Merge remote-tracking branch 'origin/master' into vapopov/client-auto…

…-update

.github/ISSUE_TEMPLATE/test-plan-docs.md

@@ -9,6 +9,13 @@ Perform the following checks on the Teleport documentation whenever we roll out
 a new major version of Teleport on Teleport Cloud. Use `/docs/upcoming-releases`
 to determine the rollout date.
 
+## Is the internal documentation coverage record up to date?
+
+- [ ] Identify features within the new release that we want to include as topics
+  in our measurement of documentation coverage. Update our internal
+  documentation coverage record to include the new topics. See our internal
+  knowledge base for the location of the coverage record.
+
 ## Is the docs site configuration accurate?
 
 > [!IMPORTANT] 

.github/workflows/changelog-merge-queue.yaml

@@ -0,0 +1,25 @@
+# This check runs only on PRs that are in the merge queue.
+#
+# PRs in the merge queue have already been approved but the reviewers check
+# is still required so this workflow allows the required check to succeed,
+# otherwise PRs in the merge queue would be blocked indefinitely.
+#
+# See "Handling skipped but required checks" for more info:
+#
+# https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/troubleshooting-required-status-checks#handling-skipped-but-required-checks
+#
+# Note both workflows must have the same name.
+name: Validate changelog entry
+on:
+  merge_group:
+
+jobs:
+  validate-changelog:
+    name: Validate the changelog entry
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: none
+
+    steps:
+      - run: 'echo "Skipping changelog check in merge queue"'

.github/workflows/lint.yaml

@@ -231,4 +231,4 @@ jobs:
       - name: Check if Terraform resources are up to date
         # We have to add the current directory as a safe directory or else git commands will not work as expected.
         # The protoc-gen-terraform version must match the version in integrations/terraform/Makefile
-        run: git config --global --add safe.directory $(realpath .) && go install github.com/gravitational/protoc-gen-terraform@08768262d29336b8ae0915ef41bb6d9768518c66 && make terraform-resources-up-to-date
+        run: git config --global --add safe.directory $(realpath .) && go install github.com/gravitational/protoc-gen-terraform@c91cc3ef4d7d0046c36cb96b1cd337e466c61225 && make terraform-resources-up-to-date

.golangci.yml

@@ -155,29 +155,35 @@ linters-settings:
           - "!$test"
           - '**/tool/tbot/**'
           - '**/lib/client/**'
+          - '!**/lib/integrations/**'
+          - '**/integrations/**'
         deny:
+          - pkg: github.com/gravitational/teleport/lib/bpf
+            desc: '"lib/bpf" requires CGO'
+          - pkg: github.com/gravitational/teleport/lib/backend/lite
+            desc: '"lib/backend/lite" requires CGO'
+          - pkg: github.com/gravitational/teleport/lib/cgroup
+            desc: '"lib/cgroup" requires CGO'
+          - pkg: github.com/gravitational/teleport/lib/config
+            desc: '"lib/config" requires CGO via "lib/pam" and "lib/backend/lite"'
+          - pkg: github.com/gravitational/teleport/lib/desktop/rdp/rdpclient
+            desc: '"lib/desktop/rdp/rdpclient" requires CGO'
           - pkg: github.com/gravitational/teleport/lib/devicetrust/authn$
-            desc: '"devicetrust/authn" requires CGO on darwin'
+            desc: '"lib/devicetrust/authn" requires CGO on darwin'
           - pkg: github.com/gravitational/teleport/lib/devicetrust/enroll
-            desc: '"devicetrust/enroll" requires CGO on darwin'
+            desc: '"lib/devicetrust/enroll" requires CGO on darwin'
           - pkg: github.com/gravitational/teleport/lib/devicetrust/native
-            desc: '"devicetrust/native" requires CGO on darwin'
-          - pkg: github.com/gravitational/teleport/lib/bpf
-            desc: '"lib/bpf" requires CGO'
-          - pkg: github.com/gravitational/teleport/lib/vnet/daemon
-            desc: '"vnet/daemon" requires CGO'
-          - pkg: github.com/gravitational/teleport/lib/system/signal
-            desc: '"lib/system/signal" requires CGO'
+            desc: '"lib/devicetrust/native" requires CGO on darwin'
           - pkg: github.com/gravitational/teleport/lib/inventory/metadata
             desc: '"lib/inventory/metadata" requires CGO'
-          - pkg: github.com/gravitational/teleport/lib/desktop/rdp/rdpclient
-            desc: '"lib/desktop/rdp/rdpclient" requires CGO'
           - pkg: github.com/gravitational/teleport/lib/pam
             desc: '"lib/pam" requires CGO'
           - pkg: github.com/gravitational/teleport/lib/srv/uacc
             desc: '"lib/srv/uacc" requires CGO'
-          - pkg: github.com/gravitational/teleport/lib/cgroup
-            desc: '"lib/cgroup" requires CGO'
+          - pkg: github.com/gravitational/teleport/lib/system/signal
+            desc: '"lib/system/signal" requires CGO'
+          - pkg: github.com/gravitational/teleport/lib/vnet/daemon
+            desc: '"vnet/daemon" requires CGO'
   errorlint:
     comparison: true
     asserts: true

