commit 01d8ed06422edafe71b21f65874c3c9e5f6912ddef13c45648e52eaeb53a918a
Author: Johannes Kastl
Date: Sat Sep 14 08:16:56 2024 +0000
update to 16.3.0
OBS-URL: https://build.opensuse.org/package/show/devel:kubic/teleport?expand=0&rev=235
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/_service b/_service
new file mode 100644
index 0000000..5be1d27
--- /dev/null
+++ b/_service
@@ -0,0 +1,39 @@
+
+
+ https://github.com/gravitational/teleport
+ git
+ disable
+ .git
+ v16.3.0
+ @PARENT_TAG@
+ disable
+ v(.*)
+ v*
+
+
+ https://github.com/gravitational/webassets
+ git
+ disable
+ .git
+ webassets
+ yes
+
+
+ *.tar
+ gz
+
+
+ teleport
+
+
+
+ *.tar
+ gz
+
+
+
+
+ true
+ teleport/tool/fdpass-teleport
+
+
diff --git a/_servicedata b/_servicedata
new file mode 100644
index 0000000..39090a4
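Review bot: The teleport checkout in _service is pinned to the tag `v16.3.0` and the commit it resolved to is recorded in _servicedata, but the webassets checkout in the second service block carries no revision value that I can see, so that fetch presumably floats to the branch head at every service run; the XML element names have not survived the rendering, so please confirm against the actual file. A floating second source means the produced archive can change without any change to this package, and nothing in _servicedata lets a reviewer check what was pulled. Pin it to the webassets commit that matches the 16.3.0 release, e.g. `<param name="revision">WEBASSETS_COMMIT_PLACEHOLDER</param>`, so the build is reproducible and the resolved hash is recorded like the teleport one. Separately, the commit adds obscpio archives for 16.1.0, 16.1.3 and 16.1.4 alongside 16.3.0 although the service now only produces 16.3.0; dropping the stale archives avoids shipping and reviewing sources nothing references.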
--- /dev/null +++ b/_servicedata @@ -0,0 +1,4 @@ + + + https://github.com/gravitational/teleport + f1ce28f6f67aa2e9f14400785f7a43ec247da995 \ No newline at end of file diff --git a/tbot.yaml b/tbot.yaml new file mode 100644 index 0000000..982b261 --- /dev/null +++ b/tbot.yaml @@ -0,0 +1,15 @@ +# +# Example tbot.yaml +# please see https://github.com/gravitational/teleport/tree/master/examples/systemd/machine-id +# for details + +# auth_server: "auth.example.com:3025" +# onboarding: +# join_method: "token" +# token: "00000000000000000000000000000000" +# ca_pins: +# - "sha256:1111111111111111111111111111111111111111111111111111111111111111" +# storage: +# directory: /var/lib/teleport/bot +# destinations: +# - directory: /opt/machine-id diff --git a/teleport-16.1.0.obscpio b/teleport-16.1.0.obscpio new file mode 100644 index 0000000..04938b6 --- /dev/null +++ b/teleport-16.1.0.obscpio @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5f140a7a074cabce5ab56da2b74df4f9712d9528ed5b0aa8b622810eddded6c1 +size 255606798 diff --git a/teleport-16.1.3.obscpio b/teleport-16.1.3.obscpio new file mode 100644 index 0000000..92fc59d --- /dev/null +++ b/teleport-16.1.3.obscpio @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ce83e5f3632d9e9300f46746fa13753488b8039ff8ef53f80c28e3245f4a49ae +size 258359822 diff --git a/teleport-16.1.4.obscpio b/teleport-16.1.4.obscpio new file mode 100644 index 0000000..a29780b --- /dev/null +++ b/teleport-16.1.4.obscpio @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:00f52316a4b8478d61543d74ea98d4124393b6fe86dc032d9edbb04d19eff339 +size 258401294 diff --git a/teleport-16.3.0.obscpio b/teleport-16.3.0.obscpio new file mode 100644 index 0000000..26eca57 --- /dev/null +++ b/teleport-16.3.0.obscpio @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2e3b34d55a0ac7f480c09c6d96d89238ce79bd3bd82b6807ba3beec113a8fe01 +size 264692238 
diff --git a/teleport.changes b/teleport.changes new file mode 100644 index 0000000..919b9f5 --- /dev/null +++ b/teleport.changes 
@@ -0,0 +1,10845 @@ +------------------------------------------------------------------- +Sat Sep 14 07:49:25 UTC 2024 - Johannes Kastl + +- update to 16.3.0: + * Out-of-band user creation + - Cluster administrators are now able to configure Teleport's + ssh_service to ensure that certain host users exist on the + machine without the need to start an SSH session. #46498 + * Other improvements and fixes + - Allow the cluster wide ssh dial timeout to be set via + auth_service.ssh_dial_timeout in the Teleport config file. + #46507 + - Fixed an issue preventing session joining while host user + creation was in use. #46501 + - Added tbot Helm chart for deploying a Machine ID Bot into a + Teleport cluster. #46373 + +------------------------------------------------------------------- +Sat Sep 14 07:37:43 UTC 2024 - Johannes Kastl + +- update to 16.2.2: + * Fixed an issue that prevented the Firestore backend from + reading existing data. #46433 + * The teleport-kube-agent chart now correctly propagates + configured annotations when deploying a StatefulSet. #46421 + * Fixed regression with Slack notification rules matching on + plugin name instead of type. #46391 + * Update tsh puttyconfig to respect any defined proxy templates. + #46384 + * Ensure that additional pod labels are carried over to + post-upgrade and post-delete hook job pods when using the + teleport-kube-agent Helm chart. #46232 + * Fix bug that renders WebUI unusable if a role is deleted while + it is still being in use by the logged in user. #45774 + +------------------------------------------------------------------- +Sat Sep 14 06:35:21 UTC 2024 - Johannes Kastl + +- update to 16.2.1 (there is no 16.2.0 release): + * Fixed debug service not being turned off by configuration; + Connect My Computer in Teleport Connect should no longer fail + with "bind: invalid argument". #46293 + * Fixed an issue that could result in duplicate session + recordings being created. 
#46265 + * Connect now supports bulk selection of resources to create an + access request in the unified resources view. #46238 + * Added support for the teleport_installer resource to the + Teleport Terraform provider. #46200 + * Fixed an issue that would cause reissue of certificates to fail + in some scenarios where a local auth service was present. + #46184 + * Updated OpenSSL to 3.0.15. #46180 + * Extend Teleport ability to use non-default cluster domains in + Kubernetes, avoiding the assumption of cluster.local. #46150 + * Fixed retention period handling in the CockroachDB audit log + storage backend. #46147 + * Prevented Teleport Kubernetes access from resending resize + events to the party that triggered the terminal resize, + avoiding potential resize loops. #46066 + * Fixed an issue where attempts to play/export certain session + recordings would fail with gzip: invalid header. #46035 + * Fixed a bug where Teleport services could not join the cluster + using iam, azure, or tpm methods when the proxy service + certificate did not contain IP SANs. #46010 + * Prevent connections from being randomly terminated by Teleport + proxies when proxy_protocol is enabled and TLS is terminated + before Teleport Proxy. #45992 + * Updated the icons for server, application, and desktop + resources. #45990 + * Added eks:UpdateAccessEntry to IAM permissions generated by the + teleport integration IAM setup command and to the documentation + reference for auto-discovery IAM permissions. #45983 + * Added ServiceNow support to access request notification routing + rules. #45965 + * Added PagerDuty support to access request notification routing + rules. #45913 + * Fixed an issue where host_sudoers could be written to Teleport + proxy server sudoer lists in Teleport v14 and v15. #45958 + * Prevent interactive sessions from hanging on exit. #45952 + * Fixed kernel version check of Enhanced Session Recording for + distributions with backported BPF. 
#45941 + * Added a flag to skip a relogin attempt when using tsh ssh and + tsh proxy ssh. #45929 + * The hostname where the process is running is returned when + running tctl get db_services. #45909 + * Add buttons to clear all selected Roles/Reviewers in new Access + Requests. #45904 + * Fixed an issue WebSocket upgrade fails with MiTM proxies that + can remask payloads. #45899 + * When a database is created manually (without auto-discovery) + the teleport.dev/db-admin and + teleport.dev/db-admin-default-database labels are no longer + ignored and can be used to configure database auto-user + provisioning. #45891 + * Add support for non-RSA SSH signatures with imported CA keys. + #45890 + * Update tsh login and tsh status output to truncate a list of + roles. #45581 + +------------------------------------------------------------------- +Fri Aug 9 18:26:17 UTC 2024 - Johannes Kastl + +- update to 16.1.4: + * Improved tsh ssh performance for concurrent execs. #45162 + * Fixed issue with loading cluster features when agents are + upgraded prior to auth. #45226 + * Updated Go to 1.22.6. #45194 + +------------------------------------------------------------------- +Wed Aug 7 07:16:37 UTC 2024 - Johannes Kastl + +- update to 16.1.3 (not release 16.1.2): + * Fixed an issue where tsh aws may display extra text in addition + to the original command output. #45168 + * Fixed regression that denied access to launch some Apps. #45149 + * Bot resources now honor their metadata.expires field. #45130 + * Teleport Connect now sets TERM_PROGRAM: Teleport_Connect and + TERM_PROGRAM_VERSION: environment variables in + the integrated terminal. #45063 + * Fixed a panic in the Microsoft Teams plugin when it receives an + error. #45011 + * Added a background item for VNet in Teleport Connect; VNet now + prompts for a password only during the first launch. #44994 + * Added warning on tbot startup when the requested certificate + TTL exceeds the maximum allowed value. 
#44989 + * Fixed a race condition between session recording uploads and + session recording upload cleanup. #44978 + * Prevented Kubernetes per-Resource RBAC from blocking access to + namespaces when denying access to a single resource kind in + every namespace. #44974 + * SSO login flows can now authorize web sessions with Device + Trust. #44906 + * Added support for Kubernetes Workload Attestation into Teleport + Workload Identity to allow the authentication of pods running + within Kubernetes without secrets. #44883 + +------------------------------------------------------------------- +Thu Aug 1 07:25:49 UTC 2024 - Johannes Kastl + +- update to 16.1.1: + * Added option to allow client redirects from IPs in specified + CIDR ranges in SSO client logins. #44846 + * Machine ID can now be configured to use Kubernetes Secret + destinations from the command line using the kubernetes-secret + schema. #44801 + * Prevent discovery service from overwriting Teleport dynamic + resources that have the same name as discovered resources. +#44785 + * Reduced the probability that the event-handler deadlocks when + encountering errors processing session recordings. #44771 + * Improved event-handler diagnostics by providing a way to + capture profiles dynamically via SIGUSR1. #44758 + * Teleport Connect now uses ConPTY for better terminal resizing + and accurate color rendering on Windows, with an option to + disable it in the app config. #44742 + * Fixed event-handler Helm charts using the wrong command when + starting the event-handler container. #44697 + * Improved stability of very large Teleport clusters during + temporary backend disruption/degradation. #44694 + * Resolved compatibility issue with Paramiko and Machine ID's SSH + multiplexer SSH agent. #44673 + * Teleport no longer creates invalid SAML Connectors when calling + tctl get saml/ | tctl create -f without the + --with-secrets flag. 
#44666 + * Fixed a fatal error in tbot when unable to lookup the user from + a given UID in containerized environments for checking ACL + configuration. #44645 + * Fixed Application Access regression where an HTTP header wasn't + set in forwarded requests. #44628 + * Added Server auto-discovery support for Rocky and AlmaLinux + distros. #44612 + * Use the registered port of the target host when tsh puttyconfig + is invoked without --port. #44572 + * Added more icons for guessing application icon by name or by + label teleport.icon in the web UI. #44566 + * Remove deprecated S3 bucket option when creating or editing AWS + OIDC integration in the web UI. #44485 + * Fixed terminal sessions with a database CLI client in Teleport + Connect hanging indefinitely if the client cannot be found. +#44465 + * Added application-tunnel service to Machine ID for establishing + a long-lived tunnel to a HTTP or TCP application for Machine to + Machine access. #44443 + * Fixed a regression that caused Teleport Connect to fail to + start on Intel Macs. #44435 + * Improved auto-discovery resiliency by recreating Teleport + configuration when the node fails to join the cluster. #44432 + * Fixed a low-probability panic in audit event upload logic. + #44425 + * Fixed Teleport Connect binaries not being signed correctly. + #44419 + * Prevented DoSing the cluster during a mass failed join event by + agents. #44414 + * The availability filter is now a toggle to show (or hide) + requestable resources. #44413 + * Moved PostgreSQL auto provisioning users procedures to pg_temp + schema. #44409 + * Added audit events for AWS and Azure integration resource + actions. #44403 + * Fixed automatic updates with previous versions of the + teleport.yaml config. #44379 + * Added support for Rocky and AlmaLinux when enrolling a new + server from the UI. #44332 + * Fixed PostgreSQL session playback not rendering queries line + breaks correctly. 
#44315 + * Fixed Teleport access plugin tarballs containing a build + directory, which was accidentally added upon v16.0.0 release. +#44300 + * Prevented an infinite loop in DynamoDB event querying by + advancing the cursor to the next day when the limit is reached + at the end of a day with an empty iterator. This ensures the + cursor does not reset to the beginning of the day. #44275 + * The clipboard sharing tooltip for desktop sessions now + indicates why clipboard sharing is disabled. #44237 + * Prevented redirects to arbitrary URLs when launching an app. + #44188 + * Added a --skip-idle-time flag to tsh play. #44013 + * Added audit events for discovery config actions. #43793 + * Enabled Access Monitoring Rules routing with Mattermost plugin. + #43601 + * SAML application can now be deleted from the Web UI. #4778 + * Fixed an Access List permission bug where an access list owner, + who is also a member, was not able to add/remove access list + member. #4744 + * Fixed a bug in Web UI where clicking SAML GCP Workforce + Identity Federation discover tile would throw an error, + preventing from using the guided enrollment feature. #4720 + * Fixed an issue with incorrect yum/zypper updater packages being + installed. #4684 + +------------------------------------------------------------------- +Tue Jul 16 09:32:46 UTC 2024 - Johannes Kastl + +- update to 16.1.0: + * Database Access session replay + - Database Access users will be able to watch PostgreSQL query + replays in the web UI or with tsh. + * Other improvements and fixes + - Fixed "staircase" text output for non-interactive Kube exec + sessions in Web UI. #44249 + - Fixed a leak in the admin process spawned by starting VNet + through tsh vnet or Teleport Connect. #44225 + - Fixed a kube-agent-updater bug affecting resolutions of + private images. #44191 + - The show_resources option is no longer required for + statically configured proxy ui settings. 
#44181 + - The teleport-cluster chart can now use existing ingresses + instead of creating its own. #44146 + - Ensure that tsh login outputs accurate status information for + the new session. #44143 + - Fixes "device trust mode x requires Teleport Enterprise" + errors on tctl. #44133 + - Added the tbot install systemd command for installing tbot as + a service on Linux systems. #44083 + - Added ability to list access list members in json format in + tctl. #44071 + - Update grpc to v1.64.1 (patches GO-2024-2978). #44067 + - Batch access review reminders into 1 message and provide link + out to the web UI. #44034 + - Fixed denying access despite access being configured for + Notification Routing Rules in the web UI. #44029 + - Honor proxy templates in tsh ssh. #44026 + - Fixed eBPF error occurring during startup on Linux RHEL 9. + #44023 + - Fixed Redshift auto-user deactivation/deletion failure that + occurs when a user is created or deleted and another user is + deactivated concurrently. #43968 + - Lower latency of detecting Kubernetes cluster becoming + online. #43967 + - Teleport AMIs now optionally source environment variables + from /etc/default/teleport as regular Teleport package + installations do. #43962 + - Make tbot compilable on Windows. #43959 + - Add a new event to the database session recording with + query/command result information. #43955 + - Enabled setting event types to forward, skip events, skip + session types in event-handler helm chart. #43938 + - extraLabels configured in teleport-kube-agent chart values + are now correctly propagated to post-delete hooks. A new + extraLabels.job object has been added for labels which should + only apply to the post-delete job. #43932 + - Add support for Teams to Opsgenie plugin alert creation. 
+ #43916 + - Machine ID outputs now execute individually and concurrently, + meaning that one failing output does not disrupt other + outputs, and that performance when generating a large number + of outputs is improved. #43876 + - SAML IdP service provider resource can now be updated from + the Web UI. #4651 + - Fixed empty condition from unquoted string with YAML editor + for Notification Routing Rules in the Web UI. #4636 + - Teleport Enterprise now supports the + TELEPORT_REPORTING_HTTP(S)_PROXY environment variable to + specify the URL of the HTTP(S) proxy used for connections to + our usage reporting ingest service. #4568 + - Fixed inaccurately notifying user that access list reviews + are due in the web UI. #4521 + +------------------------------------------------------------------- +Thu Jul 11 19:44:53 UTC 2024 - Johannes Kastl + +- update to 16.0.4: + * Omit control plane services from the inventory list output for + Cloud-Hosted instances. #43779 + * Updated Go toolchain to v1.22.5. #43768 + * Reduced CPU usage in auth servers experiencing very high + concurrent request load. #43755 + * Machine ID defaults to disabling the use of the Kubernetes exec + plugin when writing a Kubeconfig to a directory destination. + This removes the need to manually configure + disable_exec_plugin. #43655 + * Fixed startup crash of Teleport Connect on Ubuntu 24.04 by + adding an AppArmor profile. #43653 + * Added support for dialling leaf clusters to the tbot SSH + multiplexer. #43634 + * Extend Teleport ability to use non-default cluster domains in + Kubernetes, avoiding the assumption of cluster.local. #43631 + * Wait for user MFA input when reissuing expired certificates for + a kube proxy. #43612 + * Improved error diagnostics when using Machine ID's SSH + multiplexer. 
#43586 + +------------------------------------------------------------------- +Thu Jul 11 19:31:49 UTC 2024 - Johannes Kastl + +- update to 16.0.3 (skipping 16.0.2 that was not released): + This release of Teleport contains a fix for a medium-level + security issue impacting Teleport Enterprise, as well as various + other updates and improvements + => the security fix has no relevance on openSUSE + * Other updates and improvements + - Update go-retryablehttp to v0.7.7 (fixes CVE-2024-6104). + #43474 + - Fixed Discover setup access error when updating user. #43560 + - Added audit event field describing if the "MFA for admin + actions" requirement changed. #43541 + - Fixed remote port forwarding validation error. #43516 + - Added support to trust system CAs for self-hosted databases. + #43493 + - Added error display in the Web UI for SSH and Kubernetes + sessions. #43485 + - Fixed accurate inventory reporting of the updater after it is + removed. #43454 + - tctl alerts ls now displays remaining alert ttl. #43436 + - Fixed input search for Teleport Connect's access request + listing. #43429 + - Added Debug setting for event-handler. #43408 + - Fixed Headless auth for sso users, including when local auth + is disabled. #43361 + - Added configuration for custom CAs in the event-handler helm + chart. #43340 + - Updated VNet panel in Teleport Connect to list custom DNS + zones and DNS zones from leaf clusters. #43312 + - Fixed an issue with Database Access Controls preventing users + from making additional database connections. #43303 + - Fixed bug that caused gRPC connections to be disconnected + when their certificate expired even though + DisconnectCertExpiry was false. #43290 + - Fixed Connect My Computer in Teleport Connect failing with + "bind: invalid argument". #43287 + - Fix a bug where a Teleport instance running only Jamf or + Discovery service would never have a healthy /readyz + endpoint. 
#43283 + - Added a missing [Install] section to the teleport-acm systemd + unit file as used by Teleport AMIs. #43257 + - Patched timing variability in curve25519-dalek. #43246 + - Fixed setting request reason for automatic ssh access + requests. #43178 + - Improved log rotation logic in Teleport Connect; now the + non-numbered files always contain recent logs. #43161 + - Added tctl desktop bootstrap for bootstrapping AD + environments to work with Desktop Access. #43150 + +------------------------------------------------------------------- +Thu Jul 11 19:03:17 UTC 2024 - Johannes Kastl + +- update to 16.0.1: + * tctl now ignores any configuration file if the auth_service + section is disabled, and prefer loading credentials from a + given identity file or tsh profile instead. #43115 + * Skip jamf_service validation when the service is not enabled. + #43095 + * Fix v16.0.0 amd64 Teleport plugin images using arm64 binaries. + #43084 + * Add ability to edit user traits from the Web UI. #43067 + * Enforce limits when reading events from Firestore for large + time windows to prevent OOM events. #42966 + * Allow all authenticated users to read the cluster vnet_config. + #42957 + * Improve search and predicate/label based dialing performance in + large clusters under very high load. 
#42943 + +------------------------------------------------------------------- +Wed Jul 10 18:48:28 UTC 2024 - Johannes Kastl + +- major update to 16.0.0: + Teleport 16 brings the following new features and improvements: + * Teleport VNet + * Device Trust for the Web UI + * Increased support for per-session MFA + * Web UI notification system + * Access requests from the resources view + * tctl for Windows + * Teleport plugins improvements + Breaking changes: + * Multi-factor authentication is now required for local users + * Community Edition license + * Incompatible clients are rejected + * Opsgenie plugin annotations + * New required permissions for DynamoDB + * Machine ID and OpenSSH client config changes + * Removal of Active Directory configuration flow + * Teleport Assist is removed + Full changelog: + https://github.com/gravitational/teleport/releases/tag/v16.0.0 + +------------------------------------------------------------------- +Thu Jul 4 07:35:11 UTC 2024 - Johannes Kastl + +- update to 15.4.7: + * Added audit events for discovery config actions. #43794 + * Updated Go toolchain to v1.22.5. #43769 + * Reduced CPU usage in auth servers experiencing very high + concurrent request load. #43760 + * Machine ID defaults to disabling the use of the Kubernetes exec + plugin when writing a Kubeconfig to a directory destination. + This removes the need to manually configure + disable_exec_plugin. #43656 + * Fixed startup crash of Teleport Connect on Ubuntu 24.04 by + adding an AppArmor profile. #43652 + * Added support for dialling leaf clusters to the tbot SSH + multiplexer. #43635 + * Extend Teleport ability to use non-default cluster domains in + Kubernetes, avoiding the assumption of cluster.local. #43632 + * Wait for user MFA input when reissuing expired certificates for + a kube proxy. #43613 + * Improved error diagnostics when using Machine ID's SSH + multiplexer. 
#43587 + +------------------------------------------------------------------- +Wed Jul 3 15:58:15 UTC 2024 - Johannes Kastl + +- update to 15.4.6: + * Security Fixes + - [Medium] Fixes issue where a SCIM client could potentially + overwrite. Teleport system Roles using specially crafted + groups. This issue impacts Teleport Enterprise deployments + using the Okta integration with SCIM support enabled. + * Other updates and improvements + - Fixed Discover setup access error when updating user. #43561 + - Updated Go toolchain to 1.22. #43550 + - Fixed remote port forwarding validation error. #43517 + - Added support to trust system CAs for self-hosted databases. + #43500 + - Added error display in the Web UI for SSH and Kubernetes + sessions. #43491 + - Update go-retryablehttp to v0.7.7 (fixes CVE-2024-6104). + #43475 + - Fixed accurate inventory reporting of the updater after it is + removed.. #43453 + - tctl alerts ls now displays remaining alert ttl. #43435 + - Fixed input search for Teleport Connect's access request + listing. #43430 + - Added Debug setting for event-handler. #43409 + - Fixed Headless auth for sso users, including when local auth + is disabled. #43362 + - Added configuration for custom CAs in the event-handler helm + chart. #43341 + - Fixed an issue with Database Access Controls preventing users + from making additional database connections depending on + their permissions. #43302 + - Fixed Connect My Computer in Teleport Connect failing with + "bind: invalid argument". #43288 + +------------------------------------------------------------------- +Fri Jun 21 19:10:03 UTC 2024 - Johannes Kastl + +- update to 15.4.5: + * Added a missing [Install] section to the teleport-acm systemd + unit file as used by Teleport AMIs. #43256 + * Patched timing variability in curve25519-dalek. 
#43249 + * Updated tctl to ignore a configuration file if the auth_service + section is disabled, and prefer loading credentials from a + given identity file or tsh profile instead. #43203 + * Fixed setting request reason for automatic ssh access requests. + #43180 + * Updated teleport to skip jamf_service validation when the Jamf + service is not enabled. #43169 + * Improved log rotation logic in Teleport Connect; now the + non-numbered files always contain recent logs. #43162 + * Made tsh and Teleport Connect return early during login if ping + to proxy service was not successful. #43086 + * Added ability to edit user traits from the Web UI. #43068 + * Enforce limits when reading events from Firestore to prevent + OOM events. #42967 + * Fixed updating groups for Teleport-created host users. #42884 + * Added support for crown_jewel resource. #42866 + * Added ability to edit user traits from the Web UI. #43068 + * Fixed gRPC disconnection on certificate expiry even though + DisconnectCertExpiry was false. #43291 + * Fixed issue where a Teleport instance running only Jamf or + Discovery service would never have a healthy /readyz endpoint. + #43284 + +------------------------------------------------------------------- +Wed Jun 19 04:42:25 UTC 2024 - Johannes Kastl + +- change license to AGPL-3.0-only, as license was changed upstream + in 15.0.0 already + +------------------------------------------------------------------- +Fri Jun 14 18:14:03 UTC 2024 - Johannes Kastl + +- update to 15.4.4: + * Improve search and predicate/label based dialing performance in + large clusters under very high load. #42941 + * Fix an issue Oracle access failed through trusted cluster. + #42928 + * Fix errors caused by dynamoevents query StartKey not being + within the [From, To] window. #42915 + * Fix Jira Issue creation when Summary exceeds the max allowed + size. #42862 + * Fix editing reviewers from being ignored/overwritten when + creating an access request from the web UI. 
#4397
+
+-------------------------------------------------------------------
+Thu Jun 13 05:17:15 UTC 2024 - Johannes Kastl
+
+- new subpackage teleport-fdpass-teleport, see below
+- update to 15.4.3:
+ Note: This release includes a new binary, fdpass-teleport, that
+ can be optionally used by Machine ID to significantly reduce
+ resource consumption in use-cases that create large numbers of
+ SSH connections (e.g. Ansible). Refer to the documentation for
+ more details.
+ * Update azidentity to v1.6.0 (patches CVE-2024-35255). #42859
+ * Remote rate limits on endpoints used extensively to connect to
+ the cluster. #42835
+ * Machine ID SSH multiplexer now only writes artifacts if they
+ have not changed, resolving a potential race condition with the
+ OpenSSH client. #42830
+ * Use more efficient API when querying SSH nodes to resolve Proxy
+ Templates in tbot. #42829
+ * Improve the performance of the Athena audit log and S3 session
+ storage backends. #42795
+ * Prevent a panic in the Proxy when accessing an offline
+ application. #42786
+ * Improve backoff of session recording uploads by teleport
+ agents. #42776
+ * Introduce the new Machine ID ssh-multiplexer service for
+ significant improvements in SSH performance. #42761
+ * Reduce backend writes incurred by tracking status of
+ non-recorded sessions. #42694
+ * Fix not being able to logout from the web UI when session
+ invalidation errors. #42648
+ * Fix access list listing not updating when creating or deleting
+ an access list in the web UI. #4383
+ * Fix crashes related to importing GCP labels. #42871
+
+-------------------------------------------------------------------
+Tue Jun 11 12:12:48 UTC 2024 - Johannes Kastl
+
+- update to 15.4.2 (15.4.1 was never released):
+ * Fixed a Desktop Access resize bug which occurs when window was
+ resized during MFA. #42705
+ * Fixed listing available db users in Teleport Connect for
+ databases from leaf clusters obtained through access requests.
+ #42679
+ * Fixed file upload/download for Teleport-created users in
+ insecure-drop mode. #42660
+ * Updated OpenSSL to 3.0.14. #42642
+ * Fixed fetching resources with tons of metadata (such as labels
+ or description) in Teleport Connect. #42627
+ * Added support for Microsoft Entra ID directory synchronization
+ (Teleport Enterprise only, preview). #42555
+ * Added experimental support for storing audit events in
+ cockroach. #42549
+ * Teleport Connect binaries for Windows are now signed. #42472
+ * Updated Go to 1.21.11. #42404
+ * Added GCP Cloud SQL for PostgreSQL backend support. #42399
+ * Added Prometheus metrics for the Postgres event backend. #42384
+ * Fixed the event-handler Helm chart causing stuck rollouts when
+ using a PVC. #42363
+ * Fixed web UI notification dropdown menu height from growing too
+ long from many notifications. #42336
+ * Disabled session recordings for non-interactive sessions when
+ enhanced recording is disabled. There is no loss of auditing or
+ impact on data fidelity because these recordings only contained
+ session.start, session.end, and session.leave events which were
+ already captured in the audit log. This will cause all teleport
+ components to consume less resources and reduce storage costs.
+ #42320
+ * Fixed an issue where removing an app could make teleport app
+ agents incorrectly report as unhealthy for a short time. #42270
+ * Fixed a panic in the DynamoDB audit log backend when the cursor
+ fell outside of the [From,To] interval. #42267
+ * The teleport configure command now supports a --node-name flag
+ for overriding the node's hostname. #42250
+ * Added support plugin resource in tctl tool. #42224
+
+-------------------------------------------------------------------
+Sat Jun 1 09:58:28 UTC 2024 - Johannes Kastl
+
+- update to 15.4.0:
+ * Access requests notification routing rules
+ Hosted Slack plugin users can now configure notification
+ routing rules for role-based access requests.
+ * Database access for Spanner
+ Database access users can now connect to GCP Spanner.
+ * Unix Workload Attestation
+ Teleport Workload ID now supports basic workload attestation on
+ Unix systems, allowing cluster administrators to restrict the
+ issuance of SVIDs to specific workloads based on UID/PID/GID.
+ * Other improvements and fixes
+ - Fixed an issue where mix-and-match of join tokens could
+ interfere with some services appearing correctly in
+ heartbeats. #42189
+ - Added an alternate EC2 auto discover flow using AWS Systems
+ Manager as a more scalable method than EICE in the "Enroll
+ New Resource" view in the web UI. #42205
+ - Fixed kubectl exec functionality when Teleport is running
+ behind L7 load balancer. #42192
+ - Fixed the plugins AMR cache to be updated when Access
+ requests are removed from the subject of an existing rule.
+ #42186
+ - Improved temporary disk space usage for session recording
+ processing. #42174
+ - Fixed a regression where Kubernetes Exec audit events were
+ not properly populated and lacked error details. #42145
+ - Fixed Azure join method when using Resource Groups in the
+ allow section. #42141
+ - Added new teleport debug set-log-level / profile commands
+ changing instance log level without a restart and collecting
+ pprof profiles. #42122
+ - Added ability to manage access monitoring rules via tctl.
+ #42092
+ - Added access monitoring rule routing for slack access plugin.
+ #42087
+ - Extended Discovery Service to self-bootstrap necessary
+ permissions for Kubernetes Service to interact with the
+ Kubernetes API on behalf of users. #42075
+ - Fixed resource leak in session recording cleanup. #42066
+ - Reduced memory and CPU usage after control plane restarts in
+ clusters with a high number of roles. #42062
+ - Added an option to send a Ctrl+Alt+Del sequence to remote
+ desktops. #41720
+ - Added support for GCP Spanner to Teleport Database Service.
+ #41349
+
+-------------------------------------------------------------------
+Thu May 23 19:36:32 UTC 2024 - Johannes Kastl
+
+- update to 15.3.6 (no releases between .1 and .6):
+ This release contains fixes for several high-severity security
+ issues, as well as numerous other bug fixes and improvements.
+ Security Fixes
+ * [High] Unrestricted redirect in SSO Authentication
+ Teleport didn’t sufficiently validate the client redirect URL.
+ This could allow an attacker to trick Teleport users into
+ performing an SSO authentication and redirect to an
+ attacker-controlled URL allowing them to steal the credentials.
+ #41834.
+ Warning: Teleport will now disallow non-localhost callback URLs
+ for SSO logins unless otherwise configured. Users of the tsh
+ login --callback feature should modify their auth connector
+ configuration as follows:
+ The allowed_https_hostnames field is an array containing
+ allowed hostnames, supporting glob matching and, if the string
+ begins and ends with ^ and $ respectively, full regular
+ expression syntax. Custom callback URLs are required to be
+ HTTPS on the standard port (443).
+ * [High] CockroachDB authorization bypass
+ When connecting to CockroachDB using Database Access, Teleport
+ did not properly consider the username case when running RBAC
+ checks. As such, it was possible to establish a connection
+ using an explicitly denied username when using a different
+ case. #41823.
+ * [High] Long-lived connection persistence issue with expired
+ certificates
+ Teleport did not terminate some long-running mTLS-authenticated
+ connections past the expiry of client certificates for users
+ with the disconnect_expired_cert option. This could allow such
+ users to perform some API actions after their certificate has
+ expired. #41827.
+ * [High] PagerDuty integration privilege escalation
+ When creating a role access request, Teleport would include
+ PagerDuty annotations from the entire user’s role set rather
+ than a specific role being requested. For users who run
+ multiple PagerDuty access plugins with auto-approval, this
+ could result in a request for a different role being
+ inadvertently auto-approved than the one which corresponds to
+ the user’s active on-call schedule. #41837.
+ * [High] SAML IdP session privilege escalation
+ When using Teleport as SAML IdP, authorization wasn’t properly
+ enforced on the SAML IdP session creation. As such,
+ authenticated users could use an internal API to escalate their
+ own privileges by crafting a malicious program. #41846.
+ We strongly recommend all customers upgrade to the latest
+ releases of Teleport.
+ Other fixes and improvements
+ * Fixed access request annotations when annotations contain
+ globs, regular
+ * expressions, trait expansions, or claims_to_roles is used.
+ #41936.
+ * Added AWS Management Console as a guided flow using AWS OIDC
+ integration in
+ * the "Enroll New Resource" view in the web UI. #41864.
+ * Fixed spurious Windows Desktop sessions screen resize during an
+ MFA ceremony. #41856.
+ * Fixed session upload completion with large number of
+ simultaneous session
+ * uploads. #41854.
+ * Fixed MySQL databases version reporting on new connections.
+ #41819.
+ * Added read-only permissions for cluster maintenance config.
+ #41790.
+ * Stripped debug symbols from Windows builds, resulting in
+ smaller tsh and
+ * tctl binaries. #41787
+ * Fixed passkey deletion so that a user may now delete their last
+ passkey if
+ * the have a password and another MFA configured. #41771.
+ * Changed the default permissions for the Workload Identity Unix
+ socket to 0777
+ * rather than the default as applied by the umask.
This will
+ allow the socket to
+ * be accessed by workloads running as users other than the user
+ that owns the
+ * tbot process. #41754
+ * Added ability for teleport-event-handler to skip certain events
+ type when
+ * forwarding to an upstream server. #41747.
+ * Added automatic GCP label importing. #41733.
+ * Fixed missing variable and script options in Default Agentless
+ Installer
+ * script. #41723.
+ * Removed invalid AWS Roles from Web UI picker. #41707.
+ * Added remote address to audit log events emitted when a Bot or
+ Instance join
+ * completes, successfully or otherwise. #41700.
+ * Simplified how Bots are shown on the Users list page. #41697.
+ * Added improved-performance implementation of ProxyCommand for
+ Machine ID and
+ * SSH. This will become the default in v16. You can adopt this
+ new mode early by
+ * setting TBOT_SSH_CONFIG_PROXY_COMMAND_MODE=new. #41694.
+ * Improved EC2 Auto Discovery by adding the SSM script output and
+ more explicit
+ * error messages. #41664.
+ * Added webauthn diagnostics commands to tctl. #41643.
+ * Upgraded application heartbeat service to support 1000+ dynamic
+ applications. #41626
+ * Fixed issue where Kubernetes watch requests are written out of
+ order. #41624.
+ * Fixed a race condition triggered by a reload during Teleport
+ startup. #41592.
+ * Updated discover wizard Install Script to support Ubuntu 24.04.
+ #41589.
+ * Fixed systemd unit to always restart Teleport on failure unless
+ explicitly stopped. #41581.
+ * Updated Teleport package installers to reload Teleport service
+ config after
+ * upgrades. #41547.
+ * Fixed file truncation bug in Desktop Directory Sharing. #41540.
+ * Fixed WebUI SSH connection leak when browser tab closed during
+ SSH connection
+ * establishment. #41518.
+ * Fixed AccessList reconciler comparison causing audit events
+ noise. #41517.
+ * Added tooling to create SCIM integrations in tctl. #41514.
+ * Fixed Windows Desktop error preventing rendering of the remote
+ session. #41498.
+ * Fixed issue in the PagerDuty, Opsgenie and ServiceNow access
+ plugins that
+ * causing duplicate calls on access requests containing duplicate
+ service names.
+ * Also increases the timeout so slow external API requests are
+ less likely to
+ * fail. #41488.
+ * Added basic Unix workload attestation to the tbot SPIFFE
+ workload API. You
+ * can now restrict the issuance of certain SVIDs to processes
+ running with a
+ * certain UID, GID or PID. #41450.
+ * Added "login failed" audit events for invalid passwords on
+ password+webauthn
+ * local authentication. #41432.
+ * Fixed Terraform provider issue causing the Provision Token
+ options to default
+ * to false instead of empty. #41429.
+ * Added support to automatically download CA for MongoDB Atlas
+ databases. #41338.
+ * Fixed broken "finish" web page for SSO Users on auto discover.
+ #41335.
+ * Allow setting Kubernetes Cluster name when using non-default
+ addresses. #41331.
+ * Added fallback on GetAccessList cache miss call. #41326.
+ * Fixed DiscoveryService panic when auto-enrolling EKS clusters.
+ #41320.
+ * Added validation for application URL extracted from the web
+ application launcher request route. #41304.
+ * Allow defining custom database names and users when selecting
+ wildcard during test connection when enrolling a database
+ through the web UI. #41301.
+ * Fixed broken link for alternative EC2 installation during EC2
+ discover flow. #41292
+ * Updated Go to v1.21.10. #41281.
+ * Updated user management to explicitly deny password resets and
+ local logins to
+ * SSO users. #41270.
+ * Fixed fetching suggested access lists with large IDs in
+ Telepor...
+
+-------------------------------------------------------------------
+Wed May 8 10:32:02 UTC 2024 - Johannes Kastl
+
+- update to 15.3.1:
+ * Fixed screen_size behavior for Windows Desktops, which was
+ being overridden by the new resize feature.
#41241
+ * Ensure that the active sessions page shows up in the web UI for
+ users with permissions to join sessions. #41221
+ * Added indicators on the account settings page that tell which
+ authentication methods are active. #41169
+ * Fix a bug that was preventing tsh proxy kube certificate
+ renewal from working when accessing a leaf kubernetes cluster
+ via the root. #41158
+ * Fixed AccessDeniedException for dynamodb:ConditionCheckItem
+ operations when using AWS DynamoDB for cluster state storage.
+ #41133
+ * Added lock target to lock deletion audit events. #41112
+ * Fixed a permissions issue that prevented the teleport-cluster
+ helm chart operator from registering agentless ssh servers.
+ #41108
+ * Improve the reliability of the upload completer. #41103
+ * Allows the listener for the tbot database-tunnel service to be
+ set to a unix socket. #41008
+
+-------------------------------------------------------------------
+Thu May 2 17:45:44 UTC 2024 - Johannes Kastl
+
+- update to 15.3.0:
+ * Improved Roles UI
+ The Roles page of the web UI is now backed by a paginated API,
+ ensuring fast load times even on clusters with large numbers of
+ roles.
+ * Resizing for Windows desktop sessions
+ Windows desktop sessions now automatically resize as the size
+ of the browser window changes.
+ * Hardware key support for agentless nodes
+ Teleport now supports connecting to agentless OpenSSH nodes
+ even when Teleport is configured to require hardware key MFA
+ checks.
+ * TPM joining
+ The new TPM join method enables secure joining for agents and
+ Machine ID bots that run on-premise. Based on the secure
+ properties of the host's hardware trusted platform module, this
+ join method removes the need to create and distribute secret
+ tokens, significantly reducing the risk of exfiltration.
+ * Other improvements and fixes
+ - Fixed user SSO bypass by performing a local passwordless
+ login. #41067
+ - Enforce allow_passwordless server-side.
#41057
+ - Fixed a memory leak caused by incorrectly passing the offset
+ when paginating all Access Lists' members when there are more
+ than the default pagesize (200) Access Lists. #41045
+ - Added resize capability to windows desktop sessions. #41025
+ - Fixed a regression causing roles filtering to not work.
+ #40999
+ - Allow AWS integration to be used for global services without
+ specifying a valid region. #40991
+ - Made account id visible when selecting IAM Role for accessing
+ the AWS Console. #40987
+
+-------------------------------------------------------------------
+Sat Apr 27 09:30:21 UTC 2024 - Johannes Kastl
+
+- update to 15.2.5:
+ * Extend proxy templates to allow the target host to be resolved
+ via a predicate expression or fuzzy matching. #40966
+ * Fix an issue where access requests would linger in UI and tctl
+ after expiry. #40964
+ * The teleport-cluster Helm chart can configure AccessMonitoring
+ when running in aws mode. #40957
+ * Make podSecurityContext configurable in the teleport-cluster
+ Helm chart. #40951
+ * Allow to mount extra volumes in the updater pod deployed by the
+ teleport-kube-agentchart. #40946
+ * Improve error message when performing an SSO login with a
+ hardware key. #40923
+ * Fix a bug in the teleport-cluster Helm chart that happened when
+ sessionRecording was off. #40919
+ * Fix audit event failures when using DynamoDB event storage.
+ #40913
+ * Allow setting additional Kubernetes labels on resources created
+ by the teleport-cluster Helm chart. #40909
+ * Fix Windows cursor getting stuck. #40890
+ * Issue cert.create events during device authentication. #40872
+ * Add the ability to control ssh_config generation in Machine
+ ID's Identity Outputs. This allows the generation of the
+ ssh_config to be disabled if unnecessary, improving performance
+ and removing the dependency on the Proxy being online. #40861
+ * Prevent deleting AWS OIDC integration used by External Audit
+ Storage.
#40851
+ * Introduce the tpm join method, which allows for secure joining
+ in on-prem environments without the need for a shared secret.
+ #40823
+ * Reduce parallelism when polling AWS resources to prevent API
+ throttling when exporting them to Teleport Access Graph. #40811
+ * Fix spurious deletion of Access List Membership metadata during
+ SCIM push or sync. #40544
+ * Properly enforce session moderation requirements when starting
+ Kubernetes ephemeral containers. #40906
+
+-------------------------------------------------------------------
+Thu Apr 25 05:34:37 UTC 2024 - Johannes Kastl
+
+- update to 15.2.4 (skipping non-existing release 15.2.3):
+ * Fixed a deprecation warning being shown when tbot is used with
+ OpenSSH. #40837
+ * Added a new Audit log event that is emitted when an Agent or
+ Bot request to join the cluster is denied. #40814
+ * Fixed regenerating cloud account recovery codes. #40786
+ * Changed UI for the sign-up and authentication reset flows.
+ #40773
+ * Added a new Prometheus metric to track requests initiated by
+ Teleport against the control plane API. #40754
+ * Fixed an issue that prevented uploading a zip file larger than
+ 10MiB when updating an AWS Lambda function via tsh app access.
+ #40737
+ * Patched CVE-2024-32650. #40735
+ * Fixed possible data race that could lead to concurrent map read
+ and map write while proxying Kubernetes requests. #40720
+ * Fixed access request promotion of windows_desktop resources.
+ #40712
+ * Fixed spurious ambiguous host errors in ssh routing. #40706
+ * Patched CVE-2023-45288 and CVE-2024-32473. #40695
+ * generic "not found" errors are returned whether a remote
+ cluster can't be found or access is denied. #40681
+ * Fixed a resource leak in the Teleport proxy server when using
+ proxy peering. #40672
+ * Added Azure CLI access support on AKS with Entra Workload ID.
+ #40660
+ * Allow other issue types when configuring JIRA plugin.
#40644
+ * Added regexp.match to access request filter and where
+ expressions. #40642
+ * Notify the requester in slack review request messages. #40624
+ * Handle passwordless in MFA audit events. #40617
+ * Added auto discover capability to EC2 enrollment in the web UI.
+ #40605
+ * Fixes RDP licensing. #40595
+ * Added support for the ascii variants of smartcard calls. #40566
+ * Added the ability to configure labels that should be set on the
+ Kubernetes secret when using the kubernetes_secret destination
+ in tbot. #40550
+ * Updated cosign to address CVE-2024-29902 and CVE-2024-29903.
+ #40497
+ * The Web UI now supports large number of roles by paginating
+ them. #40463
+ * Improved the responsiveness of the session player during long
+ periods of idle time. #40442
+ * Fixed incorrect format for database_object_import_rule
+ resources with non-empty expiry. #40203
+ * Updated Opsgenie annotations so approve-schedules is used for
+ both alert creation and auto approval if notify schedules is
+ not set. #40121
+
+-------------------------------------------------------------------
+Sat Apr 13 09:36:55 UTC 2024 - Johannes Kastl
+
+- update to 15.2.2:
+ * Updated the cluster selector in the UI to now only be visible
+ when more than one cluster is available. #40478
+ * Fixed accidental passkey "downgrades" to MFA. #40409
+ * Added tsh proxy kube --exec mode that spawns kube proxy in the
+ background, which re-executes the user shell with the
+ appropriate kubeconfig. #40395
+ * Made Amazon S3 fields optional when creating or editing AWS
+ OIDC integration on the web UI. #40368
+ * Fixed a bug that prevented the available logins from being
+ displayed for Windows desktops in leaf clusters that were being
+ accessed via the root cluster web ui. #40367
+ * Changed Teleport Connect to hide cluster name in the connection
+ list if there is only a single cluster available. #40356
+ * Fixed invalid session TTL error when creating access request
+ with tsh.
#40335
+ * Added missing discovery AWS matchers fields "Integration" and
+ "KubeAppDiscovery" to the file configuration. #40320
+ * Added automatic role access requests. #40285
+ * Redesigned the login UI. #40272
+ * Added friendly role names for Okta sourced roles. These will be
+ displayed in access list and access request pages in the UI.
+ #40260
+ * Added Teleport Machine ID Workload Identity support for legacy
+ systems which are not able to parse DNS SANs, and which are not
+ SPIFFE aware. #40180
+
+-------------------------------------------------------------------
+Sat Apr 6 20:08:36 UTC 2024 - Johannes Kastl
+
+- update to 15.2.1:
+ * Teleport Connect now shows all recent connections instead of
+ capping them at 10. #40250
+ * Limit max read size for the tsh device trust DMI cache file on
+ Linux. #40234
+ * Fix an issue that prevents the teleport service from restarting.
+ #40229
+ * Add new resource filtering predicates to allow exact matches on
+ a single item of a delimited list stored in a label value. For
+ example, if given the following label containing a string
+ separated list of values foo=bar,baz,bang, it is now possible to
+ match on any resources with a label foo that contains the
+ element bar via contains(split(labels[foo], ","), bar). #40183
+ * Updated Go to 1.21.9. #40176
+ * Adds disable_exec_plugin option to the Machine ID Kubernetes
+ Output to remove the dependency on tbot existing in the target
+ environment. #40162
+ * Adds the database-tunnel service to tbot which allows an
+ authenticated database tunnel to be opened by tbot. This is an
+ improvement over the original technique of using tbot proxy db.
+ #40151
+ * Allow diagnostic endpoints to be accessed behind a PROXY
+ protocol enabled loadbalancer/proxy. #40138
+ * Include system annotations in audit event entries for access
+ requests. #40123
+ * Fixed GitHub Auth Connector update event to show in Audit Log
+ with name and description.
#40116
+ * Re-enabled the show_desktop_wallpaper flag. #40088
+ * Reduce default Jamf inventory page size, allow custom values to
+ be provided. #3817
+
+-------------------------------------------------------------------
+Sat Mar 30 17:16:29 UTC 2024 - Johannes Kastl
+
+- update to 15.2.0:
+ * Improved Access Requests UI
+ The access requests page of the web UI will be backed by a
+ paginated API, ensuring fast load times even on clusters with
+ many access requests.
+ Additionally, the UI allows you to search for access requests,
+ sort them based on various attributes, and includes several new
+ filtering options.
+ * Zero-downtime web asset rollout
+ Teleport 15.2 changes the way that web assets are served and
+ cached, which will allow multiple compatible versions of the
+ Teleport Proxy to run behind the same load balancer.
+ * Workload Identity MVP
+ With Teleport 15.2, Machine ID can bootstrap and issue identity
+ to services across multiple computing environments and
+ organizational boundaries. Workload Identity issues
+ SPIFFE-compatible x509 certificates that can be used for mTLS
+ between services.
+ * Support for Kubernetes 1.29+
+ The Kubernetes project is deprecating the SPDY protocol for
+ streaming commands (kubectl exec, kubectl port-forward, etc)
+ and replacing it with a new websocket-based subprotocol.
+ Teleport 15.2.0 will support the new protocol to ensure
+ compatibility with newer Kubernetes clusters.
+ * Automatic database access requests
+ Both tsh db connect and tsh proxy db will offer the option to
+ submit an access request if the user attempts to connect to a
+ database that they don't already have access to.
+ * GCP console access via Workforce Identity Federation
+ Teleport administrators will be able to setup access to GCP web
+ console through Workforce Identity Federation using Teleport as
+ a SAML identity provider.
+ * IaC support for OpenSSH nodes
+ Users will be able to register OpenSSH nodes in the cluster
+ using Terraform and Kubernetes Operator.
+ * Access requests start time
+ Users submitting access requests via web UI will be able to
+ request specific access start time up to a week in advance.
+ * Terraform and Operator support for agentless SSH nodes
+ The Teleport Terraform provider and Kubernetes operator now
+ support declaring agentless OpenSSH and OpenSSH EC2 ICE
+ servers. You can follow this guide to register OpenSSH agents
+ with infrastructure as code.
+ Setting up EC2 ICE automatic discovery with IaC will come in a
+ future update.
+ * Operator and CRDs can be deployed separately
+ The teleport-operator and teleport-cluster charts now support
+ deploying only the CRD, the CRD and the operator, or only the
+ operator.
+ From the teleport-cluster Helm chart:
+ operator:
+ enabled: true|false
+ installCRDs: always|never|dynamic
+ From the teleport-operator Helm chart:
+ enabled: true|false
+ installCRDs: always|never|dynamic
+ In dynamic mode (by default), the chart will install CRDs if
+ the operator is enabled, but will not remove the CRDs if you
+ temporarily disable the operator.
+ * Operator now propagates labels
+ Kubernetes CR labels are now copied to the Teleport resource
+ when applicable.
+ This allows you to configure RBAC for operator-created
+ resources, and to filter Teleport resources more easily.
+ * Terraform provider no longer forces resource re-creation on
+ version change
+ Teleport v15 introduced two Terraform provider changes:
+ - setting the resource version is now mandatory
+ - a resource version change triggers the resource re-creation
+ to ensure defaults were correctly set
+ The second change was too disruptive, especially for roles, as
+ they cannot be deleted if a user or an access list references
+ them. Teleport 15.2 lifts this restriction and allows version
+ change without forcing the resource deletion.
+ Another change to ensure resource defaults are correctly set
+ during version upgrades will happen in v16.
+ * Other improvements and fixes
+ - Fixed "Invalid URI" error in Teleport Connect when starting
+ mongosh from database connection tab. #40033
+ - Adds support for easily exporting the SPIFFE CA using tls
+ auth export --type tls-spiffe and the /webapi/auth/export
+ endpoint. #40007
+ - Update Rust to 1.77.0, enable RDP font smoothing. #39995
+ - The role, server and token Teleport operator CRs now display
+ additional information when listed with kubectl get. #39993
+ - Improve performance of filtering resources via predicate
+ expressions. #39972
+ - Fixes a bug that prevented CA import when a SPIFFE CA was
+ present. #39958
+ - Fix a verbosity issue that caused the
+ teleport-kube-agent-updater to output debug logs by default.
+ #39953
+ - Reduce default Jamf inventory page size, allow custom values
+ to be provided. #39933
+ - AWS IAM Roles are now filterable in the web UI when launching
+ a console app. #39911
+ - The teleport-cluster Helm chart now supports using the Amazon
+ Athena event backend. #39907
+ - Correctly show the users allowed logins when accessing leaf
+ resources via the root cluster web UI. #39887
+ - Improve performance of resource filtering via labels and
+ fuzzy search. #39791
+ - Enforce optimistic locking for AuthPreferences,
+ ClusterNetworkingConfig, SessionRecordingConfig. #39785
+ - Fix potential issue with some resources expiry being set to
+ 01/01/1970 instead of never. #39773
+ - Update default access request TTLs to 1 week. #39509
+ - Fixed an issue where creating or updating an access list with
+ Admin MFA would fail in the WebUI. #3827
+
+-------------------------------------------------------------------
+Fri Mar 29 19:31:04 UTC 2024 - Johannes Kastl
+
+- update to 15.1.10:
+ * Fixed possible phishing links which could result in code
+ execution with install and join scripts.
#39837
+ * Fixed MFA checks not being prompted when joining a session.
+ #39814
+ * Added support for Kubernetes websocket streaming subprotocol v5
+ connections. #39770
+ * Fixed a regression causing MFA prompts to not show up in
+ Teleport Connect. #39739
+ * Fixed broken SSO login landing page on certain versions of
+ Google Chrome. #39723
+ * Teleport Connect now shows specific error messages instead of
+ generic "access denied". #39720
+ * Added audit events for database auto user provisioning. #39665
+ * Updated Electron to v29 in Teleport Connect. #39657
+ * Added automatic access request support for tsh db login, tsh db
+ connect and tsh proxy db. #39617
+ * Fixed a bug in Teleport Cloud causing the hosted ServiceNow
+ plugin to crash when setting up the integration. #39603
+ * Fixed a bug of the discovery script failing when jq was not
+ installed. #39599
+ * Ensured that audit events are emitted whenever the
+ authentication preferences, cluster networking config, or
+ session recording config are modified. #39522
+ * Database object labels will now support templates. #39496
+
+-------------------------------------------------------------------
+Tue Mar 19 20:27:13 UTC 2024 - Johannes Kastl
+
+- update to 15.1.9:
+ * Improved performance when listing nodes with tsh or tctl.
+ #39567
+ * Require AWS S3 bucket fields when creating/editing AWS OIDC
+ integration in the web UII. #39510
+ * Added remote port forwarding to tsh. #39441
+ * Added support for setting default relay state for SAML IdP
+ initiated logins via the web interface and tctl. For supported
+ preset service provider types, a default value will be applied
+ if the field is not configured.
#39401
+
+-------------------------------------------------------------------
+Mon Mar 18 15:38:52 UTC 2024 - Johannes Kastl
+
+- update to 15.1.8:
+ * Fixed an issue with AWS IAM permissions that may prevent AWS
+ database access when discovery_service is enabled in the same
+ Teleport config as the db_service, namely AWS RDS, Redshift,
+ Elasticache, and MemoryDB. #39488
+
+-------------------------------------------------------------------
+Mon Mar 18 15:17:25 UTC 2024 - Johannes Kastl
+
+- update to 15.1.7:
+ * Fixed issue with Teleport auth server panicking when Access
+ Graph is enabled in discovery service. [#39456]
+ * Added remote port forwarding for Teleport nodes. #39440
+ * Added remote port forwarding for OpenSSH nodes. #39438
+
+-------------------------------------------------------------------
+Sun Mar 17 13:44:52 UTC 2024 - Johannes Kastl
+
+- update to 15.1.6:
+ * Added remote port forwarding for Teleport nodes. #39440
+ * Added remote port forwarding for OpenSSH nodes. #39438
+
+-------------------------------------------------------------------
+Sun Mar 17 13:32:06 UTC 2024 - Johannes Kastl
+
+- update to 15.1.5:
+ * Improve error messaging when creating resources fails because
+ they already exist or updating resources fails because they
+ were removed. #39395
+ * The audit entry for access_request.search will now truncate the
+ list of roles in the audit UI if it exceeds 80 characters.
+ #39372
+ * Re-enable AWS IMDSv1 fallback due to some EKS clusters having
+ their IMDSv2 hop limit set to 1, leading to IMDSv2 requests
+ failing. Users who wish to keep IMDSv1 fallback disabled can
+ set the AWS_EC2_METADATA_V1_DISABLED environmental variable.
+ #39366
+ * Only allow necessary operations during moderated file transfers
+ and limit in-flight file transfer requests to one per session.
+ #39351
+ * Make the Jira access plugin log Jira errors properly. #39346
+ * Fixed allowing invalid access request start time date to be
+ set.
#39322
+ * Teleport Enterprise now attempts to load the license file from
+ the configured data directory if not otherwise specified.
+ #39314
+ * Improve the security for MFA for Admin Actions when used
+ alongside Hardware Key support. #39306
+ * The saml_idp_service_provider spec adds a new preset field that
+ can be used to specify predefined SAML service provider
+ profile. #39277
+ * Fixed a bug that caused some MFA for Admin Action flows to fail
+ instead of retrying: ex: tctl bots add --token=. #39269
+
+-------------------------------------------------------------------
+Sun Mar 17 13:20:04 UTC 2024 - Johannes Kastl
+
+- update to 15.1.4:
+ * Raised concurrent connection limits between Teleport Cloud
+ regions and in clusters that use proxy peering. #39233
+ * Improved clean up of system resources during a fast shutdown of
+ Teleport. #39211
+ * Resolved sporadic errors caused by requests fail to comply with
+ Kubernetes API spec by not specifying resource identifiers.
+ #39168
+ * Added a new password change wizard. #39124
+ * Fixed the NumLock and Pause keys for Desktop Access sessions
+ not working. #39095
+
+-------------------------------------------------------------------
+Sun Mar 17 12:52:27 UTC 2024 - Johannes Kastl
+
+- update to 15.1.3:
+ * Fix a bug when using automatic updates and the discovery
+ service. The default install script now installs the correct
+ teleport version by querying the version server. #39099
+ * Fix a regression where tsh kube credentials fails to re-login
+ when credentials expire. #39075
+ * TBot now supports --proxy-server for explicitly configuring the
+ Proxy address. We recommend switching to this if you currently
+ specify the address of your Teleport proxy to --auth-server.
+ #39055
+ * Expand the EC2 joining process to include newly created AWS
+ regions. #39051
+ * Added GCP MySQL access IAM Authentication support. #39040
+ * Fixed compatibility of the Teleport service file with older
+ versions of systemd.
#39032
+ * Update WebUI database connection instructions. #39027
+ * Teleport Proxy Service now runs a version server by default
+ serving its own version. #39017
+ * Significantly reduced latency of network calls in Teleport
+ Connect. #39012
+ * SPIFFE SVID generation introduced to tbot (experimental).
+ #39011
+ * Adds tsh workload issue command for issuing SVIDs using tsh.
+ #39115
+ * Fixed an issue in SAML IdP entity descriptor generator process,
+ which would fail to generate entity descriptor if the
+ configured Entity ID endpoint would return HTTP status code
+ above 200 and below 400 . #38987
+ * Updated Go to 1.21.8. #38983
+ * Updated electron-builder dependency to address possible
+ arbitrary code execution in the Windows installer of Teleport
+ Connect (CVE-2024-27303). #38964
+ * Fixed an issue where it was possible to skip providing old
+ password when setting a new one. #38962
+ * Added database permission management support for Postgres.
+ #38945
+ * Improved reliability and performance of tbot. #38928
+ * Filter terminated sessions from the tsh sessions ls output.
+ #38887
+ * Make it easier to identify Teleport browser tabs by placing the
+ session information before the cluster name. #38737
+ * The teleport-ent-upgrader package now gracefully restarts the
+ Teleport binary if possible, to avoid cutting off ongoing
+ connections. #3578
+ * Trusted device authentication failures may now include a brief
+ explanation message in the corresponding audit event. #3572
+ * Okta access lists sync will now sync groups without members.
+ #3636
+
+-------------------------------------------------------------------
+Sun Mar 17 12:38:22 UTC 2024 - Johannes Kastl
+
+- update to 15.1.2:
+ * Fix a bug when using automatic updates and the discovery
+ service. The default install script now installs the correct
+ teleport version by querying the version server. #39099
+ * Fix a regression where tsh kube credentials fails to re-login
+ when credentials expire.
#39075
+ * TBot now supports --proxy-server for explicitly configuring the
+ Proxy address. We recommend switching to this if you currently
+ specify the address of your Teleport proxy to --auth-server.
+ #39055
+ * Expand the EC2 joining process to include newly created AWS
+ regions. #39051
+ * Added GCP MySQL access IAM Authentication support. #39040
+ * Fixed compatibility of the Teleport service file with older
+ versions of systemd. #39032
+ * Update WebUI database connection instructions. #39027
+ * Teleport Proxy Service now runs a version server by default
+ serving its own version. #39017
+ * Significantly reduced latency of network calls in Teleport
+ Connect. #39012
+ * SPIFFE SVID generation introduced to tbot (experimental).
+ #39011
+ * Adds tsh workload issue command for issuing SVIDs using tsh.
+ #39115
+ * Fixed an issue in SAML IdP entity descriptor generator process,
+ which would fail to generate entity descriptor if the
+ configured Entity ID endpoint would return HTTP status code
+ above 200 and below 400 . #38987
+ * Updated Go to 1.21.8. #38983
+ * Updated electron-builder dependency to address possible
+ arbitrary code execution in the Windows installer of Teleport
+ Connect (CVE-2024-27303). #38964
+ * Fixed an issue where it was possible to skip providing old
+ password when setting a new one. #38962
+ * Added database permission management support for Postgres.
+ #38945
+ * Improved reliability and performance of tbot. #38928
+ * Filter terminated sessions from the tsh sessions ls output.
+ #38887
+ * Make it easier to identify Teleport browser tabs by placing the
+ session information before the cluster name. #38737
+ * The teleport-ent-upgrader package now gracefully restarts the
+ Teleport binary if possible, to avoid cutting off ongoing
+ connections. #3578
+ * Trusted device authentication failures may now include a brief
+ explanation message in the corresponding audit event.
#3572
+ * Okta access lists sync will now sync groups without members.
+ #3636
+
+-------------------------------------------------------------------
+Sun Mar 17 11:29:44 UTC 2024 - Johannes Kastl
+
+- update to 15.1.1:
+ * Fixed panic when an older tsh or proxy changes an access list.
+ #38861
+ * SSH connection resumption now works during graceful upgrades of
+ the Teleport agent. #38842
+ * Fixed an issue with over counting of reported Teleport updater
+ metrics. #38831
+ * Fixed tsh returning "private key policy not met" errors instead
+ of automatically initiating re-login to satisfy the private key
+ policy. #38819
+ * Made graceful shutdown and graceful restart terminate active
+ sessions after 30 hours. #38803
+
+-------------------------------------------------------------------
+Sun Mar 17 09:41:08 UTC 2024 - Johannes Kastl
+
+- update to 15.1.0:
+ * New Features
+ - Standalone tbot Docker image
+ We now ship a new container image that contains tbot but
+ omits other Teleport binaries, providing a light-weight
+ option for Machine ID users.
+ - Custom mouse pointers for remote desktop sessions
+ Teleport remote desktop sessions now automatically change the
+ mouse cursor depending on context (when hovering over a link,
+ resizing a window, or editing text, for example).
+ - Synchronization of Okta groups and apps
+ Okta integration now support automatic synchronization of
+ Okta groups and app assignments to Teleport as access lists
+ giving users ability to request access to Okta apps without
+ extra configuration.
+ - EKS auto-discovery in Access Management UI
+ Users going through EKS enrollment flow in Access Management
+ web UI now have an option to enable auto-discovery for EKS
+ clusters.
+ * Other changes
+ - Fixed application access events being overwritten when using
+ DynamoDB as event storage. #38815
+ - Fixed a regression that had reintroduced long freezes for
+ certain actions like "Run as different user".
#38805
+ - When teleport is configured to require MFA for admin actions,
+ MFA is required to get certificate authority secrets. Ex:
+ tctl auth export --keys or tctl get
+ cert_authority/host/root.example.com --with-secrets. #38777
+ - Added auto-enrolling capabilities to EKS discover flow in the
+ web UI. #38773
+ - Heavily optimized the Access List page in the UI, speeding
+ things up considerably. #38764
+ - Align DynamoDB BatchWriteItem max items limit. #38763
+ - tbot-distroless image is now published. This contains just
+ the tbot binary and therefore has a smaller image size.
+ #38718
+ - Fixed a regression with Teleport Connect not showing the
+ re-login reason and connection errors when accessing
+ databases, Kube clusters, and apps with an expired cert.
+ #38716
+ - Re-enabled the Windows key and prevents it from sticking or
+ otherwise causing problems when cmd+tab-ing or alt+tab-ing
+ away from the browser during desktop sessions. #38699
+ - Resource limits are now correctly applied to the
+ wait-auth-update initContainer in the teleport-cluster Helm
+ chart. #38692
+ - When teleport is configured to require MFA for admin actions,
+ MFA is required to create, update, or delete trusted
+ clusters. #38690
+ - Fixed error in tctl get users --with-secrets when using SSO.
+ #38663
+ - When device trust is required and MFA is optional, users will
+ need to add their first MFA device from a trusted device.
+ #38657
+ - Temporary files are no longer created during Discover UI EKS
+ cluster enrollment. #38649
+ - When teleport is configured to require MFA for admin actions,
+ MFA is required to get or list tokens with tctl. Ex: tctl
+ tokens ls or tctl get tokens/foo. #38645
+ - Implemented dynamic mouse pointer updates to reflect
+ context-specific actions, e.g. window resizing. #38614
+ - MFA approval is no longer required in the beginning of EKS
+ Discover flow.
#38580
+ - Fixed Postgres v16.x compatibility issue preventing multiple
+ connections for auto-provisioned users. #38543
+ - Fixed incorrect color of resource cards after changing the
+ theme in Web UI and Connect. #38537
+ - Updated the dialog for adding new authentication methods in
+ the account settings screen. #38535
+ - Displays review dates for access lists in dates, not
+ remaining hours in tsh. #38525
+ - Ensure that tsh continues to function if one of its profiles
+ is invalid. #38514
+ - Fixed logging output for teleport configure ... commands.
+ #38508
+ - Fixed tsh/WebAuthn.dll panic on Windows Server 2019. #38490
+ - Fixes an issue that prevented the Web UI from properly
+ displaying the hostname of servers in leaf clusters. #38469
+ - Added ssh_service.enhanced_recording.root_path configuration
+ option to change the cgroup slice path used by the agent.
+ #38394
+ - Fixed a bug that could cause expired SSH servers from
+ appearing in the Web UI until the Proxy is restarted. #38310
+ - Desktops can now be configured to use the same screen
+ resolution for all sessions. #38307
+ - The maximum duration for an access request is now 14 days,
+ the okta-requester role has been added which takes advantage
+ of this. #38224
+ - Added TLS routing native WebSocket connection upgrade
+ support. #38108
+ - Fixed a bug allowing the operator to delete resource it does
+ not own. #37750
+
+-------------------------------------------------------------------
+Sun Feb 25 17:46:00 UTC 2024 - Johannes Kastl
+
+- update to 15.0.2:
+ * Fixed a potential panic in the tsh status command. #38305
+ * Fixed SSO user locking in the setup access step of the RDS auto
+ discover flow in the web UI. #38283
+ * Optionally permit the auth server to terminate client
+ connections from unsupported versions. #38182
+ * Fixed Assist obstructing the user dropdown menu when in docked
+ mode. #38156
+ * Improved the stability of Teleport during graceful upgrades.
+ #38145
+ * Added the ability to view and manage Machine ID bots from the
+ UI. #38122
+ * Fixed a bug that prevented desktop clipboard sharing from
+ working when large amounts of text are placed on the clipboard.
+ #38120
+ * Added option to validate hardware key serial numbers with
+ hardware key support. #38068
+ * Removed access tokens from URL parameters, preventing them from
+ being leaked to intermediary systems that may log them in
+ plaintext. #38032
+ * Forced agents to terminate Auth connections if joining fails.
+ #38005
+ * Added a tsh sessions ls command to list active sessions. #37969
+ * Improved error handling when idle desktop connections are
+ terminated. #37955
+ * Updated Go to 1.21.7. #37846
+ * Discover flow now starts two instances of DatabaseServices when
+ setting up access to Amazon RDS. #37805
+
+-------------------------------------------------------------------
+Sun Feb 25 15:21:23 UTC 2024 - Johannes Kastl
+
+- update to 15.0.1:
+ * Correctly handle non-registered U2F keys. #37720
+ * Fixed memory leak in tbot caused by never closing reverse
+ tunnel address resolvers. #37718
+ * Fixed conditional user modifications (used by certain Teleport
+ subsystems such as Device Trust) on users that have previously
+ been locked out due to repeated recovery attempts. #37703
+ * Added SCIM support in Okta integration (cloud only). #3341
+ * Added okta integration SCIM support for web UI. #37697
+ * Fixed usage data submission becoming stuck sending too many
+ reports at once (Teleport Enterprise only). #37687
+ * Fixed cache init issue with access list members/reviews. #37673
+ * Fixed "failed to close stream" log messages. #37662
+ * Skip tsh AppID pre-flight check whenever possible.
#37642
+
+-------------------------------------------------------------------
+Sun Feb 25 14:20:05 UTC 2024 - Johannes Kastl
+
+- major update to 15.0.0:
+ Full changelog and breaking changes see
+ https://github.com/gravitational/teleport/releases/tag/v15.0.0
+ * Teleport 15 brings the following new major features and
+ improvements:
+ - Desktop access performance improvements
+ - Enhanced Device Trust support
+ - SSH connection resumption
+ - RDS auto-discovery in Access Management UI
+ - EKS Integration for Teleport
+ - MFA for Administrative Actions
+ - Improved SAML IdP configuration flow
+ - Improved provisioning for Okta
+ - Support for AWS KMS
+ - Teleport Connect improvements
+ - Session playback improvements
+ - Standalone Kubernetes Operator
+ - Roles v6 and v7 support for Kubernetes Operator
+ - Enhanced ARM64 builds
+
+-------------------------------------------------------------------
+Sun Feb 18 15:19:42 UTC 2024 - Johannes Kastl
+
+- update to 14.3.6 (14.3.5 does not exist):
+ * Fixed a potential panic in the tsh status command. #38304
+ * Fixed locking SSO user in the setup access step of the RDS auto
+ discover flow in the web UI. #38284
+ * Optionally permit the auth server to terminate client
+ connections from unsupported versions. #38186
+ * Removed access tokens from URL parameters, preventing them from
+ being leaked to intermediary systems that may log them in
+ plaintext. #38070
+ * Added option to validate hardware key serial numbers with
+ hardware key support. #38069
+ * Forced agents to terminate Auth connections if joining fails.
+ #38004
+ * Added a tsh sessions ls command to list active sessions. #37970
+ * Improved error handling when idle desktop connections are
+ terminated. #37956
+ * Updated Go to 1.21.7. #37848
+ * Discover flow now starts two instances of DatabaseServices when
+ setting up access to Amazon RDS. #37804
+ * Fixed incorrect resizing of CLI apps in Teleport Connect on
+ Windows.
#37799
+ * Fixed handling of non-registered U2F keys. #37722
+ * Fixed memory leak in tbot caused by never closing reverse
+ tunnel address resolvers. #37719
+ * Fixed app redirection loop on browser's incognito mode and 3rd
+ party cookie block. #37692
+
+-------------------------------------------------------------------
+Sat Feb 3 08:30:56 UTC 2024 - Johannes Kastl
+
+- update to 14.3.4:
+ * Skip tsh AppID pre-flight check whenever possible. #37643
+ * Update OpenSSL to 3.0.13. #37552
+ * tsh FIDO2 backend re-written for improved responsiveness and
+ reliability. #37538
+ * Do not add alphabetically first Kube cluster's name to a user
+ certificate on login. #37501
+ * Allow to replicate proxy pods when using an ingress in the
+ teleport-cluster Helm chart. #37480
+ * Fix an issue tsh uses wrong default username for auto-user
+ provisioning enabled databases in remote clusters #37418
+ * Prevent backend throttling caused by a large number of app
+ sessions. #37391
+ * Emit audit events when SFTP or SCP commands are blocked. #37385
+ * Fix goroutine leak on PostgreSQL access. #37342
+ * Fixed incompatibility between leaf clusters and ProxyJump.
+ #37319
+ * Fixed a potential crash when setting up the Connect My Computer
+ role in Teleport Connect. #37314
+ * Fixed CA key generation when two auth servers share a single
+ YubiHSM2. #37296
+ * Add support for cancelling CockroachDB requests. #37282
+ * Fix Terraform provider creating AccessLists with next audit
+ date set to Epoch. #37262
+ * Fix an issue selecting MySQL database is not reflected in the
+ audit logs. #37257
+ * The login screen will no longer be rendered for authenticated
+ users. #37230
+ * Fixed missing proxy address in GCP and Azure VM auto-discovery.
+ #37215
+ * Teleport namespace label prefixes are now sorted toward the end
+ of the labels list in the web UI. #37191
+ * Adds tbot proxy kube to support connecting to Kubernetes
+ clusters using Machine ID when the Proxy is behind a L7 LB.
+ #37157
+ * Fix a bug that was breaking web UI if automatic upgrades are
+ misconfigured. #37130
+ * Fix an issue AWS Redshift auto-provisioned user not deleted in
+ drop mode. #37036
+ * Fix an issue database auto-user provisioning fails to connect a
+ second session on MariaDB older than 10.7. #37028
+ * Improved styling of the login form in Connect and Web UI.
+ #37003
+ * Ensure that moderated sessions do not get stuck in the event of
+ an unexpected drop in the moderator's connection. #36917
+ * The web terminal now properly displays underscores on Linux.
+ #36890
+ * Fix tsh panic on Windows if WebAuthn.dll is missing. #36868
+ * Increased timeout when waiting for response from Jira API and
+ webhook to reconcile. #36818
+ * Ensure connect_to_node_attempts_total is always incremented
+ when dialing hosts. #36739
+ * Fixed a potential crash in Teleport Connect after downgrading
+ the app from v15+. #36730
+ * Prevent a goroutine leak caused by app sessions not cleaning up
+ resources properly. #36668
+ * Added tctl idp saml test-attribute-mapping command to test SAML
+ IdP attribute mapping. #36662
+ * Fixed an issue where valid SAML entity descriptors could be
+ rejected. #36485
+ * Updated SAML IdP UI to display entity ID, SSO URL and X.509
+ certificate. #3322
+ * Updated access request creation dialog to pre-select suggested
+ reviewers. #3325
+
+-------------------------------------------------------------------
+Mon Jan 15 19:15:12 UTC 2024 - Johannes Kastl
+
+- update to 14.3.3:
+ * Fixed routing to nodes by their public addresses. #36624
+ * Enhanced Kubernetes app discovery functionality to provide the
+ ability to disable specific Service imports and configure the
+ TLS Skip Verify option using an annotation. #36611
+ * Added client remote IP address to some administrative audit
+ events.
#36567
+
+-------------------------------------------------------------------
+Mon Jan 15 19:09:24 UTC 2024 - Johannes Kastl
+
+- update to 14.3.2:
+ * Fixed routing to nodes by their public address. #36591
+ * Verify MFA device locks during user authentication. #36589
+ * Fixed tctl get access_list and support creating Access Lists
+ without a next audit date. #36572
+
+-------------------------------------------------------------------
+Mon Jan 15 17:06:20 UTC 2024 - Johannes Kastl
+
+- update to 14.3.1:
+ * Added support to select database roles from tsh. #36528
+ * Fixed goroutine leak per ssh session. #36511
+ * Fixed user invites preventing listing tokens. #36492
+ * Updated Go to v1.21.6. #36478
+ * Fixed refresh_identity = true preventing Access Plugins
+ connecting to Teleport using TLS routing with a L7 LB. #36469
+ * Added --callback flag to tsh login. #36468
+ * Added auto-enrolling capabilities to RDS discover flow in the
+ web UI. #36434
+ * Fixed an issue where bad cache state could cause spurious
+ access denied errors during app access. #36432
+ * Resources named . and .. are no longer allowed. Please review
+ the resources in your Teleport instance and rename any
+ resources with these names before upgrading. #36404
+ * Ensured that the login time is populated for app sessions.
+ #36373
+ * Fixed incorrect report of user's IP address in Kubernetes Audit
+ Logs. #36346
+ * Access lists and associated resources are now cached, which
+ should significantly reduce the impact of access list
+ calculation. #36331
+ * Added new certificate extensions and usage reporting flags to
+ explicitly identify Machine ID bots and their cluster activity.
+ #36313
+ * Fixed potential panic after backend watcher failure. #36301
+ * Prevent deleted users from using account reset links created
+ prior to the user being deleted. #36271
+ * Make Unified Resources page in Web UI responsive. #36265
+ * Added "Database Roles" column to tsh db ls -v.
#36246
+ * Safeguard against the disruption of cluster access caused by
+ incorrect Kubernetes APIService configurations. #36227
+ * Support running a version server in the proxy for automatic
+ agent upgrades. #36220
+ * The user login state generator now uses the cache, which should
+ reduce the number of calls to the backend. #36196
+ * Added the --insecure-no-resolve-image flag to the
+ teleport-kube-agent-updater to disable image tag resolution if
+ it cannot pull the image. #36097
+ * Added future assume time to access requests. #35726
+
+-------------------------------------------------------------------
+Sun Jan 7 18:18:50 UTC 2024 - Johannes Kastl
+
+- update to 14.3.0:
+ This release of Teleport contains multiple security fixes,
+ improvements and bug fixes.
+ * Security fixes
+ - Teleport Proxy now restricts SFTP for normal users as
+ described under Advisory
+ https://github.com/gravitational/teleport/security/advisories/GHSA-c9v7-wmwj-vf6x
+ - Fixed an issue that would allow for SSRF via Teleport's
+ reverse tunnel subsystem. Documented under the advisory
+ -https://github.com/gravitational/teleport/security/advisories/GHSA-hw4x-mcx5-9q36
+ - On macOS, Teleport filters the environment to prevent code
+ execution via `DYLD_` variables. Documented under
+ https://github.com/gravitational/teleport/security/advisories/GHSA-vfxf-76hv-v4w4
+ - A fix was applied to Access Lists to prevent possible
+ privilege escalation of list owners. Documented under
+ https://github.com/gravitational/teleport/security/advisories/GHSA-76cc-p55w-63g3
+ * Other Fixes & Improvements
+ - Added the ability to promote an access request to an access
+ list in Teleport Connect
+ - Fixed an issue that would prevent websocket upgrades from
+ completing.
+ - Enhanced the audit events related to Teleport's SAML IdP
+ - Added support for STS session tags in the database
+ configuration for granular DynamoDB access.
+ - Added support for the IAM join method in ca-west-1.
+ - Improved the formatting of access list notifications in tsh.
+ - Fixed downgrade logic of KubernetesResources to Role v6
+ - Fixed potential panic during early phases of SSH service
+ lifetime
+ - Added a `tsh latency` command to monitor ssh connection
+ latency in realtime
+ - Support GitHub joining from Enterprise accounts with
+ `include_enterprise_slug` enabled.
+ - Added vpc-id as a label to auto-discovered RDS databases
+ - Improved teleport agent performance when handling a large
+ number of TCP forwarding requests.
+ - Bump golang.org/x/crypto to v0.17.0, which addresses the
+ Terrapin vulnerability (CVE-2023-48795)
+ - Include the lock expiration time in `lock.create` audit
+ events
+ - Add custom attribute mapping to the
+ `saml_idp_service_provider` spec.
+ - Fixed PIV not being available on Windows tsh binaries
+ - Restored direct dial SSH server compatibility with certain
+ SSH tools such as `ssh-keyscan` (#35647)
+ - Prevent users from deleting their last passwordless device
+ - the `teleport-kube-agent` chart now supports passing extra
+ arguments to the updater.
+ - New access lists with an unspecified NextAuditDate now pick
+ a new date instead of being rejected
+ - Changed the minimal supported macOS version of Teleport
+ Connect to 10.15 (Catalina)
+ - Add non-AD desktops to Enroll New Resource
+ - Fixed a bug in `teleport-kube-agent` chart when using both
+ `appResources` and the `discovery` role.
+ - Fixed session upload audit events sometimes containing an
+ incorrect URL for the session recording.
+ - Prevent tsh from re-authenticating if the MFA ceremony fails
+ during `tsh ssh`
+ - Prevent attempts to join a nonexistent SSH session from
+ hanging forever
+ - Improved Windows hosts registration with a new
+ `static_hosts` configuration field
+ - Fixed the sorting of name and description columns for user
+ groups when creating an access request
+
+-------------------------------------------------------------------
+Fri Dec 15 06:33:22 UTC 2023 - Johannes Kastl
+
+- update to 14.2.3:
+ * Prevent Cloud tenants from being a leaf cluster. #35687
+ * Added "Show All Labels" button in the unified resources list
+ view. #35666
+ * Added auto approval flow to servicenow plugin. #35658
+ * Added guided SAML entity descriptor creation when entity
+ descriptor XML is not yet available. #35657
+ * Added a connection test when enrolling a new Connect My
+ Computer resource in Web UI. #35649
+ * Fixed regression of Kubernetes Server Address when Teleport
+ runs in multiplex mode. #35633
+ * When using the Slack plugin, users will now be notified
+ directly of access requests and their approvals or denials.
+ #35577
+ * Fixed bug where configuration errors with an individual SSO
+ connector impacted other connectors. #35576
+ * Fixed client IP propagation from the Proxy to the Auth during
+ IdP initiated SSO. #35545
+
+-------------------------------------------------------------------
+Sat Dec 9 19:51:14 UTC 2023 - Johannes Kastl
+
+- update to 14.2.2:
+ * Prevent panic when dialing a deleted Application Server. #35525
+ * Fixed regression issue with arm32 binaries in 14.2.1 having
+ higher glibc requirements. #35539
+ * Fixed GCP VM auto-discovery not using instances' internal IP
+ address. #35521
+ * Calculate latency of Web SSH sessions and report it to users.
+ #35516
+ * Fix bot's unable to view or approve access requests issue.
+ #35512
+ * Fix querying of large audit events with Athena backend.
#35483
+ * Fix panic on potential nil value when requesting
+ /webapi/presetroles. #35463
+ * Add insecure-drop host user creation mode. #35403
+ * IAM permissions for rds:DescribeDBProxyTargets are no longer
+ required for RDS Proxy discovery. #35389
+ * Update Go to 1.21.5. #35371
+ * Desktop connections default to RDP port 3389 if not otherwise
+ specified. #35343
+ * Add cluster_auth_preferences to the shortcuts for
+ cluster_auth_preference. #35329
+ * Make the podSecurityPolicy configurable in the
+ teleport-kube-agent chart. #35320
+ * Prevent EKS fetcher not having correct IAM permissions from
+ stopping whole Discovery service start up. #35319
+ * Add database automatic user provisioning support for
+ self-hosted MongoDB. #35317
+ * Improve the resilience of tbot to misconfiguration of auth
+ connectors when generating a Kubernetes output. #35309
+ * Fix crash when writing kubeconfig with tctl auth sign --tar.
+ #34874
+
+-------------------------------------------------------------------
+Fri Dec 1 06:22:19 UTC 2023 - Johannes Kastl
+
+- update to 14.2.1:
+ * Fixed issue that could cause app and desktop session recording
+ events to be written to the audit log. #35183
+ * Fixed a possible panic when downgrading Teleport roles to older
+ versions. #35236
+ * Fixed a regression issue where tsh db connect to Redis 7 fails
+ with an error on REDIS_REPLY_STATUS. #35162
+ * Allow Teleport to complete abandoned uploads faster in HA
+ deployments. #35102
+ * Fixed error when installing a v13 node with the default
+ installer from a v14 cluster. #35058
+ * Fixed issue with the absence of membership expiry circumventing
+ membership requirements check. #35057
+ * Added read verb to suggested role spec when enrolling new
+ resources. #35053
+ * Added more new "Enroll Integration" tiles for Machine ID
+ guides. #35050
+ * Fixed default installer yum error on RHEL and Amazon Linux.
+ #35021
+ * External Audit Storage enables Cloud customers to store Audit
+ Logs and Session Recordings in their own AWS account. #35008
+ * Fixed IP propagation for nodes/bots joining the cluster and add
+ LoginIP to bot certificates. #34958
+ * Fixed an issue tsh db connect does not give reason on
+ connection errors. #34910
+ * Updated distroless images to use Debian 12. #34878
+ * Added new email-based UI for inviting new local users on
+ Teleport Cloud clusters. #34869
+ * Fix an issue "Allowed Users" in "tsh db ls" shows wrong user
+ for databases with Automatic User Provisioning enabled. #34850
+ * Fixed issue with application access requests and web UI large
+ file downloads timing out after 30 seconds. #34849
+ * Added default database support for PostgreSQL auto-user
+ provisioning. #34840
+ * Machine ID: handle kernel version check failing more
+ gracefully. #34828
+
+-------------------------------------------------------------------
+Tue Nov 21 05:58:22 UTC 2023 - Johannes Kastl
+
+- update to 14.2.0:
+ * New Features
+ - Advanced Okta Integration (Enterprise Edition only)
+ Teleport will be able to automatically create SSO connector
+ and sync users when configuring Okta integration.
+ - Connect my Computer support in Web UI
+ The Teleport web UI will provide a guided flow for joining
+ your computer to the Teleport cluster using Teleport Connect.
+ - Dynamic credential reloading for plugins
+ Teleport plugins will support dynamic credential reloading,
+ allowing them to take advantage of short-lived (and
+ frequently rotated) credentials generated by Machine ID.
+ * Fixes and Improvements
+ - Access list review reminders will now be sent via Slack
+ #34663
+ - Improve the error message when attempting to enroll a
+ hardware key that cannot support passwordless #34589
+ - Allow selecting multiple resource filters in the search bar
+ in Connect #34543
+ - Added a guided flow for joining your computer to the Teleport
+ cluster using Teleport Connect; find it in the Web UI under
+ Enroll New Resource -> Connect My Computer (available only
+ for local users, with prerequisites) #33688
+
+-------------------------------------------------------------------
+Fri Nov 17 06:05:32 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 14.1.5:
+ * Increased the maximum width of the console tabs in the web UI.
+ #34648
+ * Fixed accessing dedicated Proxy Kubernetes port when TLS
+ routing is enabled. #34645
+ * Fixed tsh --piv-slot custom PIV slot setting for Hardware Key
+ Support. #34592
+ * Disabled AWS IMDSv1 fallback and enforced use of FIPS endpoints
+ in FIPS mode. #34433
+ * Fixed incorrect permissions when opening X11 listener. #34617
+ * Prevented .tsh/environment values from overriding prior set
+ values. #34626
+ * Changed access lists to respect user locking. #34620
+ * Fixed access requests to respect explicit deny rules. #34600
+ * Added Teleport Access Graph integration. #34569
+ * Fixed cleanup of unused GCP KMS keys. #34468
+ * Added list view option to the unified resources page. #34466
+ * Fixed duplicate entries in resources view when updating
+ nodename #34236 #34453
+ * Allow configuring cluster_networking_config and
+ cluster_auth_preference via --bootstrap. #34445
+ * Fixed tsh logout with broken key directory. #34435
+ * Added binary formatted parameters as base64 encoded strings to
+ PostgreSQL Statement Bind audit log events. #34432
+ * Reduced CPU & memory usage, and logging in the operator, by
+ reusing connections to Teleport. #34425
+ * Updated the code signing certificate for Windows artifacts.
+ #34377
+ * Added IAM Authentication support for Amazon MemoryDB Access.
+ #34348
+ * Split large desktop recordings into multiple files during
+ export. #34319
+ * Allow setting server labels from tctl. #34137
+
+-------------------------------------------------------------------
+Thu Nov 16 14:24:38 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 14.1.3:
+ * Security Fixes
+ - [Medium] Arbitrary code execution with LD_PRELOAD and SFTP
+ Teleport implements SFTP using a subcommand. Prior to this
+ release it was possible to inject environment variables into
+ the execution of this subcommand, via shell init scripts or
+ via the SSH environment request.
+ This is addressed by preventing LD_PRELOAD and other
+ dangerous environment variables from being forwarded during
+ re-exec.
+ * [Medium] Outbound SSH from Proxy can lead to IP spoofing
+ If the Teleport auth or proxy services are configured to
+ accept PROXY protocol headers, a malicious actor can use this
+ to spoof their IP address.
+ This is addressed by requiring that the first bytes of any
+ SSH connection are the SSH protocol prefix, denying a
+ malicious actor the opportunity to send their own proxy
+ headers.
+ * Other Fixes & Improvements
+ - Fixed issue where tbot would select the wrong address for
+ Kubernetes Access when in ports separate mode #34283
+ - Added post-review state of Access Request in audit log
+ description #34213
+ - Updated Operator Reconciliation to skip Teleport Operator on
+ status updates #34194
+ - Updated Kube Agent Auto-Discovery to install the Teleport
+ version provided by Automatic Upgrades #34157
+ - Updated Server Auto-Discovery installer script to use bash
+ instead of sh #34144
+ - When a promotable Access Request targets a resource that
+ belongs to an Access List, owners of that list will now
+ automatically be added as reviewers.
#34131
+ - Added Database Automatic User Provisioning support for
+ Redshift #34126
+ - Added teleport_auth_type config parameter to the AWS
+ Terraform examples #34124
+ - Fixed issue where an auto-provisioned PostgreSQL user may
+ keep old roles indefinitely #34121
+ - Fixed incorrectly set file mode for Windows TPM files #34113
+ - Added dynamic credential reloading for access plugins #34079
+ - Fixed Azure Identity federated Application ID #33960
+ - Fixed issue where Kubernetes Audit Events reported incorrect
+ information in the exec audit #33950
+ - Added support for formatting hostname as host:port to tsh
+ puttyconfig #33883
+ - Added support for --set-context-name to tsh proxy kube
+ - Fixed various Access List bookkeeping issues #33834
+ - Fixed issue where tsh aws ecs execute-command would always
+ fail #33833
+ - Updated UI to automatically redirect to login page on missing
+ session cookie #33806
+ - Added Dynamic Discovery matching for Databases #33693
+ - Fixed formatting errors on empty result sets in tsh #33633
+ - Added Database Automatic User Provisioning support for
+ MariaDB #34256
+ - Fixed issue where MySQL auto-user deletion fails on usernames
+ with quotes #34304
+
+-------------------------------------------------------------------
+Thu Nov 09 06:48:36 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 14.1.2:
+ * Release 14.1.2 (#34327)
+ * docs: add team scope to automatic updates (#34343)
+ * Document workload ID for AKS for the helm guide (#34323)
+ * [v14] event fanout rework (#33841)
+ * [v14] Add first step of guided flow for Connect My Computer in
+ Discover (#34335)
+ * chore: Bump golangci-lint to v1.55.2 (#34313) (#34336)
+ * [v14] Return server's `subKind` from tshd (#34297)
+ * Fix an issue MySQL auto-user deletion fails on usernames that
+ requite quotes (#34258) (#34304)
+ * [v14] Added Database Automatic User Provisioning support for
+ MariaDB (#34256)
+ * [v14] Add Connect My Computer tile to Discover (#34287)
+ *
[v14] Filter dangerous environment variables before reexec
+ (#34274)
+ * [v14] chore: Bump Go to v1.21.4 (#34308)
+ * [v14] Fix an issue auto-provisioned PostgreSQL user may keep
+ old roles indefinitely (#34121)
+ * [v14] Fix Machine ID selection of Kubernetes Access
+ address/port (#34283)
+ * Update e (#34295)
+ * [v14] Link to version-specific docs pages from the support page
+ (#34261)
+ * [v14] Tidy up pointer/value receivers in tbot (#34269)
+ * Replace getPlatform implementation (#34193)
+ * Add missing private key policy field to
+ UserCertificateIssuedEvent.Anonymize. (#34264)
+ * [v14] docs: update Server SSH getting started to SSH video
+ (#34248)
+ * use upgradeEnrollAlertID in error logs (#34219)
+ * [v14] Database Automatic User Provisioning support for Redshift
+ (#34126)
+ * Dynamic Discovery Matchers for Databases (#33693)
+ * Remove nodeCount from Web server and UI (#34216)
+ * fix step number (#34225)
+ * [v14] Special case the subsystems handled by `teleport exec`
+ (#34142)
+ * [v14] include state of access request after review in audit log
+ description (#34213)
+ * Update e reference (#34210)
+ * Web: Ease AWS integration with Discover Flow (#33777) (#34189)
+ * Cherrypick 3b23d9d (#34206)
+ * Fix Teleport update reconciliation on `status` updates (#34063)
+ (#34194)
+ * Fix links in the Predicate Language guide (#34160)
+ * Consolidate context usage for client src/dst addresses into
+ authz package (#34168)
+ * [v14] Add Access List owners to suggested reviewers.
(#34131)
+ * docs: add join token in MySQL CloudSQL config (#34155)
+ * Discover Kube Agent: use automatic upgrades version (#34145)
+ (#34157)
+ * [v14] Installer Scripts: use bash instead of sh (#34144)
+ * [v14] [docs] troubleshooting for AWS Access SSM sessions
+ (#34118)
+ * chore: Bump golangci-lint to v1.55.1 (#34048) (#34127)
+ * fix: Use octal mode for Windows TPM files (#34113)
+ * [v14] terraform: Add/restore support for TELEPORT_AUTH_TYPE
+ (#34124)
+ * [v14] Show alert about insufficient permissions in Connect My
+ Computer setup tab (#34064)
+ * [v14] Access Plugins: Support dynamic credential reloading
+ (#34079)
+ * Clean up logging of watcher kinds (#33957)
+ * Improve error messaging when instance is newer than auth
+ (#34083)
+ * [v14] Prevent SSO Redirects to other origins (#34077)
+ * AWS OIDC IdP Configure script: remove region (#34061)
+ * Fix agentless leaf node authorization (#33993) (#34053)
+ * Fix potential SEO issues (#33948)
+ * chore: Bump OpenSSL to 3.0.12 (#34066)
+ * [v14] Connect My Computer: Implement in-app flow after deep
+ link click (#34062)
+ * [v14] Improve styling of the shared `UnifiedResources`
+ component (#34059)
+ * Fix non-interactive kube benchmark (#33560)
+ * [v14] Update permissions required in Slack access request docs
+ (#34047)
+ * Fix Azure Identity federated Application ID (#33960)
+ * [v14] DiscoveryConfig: fix `CheckAndSetDefaults` for matchers
+ (#34024)
+ * [v14] docker `v24.0.7+incompatible` update (#34043)
+ * [v14] Fix discrepancies with dynamo events retention period
+ (#34007)
+ * Fix table alignment in `tctl tokens ls` examples (#34001)
+ * Change deep links to include port number (#34027)
+ * [v14] Make unified resources data fetching mechanism more
+ flexible (#33976)
+ * Unify auth server receiver names (#33994)
+ * [v14] update-SSO-troubleshooting docs (#33897)
+ * Automatically forward some spans from tsh to Cloud (#33329)
+ (#33991)
+ * [v14] Ignore shared aws config not found error (#33933)
+ * [v14] Remove "Preview" designation (#33986)
+ * [v14] Explain template variables wherever they appear (#33977)
+ * [v14] Limit gRPC Active streams (#33985)
+ * Bump github.com/crewjam/saml from
+ 0.4.14-0.20230420111643-34930b26d33b to 0.4.14 (#33500)
+ (#33989)
+ * Ensure upload streams use the correct context (#33978)
+ * Clarify Opsgenie prerequisites (#33970)
+ * [v14] Use the correct error when inspecting Kubernetes session
+ (#33950)
+ * Fix git installation path on CentOS 7 docker image (#33132)
+ * [v14] handle empty lists for yaml and json formatted lists in
+ tctl (#33633)
+ * [v14] docs: Add Docker to the PagerDuty access request plugin
+ (#33829)
+ * [v14] Await peristed state restoration before concluding UI
+ initialization (#33914)
+ * Return predicate failed message in unified resource requests
+ (#33902)
+ * [v14] Update Oracle DB docs and messaging (#33926)
+ * Add a missing trace.Wrap to first time joining errors (#33894)
+ * Fix an issue `tsh aws ecs execute-command` fails (#33833)
+ * [v14] Add suggested reviewers as assingee to servicenow
+ incidents (#33845)
+ * [v14] Require SSH prefix in `router.DialHost` connections
+ (#33729)
+ * Fix flaky test by avoiding session recording test cleanup race
+ condition. (#33906)
+ * [v14] tsh: Add support for host:port combinations to tsh
+ puttyconfig (#33883)
+ * Enforce body size limits for http responses (#33768) (#33859)
+ * [v14] Update docs with database user auto provisioning modes
+ (#33901)
+ * Add missing redirect (#33889)
+ * [v14] Improve UX for headless kube proxy by giving user more
+ time when reissuing expired certificates (#33855)
+ * [v14] Web: Redirect to login upon missing session cookie
+ (#33806)
+ * [v14] Fix Assume Roles switch back, don't delete role if access
+ list is using it.
(#33834)
+ * [v14] Refactor unified resources view (#33874)
+ * [v14] Send deep link clicks to frontend app in Connect (#33878)
+ * [v14] Add hosted plugin docs (#33881)
+ * [v14] Parse deep links sent to Connect (#33740)
+ * Disambiguate directory sharing's disabled and inactive states
+ (#33814)
+ * [auto] docs: Update version to v14.1.1 (#33848)
+ * Remove unused docs images (#33268)
+ * Fix title conflict (#33261)
+ * [v14] Update manual AD configuration for desktop access
+ (#33837)
+
+-------------------------------------------------------------------
+Tue Oct 24 14:15:31 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 14.1.1:
+ * Release 14.1.1 (#33843)
+ * [v14] Align titles in the introduction to topic sections,
+ modify Desktop Access reference (#33826)
+ * fix order (#33775)
+ * [v14] Add headless mode to 'tsh proxy kube' (#33783)
+ * Fix the top bar going outside the window (#33821)
+ * docs: update local windows getting started to include all
+ scopes (#33818)
+ * Fix d3-color@3.1.0 breaking tests (#33813)
+ * [v14] docs: reword tctl instructions (#33812)
+ * Check if resource exists before making sort keys to delete
+ (#33766)
+ * [v14] [docs] Automatic user provisioning for MySQL (#33745)
+ * Manually fire OpInit in NodeJoinWait test (#33692)
+ * docs: fix YAML syntax for Grafana header rewrite (#33780)
+ * Machine ID Docs Refactor (#31259) (#33714)
+ * docs: Update service type for ACM deployments in Enterprise
+ (#33774)
+ * Update Jest to v29 and use custom env to expose TextEncoder &
+ TextDecoder (#33741)
+ * Always use lowercase when pinning resources (#33765)
+ * [v14] snowflake/http: Limit Decompressed Request to 10MB
+ (#33764)
+ * Add MySQL auto-user deletion (#33520) (#33710)
+ * remove preview from directory sharing button (#33757)
+ * [v14] Add an Access Request configuration guide (#33756)
+ * Pin d3-color version to ^3.1.0 (#33760)
+ * Remove "Preview" from Resource Access Request page (#33664)
+ * test(db): simplify active
connections tests setup (#32923) + (#33686) + * Upgrade Vite + Vite dependencies (#33566) + * Minor docs typo fix (#33589) + * Bump rustix from 0.36.5 to 0.36.16 (#33707) + * Extend rsync command timeout in tests. (#33673) + * Clean up a few log entries (#33644) + * Update Node.js to 18.18.2 (#33521) (#33624) + * [v14] include url and saml connector name in entity descriptor + url errors (#33667) + * Extend test timeouts. (#33617) + * bump docs to 13.4.3 (#33700) + * [docs] add missing database matchers for discovery config + reference (#33694) + * docs: mention support for multiple AD domains (#33332) + * [auto] docs: Update version to v14.1.0 (#33680) + * [v14] DiscoveryConfig: WebAPI CRUD (#33380) + * [v14] Configure Connect to intercept deep link clicks (#33684) + * Update synchronization period in Okta docs. (#33638) + * [v14] Add the ability to run a specific tool to Assist. + (#33640) + * Remove access list from unified watcher (#33685) + * Add PostgreSQL auto-user deletion (#32792) (#33570) + * [v14] Add docs for Connect My Computer (#33149) + +------------------------------------------------------------------- +Tue Oct 24 14:01:09 UTC 2023 - kastl@b1-systems.de + +- Update to version 14.1.0: + Security fixes + * Updated golang.org/x/net dependency. #33420 + - swift-nio-http2 vulnerable to HTTP/2 Stream Cancellation + Attack: CVE-2023-44487 + * Updated google.golang.org/grpc to v1.57.1. #33487 + - swift-nio-http2 vulnerable to HTTP/2 Stream Cancellation + Attack: CVE-2023-44487 + * Updated OpenTelemetry dependency. #33523 #33550 + - OpenTelemetry-Go Contrib vulnerable to denial of service in + otelhttp due to unbound cardinality metrics: CVE-2023-45142 + * Updated babel/core to 7.3.2. #33441 + - Arbitrary code execution when compiling specifically crafted + malicious code: CVE-2023-45133 + + Changelog: + + * Release 14.1.0 (#33507) + * Add private key policy to user login and certificate posthog + events. 
(#33615)
+ * [v14] allow https:// in proxy parameter in tsh (#33646)
+ * docs: include all db protocols in faq and config (#33641)
+ * [v14] docs: Reorganize and revise moderated sessions (#33545)
+ * Add Docker to Slack access request plugin (#33393)
+ * Select examples `api` dependency update (#33595) (#33601)
+ * [v14] Update hardware key support docs (#33650)
+ * Expand access list review audit entry. (#33573)
+ * add security group picker to deployservice step (#33453)
+ * Add Docker to MSFT teams plugin (#33387)
+ * Add Docker to Mattermost plugin (#33390)
+ * Deflake TestChaosUpload (#33610)
+ * [v14] Update e (#33605)
+ * docs: update okta service setup (#33464)
+ * Update e (#33602)
+ * Update generate-eventschema (#33598)
+ * Fix a couple of typos and reword scenario descriptions (#33397)
+ * [v14] Fix issue with ServiceNow incidents not including link to
+ access request (#33593)
+ * [v14] docs: Add timing for automatic agent updates to the cloud
+ FAQ (#33400)
+ * Fix hardware key support for sso web login (#33433) (#33548)
+ * Add Hardware Key login audit event fields (#33254) (#33549)
+ * [v14] Add Access Monitoring Ping Auth Response Feature flag
+ (#33585)
+ * Add nav title & packages for Access Monitoring (#33580)
+ * [v14] Update e (#33530)
+ * [v14] Fix assist audit query prompt (#33581)
+ * [v14] Security Reports (#33459)
+ * Propagate resource revision to/from the backend (#32040)
+ (#33214)
+ * [v14] Show Connect My Computer CTA only if versions are
+ compatible (#33563)
+ * Gracefully handle web socket closure by clients (#33480)
+ (#33529)
+ * [v14] Machine ID: Improve warning/error message when secure
+ symlinks are not available (#33562)
+ * [v14] Allow Bots to submit access request reviews (#33509)
+ * [v14] Fix flaky test `TestWithRsync/with_headless_tsh` (#33557)
+ * Add user certificates generated prometheus metric.
(#33476)
+ * [v14] Missed OpenTelemetry Updates (#33550)
+ * docs: Add WinSCP to PuTTY client instructions (#32868) (#33092)
+ * [v14] Prevent remote proxies from impersonating users from
+ different clusters (#33539)
+ * Notify CLI users when access lists need reviews. (#33468)
+ * [v14] OpenTelemetry Updates (#33523)
+ * [v14] Configure custom PIV slot for hardware key support -
+ follow up (#33353)
+ * [v14] AWS OIDC: Only consider Linux/UNIX when listing EC2
+ instances (#33515)
+ * Update upcoming-releases.mdx (#33525)
+ * Revert private key policy error handling in WebUI (#33237)
+ (#33482)
+ * [v14] Database Automatic User Provisioning support for MySQL
+ (#33379)
+ * [v14] Fix user login state gRPC client upsert. (#33451)
+ * Make privateKeyPolicyEnabled an optional field. (#33481)
+ * Update remaining `google.golang.org/grpc` to v1.57.1 (#33487)
+ * Make initialization of Connect synchronous (#33508)
+ * [v14] Update @babel/core to 7.23.2 and dedupe babel deps
+ (#33441)
+ * [v14] update e (#33493)
+ * Configure custom PIV slot for hardware key support (#31732)
+ (#33352)
+ * [v14] Show resources in Slack notification for access requests
+ (#33264)
+ * Extend handshake read deadline to allow signature operations
+ that require user input to be completed (hardware key
+ touch/pin). (#32921) (#33348)
+ * [v14] Add `pcscd` install instructions for hardware key support
+ (#33376)
+ * Add support for deploy service agent auto updates (#31982)
+ (#33313)
+ * * Use lowercase for sort keys in unified cache (#33475)
+ * [v14] Include 'nextAuditDate' in 'CreateAccessListReview'
+ method (#33485)
+ * fix oidc test race (#33432)
+ * [v14] docs: update macos app remove command to delete dir and
+ correct fips debug container address (#33367)
+ * [v14] Add a duration for starting notifications to access
+ lists.
(#33474)
+ * [docs] clarify RDS/Aurora databases getting modified (#33410)
+ * [v14] Prevent double registration of Kubernetes GVK for older
+ Kube clusters (#33402)
+ * [v14] Web: Add notification store (#33381)
+ * Web: add identity management nav section (#33423)
+ * Add usage events for desktop access (#33455)
+ * Wait for nodes to be availble in disconnection tests (#33446)
+ * Use searchAsRoles in unified requests (#33427)
+ * Show Connect My Computer button in empty state in Connect
+ (#33440)
+ * Remove Connect My Computer feature flag (#32850)
+ * Refactor desktop audit event emission (#33316)
+ * [v14] Bump golang.org/x/net Backport (#33420)
+ * Fix an issue `tsh` fails to connect Proxy behind TLS-terminated
+ loadbalancer in separate port mode (#33406)
+ * Add resource pinning to Unified Resource cards (#32980)
+ (#33404)
+ * [v14] PIV refactors (#33349)
+ * [v14] Fix access list audit log formatting (#33383)
+ * Allow access requests to use user login state. (#33350)
+ * join_sessions overrides the deny rule for sessions a user is
+ allowed to join (#33161)
+ * Allow for Windows PKI operations to target a different domain
+ (#33275)
+ * [auto] docs: Update version to v14.0.3 (#33361)
+ * Downgrade `@teleport-access-approver` to `v6` (#33354)
+ * [v14] Pinned Resources backend (#33277)
+ * Remove access lists and members from the cache.
(#33322)
+ * Added 10/11 Upcoming Releases Update (#33309)
+ * Make system roles case-insensitive in provision tokens (#33260)
+ * docs: include servicenow and opsgenie in plugin index (#33292)
+ * [v14] docs: Reduce the use of capitalized trusted clusters and
+ a few other fixes (#33310)
+ * Add Docker to email plugin (#33321)
+ * [v14] Add param `extraContainers` to `teleport-cluster` and
+ `teleport-kube-agent` (#33299)
+
+-------------------------------------------------------------------
+Tue Oct 24 11:52:47 UTC 2023 - kastl@b1-systems.de
+
+- skipping non-existent release 14.0.2
+- Update to version 14.0.3:
+ * Release 14.0.3 (#33290)
+ * [v14] Remove check that enforces slack oauthProviders are set
+ (#33141)
+ * [v14] Report exit code of rsync processes if they fail in
+ TestWithRsync (#33262)
+ * DiscoveryConfig: init service and add resource to `tctl`
+ (#32399) (#33289)
+ * Update e (#33280)
+ * [v14] re-add agentless node manual installation docs (#32811)
+ * chore: Bump google.golang.org/grpc to v1.57.1 (#33265)
+ * [v14] [buddy] docs: minor typos and improvements in the
+ description of the Teleport Proxy Service (#33184)
+ * [v14] utils.RecursiveChown: Fix for Privilege Escalation due to
+ following symlinks (#33248)
+ * Reword Troubleshooting section in Connect docs (#33201)
+ * Add server troubleshooting to left nav (#33224)
+ * fix watcher setup in oidc test (#33258)
+ * [v14] docs: role definition update and update networking ports
+ info (#33223)
+ * [v14] docs: Caveat for token permissions not scoped to any
+ resource context (#33166)
+ * disable TestHSMDualAuthRotation (#33251)
+ * Backport changes to Restrict Access to Privileged Accounts
+ topic (#33238)
+ * [v14] Fix `tsh kube credentials` when root cluster roles don't
+ allow Kube access (#33210)
+ * [v14] chore: Bump Go to v1.21.3 (#33229)
+ * Yarn replacement version bumps (#33023)
+ * [v14] [docs] Attempt to clarify ElastiCache/MemoryDB auth
+ methods (#33215)
+ * [v14] docs: Add Docker
to partials and update the discord
+ access request plugin (#33163)
+ * Fixes emitting wrong events for ec2 discover flow (#33185)
+ * Fix Kubernetes agent updater helm chart reference to bool
+ (#33212)
+ * [v14] Fix Proxy Kube listener behavior regarding PROXY protocol
+ usage (#33135)
+ * DiscoveryMatchers: move checkandset to types package (#32857)
+ (#32959)
+ * [v14] Split RDS Proxy guides per protocol (#33145)
+ * [v14] Header `Connection: close` causes `kubectl` to fail exec
+ (#33172)
+ * Web: Add EC2 name when listing instances in Discover flow
+ (#33179)
+ * [v14] Add support for gap prop to Button (#33196)
+ * Fix self-signed cert validity on macOS systems (#33156)
+ * fix leaf SSH sessions not getting recorded (#33102)
+ * [v14] OneOff Script: use ent build if cluster is Enterprise
+ (#33148)
+ * Add helper for generating request TTL options (#33041)
+ * Track connections to direct dial nodes across clusters (#33045)
+ * Add initial command to session trackers (#33112)
+ * [v14] docs: include info for accessing database audit activity
+ (#33093)
+ * [v14] docs: Draft of troubleshooting topics for Server Access
+ (#32876)
+ * [v14] docs: update fips docker address and internal address
+ listing (#33087)
+ * [v14] Fix --debug flag in Connect & enable devtools in debug
+ mode (#33137)
+ * [v14] Web: add link to CloudShell on EICE/EC2 Discover flow
+ (#33079)
+ * Fix some Rust lint warnings caught by Clippy 1.73.0 (#33098)
+ * [v14] Reliability improvements for HSM tests (#33091)
+ * docs: title zypper enterprise linux install tab (#33074)
+ * [v14] docs: Update HA Terraform reference and add starter
+ cluster reference (#33085)
+ * [v14] Update e ref. (#33066)
+ * [v14] Add cost optimized pagination search for athena (#33007)
+ * [v14] Add the Access List review backend.
(#33070)
+ * Update cloud docs to 13.4.2 (#33071)
+ * [v14] AWS OIDC - EICE: improve error when EC2 does not accept
+ SSH connections (#33057)
+ * Update e ref (#32990)
+ * Downgrade Electron to 25.9.0 (#33058)
+ * Fix switch condition in Proxy listeners setup (#32966)
+ * Allow breaker tripped error to be configurable (#33036)
+ * Fix `kubectl log` commands when they refer to deployment
+ instead of pod (#32962)
+ * [v14] chore: Bump Go to v1.21.2 (#33046)
+ * Add in audit review recurrence presets. (#32960)
+ * [v14] chore: Pin golangci-lint and buf, bump buf to v1.27.0
+ (#33034)
+ * fix: improve reconnection reliability after process reloads
+ (#32807)
+ * Add sort index trees to unified resource cache (#33027)
+ * [v14] chore: Address crypto/elliptic package deprecations
+ (#32929)
+ * update --db-user and --db-name docs (#32888)
+ * Remove unused bloat bypass workflow (#32984)
+ * Track user connections across clusters (#32967)
+ * [v14] Web: Create (re-use) step navigator for general use
+ (#32979)
+ * Added 10/04 Upcoming Releases Update (#32981)
+ * Fix desktop listener PROXY mode setting (#32937)
+ * Web build: fix circular dep warnings (#32975)
+ * [v14] Yarn dependency upgrades (#32977)
+ * [v14] `removeSecure()` should close the file before removing it
+ on Windows (#32963)
+ * [v14] Special case TestOpenFileLinks on macOS (#32957)
+ * update cloud docs to 13.4.0 (#32951)
+ * Bump zod from 3.21.2 to 3.22.3 (#32954)
+ * Update error message on GitHub OSS (#32914)
+ * [v14] Connect My Computer: Improve copy and UI consistency
+ (#32890)
+ * MenuIcon: Support arbitrary icon through Icon prop (#32889)
+ * Update e (#32931)
+ * Add new methods to AccessResourcesGetter interface (#32862)
+ * [v14] docs: change open source/OSS references to community
+ edition (#32877)
+ * [v14] Replace Access Plane with Access Platform (#32878)
+ * Bump webpki from 0.22.1 to 0.22.2 (#32883) (#32907)
+ * [v14] docs: Add how to verify the binaries are FIPS-compliant
+ #32169
(#32882)
+ * [v14] Pin Teleport Terraform Provider to Teleport major version
+ (#32898)
+ * [v14] Fix max_duration when session TTL is short (#32817)
+ * [v14] puttyconfig: Switch to string-based Validity format and
+ deprecate MatchHosts (#32856)
+ * [v14] Add the internal access list review resource. (#32861)
+ * [v14] docs: update tctl tsh version location in prereqs
+ (#32858)
+ * [v14] docs: remove old versions ref (#32865)
+ * Convert `examples/teleport-usage` to use distroless image
+ (#32666)
+ * Sort cloud label names to the back (#32691)
+ * Use Proxy gRPC API when creating tracing client (#32663)
+ * Use Proxy gRPC API during log in (#32662)
+ * Prevent Kube proxy from set the default Kube impersonation
+ headers (#32848)
+ * Add support for Client ID to Azure VM auto-discovery (#32800)
+ * Use a context with a different scope for diagnostic trace
+ upload (#32838)
+ * Update e ref (#32812)
+ * Add connection information to multiplexer logs so it's easier
+ to investigate (#32738)
+ * [v14] DiscoveryConfig: add service with rbac support (#32719)
+ * add usage events for eice discover (#32815)
+ * [v14] Check to make sure defaultAllowRules matches preset
+ roles.
(#32793)
+ * Added 09/27 Upcoming Releases Update (#32680)
+ * Improve RDS MySQL IAM auth error message (#32803)
+ * Add promoted access list title to teleterm access request
+ (#32717)
+ * [v14] Improve Connect My Computer UI & logout experience
+ (#32791)
+ * [v14] Fix remote pool of signed certs when exec into leaf
+ clusters (#32768)
+ * [v14] Improve explanation of `TBOT_GITLAB_JWT` config in GitLab
+ guide (#32797)
+ * [v14] Fix data race in Postgres engine on connection close
+ (#32783)
+ * [auto] docs: Update version to v14.0.1 (#32621)
+ * [v14] Properly apply `client_idle_timeout` to database access
+ sessions (#32720)
+ * [v14] Add access request promotion state and suggestion API
+ changes (#32710)
+ * allow teleport to start when some etcd nodes are unreachable
+ (#32779)
+ * Cut CI unit test runtime in half (#32774)
+ * conditionally show assist popover (#32267) (#32765)
+ * [v14] fix: Fix panic on `tsh device enroll --current-device`
+ (#32756)
+ * add eice discover flow (#32760)
+ * [v14] Web: Add disabled state to RadioGroup and add new icon
+ (#32758)
+ * [v14] Add Access Review gRPC service methods and messages.
+ (#32549)
+ * bump e (#32752)
+ * Fix the in-product link to trusted cluster docs (#32749)
+ * Remove reference to use a load balancer (#32695)
+ * Leverage marketing params on Discover (#31648) (#32515)
+ * [v14] Make spacing of Connect My Computer status more
+ consistent (#32736)
+ * docs: helm updates (#32705)
+ * [v14] docs: update Teleport Team prereqs (#32697)
+ * DiscoveryConfig: add service and client (#32562)
+ * [v14] Web: Extract re-usable parts and add new icons (#32713)
+ * Connect My Computer: Agent compatibility fixes (#32477)
+ (#32648)
+ * Update e (#32722)
+ * [v14] Update config reference for proxy_protocol field.
+ (#32667)
+ * Fix label name mismatch (#32569)
+ * [v14] Fixed issue where prerelease container image tags can
+ overwrite production container image tags (#32701)
+ * [v14] docs: remove multi level claim reference (#32673)
+ * Drain unused SSH channels (#32676)
+ * Fix usage of ClusterName from config when starting Auth server
+ (#32682)
+ * [v14] Connect: Add --debug flag, don't pass --insecure flag in
+ dev mode by default (#32657)
+ * remove docs for deprecated flags (#32670)
+ * Fix overflow in dropdown menu (#32647)
+ * Move `lib/utils/prompt` to `api/utils/prompt` (#32334) (#32576)
+ * [v14] [docs] DB access troubleshoot sts:AssumeRole not
+ authorized (#32661)
+ * Bump graphql from 16.6.0 to 16.8.1 (#32635)
+ * [v14] Fix Access List Members cache and eventing. (#32649)
+ * [v14] fix: Let users without a useable device issue register
+ challenges (#32430)
+ * Fix enterprise version check (#32554) (#32631)
+ * Update the supported versions table for v14 (#32585)
+ * Make UUIDs used in test helpers less random (#32564)
+ * [v14] Update copy of Connect My Computer setup & misc
+ improvements (#32565)
+ * Simplify LockTarget.IsEmpty implementation (#32607)
+ * Added 09/26 Upcoming Releases Update (#32599)
+
+-------------------------------------------------------------------
+Tue Oct 24 11:44:42 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 14.0.1:
+ * Release 14.0.1 (#32611)
+ * Fix issue Teleport Connect Kube terminal throws internal server
+ error (#32612)
+ * Fix install-linux.mdx (#32586)
+ * docs: oracle guide steps (#32582)
+ * Remove mention of reversetunnel_connected_proxies (#32572)
+ * [v14] docs: add faq answer for using oss or ent release for
+ agents (#32520)
+ * [v14] Remove non-file path links from partials (#32234)
+ * ExtendWebSession: Update roles on req.ReloadUser (#32541)
+ * Correct grammar error in PagerDuty integration notification
+ (#32537)
+ * Use cluster name from ServerIdentity for Auth multiplexer
+ (#32352)
+ * athena:
configure limits in examples (#32543)
+ * [v14] Add support for Protobuf Enums into Operator CRDs
+ (#32557)
+ * Add alignSelf to Button (#32561)
+ * Remove Preview from Connect title bar (#32560)
+ * [v14] Bump UI Role version to `v7` (#32341)
+ * fix(regular): combine static and dynamic labels for session
+ metadata (#32382)
+ * [v14] Connect My Computer: Add progress bar to the setup screen
+ (#32475)
+ * [v14] DiscoveryConfig: add proto and gRPC methods (#32313)
+ * `compareSemVers` should return 0 if values are equal (#32459)
+ * [v14] Updated packer version to fix tag builds (#32526)
+ * Update getting started (#32517)
+ * docs: Flip Github connector examples for OSS vs Commercial
+ (#32507)
+ * Add posthog events for discovered Kubernetes Apps (#32379)
+ * [v14] Update reduce-blast-radius.mdx (#32397)
+ * Dynamically generate unifiedId (#32263)
+ * Fill in missing CHANGELOG info (#32416)
+ * [v14] docs: remove v10 references (#32491)
+ * [v14] docs: helm install agent updates (#32503)
+ * [v14] docs: Root access is insecure: draft for expanded
+ security admin topics (#32423)
+ * [v14] Update e ref. (#32496)
+ * [v14] Allow sudoer files to be created separately from host
+ user creation (#32400)
+ * Remove gravitational/configure dependency (#32487)
+ * Fix incorrect CA in Machine ID database access guide (#32465)
+ * Add small delay to display shimmer boxes (#32482)
+ * [v14] Refresh resources after Connect My Computer setup
+ (#32484)
+ * [v14] docs: remove duplicate warning (#32478)
+ * [v14] Secure File Removal Improvements (#32435)
+ * [v14] Prevent duplicate Access List owners.
(#32481) + * Connect My Computer: Store agent logs (#32044) (#32458) + * pgbk: remove CREATE PUBLICATION (#32474) + * Enforce use of IMDSv2 for AMI builds (#32418) + * Fix bugs with GCP project ID + default installer (#32316) + * docs: remove guidance on version warning older then v11 + (#32408) + * Move Discovery Matchers to their own files (#32368) + * Connect My Computer: Keeping compatibility promise (#31951) + (#32394) + * [v14] docs: Oracle Audit Logs (#32282) + * [v14] ci: clarify failure on `go mod tidy` (#32389) + * [v14] Provide error message if process file is unavailable due + to permissions for teleport start (#32348) + * Upgrade TypeScript to 5.2.2 (#32375) + * [v14] Connect My Computer: Remove the agent (#32369) + * [v14] Add initial ServiceNow plugin docs (#32268) + * Application access header rewrites should be a list (#32340) + * [v14] Remove unused servicenow rotation code and rotas from + recipient (#32363) + * Add interactive tonal primary colors (#32007) (#32319) + * [v14] Fix repeated ServiceAccount in `teleport-kube-agent` + chart (#32338) + * [v14] Update e (#32366) + * Add Access List usage events, emit event for userloginstate + Generator. 
(#32297)
+ * post-release: update the docs version (#32308)
+ * [v14] Define and add `IneligibleStatus` fields for access list
+ members and owners (#32278)
+ * Update token parameter description to be consistent (#32330)
+ * [v14] pgbk: docs for change_feed_conn_string and warning
+ against OLAP workloads (#32283)
+ * Fix issues in Azure VM auto-discovery docs (#32317)
+ * Implement waiting for Connect My Computer node to join cluster
+ (#32295)
+ * Allow including only traits when doing a JWT rewrite (#32291)
+ * Move Upcoming Releases to v14 (#32300)
+ * docs: include SLES install with zypper repo in ent install
+ (#32305)
+ * docs: update version (#32292)
+ * [docs] fix Postgres auto-user provisioning role group (#31967)
+ * [v14] Add initial servicenow plugin (#32131)
+ * [v14] Execute time-bound graceful shutdowns on
+ `SIGINT`/`SIGTERM`. (#32189)
+ * Fix double counting of auth server (#32270)
+
+-------------------------------------------------------------------
+Tue Oct 24 09:46:50 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 14.0.0:
+ very large changelog, please check it here:
+ https://github.com/gravitational/teleport/releases/tag/v14.0.0
+
+ Breaking changes and deprecations
+ * SSH node open dial no longer supported
+ Teleport 14 no longer allows connecting to OpenSSH servers not
+ registered with the cluster. Follow the updated agentless
+ OpenSSH integration guide to register your OpenSSH nodes in the
+ cluster’s inventory.
+ You can set TELEPORT_UNSTABLE_UNLISTED_AGENT_DIALING=yes
+ environment variable on Teleport proxy to temporarily re-enable
+ the open dial functionality. The environment variable will be
+ removed in Teleport 15.
+ * Proxy protocol default change
+ Starting from version 14, Teleport will require users to
+ explicitly enable or disable PROXY protocol in their
+ proxy_service/auth_service configuration using proxy_protocol:
+ on|off option.
+ Users who run their proxies behind L4 load balancers with PROXY
+ protocol enabled, should set proxy_protocol: on. Users who
+ don’t run Teleport behind PROXY protocol enabled load
+ balancers, should disable proxy_protocol: off explicitly for
+ security reasons.
+ By default, Teleport will accept the PROXY line but will
+ prevent connections with IP pinning enabled. IP pinning users
+ will need to explicitly enable/disable proxy protocol like
+ explained above.
+ See more details in our documentation.
+ * Legacy deb/rpm package repositories are deprecated
+ Teleport 14 will be the last release published to the legacy
+ package repositories at deb.releases.teleport.dev and
+ rpm.releases.teleport.dev. Starting with Teleport 15, packages
+ will only be published to the new repositories at
+ apt.releases.teleport.dev and yum.releases.teleport.dev.
+ All users are recommended to switch to
+ apt.releases.teleport.dev and yum.releases.teleport.dev
+ repositories as described in installation instructions.
+ * Cf-Access-Token header no longer included with app access requests
+ Starting from Teleport 14, the Cf-Access-Token header
+ containing the signed JWT token will no longer be included by
+ default with all app access requests. All requests will still
+ include Teleport-JWT-Assertion containing the JWT token.
+ See documentation for details on how to inject the JWT token
+ into any header using header rewriting.
+ * tsh db CLI commands changes
+ In Teleport 14 tsh db sub-commands will attempt to select a
+ default value for --db-user or --db-name flags if they are not
+ provided by the user by examining their allowed db_users and
+ db_names.
+ The flags --cert-file and --key-file for tsh proxy db command
+ were also removed, in favor of the --tunnel flag that opens an
+ authenticated local database proxy.
+ * MongoDB versions prior to 3.6 are no longer supported
+ Teleport 14 includes an update to the MongoDB driver.
+ Due to the MongoDB team dropping support for servers prior to + version 3.6 (which reached EOL on April 30, 2021), Teleport + also will no longer be able to support these old server + versions. + * Symlinks for ~/.tsh/environment no longer supported + In order to strengthen the security in Teleport 14, file + loading from home directories where the path includes a symlink + is no longer allowed. The most common use case for this is + loading environment variables from the ~/.tsh/environment file. + This will still work normally as long as the path includes no + symlinks. + * Deprecated audit event + Teleport 14 deprecates the trusted_cluster_token.create audit + event, replacing it with a new join_token.create event. The new + event is emitted when any join token is created, whether it be + for trusted clusters or other Teleport services. + Teleport 14 will emit both events when a trusted cluster join + token is created. Starting in Teleport 15, the + trusted_cluster_token.create event will no longer be emitted. + +------------------------------------------------------------------- +Thu Oct 19 05:46:50 UTC 2023 - kastl@b1-systems.de + +- Update to version 13.4.4: + * Release 13.4.4 (#33622) + * Select examples `api` dependency update (#33595) (#33599) + * Expand access list review audit entry. 
(#33572) + * add security group picker to deployservice step (#33454) + * [v13] Add support for deploy service agent auto updates + (#31982) (#33311) + * Add Docker to Slack access request plugin (#33392) + * [v13] docs: Reorganize and revise moderated sessions (#33546) + * Deflake TestChaosUpload (#33611) + * [v13] Update e (#33606) + * docs: update okta service setup (#33465) + * Add Docker to MSFT teams plugin (#33386) + * Add Docker to Mattermost plugin (#33389) + * docs: Fix a couple of typos and reword scenario descriptions + (#33398) + * docs: Add agent updates follow the cluster upgrade to the FAQ + (#33401) + * Remove sending tracingContext in NewClientConn (#33584) + * [v13] OpenTelemetry Update Backport (#33551) + * Gracefully handle web socket closure by clients (#33480) + (#33532) + * Allow Bots to submit access request reviews (#33375) (#33510) + * [v13] Prevent remote proxies from impersonating users from + different clusters (#33540) + * Notify CLI users when access lists need reviews. (#33469) + * [v13] Missed v13 golang backport updates (#33527) + * Update e (#33531) + * [v13] AWS OIDC: Only consider Linux/UNIX when listing EC2 + instances (#33514) + * [v13] Update e (#33526) + * fix oidc test race (#33431) + * [v13] Fix user login state gRPC client upsert. (#33450) + * [v13] Bump `google.golang.org/grpc` to v1.57.1 (#33488) + * [v13] Update @babel/core to 7.23.2 and dedupe babel deps + (#33442) + * Update e (#33494) + * [v13] Add `pcscd` install instructions for hardware key support + (#33377) + * Web: Fix passing in color to wrong field name (#33489) + * [v13] Include 'nextAuditDate' in 'CreateAccessListReview' + method (#33484) + * [v13] Add a duration for starting notifications to access + lists. 
(#33473) + * [v13] docs: update macos app remove command to delete dir and + correct fips debug container address (#33368) + * [docs] clarify RDS/Aurora databases getting modified (#33411) + * [v13] Web: Add notification store (#33382) + * Add usage events for desktop access (#33456) + * Web: add identity management nav section (#33409) (#33425) + * [v13] Bump for word-wrap and semver (#33452) + * Allow for Windows PKI operations to target a different domain + (#33276) + * [v13] Bump golang.org/x/net Backport (#33447) + * Remove "aurora" engine from db fetcher (#30572) (#33236) + * Refactor desktop audit event emission (#33336) + * Fix an issue `tsh` fails to connect Proxy behind TLS-terminated + loadbalancer in separate port mode (#33407) + * [v13] Fix access list audit log formatting (#33384) + * Allow access requests to use user login state. (#33351) + * join_sessions overrides the deny rule for sessions a user is + allowed to join (#33160) + * [auto] docs: Update version to v13.4.3 (#33360) + * Remove access lists and members from the cache. 
(#33324) + * docs: include servicenow and opsgenie in plugin index (#33293) + * Add Docker to email plugin (#33320) + +------------------------------------------------------------------- +Thu Oct 12 06:03:55 UTC 2023 - kastl@b1-systems.de + +- Update to version 13.4.3: + * Release 13.4.3 (#33291) + * Add param `extraContainers` to `teleport-cluster` and + `teleport-kube-agent` (#32953) (#33300) + * Update e (#33281) + * Backport changes to Restrict Access to Privileged Accounts + topic (#33255) + * [v13] [buddy] docs: minor typos and improvements in the + description of the Teleport Proxy Service (#33183) + * Add server troubleshooting to left nav (#33222) + * [v13] utils.RecursiveChown: Fix for Privilege Escalation due to + following symlinks (#33247) + * Reword Troubleshooting section in Connect docs (#33202) + * fix watcher setup in oidc test (#33259) + * [v13] docs: Add Docker to partials and update the discord + access request plugin (#33168) + * [v13] docs: role definition update and update networking info + (#33225) + * Disable golangci-lint action cache (#30780) (#33240) + * [v13] chore: Bump Go to v1.20.10 (#33230) + * Fixes emitting wrong events for ec2 discover flow (#33186) + * [v13] [docs] Attempt to clarify ElastiCache/MemoryDB auth + methods (#33216) + * [v13] docs: Caveat for token permissions not scoped to any + resource context (#33165) + * [v13] Fix `tsh kube credentials` when root cluster roles don't + allow Kube access (#33211) + * Fix Kubernetes agent updater helm chart reference to bool + (#33213) + * Yarn replacement version bumps (#32982) (#33024) + * Fix --debug flag in Connect & enable devtools in debug mode + (#33204) + * [v13] Split RDS Proxy guides per protocol (#33146) + * Web: Add EC2 name when listing instances in Discover flow + (#33178) + * [v13] Add support for gap prop to Button (#33199) + * [v13] fix leaf SSH sessions not getting recorded (#33104) + * [v13] OneOff Script: use ent build if cluster is Enterprise + (#33147) + * 
Fix self-signed cert validity on macOS systems (#33157) + * Add initial command to session trackers (#32947) (#33113) + * [v13] docs: update fips docker address and internal listing + (#33088) + * [v13] docs: include info for accessing database audit activity + (#33094) + * [v13] Web: add link to CloudShell on EICE/EC2 Discover flow + (#33078) + * Fix some Rust lint warnings caught by Clippy 1.73.0 (#33097) + * Update e (#33105) + * Add promoted access list title to teleterm access request + (#32718) + * docs: title zypper enterprise linux install tab (#33075) + * Add the Access List review backend. (#33069) + * [v13] Add cost optimized pagination search for athena (#33006) + * Update cloud docs to 13.4.2 (#33072) + * [v13] Access request promotion (#33029) + * [v13] Update e ref. (#33067) + * Downgrade Electron to 25.9.0 (#33059) + * Allow breaker tripped error to be configurable (#32869) + (#33037) + * [v13] chore: Bump Go to v1.20.9 (#33047) + * Correct typo in Makefile. (#33052) + * [v13] chore: Move golangci-lint and buf to GHA, bump versions + (#33038) + * Add in audit review recurrence presets. 
(#32961) + * [v13] Track user connections across clusters (#32996) + * Web: Create (re-use) step navigator for general use (#32939) + (#32985) + * Web: fix passing in color into wrong field (#32992) + * Web build: fix circular dep warnings (#32976) + * [v13] `removeSecure()` should close the file before removing it + on Windows (#32964) + * update cloud docs to 13.4.0 (#32950) + * Bump zod from 3.21.2 to 3.22.3 (#32955) + * Update error message on GitHub OSS (#32915) + * Update e (#32935) + * [v13] Fix: Add access list field to web usercontext ACL + (#32917) + * [v13] docs: Draft of troubleshooting topics for Server Access + (#32875) + * [v13] Replace Access Plane with Access Platform (#32879) + * Change Open source and OSS to Teleport Community Edition + (#32884) + * Bump webpki from 0.22.1 to 0.22.2 (#32883) (#32906) + * MenuIcon: Support arbitrary icon through Icon prop (#32891) + * Pin Teleport Terraform Provider to Teleport major version + (#32897) + * re-add agentless node manual installation docs (#32813) + * Add the internal access list review resource. (#32864) + * [v13] docs: update tctl tsh version location in prereqs + (#32859) + * [v13] docs: remove old versions ref (#32866) + * Cut CI unit test runtime in half (#32851) + * Use Proxy gRPC API when creating tracing client (#32664) + * [v13] [docs] DB access troubleshoot sts:AssumeRole not + authorized (#32660) + * Use a context with a different scope for diagnostic trace + upload (#32837) + * Add connection information to multiplexer logs so it's easier + to investigate (#32739) + * add usage events for eice discover (#32617) (#32816) + * [v13] Check to make sure defaultAllowRules matches preset + roles. 
(#32794) + * Improve RDS MySQL IAM auth error message (#32802) + * [v13] Improve explanation of `TBOT_GITLAB_JWT` config in GitLab + guide (#32796) + * [v13] Update Okta SDK to v2.20.0 (#32782) + * add eice discover flow (#32202) (#32766) + * [auto] docs: Update version to v13.4.1 (#32606) + * allow teleport to start when some etcd nodes are unreachable + (#32778) + * conditionally show assist popover (#32267) (#32764) + * [v13] fix: Fix panic on `tsh device enroll --current-device` + (#32757) + * Web: Add disabled state to RadioGroup and add new icon (#32762) + * move aws region selector to shared and add types and endpoints + (#32096) (#32754) + * [v13] fix: Let users without a useable device issue register + challenges (#32668) + * bump e-ref (#32759) + * Fix the in-product link to trusted cluster docs (#32750) + * [v13] Leverage marketing params on Discover (#31648) (#32514) + * Web: Extract re-usable parts and add new icons (#32529) + (#32716) + * Remove reference to use a load balancer (#32693) + * [v13] Add Access Review gRPC service methods and messages. 
+ (#32548) + * docs: helm updates (#32732) + * docs: update Teleport Team prereqs (#32700) + * Properly apply `client_idle_timeout` to database access + sessions (#32485) (#32725) + * Add textTransform override for resource launch buttons (#32686) + * Add alignSelf to Button (#32641) + * Update e (#32723) + * Fix label name mismatch (#32570) + * [v13] Fixed issue where prerelease container image tags can + overwrite production container image tags (#32703) + * [v13] docs: remove multi level claim reference (#32674) + * Fix usage of ClusterName from config when starting Auth server + (#32683) + * Drain unused SSH channels (#32677) + * [v13] Connect: Add --debug flag, don't pass --insecure flag in + dev mode by default (#32656) + * Fix overflow in dropdown menu (#32646) + * Add PROXY header getter to the grpc proxy client (#32178) + * Move `lib/utils/prompt` to `api/utils/prompt` (#32334) (#32577) + * [v13] Fix `TestEC2Hostname` (#32665) + * Bump graphql from 16.6.0 to 16.8.1 (#32636) + * Fix enterprise version check (#32554) (#32633) + * Fix Access List Members cache and eventing. (#32651) + * Update the supported versions table for v14 (#32584) + * Simplify LockTarget.IsEmpty implementation (#32608) + * Fix install-linux.mdx (#32587) +- skip non-existent release 13.4.2 + +------------------------------------------------------------------- +Wed Sep 27 04:37:00 UTC 2023 - kastl@b1-systems.de + +- Update to version 13.4.1: + * Release 13.4.1 (#32594) + * [v13] Remove unused FIPS infrastructure (#32539) + * Remove mention of reversetunnel_connected_proxies (#32573) + * [v13] docs: add faq answer for using oss or ent release for + agents (#32521) + * Add gRPC error interceptors to API client. 
(#31009) + * Correct grammar error in PagerDuty integration notification + (#32538) + * [v13] Add support for Protobuf Enums into Operator CRDs + (#32556) + * fix(regular): combine static and dynamic labels for session + metadata (#32383) + * Allow sudoer files to be created without host users (#32404) + * `compareSemVers` should return 0 if values are equal (#32315) + (#32462) + * [v13] Updated packer version to fix tag builds (#32527) + * docs: helm install agent updates (#32508) + * docs: Flip Github connector examples for OSS vs Commercial + (#32506) + * [v13] Update reduce-blast-radius.mdx (#32396) + * [v13] docs: Root access is insecure: draft for expanded + security admin topics (#32424) + * [v13] docs: remove v10 references (#32492) + * [v13] Update e ref. (#32497) + * Remove gravitational/configure dependency (#32488) + * Secure File Removal Improvements (#32260) (#32437) + * [v13] docs: remove duplicate warning (#32479) + * [v13] Prevent duplicate Access List owners. (#32480) + * Fix incorrect CA in Machine ID database access guide (#32466) + * [v13] Improve AWS CLI Access performance by caching AWS session + credentials (#32414) + * Fix data race when calling Uploader's `Close` and `Serve` + simultaneously (#30360) (#32395) + * Enforce use of IMDSv2 for AMI builds (#32419) + * Support AWS EC2 IMDSv2 for installer and inventory metadata + (#31134) + * docs: remove guidance on version warning older than v11 + (#32410) + * [v13] Use the instance role for the upload completer (#32346) + * [v13] Provide error message if process file is unavailable due + to permissions for teleport start (#32349) + * [v13] ci: clarify failure on `go mod tidy` (#32390) + * Upgrade TypeScript to 5.2.2 (#32376) + * Application access header rewrites should be a list (#32339) + * Add interactive tonal primary colors (#32007) (#32320) + * [v13] Fix repeated ServiceAccount in `teleport-kube-agent` + chart (#32337) + * [v13] update e (#32367) + * Add Access List usage events, emit 
event for userloginstate + Generator. (#32298) + * Make access list membership check fn public (#31355) (#32362) + * [v13] Define and add `IneligibleStatus` fields for access list + members and owners (#31857) (#32279) + * Bump UI Role version to `v6` (#32335) + * Update token parameter description to be consistent (#32331) + * pgbk: docs for change_feed_conn_string and warning against OLAP + workloads (#32079) (#32284) + * Allow including only traits when doing a JWT rewrite (#32290) + * docs: include SLES install with zypper repo in ent install + (#32306) + * [docs] fix Postgres auto-user provisioning role group (#31968) + * Fix double counting of auth server (#32269) + * [auto] docs: Update version to v13.4.0 (#32276) + +------------------------------------------------------------------- +Thu Sep 21 04:39:02 UTC 2023 - kastl@b1-systems.de + +- Update to version 13.4.0: + * Release 13.4.0 (#32179) + * [v13] Revise desktop access-Active Directory script-driven + (#32156) + * Leave access intact if access list has not been reviewed by + review date. (#32261) + * Fix the userloginstate generator if the user has no traits. + (#32258) + * [v13] Omit WithError for "proxy already claimed" (#32242) + * Fix variable in Azure AD docs (#32247) + * [v13] convert protobuf's zero time into go's zero time (#32127) + * Add access list to default allow editor preset role (#32253) + * Add systemd instructions to the Jamf Pro guide (#32244) + * docs: include postgresql in ha docs (#32239) + * Prevent zombie sessions being left behind for web sessions + (#32200) + * Fix incorrcect use of apostrophe in discover UI (#32149) + * Stop implicitly loading global tsh config on Windows (#32223) + * Validate SAMLIdPServiceProviders ACS endpoints (#32220) + * Verify expected token properties in WithProvisionTokenAuth. 
+ (#32215) + * Manually create the users HOME rather than letting useradd do + it (#32210) + * [v13] pgbk: specify the schema name in wal2json's add-tables + (#32198) + * Respect MongoDB max message size (#31963) (#32144) + * chore: Bump OpenSSL to 3.0.11 (#32160) + * [v13] AWS OIDC: command to configure IAM for listing databases + (#31980) + * Update e (#32177) + * [v13] docs: Trusted cluster root certificates for access to + leaf clusters security issue (#32152) + * [v13] docs: rewrite trusted clusters overview, how-to, and + related topics (#32154) + * [v13] support discovered name match in tbot outputs (#32111) + * Web: Fix user signup flow and auto focus login form transition + issues (#31510) (#31965) + * Add btmp support for user accounting (#32054) + * Add error to Attempt in useAsync (#32118) + * helm: fix deletion hook serviceAccount in the agent chart + (#31877) + * Update helm-deployments.mdx (#32041) + * [v13] Fix Kubernetes selected cluster (#32087) + * [v13] tsh kube ls ux (#32084) + * [v13] handle discovery renaming when listing resource in `tctl` + text … (#32083) + * [v13] Deflake `TestListKube` (#32082) + * Updated OS package repo docs (#31541) (#32103) + * Fix issues in GCP auto-discovery docs (#31826) (#31976) + * docs: mention how to register a Windows desktop with tctl + (#31986) + * fix awsoidc tests (#32003) + * Prevent trusted clusters in Cloud (#31874) + * [v13] Apply various small BPF refactors (#31995) + * Remove unused bot_token.create event (#31973) + * Upgrade node-abi to 3.47.0 (#31960) + * Fix focus background in passwordless user prompt in Connect + (#31934) + * correct tsh recording command description (#31949) + * Make LogWriter's not implemented error message more obvious + (#31930) + * [v13] pgbk: add change_feed_conn_string option (#31938) + * [v13] WebAPI: Include new DB RDS fields (vpc and subnet) + (#31817) + * [v13] Fix directory sharing for non-ascii directory names + (#31924) + * Fix typo in HSM docs (#31910) + * Ignore 
Vagrant folder (#31908) + * [v13] Fix JSON marshalling for Audit struct (#31329) + * [v13] Add AccessList with member upserting functionality + (#31608) + * Web: Add new supported aws region (il-central-1) to selector + (#31840) + * Update Electron to 26.2.1 (#31802) (#31860) + * [v13] document OIDC connector 'max_age' field (#31887) + * Extend EC2 joining for `Okta`, `Discovery` and `MDM` services + (#31894) + * [v13] AWS OIDC - List RDS: add Subnet and VPC for aurora + clusters (#31879) + * [v13] Update e ref. (#31884) + * return an error when attempting to join a session of an OpenSSH + node (#31844) + * Add access list audit events. (#31443) (#31872) + * [v13] Use builtin auth checker for upsert app server. (#31782) + * [v13] Validate unknown AWS regions from discovery matchers + (#31830) + * Expose aggregating.ClearAlert() for use by e (#31848) + * athena: modify time range when query with keyset (#31864) + * [v13] AWS OIDC: Set up integration with a single command + (#31790) + * Wait for headless watcher to initialize in tests instead of + using a retry mechanism. (#30060) (#31851) + * [v13] docs: Rough draft of troubleshooting for apps (#31823) + * Update config.json (#31820) + * Update upcoming-releases.mdx (#31807) + * add device enroll and license limit event to prehog (#31779) + * Increase timeout on usage event check (#31785) + * [v13] Bump github.com/jackc/pgx/v5 to a real release (#31795) + * [v13] AWS OIDC - List SecurityGroups: add Inbound and Outbound + Rules (#31624) + * Validate desktop names (#31766) + * fix: device trust enroll current device command (#31757) + * Switch from `mozilla.org/pkcs7` to `digitorus/pkcs7` (#30704) + (#30717) + * Remove internal access list object members field in spec. 
+ (#31665) + * Make the WebAuthn error message a bit more explicit (#31632) + * [v13] Kubernetes External Joining: `static_jwks` implementation + (#30225) (#31703) + * Increase lock release timeout in RunWhileLocked (#31742) + * [v13] [buddy] docs: Machine ID with ansible, use + CanonicalDomain (#31734) + * [v13] pgbk: derive ID from revision (#31692) + * [v13] integrations/operator: Add pprof support (#31707) + * [v13] differentiate discovered resource names (#30456) + * Increase timeout on usage event assertions (#31726) + * [v13] [Docs] Update documentation for max duration feature in + access requests (#31680) + * Improve logging for the upload completer (#31571) + * [v13] Docs: Update terraform docs to 13.3.8 release (#31696) + * Deflake TestTeleportProcessAuthVersionCheck (#31710) + * Use the regions in teleport config instead of ENV for bootstrap + (#31701) + * Update the auto-discovery and discovery installers to support + SUSE (#31428) + * [v13] Upgrade Node.js to v18 (#31626) + * Fix incorrect autofill in safari (#31611) + * React to version updates faster (#31651) + * [v13] Update e ref. (#31639) + * Remove members from access list spec. (#31635) + * Make `TestIntegrations/ReconcileLabels` a unit test (#31124) + (#31594) + * Make internal changelog links relative (#31305) + * [v13] Edit the app access DynamoDB guide (#30781) + * [v13] helm: Optionally add publicAddr to cert-manager + certificate requests (#31603) + * Adds default Github API urls to SSO connector. (#31480) + * post-release: specify base branch for docs PR (#31499) (#31575) + * Make sure Teleport sessions use the user login state. 
(#31363) + (#31614) + * [v13] Deflake `TestIntegrations/Discovery` (#31595) + * fix terminal resizing (#31586) + * Fix typo in teleport-kube-agent Chart Reference (#31536) + * docs: minor updates to aws opensearch and azure sql server + guides (#31531) + * [v13] Ensures the canvas stays at a fixed size (#31524) + * Perform rate limiting on all user-initiated LLM calls in assist + (#31438) (#31567) + * Fix not being able to search for locks in table (#31581) + * docs: update docker image versions (#31562) + * [v13] Bump cloud version (#31551) + * remove margin on OIDC/SAML connectors (#31503) + * [v13] update ToolTipNoPermBadge component (#31488) + * Edit Server Access intro guide architecture info (#31493) + * [v13] Azure HA Teleport deployment guide (#31501) + * [v13] chore: Bump Go to v1.20.8 (#31506) + * [auto] docs: Update version to v13.3.8 (#31473) + * [v13] Update download links on support page (#31492) + * AWS OIDC - DeployService: add optional Security Groups (#31268) + * [v13] pgbk: partial backports #31358 #31426 (#31449) + * [v13] docs: use branch link instead of master (#31467) + * docs: include sudo for example commands (#31463) + * docs: Fix typo in JSON (#31452) + * [v13] docs: include ent cloud version for faq question on sso + (#31455) + +------------------------------------------------------------------- +Wed Sep 06 05:23:21 UTC 2023 - kastl@b1-systems.de + +- Update to version 13.3.8: + * Release 13.3.8 (#31442) + * Added 08/31 Update (#31301) + * desktop discovery: unmap IPv6 addresses (#31434) + * fix: Skip known bad asset tags on Windows (#31412) + * [v13] Update device trust docs (#31328) + * MySQL: avoid tiny writes to improve performance in read-heavy + scenarios (#31402) + * Periodically refresh Azure cloud credentials (#31164) + * Periodically refresh Azure cloud credentials (#31164) + * AWS OIDC - List EC2: add instance id as label (#31436) + * Update product change log link (#31424) + * Fix webauthnwin c types size (#31420) + * 
Preserve query params in cross-cluster app redirect. (#31379) + * [v13] AWS OIDC: List Security Groups (#31272) + * Update e (#31384) + * Remove note about canceled requests not being supported + (#31318) + * [v13] docs: describe dedicated account dashboard for ent + (#31336) + * Fix plugin screen not wrapping tiles (#31365) + * AWS OIDC EICE: fix connection set up (#31209) (#31362) + * Web: return user traits with getUser request (#31331) + * [v13] skip motd in UI if request initiated from tsh headless + auth (#31205) + * Recommend writing the client secret to a file (#30954) + * bump eref (#31308) + * [v13] docs: add prompt field definition for OIDC auth connector + (#31294) + * [v13] docs: update db getting started and mongodb atlas + (#31299) + * [docs] update TLS routing curl test with --no-alpn (#31239) + * [v13] [buddy] Add an optional PodMonitor to the + teleport-kube-agent chart (#31247) + * [v13] docs: update labels documentation (#31110) + * Fixed typo in error message for terminal params (#31288) + * Clarified default cryptographic primitives (#31263) + * Add known STS endpoint for il-central-1 (#31282) + * use active db cert principals when available (#31250) + * Fix the access list lockName in the backend service. (#31290) + * docs: use variables for proxy addresses in Kube access (#31241) + * post-release: pass GITHUB_TOKEN for gh CLI use (#31225) + (#31280) + * UsageEvents: add OpenSSH EC2 Instance Connect Endpoint Nodes + (#31266) + * AWS OIDC - List RDS: add VPC ID (#30971) (#31274) + * Move the `tsh` config file guidance (#30953) + * [v13] Refactor IsOwner/IsMember and use AccessListMember + object. (#31234) + * Allow configurable Okta service synchronization duration. + (#31251) + * [v13] Ensure access list data integrity. (#31233) + * docs: update version (#31221) + * [v13] AWS OIDC: Create EC2 Instance Connect Endpoint (#31198) + * Fix ui trace forwarding (#31223) + * [v13] tctl acl command uses separate member calls. 
(#31212) + * [v13] Remove dead KNNRetriever class (#31189) + * [v13] Fix flaky tests (#31163) + * Fix flaky tsh export test (#31167) + * [v13] Don't set additional groups on darwin (#31152) + +------------------------------------------------------------------- +Tue Sep 05 14:18:59 UTC 2023 - kastl@b1-systems.de + +- Update to version 13.3.7: + * Release 13.3.7 (#31172) + * Allow Azure/IAM join over reverse tunnel (#31000) + * [v13] wait for disconnect in tests (#31160) + * docs: include sudo for db configure create examples (#31049) + * docs: mention that the GitHub connector requires team slugs, + not display names (#31154) + * Use Amazon EICE to connect into EC2 instances (#30632) (#31021) + * add custom theme and logos (#30823) (#31149) + * Fix Oracle Windows Path Separator (#31129) + * fix unbackported breakpoints (#31151) + * Get accessInfo based on user on access request drop (#31136) + * Update headless modal to show both Reject and Cancel (#31135) + * Use 127.0.0.1:3080 as Vite default proxy target (#31148) + * add feature hiding license flag (#30083) (#30936) + * Respect `[HTTP(S)|NO]_PROXY` envs when dialing directly to Kube + via SPDY (#30624) (#31133) + * [v13] Dynamic identity file reloading support for API Client + (#31076) + * add OSS CTA for auth connectors (#30713) (#31083) + * docs: update version (#31064) + * docs: update cloud version (#31079) + * ci: Use "post-release" environment in update-docs post-release + workflow (#30937) + * Fix flaky test TestDatabaseRootLeafIdleTimeout (#31100) + * [v13] AWS OIDC: Add StateMessage and DashboardLink to List EICE + (#30949) + * [v13] oss CTAs for support, access reqs & moderated sessions + (#31030) + * docs: add page on revoking access (#30682) + * [v13] Fix leaking connection monitor instances. Expand comment + with a warning. (#31042) + * Web: Add calendar icon, export select style, and add type to + validation rule (#30817) (#31036) + * Add access list members to the cache. 
(#30837) (#30919) + +------------------------------------------------------------------- +Tue Sep 05 14:07:46 UTC 2023 - kastl@b1-systems.de + +- Update to version 13.3.6: + * Release 13.3.6 (#31031) + * Ensure that DNS errors in desktop discovery fail fast (#31032) + * [v13] docs: include example service account JSON in the Google + workspace guide (#30807) + * Remove exported webauthn test functions. (#31008) + * Improve proxy address sourcing for VM auto-discovery (#31001) + * Fetch metadata for heartbeat in background (#30999) + * Additional safety with `X-Forwarded-Host` handling (#30980) + (#31027) + * bump e (#31012) + * Fix flaky TestResizeTerminal (#30983) + * [v13] Reduce memory leakage in API client caused by `otelgrpc` + interceptors (#30991) + * [v13] AWS OIDC: Configure IAM for EC2 Instance Connect Endpoint + (#30948) + * Added PostgreSQL enablement to documentation (#31006) + * [v13] Use the most recent user object for the bot generation + label. (#30996) + * Issue certficate for desktop connection before actual + connection (#30963) + * [v13] helm: Use cert-manager secret or tls.existingSecretName + for ingress when enabled (#30984) + * docs: update version (#30959) + * Flesh out the Application Access intro (#30958) + * Add package manager Enterprise install steps (#30777) + * Add secure credentials for API client tests (#30518) (#30870) + * docs: update agent joining when to use (#30961) + * [v13] Remove ScopedBlocks from the docs (#30805) + * [v13] Metrics: expose install method counter (#30683) + * Add `DeleteClusterMaintenanceConfig` for terraform (#30667) + * reduce alert log spam (#30849) (#30904) + * Fix access list enterprise tests. (#30931) + * Expose AuthorizeContextWithVerbs. (#30917) + * [v13] Changes to Discord plugin for running in hosted mode. 
+ (#30826) + * [v13] Include consistent installation info (including Helm) + across Access Request plugin docs (#30449) + * Set cloud version to v13.3.4 (#30926) + * Update eks helm guide for AWS PCA (#30633) + * [v13] Include file option description in token, session-id + parameters (#30928) + * Emit event for auto-discovered VMs (#29285) (#30923) + * [v13] Add in the next audit date to access lists. (#30912) + * List EC2 instances: add subnet id field (#30692) (#30897) + * [v13] Add preset device trust roles (#30908) + * [v13] Machine ID: Support for JSON log formatting (#30763) + * [v13] Add FeatureRecommendationEvent to Prehog (#30875) + * add option to force re-authentication for OIDC connectors + (#30877) + * crdgen: handle OIDCConnectorSpecV3.MaxAge as a special case + (#30879) + +------------------------------------------------------------------- +Tue Sep 05 13:40:29 UTC 2023 - kastl@b1-systems.de + +- Update to version 13.3.5: + * Release 13.3.5 (#30832) + * [v13] Update access duration logic and tests for dry run + requests (#30885) + * [v13] Update the docs UI reference (#30857) + * docs: remove default designation in cloud proxies (#30868) + * Update e ref (#30848) + * Respect `[HTTP(S)|NO]_PROXY` envs when dialing directly to Kube + (#30583) (#30615) + * [v13] [buddy] 🐛 issue #30400 fixing missing billing_mode param + in teleport-cluster helm chart fo dynamodb autoscaling (#30841) + * [v13] Web: Remove all cap and bolding for LabelInput used with + inputs (#30845) + * AWS OIDC - DeployService: use debug log level for service + (#30606) + * fix (#30824) + * feat(helm/teleport-kube-agent): custom annotations in the + Secret (#30838) + * [v13] Embedded Assist SSH (#30811) + * ci: Pass secrets from post-release to update-ami-ids (#30754) + * Update e (#30814) + * Add in access list member backend and gRPC methods. 
(#30800) + * Add required title to access list resource (#30782) + * [v13] docs: updates to cloud api docs (#30801) + * Add a link to Teleport Labs in the landing page (#30482) + * fix typo in s3 completemultipartupload metric (#30710) + * Added Week of 08/17 Update (#30625) + * [v13] AWS OIDC: List EC2 Instance Connect Endpoints (#30752) + * Drop etcd from buildbox (#30700) (#30765) + * Generate user login state from access lists and integrate into + certificates. (#29364) (#30628) + * Add `--current-device` capabilities to `tsh` (#30636) (#30702) + * [v13] Enable limited Access Requests feature for the Team plan + (#29866) (#30570) + * [v13] Fixed an issue with `tsh aws ssm start-session` (#30668) + * Ensure the correct stderr is used for ssh sessions (#30684) + * [v13] Split up the CLI reference (#30371) + * [v13] docs: include openssh instrs for jetbrains setup (#30470) + * Correct DynamoDB table config instructions (#30675) + * Web: Add access_list rule to usercontext and access list + related icons (#30564) (#30658) + * Drop gcloud SDK from buildbox (#30640) (#30696) + * Drop custom gRPC chain functions (#30685) + * docs: update gitlab and azuread sso docs (#30680) + * [v13] Review Requests: prevent reviews after request is + resolved (#30690) + * Update docs version automatically (#30670) + * [v13] Add initial servicenow client (#30611) + * Deflake `TestNodeWatcher` tests (#30676) + * [v13] Add initial rough opsgenie docs (#30609) + +------------------------------------------------------------------- +Tue Sep 05 13:27:27 UTC 2023 - kastl@b1-systems.de + +- Update to version 13.3.4: + * Release 13.3.4 (#30666) + * Remove exported Webauthn functions (#30420) (#30650) + * [v13] Fix node equality check in embedding processor (#30325) + (#30608) + * Begin separating access list members from access list + resources. 
(#30627) + +------------------------------------------------------------------- +Tue Sep 05 13:16:56 UTC 2023 - kastl@b1-systems.de + +- Update to version 13.3.3: + * Teleport Release 13.3.3 (#30614) + * Add Teleport agent pod readiness checks to docs (#30362) + * Discovery service panics on GKE clusters without labels + (#30643) (#30647) + * Isolate MFA prompt into a new package (#30379) (#30599) + * Deflake discovery tests (#30474) (#30641) + * Make TestWebClientClosesIdleConnections more stable (#30637) + * [v13] Add user login state to the cache. (#30219) + * Add Teleport Connect to Headless docs. (#30594) + * [v13] Add `teleport_proxy_db_active_connections_total` gauge. + (#30604) + * Build version checker - multiple fixes (#30580) (#30595) + * [v13] bump e ref (#30613) + * [v13] [docs] TLS routing FAQs (#30610) + * events emitter: improve logging on failed emits (#30185) + * [v13] small change to tsh error messages (#30575) + * bump e (#30592) + * [v13] Add Teleport Connect to Headless docs (#30476) + * [v13] fix forwarding a SSH agent in a Cygwin environment + (#30582) + * [v13] fix `tsh db connect` and `tsh proxy db` with logged in + certs (#30563) + * update tsh db env/config ux (#30571) + * [v13] Partially backport: add metrics for database service + (#28150, #30121). 
(#30429) + * Work around go-ldap's lack of errors.Is support (#30560) + * update onboarding UI styles (#29917) (#30558) + * [v13] Re-add ServerInfo reconciler with better backend + performance (#30495) + * [v13] discover personalization (#30557) + * docs: correct double quotes in tctl devices add example + (#30559) + * Discover RDS: remove aurora engine (#30548) + * OneOff: add success message (#30540) + * [v13] Remove temporary type aliases from `lib/auth/webauthn` + (#30551) + * Teleport Connect headless approval - Skip Confirmation (#29875) + (#30475) + * [v13] Database Service to validate URL of database resources + from Discovery Service (#30462) + * Semver version validation (#30538) + * pam: free conversation buffer on error (#30521) + * [v13] [Docs] Teleport Team getting started, Fix comparison + pointer to Teleport Enterprise/Enterprise Cloud (#30430) + * [v13] docs: hsm minor corrections (#30506) + * [v13] Update e ref. (#30502) + * [v13] Remove `lib/auth/webauthn` dependency from `webauthncli` + (#30498) + * Fix PIV support for tsh proxy kube and Teleport connect + (#30205) (#30477) + * docs: update faq for proxy recording mode support (#30491) + * Refactor AWS db mocks (#30086) (#30461) + * Redirect directly to Okta apps from proxy. (#30489) + * chore: Bump golangci-lint to v1.54.1 (#30435) (#30483) + * [v13] Update 11 eol date (#30467) + * Fix SAML certificate decoding when data is padded (#30450) + * Improve LDAP desktop discovery (#30383) + * fix: Explicitly mention OTPs on tsh/Windows logins (#30444) + * integrations/access: Make the plugins exit when the connection + breaks instead of retrying infinetly and hanging (#30039) + (#30431) + * [v13] Fixed "user is not managed" error when accessing + ElastiCache and MemoryDB (#30353) + * [v13] Adjust indentation in Assist YAML conf reference (#29195) + (#30375) + * [v13] Adds Discord settings to API types. 
(#30316) + * [v13] chore: Bump Buf to v1.26.1 (#30329) + * Error if users attempt to do `tsh login --headless` (#30298) + (#30307) + * Mention Discord and ServiceNow integrations on previews page + (#30373) + * [v13] Document `jwt_claims` app rewrite option (#30366) + * Version ID check on Amazon Linux2023/rhel installs (#30310) + * Set network restrictions static fields upon update (#30324) + * AgentMetadataEvent: add AWS OIDC Deploy Service install method + (#30328) + * [v13] Add device authentication event to prehog (#30303) + * Fix AccessDenied not recognized for MemoryDB/RSSL API calls + (#30286) + * [v13] EC2 Instance Connect Endpoint: List EC2 Instances + (#30258) + * [v13] Add option to configure JWT claim rewriting (#30280) + * Added 08/10 Upcoming Releases Update (#30283) + * changelog: Update distroless debug image name (#30305) + * Fix resources being deleted from Firestore on update (#30287) + * Fix desktop access connecting to direct dial nodes (#30275) + * chore: Bump gci to v0.11.0 (#30228) (#30261) + * chore: Bump golangci-lint to v1.54.0 (#30222) (#30265) + * [v13] Adjust max session duration in web sessions (#30153) + * Fix matcher AssumeRoleARN not appied to + DiscoveryResourceChecker (#30260) + * docs: update version (#30257) + * [v13] Add a quick note about AWS and FIPS (#30240) + * Support auditing chunked SQL Server packets (#29228) (#30243) + * integrations/access: fix infinite retry on already resolved + requests (#30231) + * Add in the access list tctl command. (#30238) + * chore: Bump golang.org/x/net to v0.14.0 (#30234) + * [v13] docs: use a consistent intro in the DB guides (#30204) + * Promote EKS and AKS discovery to GA (#30209) + * [v13] refactor label string formatting (#30223) + * [v13] Allow host users to be created with a specific UID or GID + (#30178) + * Add in paginated access list endpoint. 
(#30132) + * [v13] Use distinct prompts during Windows WebAuthn registration + (#30215) + * [v13] [Docs] Fix the table of contents and edit content + (#30067) + +------------------------------------------------------------------- +Tue Sep 05 11:30:56 UTC 2023 - kastl@b1-systems.de + +- Update to version 13.3.2: + * Release 13.3.2 (#30192) + * Revert "Add discovery-side label reconciler" (#30198) + * [v13] integrations/operator: Fix a bug that caused + ProvisionToken.spec.github.allow rules to be ignored (#30179) + * Add the `hcl` label to Terraform snippets (#30147) + * EC2 Instance Connect Endpoint: HTTP endpoint to create Nodes + (#29370) (#30189) + * Backported OS repo publishing changes to v13 (#30154) + * [v13] Tests: run `lib/integration` and `lib/auth/integration` + (#30173) + * fix: Save device keys on os.UserCacheDir (#30177) + * [v13] Add initial auto approval flow for opsgenie plugin + (#30161) + * [v13] Improve "tsh kube login" message for proxy behind l7 lb + (#30174) + * docs: update version (#30162) + * AWS configurator support for OpenSearch (#30085) + * Refactor database `DiscoveryResourceChecker` (#30056) + * Add support for templating to kube's `--set-context-override` + (#30157) + * [v13] dronegen: Build Teleport Connect for amd64 push build + (#30021) + * [v13] Bumps `e` version to include hosted Jira integration + (#30117) + * [Docs] Add the max-duration role option to documentation + (#30148) + * [v13] [buddy] Allow setting storage class name for auth + component (#30145) + * Add imagePullSecrets to predeploy tests (#30142) + * Ensure Helm deployment guides match the sidebar (#30007) + * Use test server context to ensure headless watcher is closed + once the test completes. 
(#30138) + * Add docs for the new Slack helm chart values (#30130) + * List supported URI schemas in the audit error messages (#30080) + * Stablize backend test suite (#30074) + * [v13] Changes to the Jira plugin required to run as a hosted + integration (#30040) + * [v13] Add GCP auto-discovery docs (#30052) + * update e-ref (#30069) + * Backport #29757 to branch/v13 (#30015) + * [v13] docs: document browser env var for tsh (#30057) + * [v13] Improve backend `testKeepAlive` (#30053) + * [v13] Stop piping child process output into logger only after + close (#30025) + * chore: Bump Buf to v1.25.1 (#30046) + * bump e (#30045) + * [v13] Fix authorization rules to the Assistant and + UserPreferences service (#29961) + * add oss support for existing user onboard survey (#29535) + (#29983) + * [v13] Add Kubernetes Access FAQ and Troubleshooting docs + (#29857) + * Drop subtests from `addOneOfEachMFADevice` helper (#30036) + * [v13] Tighten discovery service permissions (#29994) + +------------------------------------------------------------------- +Fri Aug 04 06:29:52 UTC 2023 - kastl@b1-systems.de + +- Update to version 13.3.1: + * Release 13.3.1 (#30016) + * Update e (#30012) + * [v13] [Mattermost] Lax requiring recipients and set raw + recipients on cfg init (#30009) + * Fix `tool.tsh.common.TestKube/list_kube` flaky test (#29998) + * Added Prometheus metric for created access requests (#29761) + (#29991) + * Fix rough edges with usage script (#29982) + * Add Prometheus metrics to Kubernetes Access (#29363) (#29970) + * pgbk: ensure TOASTed values in the change feed (#29975) + * [v13] WebDiscover: Enable auto deploy and skip IAM policy + screen on condition (#29978) + * [v13] WebDiscover: Partially implement auto deploy database + server view (#28629) + * Hardware Key Support docs - additional troubleshooting info + (#29147) (#29956) + * Use enum to describe `IAMPolicyStatus` instead of a bool + (#29721) (#29951) + * [v13] ci: Fix post-release calling update-ami-ids 
(#29886) + * [v13] Add Kubernetes/Helm instructions to the RDS guide + (#29920) + * terraform-agent-pool: Fix token provisioning and add expiry + (#29943) + * fix: Bump libcrypto version in pkgconfig files (#29947) + * [v13] Add Headless Polling to Teleport Connect (#28975) + * [v13] docs: add client tools download section (#29891) + * propagate tctl verbose flag (#29870) + * docs: update version (#29884) + * [v13] Postgres and Azure Blob Storage backend docs (#29912) + * Add support for deleting proxy resources to tctl (#29903) + * chore: Bump openssl to 3.0.10 (#29876) (#29908) + * [v13] chore: Bump Go to 1.20.7 (#29904) + * web: Ignore .swc directory when computing web SHA (#29897) + * Postgres: reduce logging level for individual messages. + (#29847) + * [v13] Add docs on how to impersonate Kubernetes ServiceAccounts + (#29868) + * lib/teleterm TestStart: Increase timeout, improve error + handling (#29852) + +------------------------------------------------------------------- +Wed Aug 02 07:11:14 UTC 2023 - kastl@b1-systems.de + +- Update to version 13.3.0: + * Release 13.3.0 (#29796) + * ALPN upgrade with custom X-Teleport-Upgrade header (#29683) + (#29829) + * [v13] Link to example Login Rules from Login Rules guide + (#29802) + * [v13] Vendors Discord plugin source into Teleport (#29841) + * refactor(services): skip ad validation for rds proxy mssql + (#29233) + * fix race condition where a headless watcher subscriber would + overwrite a more recent update. (#29617) (#29838) + * [v13] Explain how to start new services on an agent (#29653) + * docs: include gke in Kube Discovery config list (#29758) + * [v13] fix tsh db connect with active mysql cert (#29826) + * [v13] Fix tsh db login exact db name (#29825) + * bump e ref (#29821) + * [v13] docs: simplify Terraform sections and convert to steps. 
+ (#29714) + * Update e (#29817) + * add backwards compatibility for listing apps (#29816) + * display survey for existing users (#29378) (#29713) + * assist: add classification code and emit even on execution + (#28492) (#29811) + * [v13] Long living approval (#29754) + * assist: Refactor token counting (#29753) + * Fix data race in TestAuth_RegisterUsingToken (#29756) + * [v13] update e ref (#29747) + * [v13][tctl] Adds option to write tarred `tctl auth sign` output + to stdout (#29666) + * docs: document strings.split for Login Rules (#29748) + * use correct session recording mode in session start and end + events (#29584) (#29689) + * docs: update version (#29723) + * helm: add azure support (#29734) + * [v13] Add shield alert icon (#29570) + * Bump Helm version in the buildbox (#29739) + * docs: Content fixes regarding SOC 2 (#29740) + * [v13] Fix Kubernetes Legacy Proxy heartbeats (#29738) + * Add GCP VM auto-discovery (#28562) (#29612) + * Hold Auth init lock for the duration of initialization (#29706) + * update e ref (#29719) + * [v13] docs: include mfa session option for ssh access control + (#29602) + * [v13] Postgres backend and Azure session storage backport + (#29705) + * Fix `create_host_user_mode` role reference (#29707) + * [v13] [Docs] Test and edit How to contribute to documentation + topic (#29642) + * bump docs to 13.2.3 (#29691) + * Update SQL Server guides to mention `sqlcmd` as default CLI + (#29543) (#29644) + * Added 07/27 Upcoming Releases Update (#29696) + * chore: Bump Buf to v1.25.0 (#29701) + * Fix MachineID not working behind L7 LB (#29692) (#29700) + * fix: Drop custom OS checking in device authn (#29629) + * Attempt to deflake TestLockInForce (#29681) + +------------------------------------------------------------------- +Thu Jul 27 06:27:58 UTC 2023 - kastl@b1-systems.de + +- Update to version 13.2.5: + * Release 13.2.5 (#29668) + * [docs] Fixes ACM helm example (#29573) + 
+------------------------------------------------------------------- +Thu Jul 27 04:42:16 UTC 2023 - kastl@b1-systems.de + +- Update to version 13.2.4: + * Release 13.2.4 (#29663) + * [v13] Add support for Amazon Linux 2023 to installer script and + Discover UI (#29654) + * fix (#29577) + * Clarify auto upgrades docs (#29211) (#29507) + * [v13] Add device owner and trusted device IDs to protos + (#29639) + * [v13] Allow creating a admin `ClusterRoleBinding` (#29559) + * Update Operator CRDs and add a Lint check to prevent drifts + (#29554) + * Fix NPD when the table status has an unspecified billing mode + (#29634) + * Update e (#29637) + * [v13] Port and refactor Mattermost from teleport-plugins + (#28989) (#29549) + * Remove upgrade suggestion alerts (#29631) + * Speed up Auth initialization (#29257) (#29571) + * Add CLI options for OpenSearch autodiscovery config. (#28147) + * [v13] feat: Login Rule support for email.local and + regexp.replace (#29611) + * [v13] Vendors in `jira` access plugin source (#29548) + * Athena: Support maxUniqueDaysInSingleBatch (#29604) + * Switch to upstream x/crypto (#28929) (#29601) + * Add --silent flag to teleport node configure command (#29587) + * feat(tctl): make `--type` parameter required for `auth crl` + command (#29591) + * [v13] etcd client pool (#29586) + * [v13] Describe using dynamic resources for DB Service HA + (#29542) + * [v13] update tsh db resource selection (#29163) + * [v13] Changes to ordered and unordered lists for lint warnings + (#29265) + * [v13] Docs: Update OIDC SSO Guide (#29408) + * [v13] Displays warning when SSO is used and username specified + (#29504) + * docs: update chart v12 migration to remove footgun (#29564) + * Defer setting up enhanced recording until after PAM has + completed (#29578) + * [v13] Document DynamoDB backend billing_mode option (#29359) + * adds public web addresses to self-signed cert (#29568) + * Add api ver to path in opsgenie client (#29553) + * docs: version update 
(#29492) + * Fix GCP joining for Machine ID in v13 (#29563) + * [v13] Athena: accept events without timestamp (#29383) + * athena: support dynamo keyset for migration (#29452) + * Display friendlier errors when an invalid login is provided + (#29273) (#29473) + * feat: support resource requests via tctl + * [v13] Docs: Jamf Pro (#29534) + * bump e on v13 (#29537) + * docs: minor updates for setting up TLS on Windows Server 2012R2 + (#29327) + * Fix a panic in the S3 uploader (#29470) + * [v13] Introduce the `UpdateAndSwapUser` function (#29477) + * web: clean up auth connector page (#29404) + * [v13] Add billing_mode option to the DynamoDB backend so + pay_per_request or provisioned billing can be configured + (#29351) + * [v13] Change how we cache the keys in backend.Reporter (#29330) + * [v13] `GenerateToken` should call `CreateToken` not + `UpsertToken` (#29391) + * Remove dependency of etcd from tctl (#29377) (#29394) + * EC2 Instance Connect Endpoint: add aws metadata to Nodes + (#29316) (#29407) + * [v13] add onboarding survey (#29397) + * Update e (#29400) + * Filter out cluster ID in Connect logs (#29387) + * [v13] Use the examples directory for example plugin code + (#29152) + * Remove gateways on logout (#29388) + * [v13] fix database dynamic labels (#29373) + * tctl: fix error reporting when server is down (#29322) + * Add Connect ads to tsh login and tsh proxy db (#29302) + * [v13] Moves tsh login browser parameter as env var (#29287) + * add saml apps to webui apps list (#28041) (#29371) + * Add in user login state. 
(#29365) + * Add GCP instances client (#28561) (#29333) + * Add discovery-side label reconciler (#27476) (#29334) + * [v13] tctl users add: Point towards `users update` on + AlreadyExists err (#29343) + * Make prettier a dev dep of root package.json (#29355) + +------------------------------------------------------------------- +Thu Jul 20 05:47:54 UTC 2023 - kastl@b1-systems.de + +- Update to version 13.2.3: + * Release 13.2.3 (#29308) + * v13: dronegen: Switch linux-based push builds to GitHub + (#29297) + * [v13] Fix nil user group entries. (#29326) + * [v13] update discovery labels (#29269) + * Remove access list gRPC service from OSS, introduce + owner/member checks. (#29289) + * [v13] ALPN handshake test to account "unadvertised ALPN" error + (#29312) + * Upsert ServerInfos from discovery service (#27475) (#29277) + * [v13] Restores default API endpoint for PagerDuty plugin + (#29295) + * [v13] Record os_build_supplemental in the DeviceProfile + (#29263) + * v13: [ci] Change macOS GHA runner to `macos-latest-xl-arm64` + (#29282) + * [v13] Docs: clarify the value of 'host' key where needed + (#28800) + * [v13] Add an audit event for creating provisioning tokens + (#29105) + * Fix proxy protocol support for Kube access flow (#29268) + (#29274) + * AWS DBs Heartbeat: return IAM status (#28952) (#29196) + * Add the AccessList to the cache. (#29270) + * update config reference docs (#29236) + * [v13] Introduce AccessList gRPC service and calls. (#29255) + * [v13] Add ServerInfo and label API (#29237) + * docs: update github sso instructions for self-hosted to use new + parameters (#29258) + * Clean up access list protos, add in conversion functions tests. + (#29254) + * Access list backend service and marshal/unmarshal. (#29253) + * [v13] Introduce Access List internal object. (#29252) + * Fix reference to azure identity in GCP app (#29209) + * Introduce the Access List object. 
(#29251) + * add semicolon (#29154) + * docs: update version (#29217) + * Define the GetDevicesUsage RPC (#29089) (#29227) + * Fix certbot installation in AMI (#29103) + * upgrader monitoring and alerts (#28951) (#29206) + * [v13] Document --port and --login in `tsh config` (#29199) + * [v13] Allow custom enroll token expiration time (#29213) + * [v13] provide warning on tsh sso login with Teleport user + specified (#29221) + * [v13] Fix lint warning, make these unordered lists (#29160) + * Support non-gogo objects for auth service events. (#29207) + * Add ServerInfo type (#25281) (#29162) + * [v13] Clarify API GetDatabases vs GetDatabaseServers (#29136) + * [v13] Add assist fields to configuration reference (#29110) + +------------------------------------------------------------------- +Mon Jul 17 05:32:22 UTC 2023 - kastl@b1-systems.de + +- Update to version 13.2.2: + * Release 13.2.2 (#29161) + * [v13] Allow login and port to be specified when using `tsh + config` to generate openssh configs (#29113) + * fix mutualtls textarea (#29091) + * Reduce embedding period to 20 minutes (#29153) + * Edit forScopes configurations and edit guides (#28742) + * [v13] assist: support recording non-interactive forwarded + sessions (#29137) + * [v13] Docs: Refresh Azure AD SSO Guide (#29138) + * upload completer: suppress stack trace for access denied errors + (#29078) + * [v13] tsh recordings export session-id desc update (#29128) + * [v13] [docs] add proxy_service.trust_x_forwarded_for option + (#29117) + * [v13] [doc] database labels reference (#29118) + * [v13] Allow relative file URIs to `sqlite` (#29130) + * [v13] v13.2.2 Assist backports (#29125) + * Extend DatabaseSessionStart posthog event (#28931) (#29106) + * [v13] resolveNetworkAddress: Listen for `close` instead of + `exit`; Fix FailedApp theme (#29108) + * [v13] [Assist] UI tweaks (#29067) + * docs: version update (#29096) + * Remove session condition from Firestore events query (#29114) + * [v13] Allow configuring 
number of parallel execution workers + (#29061) + * chore: Bump Buf to v1.24.0 (#29120) + * tsh play error handling (#29077) + * Minor clarifications in the Azure AD guide (#28802) + * [v13] helm: Add ingress support (#29084) + * [v13] Encode URI for `sqlite` properly (#29099) + * DeployService IAM Configure: unescape arguments (#29044) + * Log the value of EventsBufferSize instead of the pointer + address (#29082) + * Added 07/13 Upcoming Releases Update (#29064) + * [v13] chore: Bump Go to 1.20.6 (#29073) + * [v13] fix: suppress search events (#29063) + * [v13] update database and kube name validation (#29035) + * [v13] Add more details about specifying a CA pin (#28886) + * [v13] assist: fix flaky assist test (#29051) + * Correct the clock passed to `dynamicCredsConfig` (#29058) + * Document backend_write_requests_total (#28980) + * [v13] DeployService: use teleport-ent image for ent clusters + (#29045) + * docs: proxy peering out of preview (#29037) + * Add usage-based feature values for Device Trust (#28919) + (#28964) + * [v13] Add an option to bootstrap database service to `teleport + discovery boostrap` (#29002) + * [v13] [Assist] Only parse messages from Assist as markdown + (#28911) + * [v13] Deduplicate resources for `tsh request search` when + `replicas>1` (#28889) + * [v13] Update `e` ref to enable PagerDuty plugin (#28986) + * [v13] Add `ProxyGroup` support to reverse tunnels (#28930) + * Docs: Update/Refresh OneLogin SSO guide (#28444) (#28768) + * Add test that verifies sessions are unaffected by Auth restarts + (#29000) + +------------------------------------------------------------------- +Thu Jul 13 04:57:33 UTC 2023 - kastl@b1-systems.de + +- Update to version 13.2.1: + * Release 13.2.1. (#29021) + * [v13] Dont allow cloud tenants to update certain cluster networking config fields (#28992) + * Ignore SIGQUIT in exec sessions. 
(#29020) + * fix operator crashing on first startup (#29013) + * Fix Azure join for identities across resource groups (#28961) + * remove alert maximums (#28967) (#28983) + * [v13] Mention agentless in the OpenSSH guide for better SEO + (#28923) + * Set lower temperature to ChatGPT calls (#28959) + * Install Script: don't enable Automatic Upgrades for non-systemd + systems. (#28987) + * tctl alerts ack: Make --reason optional (#28955) + * Fix listing servers when creating a new lock via webui (#28963) + * desktop access: clean up error handling (#28974) + * [v13] [Docs] Add missing 'resources' config field to + application service docs (#28971) + * [v13] include endpoint_url parameter for tctl sso configure + github (#28968) + * [v13] docs: openssh updates (#28726) + * docs: update version (#28933) + * supports newline and whitespace in motd: (#28937) + * feat(dbcmd): add `sqlcmd` support (#28944) + * Remove preview from several features (#28924) (#28928) + * Fix ssh env var parsing by checking after cf.AuthConnector is + guaranteed to be set. 
(#28922) + * Update tough-cookie and @grpc/grpc-js (#28914) + * [v13] add Athena URL parameter to configure AWS region (#28912) + * tctl alert ls: Always show alert ID (#28906) + * [v13] Backports PagerDuty hosted plugin (#28883) + * chore: Bump Buf to v1.23.1 (#28894) + * [v13] docs: Add clarification on event types in enhanced + recording mode (#28893) + * [v13] DeployService: auto upsert IAM Join Token (#28799) + * DeployService: use correct version when auto-upgrades are + enabled (#28874) + * Machine ID: Add guides to the Enroll Integration page (#28646) + (#28888) + * Add IDToken attributes to GCP join audit event (#28673) + (#28882) + * docs: use -o file instead of sudo tee (#28771) + * teleport-connect.mdx: Fix typo (you with -> you wish) (#28875) + * rework instance hbs to be more scalable and to track upgraders + (#27895) (#28847) + * Support specifying `assume_role_arn` for Kube cluster matchers + (#28282) (#28832) + * Minor wording change (#28778) + * Add redirects introduced by docs reorganization (#28822) + * Update keep_alive comments auth-service.yaml (#28820) + * typo correction (#28827) + * [v13] Fix theme not loading on first login & overflowing + command result summary (#28770) + * docs: bump cloud to 13.2.0 (#28788) + * removed cloud warning (#28815) + * Fix `tsh kube credentials` lock when no-login is required + (#28811) + * Edit playbook user in the Ansible guide (#28791) + * Use more restrictive S3 object permissions (#28765) + * Change signup links to mention Teleport Team (#28680) + * Fix Okta docs that mentioned "Application Service" (#28792) + * [v13] Fixed CPIO digest mismatch on RHEL 8 (#28794) + * Added 07/03 Upcoming Releases Update (#28796) + * Increased the gh-trigger-workflow polling period (#28783) + * [v13] update attributes to roles (#28695) + * [v13] document create_host_users_mode (#28639) + * Add t.Parallel() to several tsh tests (#28613) + * [v13] Update assist docs (#28732) + * [v13] Firestore backend improvements (#28737) 
+ * [v13] Machine ID: GCP Delegated Joining support (#28762) + * add docs for idp-initiated sso for grafana (#28645) + * Document Jamf `exit_on_sync` toggle (#28394) (#28415) + * Support GCP joining when `google` claim is not present (#28759) + * Document Jamf service and auto-enroll (#28167) (#28393) + * [v13] Docs: Update GitLab SSO docs (#28693) + * specify enterprise in commercial prereq cloud tab... (#28524) + * [v13] Connect: Add docs for theme (#28407) + * docs: edits to the headless webauthn guide (#28733) + * docs: correct docker installation table (#28652) + * [v13] User groups in access requests will expand list of + applications. (#28603) + +------------------------------------------------------------------- +Thu Jul 06 07:24:27 UTC 2023 - kastl@b1-systems.de + +- Update to version 13.2.0: + * Release 13.2.0 (#28696) + * Fix Machine ID guide index and adjust FAQ (#28700) + * Rename `database_labels` to `db_labels` (#28687) + * update eref (#28699) + * Update agentless mode description (#28682) + * Update `e` reference (#28684) + * improve startup with empty db or discovery config (#28622) + * `tsh db connect` should prefer mongosh (#28668) + * Script to configure IAM for the DeployService (#28436) (#28643) + * [v13] lib/teleterm: Remove misleading error log after + LocalAgent.GetKey (#28664) + * [v13] Move database validation to gRPC methods (#28638) + * Teleport Proxy Behind ALB support for IP Pinning (#26623) + (#28466) + * Add option to allow for host users not to be deleted (#28432) + * [v13] Update e ref. 
(#28615) + * [v13] Add custom component prop type for react-select (#28617) + * [v13] Web: Improve no access message and remove hard coded + color (#28550) + * [v13] Backport Assist related changes (#28480) + * Improve copy on the integrations page (#28611) + * [v13] Web related tweaks for access request user groups + (#28545) + * backport jamf default checks to branch/v13 (#28558) + * Update `e` (#28605) + * AWS OIDC - DeployService: configure IAM (#28088) (#28597) + * dynamodbbk: don't delete non-expired items on Get (#28600) + * [v13] Add light & dark themes to YAML editor (#28517) + * Change copy "Go To Dashboard" for "Go To Cluster" on new + account screen (#28434) (#28520) + * athena audit logs - add migration script (#28182) + * Disable disk-based logger for web tests (#28557) + * [v13] integrations/operator: Try to delete bot role (#28543) + * [v13] fix: Use correct sync defaults and validation (#28553) + * Fix header levels in the authorization docs page (#28495) + * Fix the username on self-hosted DB doc pages (#28521) + * clarify source of user cert TTL (#28534) + * remove sentence fragment and link (#28483) + * Added 06/29 Upcoming Releases Update (#28478) + * update device trust guide (#28365) (#28523) + * Add unauthenticated rate limiter constants (#28538) + * Promote IAC docs for agents and dynamic resources (#28526) + * docs: replace "Golang" with "Go" (#28171) + * [v13] Docs: Document that root clusters can't populate OS users + from leaves. 
(#28531) + * [v13] Discover: Add deployed method field to deploy service + event (#28507) + * [v13] Web terminal themes (light & dark) (#28408) + * Add omitempty to new ResourceMatcherAWS block for best + backwards compat (#28419) + * Emit default role `editor` changes (#28209) (#28481) + * docs: fix upcoming release descriptions (#28504) + * adding name to docker run command (#28502) + * [v13] Add security notes to the session recording guide + (#28462) + * Describe subject flags in Event Handler guides (#28431) + * [v13] Fix moderated session presence checking (#28456) + * Remove most t.Log() from tests (#28471) + * [v13] Docs: Update Google Workspace SSO Guide (#28475) + * docs: bump cloud to 13.1.5 (#28404) (#28450) + * Update tsh scp command description to match ssh node commands + (#28467) + * Replace xitongsys/parquet-go with segment-io lib (#28472) + * use teleport.sh instead of dashboard.goteleport.com for license + retrieval (#28426) + * [v13] Drain database connections on graceful shutdown (#28369) + * [v13] Expand Docker installation instructions (#28447) + * Machine ID: Add support for BotJoin analytics event (#28293) + (#28425) + * Clarify the disablesse S3 backend setting (#28401) + * copy edits (#28423) + * Hide wait subcommands (#28416) + * athena audit logs - use sqs attribute as oldest metric (#28274) + * chore: Bump Buf to v1.22.0 (#28381) + * [v13] k8s operator supports Okta import rules. 
(#28377)
+ * [v13] Machine ID: Add usage event for bot creation (#28366)
+ * Update `e` (#28406)
+ * [v13] Connect: Light theme (#28277)
+ * Teleport One Off Script (#27852) (#28347)
+ * [v13] Remove absolute goteleport.com/docs links (#28395)
+ * [v13] Add a note on the `admin` database permission requirement
+ for MongoDB (#28362)
+ * docs: update version (#28389)
+ * [v13] Add username to headless authentication backend key
+ (#28380)
+ * [v13] docs: backports (#28331)
+ * update installation video (#28370)
+ * Add opsgenie static credentials check and test (#27655)
+ (#28326)
+ * [v13] Restore resource requests guide with an admonition.
+ (#28348)
+
+-------------------------------------------------------------------
+Wed Jun 28 06:13:22 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 13.1.5:
+ * Release 13.1.5 (#28364)
+ * [v13] Clarify permissions for Okta API tokens. (#28294)
+ * [v13] Fix TestSQSMessagesCollectorErrorsOnReceive flakiness
+ (#28184)
+ * [v13] Allow setting max_session_ttl from clusterauth
+ preferences (#28130)
+
+-------------------------------------------------------------------
+Tue Jun 27 05:01:42 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 13.1.4:
+ * Release 13.1.4 (#28327)
+ * Fix audit log report of `kubernetes_users` and
+ `kubernetes_groups` (#28323)
+ * Docs: Update recommended role (#28278)
+ * Reduce debug log spam for TeleportReady events (#28319)
+ * Use the long-form --config flag in shell example (#28299)
+ * Pass teleport-reversetunnelv2 for auth connections (#28316)
+ * Returned Vars to the code output (#28225)
+ * only apply stripe csp for team/usage users (#28198) (#28308)
+ * docs: include desktops for cloud faq reverse tunnel (#28305)
+ * Respect client idle timeout setting (#28202)
+ * Don't add keys to agent during headless login. (#28236)
+ * [v13] Preserve applications original URL's query (#28218)
+ * Converts the default Content-Security-Policy representation to
+ a map (#27182) (#28307)
+ * [v13] Add associated applications and user groups to UI
+ objects. (#28303)
+ * Move "Device Trust" to a top-level docs item (#28108) (#28199)
+ * Improve the upload completer logs (#28211)
+ * [v13] Use supplied tarball when building AMIs (#28128)
+ * [v13] docs: default https ports for tsh login (#28288)
+ * Always collect `deny` arm of `kubernetes_resources` (#28285)
+ * Support `assume_role_arn` for database dynamic resources
+ (#28039) (#28210)
+ * [v13] Windows Device Trust documentation (#28050)
+
+-------------------------------------------------------------------
+Mon Jun 26 06:58:12 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 13.1.3:
+ * Release 13.1.3 (#28243)
+ * [v13] bump e-ref (#28241)
+ * log why the TeleportReady event is not being emitted (#28239)
+ * Warn about clamshell-related touch ID unavailability (#28214)
+ * Added 06/22 Upcoming Releases (#28155)
+ * [v13] Edit the server access Getting Started guide (#28172)
+ * [v13] InstallScripts: pin teleport version using ServerVersion
+ (#28149) (#28208)
+ * [v13] update helm docs (#28068)
+ * [v13] Specify how host user creation invokes `useradd` (#28194)
+ * Bump 'e' ref (#28206)
+ * docs: fix kubernetes guide (#28164)
+ * docs: remove note about supporting any platform supporting Go
+ (#28178)
+ * [v13] Update teleport cloud faq.mdx (#28174)
+ * [v13] Add Opsgenie plugin (#28098)
+ * [v13] permission-warning.mdx: Advise NOT TO give access,editor
+ to users (#28132)
+ * [v13] docs: update macos tsh install instructions (#28135)
+ * [v13] Use the one-liner in install-linux.mdx (#27907)
+ * docs: Fix syntax error (#28142)
+ * bump docs to 13.1.1 (#28153)
+ * feat: add support for label expressions to k8s operator
+ (#28156)
+ * Correct the backend_requests metric help text (#28107)
+ * [v13] feat: adds motd to the ui (#27922)
+ * [branch/v13] Bumped `e` ref (#28144)
+ * Remove deprecated/unused device trust protos (#27975) (#28075)
+ * [v13] Integrate AMI buids into drone (#27354) (#28127)
+
+-------------------------------------------------------------------
+Thu Jun 22 05:14:09 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 13.1.2:
+ * Release 13.1.2 (#28124)
+ * [v13] update message on empty tsh ls results (#28120)
+ * Add skip-confirm flag for headless approval. (#27823) (#27864)
+ * bump e (#28101)
+ * Fix invalid command example. (#28018)
+ * AWS OIDC Integration: Deploy DB Service in a single click
+ (#27035) (#28051)
+ * fix: Ignore staticcheck false positive on darwin (#28042)
+ * Update ssh-approval-slack.mdx (#28081)
+ * Add reviewer and requester roles. (#28076)
+ * [v13] Okta service docs only show in enterprise and cloud.
+ (#28069)
+ * [v13] Docs: Update Okta SSO Guide (#27950)
+ * docs: mention required scope for GitHub app (#27910)
+ * Provide client login IP when SSO initiated in a browser.
+ (#27896)
+ * [v13] Update e ref. (#28060)
+ * Add mapping between user groups and applications. (#27962)
+ * [v13] Add a delete confirmation step to SyncInventory (#27961)
+ * Add HasPluginType to plugins interface. (#28052)
+ * update eref (#28044)
+ * [v13] Fix `Assist` import so it does not break storybook
+ (#28047)
+ * [v13] Connect: Fix overlapping placeholder and keyboard
+ shortcut in the search bar (#28048)
+ * Reorder resource filters in the search bar (#28034)
+ * [v13] Update Electron to 25.1 and TypeScript to 5.1 (#28027)
+ * [v13] Fix `tsh` relogin on not found errors (#27974)
+ * add saml wizard to ui (#27949)
+ * [v13] Update e ref. (#28036)
+ * docs: include tsh install in connect your client tsh page
+ (#27971)
+ * [v13] Gracefully handle errors in Assist frontend (#27669)
+ (#27935)
+ * OpenSearch AWS autodiscovery (#27537) (#27942)
+ * [v13] helm: Use local auth server address in auth pod to
+ prevent extra connections (#27980)
+ * [v13] Vendors the `pagerduty` plugin source into `teleport`
+ (#27612)
+ * [v13] helm: add hostAliases support (#27880)
+ * [v13] docs: update cloud downloads (#27963)
+ * Make Teleport config instructions easier to follow (#27968)
+ * Add a diagram to the Linux Server guide (#27808)
+ * Temporarily ignore Device Trust deprecation warnings (#27969)
+ * Ensure SSH_SESSION_WEBPROXY_ADDR is set for all sessions
+ (#27865)
+ * Add more accurate info to cloud download page re: `tbot`
+ (#27946)
+ * [v13] Device Trust: `tsh` privilege elevation for TPM
+ enrollment (#27959)
+ * [v13] Fixes the "Run as different user" window freezing
+ (#27874)
+ * design updates for team gated features (#27756) (#27897)
+ * [v13] Make use of keepAliveInterval in terminal handler
+ (#27914)
+ * [v13] CHANGELOG spelling fixes (#27955)
+ * [v13] Add Machine ID tip when `tctl auth sign` is used (#27928)
+ * chore: Bump golangci-lint to v1.53.3 (#27898) (#27911)
+ * [v13] MongoDB Atlas IAM authentication docs (#27493)
+ * Added 06/15 Upcoming Releases Update (#27901)
+ * docs: update version (#27917)
+ * [v13] Docs: Update ADFS SSO guide (#27891)
+ * [v13] Pass context through `UpsertAuthServer` (#27887)
+ * [v13] [Assist] New UI & rewrite (#27791)
+ * [v13] docs: document label expressions (#27878)
+ * [v13] Update e ref. (#27883)
+ * [v13] Add the notion of friendly names to access request
+ details. (#27803)
+ * [v13] docs: Fix more installation commands on Windows (#27877)
+ * [v13] chore: Bump Buf and Go versions (#27860)
+ * [v13] Omit empty fields from DeviceCredential resources
+ (#27869)
+ * Fix `TestDiagnoseSSHConnection` flakiness (#27762) (#27849)
+ * [v13] fix: Observe accurate `backend_read_seconds` duration
+ (#27857)
+ * [v13] Update Locking docs to refer `server-id` (#27845)
+
+-------------------------------------------------------------------
+Wed Jun 14 18:37:49 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 13.1.1:
+ * [v13] Fix an issue ALPN handshake test does not respect
+ "HTTPS_PROXY" (#27810)
+ * Set default limit for ListResourcesRequest (#27839)
+ * [v13] Trim yum release version in install-linux.mdx (#27777)
+ * Move Cloud Matchers to proto (#27162) (#27530)
+ * [v13] bump e (#27818)
+ * [v13] Add Proto types for storing TPM Platform Attestation in
+ Collected Data (#27757)
+ * bump e (#27806)
+ * [v13] Delete proxy heartbeats on graceful shutdown (#27786)
+ * [v13] Fix an issue kube local proxy requirement is wrong in
+ separate port mode (#27732)
+ * Fix: time.Since should not be used directly after a defer
+ statement (#27795)
+ * Default to SymlinksTrySecure rather than SymlinksSecure
+ (#27784)
+ * [v13] bump e-ref (#27736)
+ * app access: fix broken docs link in error message (#27766)
+ * Don't use WithError() when logging "Missing session cookie"
+ (#27768)
+ * [v13] Docs: document labels for trusted clusters (#27738)
+ * [v13] Fix flaky test
+ `TestHeadlessAuthenticationWatcher_WaitForUpdate` (#27765)
+ * [v13] MongoDB Protocol Hardening (#27741)
+ * docs: Fix curl commands on Windows (#27759)
+ * remove confusing variable delineation (#27746)
+ * [v13] docs: update desktop session recording reference (#27749)
+ * [v13] Change Campaign to utm_campaign (#27706)
+ * Implement in-memory vector DB (#27587)
+ * Add UI `node` lock to use `server_id` instead (#27621)
+ * Fix Teleport Connect assume roles (#27723)
+ * [v13] Abort reverse tunnel connections early if the proxy is
+ already claimed (#27699)
+ * Add scaling warning re: DynamoDB (#27600)
+ * [v13] helm: Add conditional RBAC/ServiceAccount to
+ `teleport-kube-agent` post-delete hook (#27637)
+ * [v13] docs: update navigation instructions for sso audit log
+ troubleshooting (#27675)
+ * add styles to tooltip for team pages (#27417) (#27642)
+ * Set UID/GID for ARC runner builds (#27638) (#27689)
+ * Fix TestAuthorizeWithLocksForLocalUser flakiness (#27687)
+ * usagereporter: add context check in RunSubmitter (#27678)
+ * [v13] feat: label expressions (#27641)
+ * Bump vite from 4.2.0 to 4.2.3 (#27670)
+ * Fix redirects (#27593)
+ * add new CTA event property (#27216) (#27643)
+ * [v13] export etcd event processing metrics (#27220)
+ * Added 06/08 Upcoming Releases Update (#27631)
+ * [v13] Update description of Roles UI (#27539)
+ * Update e (#27640)
+ * [v13] Bump cloud version to v13.1.0 (#27633)
+ * [Docs] Assist built-in role access (#27602)
+ * [Docs] Assist - remove MFA section (#27603)
+ * [v13] Web: Plugin tweaks and new plugin icons #27427 (#27576)
+ * [v13] feat: label expression protobuf types (#26977)
+ * fix: record applied login rules in github login event (#27607)
+ * [v13] Add deprecation note to PAM user creation guide (#27626)
+ * [v13] update agentless docs to use 'teleport join openssh'
+ (#27624)
+ * [v13] Update docker images (#27502)
+ * [v13] docs: provide information on local user locks from login
+ attempts (#27609)
+ * Update `github.com/gravitational/predicate` to `v1.3.1`
+ (#27483)
+ * [v13] Docs: Trusted Clusters - Mention the correct expiration
+ time as per tctl command (Buddy PR) (#27498)
+ * [v13] use proxy port in openssh config (#27545)
+ * [v13] Proxy Templates overwrite CLI cluster value (#27581)
+ * docs: add headless auth as faq question (#27584)
+ * docs: adds configuration and helm chart to app access getting
+ started (#27529)
+ * [v13] Fix not being able to "login" with auth type set to sso
+ but no connectors set yet (#27589)
+ * Primarily changes "match: '^.*\.dev\.example\.com$'" to "match:
+ '^.*\.dev\.example\.com'" so that users aren't mistakenly
+ guided towards eliminating the implicit ":3389" from their
+ regex matches (#27516)
+ * Fix the default `teleport-kube-agent` upgrade server (#27572)
+ * Only fallback to SSH_TELEPORT_ env variables for proxy, user,
+ and cluster name when used with headless. (#27507)
+ * Support authenticating with AWS IAM role for MongoDB Atlas
+ (#26439) (#27494)
+ * Bump e (#27501)
+ * [v13] Implement leaf app access: `tsh app login --cluster=leaf`
+ (#27197)
+ * [v13] Backport hardened AMI resources (#27454)
+ * [v13] include changelog for docs tests (#27479)
+ * [v13] Docs: GCP join method (#27487)
+ * Fix SEO issues (#27242)
+ * [v13] Document all installer script template vars (#27482)
+ * Create api handler specifically for FormData (#27408)
+ * [v13] Docs: improve Postgres in GCP (#27471)
+ * Propagate proxy public addr in Web UI ssh session. (#27058)
+ (#27420)
+ * [v13] Document new Okta import rule regexes. (#27453)
+ * [v13] docs: add enterprise value for kube agent reference
+ (#27472)
+ * docs: update version (#27473)
+ * Extend host lock enforcement to other built in roles besides
+ `Node` (#27018) (#27442)
+ * Build change for when go caching should be used (#27209)
+ (#27284)
+ * chore: Bump golangci-lint to v1.53.2 (#27456)
+ * [v13] WebDiscover: Check for RDS length before setting a limit
+ for listing DBs (#27415)
+ * Jamf config for PluginSpecV1 (#26374) (#27459)
+ * [v13] loadtesting automation improvements (#27438)
+ * Add prometheus endpoint to tbot (#27432)
+ * [v13] Add docs for database auto user provisioning (#27289)
+
+-------------------------------------------------------------------
+Mon Jun 12 20:37:19 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 13.1.0:
+ * Release 13.1.0 (#27418)
+ * [v13] [Assist] Do not parse event data is there is none
+ (#27435)
+ * [v13] Update e (#27430)
+ * [v13] Add Assist to the access role (#27424)
+ * [v13] Adds info on exporting requirements for impersonated
+ certs (#27403)
+ * chore: Bump Buf to v1.20.0 (#27400)
+ * [v13] Add IAM auth info to ElastiCache guide (#27306)
+ * Move and update Proxy Template docs. (#27350)
+ * specify supported architectures (#27279)
+ * [v13] docs: Formatting/grammar fixes for TLS routing (#27391)
+ * [v13] Update e ref. (#27388)
+ * tncon: Remove unused return variables (#27386)
+ * Add plugin static credentials getter. (#27301)
+ * Minor updates to Server Access Getting Started (#27253)
+ * [v13] WebPublicAddr includes user specified port. (#27376)
+ * [v13] Web: Emit integration events (aws oidc) and touch ups
+ (#27172)
+ * [v13] cache parsed role template expressions (#27326)
+ * add circle icon helper (#27185) (#27286)
+ * [v13] Update e ref (#27375)
+ * Reply with a user-friendly message on verification errors
+ (#27270)
+ * [v13] Assist docs (#27260)
+ * [v13] docs: update enrollment steps for active dir (#27357)
+ * Add endpoints to export AuditEvents as unstructured data
+ (#27290)
+ * [v13] Docs: Update GitHub SSO (#27273)
+ * Add kube credentials lockfile to prevent possibility of
+ excessive login attempts (#27366)
+ * [v13] Use the proper check for the SAML IdP session. (#27314)
+ * Get fresh cluster features to `config.js` (#26785) (#27362)
+ * [v13] Assist bug fixes (#27356)
+ * [v13] Get locks in tctl get all (#27294)
+ * [v13] flaky test detector: override skipped tests (#27274)
+ * Only wait for headless authentication watcher initialization in
+ tests. (#27298)
+ * [v13] Assist backport (#27243)
+ * Replace global testing variables for device trust with
+ pluggable ceremony interface. (#27239)
+ * [v13] Web: Fix local storage clearing (#27296)
+ * Disable GHA cache (#27305) (#27315)
+ * [v13] Pin golangci-lint to `v1.53.1` and upgrade `depguard`
+ config to `v2` (#27293)
+ * Speedup OpenSSL build (#27056) (#27261)
+ * tctl: allow creating desktops from YAML file (#27250)
+ * Fix TeleportClient.ConnectToProxy logic error with closed
+ context. (#27140)
+ * Dont load ForwardedPorts from profile, only recieve them from
+ the cli (#27208)
+ * backport device trust and okta provider docs (#27218)
+ * Ignore ENOENT error on group check (#27231)
+ * Add support for automatic database users for Postgres (#26555)
+ * [v13] lib/kube/proxy/server.go: Fix potential mutex deadlock on
+ error (#27237)
+ * docs: mention locking as an alternative to CA rotation for
+ revoking access (#27248)
+ * docs: add troubleshooting step for standard RDP security
+ (#27245)
+ * [v13] Fix headless server access requests (#27241)
+ * tncon.c: Switch all size variables to size_t (#27234)
+ * update access controls table (#27226)
+ * Add static credentials reference to plugin credentials.
+ (#27225)
+ * [v13] docs: update fluentd output and correct docs link
+ (#27202)
+ * Add elasticache:Connect AWS permission to auto-IAM (#27188)
+ * Updated Cloud SQL guides with more info about 'Allow only SSL
+ connections' option (#27224)
+ * docs: update version (#27219)
+ * Add information about the cert-format flag (#27167)
+ * Update cloud version to 12.4.5 (#27214)
+ * return an error if a moderated session is created for an
+ agentless node (#25721)
+ * [v13] Add docs for shell completion (#27093)
+ * add section for username_claim (#27006)
+ * [v13] helm: Switch custom deployment guide to standalone rather
+ than scratch (#27177)
+
+-------------------------------------------------------------------
+Thu Jun 01 11:46:13 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 13.0.4:
+ * Introduce the Plugin Static Credentials object. (#27121)
+ (#27163)
+ * Added 05/25 Upcoming Releases Update (#26910)
+ * [v13] Update Terraform reference docs to 13.0.3 (#27034)
+ * Correct grammar in role removal error message (#27142)
+ * [v13] feat: label expression parser (#26970)
+ * [v13] docs: correction and note on direct mode for desktop
+ (#27149)
+ * TLS Routing behind ALB: tsh kube subcommands UX (#26305)
+ (#27155)
+ * [v13] helm: Tidy standalone cluster setup docs (#27154)
+ * [v13] `buf breaking` CI action (#26833)
+ * Fetch ClusterAlerts a single time during login (#27110)
+ * [v13] docs: remove duplicative k8s access guide (#27128)
+ * [v13] Update title for proxy peering architecture (#27041)
+ * Refactor test globals out of lib/devicetrust/enroll (#27133)
+ * Switch to recommending identity file in terraform guide
+ (#27068)
+ * [v13] Add `tsh kubectl` support for tracer exporter (#27130)
+ * [v13] docs: Update GSLB docs for changes missed from master
+ (#27132)
+ * chore: Bump OpenSSL to 3.0.9 (#27123)
+ * changes ldapDialTimeout from 5 to 15 seconds (#27045)
+ * Okta Import Rules use Teleport style regexes. (#27126)
+ * Fix `TestKube/Join` data race (#26619) (#27124)
+ * [v13] Refresh port descriptions (#26936)
+ * [v13] Support ElastiCache Redis IAM auth (#26990)
+ * Fix "unnecessary conversion" in lib/devicetrust/native (#27077)
+ * [v13] Automatically perform `tsh app login`. (#26820)
+ * docs: offer alternative aws methods for joining for aws db
+ guides (#26939)
+ * docs: update kube access for enterprise setting and agent
+ updates (#26941)
+ * [v13] Windows TPM Device Authentication (#27085)
+ * Close clients when done. (#27104)
+ * [v13] Expand Go docs for label prefixes (#27102)
+ * Update `e` (#27087)
+ * [v13] Update `kingpin` & allow autocompletion (#26238) (#26999)
+ * Device Trust: TPM Enrollment support EKCerts (#27070) (#27082)
+ * Remove initCommand from DocumentPtySession (#27003)
+ * Search user groups by description. (#27021)
+ * [v13] update lib/utils/parse to leverage lib/utils/typical
+ (#26967)
+ * use uri path for config dump (#26992)
+ * [v13] feat: library for building predicate parsers (#26915)
+ * [v13] Update kube operator with more details and
+ troubleshooting (#27050)
+ * Update CHANGELOG.md to include Helm image change (#26822)
+ (#27000)
+ * operator: allow operator to edit tokens (#27001)
+ * Docs: replace static mermaid images with rendered charts
+ (#23458) (#26094)
+ * Clean up LDAP error handling (#26984)
+ * docs: mention missing delete permission for GCS buckets
+ (#26735)
+ * Yarn updates for `terser` and `minimatch` (#26919) (#27025)
+ * Make tctl command descriptions consistent (#26937)
+ * Use root client for headless authentication. (#26878)
+ * [v13] remove warning on unpopulated ssh proxy address (#27015)
+ * [v13] update ui and config to refer to service as Teleport
+ Service (#27011)
+ * [v13] AWS Route 53 GSLB Multi-Region Proxy Peering High
+ Availability Deployment Guide (#26743)
+ * Add a guide to reviewing docs PRs (#26913)
+ * Use WIRE_JSON in buf breaking (#26793)
+ * docs: update version (#26988)
+ * fix console node list scroll and close session join dialog
+ (#26622) (#26906)
+ * [v13] athena audit logs - use otel traces in querier (#26900)
+ * [v13] Remove useProfileLogin from makeClient in tsh (#26975)
+ * [v13] athena audit logs - add metrics (#26920)
+ * [v13] helm: Fail to install if `clusterName` contains a colon
+ (#26973)
+ * Add a watcher for agentless EC2 nodes (#26888)
+ * [v13] Add MDM and TPM fields to device resources (#26838)
+ * Add integration enroll usage event (#26880) (#26930)
+ * Fix bug where the system agent is not forwarded in combination
+ with (#26929)
+ * Add diagrams to Access Request plugin guides (#26924)
+ * Update dependencies for `build.assets/tooling` (#26907)
+ (#26918)
+ * fix GitHub connector API endpoint URL path getting ignored when
+ making HTTP requests (#26863)
+ * [v13] Collect MDM data from macOS (#26897)
+ * [v13] integrations/operator: Use a dedicated scheme in tests
+ (#26883)
+ * Backport #26366 to branch/v13 (#26738)
+ * [v13] Web: Add back buttons and remove exit buttons (discover &
+ integrations) (#26727)
+ * [v13] skip rdpclient build in integration tests (#26526)
+ * [v13] Spawn gateway CLI client directly (#26751)
+ * bump cloud to 12.4.3 (#26899)
+ * correct discovery bootstrap command description (#26894)
+ * [v13] Add a codegen-focused buildbox (#26739)
+ * [v13] Proxy Templates update: cluster switching and tsh ssh
+ parity (#26852)
+ * app access: improve error logging (#26869)
+ * [v13] docs: include Enterprise in tctl version for ent, cloud
+ prereq (#26847)
+ * Bump github.com/docker/distribution (#26107) (#26855)
+
+-------------------------------------------------------------------
+Thu May 25 06:35:23 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 13.0.3:
+ * Release 13.0.3 (#26846)
+ * add rbac for cluster alerts (#26423) (#26789)
+ * docs: correct faq answer on editions (#26842)
+ * [v13] use stable/cloud repo for cloud tenants (#26841)
+ * [v13] Add a few convenience toggles to genproto.sh (#26672)
+ * include db in tsh play and consistent description ends (#26816)
+ * add polyfill for randomuuid (#26611)
+ * athena audit logs - always pass utc to query (#26821)
+ * [v13] docs: update to machine-id file list and edits (#26800)
+ * Remove 'preview' from tcp app access guides (#26813)
+ * [v13] [docs] add image for moderated file transfer (#26808)
+ * Introduce group and app name Okta import rule regexes. (#26799)
+ * fix TestALPNProxyHTTPProxyBasicAuthDial flakiness (#26713)
+ * docs: add missing server_name to LDAP config (#26692)
+ * athena audit logs - sent checksum on s3 write (#26748)
+ * Amazon RDS converter: extract Subnets (#26621) (#26675)
+ * [v13] Don't unmount `cgroup2` when restarting (#26728)
+ * docs: update agent updates (#26731)
+ * Windows TPM enrollment support (#25801) (#26736)
+ * Fix link to CA Pinning information (#26690)
+ * [v13] Add mermaid diagram to the HA guide (#26697)
+ * docs: remove old starting from message (#26717)
+ * Describe `tsh ls` support for multiple labels (#26539)
+ * add upgrader to inventory hello (#26454) (#26479)
+ * Define the "jamf_service" configuration (#26478) (#26700)
+ * [v13] operator: ProvisionToken support (#26618)
+ * Fix port forwarding when using a label based target (#26701)
+ * [v13] Refresh Kubernetes Access Getting Started diagram (#26536)
+ * [v13] Edit the docs UI reference (#26533)
+ * [v13] refactor tsh db (#26651)
+ * Remove intel label from macOS (#26698)
+ * [v13] Make the Linux Server guide less SSH-centric (#26631)
+ * [v13] Adds an admonition about Teleport not currently
+ supporting Azure AD (#26556)
+ * [v13] Docs: Patch Register Cluster page (#26686)
+ * [V13] Add certificate rotation to `teleport join openssh`
+ oneshot command (#26674)
+ * [v13] docs: Add Msft SQL Server client examples and link in sql
+ server guide (#26558)
+ * docs: update reference to Teleport systemd (#26680)
+ * chore: Bump Buf to v1.19.0 (#26645)
+ * [v13] athena audit logs - pass teleport user as top level field
+ (#26661)
+ * Extend `kubectl auth can-i` support for `kubernetes_resources`
+ RBAC rules (#26584)
+ * Update e ref (#26664)
+ * [v13] auditlog - pass context and rework search params (#26587)
+ * expose firehose emulator host env in tests (#26592)
+ * [v13] Update SyncInventory RPC documentation (#26629)
+ * [v13] Add Teleport Team docs (#26639)
+ * [v13] Docs: mark Okta application access as preview (#26627)
+ * suggest machine id in plugins partial (#26624)
+ * [v13] docs: remove starting from messages older then 10.0
+ (#26553)
+ * [v13] changes openssh addr validation to allow hosts (#26549)
+ * [docs] Amazon Athena guide for Application Access (#25329)
+ (#26505)
+ * [v13] Desktop access improvements (#26413)
+ * Add RoleInstance to
+ TestLocalServiceRolesHavePermissionsForUploaderService (#26597)
+ * Update backends.mdx to remove incorrect comment (#26600)
+ * Bump golangci-lint to v1.52.2 (#26593)
+ * Add in Okta plugin type. (#26458)
+ * [v13] Do not run the uploader with the MDM role (#26514)
+ * Show dev-related tools only in dev mode (#26495)
+ * update db and app service role permissions (#26519)
+ * [v13] WebDiscover: Revert deleting the app wizard (#26457)
+ * bump-e-ref (#26545)
+ * add AWS cross-account db access guide (#26468)
+ * docs: update version (#26509)
+ * Update `gravitational/protobuf` fork tag (#26373) (#26488)
+ * Add the JamfSpecV1 proto (#26391) (#26448)
+ * [v13] Add in extra Okta audit event fields. (#26370)
+ * Install Script: add Darwin ARM64 support (#26504)
+ * Update AMI usage instructions (#26453)
+ * [v13] Docs: Adjust curl examples (#26472)
+ * athena audit logs - integration tests (#26494)
+ * [v13] add assume_role_arn and external_id docs reference
+ (#26030)
+ * bypass lint and os-compatibility for md and mdx files (#26480)
+ * [v13] Add and map the MDM system role (#26471)
+ * Install Node Script: respect version variable (#26322)
+ * [v13] add list of applied login rules to user login event
+ (#26474)
+ * bump eref (#26465)
+ * bump docs for cloud to 12.4.2 (#26466)
+
+-------------------------------------------------------------------
+Thu May 18 07:51:39 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 13.0.2:
+ * Release 13.0.2 (#26469)
+ * [v13] docs: include DynamoDB streams as required in storage
+ backend (#26381)
+ * changelog spellfixes (#26431)
+ * [v13] Web: Provide accurate actionable steps with duplicate db
+ name error (#26399)
+ * fix tsh db connect to active cassandra db (#26378)
+ * [v13] Add in plugin bearer token credentials. (#26436)
+ * [v13] docs: fix curl usage (#26411)
+ * athena audit logs - run on single auth (#26443)
+ * [v13] athena audit logs - delete from sqs (#26424)
+ * athena audit logs - parquet writer (#26240)
+
+-------------------------------------------------------------------
+Wed May 17 04:58:46 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 13.0.1:
+ * Release 13.0.1 (#26418)
+ * bump eref (#26406)
+ * [v13] Change TestDeleteMFADeviceSync to do per-delete
+ assertions (#26390)
+ * Update version in tsh.app Info.plist (#26314)
+ * Remove the Adopters page (#26362)
+ * remove opened var when set to false (#26367)
+ * Update e ref (#26389)
+ * check for empty name part in role arn (#26376)
+ * Refresh the teleport-cluster Helm guide (#26172)
+ * update video banner (#26384)
+ * [v13] Web: Integrations touchups (#26152)
+ * Add params to CTA redirect URL (#26086) (#26340)
+ * [v13] fix azure db user auth check (#26317)
+ * [v13] Proto and Go module changes for Windows TPM support
+ (#26325) (#26348)
+ * Update config.json (#26258)
+ * bump e-ref (#26355)
+ * [v13] docs: add mongo port in high availability and k8s
+ operator doc (#26357)
+ * [v13] docs: enroll auto updates fixes (#26352)
+ * Remove our replacement for Logrus (#26241) (#26304)
+ * [v13] Update `electron` and `electron-builder` (#26327)
+ * [v13] Replace GetConnectCommandNoAbsPath with os.exec.Cmd.Args
+ (#26328)
+ * [v13] Disable "Open new terminal" if there's no active
+ workspace (#26333)
+ * athena audit logs - query rate limiter (#26221)
+ * Fix twoClustersTunnel flakiness (#26254)
+ * [v13] TLS Routing behind ALB: `tsh kube join` (#26283)
+ * Update e ref (#26306)
+ * Decrease test timeout (#26267)
+ * Allow aws svg icon to take on the themes main color (#26039)
+ * Revert usage of grpc error interceptors in `lib/client`
+ (#26271)
+ * [v13] docs: Make Amazon Linux name usage consistent (#26192)
+ * Make PAM user creation script copy/pasteable (#26275)
+ * [v13] docs: expand admonition for additional DB types (#26260)
+ * [v13] docs: add tip on Kubernetes resources (#26278)
+ * [v13] - Backport docker distribution update #26108 and #26109
+ (#26249)
+ * [docs] Include File Transfers in moderated sessions docs
+ (#26032) (#26265)
+ * Restore Kubernetes Integration tests (#26186)
+ * [v13] Populate the time locked status value when local user
+ locked (#26255)
+ * [v13] Add GCP Join Method (#26165)
+ * athena audit logs - support athena engine v2 (#26222)
+ * [v13] docs: reword dynamic guides language to more active
+ (#26227)
+ * athena audit logs - sqs receive (#26220)
+ * Get rid of update on unmounted component in ResultList (#26230)
+ * [v13] Remove privileged APIs from window after app
+ initialization (#26213)
+ * [v13] only show windows domain in audit log ui if applicable
+ (#26078)
+ * athena audit logs - query (#24740)
+ * [v13] Add pprof diagnostics endpoints to `tbot` (#26117)
+ * docs: Fix link to standalone Windows auth service (#26179)
+ * Fix Helm chart Join token secret creation (#26055) (#26175)
+ * [v13] Fix panic when using proxy peering (#26174)
+ * [v13] Clarify Auth Service backend permissions (#26076)
+ * Update e ref (#26163)
+ * docs: fix invalid characters in kubernetes service example in
+ discovery troubleshooting (#26157)
+ * Modify error messages for customer portal to Teleport account
+ (#26139)
+ * TLS Routing behind ALB: access request Kube Pod search (#26128)
+ * Set Cloud version to 12.3.3 (#26036)
+ * [v13] Search bar: Take cluster filter into account when listing
+ offline clusters (#26127)
+ * Backport Assist UI (#26145)
+ * Move the favicon so Teleport serves the static file (#26144)
+ * [v13] Fix GoRoutine leak in `authclient.Connect` (#26125)
+ * [v13] docs: update plugin and docker version (#26113)
+ * [v13] provides info on Oracle Wallet location when using Oracle
+ Orapki generation (#26133)
+ * [v13] Fixes a SharedDirectoryAnnounce incompatibility (#26090)
+ * Return a better message on "lacks registered credentials"
+ errors (#26103)
+ * docs: add note about curl on Windows (#26088)
+ * [v13] Moderation Session docs update (#26082)
+ * [v13] Use os.UserHomeDir where possible (#25999)
+ * bump e-ref (#26101)
+ * [v13] [docs] TLS routing behind l7 load balancer preview
+ (#26077)
+ * [v13] usagereporter: split the `ssh_port` session start into
+ `ssh_port_v2`, `k8s_port` (#26062)
+ * push the feature check to ctx.init (#26007) (#26071)
+ * Use the correct value for DeviceAuthenticateEvent (#26068)
+ * [v13] Show resource search errors in search bar when fetching a
+ preview (#26073)
+ * create e-imports package (#25992) (#26044)
+ * [v13] docs: clarify host labeling for Windows desktops (#25524)
+ * Clean up staticConfig mocks (#26059)
+ * [v13] Document how to open a local terminal in Teleport Connect
+ (#26061)
+ * docs: AWS OpenSearch (#26051)
+ * Improve AWS OIDC Integration extensibility (#26050)
+ * [v13] tctl: improve alert ack flows (#26040)
+ * docs: Update MySQL Server Version (#26052)
+ * [v13] Add in Okta audit events. (#26000)
+ * Add docker cli to buildbox (#25975)
+ * gh-trigger-workflow: Retry transient server errors (#25972)
+ * [v13] Change Helm reference `--set` formatting (#25509)
+ * [v13] Okta assignment targets/statuses are human readable in
+ the CLI. (#26023)
+ * [v13] fix: truncate YubiHSM2 key IDs (#25816)
+ * [v13] Note that the SAML IdP now supports HSM. (#26005)
+ * [v13] fix: use errors.Is for all EOF comparisons (#26017)
+ * Install Scripts: add updater package (#25971)
+ * Provide client address information in transport request
+ (#25993)
+ * Add events to cta clicks (#25325) (#25986)
+ * [v13] TLS Routing behind ALB Connect support for SSH and
+ Database access. (#25899)
+ * [v13] Allow adding 'locked' features to menu items and routes
+ (#25952)
+ * [v13] Upgrade TypeScript to 5.0.4 (#25983)
+ * [v13] Introduce inventory service counts. (#25944)
+ * Remove test case which uses local profile. (#25969)
+ * [v13] add redirect to windows user creation instructions to
+ host user creation doc (#25965)
+ * build: Scope RUST_VERSION var to single target (#25962)
+ * [v13] warn about v13 repos not containing v14 Teleport (#25954)
+ * [v13] don't delete unit schedule file (#25943)
+ * Bump Buf to 1.18.0 (#25888)
+ * Update the supported versions table (#25902)
+ * helm: warn about teleportVersionOverride and scratch risks
+ (#25601) (#25914)
+ * [v13] docs: instruct users to use `apt`/`yum`/`dnf` instead of
+ `dpkg`/`rpm` (#25937)
+ * [v13] backport team plan CSP and RBAC (#25928)
+ * [v13] Okta documentation. (#25940)
+ * [v13] Team plan CTAs (#25073) (#25701)
+ * Add t_source to be standard (#25720)
+ * [v13] Add the debug command `tsh fido2 attobj` (#25923)
+ * Makefile: cache `go env` values (#25894)
+ * docs: document the updater (#24628) (#25913)
+ * [v13] check for correct kube and ssh listen address in starting
+ message (#25907)
+ * provide starting message for tar ball install (#25904)
+ * Add IsUsageBased to features and send it to web UI (#25465)
+ (#25860)
+ * [v13] Remove code related to the command bar from Connect
+ (#25898)
+ * Simplify the Getting Started experience (#25519)
+ * [v13] Make TS a dev dep of root package.json, fix design dev
+ deps (#25875)
+ * [v13] Fix flaky resolveNetworkAddress test (#25874)
+ * [v13] enable acl in single aws terraform s3 (#25854)
+ * Add ability to enable trace logging level (#25833)
+ * Remove `not a valid Unix login` logging (#25838)
+ * Fix application resource headers rewrite spec (#25863)
+ * Add ability to enable trace logging level (#25833)
+ * Remove `not a valid Unix login` logging (#25838)
+ * Fix application resource headers rewrite spec (#25863)
+ * Update docs version vars for v13 (#25352)
+
+-------------------------------------------------------------------
+Thu May 11 12:52:08 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 13.0.0:
+ changelog to big, please find it here:
+ https://github.com/gravitational/teleport/releases/tag/v13.0.0
+- BuildRequire go1.20
+ (github.com/gravitational/teleport/lib/events/athena
+
+-------------------------------------------------------------------
+Tue May 09 05:23:00 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 12.3.3:
+ * Release 12.3.3 (#25835))
+ * Fix access to leaf resources (#25694) (#25862)
+ * fix auditlog error (#25843)
+ * [v12] Include teleport-windows-auth in OSS releases (#25846)
+ * make some chatty dynamodb logs trace (#25821)
+ * Update e ref (#25831)
+ * Correct SAML IdP session read permission. (#25798)
+ * Fix Web UI error message when host is offline (#25661)
+ * [v12] Update e ref. (#25812)
+ * [v12] Add `SetFeatures` method to modules (#25653)
+ * add agent config scaling section (#25796)
+ * Update change log to include desktop access fix in 12.3.2
+ (#25793)
+ * [v12] docs: document "and" logic for labels (#25750)
+ * [v12] Log troubleshooting information when InvalidInstanceID
+ errors are found during EC2 discovery (#25641)
+ * [v12] docs: provide instructions on getting enterprise file
+ from new license Teleport Account (#25753)
+ * [v12] WebDiscover: Enroll RDS Databases and Hookup RDS flow
+ (#25604)
+ * Try to fix TestAgentPoolConnectionCount (#24616) (#25695)
+ * Support additional expected instance roles. (#25742)
+ * [v12] Use the GHA base container for Lint (Docs) (#25716)
+ * update eref (#25733)
+ * [v12] Add client compatibility to installation guide (#25685)
+ * [v12] Improve API client connection failure feedback (#25563)
+ * [v12] Refresh the HA guide (#25670)
+ * [v12] docs: fix claims to roles description in access controls
+ reference (#25633)
+ * Ensure useDocumentGateway creates the gateway only on mount
+ (#25626)
+ * [v12] docs: update cloud proxy service architecture language
+ (#25724)
+ * [v12] docs: move docs links from absolute to relative (#25736)
+ * [v12] use "google.golang.org/protobuf" to clone protobuf
+ messages (#25714)
+ * refactor theme in v12 (#25650)
+ * Add UserGroups to RequestableResourceKinds. (#25708)
+ * Don't report usage for KubeServiceV2 keepalives (#25656)
+ * docs: mention Machine ID where tctl auth sign is used (#25610)
+ * [v12] Update e-ref and icomoon library (#25665)
+ * backport missing deps (#25662)
+ * Update role-templates.mdx (#25628)
+ * Reuse auth connection for Okta client (#25622) (#25646)
+ * [v12] WebDiscover: Enroll aws integrations (#25594)
+
+-------------------------------------------------------------------
+Fri May 05 05:09:38 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 12.3.2:
+ * Release 12.3.2 (#25647)
+ * Update e-ref (#25636)
+ * docs: correct gcp install headers (#25426)
+ * Define a new DeviceEvent proto with the usual embeds (#25353)
+ (#25555)
+ * Use new device event layout in Web UI (#25355) (#25558)
+ * [v12] Add specific message for network errors on app launch
+ (Web UI) (#25606)
+ * [v12] Add missing user groups entry to getEmptyResource state.
+ (#25612)
+ * Do not change proto user on make grpc (#24847)
+ * Update metrics docs (#25591)
+ * Make ProtoPostgres support PROXY protocol (#25529)
+ * [v12] Support UI methods for user groups, label match user
+ groups in API. (#25578)
+ * [v12] docs: update version (#25577)
+ * [v12] docs: update CloudHSM docs (#25570)
+ * Web:Discover Refactor resource selector screen (#23018)
+ (#25556)
+ * [v12] Team plan CTAs (#25073) (#25572)
+ * [v12] Add integrations access rule to user context (#25516)
+ * Disallow OktaAssignment deletion from tctl. (#25463)
+ * [v12] New Usage Events (#25493)
+ * add billing to navigation (#25192) (#25487)
+ * [v12] banner dependencies (#25194)
+ * [v12] Document HA for Access Request plugins (#25551)
+ * Capitalize Teleport in command/args (#25545)
+ * Remove Origin from cloud converters (#24977) (#25459)
+ * Updates distroless Dockerfile to handle fips realeases (#25451)
+
+-------------------------------------------------------------------
+Wed May 03 04:48:12 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 12.3.1:
+ * Release 12.3.1 (amended) (#25517)
+ * [v12] darwin: Use notarytool to notarize instead of altool
+ (#25455)
+ * [v12] chore: Bump Go to 1.20.4 (#25506)
+ * Release 12.3.1 (#25502)
+ * Allow unknown fields when unmarshaling types.MFADevice (#25445)
+ * Fix backwards compatability of GenerateUserSingleUseCerts
+ (#25486)
+ * [v12] Update e ref.
(#25474) + * Return friendly errors when sessions are prevented due to a + lock (#25482) + * docs: automatic user creation for windows desktops (#25364) + * Add missing Connection header for ALPN connection upgrade + (#25346) (#25411) + * [v12] WebAPI: thumbprint endpoint (#25338) + +------------------------------------------------------------------- +Tue May 02 05:32:47 UTC 2023 - kastl@b1-systems.de + +- Update to version 12.3.0: + * Release 12.3.0 (#25443) + * [v12] Bump e-ref (#25440) + * [v12] docs: update YubiHSM2 docs (#25359) + * Fix issuing credentials for non SSH protocols (#25430) + * docs: remove dynamic database resource in example aws dynamodb + (#25340) + * webapi cleanup (#24363) (#25368) + * [v12] docs: update docker guide to allow for server access and + show troubleshooting (#25345) + * [v12] Windows user creation (#24780) (#25348) + * [branch/v12] Add building Windows Authentication Package to + Drone (#23811) (#25311) + * terraform: enable ACLs in the certs bucket (#25335) + * Define distinct types for all device events (#25320) + * docs: update onelogin screenshot (#25331) + +------------------------------------------------------------------- +Sun Apr 30 07:15:36 UTC 2023 - kastl@b1-systems.de + +- Update to version 12.2.5: + * Release 12.2.5 (#25326) + * Integrations: AWS OIDC - ListDatabases action (#24877) + * Record and verify WebAuthn RPIDs (#25238) (#25289) + * [v12] Fuzz TDP protocol, fix two issues. (#25308) + * Add option to override kube context on `tsh kube login` + (#25253) + * Fix `TestAuthSignKubeconfig` test (#25269) + * Update Electron to 22.3.6 (#25184) + * Fix cluster alerts timeout (#25300) + * Properly handle SAML IdP enable/disable. 
(#25309) + * Addresses #23554 (#25296) + * Do not try to verify PROXY signature for non-Teleport TLVs + (#25302) + * Bump gh-trigger-workflow timeout to 2h30m (#25174) + * [v12] Clean up Drone slack notifcations (#25217) + * Use the correct emitter in auth.TLSServer (#25272) + * Fix `underlying reader not a terminal` issues (#25102) (#25242) + * [v12] docs: Login Rule k8s operator docs (#25158) + * [v12] Show <1m for remaining tsh status valid time for last + minute (#25225) + * Move db cert renewal message to debug log (#25222) + * docs: add information on viewing status and logs for systemd + service (#25199) + * * Save ssh_service.public_addr values to Server.PublicAddrs + instead of discarding them (#25223) + * Add new field to license spec (#23194) (#25197) + * fix: avoid inadvertent deletion of active HSM keys (#25208) + * [v12] Update headless tsh command descriptions (#25148) + * [v12] Update e ref. (#25205) + * Connect: Fix logout sequence (#24978) (#25182) + * Avoid prompting users for mfa when using `tsh ssh --headless` + (#24701) (#25187) + * [v12] Simplify Okta assignment statuses. (#25189) + * Improve performance of MFA ceremony (#24804) + * Headless Login explicit username (#24689) (#25112) + * Alphabetize the GUI Client page (#25120) + * [v12] Document relative link paths in partials (#25117) + * [v12] docs: append cluster name for example ansible hosts list + (#25124) + * [v12] Order sudoers file lines by role name (#24792) + * [web] Add storeUser to console context (#24159) (#24809) + * Add login hooks. (#24828) (#25105) + * Join Script: fix tarball folder for ent builds (#25076) + * fix github url formatting (#25089) (#25098) + * Add key attestation to generate user certs to catch non-login + flows. (#24867) (#24956) + * add comment specifying kubernetes user (#24916) + * docs: Add warning about TLS multiplexing to Kubernetes IAM + joining (#24820) + * OktaAssignment and UserGroup in auth cache. 
(#25067) + * docs: fix spelling and remove misspelled word from spellcheck + skip (#25030) + * Add in group labels for role conditions. (#25080) + * Log informative messages for device authn failures (#24912) + * [v12] docs: Change `listen_addr` to `web_listen_addr` in custom + Helm deployment guide (#24974) + * docs: fix directory instruction for docs contributing (#24994) + * docs: Adds common Teleport configure,start and helm charts for + non-iam db access guides (#25001) + * Pass the auth.Server itself to inventory.NewController (#25007) + * [v12] local proxy not required for mysql separate port (#24827) + * replace 'machine' with 'host' or 'workstation' (#24986) + * clarify tctl command location and secret destination (#24982) + * Make tsh check SSH_ user, proxy, and cluster env variables if + not already set. (#24470) + * [v12] docs: update version (#24957) + * [v12] Proxy Client (#24734) + * docs: make adopters table markdown for cleaner look (#24951) + * Fix example API client imports (#24375) + * docs: remove unneeded sudo for removing user data dirs (#24919) + * [v12] Makes the `Per Role` per session mfa example accurate + (#24927) + * [v12] docs: remove duplicate content in oracle guide (#24907) + * docs: bump cloud to 12.2.3 (#24769) (#24843) + * [v12] docs: provide warning on Amazon Linux 2023 installations + (#24853) + * Update e ref (#24894) + * Use apt.releases to fetch pub key (#24875) + * [v12] Update crewjam/saml dependency. 
(#24898) + * [v12] Edit Homebrew installation instructions (#24824) + * Remove unnecessary sudo from Connect uninstall docs (#24888) + * Update Cloud FAQ doc to remove latency note (#24891) + * refactor how 'tsh scp' destinations are parsed (#24861) + * [v12] docs: provider faq answer for configurable maintenance + times for cloud (#24855) + +------------------------------------------------------------------- +Thu Apr 20 14:35:02 UTC 2023 - kastl@b1-systems.de + +- Update to version 12.2.4: + * Release 12.2.4 (#24844) + * [v12] docs: document error with older SSM agent version + (#24833) + * OS packaging and auto updates backport - v12 (#24781) + * [v12] SFTP fixes (#24831) + * [v12] Checks proxy server and token set for join openssh + (#24745) + * [v12] Fix `TestHeadlessAuthenticationWatcher` flakiness + (#24705) + * [v12] docs: make consistent access request plugins helm + configuration and instructions (#24760) + * Add docs subsection about joining services (#24756) + * Update embedded video (#24699) + * [web] Add isModeratedSession flag to web ssh session (#24238) + (#24806) + * [v12] Backport Mac build GitHub Actions support (#24432) + * Backport --raw version flag (#24772) + * Acquire user certs from root cluster during web file transfers + (#24768) + * Fix memory leak on Kubernetes port-forwarding (#24763) + * [v12] Use CompareAndSwap for OktaAssignments instead of lock. + (#24748) + * Tweak protogen to not change protos from cloud (#24688) + (#24739) + * Tweak messaging to anticipate a new linter (#24411) + * docs: Login Rules Terraform docs (#24674) + * [v12] reduce cache retry load (#23025) (#24719) + * Change port-forwarding completion logs to debug (#24658) + * [v12] Make audit log details dialog larger. (#24722) + * stop handling SIGINT, SIGTERM in tctl (#24681) + * Add Okta assignment update statuses to Okta access point. 
+ (#24735) + * [v12] docs: remove ignored user parameter in tsh login example + (#24624) + * [v12] Check Okta action transitions during update, allow failed + -> pending. (#24685) + * Prevent multiple discovery agents to race against each other + (#24214) (#24716) + * Document `discovery_group` parameter (#24713) + * Add cleanup time and last transition time to OktaAssignment. + (#24725) + * Add in a Okta assignments copy method. (#24694) + * refresh vscode guide (#24697) + * helm: fix `teleport-kube-agent` telemetry (#24471) (#24680) + * allow redundant security release alert suppression (#24692) + * [v12] Tag output from teleport configure as ERROR or WARNING if + applies (#24676) + * [v12] Introduce an OktaAssignmentsGetter and use it in the + watcher. (#24584) + * Ensure that proxy services join by dialing auth (#24668) + * docs: update audit results faq for cloud (#24633) + * Pull kube proxy address from proxy ping endpoint (#24516) + * docs version (#24622) + * [v12] docs: kubernetes joining guide + reference (#24545) + * [v12] docs: update k8s gke discovery to use zone variable + consistently (#24613) + * [v12] Hosted plugins frontend / user-facing parts (#24597) + * Make the OpenSSH guide more prominent (#24568) + * Edit the SSH Key Extensions guide prereqs (#24537) + * Add top-level redirects to intro pages (#24565) + * Add architectural clarity to the AD guide (#24569) + * [v12] Renders user auth types in User List in expected + capitalization (#24604) + * [v12] docs: simplify tokens generation examples (#24497) + * [v12] Update relcli to fix publishing of release notes (#24438) + (#24529) + * [v12] Fix authenticated conn metrics for http reporter (#24570) + * only call 'user.Current' when we really need to (#24573) + * update aws configurator (#24362) (#24494) + +------------------------------------------------------------------- +Fri Apr 14 06:52:08 UTC 2023 - kastl@b1-systems.de + +- Update to version 12.2.3: + * Release 12.2.3 (#24546) + * Machine ID: 
Add ability to request RouteToCluster in generated + certs (#23838) (#24544) + * Update e reference (#24550) + * [v12] spelling fixes and ignore adds (#24539) + * Added 03/13 Upcoming Releases Update (#24547) + * Document alert acknowledgement (#24489) + * Add info to the Directory Sharing guide (#24487) + * Update e ref. (#24542) + * Fix IP pinning for SSO login (#24541) + * [v12] docs: include Amazon Linux in BPF-supported distributions + (#24480) + * Allow the Okta role to read the cluster name. (#24540) + * Integrations: web API and tctl (#24145) (#24458) + * [v12] Ensure the Okta service can connect through the reverse + tunnel. (#24524) + * Update FAQ for on-prem data collection (#24512) + * Support app servers on different types of tunnels. (#23749) + (#24525) + * Attempt ssh connections with and without mfa at the same time + (#24371) + * Fix relaxed moderator joining for Kube Access (#23674) (#23993) + * [v12] Hosted plugin manager prerequisites (#23922) (#24390) + * Add check for nil auth.local in ping response. (#24490) + * Docs: adjust Active Directory (manual) guide (#24071) (#24462) + * Docs: Standardize prerequisite partial use. (#23394) (#24452) + * Create a partial for Event Handler role/user (#24469) + +------------------------------------------------------------------- +Thu Apr 13 07:08:02 UTC 2023 - kastl@b1-systems.de + +- Update to version 12.2.2: + * Release 12.2.2 (#24478) + * docs: bump cloud to 12.2.1 (#24475) + * Unlock keychain in drone (#24474) + * [v12] Add CA, Role, Lock AuthPreference RO persmissions to + RoleOkta. 
(#24397) + * Add caveat re: the audit event list (#24406) + * helm: support setting proxyListenerMode to emptystring (#24426) + * Clarify that "local" is not an auth connector (#24455) + * [v12] Integration: add service to server and client (#24133) + (#24439) + * [v12] Return enroll_status unspecified for empty status + (#24435) + * [v12] docs: correct rds proxy policy example (#24423) + * Restore MajorVersion template var for Installers (#24388) + (#24434) + * [v12] usagereporter: enable on-prem user activity reporting + (#24433) + * reduce log spam when AWS Aurora engine name is not recognized + (#24413) + * [v12] Distroless doc updates (#24036) + * * Fix Hardware Key support docs when scoped for Open Source. + (#24408) + * * Add --mlock flag with auto, off, best_effort, and strict + options. (#24236) (#24410) + * Add new `reporting` license flag (#21928) (#24396) + * Fix log output in aggregating.Reporter (#24391) + * Move docs builds down in GitHub Actions (#24385) + * Remove unnecessary query string (#24289) + * [v12] Updates access plane to access platform and operator def + (#24389) + * Expose CopyAndConfigureTLS. (#24384) + * [v12] Fields in WebAuthn comments (#24354) + * chore: Bump Buf from 1.16.0 to 1.17.0 (#24351) + * * Fix headless authentication watcher race condition on wait + condition (#24361) + * Add longer meta descriptions to high-traffic pages (#24334) + * Update e reference. (#24341) + * [v12] Support spellchecking in docs content (#24304) + * Allow Okta role to heartbeat app servers. (#24329) + * Constrict app.FindPublicAddr client. 
(#24331) + * docs: correct header in changelog (#24308) + * [v12] Update to Teleport Access Platform name in teleport,tctl + (#24300) + * purge extra newlines (#24283) + * fix protocol name for elasticsearch guide (#24280) + * [v12] Fixes to metrics docs (#24290) + * add Datadog to audit events index (#24274) + * Make react-router-dom and @types versions consistent (#24201) + (#24272) + * docs: use teleport systemd include for start mongodb (#24258) + * [v12] Fix package names for v1 protos, misc proto changes + (#24183) (#24263) + * Connect: Do not include staging feedback address in prod CSP + (#24189) + * Add missing continue and handle error in the test echo SSH + server (#24243) + * Added 04/03 Upcoming Releases Update (#24215) + * [v12] Bump cloud docs to 12.1.5 (#24204) + * Include correct identity in post-renewal log message (#24246) + * docs: use teleport systemd include for start (#24248) + * update Makefile to use cargo sparse protocol in all cargo + commands (#23856) (#24225) + * GHA: Update path filters to include workflow files and Makefile + (#24252) + * Lowercase "Teleport Service" (#24219) + * [v12] Disable `build-macos` and `build-windows` on PR (#24233) + * bump teleport version in docs (#24205) + * usagereporter: on-prem dial home (#23916) (#24196) + * Fix tctl test timeouts (#24216) + * [v12] Add configuration options for hosted plugin runtime + (#22320) (#24112) + * [v12] [docs] Add documentation page for IP pinning (#23897) + * Integrations service for CRUD operations (#23989) (#24144) + * Add local guidance for Linux Server guide users (#24140) + * [v12] Fix panic when incoming request is nil (#24199) + * Fix panic for when `/web/launch` is requested (#24132) + * Add systemctl instructions to Connecting Apps (#24137) + * Make TestTeleportProcess_reconnectToAuth less flaky (#24191) + * ClusterItem: Remove usage of colors.secondary.lighter (#24182) + * add `set -eu` to discovery installer (#24034) + * Clarify how to decide undocumented style 
questions (#24085) + * update eref (#24165) + * [v12] docs: update mfa docs (#24157) + * Include year in cert rotate examples docs (#24153) + * Send tunnel reconnects before waiting for sessions to drain + (#24141) + * [v12] Fix improper report of status on success (#24155) + * refactor theme (#23876) + * update eref (#24148) + * helm: Propagate securityContext and nodeSelector to Job hooks + (#24012) (#24134) + * Remove no longer used Teleport enterprise yaml example (#24150) + * Remove the Access Controls FAQ (#24081) + * fix flaky tests (#24126) + * [V12] Integration resource: proto (#24057) + * Fix TestTerminal_KillUnderlyingShell (#24125) + * [v12] Docs: Remove Details block from tctl partial. (#24072) + * docs: Oracle Database Access (#24119) + * [v12] Update gosaml2 to 0.9.1 (#24079) + * Bump Cloud SLA to 99.9% (#24093) + +------------------------------------------------------------------- +Thu Apr 06 03:50:15 UTC 2023 - kastl@b1-systems.de + +- Update to version 12.2.1: + * Release 12.2.1 (#24098) + * [v12] helm: Add support for imagePullSecrets to + teleport-cluster chart (#24017) + * [v12] chore: Bump Go to 1.20.3 (#24062) + * Show the server name (instead of UUID) in errors (#23724) + (#23935) + +------------------------------------------------------------------- +Thu Apr 06 03:29:52 UTC 2023 - kastl@b1-systems.de + +- Update to version 12.2.0: + * Release 12.2.0 (#24056) + * fix joining moderated sessions in ui (#24018) + * revert marshal database tls mode (#24063) + * helm: delete hook-related resource on re-apply (#24068) + * Fix listing of participant modes in UI (#24029) + * [v12] Add a guide to creating Teleport roles via the API (#24003) + * docs: correct mongodb atlas example config (#24044) + * Add Azure auto-join docs (#23944) + * Replace "Spotlight Search" with "Cross-Cluster Search" (#24049) + * Recommend Proxy Service in event-handler guides (#23937) + * Add missing `join_method` in azure joining docs (#24031) + * [v12] docs: device trust 
edits (#24025) + * [v12] Define an explicit device resource as DeviceV1 (#24024) + * [v12] Connect: Collect protocol origin (#24039) + * [v12] docs: update version (#24027) + * Close auth clients in tctl tests (#24014) + * docs: add description of config versions (#23936) + * [v12] Headless Login (#23360) + * [v12] tsh: Fix redundant error in PPK generation on relogin + (#23984) + * Allow getting client ip from ProxyHelloSignature for + compatibility (#23419) + * Update e reference (#24006) + * [v12] docs: include enable teleport service in systemctl start + (#23988) + * [v12] Docs: prefer `curl .../auth/export` instead of `tctl auth + export` (#23982) + * [v12] docs: Add advisory and troubleshooting on non-tls mode + for machineid kube (#23951) + * [v12] Backport IP pinning for Kube and DB access (#23418) + * Update e reference (#23994) + * [v12] GitLab Delegated Joining docs (#23981) + * Add Support for Oracle protocol (#23892) + * [v12] Metrics: add IsSSO to Discover Events (#23902) + * [v12] Add Docker Hub login to Drone's Kubernetes pipelines + (#23958) + +------------------------------------------------------------------- +Mon Apr 03 13:17:55 UTC 2023 - kastl@b1-systems.de + +- Update to version 12.1.5: + * Release 12.1.5 (#23945) + * Reduce DefaultIdleTimeout to 30s (#23950) + * [v12] Update e ref. (#23939) + * Backport #22817 to branch/v12 (#23881) + * split and notate new vs existing mysql user (#23930) + +------------------------------------------------------------------- +Mon Apr 03 13:06:43 UTC 2023 - kastl@b1-systems.de + +- Update to version 12.1.4: + * Release 12.1.4 (#23929) + * [v12] feat: Operator support for Login Rules (#23885) + * Backport #23405 to branch/v12 (#23883) + * [v12] Prevent unknown ssh requests from terminating sessions + (#23904) + * Allow a tsh aws to proxy any command (#19941) (#23835) + * Return exit code from SFTP subsystem (#23729) + * [v12] Allow Okta service reverse tunnel access. 
(#23853) + * chore: Bump Buf from 1.15.1 to 1.16.0 (#23870) + * [v12] Add gRPC service definition for Plugin resources (#21750) + (#23780) + * Added 03/30 Upcoming Releases Update (#23868) + * Expose process.OnHeartbeat. (#23852) + * Add Copy to AccessRequest. (#23638) (#23712) + * Update e ref (#23845) + * [v12] Remove `push` workflow for jobs that already run on PR + and merge (#23862) + * Machine ID FIPS support (#23563) (#23850) + +------------------------------------------------------------------- +Mon Apr 03 13:03:05 UTC 2023 - kastl@b1-systems.de + +- Update to version 12.1.3: + * Release 12.1.3 (#23847) + * update makefile (#23818) + * support readable enum values in database tls mode (#23601) + (#23808) + * [v12] Fix the navigation only ever linking to the root cluster + (#23708) + * [v12] Improve fluentd exported by configuring buffer (#23841) + * [v12] docs: Add Uninstall Instructions for Teleport Connect + (#23822) + * [v12] Reduce time spent setting ssh session envs (#23834) + * docs: modify teleport binary reference to non-path specific in + ec2 discovery (#23812) + * Allow app server origin of Okta if added by Okta built in role. + (#23794) + * Add cluster flag to `tsh kube sessions` (#23825) + * ALPN handshake test improvements (#23348) (#23798) + * docs: Remove Open Source from Try out Teleport on a linux + server (#23744) + * docs: label enterprise prereq as Teleport Enterprise, not just + Teleport (#23792) + * [v12] docs: use commercial pre-req for enterprise only windows + only users (#23803) + * [v12] Use stable/cloud when Automatic Upgrades is on (#23395) + (#23752) + * Add Okta import rules, Okta assignments, and user groups to + CLI. (#23722) + * Clarify wording of Connect's Telemetry FAQ (#23413) (#23739) + * Expose SingleProcessModeResolver and GetRotation. (#23772) + * helm: Clarify port requirement for publicAddr (#23743) + * Add new status to OktaAssignment, supporting service methods. 
+ (#23714) + * Fix multiple profile handling for kube credentials (#23716) + * [v12] Create an OktaAssignment watcher. (#23721) + * Prevent races creating web api session context (#23691) + (#23733) + * Correct linux download name of Teleport Connect (#23604) + (#23737) + * [docs] Change scrollback_length to scrollback_lines (#23725) + * reorder prehog credential events (#23254) (#23640) + * [v12] Add SFTP subsystem fails note to server access FAQ + (#23362) + * Fix H1 Issues in Docs (#23328) (#23690) + * Docs: Overhaul Okta SAML guide. (#23053) (#23673) + * Docs: fix saml role addition partial. (#23186) (#23701) + * feat(aws/config): Support configuring + auth_service.proxy_listener_mode (#23678) + * docs: Mention lack of signing with Homebrew (#23681) + * Improve performance of `ListResources` (#23534) (#23596) + * [v12] usagereporter: resource heartbeats (#23632) + * [docs] Change ui_config to ui (#23672) + * Cherry pick from v11 Backport of dependabot CVE updates + (#23580) (#23582) + * docs: configure windows service to listen on all interfaces + (#23664) + * Ignore unused-parameter on revive/golangci-lint (#23656) + (#23661) + * Bump cloud version to 12.1.2 (#23410) + * [v12] fix: close all proxy listeners (#23647) + * update github.com/pelletier/go-toml to v1.9.5 (#23658) + * docs: point to release 12.1.1 for exe download for windows + local users (#23629) + * [v12] Increase DialTimeout when testing SSH Connection + Diagnostics (#23635) + * [v12] Remove the Houston enforcer (#23633) + * Use RUNNER_TEMP to download teleport bins + * Revert resty to a version to match teleport-plugins + * Rename 'operator' pipeline file to 'integrations' + * [v12] Vendor slack plugin and supporting libraries (#23045) + * Add integrations/ + * Fixed profiling documentation. + * Updated Application Access documentation. + * Added docs for Auth/Proxy LB configuration + * Updated Cloud FAQ for IP allowlists. 
+ * Updated Cloud FAQ + * [v12] Spell fix (#23594) + * [v12] Allow for resource limits and requests for pre-deployment + jobs (#23126) + * docs: Remove note about not supporting Win Server 2022 (#23584) + * [v12] Refactor UserGroups local service to use generic service. + (#23579) + * Fix agent pool test flakiness (#23572) + * Attempt to build the docs in "Lint (Docs)" (#23530) + * [v12] Add application RW permissions to the Okta role. (#23566) + * allow users to specify separate API URL for github connectors + (#23568) + * Fix JSON reference in Azure Command (#23562) + * [v12] Fetch kubernetes git version with disabled service + account (#23559) + * Update generated protos (#23545) + * chore: Bump protoc-gen-go and protoc-gen-grpc-go (#23326) + * Refactor data dir config params for `tbot` to support memory + (#23447) (#23495) + * Add missing GetPriority function to Okta import rules. (#23501) + * minor refactor to replace localProxyOpts with + alpnproxy.LocalProxyConfigOpt (#23302) (#23468) + * [v12] support postgres cancel request (#23467) + * Add Azure join method docs (#23526) + * GHA: Cache tweaks (#23540) + * Added Teleport Usage Script (#23543) + * Validate proxy peer identity (#23506) + * Enable minimal web handler when proxy protocol is enabled + (#22753) (#23487) + * Add hardware key support guide to access control guide list. + (#23488) + * improve aws utils and database validation (#23157) (#23482) + * Plugins service no longer accepts getBackend(). (#23520) + * [v12] Spell fix IAM docs (#23521) + * docs: indicate which role options are enterprise only (#23298) + * Add Teleport 12 features to comparison matrix (#23484) + * Add proxy peering metrics to docs (#23015) (#23393) + * [v12] Spell fix API comments (#23499) + * Use GitHub camelcase for UI, examples and Messages (#23490) + * [v12] Fix ProvisionToken incompatibility with + BootstrapResources (#23474) + * Handle getBackend() or backend argument for plugins. 
(#23438) + * [v12] Add the Okta origin constant. (#23456) + * docs: clarify directory sharing audit events (#23295) + * add webui page with active session section (#23398) + * Include teleport-msteams start in plugin docs (#23459) + * [v12] update tsh proxy db cert and key file flags (#23466) + * [v12] Add the Okta access point for the Okta service. (#23463) + * Introduce Okta objects into the cache. (#23377) + * Add `srv.ConnectionMonitor` to unify connection monitoring + logic (#23465) + * [v12] Add EKS guide to install agents using IAM joining + (#23451) + * docs: clarify app access debug app (#23297) + * Add Okta client import for Okta service. (#23437) + * [v12] Set serviceStarted if enterprise services are enabled. + (#23402) + * [v12] Docs: Update Terraform reference (#23439) + * [v12] Filter out internal teleport defined logins (#23411) + * [v12] Fix incorrect report of active sessions (#23444) + * Do not log errors if metadata extraction fails (#23424) + * Add user group read/write access to the Okta role. (#23370) + * [v12] - Deprecate `site` param in `auth/export` HTTP endpoint + (#23309) + * [v12] Machine ID trusted cluster enhancements (#23390) + * Fix links with long redirect chains (#22503) + * Support Azure delegated joining for Machine ID (#23112) + (#23391) + * App Agent adjust connection noise logs (#23365) + * Expose process ID for enterprise services. (#23383) + * [v12] [Docs] Fix documentation for the `roles` field in the + Moderated Sessions join policy reference (#23313) + * Update e reference. 
(#23381) + * Disable application launch in minimal handler (#22816) (#23332) + * Fix docs mentioning connectors updates without secrets (#23344) + * Include year in tctl status dates (#23371) + * Fix tsh kube credentials fails on remove cluster for the first + time (#23252) (#23354) + * Add Headless SSO note to upcoming releases (#23339) + * [v12] Use Helm DynamoDB policy in Backends reference (#23183) + * Remove unused Expires column for tsh database list in verbose + (#23318) + * [v12] Fix DB Query always return success false in audit log + (#23274) + * App access: rewrite redirects to public app address from leaf + cluster. (#21067) (#23220) + * Fix docs link in changelog (#22452) + * Export additional functions for enterprise use. (#23245) + * Remove older-versions from docs (#23246) + * Remove extraneous subheading in DB guides page (#23208) + * Add Okta service configuration. (#23236) + * fix link for troubleshooting (#23241) + * [v12] build.assets Dockerfiles: Remove unnecessary ENV + NODE_URL, pass fsSL to curl (#23188) + * [v12] doc: add troubleshooting for RDS maximum policy size + exceeded errors (#23231) + * [v12] Access Mgmt Login Rule and IDP doc updates (#23217) + * [v12] Notification improvements (#23223) + * Fix navigation redirecting to the wrong page on category change + (#23213) + * Improve error message to label Enterprise version as FIPS for + fips error (#23214) + * [v12] Connect: Allow config customization (#23197) + * GitLab Delegated Joining (#22705) (#23191) + * adding video to k8s doc (#23171) + * Allow webauthn to be passed when issuing certs for web-based + scp (#22864) (#23195) + * fix heartbeatv2 test (#23203) + * Add anonymized device ID to tp.user.login event (#23055) + * Decouple SkipLocalAuth, UseKeyPrincipal, and static auth + methods. (#21182) (#23198) + * Establish the Okta service role. 
(#23173) + * [v12] Make Desktop Acess setup script idempotent (#23176) + * Updated config to include HA guide (#23155) + * [v12] tsh: Silent webauthnwin warning on app init (#23161) + * [v12] Support App access behind load balancer (#23054) + * [v12] Backport of `crypto` update (#23150) + * [v12] Bump Cloud to 12.1.1 (#23129) + * Use serverUID for web scp target (#23124) (#23152) + * Add `app_server` support to tctl get/rm commands (#23136) + * [v12] docs: Add instructions on uninstalling Teleport (#23135) + * Added 03/15 Upcoming Releases Update (#23127) + * Remove ossfuzz from CI (#23113) + * Update Rust to 1.68.0 (#23101) + * [v12] Introduce the Okta service. (#23071) + * [v12] Backport Access Request plugin guide (#23085) + * [v12] Backport #23024 and #23079 (#23080) + * Changed Upcoming Releases format. (#23020) + * Update docs version (#23083) + * add bypasses for lint go and lint docs (#23078) + * [v12] Document that GitHub username is added to internal.logins + (#23060) + * [v12] Backport #23008 and #23006 (#23021) + * Introduce Okta gRPC and client interfaces. (#22733) (#23057) + * [v12] chore: Bump Go to 1.20.2 (#22997) + * [v12] Update the docs style guide (#23001) + * Provide more context in the docs intro page (#23003) + * [v12] usagereporter: Use the batched event ingest RPC (#23027) + * Update Electron to 22.3.2 (#23048) + * Add a getter for the backend in `auth.GRPCServer`. 
(#23043) + * Log Connect version on startup (#23036) + * [v12] Fix uncaught exception handling in Connect's shared + process (#22986) + * [v12] Backport Distroless OCI builds (#22814) + * [v12] Fix unresponsive terminal in Connect on Windows Server + 2019 (#22996) + * Fixed enterprise and fips OS packages not uploading to OS + package repositories when promoting in the context of private + git repos (#21163) (#23012) + +------------------------------------------------------------------- +Tue Mar 21 08:51:11 UTC 2023 - Johannes Kastl + +- BuildRequire go1.19 + +------------------------------------------------------------------- +Tue Mar 14 07:12:37 UTC 2023 - kastl@b1-systems.de + +- Update to version 12.1.1: + * Release 12.1.1 (#23016) + * [v12] Hide upgrade-related alerts from dashboards (#22991) + * Hide download center when not on dashboards and prevent license + gRPC endpoint from being called (#22965) (#22980) + * Web-Discover: Add support for connection testers with + per-session MFA enabled (#22529) (#22943) + * [v12] Add docs for Connect usage reporting (#22661) + * fix leave session command (#22795) + * Fix usagereporter tests (#22968) + * [v12] Remove docs reference and video that users can + approve/deny within PagerDuty (#22939) + * [v12] Export CRL and Database CA in DER format (#22896) + * docs: include a separate page for OSS access requests (#22946) + * macOS-compatible grep (#22759) + * Use 13px font size in a `Notification` (#22870) + * [v12] Swap out select for poll (#22676) and Loop for poll + (#22746) (#22798) + * [Web] Make language on mfa verify step dialog more clear + (#20825) (#22924) + * Fix panic when AuditWriter fails on moderated sessions (#22930) + * [v12] Add per-session mfa support to connection testers + (#22918) + * update eref (#22937) + * fix select box sizing (#22686) + * Make the NodeWatcher more robust (#22910) + * Add idle connection timeouts to http clients and servers + (#22885) (#22908) + * Remove the permissions alias. 
(#22909)
+ * [v12] chore: Bump gci and golangci-lint (#22900)
+ * Drop local_auth/second_factor warning (#22859)
+ * Update e ref. (#22905)
+ * [v12] Connect: Provide prehog address for prod env (#22876)
+ * [v12] Emit new `AgentMetadataEvent` (#22879)
+ * chore: Bump Buf to v1.15.1 (#22856)
+ * Ensure that the `webclient` closes connections
+ (#22832) (#22893)
+ * [v12] Connect: Remove leftovers from resource cache removal
+ (#22884)
+ * docs: mention how to get the correct API version (#22812)
+ * [v12] Return Public Web Port in TLS mode for postgres when
+ listen addr specified. (#22889)
+ * Idp Docs Fixes (#22853)
+ * Added 03/09 Upcoming Releases Update (#22846)
+ * [v12] Add documentation for tsh --trace-exporter (#22837)
+ * Move the authorizer into its own package. (#22825)
+ * [v12] Interface for processing SAML IdP request signing on
+ auth server. (#22801)
+ * Do not check os groups when user exits (#22805)
+ * [v12] Deduplicate multiplexer detection errors over 1-minute
+ windows (#22802)
+ * Validate static labels assigned to Kubernetes service
+ (#22701) (#22777)
+ * [v12] AWS Terraform doc updates (#22786)
+ * Cherry-pick 6c58a9e (#22785)
+ * usagereporter: Allow multiple batch submissions in a row
+ (#22711) (#22788)
+ * [v12] Use the teleport-ent package on enterprise clusters in
+ the discovery installer (#22769)
+ * Add correct link in place of placeholder for Telemetry docs
+ (#22781)
+ * Docs teleport and golang version (#22765)
+ * [v12] Docs: Fix AWS Terraform Snippets (#22743)
+ * The SAML IdP CA will be handled during auth.Init. (#22721)
+ * [v12] Improve error messages for tsh login connectivity and ssh
+ port (#22763)
+ * [v12] Reorganize the config reference (#22271)
+ * [v12] chore: Bump Go to 1.19.7 (#22725)
+ * [v12] SAML identity provider docs.
(#22625)
+ * NodeJoin Script: clear yum repo cache (#22585)
+ * Improve tctl auth export docs/help (#22681)
+
+-------------------------------------------------------------------
+Tue Mar 07 05:48:42 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 12.1.0:
+ * Release 12.1.0 (#22694)
+ * (v12) Downgrade Go to 1.19.6 (#22691)
+ * Add MaxRetryPeriod for cachePolicy config to use in tests
+ (#22656) (#22692)
+ * [v12] temporarily disable TestHSMDualAuthRotation (#22682)
+ * [v12] Docs: Add Datadog guide. (#22677)
+ * Update node listing troubleshooting (#22678)
+ * [v12] Update access request enterprise description (#22621)
+ * [v12] Machine ID Agent Anonymous Analytics (#22658)
+ * test keyword frontmatter (#22666)
+ * Machine ID telemetry docs (#22541) (#22660)
+ * SCP - Change file attrs only when requested (#22579) (#22609)
+ * Fix broken Teleterm stories (#22665)
+ * spell fixes and discord config fix (#22617)
+ * Remove network I/O from database_service collection apply
+ (#22588)
+ * [v12] Add OSS repo name to github actions trigger (#22653)
+ * Update e (#22608)
+ * Refresh remote cluster connection status periodically (#22575)
+ * bump cloud version (#22542)
+ * fix typo in image (#22138) (#22552)
+ * Bump e ref. (#22602)
+
+-------------------------------------------------------------------
+Sat Mar 04 08:45:41 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 12.0.5:
+ * Release 12.0.5 (#22599)
+ * Add SAML IdP service providers to default allow rules.
+ (#22600)
+ * [v12] node hb and watcher scalability improvements (#21495)
+ * Add in SAML IdP service provider session metadata to auth
+ attempts.
(#22544) (#22562)
+ * update eref (#22596)
+ * [Web] Refactor serverside filtering and pagination
+ (#20823) (#22432)
+ * fix video link (#22576)
+ * Use `btree.BTreeG` directly in memory backend (#22409)
+ * [v12] Add GCP Service Account parameter to tctl users add
+ reference (#22543)
+ * [v12] Add Telnet into docker to test connectivity for cloud
+ getting started (#22570)
+ * Allow all alert severities to be acknowledged (#22582)
+ * add github.com/google/go-attestation/attest to e imports #2
+ (#22465)
+ * Fix compilation on ARM (#22569)
+ * [v12] Refresh the Access Controls menu (#22523)
+ * [v12] update e ref to latest branch/v12 (#22566)
+ * Added 03/02 Upcoming Releases Update (#22547)
+ * [v12] Enable BPF on ARM64 (#22550)
+ * Teleport 12 Videos (#22527)
+ * Add Azure auto-joining (#21087) (#22521)
+ * [v12] Unify x86/ARM64 build process (#22495)
+ * Fix pickDefaultAddr not respecting HTTPS_PROXY (#22492)
+ * Set `create_as_resource` in device-related `tctl` RPCs
+ (#22415) (#22518)
+ * Improve `tsh kube credentials` read operations (#22508)
+ * [v12] SAML IdP audit events. (#22510)
+ * [v12] `lib/usagereporter` refactor and consolidation (#22512)
+ * [v12] Make curl fail on server error when downloading binaries
+ in buildbox (#22380) (#22442)
+ * add known STS endpoint for ap-southeast-4 (#22486)
+ * [v12] Server Access RBAC Docs page (#22500)
+ * Okta local service. (#22434) (#22513)
+ * chore: Bump Buf to v1.15.0 (#22430) (#22472)
+ * [v12] Allow devices writes with resource-like semantics
+ (#22470)
+ * Initial Okta objects. (#22151) (#22431)
+ * [v12] Update to libbpf 1.0.1 (#22424)
+ * Automatically parse entity ID from SAML SP during CLI creation.
+ (#22101) (#22368)
+ * [v12] Add static and dynamic web ui configuration options
+ (#22422)
+ * [v12] feat: add LoginRule methods to api/client (#22426)
+ * [v12] Add docs steps to create machine-id data dir and systemd
+ enablement (#22477)
+ * [v12] Remove non-applicable roles from teleport start --roles
+ reference (#22311)
+ * [v12] Use developer-friendly and precise technical language in
+ docs (#22412)
+ * docs: use approved terminology for desktop access w/ local
+ users (#22418)
+ * [v12] Add CLI doc changes after new client only parameter for
+ tsh version (#22392)
+ * Export runtime traces from tsh (#22406)
+ * [v12] fixes #21970 - remove broken config validation check in
+ scratch mode (#22423)
+ * [v12] sshserver: Correctly handle PuTTY winadj channel requests
+ (#22420)
+ * Docs: Device Trust role and locking support (#21915) (#22416)
+ * [v12] update e-ref (#22381)
+ * Install libbpf 1.0.1 in buildboxes (#22317)
+ * [v12] Update to default k8s deployment docs (#22396)
+ * Update docs Teleport version and golang (#22384)
+ * Add caching to web assets (#22183)
+ * [v12] Connect: Remove resource cache (#22316)
+ * Machine ID readme example script fix (#22394)
+ * Add Azure join method (#22204)
+ * [v12] Bump versions in docker images to 12 (#22375)
+ * Updates to enable merge queue (#22370)
+ * Fix incorrect login options for Windows Desktops
+ (#22118) (#22333)
+ * [v12] Update eref (#22343)
+ * Add WEBASSETS_SKIP_BUILD to Makefile (#22337)
+ * Always include webassets_embed when building teleport (#22339)
+ * Add `isDashboard` to web config object (#20830) (#22329)
+ * [v12] [Web] Add custom element support to SearchPanel (#22325)
+ * Fix SAML IdP service provider CLI bug.
(#22322)
+ * [v12] [web] Move filtering out cloud and tcp apps to the
+ frontend (#22324)
+
+-------------------------------------------------------------------
+Tue Feb 28 07:52:01 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 12.0.4:
+ * Release 12.0.4 (#22321)
+ * Terminate the local shell when a session closes (#22222)
+ * Ignore all node_module paths when running shellcheck lint.
+ (#22233)
+ * [v12] Enable xterm links and clean up MFA modal (#22278)
+ * [v12] Web: Fix regression for not able to create or reset
+ users (#22267)
+ * Mark Proxy Peering as in Preview (#22209)
+ * [v12] helm: allow to set security contexts in
+ `teleport-kube-agent` (#21535)
+ * Format collected data in the device tctl resource nicely
+ (#22198) (#22258)
+ * Fix `disconnect_expired_cert` and `client_idle_timeout`
+ description (#22255)
+ * spell fix kubernetes resource doc (#22259)
+
+-------------------------------------------------------------------
+Tue Feb 28 06:52:22 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 12.0.3:
+ * Release 12.0.3 (#22250)
+ * [v12] Fix Kube impersonation header overwrite when dealing
+ with remote clusters (#22244)
+ * Fix an issue Redis protocol not handling nil response
+ (#22200) (#22228)
+ * preserve explicit local auth disable
+ * Create a generic local backend service. (#22236)
+ * [v12] Adds `kubernetes_resources` references (#22217)
+ * User group API and cache. (#21956) (#22147)
+ * [v12] Provide flag to only display tsh binary version (#22167)
+ * [v12] Extend security context to proxy init container
+ wait-auth-update.
(#22064)
+ * createPtyProcess: Return early on error (#22190)
+ * ClustersService: Remove internal logins when syncing root
+ clusters (#22187)
+ * [v12] Implement tctl resource commands for Device Trust
+ (#22157)
+ * Added 02/23 Upcoming Releases Update
+ * [v12] Add docs for Device Trust tctl commands (#22201)
+ * Inherit `kubernetes_resources` from roles when using access
+ requests to kube_cluster
+ * [v12] Add service for "plugin" resources (#21210) (#22185)
+ * [v12] Add Security-Kerberos Event Log for Desktop
+ Troubleshooting (#22170)
+ * add MFA type and Login flow to register challenge event
+ (#22112) (#22159)
+ * add bypassses for UI GHA's (#22105) (#22141)
+ * Add expire time to SAML session creation. (#22135)
+ * [v12] Add Plugin resource schema, methods (#20990) (#22177)
+ * [v12] Connect: Enable font configuration (#22122)
+ * Update e (#22156)
+ * Spell fix previews page (#22152)
+ * Add in WrapContextWithUserFromTLSConnState. (#22136)
+ * [v12] Bump cloud version to 11.3.4 (#22114)
+ * disable MFA TTL limit for local proxy tunnel (#21661)
+ * [v12] Document silent install of Connect on Windows (#22119)
+ * Clarifications in Okta SSO doc (#22036)
+ * [v12] Docs: update fluentd guide (#22077)
+ * Remove usage of lodash methods (#21567) (#22102)
+ * Discover: install ent image when cluster is enterprise
+ (#22109)
+ * [v12] Install deb/yum repos when using node-join script
+ (#22108)
+ * Ensure UpdateRemoteCluster updates all fields (#22024) (#22088)
+ * fix: improve tsh logs when skipping auto Access Request
+ (#22094)
+ * Add DatabaseService KeepAlive type (#22042) (#22087)
+ * SAML IdP sessions added to the API and cache.
(#22098)
+ * Correctly handle LOCAL command of PROXY protocol v2 in
+ multiplexer (#22092)
+ * Import jest-canvas-mock in teleport tests which import xterm
+ paths (#22074)
+ * Refresh Introduction Page (#21261) (#22032)
+ * [v12] Add non-HA Teleport cluster to Deploy with Helm links
+ (#22039)
+ * Emit usage events for `port`, `kube.request`, `sftp`
+ (#21740) (#22016)
+ * Relay child exit code in g-build (#21898)
+ * [v12] [Web:Discover] Add missing checks (#22029)
+ * Align AWS assume-role request duration with cert expiration
+ (#21670) (#21994)
+ * Support assumed roles for "tsh proxy aws" (#20568) (#21990)
+ * [doc] Update app access reserved headers X-Teleport-*
+ (#21000) (#21993)
+ * [v12] Change init logger to include timestamp for debug level
+ (#21996)
+ * Add minor improvements to `lib/kube/proxy` (#21917)
+ * [v12] Support proxy reading of SAML IdP CA. (#22030)
+ * Mention --mfa-mode in the `tsh mfa add` flow (#22018) (#22034)
+ * [docs] add a note on `rds:DescribeDBClusters` (#22007) (#22025)
+ * Improve formatting for TLS cert requests (#22013)
+ * CI: bypass OS compatibility check for some changes
+ (#21989) (#22021)
+ * [v12] Updates to windows getting started (#22019)
+ * [v12] SAML IdP access checker. (#21955)
+ * Expose access point in web handler. (#21957)
+ * Include Enterprise in output of tctl version for commercial
+ pre-req (#22004)
+ * [v12] Fix Moderated session on leave pause action.
(#21974)
+ * [v12] [Web] Fix missing --request-id= flag in UI for Kubernetes
+ login instructions (#21445)
+ * [v12] Connect: Use SSH server UUID instead of hostname for file
+ transfer (#21962)
+ * [v12] Fix uncaught errors in Desktop's Discover flow (#21756)
+ * Added 02/16 Upcoming Releases Update
+ * Add metrics to track connection ingress (#19734) (#21771)
+ * Switch CodeQL to scheduled (#21942)
+ * Refer to tsh apps subcommand (#21857)
+ * Adjust clientIP/pinnedIP fields according to IP pinning RFD
+ (#21906)
+ * Update Go toolchain to 1.20.1 (#21931)
+ * [v12] Docs/TF: Identity as b64 (#21933)
+ * Docs: Remove Jira Custom Field reference (#21908)
+ * Update role > lock and add missing word." (#21897)
+ * Reduce etcd requests performed by a KeepAlive (#21926)
+ * Update Teleport Enterprise Cloud compare description (#21922)
+ * [v12] Update teleterm README (#21879)
+ * Disable instance heartbeats by default (#21901) (#21905)
+ * [v12] Add docs references to `tsh request search --kind=pod`
+ (#21887)
+ * [v12] Add more info re: AWS credentials to the docs (#21776)
+ * [v12] Include enterprise in tctl prereqs for ent and cloud
+ (#21890)
+ * Initial user group object. (#21657)
+ * [v12] Add SAML query functions to auth preferences. (#21825)
+ * SAML IdP session objects.
(#21758)
+ * [v12] Update troubleshooting docs (#21762)
+ * [v12] Change error response formatting for "/version" endpoint
+ (#21846)
+ * Update download link (#21674)
+ * use Enterprise over Commercial (#21370)
+ * Improve webpack "exclude" expressions (#21663) (#21725)
+ * [doc] allow either role name or full ARN for AWS IAM role
+ db_users (#21240) (#21837)
+ * helm: fix proxy and auth config referring to the same subdict
+ (#21768)
+ * Fixup teleport db configure create (#20968) (#21690)
+ * spell fixes (#21855)
+ * Bump Buf to v1.14.0 (#21842)
+ * Run reviewers check on (un)labeled PR events (#21814) (#21819)
+ * [v12] docs: login rule docs (#21829)
+ * Remove deprecated warning when proxy starts (#21817)
+ * [v12] Move CentOS 7 assets to GitHub repo (#21784)
+ * feat: early feedback for successful security key taps (#21780)
+ * set SessionExpires on new sessions (#21688) (#21733)
+ * [v12] Skip deleting server heartbeats during in-process restart
+ (#21807)
+ * Remove code related to restarting lib/teleterm gateways (#21533)
+ * AWS IAM role matching for database users (#20610) (#21251)
+ * Add device lock support (#21667) (#21751)
+ * [v12] Turn off parallelization of teleterm's integration tests
+ (#21737)
+ * [v12] Remove support for DEBUG_ASSETS_PATH (#21473)
+ * Remove required cluster name when using `tsh kube login --all`
+ (#21765)
+ * [v12] Moderated sessions request is not forwarded into the leaf
+ cluster (#21612)
+ * Role access requests available for all scopes (#21752)
+ * Update docs link to master db access rfd (#21736)
+ * Cache etcd lease ttl (#21496)
+ * Fix linter issues (#21748)
+ * [v12] Update Go toolchain to 1.20 (#21680)
+ * Add Pod resource search web API (#21595)
+ * Update docs version (#21744)
+ * [v12] Make UsageSessionStart report TCP app access separately
+ (#21711)
+ * [v12] Connect: Link to docs in `UsageData` dialog (#21730)
+ * Delete assets/aws/cloudformation directory (#21696)
+ * lib/utils/fs.go: Do not remove lockfiles
on Windows
+ * Update SQL Server library (#21065) (#21638)
+ * Update database config samples (#21480) (#21543)
+ * Change debug commands during discover flow (#21557)
+ * [v12] Ask for job role on the second launch (#21640)
+ * Correct namespace name in k8s doc (#21589)
+ * Remove version warnings for EOL Teleport versions (#21665)
+
+-------------------------------------------------------------------
+Mon Feb 13 15:53:03 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 12.0.2:
+ * Release 12.0.2 (#21679)
+ * Bump cloud version to 11.3.3 (#21672)
+ * Fix kube agent shutdown during upgrades (#21617)
+ * [v12] Updates port validation to restrict to valid port numbers 1-65535 (#21651)
+ * Improve listing resources across clusters (#21003) (#21577)
+ * [v12] Skip deleting database servers on agent shutdown during binary upgrade (#21635)
+ * [v12] Update JS grpc-tools to 1.12.4 (#21532)
+ * capture custom role creation in prehog (#21123) (#21599)
+ * Verify if proxy can handle application requests when creating session (#21615)
+ * Extract entity ID when creating SAML service provider. (#21603)
+ * Allow invalid namespaces in role templates (#21573)
+ * Remove GCB checks (#21593)
+ * [v12] Compare TLS and SSH principals independent of order (#21578)
+ * [v12] Skip device authz when issuing App or Windows certs (#21571)
+ * fix link in troubleshooting guide (#21581)
+ * [v12] Use test IP addresses for auth_proxy_test. (#21576)
+ * Remove unused `CheckResourceUpsertableByError` function (#21562)
+ * refactor db local proxy logic (#21335)
+ * Add field to user cert request (#21474)
+ * Fix k8s docs links (#21553)
+ * Bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp (#21514)
+ * Bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp (#21513)
+ * [v12] Update e-ref (#21547)
+ * [v12] Add SAML IdP service providers to the cache and CLI.
(#21471)
+ * [v12] Improve error message when trying to rename resource (#21179)
+ * [v12] Remove Auth/Proxy instructions from DB guides (#21333)
+ * properly resolve conflict (#21409)
+ * [v12] Update okta.mdx (#21410)
+ * [v12] helm-docs: Separate cert-manager and ACM values for clarity in AWS guide (#21361)
+ * Rename protoEqual and add a big warning (#21505)
+ * [v12] Connect: return logged in user in `ListRootClusters` (#21467)
+ * Run go mod tidy in CI (#21140) (#21482)
+ * Align the Okta and Auth Connector configuration examples in Okta SSO guide (#21475)
+ * [v12] Add in file configuration for the SAML IdP. (#21486)
+ * improve 'tsh scp' error message when no remote path is specified (#21373)
+ * Add `tsh request search --kind=pod` support (#21456)
+ * Removes the "overflow: auto" from StyledXterm (#20868)
+ * fix partial links (#21470)
+ * Reduce CPU usage in enhanced session
+ * update contribute instructions to use major version (#21462)
+ * [v12] [Docs] update Desktop Access introduction for v12 (#21458)
+ * Update the version support table for v12 (#21428)
+ * single-source access control guides list (#21415)
+ * [v12] Move Connect-specific MenuLogin story out of shared package (#21386)
+ * Fix flaky tctl UT - allocate network listener (#21390)
+ * Add RBAC labels for Database Services access (#21093) (#21244)
+ * Enable role-based device authz for DB, k8s and SSH (#20640) (#21432)
+ * [v12] Bump OpenSSL and libcbor (#21425)
+ * [v12] Require flag for dynamic resources matching "tsh db configure create" (#21395)
+ * [v12] Allow role-based device verification in AccessChecker (#20846)
+ * Bump forked go-libfido2 (#21175)
+ * fix k8s docs links (#21414)
+ * Show enterprise installs for Cloud scope MacOS Installs (#19669) (#21368)
+ * Update docs version to 12 (#21418)
+ * [v12] Add missing license headers to files. (#21405)
+ * correct tsh scp docs (#21378)
+ * Docs: AWS RDS Proxy Guide (#21322) (#21401)
+ * [v12] Update security information in docs.
(#21358)
+ * Updated Dronegen for v12 release (#21355)
+ * [v12] Fix the navigation not listening to the back button (#21236)
+ * Spelling fix and app access link fix (#21397)
+ * [v12] Remove deprecated `/webapi/nodes/token` endpoint (#21152)
+ * Add gRPC Kubernetes Service (#21359)
+
+-------------------------------------------------------------------
+Wed Feb 08 08:08:12 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 12.0.1:
+ * Release 12.0.1 (#21372)
+ * Fix operator build (#21369)
+ * fix lint-breaking spacing (#21356)
+ * [v12] Preview Page (#21283)
+
+-------------------------------------------------------------------
+Wed Feb 08 07:53:13 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 12.0.0:
+ Full changelog is available at
+ https://github.com/gravitational/teleport/releases/tag/v12.0.0
+
+ Teleport 12 brings the following marquee features and improvements:
+ - Device Trust (Preview, Enterprise only)
+ - Passwordless Windows access for local users (Preview, Enterprise only)
+ - Per-pod RBAC for Kubernetes Access (Preview)
+ - Azure and GCP CLI support for Application Access (Preview)
+ - Support for more databases in Database Access:
+ - AWS DynamoDB
+ - AWS Redshift Serverless
+ - AWS RDS Proxy for PostgreSQL/MySQL
+ - Azure SQLServer Auto Discovery
+ - Azure Flexible Servers
+ - Refactored Helm charts (Preview)
+ - Dropped support for SHA1 in Server Access
+ - Signed/notarized macOS binaries
+
+ * Azure and GCP CLI support for Application Access (Preview)
+ In Teleport 12 administrators can interact with Azure and GCP APIs through
+ Application Access using `tsh az` and `tsh gcloud` CLI commands, or using
+ standard `az` and `gcloud` tools through the local application proxy.
+ * Support for more databases in Database Access
+ Database Access in Teleport 12 brings a number of new integrations to AWS-hosted
+ databases such as DynamoDB (now with audit log support), Redshift Serverless and
+ RDS Proxy for PostgreSQL/MySQL.
+ On Azure, Database Access adds SQLServer auto-discovery and support for Azure
+ Flexible Server for PostgreSQL/MySQL.
+ * Refactored Helm charts (Preview)
+ The “teleport-cluster” Helm chart underwent significant refactoring in Teleport
+ 12 to provide better scalability and UX. Proxy and Auth are now separate
+ deployments and the new “scratch” chart mode makes it easier to provide a custom
+ Teleport config.
+ “Custom” mode users should follow the migration guide:
+ https://goteleport.com/docs/ver/12.x/deploy-a-cluster/helm-deployments/migration-v12/
+ * Dropped support for SHA1 in Server Access
+ Newer OpenSSH clients connecting to Teleport 12 clusters no longer need the
+ “PubAcceptedKeyTypes” workaround to include the deprecated “sha” algorithm.
+ * Signed/notarized macOS binaries
+ Users who download Teleport 12 Darwin binaries would no longer get an untrusted
+ software warning from macOS.
+ * tctl edit
+ tctl now supports an edit subcommand, allowing you to edit resources directly in
+ your preferred text editor.
+ * Breaking Changes
+ Please familiarize yourself with the following potentially disruptive changes in
+ Teleport 12 before upgrading.
+ - Helm charts
+ The teleport-cluster Helm chart underwent significant changes in Teleport 12. To
+ upgrade from an older version of the Helm chart deployed in “custom” mode, use
+ the following migration guide:
+ https://goteleport.com/docs/ver/12.x/deploy-a-cluster/helm-deployments/migration-v12/
+ Additionally, PSPs are removed from the chart when installing on Kubernetes 1.23
+ and higher to account for the deprecation/removal of PSPs by Kubernetes.
+ - tctl auth export
+ The tctl auth export command only exports the private key when passing the
+ --keys flag. Previously it would output the certificate and private key
+ together.
+ - Desktop Access
+ Windows Desktop sessions disable the wallpaper by default, improving
+ performance.
To restore the previous behavior, add `show_desktop_wallpaper: true`
+ to your windows_desktop_service config.
+
+-------------------------------------------------------------------
+Thu Feb 02 06:59:38 UTC 2023 - kastl@b1-systems.de
+
+- remove non-breakable-space character from changes file
+- Update to version 11.3.2:
+ * Release 11.3.2 (#21121)
+ * Update ec2-tags.mdx (#21115)
+ * Fix MongoDB readHeaderAndPayload BSON max size (#21113)
+ * [v11] Fix direct node dial from WebUI (#20928)
+ * Update docker-compose docs (#21045)
+ * Use CDN links for install node scripts (#20985) (#21057)
+ * [v11] Remove CentOS6 and RHEL6 as valid distros (#20986)
+ * Skip TestBot_Run_CARotation (#20944)
+ * Use `SameSiteNoneMode` for application access cookies (#21049)
+ * Fix data race when closing listener (#21040)
+ * Conditionally build the UI if there are changes. (#20489) (#21018)
+ * [v11] Use the webassets directory at the root of the project for the web ui. (#21016)
+ * remove quotes from messages in makefile (#20740)
+ * Open Support links in UI to new page (#20984)
+ * [v11] Merge backports (#20997)
+ * [v11] Enable building teleport with the new UI location (#20965)
+ * Elasticsearch: explicitly require `--db-user`. (#20695) (#20919)
+ * Use concurrent streams for SFTP connections (#20953)
+ * update docs version (#20973)
+ * Disable disk-based logging for TestResizeTerminal (#20871)
+ * Fix language for try out teleport intro (#20948)
+ * Use a GitHub app for the check and backport workflows (#20873) (#20958)
+ * [v11] Add node and yarn to the buildboxes in preparation for the webapps merge (#20952)
+ * Hardware Key UX fixes (#20949)
+ * Update Rust to 1.67.0 (#20883)
+ * [v11] chore: Bump Buf to v1.13.1 (#20921)
+ * Added 01/26 Upcoming Releases Update
+ * [v11] fix `tsh proxy aws --endpoint-url` (#20880)
+ * Temporarily ignore the web directory when linting for license headers.
+ * [v11] Migrate AppLauncher tests into webapps.
(#1532)
+ * Rearrange buildbox layers for faster updates (#20838)
+ * Use ghcr image for doc tests (#20876)
+ * Update app tests for rewritten headers (#20801)
+ * [v11] Add support for Moderated Sessions in the Web UI (#1540)
+ * [v11] [Discover] Enable mysql flow (#1539)
+ * [v11] feat: login rule audit events (#1537)
+ * [v11] Connect: Add useWorkspaceLoggedInUser (#1536)
+ * [v11] Update eref (#1534)
+ * Decode URL encoded values from AppLauncher's ARN. (#1530)
+ * Update e ref (#1528)
+ * Add --quiet to eslint package.json script (#1510) (#1523)
+ * Update webapps.e reference to latest commit (#1522)
+ * Fix clipboard permissions apparent inconsistency (#1509) (#1513)
+ * Change the application access authentication flow (#1515)
+ * capture additional prehog events (#1508)
+ * [v11] backport #1505 (Revert "Use sessionStorage for Authentication Bearer Token) (#1506)
+ * Add lazy loading for desktop sessions (#1503)
+ * Add lazy loading for session playback (#1502)
+ * Update e ref (#1500)
+ * Make trusted cluster screen hidden based on user roles (#1484) (#1494)
+ * Update Electron to 22.0.0 (#1498) (#1499)
+ * [v11] Discover: Implement Day 1 Database Postgres Flow (#1487)
+ * Update sessionPath value to new endpoint (#1486) (#1492)
+ * [v11] [Connect] requestableRoles and suggestedReviewers on LoggedInUser (#1485)
+ * [v11] Make bundled tsh available outside of Connect (#1488)
+ * Connect: Add missing modal stories, misc modal fixes (#1479) (#1482)
+ * Include session id in Session Uploaded event display (#1476)
+ * awaits the file write and close to avoid data corruption (#1471) (#1472)
+ * Fix websocket close (#1463) (#1470)
+ * [v11] add app access dynamodb event (#1462)
+ * [v11] backport #1275 (Use sessionStorage for Authentication Bearer Token) (#1458)
+ * Adds a status code to the closing of the tdp client's websocket (#1442) (#1455)
+ * [v11] [Connect] Use resourcesList in review access request table (#1456)
+ * Add support for InstanceJoin and BotJoin
audit events (#1414) (#1440)
+ * Update electron-builder to 24.0.0-alpha.5 (#1434) (#1438)
+ * Connect: Use typed URIs (#1394) (#1436)
+ * Fix Connect stories (#1422) (#1435)
+ * Connect: Implement tshd event handlers for db cert renewal (#1383) (#1416)
+ * Add `recoveryCodesEnabled` (#1408) (#1419)
+ * Add subject value to app sessions (#1413) (#1426)
+ * alert convention matches grpc (#1424) (#1425)
+ * [Connect] Async autocomplete (#1406) (#1423)
+ * Fix large file corruption (#1382) (#1421)
+ * capture events from webapps (#1344) (#1411)
+ * Connect: Tell fpm to not use symlinks when building the rpm package (#1407) (#1410)
+ * useAsync: Add support for abort signal (#1377) (#1409)
+ * Update xterm to 5.0.0 (#1400) (#1401)
+ * [v11] backport #1321 (Add checkbox component to design package) (#1393)
+ * Lazy load Telemetry only when needed (#1399)
+ * Fix alerts from not disappearing on route changes (#1395) (#1397)
+ * Display `verb`, `request_path` & `response_code` in `kube.request` events (#1384) (#1391)
+ * [v11] Use a single websocket for SSH connections (#1361) (#1392)
+ * Pass clusterUri rather than documentUri to retryWithRelogin (#1385) (#1386)
+ * [v11] [Connect] Use server side search in resource tables (Advanced Search) (#1381)
+ * [v11] Forward SSH agent (#1366) (#1370)
+ * [v11] Update to Electron 21 (#1351) (#1360)
+ * Fix iterating over null array for sshLogins from fetched nodes (#1356)
+ * [Discover] Refactor SetupAccess Screens (#1310)
+ * Prevent non-https protocol from opening external windows (#1343) (#1345)
+ * Shared Directory Audit Events (#1290) (#1348)
+ * Connect: Set up tshd events server for tshd-initiated communication (#1285) (#1339)
+ * [v11] retryWithRelogin: Enable use outside of document context (#1341)
+ * Show all kinds of active sessions (#1337)
+ * [v11] Log shared process `stdout` and `stderr` (#1046) (#1336)
+ * [v11] Discover: Add back button for `TestConnection` screens (#1329)
+ * Update ensureBaseUrl to use URL
constructors only (#1328) (#1330)
+ * Update ensureBaseUrl conditional (#1320) (#1322)
+ * [v11] Handle private key policy errors and config (#1298) (#1311)
+ * Warn user when desktop is active (#1297) (#1312)
+ * Connect: Use gap instead of margins for