Merge branch 'branch/v17' into tcsc/branch/v17/ic-rerun-import

Author: tcsc

Cargo.lock

@@ -56,7 +56,7 @@ of their current `username` trait converted to lowercase.
 Copy this example rule to a file called `my_rule.yaml` to continue with the
 guide.
 
-```
+```yaml
 # my_rule.yaml
 kind: login_rule
 version: v1
@@ -136,8 +136,8 @@ You can check the traits and roles with the following command:
 $ tctl get --format json users/<Var name="username"/> | jq '{traits: first.spec.traits, roles: first.spec.roles}'
 {
   "traits": {
-	"access": [
-	  "staging"
+    "access": [
+      "staging"
     ],
     "groups": [
       "dbs",

docs/pages/admin-guides/access-controls/login-rules/guide.mdx

@@ -285,6 +285,11 @@ auth_service:
       pin: "<CU_username>:<CU_password>"
       # pin_path can optionally be used to read the pin from a file
       # pin_path: /path/to/pin_file
+
+      # max_sessions configures the maximum number of open sessions for the HSM.
+      # If not set, it will default to the minimum of 1024 or the MaxRWSessionCount
+      # reported by the PKCS#11 module for the token. If set, must be greater than 1.
+      max_sessions: 10
 ```
   </TabItem>
 
@@ -309,6 +314,10 @@ auth_service:
       pin: "85cfpassword"
       # pin_path can optionally be used to read the pin from a file
       # pin_path: /path/to/pin_file
+
+      # Optionally specify the maximum number of open sessions for the HSM.
+      # If not set, it will default to 1024. If set, must be greater than 1.
+      max_sessions: 10
 ```
   </TabItem>
 </Tabs>

docs/pages/admin-guides/deploy-a-cluster/hsm.mdx

@@ -432,3 +432,34 @@ auth_service:
       report_results: s3://audit-long-term/report_results
       # (Optional) Athena workgroup used by access monitoring queries (if not set, the default primary workgroup will be used).
       workgroup: access_monitoring_workgroup
+    # Enables storing CAs in an external Hardware Security Module(HSM) or Key Management Service(KMS)
+    # Only one of the options can be enbabled at a given time.
+    ca_key_params:
+      # Persist CAs to Google Cloud KMS.
+      gcp_kms:
+        # The fully qualified path to the GCP key ring where CAs are to be stored.
+        keyring: 'projects/<your-gcp-project>/locations/<location>/keyRings/<your-teleport-keyring>'
+        # The protection level of the keys. Must be either SOFTWARE or HSM.
+        protection_level: 'SOFTWARE'
+      # Persist CAs to AWS KMS.
+      aws_kms:
+        # The AWS account where keys should be stored.
+        account: '123456789012'
+        # The AWS region where keys will be stored.
+        region: 'us-west-2'
+      # Persist CAs to a PKCS#11 compliant HSM.
+      pkcs11:
+        # this is the default install location of the PKCS#11 module for the HSM.
+        module_path: /opt/cloudhsm/lib/libcloudhsm_pkcs11.so
+        # slot_number is the PKCS#11 slot number to use for HSM connections.
+        slot_number: 0
+        # token_label is the label of the PKCS#11 token to use for HSM connections.
+        token_label: 'hsm1'
+        # max_sessions configures the maximum number of open sessions for the HSM.
+        # If not set, it will default to the minimum of 1024 or the MaxRWSessionCount
+        # reported by the PKCS#11 module for the token. If set, must be greater than 1.
+        max_sessions: 10
+        # pin is the PKCS#11 pin to use for HSM connections.
+        pin: '0001password'
+        # pin_path can optionally be used to read the pin from a file
+        # pin_path: /path/to/pin_file

docs/pages/includes/config-reference/auth-service.yaml

@@ -1,4 +1,4 @@
-```
+```yaml
 kind: login_rule
 version: v1
 metadata:

docs/pages/includes/login-rule-spec.mdx

@@ -9,48 +9,10 @@ The Teleport team delivers a new major release roughly every 4 months.
 
 | Version | Date                        |
 |---------|-----------------------------|
-| 17.3.0  | Week of February 24th, 2025 |
 | 17.4.0  | Week of March 24th, 2025    |
 | 17.5.0  | Week of May 19th, 2025      |
 | 18.0.0  | Week of May 26th, 2025      |
 
-### 17.3.0
-
-#### Delegated joining for Oracle Cloud Infrastructure
-
-Teleport agents running on Oracle Cloud Infrastructure (OCI) will be able to
-join the Teleport cluster without a static join token.
-
-#### Stable UIDs for host-user creation
-
-Teleport will provide the ability to create host users with stable UIDs across
-the entire Teleport cluster.
-
-#### VNet for Windows
-
-Teleport's VNet feature will be available for Windows, allowing users to access
-TCP applications protected by Teleport as if they were on the same network.
-
-#### Improved GitHub Proxy enrollment flow
-
-{/* lint ignore absolute-docs-links */}
-Teleport web UI will provide wizard-like guided enrollment flow for the new
-[GitHub
-Proxy](https://goteleport.com/docs/admin-guides/management/guides/github-integration)
-integration.
-
-#### AWS Identity Center integration improvements
-
-AWS Identity Center integration will support using IAM authentication instead
-of OIDC (useful for private clusters) and a hybrid setup that allows to use
-another IdP as external identity source.
-
-#### Okta integration improvements
-
-Teleport Okta integration will include updated guided enrollment flow and will
-allow updating integration settings (such as sync configuration or group filters)
-without having to recreate the integration.
-
 ### 17.4.0
 
 #### Database access for Oracle RDS
@@ -93,8 +55,9 @@ the Teleport Connect application without needing to use a browser.
 
 #### VNet for SSH
 
-Teleport's VNet feature will be available for SSH, allowing users to access
-SSH servers protected by Teleport as if they were on the same network.
+Teleport VNet will add native support for SSH, enabling any SSH client to connect
+to Teleport SSH servers with zero configuration. Advanced Teleport features like
+per-session MFA will have first-class support for a seamless user experience.
 
