------------------------------------------------------------------- Fri Dec 15 06:33:22 UTC 2023 - Johannes Kastl - update to 14.2.3: * Prevent Cloud tenants from being a leaf cluster. #35687 * Added "Show All Labels" button in the unified resources list view. #35666 * Added auto approval flow to servicenow plugin. #35658 * Added guided SAML entity descriptor creation when entity descriptor XML is not yet available. #35657 * Added a connection test when enrolling a new Connect My Computer resource in Web UI. #35649 * Fixed regression of Kubernetes Server Address when Teleport runs in multiplex mode. #35633 * When using the Slack plugin, users will now be notified directly of access requests and their approvals or denials. #35577 * Fixed bug where configuration errors with an individual SSO connector impacted other connectors. #35576 * Fixed client IP propagation from the Proxy to the Auth during IdP initiated SSO. #35545 ------------------------------------------------------------------- Sat Dec 9 19:51:14 UTC 2023 - Johannes Kastl - update to 14.2.2: * Prevent panic when dialing a deleted Application Server. #35525 * Fixed regression issue with arm32 binaries in 14.2.1 having higher glibc requirements. #35539 * Fixed GCP VM auto-discovery not using instances' internal IP address. #35521 * Calculate latency of Web SSH sessions and report it to users. #35516 * Fix bot's unable to view or approve access requests issue. #35512 * Fix querying of large audit events with Athena backend. #35483 * Fix panic on potential nil value when requesting /webapi/presetroles. #35463 * Add insecure-drop host user creation mode. #35403 * IAM permissions for rds:DescribeDBProxyTargets are no longer required for RDS Proxy discovery. #35389 * Update Go to 1.21.5. #35371 * Desktop connections default to RDP port 3389 if not otherwise specified. #35343 * Add cluster_auth_preferences to the shortcuts for cluster_auth_preference. #35329 * Make the podSecurityPolicy configurable in the teleport-kube-agent chart. #35320 * Prevent EKS fetcher not having correct IAM permissions from stopping whole Discovery service start up. #35319 * Add database automatic user provisioning support for self-hosted MongoDB. #35317 * Improve the resilience of tbot to misconfiguration of auth connectors when generating a Kubernetes output. #35309 * Fix crash when writing kubeconfig with tctl auth sign --tar. #34874 ------------------------------------------------------------------- Fri Dec 1 06:22:19 UTC 2023 - Johannes Kastl - update to 14.2.1: * Fixed issue that could cause app and desktop session recording events to be written to the audit log. #35183 * Fixed a possible panic when downgrading Teleport roles to older versions. #35236 * Fixed a regression issue where tsh db connect to Redis 7 fails with an error on REDIS_REPLY_STATUS. #35162 * Allow Teleport to complete abandoned uploads faster in HA deployments. #35102 * Fixed error when installing a v13 node with the default installer from a v14 cluster. #35058 * Fixed issue with the absence of membership expiry circumventing membership requirements check. #35057 * Added read verb to suggested role spec when enrolling new resources. #35053 * Added more new "Enroll Integration" tiles for Machine ID guides. #35050 * Fixed default installer yum error on RHEL and Amazon Linux. #35021 * External Audit Storage enables Cloud customers to store Audit Logs and Session Recordings in their own AWS account. #35008 * Fixed IP propagation for nodes/bots joining the cluster and add LoginIP to bot certificates. #34958 * Fixed an issue tsh db connect does not give reason on connection errors. #34910 * Updated distroless images to use Debian 12. #34878 * Added new email-based UI for inviting new local users on Teleport Cloud clusters. #34869 * Fix an issue "Allowed Users" in "tsh db ls" shows wrong user for databases with Automatic User Provisioning enabled. #34850 * Fixed issue with application access requests and web UI large file downloads timing out after 30 seconds. #34849 * Added default database support for PostgreSQL auto-user provisioning. #34840 * Machine ID: handle kernel version check failing more gracefully. #34828 ------------------------------------------------------------------- Tue Nov 21 05:58:22 UTC 2023 - Johannes Kastl - update to 14.2.0: * New Features - Advanced Okta Integration (Enterprise Edition only) Teleport will be able to automatically create SSO connector and sync users when configuring Okta integration. - Connect my Computer support in Web UI The Teleport web UI will provide a guided flow for joining your computer to the Teleport cluster using Teleport Connect. - Dynamic credential reloading for plugins Teleport plugins will support dynamic credential reloading, allowing them to take advantage of short-lived (and frequently rotated) credentials generated by Machine ID. * Fixes and Improvements - Access list review reminders will now be sent via Slack #34663 - Improve the error message when attempting to enroll a hardware key that cannot support passwordless #34589 - Allow selecting multiple resource filters in the search bar in Connect #34543 - Added a guided flow for joining your computer to the Teleport cluster using Teleport Connect; find it in the Web UI under Enroll New Resource -> Connect My Computer (available only for local users, with prerequisites) #33688 ------------------------------------------------------------------- Fri Nov 17 06:05:32 UTC 2023 - kastl@b1-systems.de - Update to version 14.1.5: * Increased the maximum width of the console tabs in the web UI. #34648 * Fixed accessing dedicated Proxy Kubernetes port when TLS routing is enabled. #34645 * Fixed tsh --piv-slot custom PIV slot setting for Hardware Key Support. #34592 * Disabled AWS IMDSv1 fallback and enforced use of FIPS endpoints in FIPS mode. #34433 * Fixed incorrect permissions when opening X11 listener. #34617 * Prevented .tsh/environment values from overriding prior set values. #34626 * Changed access lists to respect user locking. #34620 * Fixed access requests to respect explicit deny rules. #34600 * Added Teleport Access Graph integration. #34569 * Fixed cleanup of unused GCP KMS keys. #34468 * Added list view option to the unified resources page. #34466 * Fixed duplicate entries in resources view when updating nodename #34236 #34453 * Allow configuring cluster_networking_config and cluster_auth_preference via --bootstrap. #34445 * Fixed tsh logout with broken key directory. #34435 * Added binary formatted parameters as base64 encoded strings to PostgreSQL Statement Bind audit log events. #34432 * Reduced CPU & memory usage, and logging in the operator, by reusing connections to Teleport. #34425 * Updated the code signing certificate for Windows artifacts. #34377 * Added IAM Authentication support for Amazon MemoryDB Access. #34348 * Split large desktop recordings into multiple files during export. #34319 * Allow setting server labels from tctl. #34137 ------------------------------------------------------------------- Thu Nov 16 14:24:38 UTC 2023 - kastl@b1-systems.de - Update to version 14.1.3: * Security Fixes - [Medium] Arbitrary code execution with LD_PRELOAD and SFTP Teleport implements SFTP using a subcommand. Prior to this release it was possible to inject environment variables into the execution of this subcommand, via shell init scripts or via the SSH environment request. This is addressed by preventing LD_PRELOAD and other dangerous environment variables from being forwarded during re-exec. * [Medium] Outbound SSH from Proxy can lead to IP spoofing If the Teleport auth or proxy services are configured to accept PROXY protocol headers, a malicious actor can use this to spoof their IP address. This is addressed by requiring that the first bytes of any SSH connection are the SSH protocol prefix, denying a malicious actor the opportunity to send their own proxy headers. * Other Fixes & Improvements - Fixed issue where tbot would select the wrong address for Kubernetes Access when in ports separate mode #34283 - Added post-review state of Access Request in audit log description #34213 - Updated Operator Reconciliation to skip Teleport Operator on status updates #34194 - Updated Kube Agent Auto-Discovery to install the Teleport version provided by Automatic Upgrades #34157 - Updated Server Auto-Discovery installer script to use bash instead of sh #34144 - When a promotable Access Request targets a resource that belongs to an Access List, owners of that list will now automatically be added as reviewers. #34131 - Added Database Automatic User Provisioning support for Redshift #34126 - Added teleport_auth_type config parameter to the AWS Terraform examples #34124 - Fixed issue where an auto-provisioned PostgreSQL user may keep old roles indefinitely #34121 - Fixed incorrectly set file mode for Windows TPM files #34113 - Added dynamic credential reloading for access plugins #34079 - Fixed Azure Identity federated Application ID #33960 - Fixed issue where Kubernetes Audit Events reported incorrect information in the exec audit #33950 - Added support for formatting hostname as host:port to tsh puttyconfig #33883 - Added support for --set-context-name to tsh proxy kube - Fixed various Access List bookkeeping issues #33834 - Fixed issue where tsh aws ecs execute-command would always fail #33833 - Updated UI to automatically redirect to login page on missing session cookie #33806 - Added Dynamic Discovery matching for Databases #33693 - Fixed formatting errors on empty result sets in tsh #33633 - Added Database Automatic User Provisioning support for MariaDB #34256 - Fixed issue where MySQL auto-user deletion fails on usernames with quotes #34304 ------------------------------------------------------------------- Thu Nov 09 06:48:36 UTC 2023 - kastl@b1-systems.de - Update to version 14.1.2: * Release 14.1.2 (#34327) * docs: add team scope to automatic updates (#34343) * Document workload ID for AKS for the helm guide (#34323) * [v14] event fanout rework (#33841) * [v14] Add first step of guided flow for Connect My Computer in Discover (#34335) * chore: Bump golangci-lint to v1.55.2 (#34313) (#34336) * [v14] Return server's `subKind` from tshd (#34297) * Fix an issue MySQL auto-user deletion fails on usernames that requite quotes (#34258) (#34304) * [v14] Added Database Automatic User Provisioning support for MariaDB (#34256) * [v14] Add Connect My Computer tile to Discover (#34287) * [v14] Filter dangerous environment variables before reexec (#34274) * [v14] chore: Bump Go to v1.21.4 (#34308) * [v14] Fix an issue auto-provisioned PostgreSQL user may keep old roles indefinitely (#34121) * [v14] Fix Machine ID selection of Kubernetes Access address/port (#34283) * Update e (#34295) * [v14] Link to version-specific docs pages from the support page (#34261) * [v14] Tidy up pointer/value receivers in tbot (#34269) * Replace getPlatform implementation (#34193) * Add missing private key policy field to UserCertificateIssuedEvent.Anonymize. (#34264) * [v14] docs: update Server SSH getting started to SSH video (#34248) * use upgradeEnrollAlertID in error logs (#34219) * [v14] Database Automatic User Provisioning support for Redshift (#34126) * Dynamic Discovery Matchers for Databases (#33693) * Remove nodeCount from Web server and UI (#34216) * fix step number (#34225) * [v14] Special case the subsystems handled by `teleport exec` (#34142) * [v14] include state of access request after review in audit log description (#34213) * Update e reference (#34210) * Web: Ease AWS integration with Discover Flow (#33777) (#34189) * Cherrypick 3b23d9d (#34206) * Fix Teleport update reconciliation on `status` updates (#34063) (#34194) * Fix links in the Predicate Language guide (#34160) * Consolidate context usage for client src/dst addresses into authz package (#34168) * [v14] Add Access List owners to suggested reviewers. (#34131) * docs: add join token in MySQL CloudSQL config (#34155) * Discover Kube Agent: use automatic upgrades version (#34145) (#34157) * [v14] Installer Scripts: use bash instead of sh (#34144) * [v14] [docs] troubleshooting for AWS Access SSM sessions (#34118) * chore: Bump golangci-lint to v1.55.1 (#34048) (#34127) * fix: Use octal mode for Windows TPM files (#34113) * [v14] terraform: Add/restore support for TELEPORT_AUTH_TYPE (#34124) * [v14] Show alert about insufficient permissions in Connect My Computer setup tab (#34064) * [v14] Access Plugins: Support dynamic credential reloading (#34079) * Clean up logging of watcher kinds (#33957) * Improve error messaging when instance is newer than auth (#34083) * [v14] Prevent SSO Redirects to other origins (#34077) * AWS OIDC IdP Configure script: remove region (#34061) * Fix agentless leaf node authorization (#33993) (#34053) * Fix potential SEO issues (#33948) * chore: Bump OpenSSL to 3.0.12 (#34066) * [v14] Connect My Computer: Implement in-app flow after deep link click (#34062) * [v14] Improve styling of the shared `UnifiedResources` component (#34059) * Fix non-interactive kube benchmark (#33560) * [v14] Update permissions required in Slack access request docs (#34047) * Fix Azure Identity federated Application ID (#33960) * [v14] DiscoveryConfig: fix `CheckAndSetDefaults` for matchers (#34024) * [v14] docker `v24.0.7+incompatible` update (#34043) * [v14] Fix discrepancies with dynamo events retention period (#34007) * Fix table alignment in `tctl tokens ls` examples (#34001) * Change deep links to include port number (#34027) * [v14] Make unified resources data fetching mechanism more flexible (#33976) * Unify auth server receiver names (#33994) * [v14] update-SSO-troubleshooting docs (#33897) * Automatically forward some spans from tsh to Cloud (#33329) (#33991) * [v14] Ignore shared aws config not found error (#33933) * [v14] Remove "Preview" designation (#33986) * [v14] Explain template variables wherever they appear (#33977) * [v14] Limit gRPC Active streams (#33985) * Bump github.com/crewjam/saml from 0.4.14-0.20230420111643-34930b26d33b to 0.4.14 (#33500) (#33989) * Ensure upload streams use the correct context (#33978) * Clarify Opsgenie prerequisites (#33970) * [v14] Use the correct error when inspecting Kubernetes session (#33950) * Fix git installation path on CentOS 7 docker image (#33132) * [v14] handle empty lists for yaml and json formatted lists in tctl (#33633) * [v14] docs: Add Docker to the PagerDuty access request plugin (#33829) * [v14] Await peristed state restoration before concluding UI initialization (#33914) * Return predicate failed message in unified resource requests (#33902) * [v14] Update Oracle DB docs and messaging (#33926) * Add a missing trace.Wrap to first time joining errors (#33894) * Fix an issue `tsh aws ecs execute-command` fails (#33833) * [v14] Add suggested reviewers as assingee to servicenow incidents (#33845) * [v14] Require SSH prefix in `router.DialHost` connections (#33729) * Fix flaky test by avoiding session recording test cleanup race condition. (#33906) * [v14] tsh: Add support for host:port combinations to tsh puttyconfig (#33883) * Enforce body size limits for http responses (#33768) (#33859) * [v14] Update docs with database user auto provisioning modes (#33901) * Add missing redirect (#33889) * [v14] Improve UX for headless kube proxy by giving user more time when reissuing expired certificates (#33855) * [v14] Web: Redirect to login upon missing session cookie (#33806) * [v14] Fix Assume Roles switch back, don't delete role if access list is using it. (#33834) * [v14] Refactor unified resources view (#33874) * [v14] Send deep link clicks to frontend app in Connect (#33878) * [v14] Add hosted plugin docs (#33881) * [v14] Parse deep links sent to Connect (#33740) * Disambiguate directory sharing's disabled and inactive states (#33814) * [auto] docs: Update version to v14.1.1 (#33848) * Remove unused docs images (#33268) * Fix title conflict (#33261) * [v14] Update manual AD configuration for desktop access (#33837) ------------------------------------------------------------------- Tue Oct 24 14:15:31 UTC 2023 - kastl@b1-systems.de - Update to version 