriptions: ["*"] + # Azure resource groups to search resources from. Valid options are: + # '*' - discovers resources in all resource groups within configured subscription(s) (default). + # Any resource_groups: `az group list -o table` + resource_groups: ["*"] + # Azure resource tag filters used to match resources. + # Optional section: Defaults to "*":"*" + tags: + "env": "prod" + # Matchers for discovering GCP-hosted resources. + gcp: + # GCP resource types. Valid options are: + # 'gke' - discovers and registers GCP GKE Kubernetes Clusters. + - types: ["gke"] + # GCP location to search for resources from. Valid options are: + # '*' - discovers resources in all locations (default). + # Any valid GCP region or zone name. + locations: ["*"] + # GCP project ID + project_ids: ["myproject"] + # GCP resource tag filters used to match resources. + # Optional section: Defaults to "*":"*" + tags: + "*" : "*" +``` + +### Forwarding requests to the Kubernetes Cluster + +The Teleport Kubernetes Service is responsible for monitoring the dynamic resources created or +updated by the Discovery Service and forwarding requests to the Kubernetes clusters they represent. 
+To work correctly, it requires direct access to the target Kubernetes clusters and +permissions to forward requests. + +To turn on dynamic resource monitoring in the Kubernetes Service, you must configure +the `kubernetes_service.resources` section as shown in the following snippet: + +```yaml +## This section configures the Kubernetes Service +kubernetes_service: + enabled: "yes" + # Matchers for dynamic Kubernetes cluster resources created with the "tctl create" command or by Kubernetes auto-discovery. + resources: + - labels: + "*": "*" # can be configured to limit the clusters to watched by this service. + aws: + # AWS role to assume when accessing EKS clusters in the AWS Account. + # This value is an optional AWS role ARN to assume when forwarding requests + # to EKS clusters. + assume_role_arn: arn:aws:iam::123456789012:role/iam-discovery-role + # External ID is an optional value that should be set when accessing + # your AWS account from a third-party service (delegated access). + external_id: "example-external-id" +``` + + +When configuring the `kubernetes_service.resources` parameter, the Teleport +Kubernetes Service is set to monitor EKS clusters that are discovered by +the Teleport Discovery Service. The monitoring process involves a label +matching mechanism to identify and manage the EKS clusters. + +1. **Discovery and Label Matching:** The Discovery Service identifies available + EKS clusters within the AWS environment. The Teleport Kubernetes Service + checks the labels of these clusters against the labels specified in the + `kubernetes_service.resources[].labels` configuration, which is the + **selector array**. +1. **Role Selection:** The first selector in the array that matches the labels + of an EKS cluster determines the role that the Kubernetes Service will + assume. This role is essential for the Teleport Kubernetes Service to + retrieve necessary cluster details from the AWS API. 
If no match is found, + the Kubernetes Service defaults to its own identity. +1. **Interaction with AWS and Kubernetes APIs:** Once a match is found and a + role is assumed, the Teleport Kubernetes Service uses this role to access the + AWS API. It retrieves information about the EKS cluster, such as + configuration and status. Subsequently, the Teleport Kubernetes Service + forwards requests to the Kubernetes API, enabling interaction with the + cluster. + +Both services — Discovery and Kubernetes — can be configured in the same +Teleport process or separate processes. \ No newline at end of file diff --git a/docs/pages/auto-discovery/servers.mdx b/docs/pages/auto-discovery/servers.mdx index 1ad2228ae76bb..3722550fcbcc3 100644 --- a/docs/pages/auto-discovery/servers.mdx +++ b/docs/pages/auto-discovery/servers.mdx @@ -10,6 +10,8 @@ Teleport, start it and join the cluster. Learn how to set up auto-discovery for servers in your cloud: -- [Amazon EC2](./servers/ec2-discovery.mdx) -- [Google Compute Engine](./servers/gcp-discovery.mdx) -- [Azure Virtual Machines](./servers/azure-discovery.mdx) +{/*TOPICS*/} + +- [Automatically Discover Azure Virtual Machines](servers/azure-discovery.mdx): How to configure Teleport to automatically enroll Azure virtual machines. +- [Automatically Discover GCP Compute Instances](servers/gcp-discovery.mdx): How to configure Teleport to automatically enroll GCP compute instances. +- [Configure Teleport to Automatically Enroll EC2 instances](servers/ec2-discovery.mdx): How to configure Teleport to automatically enroll EC2 instances. diff --git a/docs/pages/choose-an-edition.mdx b/docs/pages/choose-an-edition.mdx new file mode 100644 index 0000000000000..d18e0a517c6d9 --- /dev/null +++ b/docs/pages/choose-an-edition.mdx 
@@ -0,0 +1,28 @@
+---
+title: Choose a Teleport Edition
+description: How to choose between managed and self-hosted editions of Teleport Enterprise
+---
+
+{/*TOPICS*/}
+
+- [How to Choose a Teleport Edition](choose-an-edition/introduction.mdx): Read this guide to determine whether to deploy Teleport Enterprise, Teleport Cloud, or Teleport Community Edition.
+
+## Self-Hosted Teleport Enterprise
+
+How to get started with self-hosted Teleport Enterprise, which allows for full control of your Teleport cluster for situations with specific security requirements. ([more info](choose-an-edition/teleport-enterprise.mdx))
+
+- [AWS KMS](choose-an-edition/teleport-enterprise/aws-kms.mdx): Configure Teleport to store CA private keys in the AWS Key Management Service
+- [Enterprise License File](choose-an-edition/teleport-enterprise/license.mdx): How to manage your Teleport Enterprise license file.
+- [Google Cloud KMS](choose-an-edition/teleport-enterprise/gcp-kms.mdx): Configure Teleport to store CA private keys in the Google Cloud Key Management Service
+- [HSM Support](choose-an-edition/teleport-enterprise/hsm.mdx): How to configure Hardware Security Modules to manage your Teleport CA private keys
+- [Teleport Enterprise](choose-an-edition/teleport-enterprise/introduction.mdx): Introduction to features and benefits of using Teleport Enterprise. Why upgrade to Teleport Enterprise?
+
+## Teleport Enterprise Cloud
+
+Teleport Enterprise Cloud is a managed service to provide access to secure infrastructure all over the world without passwords or shared secrets. ([more info](choose-an-edition/teleport-cloud.mdx))
+
+- [External Audit Storage](choose-an-edition/teleport-cloud/external-audit-storage.mdx): Store audit logs and session recordings on your own infrastructure with Teleport Enterprise Cloud.
+- [Get Started with Teleport Enterprise Cloud](choose-an-edition/teleport-cloud/get-started.mdx): Shows you how to set up a Teleport Enterprise Cloud account and protect your first resource with Teleport.
+- [Teleport Enterprise Cloud Architecture](choose-an-edition/teleport-cloud/architecture.mdx): Cloud security, availability, and networking details.
+- [Teleport Enterprise Cloud Downloads](choose-an-edition/teleport-cloud/downloads.mdx): Cloud Downloads
+- [Teleport Enterprise Cloud FAQ](choose-an-edition/teleport-cloud/faq.mdx): Teleport cloud frequently asked questions.
diff --git a/docs/pages/choose-an-edition/teleport-cloud/introduction.mdx b/docs/pages/choose-an-edition/teleport-cloud.mdx
similarity index 63%
rename from docs/pages/choose-an-edition/teleport-cloud/introduction.mdx
rename to docs/pages/choose-an-edition/teleport-cloud.mdx
index a2477cb3d3110..076b2c82e2c48 100644
--- a/docs/pages/choose-an-edition/teleport-cloud/introduction.mdx
+++ b/docs/pages/choose-an-edition/teleport-cloud.mdx
@@ -26,12 +26,10 @@ define roles, register SSO providers, and start connecting all of your infrastructure, including servers, databases, Kubernetes clusters, applications, Windows desktops, and service accounts. -## Next steps +{/*TOPICS*/} -- [Download Teleport binaries](./downloads.mdx): Download Teleport binaries for - your agents and clients - -## Learn more - -- [Architecture](./architecture.mdx): Learn more about how Teleport Enterprise Cloud works -- [FAQ](./faq.mdx): Get answers to frequently asked questions about Teleport Enterprise Cloud +- [External Audit Storage](teleport-cloud/external-audit-storage.mdx): Store audit logs and session recordings on your own infrastructure with Teleport Enterprise Cloud. +- [Get Started with Teleport Enterprise Cloud](teleport-cloud/get-started.mdx): Shows you how to set up a Teleport Enterprise Cloud account and protect your first resource with Teleport. +- [Teleport Enterprise Cloud Architecture](teleport-cloud/architecture.mdx): Cloud security, availability, and networking details. +- [Teleport Enterprise Cloud Downloads](teleport-cloud/downloads.mdx): Cloud Downloads +- [Teleport Enterprise Cloud FAQ](teleport-cloud/faq.mdx): Teleport cloud frequently asked questions. diff --git a/docs/pages/choose-an-edition/teleport-enterprise.mdx b/docs/pages/choose-an-edition/teleport-enterprise.mdx new file mode 100644 index 0000000000000..2aec09e15c869 --- /dev/null +++ b/docs/pages/choose-an-edition/teleport-enterprise.mdx 
@@ -0,0 +1,12 @@
+---
+title: Self-Hosted Teleport Enterprise
+description: How to get started with self-hosted Teleport Enterprise, which allows for full control of your Teleport cluster for situations with specific security requirements.
+---
+
+{/*TOPICS*/}
+
+- [AWS KMS](teleport-enterprise/aws-kms.mdx): Configure Teleport to store CA private keys in the AWS Key Management Service
+- [Enterprise License File](teleport-enterprise/license.mdx): How to manage your Teleport Enterprise license file.
+- [Google Cloud KMS](teleport-enterprise/gcp-kms.mdx): Configure Teleport to store CA private keys in the Google Cloud Key Management Service
+- [HSM Support](teleport-enterprise/hsm.mdx): How to configure Hardware Security Modules to manage your Teleport CA private keys
+- [Teleport Enterprise](teleport-enterprise/introduction.mdx): Introduction to features and benefits of using Teleport Enterprise. Why upgrade to Teleport Enterprise?
diff --git a/docs/pages/connect-your-client.mdx b/docs/pages/connect-your-client.mdx
new file mode 100644
index 0000000000000..3268808ad4df2
--- /dev/null
+++ b/docs/pages/connect-your-client.mdx
@@ -0,0 +1,13 @@
+---
+title: Connect your Client
+description: Guides to connecting to infrastructure resources with Teleport.
+---
+
+{/*TOPICS*/}
+
+- [Database Access GUI Clients](connect-your-client/gui-clients.mdx): How to configure graphical database clients for Teleport database access.
+- [Introduction to Teleport Clients](connect-your-client/introduction.mdx): The basics of connecting to resources with Teleport
+- [Using PuTTY and WinSCP with Teleport](connect-your-client/putty-winscp.mdx): This reference shows you how to use PuTTY to connect to SSH nodes and WinSCP to transfer files through Teleport
+- [Using Teleport Connect](connect-your-client/teleport-connect.mdx): Using Teleport Connect
+- [Using the Web UI](connect-your-client/web-ui.mdx): Using the Teleport Web UI
+- [Using the tsh Command Line Tool](connect-your-client/tsh.mdx): This reference shows you how to use Teleport's tsh tool to authenticate to a cluster, explore your infrastructure, and connect to a resource.
diff --git a/docs/pages/desktop-access.mdx b/docs/pages/desktop-access.mdx
new file mode 100644
index 0000000000000..e473d82d0eff1
--- /dev/null
+++ b/docs/pages/desktop-access.mdx
@@ -0,0 +1,24 @@
+---
+title: Teleport Desktop Access
+description: How to proctect Windows Desktops with Teleport
+---
+
+{/*TOPICS*/}
+
+- [Configure access for Active Directory manually](desktop-access/active-directory-manual.mdx): Explains how to manually connect Teleport to an Active Directory domain.
+- [Configure access for local Windows users](desktop-access/getting-started.mdx): Use Teleport to configure passwordless access for local Windows users.
+- [Directory Sharing](desktop-access/directory-sharing.mdx): Teleport desktop Directory Sharing lets you easily send files to a remote desktop.
+- [Manage Access to Windows Resources](desktop-access/introduction.mdx): Demonstrates how you can manage access to Windows desktops with Teleport.
+- [Role-Based Access Control for Desktops](desktop-access/rbac.mdx): Role-based access control (RBAC) for desktops protected by Teleport.
+- [Troubleshooting Desktop Access](desktop-access/troubleshooting.mdx): Common issues and resolutions for Teleport's desktop access
+
+## Desktop Access Reference
+
+Comprehensive guides to configuring and auditing desktop access. ([more info](desktop-access/reference.mdx))
+
+- [Automatic User Creation](desktop-access/reference/user-creation.mdx): Using Automatic User Creation with Teleport desktop access.
+- [Clipboard Sharing](desktop-access/reference/clipboard.mdx): Using Clipboard Sharing with Teleport desktop access.
+- [Desktop Access Audit Events Reference](desktop-access/reference/audit.mdx): Audit events reference for Teleport desktop access.
+- [Desktop Access CLI Reference](desktop-access/reference/cli.mdx): CLI reference for Teleport desktop access.
+- [Desktop Access Configuration Reference](desktop-access/reference/configuration.mdx): Configuration reference for Teleport desktop access.
+- [Session Recording and Playback](desktop-access/reference/sessions.mdx): Recording and playing back Teleport desktop access sessions.
diff --git a/docs/pages/desktop-access/reference.mdx b/docs/pages/desktop-access/reference.mdx index b062444977b9f..1b203b73119c0 100644 --- a/docs/pages/desktop-access/reference.mdx +++ b/docs/pages/desktop-access/reference.mdx @@ -4,10 +4,11 @@ description: Comprehensive guides to configuring and auditing desktop access. layout: tocless-doc --- -- [Configuration](./reference/configuration.mdx): Configure Teleport desktop access. -- [Audit](./reference/audit.mdx): Desktop access audit events. -- [Clipboard](./reference/clipboard.mdx): Share your clipboard with a remote desktop. -- [Session Recording](./reference/sessions.mdx): Desktop session recording and playback -- [CLI](./reference/cli.mdx): Relevant `tctl` commands -- [Scaling](../management/operations/scaling.mdx#windows-desktop-service): Tips on scaling to many concurrent users. -- [User creation](./reference/user-creation.mdx): Automatic user creation \ No newline at end of file +{/*TOPICS*/} + +- [Automatic User Creation](reference/user-creation.mdx): Using Automatic User Creation with Teleport desktop access. +- [Clipboard Sharing](reference/clipboard.mdx): Using Clipboard Sharing with Teleport desktop access. +- [Desktop Access Audit Events Reference](reference/audit.mdx): Audit events reference for Teleport desktop access. +- [Desktop Access CLI Reference](reference/cli.mdx): CLI reference for Teleport desktop access. +- [Desktop Access Configuration Reference](reference/configuration.mdx): Configuration reference for Teleport desktop access. +- [Session Recording and Playback](reference/sessions.mdx): Recording and playing back Teleport desktop access sessions. 
diff --git a/docs/pages/connect-your-client/includes/connect-my-computer-prerequisites.mdx b/docs/pages/includes/connect-your-client/connect-my-computer-prerequisites.mdx
similarity index 100%
rename from docs/pages/connect-your-client/includes/connect-my-computer-prerequisites.mdx
rename to docs/pages/includes/connect-your-client/connect-my-computer-prerequisites.mdx
diff --git a/docs/pages/connect-your-client/includes/launch-connect-with-flags-macos.mdx b/docs/pages/includes/connect-your-client/launch-connect-with-flags-macos.mdx
similarity index 100%
rename from docs/pages/connect-your-client/includes/launch-connect-with-flags-macos.mdx
rename to docs/pages/includes/connect-your-client/launch-connect-with-flags-macos.mdx
diff --git a/docs/pages/kubernetes-access/helm/includes/helm-repo-add.mdx b/docs/pages/includes/kubernetes-access/helm/helm-repo-add.mdx
similarity index 100%
rename from docs/pages/kubernetes-access/helm/includes/helm-repo-add.mdx
rename to docs/pages/includes/kubernetes-access/helm/helm-repo-add.mdx
diff --git a/docs/pages/kubernetes-access/helm/includes/kubernetes-externaladdress.mdx b/docs/pages/includes/kubernetes-access/helm/kubernetes-externaladdress.mdx
similarity index 100%
rename from docs/pages/kubernetes-access/helm/includes/kubernetes-externaladdress.mdx
rename to docs/pages/includes/kubernetes-access/helm/kubernetes-externaladdress.mdx
diff --git a/docs/pages/kubernetes-access/helm/includes/teleport-cluster-cloud-warning.mdx b/docs/pages/includes/kubernetes-access/helm/teleport-cluster-cloud-warning.mdx
similarity index 100%
rename from docs/pages/kubernetes-access/helm/includes/teleport-cluster-cloud-warning.mdx
rename to docs/pages/includes/kubernetes-access/helm/teleport-cluster-cloud-warning.mdx
diff --git a/docs/pages/kubernetes-access/helm/includes/teleport-cluster-install.mdx b/docs/pages/includes/kubernetes-access/helm/teleport-cluster-install.mdx
similarity index 100%
rename from docs/pages/kubernetes-access/helm/includes/teleport-cluster-install.mdx
rename to docs/pages/includes/kubernetes-access/helm/teleport-cluster-install.mdx
diff --git a/docs/pages/kubernetes-access/helm/includes/teleport-cluster-prereqs.mdx b/docs/pages/includes/kubernetes-access/helm/teleport-cluster-prereqs.mdx
similarity index 100%
rename from docs/pages/kubernetes-access/helm/includes/teleport-cluster-prereqs.mdx
rename to docs/pages/includes/kubernetes-access/helm/teleport-cluster-prereqs.mdx
diff --git a/docs/pages/kubernetes-access.mdx b/docs/pages/kubernetes-access.mdx
new file mode 100644
index 0000000000000..b7a273b80abb8
--- /dev/null
+++ b/docs/pages/kubernetes-access.mdx
@@ -0,0 +1,21 @@
+---
+title: Teleport Kubernetes Access
+description: Protect Kubernetes clusters with Teleport
+---
+
+{/*TOPICS*/}
+
+- [Access Kubernetes Clusters with Teleport](kubernetes-access/introduction.mdx): Learn how Teleport can protect your Kubernetes clusters with RBAC, audit logging, and more.
+- [Enroll a Kubernetes Cluster](kubernetes-access/getting-started.mdx): Demonstrates how to enroll a Kubernetes cluster as a resource protected by Teleport.
+- [Kubernetes Access FAQ](kubernetes-access/faq.mdx): Frequently asked questions about Teleport Kubernetes Access
+- [Kubernetes Access Troubleshooting](kubernetes-access/troubleshooting.mdx): Troubleshooting common issues with Kubernetes access
+- [Setting Up Teleport Access Controls for Kubernetes](kubernetes-access/manage-access.mdx): How to configure Teleport roles to access clusters, groups, users, and resources in Kubernetes.
+- [Teleport Kubernetes Access Controls](kubernetes-access/controls.mdx): How the Teleport Kubernetes Service applies RBAC to manage access to Kubernetes
+
+## Registering Kubernetes Clusters with Teleport
+
+How to manually add a Kubernetes cluster to Teleport after creating it. ([more info](kubernetes-access/register-clusters.mdx))
+
+- [Dynamic Kubernetes Cluster Registration](kubernetes-access/register-clusters/dynamic-registration.mdx): Register and unregister Kubernetes clusters without restarting a Teleport Kubernetes Service instance.
+- [Register a Kubernetes Cluster using IAM Joining](kubernetes-access/register-clusters/iam-joining.mdx): Connecting a Kubernetes cluster to Teleport with IAM joining.
+- [Register a Kubernetes Cluster with a Static kubeconfig](kubernetes-access/register-clusters/static-kubeconfig.mdx): Connecting standalone Teleport installations to Kubernetes clusters.
diff --git a/docs/pages/kubernetes-access/register-clusters.mdx b/docs/pages/kubernetes-access/register-clusters.mdx
index 6096f2b1d8609..82c9a9f7d03f8 100644
--- a/docs/pages/kubernetes-access/register-clusters.mdx
+++ b/docs/pages/kubernetes-access/register-clusters.mdx
@@ -9,13 +9,8 @@ manually, rather than letting Teleport [discover the cluster
 automatically](../auto-discovery/kubernetes.mdx). There are a few ways to do this:
-- [Deploy the Teleport Kubernetes
- Service with IAM Joining](./register-clusters/iam-joining.mdx) on your cluster of
- choice.
- Deploy the Teleport Kubernetes Service outside your Kubernetes cluster (e.g.,
- directly on a virtual machine) and [give it access to a
- kubeconfig](./register-clusters/static-kubeconfig.mdx).
- Deploy the Teleport Kubernetes Service outside of Kubernetes and [use dynamic
- configuration resources](./register-clusters/dynamic-registration.mdx) to
- register your clusters.
+{/*TOPICS*/}
+- [Dynamic Kubernetes Cluster Registration](register-clusters/dynamic-registration.mdx): Register and unregister Kubernetes clusters without restarting a Teleport Kubernetes Service instance.
+- [Register a Kubernetes Cluster using IAM Joining](register-clusters/iam-joining.mdx): Connecting a Kubernetes cluster to Teleport with IAM joining.
+- [Register a Kubernetes Cluster with a Static kubeconfig](register-clusters/static-kubeconfig.mdx): Connecting standalone Teleport installations to Kubernetes clusters.
diff --git a/package.json b/package.json
index d2eff23d6ab88..2d929cabe17e6 100644
--- a/package.json
+++ b/package.json
@@ -2,7 +2,7 @@
 "name": "teleport-ui",
 "version": "1.0.0",
 "scripts": {
- "all-topics": "node docs/gen-topic-pages/index.js --in docs/pages/database-access,docs/pages/access-controls",
+ "all-topics": "node docs/gen-topic-pages/index.js --in docs/pages/database-access,docs/pages/access-controls,docs/pages/desktop-access,docs/pages/kubernetes-access,docs/pages/connect-your-client,docs/pages/agents,docs/pages/auto-discovery,docs/pages/architecture,docs/pages/api,docs/pages/choose-an-edition",
 "build-ui": "yarn build-ui-oss && yarn build-ui-e",
 "build-ui-oss": "yarn workspace @gravitational/teleport build",
 "build-ui-e": "yarn workspace @gravitational/teleport.e build",
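Review bot: The expanded `--in` value on the `+` line hard-codes ten `docs/pages` directories in one string, and nothing in this patch checks that the committed TOC pages the script generates (for example `docs/pages/kubernetes-access.mdx` earlier in this diff) stay in sync with the directories they summarize. I can't see the CI configuration from here, but unless `yarn all-topics` runs there followed by a fail-on-diff step such as `git diff --exit-code docs/pages`, hand edits to generated pages and newly added subdirectories will drift silently. If `docs/gen-topic-pages/index.js` can derive the directory set itself (each subdirectory of `docs/pages` that has a same-named `.mdx` page), the argument list could be dropped; otherwise moving it into a small config file beside the generator would keep future additions reviewable as one line per entry rather than an ever-longer comma-separated string.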