Makefile

@@ -1303,6 +1303,7 @@ ADDLICENSE_COMMON_ARGS := -c 'Gravitational, Inc.' \
 		-ignore 'version.go' \
 		-ignore 'web/packages/design/src/assets/icomoon/style.css' \
 		-ignore 'web/packages/teleport/src/ironrdp/**' \
+		-ignore 'lib/limiter/internal/ratelimit/**' \
 		-ignore 'webassets/**' \
 		-ignore 'ignoreme'
 ADDLICENSE_AGPL3_ARGS := $(ADDLICENSE_COMMON_ARGS) \

README.md

@@ -182,18 +182,6 @@ To perform a build
 make full
 ```
 
-To build `tsh` with Apple TouchID support enabled:
-
-> **Important**
->
->`tsh` binaries with Touch ID support are only functional using binaries signed
-with Teleport's Apple Developer ID and notarized by Apple. If you are a Teleport
-maintainer, ask the team for access.
-
-```shell
-make build/tsh TOUCHID=yes
-```
-
 `tsh` dynamically links against libfido2 by default, to support development
 environments, as long as the library itself can be found:
 
@@ -215,6 +203,9 @@ make build/tsh FIDO2=static  # static linking, for an easy setup use `make enter
 make build/tsh FIDO2=off     # doesn't link libfido2 in any way
 ```
 
+`tsh` builds with Touch ID support require access to an Apple Developer account.
+If you are a Teleport maintainer, ask the team for access.
+
 #### Build output and run locally
 
 If the build succeeds, the installer will place the binaries in the `build` directory.

api/client/client.go

@@ -2824,10 +2824,6 @@ func (c *Client) GetAuthPreference(ctx context.Context) (types.AuthPreference, e
 		if err != nil {
 			return nil, trace.Wrap(err)
 		}
-
-		// An old server would send PIVSlot instead of HardwareKey.PIVSlot
-		// TODO(Joerger): DELETE IN 17.0.0
-		pref.CheckSetPIVSlot()
 	}
 
 	return pref, trace.Wrap(err)
@@ -2842,21 +2838,13 @@ func (c *Client) SetAuthPreference(ctx context.Context, authPref types.AuthPrefe
 		return trace.BadParameter("invalid type %T", authPref)
 	}
 
-	// An old server would expect PIVSlot instead of HardwareKey.PIVSlot
-	// TODO(Joerger): DELETE IN 17.0.0
-	authPrefV2.CheckSetPIVSlot()
-
 	_, err := c.grpc.SetAuthPreference(ctx, authPrefV2)
 	return trace.Wrap(err)
 }
 
 // setAuthPreference sets cluster auth preference via the legacy mechanism.
 // TODO(tross) DELETE IN v18.0.0
 func (c *Client) setAuthPreference(ctx context.Context, authPref *types.AuthPreferenceV2) (types.AuthPreference, error) {
-	// An old server would expect PIVSlot instead of HardwareKey.PIVSlot
-	// TODO(Joerger): DELETE IN 17.0.0
-	authPref.CheckSetPIVSlot()
-
 	_, err := c.grpc.SetAuthPreference(ctx, authPref)
 	if err != nil {
 		return nil, trace.Wrap(err)