14.1.1: * Release 14.1.1 (#33843) * [v14] Align titles in the introduction to topic sections, modify Desktop Access reference (#33826) * fix order (#33775) * [v14] Add headless mode to 'tsh proxy kube' (#33783) * Fix the top bar going outside the window (#33821) * docs: update local windows getting started to include all scopes (#33818) * Fix d3-color@3.1.0 breaking tests (#33813) * [v14] docs: reword tctl instructions (#33812) * Check if resource exists before making sort keys to delete (#33766) * [v14] [docs] Automatic user provisioning for MySQL (#33745) * Manually fire OpInit in NodeJoinWait test (#33692) * docs: fix YAML syntax for Grafana header rewrite (#33780) * Machine ID Docs Refactor (#31259) (#33714) * docs: Update service type for ACM deployments in Enterprise (#33774) * Update Jest to v29 and use custom env to expose TextEncoder & TextDecoder (#33741) * Always use lowercase when pinning resources (#33765) * [v14] snowflake/http: Limit Decompressed Request to 10MB (#33764) * Add MySQL auto-user deletion (#33520) (#33710) * remove preview from directory sharing button (#33757) * [v14] Add an Access Request configuration guide (#33756) * Pin d3-color version to ^3.1.0 (#33760) * Remove "Preview" from Resource Access Request page (#33664) * test(db): simplify active connections tests setup (#32923) (#33686) * Upgrade Vite + Vite dependencies (#33566) * Minor docs typo fix (#33589) * Bump rustix from 0.36.5 to 0.36.16 (#33707) * Extend rsync command timeout in tests. (#33673) * Clean up a few log entries (#33644) * Update Node.js to 18.18.2 (#33521) (#33624) * [v14] include url and saml connector name in entity descriptor url errors (#33667) * Extend test timeouts. (#33617) * bump docs to 13.4.3 (#33700) * [docs] add missing database matchers for discovery config reference (#33694) * docs: mention support for multiple AD domains (#33332) * [auto] docs: Update version to v14.1.0 (#33680) * [v14] DiscoveryConfig: WebAPI CRUD (#33380) * [v14] Configure Connect to intercept deep link clicks (#33684) * Update synchronization period in Okta docs. (#33638) * [v14] Add the ability to run a specific tool to Assist. (#33640) * Remove access list from unified watcher (#33685) * Add PostgreSQL auto-user deletion (#32792) (#33570) * [v14] Add docs for Connect My Computer (#33149) ------------------------------------------------------------------- Tue Oct 24 14:01:09 UTC 2023 - kastl@b1-systems.de - Update to version 14.1.0: Security fixes * Updated golang.org/x/net dependency. #33420 - swift-nio-http2 vulnerable to HTTP/2 Stream Cancellation Attack: CVE-2023-44487 * Updated google.golang.org/grpc to v1.57.1. #33487 - swift-nio-http2 vulnerable to HTTP/2 Stream Cancellation Attack: CVE-2023-44487 * Updated OpenTelemetry dependency. #33523 #33550 - OpenTelemetry-Go Contrib vulnerable to denial of service in otelhttp due to unbound cardinality metrics: CVE-2023-45142 * Updated babel/core to 7.3.2. #33441 - Arbitrary code execution when compiling specifically crafted malicious code: CVE-2023-45133 Changelog: * Release 14.1.0 (#33507) * Add private key policy to user login and certificate posthog events. (#33615) * [v14] allow https:// in proxy parameter in tsh (#33646) * docs: include all db protocols in faq and config (#33641) * [v14] docs: Reorganize and revise moderated sessions (#33545) * Add Docker to Slack access request plugin (#33393) * Select examples `api` dependency update (#33595) (#33601) * [v14] Update hardware key support docs (#33650) * Expand access list review audit entry. (#33573) * add security group picker to deployservice step (#33453) * Add Docker to MSFT teams plugin (#33387) * Add Docker to Mattermost plugin (#33390) * Deflake TestChaosUpload (#33610) * [v14] Update e (#33605) * docs: update okta service setup (#33464) * Update e (#33602) * Update generate-eventschema (#33598) * Fix a couple of typos and reword scenario descriptions (#33397) * [v14] Fix issue with ServiceNow incidents not including link to access request (#33593) * [v14] docs: Add timing for automatic agent updates to the cloud FAQ (#33400) * Fix hardware key support for sso web login (#33433) (#33548) * Add Hardware Key login audit event fields (#33254) (#33549) * [v14] Add Access Monitoring Ping Auth Response Feature flag (#33585) * Add nav title & packages for Access Monitoring (#33580) * [v14] Update e (#33530) * [v14] Fix assist audit query prompt (#33581) * [v14] Security Reports (#33459) * Propagate resource revision to/from the backend (#32040) (#33214) * [v14] Show Connect My Computer CTA only if versions are compatible (#33563) * Gracefully handle web socket closure by clients (#33480) (#33529) * [v14] Machine ID: Improve warning/error message when secure symlinks are not available (#33562) * [v14] Allow Bots to submit access request reviews (#33509) * [v14] Fix flaky test `TestWithRsync/with_headless_tsh` (#33557) * Add user certificates generated prometheus metric. (#33476) * [v14] Missed OpenTelemetry Updates (#33550) * docs: Add WinSCP to PuTTY client instructions (#32868) (#33092) * [v14] Prevent remote proxies from impersonating users from different clusters (#33539) * Notify CLI users when access lists need reviews. (#33468) * [v14] OpenTelemetry Updates (#33523) * [v14] Configure custom PIV slot for hardware key support - follow up (#33353) * [v14] AWS OIDC: Only consider Linux/UNIX when listing EC2 instances (#33515) * Update upcoming-releases.mdx (#33525) * Revert private key policy error handling in WebUI (#33237) (#33482) * [v14] Database Automatic User Provisioning support for MySQL (#33379) * [v14] Fix user login state gRPC client upsert. (#33451) * Make privateKeyPolicyEnabled an optional field. (#33481) * Update remaining `google.golang.org/grpc` to v1.57.1 (#33487) * Make initialization of Connect synchronous (#33508) * [v14] Update @babel/core to 7.23.2 and dedupe babel deps (#33441) * [v14] update e (#33493) * Configure custom PIV slot for hardware key support (#31732) (#33352) * [v14] Show resources in Slack notification for access requests (#33264) * Extend handshake read deadline to allow signature operations that require user input to be completed (hardware key touch/pin). (#32921) (#33348) * [v14] Add `pcscd` install instructions for hardware key support (#33376) * Add support for deploy service agent auto updates (#31982) (#33313) * * Use lowercase for sort keys in unified cache (#33475) * [v14] Include 'nextAuditDate' in 'CreateAccessListReview' method (#33485) * fix oidc test race (#33432) * [v14] docs: update macos app remove command to delete dir and correct fips debug container address (#33367) * [v14] Add a duration for starting notifications to access lists. (#33474) * [docs] clarify RDS/Aurora databases getting modified (#33410) * [v14] Prevent double registration of Kubernetes GVK for older Kube clusters (#33402) * [v14] Web: Add notification store (#33381) * Web: add identity management nav section (#33423) * Add usage events for desktop access (#33455) * Wait for nodes to be availble in disconnection tests (#33446) * Use searchAsRoles in unified requests (#33427) * Show Connect My Computer button in empty state in Connect (#33440) * Remove Connect My Computer feature flag (#32850) * Refactor desktop audit event emission (#33316) * [v14] Bump golang.org/x/net Backport (#33420) * Fix an issue `tsh` fails to connect Proxy behind TLS-terminated loadbalancer in separate port mode (#33406) * Add resource pinning to Unified Resource cards (#32980) (#33404) * [v14] PIV refactors (#33349) * [v14] Fix access list audit log formatting (#33383) * Allow access requests to use user login state. (#33350) * join_sessions overrides the deny rule for sessions a user is allowed to join (#33161) * Allow for Windows PKI operations to target a different domain (#33275) * [auto] docs: Update version to v14.0.3 (#33361) * Downgrade `@teleport-access-approver` to `v6` (#33354) * [v14] Pinned Resources backend (#33277) * Remove access lists and members from the cache. (#33322) * Added 10/11 Upcoming Releases Update (#33309) * Make system roles case-insensitive in provision tokens (#33260) * docs: include servicenow and opsgenie in plugin index (#33292) * [v14] docs: Reduce the use of capitalized trusted clusters and a few other fixes (#33310) * Add Docker to email plugin (#33321) * [v14] Add param `extraContainers` to `teleport-cluster` and `teleport-kube-agent` (#33299) ------------------------------------------------------------------- Tue Oct 24 11:52:47 UTC 2023 - kastl@b1-systems.de - skipping non-existent release 14.0.2 - Update to version 14.0.3: * Release 14.0.3 (#33290) * [v14] Remove check that enforces slack oauthProviders are set (#33141) * [v14] Report exit code of rsync processes if they fail in TestWithRsync (#33262) * DiscoveryConfig: init service and add resource to `tctl` (#32399) (#33289) * Update e (#33280) * [v14] re-add agentless node manual installation docs (#32811) * chore: Bump google.golang.org/grpc to v1.57.1 (#33265) * [v14] [buddy] docs: minor typos and improvements in the description of the Teleport Proxy Service (#33184) * [v14] utils.RecursiveChown: Fix for Privilege Escalation due to following symlinks (#33248) * Reword Troubleshooting section in Connect docs (#33201) * Add server troubleshooting to left nav (#33224) * fix watcher setup in oidc test (#33258) * [v14] docs: role definition update and update networking ports info (#33223) * [v14] docs: Caveat for token permissions not scoped to any resource context (#33166) * disable TestHSMDualAuthRotation (#33251) * Backport changes to Restrict Access to Privileged Accounts topic (#33238) * [v14] Fix `tsh kube credentials` when root cluster roles don't allow Kube access (#33210) * [v14] chore: Bump Go to v1.21.3 (#33229) * Yarn replacement version bumps (#33023) * [v14] [docs] Attempt to clarify ElastiCache/MemoryDB auth methods (#33215) * [v14] docs: Add Docker to partials and update the discord access request plugin (#33163) * Fixes emitting wrong events for ec2 discover flow (#33185) * Fix Kubernetes agent updater helm chart reference to bool (#33212) * [v14] Fix Proxy Kube listener behavior regarding PROXY protocol usage (#33135) * DiscoveryMatchers: move checkandset to types package (#32857) (#32959) * [v14] Split RDS Proxy guides per protocol (#33145) * [v14] Header `Connection: close` causes `kubectl` to fail exec (#33172) * Web: Add EC2 name when listing instances in Discover flow (#33179) * [v14] Add support for gap prop to Button (#33196) * Fix self-signed cert validity on macOS systems (#33156) * fix leaf SSH sessions not getting recorded (#33102) * [v14] OneOff Script: use ent build if cluster is Enterprise (#33148) * Add helper for generating request TTL options (#33041) * Track connections to direct dial nodes across clusters (#33045) * Add initial command to session trackers (#33112) * [v14] docs: include info for accessing database audit activity (#33093) * [v14] docs: Draft of troubleshooting topics for Server Access (#32876) * [v14] docs: update fips docker address and internal address listing (#33087) * [v14] Fix --debug flag in Connect & enable devtools in debug mode (#33137) * [v14] Web: add link to CloudShell on EICE/EC2 Discover flow (#33079) * Fix some Rust lint warnings caught by Clippy 1.73.0 (#33098) * [v14] Reliability improvements for HSM tests (#33091) * docs: title zypper enterprise linux install tab (#33074) * [v14] docs: Update HA Terraform reference and add starter cluster reference (#33085) * [v14] Update e ref. (#33066) * [v14] Add cost optimized pagination search for athena (#33007) * [v14] Add the Access List review backend. (#33070) * Update cloud docs to 13.4.2 (#33071) * [v14] AWS OIDC - EICE: improve error when EC2 does not accept SSH connections (#33057) * Update e ref (#32990) * Downgrade Electron to 25.9.0 (#33058) * Fix switch condition in Proxy listeners setup (#32966) * Allow breaker tripped error to be configurable (#33036) * Fix `kubectl log` commands when they refer to deployment instead of pod (#32962) * [v14] chore: Bump Go to v1.21.2 (#33046) * Add in audit review recurrence presets. (#32960) * [v14] chore: Pin golangci-lint and buf, bump buf to v1.27.0 (#33034) * fix: improve reconnection reliability after process reloads (#32807) * Add sort index trees to unified resource cache (#33027) * [v14] chore: Address crypto/elliptic package deprecations (#32929) * update --db-user and --db-name docs (#32888) * Remove unused bloat bypass workflow (#32984) * Track user connections across clusters (#32967) * [v14] Web: Create (re-use) step navigator for general use (#32979) * Added 10/04 Upcoming Releases Update (#32981) * Fix desktop listener PROXY mode setting (#32937) * Web build: fix circular dep warnings (#32975) * [v14] Yarn dependency upgrades (#32977) * [v14] `removeSecure()` should close the file before removing it on Windows (#32963) * [v14] Special case TestOpenFileLinks on macOS (#32957) * update cloud docs to 13.4.0 (#32951) * Bump zod from 3.21.2 to 3.22.3 (#32954) * Update error message on GitHub OSS (#32914) * [v14] Connect My Computer: Improve copy and UI consistency (#32890) * MenuIcon: Support arbitrary icon through Icon prop (#32889) * Update e (#32931) * Add new methods to AccessResourcesGetter interface (#32862) * [v14] docs: change open source/OSS references to community edition (#32877) * [v14] Replace Access Plane with Access Platform (#32878) * Bump webpki from 0.22.1 to 0.22.2 (#32883) (#32907) * [v14] docs: Add how to verify the binaries are FIPS-compliant #32169 (#32882) * [v14] Pin Teleport Terraform Provider to Teleport major version (#32898) * [v14] Fix max_duration when session TTL is short (#32817) * [v14] puttyconfig: Switch to string-based Validity format and deprecate MatchHosts (#32856) * [v14] Add the internal access list review resource. (#32861) * [v14] docs: update tctl tsh version location in prereqs (#32858) * [v14] docs: remove old versions ref (#32865) * Convert `examples/teleport-usage` to use distroless image (#32666) * Sort cloud label names to the back (#32691) * Use Proxy gRPC API when creating tracing client (#32663) * Use Proxy gRPC API during log in (#32662) * Prevent Kube proxy from set the default Kube impersonation headers (#32848) * Add support for Client ID to Azure VM auto-discovery (#32800) * Use a context with a different scope for diagnostic trace upload (#32838) * Update e ref (#32812) * Add connection information to multiplexer logs so it's easier to investigate (#32738) * [v14] DiscoveryConfig: add service with rbac support (#32719) * add usage events for eice discover (#32815) * [v14] Check to make sure defaultAllowRules matches preset roles. (#32793) * Added 09/27 Upcoming Releases Update (#32680) * Improve RDS MySQL IAM auth error message (#32803) * Add promoted access list title to teleterm access request (#32717) * [v14] Improve Connect My Computer UI & logout experience (#32791) * [v14] Fix remote pool of signed certs when exec into leaf clusters (#32768) * [v14] Improve explanation of `TBOT_GITLAB_JWT` config in GitLab guide (#32797) * [v14] Fix data race in Postgres engine on connection close (#32783) * [auto] docs: Update version to v14.0.1 (#32621) * [v14] Properly apply `client_idle_timeout` to database access sessions (#32720) * [v14] Add access request promotion state and suggestion API changes (#32710) * allow teleport to start when some etcd nodes are unreachable (#32779) * Cut CI unit test runtime in half (#32774) * conditionally show assist popover (#32267) (#32765) * [v14] fix: Fix panic on `tsh device enroll --current-device` (#32756) * add eice discover flow (#32760) * [v14] Web: Add disabled state to RadioGroup and add new icon (#32758) * [v14] Add Access Review gRPC service methods and messages. (#32549) * bump e (#32752) * Fix the in-product link to trusted cluster docs (#32749) * Remove reference to use a load balancer (#32695) * Leverage marketing params on Discover (#31648) (#32515) * [v14] Make spacing of Connect My Computer status more consistent (#32736) * docs: helm updates (#32705) * [v14] docs: update Teleport Team prereqs (#32697) * DiscoveryConfig: add service and client (#32562) * [v14] Web: Extract re-usable parts and add new icons (#32713) * Connect My Computer: Agent compatibility fixes (#32477) (#32648) * Update e (#32722) * [v14] Update config reference for proxy_protocol field. (#32667) * Fix label name mismatch (#32569) * [v14] Fixed issue where prerelease container image tags can overwrite production container image tags (#32701) * [v14] docs: remove multi level claim reference (#32673) * Drain unused SSH channels (#32676) * Fix usage of ClusterName from config when starting Auth server (#32682) * [v14] Connect: Add --debug flag, don't pass --insecure flag in dev mode by default (#32657) * remove docs for deprecated flags (#32670) * Fix overflow in dropdown menu (#32647) * Move `lib/utils/prompt` to `api/utils/prompt` (#32334) (#32576) * [v14] [docs] DB access troubleshoot sts:AssumeRole not authorized (#32661) * Bump graphql from 16.6.0 to 16.8.1 (#32635) * [v14] Fix Access List Members cache and eventing. (#32649) * [v14] fix: Let users without a useable device issue register challenges (#32430) * Fix enterprise version check (#32554) (#32631) * Update the supported versions table for v14 (#32585) * Make UUIDs used in test helpers less random (#32564) * [v14] Update copy of Connect My Computer setup & misc improvements (#32565) * Simplify LockTarget.IsEmpty implementation (#32607) * Added 09/26 Upcoming Releases Update (#32599) ------------------------------------------------------------------- Tue Oct 24 11:44:42 UTC 2023 - kastl@b1-systems.de - Update to version 14.0.1: * Release 14.0.1 (#32611) * Fix issue Teleport Connect Kube terminal throws internal server error (#32612) * Fix install-linux.mdx (#32586) * docs: oracle guide steps (#32582) * Remove mention of reversetunnel_connected_proxies (#32572) * [v14] docs: add faq answer for using oss or ent release for agents (#32520) * [v14] Remove non-file path links from partials (#32234) * ExtendWebSession: Update roles on req.ReloadUser (#32541) * Correct grammar error in PagerDuty integration notification (#32537) * Use cluster name from ServerIdentity for Auth multiplexer (#32352) * athena: configure limits in examples (#32543) * [v14] Add support for Protobuf Enums into Operator CRDs (#32557) * Add alignSelf to Button (#32561) * Remove Preview from Connect title bar (#32560) * [v14] Bump UI Role version to `v7` (#32341) * fix(regular): combine static and dynamic labels for session metadata (#32382) * [v14] Connect My Computer: Add progress bar to the setup screen (#32475) * [v14] DiscoveryConfig: add proto and gRPC methods (#32313) * `compareSemVers` should return 0 if values are equal (#32459) * [v14] Updated packer version to fix tag builds (#32526) * Update getting started (#32517) * docs: Flip Github connector examples for OSS vs Commercial (#32507) * Add posthog events for discovered Kubernetes Apps (#32379) * [v14] Update reduce-blast-radius.mdx (#32397) * Dynamically generate unifiedId (#32263) * Fill in missing CHANGELOG info (#32416) * [v14] docs: remove v10 references (#32491) * [v14] docs: helm install agent updates (#32503) * [v14] docs: Root access is insecure: draft for expanded security admin topics (#32423) * [v14] Update e ref. (#32496) * [v14] Allow sudoer files to be created separately from host user creation (#32400) * Remove gravitational/configure dependency (#32487) * Fix incorrect CA in Machine ID database access guide (#32465) * Add small delay to display shimmer boxes (#32482) * [v14] Refresh resources after Connect My Computer setup (#32484) * [v14] docs: remove duplicate warning (#32478) * [v14] Secure File Removal Improvements (#32435) * [v14] Prevent duplicate Access List owners. (#32481) * Connect My Computer: Store agent logs (#32044) (#32458) * pgbk: remove CREATE PUBLICATION (#32474) * Enforce use of IMDSv2 for AMI builds (#32418) * Fix bugs with GCP project ID + default installer (#32316) * docs: remove guidance on version warning older then v11 (#32408) * Move Discovery Matchers to their own files (#32368) * Connect My Computer: Keeping compatibility promise (#31951) (#32394) * [v14] docs: Oracle Audit Logs (#32282) * [v14] ci: clarify failure on `go mod tidy` (#32389) * [v14] Provide error message if process file is unavailable due to permissions for teleport start (#32348) * Upgrade TypeScript to 5.2.2 (#32375) * [v14] Connect My Computer: Remove the agent (#32369) * [v14] Add initial ServiceNow plugin docs (#32268) * Application access header rewrites should be a list (#32340) * [v14] Remove unused servicenow rotation code and rotas from recipient (#32363) * Add interactive tonal primary colors (#32007) (#32319) * [v14] Fix repeated ServiceAccount in `teleport-kube-agent` chart (#32338) * [v14] Update e (#32366) * Add Access List usage events, emit event for userloginstate Generator. (#32297) * post-release: update the docs version (#32308) * [v14] Define and add `IneligibleStatus` fields for access list members and owners (#32278) * Update token parameter description to be consistent (#32330) * [v14] pgbk: docs for change_feed_conn_string and warning against OLAP workloads (#32283) * Fix issues in Azure VM auto-discovery docs (#32317) * Implement waiting for Connect My Computer node to join cluster (#32295) * Allow including only traits when doing a JWT rewrite (#32291) * Move Upcoming Releases to v14 (#32300) * docs: include SLES install with zypper repo in ent install (#32305) * docs: update version (#32292) * [docs] fix Postgres auto-user provisioning role group (#31967) * [v14] Add initial servicenow plugin (#32131) * [v14] Execute time-bound graceful shutdowns on `SIGINT`/`SIGTERM`. (#32189) * Fix double counting of auth server (#32270) ------------------------------------------------------------------- Tue Oct 24 09:46:50 UTC 2023 - kastl@b1-systems.de - Update to version 14.0.0: very large changelog, please check it here: https://github.com/gravitational/teleport/releases/tag/v14.0.0 Breaking changes and deprecations * SSH node open dial no longer supported Teleport 14 no longer allows connecting to OpenSSH servers not registered with the cluster. Follow the updated agentless OpenSSH integration guide to register your OpenSSH nodes in the cluster’s inventory. You can set TELEPORT_UNSTABLE_UNLISTED_AGENT_DIALING=yes environment variable on Teleport proxy to temporarily re-enable the open dial functionality. The environment variable will be removed in Teleport 15. * Proxy protocol default change Starting from version 14, Teleport will require users to explicitly enable or disable PROXY protocol in their proxy_service/auth_service configuration using proxy_protocol: on|off option. Users who run their proxies behind L4 load balancers with PROXY protocol enabled, should set proxy_protocol: on. Users who don’t run Teleport behind PROXY protocol enabled load balancers, should disable proxy_protocol: off explicitly for security reasons. By default, Teleport will accept the PROXY line but will prevent connections with IP pinning enabled. IP pinning users will need to explicitly enable/disable proxy protocol like explained above. See more details in our documentation. * Legacy deb/rpm package repositories are deprecated Teleport 14 will be the last release published to the legacy package repositories at deb.releases.teleport.dev and rpm.releases.teleport.dev. Starting with Teleport 15, packages will only be published to the new repositories at apt.releases.teleport.dev and yum.releases.teleport.dev. All users are recommended to switch to apt.releases.teleport.dev and yum.releases.teleport.dev repositories as described in installation instructions. * Cf-Access-Token header no longer included with app access requests Starting from Teleport 14, the Cf-Access-Token header containing the signed JWT token will no longer be included by default with all app access requests. All requests will still include Teleport-JWT-Assertion containing the JWT token. See documentation for details on how to inject the JWT token into any header using header rewriting. * tsh db CLI commands changes In Teleport 14 tsh db sub-commands will attempt to select a default value for --db-user or --db-name flags if they are not provided by the user by examining their allowed db_users and db_names. The flags --cert-file and --key-file for tsh proxy db command were also removed, in favor of the --tunnel flag that opens an authenticated local database proxy. * MongoDB versions prior to 3.6 are no longer supported Teleport 14 includes an update to the MongoDB driver. Due to the MongoDB team dropping support for servers prior to version 3.6 (which reached EOL on April 30, 2021), Teleport also will no longer be able to support these old server versions. * Symlinks for ~/.tsh/environment no longer supported In order to strengthen the security in Teleport 14, file loading from home directories where the path includes a symlink is no longer allowed. The most common use case for this is loading environment variables from the ~/.tsh/environment file. This will still work normally as long as the path includes no symlinks. * Deprecated audit event Teleport 14 deprecates the trusted_cluster_token.create audit event, replacing it with a new join_token.create event. The new event is emitted when any join token is created, whether it be for trusted clusters or other Teleport services. Teleport 14 will emit both events when a trusted cluster join token is created. Starting in Teleport 15, the trusted_cluster_token.create event will no longer be emitted. ------------------------------------------------------------------- Thu Oct 19 05:46:50 UTC 2023 - kastl@b1-systems.de - Update to version 13.4.4: * Release 13.4.4 (#33622) * Select examples `api` dependency update (#33595) (#33599) * Expand access list review audit entry. (#33572) * add security group picker to deployservice step (#33454) * [v13] Add support for deploy service agent auto updates (#31982) (#33311) * Add Docker to Slack access request plugin (#33392) * [v13] docs: Reorganize and revise moderated sessions (#33546) * Deflake TestChaosUpload (#33611) * [v13] Update e (#33606) * docs: update okta service setup (#33465) * Add Docker to MSFT teams plugin (#33386) * Add Docker to Mattermost plugin (#33389) * docs: Fix a couple of typos and reword scenario descriptions (#33398) * docs: Add agent updates follow the cluster upgrade to the FAQ (#33401) * Remove sending tracingContext in NewClientConn (#33584) * [v13] OpenTelemetry Update Backport (#33551) * Gracefully handle web socket closure by clients (#33480) (#33532) * Allow Bots to submit access request reviews (#33375) (#33510) * [v13] Prevent remote proxies from impersonating users from different clusters (#33540) * Notify CLI users when access lists need reviews. (#33469) * [v13] Missed v13 golang backport updates (#33527) * Update e (#33531) * [v13] AWS OIDC: Only consider Linux/UNIX when listing EC2 instances (#33514) * [v13] Update e (#33526) * fix oidc test race (#33431) * [v13] Fix user login state gRPC client upsert. (#33450) * [v13] Bump `google.golang.org/grpc` to v1.57.1 (#33488) * [v13] Update @babel/core to 7.23.2 and dedupe babel deps (#33442) * Update e (#33494) * [v13] Add `pcscd` install instructions for hardware key support (#33377) * Web: Fix passing in color to wrong field name (#33489) * [v13] Include 'nextAuditDate' in 'CreateAccessListReview' method (#33484) * [v13] Add a duration for starting notifications to access lists. (#33473) * [v13] docs: update macos app remove command to delete dir and correct fips debug container address (#33368) * [docs] clarify RDS/Aurora databases getting modified (#33411) * [v13] Web: Add notification store (#33382) * Add usage events for desktop access (#33456) * Web: add identity management nav section (#33409) (#33425) * [v13] Bump for word-wrap and semver (#33452) * Allow for Windows PKI operations to target a different domain (#33276) * [v13] Bump golang.org/x/net Backport (#33447) * Remove "aurora" engine from db fetcher (#30572) (#33236) * Refactor desktop audit event emission (#33336) * Fix an issue `tsh` fails to connect Proxy behind TLS-terminated loadbalancer in separate port mode (#33407) * [v13] Fix access list audit log formatting (#33384) * Allow access requests to use user login state. (#33351) * join_sessions overrides the deny rule for sessions a user is allowed to join (#33160) * [auto] docs: Update version to v13.4.3 (#33360) * Remove access lists and members from the cache. (#33324) * docs: include servicenow and opsgenie in plugin index (#33293) * Add Docker to email plugin (#33320) ------------------------------------------------------------------- Thu Oct 12 06:03:55 UTC 2023 - kastl@b1-systems.de - Update to version 13.4.3: * Release 13.4.3 (#33291) * Add param `extraContainers` to `teleport-cluster` and `teleport-kube-agent` (#32953) (#33300) * Update e (#33281) * Backport changes to Restrict Access to Privileged Accounts topic (#33255) * [v13] [buddy] docs: minor typos and improvements in the description of the Teleport Proxy Service (#33183) * Add server troubleshooting to left nav (#33222) * [v13] utils.RecursiveChown: Fix for Privilege Escalation due to following symlinks (#33247) * Reword Troubleshooting section in Connect docs (#33202) * fix watcher setup in oidc test (#33259) * [v13] docs: Add Docker to partials and update the discord access request plugin (#33168) * [v13] docs: role definition update and update networking info (#33225) * Disable golangci-lint action cache (#30780) (#33240) * [v13] chore: Bump Go to v1.20.10 (#33230) * Fixes emitting wrong events for ec2 discover flow (#33186) * [v13] [docs] Attempt to clarify ElastiCache/MemoryDB auth methods (#33216) * [v13] docs: Caveat for token permissions not scoped to any resource context (#33165) * [v13] Fix `tsh kube credentials` when root cluster roles don't allow Kube access (#33211) * Fix Kubernetes agent updater helm chart reference to bool (#33213) * Yarn replacement version bumps (#32982) (#33024) * Fix --debug flag in Connect & enable devtools in debug mode (#33204) * [v13] Split RDS Proxy guides per protocol (#33146) * Web: Add EC2 name when listing instances in Discover flow (#33178) * [v13] Add support for gap prop to Button (#33199) * [v13] fix leaf SSH sessions not getting recorded (#33104) * [v13] OneOff Script: use ent build if cluster is Enterprise (#33147) * Fix self-signed cert validity on macOS systems (#33157) * Add initial command to session trackers (#32947) (#33113) * [v13] docs: update fips docker address and internal listing (#33088) * [v13] docs: include info for accessing database audit activity (#33094) * [v13] Web: add link to CloudShell on EICE/EC2 Discover flow (#33078) * Fix some Rust lint warnings caught by Clippy 1.73.0 (#33097) * Update e (#33105) * Add promoted access list title to teleterm access request (#32718) * docs: title zypper enterprise linux install tab (#33075) * Add the Access List review backend. (#33069) * [v13] Add cost optimized pagination search for athena (#33006) * Update cloud docs to 13.4.2 (#33072) * [v13] Access request promotion (#33029) * [v13] Update e ref. (#33067) * Downgrade Electron to 25.9.0 (#33059) * Allow breaker tripped error to be configurable (#32869) (#33037) * [v13] chore: Bump Go to v1.20.9 (#33047) * Correct typo in Makefile. (#33052) * [v13] chore: Move golangci-lint and buf to GHA, bump versions (#33038) * Add in audit review recurrence presets. (#32961) * [v13] Track user connections across clusters (#32996) * Web: Create (re-use) step navigator for general use (#32939) (#32985) * Web: fix passing in color into wrong field (#32992) * Web build: fix circular dep warnings (#32976) * [v13] `removeSecure()` should close the file before removing it on Windows (#32964) * update cloud docs to 13.4.0 (#32950) * Bump zod from 3.21.2 to 3.22.3 (#32955) * Update error message on GitHub OSS (#32915) * Update e (#32935) * [v13] Fix: Add access list field to web usercontext ACL (#32917) * [v13] docs: Draft of troubleshooting topics for Server Access (#32875) * [v13] Replace Access Plane with Access Platform (#32879) * Change