 ### 18.0.0
 
@@ -111,8 +74,10 @@ The key deliverables for Teleport Cloud in the next quarter:
 
 | Week of               | Description                                                    |
 |-----------------------|----------------------------------------------------------------|
-| March 3rd, 2025       | Teleport 17.3 will begin rollout on Cloud.                     |
-| March 3rd, 2025       | Teleport 17.3 agents will begin rollout to eligible tenants.   |
+| March 10, 2025       | Teleport 17.3 will begin rollout on Cloud.                      |
+| March 10, 2025       | Teleport 17.3 agents will begin rollout to eligible tenants.    |
+| March 31, 2025       | Teleport 17.4 will begin rollout on Cloud.                      |
+| March 31, 2025       | Teleport 17.4 agents will begin rollout to eligible tenants.    |
 
 ## Production readiness
 

docs/pages/upcoming-releases.mdx

@@ -51,10 +51,11 @@ type pkcs11KeyStore struct {
 
 func newPKCS11KeyStore(config *servicecfg.PKCS11Config, opts *Options) (*pkcs11KeyStore, error) {
 	cryptoConfig := &crypto11.Config{
-		Path:       config.Path,
-		TokenLabel: config.TokenLabel,
-		SlotNumber: config.SlotNumber,
-		Pin:        config.PIN,
+		Path:        config.Path,
+		TokenLabel:  config.TokenLabel,
+		SlotNumber:  config.SlotNumber,
+		Pin:         config.PIN,
+		MaxSessions: config.MaxSessions,
 	}
 
 	ctx, err := crypto11.Configure(cryptoConfig)

lib/auth/keystore/pkcs11.go

@@ -1138,6 +1138,7 @@ func applyPKCS11Config(pkcs11Config *PKCS11, cfg *servicecfg.Config) error {
 
 	cfg.Auth.KeyStore.PKCS11.TokenLabel = pkcs11Config.TokenLabel
 	cfg.Auth.KeyStore.PKCS11.SlotNumber = pkcs11Config.SlotNumber
+	cfg.Auth.KeyStore.PKCS11.MaxSessions = pkcs11Config.MaxSessions
 
 	cfg.Auth.KeyStore.PKCS11.PIN = pkcs11Config.PIN
 	if pkcs11Config.PINPath != "" {

lib/config/configuration.go

@@ -3217,6 +3217,27 @@ func TestApplyKeyStoreConfig(t *testing.T) {
 				worldReadablePinFilePath,
 			),
 		},
+		{
+			name: "correct config with max sessions",
+			auth: Auth{
+				CAKeyParams: &CAKeyParams{
+					PKCS11: &PKCS11{
+						ModulePath:  securePKCS11LibPath,
+						TokenLabel:  "foo",
+						SlotNumber:  &slotNumber,
+						MaxSessions: 100,
+					},
+				},
+			},
+			want: servicecfg.KeystoreConfig{
+				PKCS11: servicecfg.PKCS11Config{
+					TokenLabel:  "foo",
+					SlotNumber:  &slotNumber,
+					MaxSessions: 100,
+					Path:        securePKCS11LibPath,
+				},
+			},
+		},
 		{
 			name: "correct gcp config",
 			auth: Auth{

lib/config/configuration_test.go

@@ -895,6 +895,8 @@ type PKCS11 struct {
 	// Trailing newlines will be removed, other whitespace will be left. Set
 	// this or Pin to set the pin.
 	PINPath string `yaml:"pin_path,omitempty"`
+	// MaxSessions is the upper limit of sessions allowed by the HSM.
+	MaxSessions int `yaml:"max_sessions"`
 }
 
 // GoogleCloudKMS configures Google Cloud Key Management Service to to be used for

lib/config/fileconf.go

@@ -242,6 +242,8 @@ type PKCS11Config struct {
 	TokenLabel string
 	// PIN is the PKCS11 PIN for the given token.
 	PIN string
+	// MaxSessions is the upper limit of sessions allowed by the HSM.
+	MaxSessions int
 }
 
 // CheckAndSetDefaults checks that required parameters of the config are
@@ -253,6 +255,17 @@ func (cfg *PKCS11Config) CheckAndSetDefaults() error {
 	if cfg.SlotNumber == nil && cfg.TokenLabel == "" {
 		return trace.BadParameter("must provide one of SlotNumber or TokenLabel")
 	}
+
+	switch {
+	case cfg.MaxSessions < 0:
+		return trace.BadParameter("the value of PKCS11 MaxSessions must not be negative")
+	case cfg.MaxSessions == 1:
+		return trace.BadParameter("the minimum value for PKCS11 MaxSessions is 2")
+	case cfg.MaxSessions == 0:
+	// A value of zero is acceptable and indicates to the pkcs11 library to use the default value.
+	default:
+	}
+
 	return nil
 }