Open source and OSS to Teleport Community Edition (#32884) * Bump webpki from 0.22.1 to 0.22.2 (#32883) (#32906) * MenuIcon: Support arbitrary icon through Icon prop (#32891) * Pin Teleport Terraform Provider to Teleport major version (#32897) * re-add agentless node manual installation docs (#32813) * Add the internal access list review resource. (#32864) * [v13] docs: update tctl tsh version location in prereqs (#32859) * [v13] docs: remove old versions ref (#32866) * Cut CI unit test runtime in half (#32851) * Use Proxy gRPC API when creating tracing client (#32664) * [v13] [docs] DB access troubleshoot sts:AssumeRole not authorized (#32660) * Use a context with a different scope for diagnostic trace upload (#32837) * Add connection information to multiplexer logs so it's easier to investigate (#32739) * add usage events for eice discover (#32617) (#32816) * [v13] Check to make sure defaultAllowRules matches preset roles. (#32794) * Improve RDS MySQL IAM auth error message (#32802) * [v13] Improve explanation of `TBOT_GITLAB_JWT` config in GitLab guide (#32796) * [v13] Update Okta SDK to v2.20.0 (#32782) * add eice discover flow (#32202) (#32766) * [auto] docs: Update version to v13.4.1 (#32606) * allow teleport to start when some etcd nodes are unreachable (#32778) * conditionally show assist popover (#32267) (#32764) * [v13] fix: Fix panic on `tsh device enroll --current-device` (#32757) * Web: Add disabled state to RadioGroup and add new icon (#32762) * move aws region selector to shared and add types and endpoints (#32096) (#32754) * [v13] fix: Let users without a useable device issue register challenges (#32668) * bump e-ref (#32759) * Fix the in-product link to trusted cluster docs (#32750) * [v13] Leverage marketing params on Discover (#31648) (#32514) * Web: Extract re-usable parts and add new icons (#32529) (#32716) * Remove reference to use a load balancer (#32693) * [v13] Add Access Review gRPC service methods and messages. (#32548) * docs: helm updates (#32732) * docs: update Teleport Team prereqs (#32700) * Properly apply `client_idle_timeout` to database access sessions (#32485) (#32725) * Add textTransform override for resource launch buttons (#32686) * Add alignSelf to Button (#32641) * Update e (#32723) * Fix label name mismatch (#32570) * [v13] Fixed issue where prerelease container image tags can overwrite production container image tags (#32703) * [v13] docs: remove multi level claim reference (#32674) * Fix usage of ClusterName from config when starting Auth server (#32683) * Drain unused SSH channels (#32677) * [v13] Connect: Add --debug flag, don't pass --insecure flag in dev mode by default (#32656) * Fix overflow in dropdown menu (#32646) * Add PROXY header getter to the grpc proxy client (#32178) * Move `lib/utils/prompt` to `api/utils/prompt` (#32334) (#32577) * [v13] Fix `TestEC2Hostname` (#32665) * Bump graphql from 16.6.0 to 16.8.1 (#32636) * Fix enterprise version check (#32554) (#32633) * Fix Access List Members cache and eventing. (#32651) * Update the supported versions table for v14 (#32584) * Simplify LockTarget.IsEmpty implementation (#32608) * Fix install-linux.mdx (#32587) - skip non-existent release 13.4.2 ------------------------------------------------------------------- Wed Sep 27 04:37:00 UTC 2023 - kastl@b1-systems.de - Update to version 13.4.1: * Release 13.4.1 (#32594) * [v13] Remove unused FIPS infrastructure (#32539) * Remove mention of reversetunnel_connected_proxies (#32573) * [v13] docs: add faq answer for using oss or ent release for agents (#32521) * Add gRPC error interceptors to API client. (#31009) * Correct grammar error in PagerDuty integration notification (#32538) * [v13] Add support for Protobuf Enums into Operator CRDs (#32556) * fix(regular): combine static and dynamic labels for session metadata (#32383) * Allow sudoer files to be created without host users (#32404) * `compareSemVers` should return 0 if values are equal (#32315) (#32462) * [v13] Updated packer version to fix tag builds (#32527) * docs: helm install agent updates (#32508) * docs: Flip Github connector examples for OSS vs Commercial (#32506) * [v13] Update reduce-blast-radius.mdx (#32396) * [v13] docs: Root access is insecure: draft for expanded security admin topics (#32424) * [v13] docs: remove v10 references (#32492) * [v13] Update e ref. (#32497) * Remove gravitational/configure dependency (#32488) * Secure File Removal Improvements (#32260) (#32437) * [v13] docs: remove duplicate warning (#32479) * [v13] Prevent duplicate Access List owners. (#32480) * Fix incorrect CA in Machine ID database access guide (#32466) * [v13] Improve AWS CLI Access performance by caching AWS session credentials (#32414) * Fix data race when calling Uploader's `Close` and `Serve` simultaneously (#30360) (#32395) * Enforce use of IMDSv2 for AMI builds (#32419) * Support AWS EC2 IMDSv2 for installer and inventory metadata (#31134) * docs: remove guidance on version warning older than v11 (#32410) * [v13] Use the instance role for the upload completer (#32346) * [v13] Provide error message if process file is unavailable due to permissions for teleport start (#32349) * [v13] ci: clarify failure on `go mod tidy` (#32390) * Upgrade TypeScript to 5.2.2 (#32376) * Application access header rewrites should be a list (#32339) * Add interactive tonal primary colors (#32007) (#32320) * [v13] Fix repeated ServiceAccount in `teleport-kube-agent` chart (#32337) * [v13] update e (#32367) * Add Access List usage events, emit event for userloginstate Generator. (#32298) * Make access list membership check fn public (#31355) (#32362) * [v13] Define and add `IneligibleStatus` fields for access list members and owners (#31857) (#32279) * Bump UI Role version to `v6` (#32335) * Update token parameter description to be consistent (#32331) * pgbk: docs for change_feed_conn_string and warning against OLAP workloads (#32079) (#32284) * Allow including only traits when doing a JWT rewrite (#32290) * docs: include SLES install with zypper repo in ent install (#32306) * [docs] fix Postgres auto-user provisioning role group (#31968) * Fix double counting of auth server (#32269) * [auto] docs: Update version to v13.4.0 (#32276) ------------------------------------------------------------------- Thu Sep 21 04:39:02 UTC 2023 - kastl@b1-systems.de - Update to version 13.4.0: * Release 13.4.0 (#32179) * [v13] Revise desktop access-Active Directory script-driven (#32156) * Leave access intact if access list has not been reviewed by review date. (#32261) * Fix the userloginstate generator if the user has no traits. (#32258) * [v13] Omit WithError for "proxy already claimed" (#32242) * Fix variable in Azure AD docs (#32247) * [v13] convert protobuf's zero time into go's zero time (#32127) * Add access list to default allow editor preset role (#32253) * Add systemd instructions to the Jamf Pro guide (#32244) * docs: include postgresql in ha docs (#32239) * Prevent zombie sessions being left behind for web sessions (#32200) * Fix incorrcect use of apostrophe in discover UI (#32149) * Stop implicitly loading global tsh config on Windows (#32223) * Validate SAMLIdPServiceProviders ACS endpoints (#32220) * Verify expected token properties in WithProvisionTokenAuth. (#32215) * Manually create the users HOME rather than letting useradd do it (#32210) * [v13] pgbk: specify the schema name in wal2json's add-tables (#32198) * Respect MongoDB max message size (#31963) (#32144) * chore: Bump OpenSSL to 3.0.11 (#32160) * [v13] AWS OIDC: command to configure IAM for listing databases (#31980) * Update e (#32177) * [v13] docs: Trusted cluster root certificates for access to leaf clusters security issue (#32152) * [v13] docs: rewrite trusted clusters overview, how-to, and related topics (#32154) * [v13] support discovered name match in tbot outputs (#32111) * Web: Fix user signup flow and auto focus login form transition issues (#31510) (#31965) * Add btmp support for user accounting (#32054) * Add error to Attempt in useAsync (#32118) * helm: fix deletion hook serviceAccount in the agent chart (#31877) * Update helm-deployments.mdx (#32041) * [v13] Fix Kubernetes selected cluster (#32087) * [v13] tsh kube ls ux (#32084) * [v13] handle discovery renaming when listing resource in `tctl` text … (#32083) * [v13] Deflake `TestListKube` (#32082) * Updated OS package repo docs (#31541) (#32103) * Fix issues in GCP auto-discovery docs (#31826) (#31976) * docs: mention how to register a Windows desktop with tctl (#31986) * fix awsoidc tests (#32003) * Prevent trusted clusters in Cloud (#31874) * [v13] Apply various small BPF refactors (#31995) * Remove unused bot_token.create event (#31973) * Upgrade node-abi to 3.47.0 (#31960) * Fix focus background in passwordless user prompt in Connect (#31934) * correct tsh recording command description (#31949) * Make LogWriter's not implemented error message more obvious (#31930) * [v13] pgbk: add change_feed_conn_string option (#31938) * [v13] WebAPI: Include new DB RDS fields (vpc and subnet) (#31817) * [v13] Fix directory sharing for non-ascii directory names (#31924) * Fix typo in HSM docs (#31910) * Ignore Vagrant folder (#31908) * [v13] Fix JSON marshalling for Audit struct (#31329) * [v13] Add AccessList with member upserting functionality (#31608) * Web: Add new supported aws region (il-central-1) to selector (#31840) * Update Electron to 26.2.1 (#31802) (#31860) * [v13] document OIDC connector 'max_age' field (#31887) * Extend EC2 joining for `Okta`, `Discovery` and `MDM` services (#31894) * [v13] AWS OIDC - List RDS: add Subnet and VPC for aurora clusters (#31879) * [v13] Update e ref. (#31884) * return an error when attempting to join a session of an OpenSSH node (#31844) * Add access list audit events. (#31443) (#31872) * [v13] Use builtin auth checker for upsert app server. (#31782) * [v13] Validate unknown AWS regions from discovery matchers (#31830) * Expose aggregating.ClearAlert() for use by e (#31848) * athena: modify time range when query with keyset (#31864) * [v13] AWS OIDC: Set up integration with a single command (#31790) * Wait for headless watcher to initialize in tests instead of using a retry mechanism. (#30060) (#31851) * [v13] docs: Rough draft of troubleshooting for apps (#31823) * Update config.json (#31820) * Update upcoming-releases.mdx (#31807) * add device enroll and license limit event to prehog (#31779) * Increase timeout on usage event check (#31785) * [v13] Bump github.com/jackc/pgx/v5 to a real release (#31795) * [v13] AWS OIDC - List SecurityGroups: add Inbound and Outbound Rules (#31624) * Validate desktop names (#31766) * fix: device trust enroll current device command (#31757) * Switch from `mozilla.org/pkcs7` to `digitorus/pkcs7` (#30704) (#30717) * Remove internal access list object members field in spec. (#31665) * Make the WebAuthn error message a bit more explicit (#31632) * [v13] Kubernetes External Joining: `static_jwks` implementation (#30225) (#31703) * Increase lock release timeout in RunWhileLocked (#31742) * [v13] [buddy] docs: Machine ID with ansible, use CanonicalDomain (#31734) * [v13] pgbk: derive ID from revision (#31692) * [v13] integrations/operator: Add pprof support (#31707) * [v13] differentiate discovered resource names (#30456) * Increase timeout on usage event assertions (#31726) * [v13] [Docs] Update documentation for max duration feature in access requests (#31680) * Improve logging for the upload completer (#31571) * [v13] Docs: Update terraform docs to 13.3.8 release (#31696) * Deflake TestTeleportProcessAuthVersionCheck (#31710) * Use the regions in teleport config instead of ENV for bootstrap (#31701) * Update the auto-discovery and discovery installers to support SUSE (#31428) * [v13] Upgrade Node.js to v18 (#31626) * Fix incorrect autofill in safari (#31611) * React to version updates faster (#31651) * [v13] Update e ref. (#31639) * Remove members from access list spec. (#31635) * Make `TestIntegrations/ReconcileLabels` a unit test (#31124) (#31594) * Make internal changelog links relative (#31305) * [v13] Edit the app access DynamoDB guide (#30781) * [v13] helm: Optionally add publicAddr to cert-manager certificate requests (#31603) * Adds default Github API urls to SSO connector. (#31480) * post-release: specify base branch for docs PR (#31499) (#31575) * Make sure Teleport sessions use the user login state. (#31363) (#31614) * [v13] Deflake `TestIntegrations/Discovery` (#31595) * fix terminal resizing (#31586) * Fix typo in teleport-kube-agent Chart Reference (#31536) * docs: minor updates to aws opensearch and azure sql server guides (#31531) * [v13] Ensures the canvas stays at a fixed size (#31524) * Perform rate limiting on all user-initiated LLM calls in assist (#31438) (#31567) * Fix not being able to search for locks in table (#31581) * docs: update docker image versions (#31562) * [v13] Bump cloud version (#31551) * remove margin on OIDC/SAML connectors (#31503) * [v13] update ToolTipNoPermBadge component (#31488) * Edit Server Access intro guide architecture info (#31493) * [v13] Azure HA Teleport deployment guide (#31501) * [v13] chore: Bump Go to v1.20.8 (#31506) * [auto] docs: Update version to v13.3.8 (#31473) * [v13] Update download links on support page (#31492) * AWS OIDC - DeployService: add optional Security Groups (#31268) * [v13] pgbk: partial backports #31358 #31426 (#31449) * [v13] docs: use branch link instead of master (#31467) * docs: include sudo for example commands (#31463) * docs: Fix typo in JSON (#31452) * [v13] docs: include ent cloud version for faq question on sso (#31455) ------------------------------------------------------------------- Wed Sep 06 05:23:21 UTC 2023 - kastl@b1-systems.de - Update to version 13.3.8: * Release 13.3.8 (#31442) * Added 08/31 Update (#31301) * desktop discovery: unmap IPv6 addresses (#31434) * fix: Skip known bad asset tags on Windows (#31412) * [v13] Update device trust docs (#31328) * MySQL: avoid tiny writes to improve performance in read-heavy scenarios (#31402) * Periodically refresh Azure cloud credentials (#31164) * Periodically refresh Azure cloud credentials (#31164) * AWS OIDC - List EC2: add instance id as label (#31436) * Update product change log link (#31424) * Fix webauthnwin c types size (#31420) * Preserve query params in cross-cluster app redirect. (#31379) * [v13] AWS OIDC: List Security Groups (#31272) * Update e (#31384) * Remove note about canceled requests not being supported (#31318) * [v13] docs: describe dedicated account dashboard for ent (#31336) * Fix plugin screen not wrapping tiles (#31365) * AWS OIDC EICE: fix connection set up (#31209) (#31362) * Web: return user traits with getUser request (#31331) * [v13] skip motd in UI if request initiated from tsh headless auth (#31205) * Recommend writing the client secret to a file (#30954) * bump eref (#31308) * [v13] docs: add prompt field definition for OIDC auth connector (#31294) * [v13] docs: update db getting started and mongodb atlas (#31299) * [docs] update TLS routing curl test with --no-alpn (#31239) * [v13] [buddy] Add an optional PodMonitor to the teleport-kube-agent chart (#31247) * [v13] docs: update labels documentation (#31110) * Fixed typo in error message for terminal params (#31288) * Clarified default cryptographic primitives (#31263) * Add known STS endpoint for il-central-1 (#31282) * use active db cert principals when available (#31250) * Fix the access list lockName in the backend service. (#31290) * docs: use variables for proxy addresses in Kube access (#31241) * post-release: pass GITHUB_TOKEN for gh CLI use (#31225) (#31280) * UsageEvents: add OpenSSH EC2 Instance Connect Endpoint Nodes (#31266) * AWS OIDC - List RDS: add VPC ID (#30971) (#31274) * Move the `tsh` config file guidance (#30953) * [v13] Refactor IsOwner/IsMember and use AccessListMember object. (#31234) * Allow configurable Okta service synchronization duration. (#31251) * [v13] Ensure access list data integrity. (#31233) * docs: update version (#31221) * [v13] AWS OIDC: Create EC2 Instance Connect Endpoint (#31198) * Fix ui trace forwarding (#31223) * [v13] tctl acl command uses separate member calls. (#31212) * [v13] Remove dead KNNRetriever class (#31189) * [v13] Fix flaky tests (#31163) * Fix flaky tsh export test (#31167) * [v13] Don't set additional groups on darwin (#31152) ------------------------------------------------------------------- Tue Sep 05 14:18:59 UTC 2023 - kastl@b1-systems.de - Update to version 13.3.7: * Release 13.3.7 (#31172) * Allow Azure/IAM join over reverse tunnel (#31000) * [v13] wait for disconnect in tests (#31160) * docs: include sudo for db configure create examples (#31049) * docs: mention that the GitHub connector requires team slugs, not display names (#31154) * Use Amazon EICE to connect into EC2 instances (#30632) (#31021) * add custom theme and logos (#30823) (#31149) * Fix Oracle Windows Path Separator (#31129) * fix unbackported breakpoints (#31151) * Get accessInfo based on user on access request drop (#31136) * Update headless modal to show both Reject and Cancel (#31135) * Use 127.0.0.1:3080 as Vite default proxy target (#31148) * add feature hiding license flag (#30083) (#30936) * Respect `[HTTP(S)|NO]_PROXY` envs when dialing directly to Kube via SPDY (#30624) (#31133) * [v13] Dynamic identity file reloading support for API Client (#31076) * add OSS CTA for auth connectors (#30713) (#31083) * docs: update version (#31064) * docs: update cloud version (#31079) * ci: Use "post-release" environment in update-docs post-release workflow (#30937) * Fix flaky test TestDatabaseRootLeafIdleTimeout (#31100) * [v13] AWS OIDC: Add StateMessage and DashboardLink to List EICE (#30949) * [v13] oss CTAs for support, access reqs & moderated sessions (#31030) * docs: add page on revoking access (#30682) * [v13] Fix leaking connection monitor instances. Expand comment with a warning. (#31042) * Web: Add calendar icon, export select style, and add type to validation rule (#30817) (#31036) * Add access list members to the cache. (#30837) (#30919) ------------------------------------------------------------------- Tue Sep 05 14:07:46 UTC 2023 - kastl@b1-systems.de - Update to version 13.3.6: * Release 13.3.6 (#31031) * Ensure that DNS errors in desktop discovery fail fast (#31032) * [v13] docs: include example service account JSON in the Google workspace guide (#30807) * Remove exported webauthn test functions. (#31008) * Improve proxy address sourcing for VM auto-discovery (#31001) * Fetch metadata for heartbeat in background (#30999) * Additional safety with `X-Forwarded-Host` handling (#30980) (#31027) * bump e (#31012) * Fix flaky TestResizeTerminal (#30983) * [v13] Reduce memory leakage in API client caused by `otelgrpc` interceptors (#30991) * [v13] AWS OIDC: Configure IAM for EC2 Instance Connect Endpoint (#30948) * Added PostgreSQL enablement to documentation (#31006) * [v13] Use the most recent user object for the bot generation label. (#30996) * Issue certficate for desktop connection before actual connection (#30963) * [v13] helm: Use cert-manager secret or tls.existingSecretName for ingress when enabled (#30984) * docs: update version (#30959) * Flesh out the Application Access intro (#30958) * Add package manager Enterprise install steps (#30777) * Add secure credentials for API client tests (#30518) (#30870) * docs: update agent joining when to use (#30961) * [v13] Remove ScopedBlocks from the docs (#30805) * [v13] Metrics: expose install method counter (#30683) * Add `DeleteClusterMaintenanceConfig` for terraform (#30667) * reduce alert log spam (#30849) (#30904) * Fix access list enterprise tests. (#30931) * Expose AuthorizeContextWithVerbs. (#30917) * [v13] Changes to Discord plugin for running in hosted mode. (#30826) * [v13] Include consistent installation info (including Helm) across Access Request plugin docs (#30449) * Set cloud version to v13.3.4 (#30926) * Update eks helm guide for AWS PCA (#30633) * [v13] Include file option description in token, session-id parameters (#30928) * Emit event for auto-discovered VMs (#29285) (#30923) * [v13] Add in the next audit date to access lists. (#30912) * List EC2 instances: add subnet id field (#30692) (#30897) * [v13] Add preset device trust roles (#30908) * [v13] Machine ID: Support for JSON log formatting (#30763) * [v13] Add FeatureRecommendationEvent to Prehog (#30875) * add option to force re-authentication for OIDC connectors (#30877) * crdgen: handle OIDCConnectorSpecV3.MaxAge as a special case (#30879) ------------------------------------------------------------------- Tue Sep 05 13:40:29 UTC 2023 - kastl@b1-systems.de - Update to version 13.3.5: * Release 13.3.5 (#30832) * [v13] Update access duration logic and tests for dry run requests (#30885) * [v13] Update the docs UI reference (#30857) * docs: remove default designation in cloud proxies (#30868) * Update e ref (#30848) * Respect `[HTTP(S)|NO]_PROXY` envs when dialing directly to Kube (#30583) (#30615) * [v13] [buddy] 🐛 issue #30400 fixing missing billing_mode param in teleport-cluster helm chart fo dynamodb autoscaling (#30841) * [v13] Web: Remove all cap and bolding for LabelInput used with inputs (#30845) * AWS OIDC - DeployService: use debug log level for service (#30606) * fix (#30824) * feat(helm/teleport-kube-agent): custom annotations in the Secret (#30838) * [v13] Embedded Assist SSH (#30811) * ci: Pass secrets from post-release to update-ami-ids (#30754) * Update e (#30814) * Add in access list member backend and gRPC methods. (#30800) * Add required title to access list resource (#30782) * [v13] docs: updates to cloud api docs (#30801) * Add a link to Teleport Labs in the landing page (#30482) * fix typo in s3 completemultipartupload metric (#30710) * Added Week of 08/17 Update (#30625) * [v13] AWS OIDC: List EC2 Instance Connect Endpoints (#30752) * Drop etcd from buildbox (#30700) (#30765) * Generate user login state from access lists and integrate into certificates. (#29364) (#30628) * Add `--current-device` capabilities to `tsh` (#30636) (#30702) * [v13] Enable limited Access Requests feature for the Team plan (#29866) (#30570) * [v13] Fixed an issue with `tsh aws ssm start-session` (#30668) * Ensure the correct stderr is used for ssh sessions (#30684) * [v13] Split up the CLI reference (#30371) * [v13] docs: include openssh instrs for jetbrains setup (#30470) * Correct DynamoDB table config instructions (#30675) * Web: Add access_list rule to usercontext and access list related icons (#30564) (#30658) * Drop gcloud SDK from buildbox (#30640) (#30696) * Drop custom gRPC chain functions (#30685) * docs: update gitlab and azuread sso docs (#30680) * [v13] Review Requests: prevent reviews after request is resolved (#30690) * Update docs version automatically (#30670) * [v13] Add initial servicenow client (#30611) * Deflake `TestNodeWatcher` tests (#30676) * [v13] Add initial rough opsgenie docs (#30609) ------------------------------------------------------------------- Tue Sep 05 13:27:27 UTC 2023 - kastl@b1-systems.de - Update to version 13.3.4: * Release 13.3.4 (#30666) * Remove exported Webauthn functions (#30420) (#30650) * [v13] Fix node equality check in embedding processor (#30325) (#30608) * Begin separating access list members from access list resources. (#30627) ------------------------------------------------------------------- Tue Sep 05 13:16:56 UTC 2023 - kastl@b1-systems.de - Update to version 13.3.3: * Teleport Release 13.3.3 (#30614) * Add Teleport agent pod readiness checks to docs (#30362) * Discovery service panics on GKE clusters without labels (#30643) (#30647) * Isolate MFA prompt into a new package (#30379) (#30599) * Deflake discovery tests (#30474) (#30641) * Make TestWebClientClosesIdleConnections more stable (#30637) * [v13] Add user login state to the cache. (#30219) * Add Teleport Connect to Headless docs. (#30594) * [v13] Add `teleport_proxy_db_active_connections_total` gauge. (#30604) * Build version checker - multiple fixes (#30580) (#30595) * [v13] bump e ref (#30613) * [v13] [docs] TLS routing FAQs (#30610) * events emitter: improve logging on failed emits (#30185) * [v13] small change to tsh error messages (#30575) * bump e (#30592) * [v13] Add Teleport Connect to Headless docs (#30476) * [v13] fix forwarding a SSH agent in a Cygwin environment (#30582) * [v13] fix `tsh db connect` and `tsh proxy db` with logged in certs (#30563) * update tsh db env/config ux (#30571) * [v13] Partially backport: add metrics for database service (#28150, #30121). (#30429) * Work around go-ldap's lack of errors.Is support (#30560) * update onboarding UI styles (#29917) (#30558) * [v13] Re-add ServerInfo reconciler with better backend performance (#30495) * [v13] discover personalization (#30557) * docs: correct double quotes in tctl devices add example (#30559) * Discover RDS: remove aurora engine (#30548) * OneOff: add success message (#30540) * [v13] Remove temporary type aliases from `lib/auth/webauthn` (#30551) * Teleport Connect headless approval - Skip Confirmation (#29875) (#30475) * [v13] Database Service to validate URL of database resources from Discovery Service (#30462) * Semver version validation (#30538) * pam: free conversation buffer on error (#30521) * [v13] [Docs] Teleport Team getting started, Fix comparison pointer to Teleport Enterprise/Enterprise Cloud (#30430) * [v13] docs: hsm minor corrections (#30506) * [v13] Update e ref. (#30502) * [v13] Remove `lib/auth/webauthn` dependency from `webauthncli` (#30498) * Fix PIV support for tsh proxy kube and Teleport connect (#30205) (#30477) * docs: update faq for proxy recording mode support (#30491) * Refactor AWS db mocks (#30086) (#30461) * Redirect directly to Okta apps from proxy. (#30489) * chore: Bump golangci-lint to v1.54.1 (#30435) (#30483) * [v13] Update 11 eol date (#30467) * Fix SAML certificate decoding when data is padded (#30450) * Improve LDAP desktop discovery (#30383) * fix: Explicitly mention OTPs on tsh/Windows logins (#30444) * integrations/access: Make the plugins exit when the connection breaks instead of retrying infinetly and hanging (#30039) (#30431) * [v13] Fixed "user is not managed" error when accessing ElastiCache and MemoryDB (#30353) * [v13] Adjust indentation in Assist YAML conf reference (#29195) (#30375) * [v13] Adds Discord settings to API types. (#30316) * [v13] chore: Bump Buf to v1.26.1 (#30329) * Error if users attempt to do `tsh login --headless` (#30298) (#30307) * Mention Discord and ServiceNow integrations on previews page (#30373) * [v13] Document `jwt_claims` app rewrite option (#30366) * Version ID check on Amazon Linux2023/rhel installs (#30310) * Set network restrictions static fields upon update (#30324) * AgentMetadataEvent: add AWS OIDC Deploy Service install method (#30328) * [v13] Add device authentication event to prehog (#30303) * Fix AccessDenied not recognized for MemoryDB/RSSL API calls (#30286) * [v13] EC2 Instance Connect Endpoint: List EC2 Instances (#30258) * [v13] Add option to configure JWT claim rewriting (#30280) * Added 08/10 Upcoming Releases Update (#30283) * changelog: Update distroless debug image name (#30305) * Fix resources being deleted from Firestore on update (#30287) * Fix desktop access connecting to direct dial nodes (#30275) * chore: Bump gci to v0.11.0 (#30228) (#30261) * chore: Bump golangci-lint to v1.54.0 (#30222) (#30265) * [v13] Adjust max session duration in web sessions (#30153) * Fix matcher AssumeRoleARN not appied to DiscoveryResourceChecker (#30260) * docs: update version (#30257) * [v13] Add a quick note about AWS and FIPS (#30240) * Support auditing chunked SQL Server packets (#29228) (#30243) * integrations/access: fix infinite retry on already resolved requests (#30231) * Add in the access list tctl command. (#30238) * chore: Bump golang.org/x/net to v0.14.0 (#30234) * [v13] docs: use a consistent intro in the DB guides (#30204) * Promote EKS and AKS discovery to GA (#30209) * [v13] refactor label string formatting (#30223) * [v13] Allow host users to be created with a specific UID or GID (#30178) * Add in paginated access list endpoint. (#30132) * [v13] Use distinct prompts during Windows WebAuthn registration (#30215) * [v13] [Docs] Fix the table of contents and edit content (#30067) ------------------------------------------------------------------- Tue Sep 05 11:30:56 UTC 2023 - kastl@b1-systems.de - Update to version 13.3.2: * Release 13.3.2 (#30192) * Revert "Add discovery-side label reconciler" (#30198) * [v13] integrations/operator: Fix a bug that caused ProvisionToken.spec.github.allow rules to be ignored (#30179) * Add the `hcl` label to Terraform snippets (#30147) * EC2 Instance Connect Endpoint: HTTP endpoint to create Nodes (#29370) (#30189) * Backported OS repo publishing changes to v13 (#30154) * [v13] Tests: run `lib/integration` and `lib/auth/integration` (#30173) * fix: Save device keys on os.UserCacheDir (#30177) * [v13] Add initial auto approval flow for opsgenie plugin (#30161) * [v13] Improve "tsh kube login" message for proxy behind l7 lb (#30174) * docs: update version (#30162) * AWS configurator support for OpenSearch (#30085) * Refactor database `DiscoveryResourceChecker` (#30056) * Add support for templating to kube's `--set-context-override` (#30157) * [v13] dronegen: Build Teleport Connect for amd64 push build (#30021) * [v13] Bumps `e` version to include hosted Jira integration (#30117) * [Docs] Add the max-duration role option to documentation (#30148) * [v13] [buddy] Allow setting storage class name for auth component (#30145) * Add imagePullSecrets to predeploy tests (#30142) * Ensure Helm deployment guides match the sidebar (#30007) * Use test server context to ensure headless watcher is closed once the test completes. (#30138) * Add docs for the new Slack helm chart values (#30130) * List supported URI schemas in the audit error messages (#30080) * Stablize backend test suite (#30074) * [v13] Changes to the Jira plugin required to run as a hosted integration (#30040) * [v13] Add GCP auto-discovery docs (#30052) * update e-ref (#30069) * Backport #29757 to branch/v13 (#30015) * [v13] docs: document browser env var for tsh (#30057) * [v13] Improve backend `testKeepAlive` (#30053) * [v13] Stop piping child process output into logger only after close (#30025) * chore: Bump Buf to v1.25.1 (#30046) * bump e (#30045) * [v13] Fix authorization rules to the Assistant and UserPreferences service (#29961) * add oss support for existing user onboard survey (#29535) (#29983) * [v13] Add Kubernetes Access FAQ and Troubleshooting docs (#29857) * Drop subtests from `addOneOfEachMFADevice` helper (#30036) * [v13] Tighten discovery service permissions (#29994) ------------------------------------------------------------------- Fri Aug 04 06:29:52 UTC 2023 - kastl@b1-systems.de - Update to version 13.3.1: * Release 13.3.1 (#30016) * Update e (#30012) * [v13] [Mattermost] Lax requiring recipients and set raw recipients on cfg init (#30009) * Fix `tool.tsh.common.TestKube/list_kube` flaky test (#29998) * Added Prometheus metric for created access requests (#29761) (#29991) * Fix rough edges with usage script (#29982) * Add Prometheus metrics to Kubernetes Access (#29363) (#29970) * pgbk: ensure TOASTed values in the change feed (#29975) * [v13] WebDiscover: Enable auto deploy and skip IAM policy screen on condition (#29978) * [v13] WebDiscover: Partially implement auto deploy database server view (#28629) * Hardware Key Support docs - additional troubleshooting info (#29147) (#29956) * Use enum to describe `IAMPolicyStatus` instead of a bool (#29721) (#29951) * [v13] ci: Fix post-release calling update-ami-ids (#29886) * [v13] Add Kubernetes/Helm instructions to the RDS guide (#29920) * terraform-agent-pool: Fix token provisioning and add expiry (#29943) * fix: Bump libcrypto version in pkgconfig files (#29947) * [v13] Add Headless Polling to Teleport Connect (#28975) * [v13] docs: add client tools download section (#29891) * propagate tctl verbose flag (#29870) * docs: update version (#29884) * [v13] Postgres and Azure Blob Storage backend docs (#29912) * Add support for deleting proxy resources to tctl (#29903) * chore: Bump openssl to 3.0.10 (#29876) (#29908) * [v13] chore: Bump Go to 1.20.7 (#29904) * web: Ignore .swc directory when computing web SHA (#29897) * Postgres: reduce logging level for individual messages. (#29847) * [v13] Add docs on how to impersonate Kubernetes ServiceAccounts (#29868) * lib/teleterm TestStart: Increase timeout, improve error handling (#29852) ------------------------------------------------------------------- Wed Aug 02 07:11:14 UTC 2023 - kastl@b1-systems.de - Update to version 13.3.0: * Release 13.3.0 (#29796) * ALPN upgrade with custom X-Teleport-Upgrade header (#29683) (#29829) * [v13] Link to example Login Rules from Login Rules guide (#29802) * [v13] Vendors Discord plugin source into Teleport (#29841) * refactor(services): skip ad validation for rds proxy mssql (#29233) * fix race condition where a headless watcher subscriber would overwrite a more recent update. (#29617) (#29838) * [v13] Explain how to start new services on an agent (#29653) * docs: include gke in Kube Discovery config list (#29758) * [v13] fix tsh db connect with active mysql cert (#29826) * [v13] Fix tsh db login exact db name (#29825) * bump e ref (#29821) * [v13] docs: simplify Terraform sections and convert to steps. (#29714) * Update e (#29817) * add backwards compatibility for listing apps (#29816) * display survey for existing users (#29378) (#29713) * assist: add classification code and emit even on execution (#28492) (#29811) * [v13] Long living approval (#29754) * assist: Refactor token counting (#29753) * Fix data race in TestAuth_RegisterUsingToken (#29756) * [v13] update e ref (#29747) * [v13][tctl] Adds option to write tarred `tctl auth sign` output to stdout (#29666) * docs: document strings.split for Login Rules (#29748) * use correct session recording mode in session start and end events (#29584) (#29689) * docs: update version (#29723) * helm: add azure support (#29734) * [v13] Add shield alert icon (#29570) * Bump Helm version in the buildbox (#29739) * docs: Content fixes regarding SOC 2 (#29740) * [v13] Fix Kubernetes Legacy Proxy heartbeats (#29738) * Add GCP VM auto-discovery (#28562) (#29612) * Hold Auth init lock for the duration of initialization (#29706) * update e ref (#29719) * [v13] docs: include mfa session option for ssh access control (#29602) * [v13] Postgres backend and Azure session storage backport (#29705) * Fix `create_host_user_mode` role reference (#29707) * [v13] [Docs] Test and edit How to contribute to documentation topic (#29642) * bump docs to 13.2.3 (#29691) * Update SQL Server guides to mention `sqlcmd` as default CLI (#29543) (#29644) * Added 07/27 Upcoming Releases Update (#29696) * chore: Bump Buf to v1.25.0 (#29701) * Fix MachineID not working behind L7 LB (#29692) (#29700) * fix: Drop custom OS checking in device authn (#29629) * Attempt to deflake TestLockInForce (#29681) ------------------------------------------------------------------- Thu Jul 27 06:27:58 UTC 2023 - kastl@b1-systems.de - Update to version 13.2.5: * Release 13.2.5 (#29668) * [docs] Fixes ACM helm example (#29573) ------------------------------------------------------------------- Thu Jul 27 04:42:16 UTC 2023 - kastl@b1-systems.de - Update to version 13.2.4: * Release 13.2.4 (#29663) * [v13] Add support for Amazon Linux 2023 to installer script and Discover UI (#29654) * fix (#29577) * Clarify auto upgrades docs (#29211) (#29507) * [v13] Add device owner and trusted device IDs to protos (#29639) * [v13] Allow creating a admin `ClusterRoleBinding` (#29559) * Update Operator CRDs and add a Lint check to prevent drifts (#29554) * Fix NPD when the table status has an unspecified billing mode (#29634) * Update e (#29637) * [v13] Port and refactor Mattermost from teleport-plugins (#28989) (#29549) * Remove upgrade suggestion alerts (#29631) * Speed up Auth initialization (#29257) (#29571) * Add CLI options for OpenSearch autodiscovery config. (#28147) * [v13] feat: Login Rule support for email.local and regexp.replace (#29611) * [v13] Vendors in `jira` access plugin source (#29548) * Athena: Support maxUniqueDaysInSingleBatch (#29604) * Switch to upstream x/crypto (#28929) (#29601) * Add --silent flag to teleport node configure command (#29587) * feat(tctl): make `--type` parameter required for `auth crl` command (#29591) * [v13] etcd client pool (#29586) * [v13] Describe using dynamic resources for DB Service HA (#29542) * [v13] update tsh db resource selection (#29163) * [v13] Changes to ordered and unordered lists for lint warnings (#29265) * [v13] Docs: Update OIDC SSO Guide (#29408) * [v13] Displays warning when SSO is used and username specified (#29504) * docs: update chart v12 migration to remove footgun (#29564) * Defer setting up enhanced recording until after PAM has completed (#29578) * [v13] Document DynamoDB backend billing_mode option (#29359) * adds public web addresses to self-signed cert (#29568) * Add api ver to path in opsgenie client (#29553) * docs: version update (#29492) * Fix GCP joining for Machine ID in v13 (#29563) * [v13] Athena: accept events without timestamp (#29383) * athena: support dynamo keyset for migration (#29452) * Display friendlier errors when an invalid login is provided (#29273) (#29473) * feat: support resource requests via tctl * [v13] Docs: Jamf Pro (#29534) * bump e on v13 (#29537) * docs: minor updates for setting up TLS on Windows Server 2012R2 (#29327) * Fix a panic in the S3 uploader (#29470) * [v13] Introduce the `UpdateAndSwapUser` function (#29477) * web: clean up auth connector page (#29404) * [v13] Add billing_mode option to the DynamoDB backend so pay_per_request or provisioned billing can be configured (#29351) * [v13] Change how we cache the keys in backend.Reporter (#29330) * [v13] `GenerateToken` should call `CreateToken` not `UpsertToken` (#29391) * Remove dependency of etcd from tctl (#29377) (#29394) * EC2 Instance Connect Endpoint: add aws metadata to Nodes (#29316) (#29407) * [v13] add onboarding survey (#29397) * Update e (#29400) * Filter out cluster ID in Connect logs (#29387) * [v13] Use the examples directory for example plugin code (#29152) * Remove gateways on logout (#29388) * [v13] fix database dynamic labels (#29373) * tctl: fix error reporting when server is down (#29322) * Add Connect ads to tsh login and tsh proxy db (#29302) * [v13] Moves tsh login browser parameter as env var (#29287) * add saml apps to webui apps list (#28041) (#29371) * Add in user login state. (#29365) * Add GCP instances client (#28561) (#29333) * Add discovery-side label reconciler (#27476) (#29334) * [v13] tctl users add: Point towards `users update` on AlreadyExists err (#29343) * Make prettier a dev dep of root package.json (#29355) ------------------------------------------------------------------- Thu Jul 20 05:47:54 UTC 2023 - kastl@b1-systems.de - Update to version 13.2.3: * Release 13.2.3 (#29308) * v13: dronegen: Switch linux-based push builds to GitHub (#29297) * [v13] Fix nil user group entries. (#29326) * [v13] update discovery labels (#29269) * Remove access list gRPC service from OSS, introduce owner/member checks. (#29289) * [v13] ALPN handshake test to account "unadvertised ALPN" error (#29312) * Upsert ServerInfos from discovery service (#27475) (#29277) * [v13] Restores default API endpoint for PagerDuty plugin (#29295) * [v13] Record os_build_supplemental in the DeviceProfile (#29263) * v13: [ci] Change macOS GHA runner to `macos-latest-xl-arm64` (#29282) * [v13] Docs: clarify the value of 'host' key where needed (#28800) * [v13] Add an audit event for creating provisioning tokens (#29105) * Fix proxy protocol support for Kube access flow (#29268) (#29274) * AWS DBs Heartbeat: return IAM status (#28952) (#29196) * Add the AccessList to the cache. (#29270) * update config reference docs (#29236) * [v13] Introduce AccessList gRPC service and calls. (#29255) * [v13] Add ServerInfo and label API (#29237) * docs: update github sso instructions for self-hosted to use new parameters (#29258) * Clean up access list protos, add in conversion functions tests. (#29254) * Access list backend service and marshal/unmarshal. (#29253) * [v13] Introduce Access List internal object. (#29252) * Fix reference to azure identity in GCP app (#29209) * Introduce the Access List object. (#29251) * add semicolon (#29154) * docs: update version (#29217) * Define the GetDevicesUsage RPC (#29089) (#29227) * Fix certbot installation in AMI (#29103) * upgrader monitoring and alerts (#28951) (#29206) * [v13] Document --port and --login in `tsh config` (#29199) * [v13] Allow custom enroll token expiration time (#29213) * [v13] provide warning on tsh sso login with Teleport user specified (#29221) * [v13] Fix lint warning, make these unordered lists (#29160) * Support non-gogo objects for auth service events. (#29207) * Add ServerInfo type (#25281) (#29162) * [v13] Clarify API GetDatabases vs GetDatabaseServers (#29136) * [v13] Add assist fields to configuration reference (#29110) ------------------------------------------------------------------- Mon Jul 17 05:32:22 UTC 2023 - kastl@b1-systems.de - Update to version 13.2.2: * Release 13.2.2 (#29161) * [v13] Allow login and port to be specified when using `tsh config` to generate openssh configs (#29113) * fix mutualtls textarea (#29091) * Reduce embedding period to 20 minutes (#29153) * Edit forScopes configurations and edit guides (#28742) * [v13] assist: support recording non-interactive forwarded sessions (#29137) * [v13] Docs: Refresh Azure AD SSO Guide (#29138) * upload completer: suppress stack trace for access denied errors (#29078) * [v13] tsh recordings export session-id desc update (#29128) * [v13] [docs] add proxy_service.trust_x_forwarded_for option (#29117) * [v13] [doc] database labels reference (#29118) * [v13] Allow relative file URIs to `sqlite` (#29130) * [v13] v13.2.2 Assist backports (#29125) * Extend DatabaseSessionStart posthog event (#28931) (#29106) * [v13] resolveNetworkAddress: Listen for `close` instead of `exit`; Fix FailedApp theme (#29108) * [v13] [Assist] UI tweaks (#29067) * docs: version update (#29096) * Remove session condition from Firestore events query (#29114) * [v13] Allow configuring number of parallel execution workers (#29061) * chore: Bump Buf to v1.24.0 (#29120) * tsh play error handling (#29077) * Minor clarifications in the Azure AD guide (#28802) * [v13] helm: Add ingress support (#29084) * [v13] Encode URI for `sqlite` properly (#29099) * DeployService IAM Configure: unescape arguments (#29044) * Log the value of EventsBufferSize instead of the pointer address (#29082) * Added 07/13 Upcoming Releases Update (#29064) * [v13] chore: Bump Go to 1.20.6 (#29073) * [v13] fix: suppress search events (#29063) * [v13] update database and kube name validation (#29035) * [v13] Add more details about specifying a CA pin (#28886) * [v13] assist: fix flaky assist test (#29051) * Correct the clock passed to `dynamicCredsConfig` (#29058) * Document backend_write_requests_total (#28980) * [v13] DeployService: use teleport-ent image for ent clusters (#29045) * docs: proxy peering out of preview (#29037) * Add usage-based feature values for Device Trust (#28919) (#28964) * [v13] Add an option to bootstrap database service to `teleport discovery boostrap` (#29002) * [v13] [Assist] Only parse messages from Assist as markdown (#28911) * [v13] Deduplicate resources for `tsh request search` when `replicas>1` (#28889) * [v13] Update `e` ref to enable PagerDuty plugin (#28986) * [v13] Add `ProxyGroup` support to reverse tunnels (#28930) * Docs: Update/Refresh OneLogin SSO guide (#28444) (#28768) * Add test that verifies sessions are unaffected by Auth restarts (#29000) ------------------------------------------------------------------- Thu Jul 13 04:57:33 UTC 2023 - kastl@b1-systems.de - Update to version 13.2.1: * Release 13.2.1. (#29021) * [v13] Dont allow cloud tenants to update certain cluster networking config fields (#28992) * Ignore SIGQUIT in exec sessions. (#29020) * fix operator crashing on first startup (#29013) * Fix Azure join for identities across resource groups (#28961) * remove alert maximums (#28967) (#28983) * [v13] Mention agentless in the OpenSSH guide for better SEO (#28923) * Set lower temperature to ChatGPT calls (#28959) * Install Script: don't enable Automatic Upgrades for non-systemd systems. (#28987) * tctl alerts ack: Make --reason optional (#28955) * Fix listing servers when creating a new lock via webui (#28963) * desktop access: clean up error handling (#28974) * [v13] [Docs] Add missing 'resources' config field to application service docs (#28971) * [v13] include endpoint_url parameter for tctl sso configure github (#28968) * [v13] docs: openssh updates (#28726) * docs: update version (#28933) * supports newline and whitespace in motd: (#28937) * feat(dbcmd): add `sqlcmd` support (#28944) * Remove preview from several features (#28924) (#28928) * Fix ssh env var parsing by checking after cf.AuthConnector is guaranteed to be set. (#28922) * Update tough-cookie and @grpc/grpc-js (#28914) * [v13] add Athena URL parameter to configure AWS region (#28912) * tctl alert ls: Always show alert ID (#28906) * [v13] Backports PagerDuty hosted plugin (#28883) * chore: Bump Buf to v1.23.1 (#28894) * [v13] docs: Add clarification on event types in enhanced recording mode (#28893) * [v13] DeployService: auto upsert IAM Join Token (#28799) * DeployService: use correct version when auto-upgrades are enabled (#28874) * Machine ID: Add guides to the Enroll Integration page (#28646) (#28888) * Add IDToken attributes to GCP join audit event (#28673) (#28882) * docs: use -o file instead of sudo tee (#28771) * teleport-connect.mdx: Fix typo (you with -> you wish) (#28875) * rework instance hbs to be more scalable and to track upgraders (#27895) (#28847) * Support specifying `assume_role_arn` for Kube cluster matchers (#28282) (#28832) * Minor wording change (#28778) * Add redirects introduced by docs reorganization (#28822) * Update keep_alive comments auth-service.yaml (#28820) * typo correction (#28827) * [v13] Fix theme not loading on first login & overflowing command result summary (#28770) * docs: bump cloud to 13.2.0 (#28788) * removed cloud warning (#28815) * Fix `tsh kube credentials` lock when no-login is required (#28811) * Edit playbook user in the Ansible guide (#28791) * Use more restrictive S3 object permissions (#28765) * Change signup links to mention Teleport Team (#28680) * Fix Okta docs that mentioned "Application Service" (#28792) * [v13] Fixed CPIO digest mismatch on RHEL 8 (#28794) * Added 07/03 Upcoming Releases Update (#28796) * Increased the gh-trigger-workflow polling period (#28783) * [v13] update attributes to roles (#28695) * [v13] document create_host_users_mode (#28639) * Add t.Parallel() to several tsh tests (#28613) * [v13] Update assist docs (#28732) * [v13] Firestore backend improvements (#28737) * [v13] Machine ID: GCP Delegated Joining support (#28762) * add docs for idp-initiated sso for grafana (#28645) * Document Jamf `exit_on_sync` toggle (#28394) (#28415) * Support GCP joining when `google` claim is not present (#28759) * Document Jamf service and auto-enroll (#28167) (#28393) * [v13] Docs: Update GitLab SSO docs (#28693) * specify enterprise in commercial prereq cloud tab... (#28524) * [v13] Connect: Add docs for theme (#28407) * docs: edits to the headless webauthn guide (#28733) * docs: correct docker installation table (#28652) * [v13] User groups in access requests will expand list of applications. (#28603) ------------------------------------------------------------------- Thu Jul 06 07:24:27 UTC 2023 - kastl@b1-systems.de - Update to version 13.2.0: * Release 13.2.0 (#28696) * Fix Machine ID guide index and adjust FAQ (#28700) * Rename `database_labels` to `db_labels` (#28687) * update eref (#28699) * Update agentless mode description (#28682) * Update `e` reference (#28684) * improve startup with empty db or discovery config (#28622) * `tsh db connect` should prefer mongosh (#28668) * Script to configure IAM for the DeployService (#28436) (#28643) * [v13] lib/teleterm: Remove misleading error log after LocalAgent.GetKey (#28664) * [v13] Move database validation to gRPC methods (#28638) * Teleport Proxy Behind ALB support for IP Pinning (#26623) (#28466) * Add option to allow for host users not to be deleted (#28432) * [v13] Update e ref. (#28615) * [v13] Add custom component prop type for react-select (#28617) * [v13] Web: Improve no access message and remove hard coded color (#28550) * [v13] Backport Assist related changes (#28480) * Improve copy on the integrations page (#28611) * [v13] Web related tweaks for access request user groups (#28545) * backport jamf default checks to branch/v13 (#28558) * Update `e` (#28605) * AWS OIDC - DeployService: configure IAM (#28088) (#28597) * dynamodbbk: don't delete non-expired items on Get (#28600) * [v13] Add light & dark themes to YAML editor (#28517) * Change copy "Go To Dashboard" for "Go To Cluster" on new account screen (#28434) (#28520) * athena audit logs - add migration script (#28182) * Disable disk-based logger for web tests (#28557) * [v13] integrations/operator: Try to delete bot role (#28543) * [v13] fix: Use correct sync defaults and validation (#28553) * Fix header levels in the authorization docs page (#28495) * Fix the username on self-hosted DB doc pages (#28521) * clarify source of user cert TTL (#28534) * remove sentence fragment and link (#28483) * Added 06/29 Upcoming Releases Update (#28478) * update device trust guide (#28365) (#28523) * Add unauthenticated rate limiter constants (#28538) * Promote IAC docs for agents and dynamic resources (#28526) * docs: replace "Golang" with "Go" (#28171) * [v13] Docs: Document that root clusters can't populate OS users from leaves. (#28531) * [v13] Discover: Add deployed method field to deploy service event (#28507) * [v13] Web terminal themes (light & dark) (#28408) * Add omitempty to new ResourceMatcherAWS block for best backwards compat (#28419) * Emit default role `editor` changes (#28209) (#28481) * docs: fix upcoming release descriptions (#28504) * adding name to docker run command (#28502) * [v13] Add security notes to the session recording guide (#28462) * Describe subject flags in Event Handler guides (#28431) * [v13] Fix moderated session presence checking (#28456) * Remove most t.Log() from tests (#28471) * [v13] Docs: Update Google Workspace SSO Guide (#28475) * docs: bump cloud to 13.1.5 (#28404) (#28450) * Update tsh scp command description to match ssh node commands (#28467) * Replace xitongsys/parquet-go with segment-io lib (#28472) * use teleport.sh instead of dashboard.goteleport.com for license retrieval (#28426) * [v13] Drain database connections on graceful shutdown (#28369) * [v13] Expand Docker installation instructions (#28447) * Machine ID: Add support for BotJoin analytics event (#28293) (#28425) * Clarify the disablesse S3 backend setting (#28401) * copy edits (#28423) * Hide wait subcommands (#28416) * athena audit logs - use sqs attribute as oldest metric (#28274) * chore: Bump Buf to v1.22.0 (#28381) * [v13] k8s operator supports Okta import rules. (#28377) * [v13] Machine ID: Add usage event for bot creation (#28366) * Update `e` (#28406) * [v13] Connect: Light theme (#28277) * Teleport One Off Script (#27852) (#28347) * [v13] Remove absolute goteleport.com/docs links (#28395) * [v13] Add a note on the `admin` database permission requirement for MongoDB (#28362) * docs: update version (#28389) * [v13] Add username to headless authentication backend key (#28380) * [v13] docs: backports (#28331) * update installation video (#28370) * Add opsgenie static credentials check and test (#27655) (#28326) * [v13] Restore resource requests guide with an admonition. (#28348) ------------------------------------------------------------------- Wed Jun 28 06:13:22 UTC 2023 - kastl@b1-systems.de - Update to version 13.1.5: * Release 13.1.5 (#28364) * [v13] Clarify permissions for Okta API tokens. (#28294) * [v13] Fix TestSQSMessagesCollectorErrorsOnReceive flakiness (#28184) * [v13] Allow setting max_session_ttl from clusterauth preferences (#28130) ------------------------------------------------------------------- Tue Jun 27 05:01:42 UTC 2023 - kastl@b1-systems.de - Update to version 13.1.4: * Release 13.1.4 (#28327) * Fix audit log report of `kubernetes_users` and `kubernetes_groups` (#28323) * Docs: Update recommended role (#28278) * Reduce debug log spam for TeleportReady events (#28319) * Use the long-form --config flag in shell example (#28299) * Pass teleport-reversetunnelv2 for auth connections (#28316) * Returned Vars to the code output (#28225) * only apply stripe csp for team/usage users (#28198) (#28308) * docs: include desktops for cloud faq reverse tunnel (#28305) * Respect client idle timeout setting (#28202) * Don't add keys to agent during headless login. (#28236) * [v13] Preserve applications original URL's query (#28218) * Converts the default Content-Security-Policy representation to a map (#27182) (#28307) * [v13] Add associated applications and user groups to UI objects. (#28303) * Move "Device Trust" to a top-level docs item (#28108) (#28199) * Improve the upload completer logs (#28211) * [v13] Use supplied tarball when building AMIs (#28128) * [v13] docs: default https ports for tsh login (#28288) * Always collect `deny` arm of `kubernetes_resources` (#28285) * Support `assume_role_arn` for database dynamic resources (#28039) (#28210) * [v13] Windows Device Trust documentation (#28050) ------------------------------------------------------------------- Mon Jun 26 06:58:12 UTC 2023 - kastl@b1-systems.de - Update to version 13.1.3: * Release 13.1.3 (#28243) * [v13] bump e-ref (#28241) * log why the TeleportReady event is not being emitted (#28239) * Warn about clamshell-related touch ID unavailability (#28214) * Added 06/22 Upcoming Releases (#28155) * [v13] Edit the server access Getting Started guide (#28172) * [v13] InstallScripts: pin teleport version using ServerVersion (#28149) (#28208) * [v13] update helm docs (#28068) * [v13] Specify how host user creation invokes `useradd` (#28194) * Bump 'e' ref (#28206) * docs: fix kubernetes guide (#28164) * docs: remove note about supporting any platform supporting Go (#28178) * [v13] Update teleport cloud faq.mdx (#28174) * [v13] Add Opsgenie plugin (#28098) * [v13] permission-warning.mdx: Advise NOT TO give access,editor to users (#28132) * [v13] docs: update macos tsh install instructions (#28135) * [v13] Use the one-liner in install-linux.mdx (#27907) * docs: Fix syntax error (#28142) * bump docs to 13.1.1 (#28153) * feat: add support for label expressions to k8s operator (#28156) * Correct the backend_requests metric help text (#28107) * [v13] feat: adds motd to the ui (#27922) * [branch/v13] Bumped `e` ref (#28144) * Remove deprecated/unused device trust protos (#27975) (#28075) * [v13] Integrate AMI buids into drone (#27354) (#28127) ------------------------------------------------------------------- Thu Jun 22 05:14:09 UTC 2023 - kastl@b1-systems.de - Update to version 13.1.2: * Release 13.1.2 (#28124) * [v13] update message on empty tsh ls results (#28120) * Add skip-confirm flag for headless approval. (#27823) (#27864) * bump e (#28101) * Fix invalid command example. (#28018) * AWS OIDC Integration: Deploy DB Service in a single click (#27035) (#28051) * fix: Ignore staticcheck false positive on darwin (#28042) * Update ssh-approval-slack.mdx (#28081) * Add reviewer and requester roles. (#28076) * [v13] Okta service docs only show in enterprise and cloud. (#28069) * [v13] Docs: Update Okta SSO Guide (#27950) * docs: mention required scope for GitHub app (#27910) * Provide client login IP when SSO initiated in a browser. (#27896) * [v13] Update e ref. (#28060) * Add mapping between user groups and applications. (#27962) * [v13] Add a delete confirmation step to SyncInventory (#27961) * Add HasPluginType to plugins interface. (#28052) * update eref (#28044) * [v13] Fix `Assist` import so it does not break storybook (#28047) * [v13] Connect: Fix overlapping placeholder and keyboard shortcut in the search bar (#28048) * Reorder resource filters in the search bar (#28034) * [v13] Update Electron to 25.1 and TypeScript to 5.1 (#28027) * [v13] Fix `tsh` relogin on not found errors (#27974) * add saml wizard to ui (#27949) * [v13] Update e ref. (#28036) * docs: include tsh install in connect your client tsh page (#27971) * [v13] Gracefully handle errors in Assist frontend (#27669) (#27935) * OpenSearch AWS autodiscovery (#27537) (#27942) * [v13] helm: Use local auth server address in auth pod to prevent extra connections (#27980) * [v13] Vendors the `pagerduty` plugin source into `teleport` (#27612) * [v13] helm: add hostAliases support (#27880) * [v13] docs: update cloud downloads (#27963) * Make Teleport config instructions easier to follow (#27968) * Add a diagram to the Linux Server guide (#27808) * Temporarily ignore Device Trust deprecation warnings (#27969) * Ensure SSH_SESSION_WEBPROXY_ADDR is set for all sessions (#27865) * Add more accurate info to cloud download page re: `tbot` (#27946) * [v13] Device Trust: `tsh` privilege elevation for TPM enrollment (#27959) * [v13] Fixes the "Run as different user" window freezing (#27874) * design updates for team gated features (#27756) (#27897) * [v13] Make use of keepAliveInterval in terminal handler (#27914) * [v13] CHANGELOG spelling fixes (#27955) * [v13] Add Machine ID tip when `tctl auth sign` is used (#27928) * chore: Bump golangci-lint to v1.53.3 (#27898) (#27911) * [v13] MongoDB Atlas IAM authentication docs (#27493) * Added 06/15 Upcoming Releases Update (#27901) * docs: update version (#27917) * [v13] Docs: Update ADFS SSO guide (#27891) * [v13] Pass context through `UpsertAuthServer` (#27887) * [v13] [Assist] New UI & rewrite (#27791) * [v13] docs: document label expressions (#27878) * [v13] Update e ref. (#27883) * [v13] Add the notion of friendly names to access request details. (#27803) * [v13] docs: Fix more installation commands on Windows (#27877) * [v13] chore: Bump Buf and Go versions (#27860) * [v13] Omit empty fields from DeviceCredential resources (#27869) * Fix `TestDiagnoseSSHConnection` flakiness (#27762) (#27849) * [v13] fix: Observe accurate `backend_read_seconds` duration (#27857) * [v13] Update Locking docs to refer `server-id` (#27845) ------------------------------------------------------------------- Wed Jun 14 18:37:49 UTC 2023 - kastl@b1-systems.de - Update to version 13.1.1: * [v13] Fix an issue ALPN handshake test does not respect "HTTPS_PROXY" (#27810) * Set default limit for ListResourcesRequest (#27839) * [v13] Trim yum release version in install-linux.mdx (#27777) * Move Cloud Matchers to proto (#27162) (#27530) * [v13] bump e (#27818) * [v13] Add Proto types for storing TPM Platform Attestation in Collected Data (#27757) * bump e (#27806) * [v13] Delete proxy heartbeats on graceful shutdown (#27786) * [v13] Fix an issue kube local proxy requirement is wrong in separate port mode (#27732) * Fix: time.Since should not be used directly after a defer statement (#27795) * Default to SymlinksTrySecure rather than SymlinksSecure (#27784) * [v13] bump e-ref (#27736) * app access: fix broken docs link in error message (#27766) * Don't use WithError() when logging "Missing session cookie" (#27768) * [v13] Docs: document labels for trusted clusters (#27738) * [v13] Fix flaky test `TestHeadlessAuthenticationWatcher_WaitForUpdate` (#27765) * [v13] MongoDB Protocol Hardening (#27741) * docs: Fix curl commands on Windows (#27759) * remove confusing variable delineation (#27746) * [v13] docs: update desktop session recording reference (#27749) * [v13] Change Campaign to utm_campaign (#27706) * Implement in-memory vector DB (#27587) * Add UI `node` lock to use `server_id` instead (#27621) * Fix Teleport Connect assume roles (#27723) * [v13] Abort reverse tunnel connections early if the proxy is already claimed (#27699) * Add scaling warning re: DynamoDB (#27600) * [v13] helm: Add conditional RBAC/ServiceAccount to `teleport-kube-agent` post-delete hook (#27637) * [v13] docs: update navigation instructions for sso audit log troubleshooting (#27675) * add styles to tooltip for team pages (#27417) (#27642) * Set UID/GID for ARC runner builds (#27638) (#27689) * Fix TestAuthorizeWithLocksForLocalUser flakiness (#27687) * usagereporter: add context check in RunSubmitter (#27678) * [v13] feat: label expressions (#27641) * Bump vite from 4.2.0 to 4.2.3 (#27670) * Fix redirects (#27593) * add new CTA event property (#27216) (#27643) * [v13] export etcd event processing metrics (#27220) * Added 06/08 Upcoming Releases Update (#27631) * [v13] Update description of Roles UI (#27539) * Update e (#27640) * [v13] Bump cloud version to v13.1.0 (#27633) * [Docs] Assist built-in role access (#27602) * [Docs] Assist - remove MFA section (#27603) * [v13] Web: Plugin tweaks and new plugin icons #27427 (#27576) * [v13] feat: label expression protobuf types (#26977) * fix: record applied login rules in github login event (#27607) * [v13] Add deprecation note to PAM user creation guide (#27626) * [v13] update agentless docs to use 'teleport join openssh' (#27624) * [v13] Update docker images (#27502) * [v13] docs: provide information on local user locks from login attempts (#27609) * Update `github.com/gravitational/predicate` to `v1.3.1` (#27483) * [v13] Docs: Trusted Clusters - Mention the correct expiration time as per tctl command (Buddy PR) (#27498) * [v13] use proxy port in openssh config (#27545) * [v13] Proxy Templates overwrite CLI cluster value (#27581) * docs: add headless auth as faq question (#27584) * docs: adds configuration and helm chart to app access getting started (#27529) * [v13] Fix not being able to "login" with auth type set to sso but no connectors set yet (#27589) * Primarily changes "match: '^.*\.dev\.example\.com$'" to "match: '^.*\.dev\.example\.com'" so that users aren't mistakenly guided towards eliminating the implicit ":3389" from their regex matches (#27516) * Fix the default `teleport-kube-agent` upgrade server (#27572) * Only fallback to SSH_TELEPORT_ env variables for proxy, user, and cluster name when used with headless. (#27507) * Support authenticating with AWS IAM role for MongoDB Atlas (#26439) (#27494) * Bump e (#27501) * [v13] Implement leaf app access: `tsh app login --cluster=leaf` (#27197) * [v13] Backport hardened AMI resources (#27454) * [v13] include changelog for docs tests (#27479) * [v13] Docs: GCP join method (#27487) * Fix SEO issues (#27242) * [v13] Document all installer script template vars (#27482) * Create api handler specifically for FormData (#27408) * [v13] Docs: improve Postgres in GCP (#27471) * Propagate proxy public addr in Web UI ssh session. (#27058) (#27420) * [v13] Document new Okta import rule regexes. (#27453) * [v13] docs: add enterprise value for kube agent reference (#27472) * docs: update version (#27473) * Extend host lock enforcement to other built in roles besides `Node` (#27018) (#27442) * Build change for when go caching should be used (#27209) (#27284) * chore: Bump golangci-lint to v1.53.2 (#27456) * [v13] WebDiscover: Check for RDS length before setting a limit for listing DBs (#27415) * Jamf config for PluginSpecV1 (#26374) (#27459) * [v13] loadtesting automation improvements (#27438) * Add prometheus endpoint to tbot (#27432) * [v13] Add docs for database auto user provisioning (#27289) ------------------------------------------------------------------- Mon Jun 12 20:37:19 UTC 2023 - kastl@b1-systems.de - Update to version 13.1.0: * Release 13.1.0 (#27418) * [v13] [Assist] Do not parse event data is there is none (#27435) * [v13] Update e (#27430) * [v13] Add Assist to the access role (#27424) * [v13] Adds info on exporting requirements for impersonated certs (#27403) * chore: Bump Buf to v1.20.0 (#27400) * [v13] Add IAM auth info to ElastiCache guide (#27306) * Move and update Proxy Template docs. (#27350) * specify supported architectures (#27279) * [v13] docs: Formatting/grammar fixes for TLS routing (#27391) * [v13] Update e ref. (#27388) * tncon: Remove unused return variables (#27386) * Add plugin static credentials getter. (#27301) * Minor updates to Server Access Getting Started (#27253) * [v13] WebPublicAddr includes user specified port. (#27376) * [v13] Web: Emit integration events (aws oidc) and touch ups (#27172) * [v13] cache parsed role template expressions (#27326) * add circle icon helper (#27185) (#27286) * [v13] Update e ref (#27375) * Reply with a user-friendly message on verification errors (#27270) * [v13] Assist docs (#27260) * [v13] docs: update enrollment steps for active dir (#27357) * Add endpoints to export AuditEvents as unstructured data (#27290) * [v13] Docs: Update GitHub SSO (#27273) * Add kube credentials lockfile to prevent possibility of excessive login attempts (#27366) * [v13] Use the proper check for the SAML IdP session. (#27314) * Get fresh cluster features to `config.js` (#26785) (#27362) * [v13] Assist bug fixes (#27356) * [v13] Get locks in tctl get all (#27294) * [v13] flaky test detector: override skipped tests (#27274) * Only wait for headless authentication watcher initialization in tests. (#27298) * [v13] Assist backport (#27243) * Replace global testing variables for device trust with pluggable ceremony interface. (#27239) * [v13] Web: Fix local storage clearing (#27296) * Disable GHA cache (#27305) (#27315) * [v13] Pin golangci-lint to `v1.53.1` and upgrade `depguard` config to `v2` (#27293) * Speedup OpenSSL build (#27056) (#27261) * tctl: allow creating desktops from YAML file (#27250) * Fix TeleportClient.ConnectToProxy logic error with closed context. (#27140) * Dont load ForwardedPorts from profile, only recieve them from the cli (#27208) * backport device trust and okta provider docs (#27218) * Ignore ENOENT error on group check (#27231) * Add support for automatic database users for Postgres (#26555) * [v13] lib/kube/proxy/server.go: Fix potential mutex deadlock on error (#27237) * docs: mention locking as an alternative to CA rotation for revoking access (#27248) * docs: add troubleshooting step for standard RDP security (#27245) * [v13] Fix headless server access requests (#27241) * tncon.c: Switch all size variables to size_t (#27234) * update access controls table (#27226) * Add static credentials reference to plugin credentials. (#27225) * [v13] docs: update fluentd output and correct docs link (#27202) * Add elasticache:Connect AWS permission to auto-IAM (#27188) * Updated Cloud SQL guides with more info about 'Allow only SSL connections' option (#27224) * docs: update version (#27219) * Add information about the cert-format flag (#27167) * Update cloud version to 12.4.5 (#27214) * return an error if a moderated session is created for an agentless node (#25721) * [v13] Add docs for shell completion (#27093) * add section for username_claim (#27006) * [v13] helm: Switch custom deployment guide to standalone rather than scratch (#27177) ------------------------------------------------------------------- Thu Jun 01 11:46:13 UTC 2023 - kastl@b1-systems.de - Update to version 13.0.4: * Introduce the Plugin Static Credentials object. (#27121) (#27163) * Added 05/25 Upcoming Releases Update (#26910) * [v13] Update Terraform reference docs to 13.0.3 (#27034) * Correct grammar in role removal error message (#27142) * [v13] feat: label expression parser (#26970) * [v13] docs: correction and note on direct mode for desktop (#27149) * TLS Routing behind ALB: tsh kube subcommands UX (#26305) (#27155) * [v13] helm: Tidy standalone cluster setup docs (#27154) * [v13] `buf breaking` CI action (#26833) * Fetch ClusterAlerts a single time during login (#27110) * [v13] docs: remove duplicative k8s access guide (#27128) * [v13] Update title for proxy peering architecture (#27041) * Refactor test globals out of lib/devicetrust/enroll (#27133) * Switch to recommending identity file in terraform guide (#27068) * [v13] Add `tsh kubectl` support for tracer exporter (#27130) * [v13] docs: Update GSLB docs for changes missed from master (#27132) * chore: Bump OpenSSL to 3.0.9 (#27123) * changes ldapDialTimeout from 5 to 15 seconds (#27045) * Okta Import Rules use Teleport style regexes. (#27126) * Fix `TestKube/Join` data race (#26619) (#27124) * [v13] Refresh port descriptions (#26936) * [v13] Support ElastiCache Redis IAM auth (#26990) * Fix "unnecessary conversion" in lib/devicetrust/native (#27077) * [v13] Automatically perform `tsh app login`. (#26820) * docs: offer alternative aws methods for joining for aws db guides (#26939) * docs: update kube access for enterprise setting and agent updates (#26941) * [v13] Windows TPM Device Authentication (#27085) * Close clients when done. (#27104) * [v13] Expand Go docs for label prefixes (#27102) * Update `e` (#27087) * [v13] Update `kingpin` & allow autocompletion (#26238) (#26999) * Device Trust: TPM Enrollment support EKCerts (#27070) (#27082) * Remove initCommand from DocumentPtySession (#27003) * Search user groups by description. (#27021) * [v13] update lib/utils/parse to leverage lib/utils/typical (#26967) * use uri path for config dump (#26992) * [v13] feat: library for building predicate parsers (#26915) * [v13] Update kube operator with more details and troubleshooting (#27050) * Update CHANGELOG.md to include Helm image change (#26822) (#27000) * operator: allow operator to edit tokens (#27001) * Docs: replace static mermaid images with rendered charts (#23458) (#26094) * Clean up LDAP error handling (#26984) * docs: mention missing delete permission for GCS buckets (#26735) * Yarn updates for `terser` and `minimatch` (#26919) (#27025) * Make tctl command descriptions consistent (#26937) * Use root client for headless authentication. (#26878) * [v13] remove warning on unpopulated ssh proxy address (#27015) * [v13] update ui and config to refer to service as Teleport Service (#27011) * [v13] AWS Route 53 GSLB Multi-Region Proxy Peering High Availability Deployment Guide (#26743) * Add a guide to reviewing docs PRs (#26913) * Use WIRE_JSON in buf breaking (#26793) * docs: update version (#26988) * fix console node list scroll and close session join dialog (#26622) (#26906) * [v13] athena audit logs - use otel traces in querier (#26900) * [v13] Remove useProfileLogin from makeClient in tsh (#26975) * [v13] athena audit logs - add metrics (#26920) * [v13] helm: Fail to install if `clusterName` contains a colon (#26973) * Add a watcher for agentless EC2 nodes (#26888) * [v13] Add MDM and TPM fields to device resources (#26838) * Add integration enroll usage event (#26880) (#26930) * Fix bug where the system agent is not forwarded in combination with (#26929) * Add diagrams to Access Request plugin guides (#26924) * Update dependencies for `build.assets/tooling` (#26907) (#26918) * fix GitHub connector API endpoint URL path getting ignored when making HTTP requests (#26863) * [v13] Collect MDM data from macOS (#26897) * [v13] integrations/operator: Use a dedicated scheme in tests (#26883) * Backport #26366 to branch/v13 (#26738) * [v13] Web: Add back buttons and remove exit buttons (discover & integrations) (#26727) * [v13] skip rdpclient build in integration tests (#26526) * [v13] Spawn gateway CLI client directly (#26751) * bump cloud to 12.4.3 (#26899) * correct discovery bootstrap command description (#26894) * [v13] Add a codegen-focused buildbox (#26739) * [v13] Proxy Templates update: cluster switching and tsh ssh parity (#26852) * app access: improve error logging (#26869) * [v13] docs: include Enterprise in tctl version for ent, cloud prereq (#26847) * Bump github.com/docker/distribution (#26107) (#26855) ------------------------------------------------------------------- Thu May 25 06:35:23 UTC 2023 - kastl@b1-systems.de - Update to version 13.0.3: * Release 13.0.3 (#26846) * add rbac for cluster alerts (#26423) (#26789) * docs: correct faq answer on editions (#26842) * [v13] use stable/cloud repo for cloud tenants (#26841) * [v13] Add a few convenience toggles to genproto.sh (#26672) * include db in tsh play and consistent description ends (#26816) * add polyfill for randomuuid (#26611) * athena audit logs - always pass utc to query (#26821) * [v13] docs: update to machine-id file list and edits (#26800) * Remove 'preview' from tcp app access guides (#26813) * [v13] [docs] add image for moderated file transfer (#26808) * Introduce group and app name Okta import rule regexes. (#26799) * fix TestALPNProxyHTTPProxyBasicAuthDial flakiness (#26713) * docs: add missing server_name to LDAP config (#26692) * athena audit logs - sent checksum on s3 write (#26748) * Amazon RDS converter: extract Subnets (#26621) (#26675) * [v13] Don't unmount `cgroup2` when restarting (#26728) * docs: update agent updates (#26731) * Windows TPM enrollment support (#25801) (#26736) * Fix link to CA Pinning information (#26690) * [v13] Add mermaid diagram to the HA guide (#26697) * docs: remove old starting from message (#26717) * Describe `tsh ls` support for multiple labels (#26539) * add upgrader to inventory hello (#26454) (#26479) * Define the "jamf_service" configuration (#26478) (#26700) * [v13] operator: ProvisionToken support (#26618) * Fix port forwarding when using a label based target (#26701) * [v13] Refresh Kubernetes Access Getting Started diagram (#26536) * [v13] Edit the docs UI reference (#26533) * [v13] refactor tsh db (#26651) * Remove intel label from macOS (#26698) * [v13] Make the Linux Server guide less SSH-centric (#26631) * [v13] Adds an admonition about Teleport not currently supporting Azure AD (#26556) * [v13] Docs: Patch Register Cluster page (#26686) * [V13] Add certificate rotation to `teleport join openssh` oneshot command (#26674) * [v13] docs: Add Msft SQL Server client examples and link in sql server guide (#26558) * docs: update reference to Teleport systemd (#26680) * chore: Bump Buf to v1.19.0 (#26645) * [v13] athena audit logs - pass teleport user as top level field (#26661) * Extend `kubectl auth can-i` support for `kubernetes_resources` RBAC rules (#26584) * Update e ref (#26664) * [v13] auditlog - pass context and rework search params (#26587) * expose firehose emulator host env in tests (#26592) * [v13] Update SyncInventory RPC documentation (#26629) * [v13] Add Teleport Team docs (#26639) * [v13] Docs: mark Okta application access as preview (#26627) * suggest machine id in plugins partial (#26624) * [v13] docs: remove starting from messages older then 10.0 (#26553) * [v13] changes openssh addr validation to allow hosts (#26549) * [docs] Amazon Athena guide for Application Access (#25329) (#26505) * [v13] Desktop access improvements (#26413) * Add RoleInstance to TestLocalServiceRolesHavePermissionsForUploaderService (#26597) * Update backends.mdx to remove incorrect comment (#26600) * Bump golangci-lint to v1.52.2 (#26593) * Add in Okta plugin type. (#26458) * [v13] Do not run the uploader with the MDM role (#26514) * Show dev-related tools only in dev mode (#26495) * update db and app service role permissions (#26519) * [v13] WebDiscover: Revert deleting the app wizard (#26457) * bump-e-ref (#26545) * add AWS cross-account db access guide (#26468) * docs: update version (#26509) * Update `gravitational/protobuf` fork tag (#26373) (#26488) * Add the JamfSpecV1 proto (#26391) (#26448) * [v13] Add in extra Okta audit event fields. (#26370) * Install Script: add Darwin ARM64 support (#26504) * Update AMI usage instructions (#26453) * [v13] Docs: Adjust curl examples (#26472) * athena audit logs - integration tests (#26494) * [v13] add assume_role_arn and external_id docs reference (#26030) * bypass lint and os-compatibility for md and mdx files (#26480) * [v13] Add and map the MDM system role (#26471) * Install Node Script: respect version variable (#26322) * [v13] add list of applied login rules to user login event (#26474) * bump eref (#26465) * bump docs for cloud to 12.4.2 (#26466) ------------------------------------------------------------------- Thu May 18 07:51:39 UTC 2023 - kastl@b1-systems.de - Update to version 13.0.2: * Release 13.0.2 (#26469) * [v13] docs: include DynamoDB streams as required in storage backend (#26381) * changelog spellfixes (#26431) * [v13] Web: Provide accurate actionable steps with duplicate db name error (#26399) * fix tsh db connect to active cassandra db (#26378) * [v13] Add in plugin bearer token credentials. (#26436) * [v13] docs: fix curl usage (#26411) * athena audit logs - run on single auth (#26443) * [v13] athena audit logs - delete from sqs (#26424) * athena audit logs - parquet writer (#26240) ------------------------------------------------------------------- Wed May 17 04:58:46 UTC 2023 - kastl@b1-systems.de - Update to version 13.0.1: * Release 13.0.1 (#26418) * bump eref (#26406) * [v13] Change TestDeleteMFADeviceSync to do per-delete assertions (#26390) * Update version in tsh.app Info.plist (#26314) * Remove the Adopters page (#26362) * remove opened var when set to false (#26367) * Update e ref (#26389) * check for empty name part in role arn (#26376) * Refresh the teleport-cluster Helm guide (#26172) * update video banner (#26384) * [v13] Web: Integrations touchups (#26152) * Add params to CTA redirect URL (#26086) (#26340) * [v13] fix azure db user auth check (#26317) * [v13] Proto and Go module changes for Windows TPM support (#26325) (#26348) * Update config.json (#26258) * bump e-ref (#26355) * [v13] docs: add mongo port in high availability and k8s operator doc (#26357) * [v13] docs: enroll auto updates fixes (#26352) * Remove our replacement for Logrus (#26241) (#26304) * [v13] Update `electron` and `electron-builder` (#26327) * [v13] Replace GetConnectCommandNoAbsPath with os.exec.Cmd.Args (#26328) * [v13] Disable "Open new terminal" if there's no active workspace (#26333) * athena audit logs - query rate limiter (#26221) * Fix twoClustersTunnel flakiness (#26254) * [v13] TLS Routing behind ALB: `tsh kube join` (#26283) * Update e ref (#26306) * Decrease test timeout (#26267) * Allow aws svg icon to take on the themes main color (#26039) * Revert usage of grpc error interceptors in `lib/client` (#26271) * [v13] docs: Make Amazon Linux name usage consistent (#26192) * Make PAM user creation script copy/pasteable (#26275) * [v13] docs: expand admonition for additional DB types (#26260) * [v13] docs: add tip on Kubernetes resources (#26278) * [v13] - Backport docker distribution update #26108 and #26109 (#26249) * [docs] Include File Transfers in moderated sessions docs (#26032) (#26265) * Restore Kubernetes Integration tests (#26186) * [v13] Populate the time locked status value when local user locked (#26255) * [v13] Add GCP Join Method (#26165) * athena audit logs - support athena engine v2 (#26222) * [v13] docs: reword dynamic guides language to more active (#26227) * athena audit logs - sqs receive (#26220) * Get rid of update on unmounted component in ResultList (#26230) * [v13] Remove privileged APIs from window after app initialization (#26213) * [v13] only show windows domain in audit log ui if applicable (#26078) * athena audit logs - query (#24740) * [v13] Add pprof diagnostics endpoints to `tbot` (#26117) * docs: Fix link to standalone Windows auth service (#26179) * Fix Helm chart Join token secret creation (#26055) (#26175) * [v13] Fix panic when using proxy peering (#26174) * [v13] Clarify Auth Service backend permissions (#26076) * Update e ref (#26163) * docs: fix invalid characters in kubernetes service example in discovery troubleshooting (#26157) * Modify error messages for customer portal to Teleport account (#26139) * TLS Routing behind ALB: access request Kube Pod search (#26128) * Set Cloud version to 12.3.3 (#26036) * [v13] Search bar: Take cluster filter into account when listing offline clusters (#26127) * Backport Assist UI (#26145) * Move the favicon so Teleport serves the static file (#26144) * [v13] Fix GoRoutine leak in `authclient.Connect` (#26125) * [v13] docs: update plugin and docker version (#26113) * [v13] provides info on Oracle Wallet location when using Oracle Orapki generation (#26133) * [v13] Fixes a SharedDirectoryAnnounce incompatibility (#26090) * Return a better message on "lacks registered credentials" errors (#26103) * docs: add note about curl on Windows (#26088) * [v13] Moderation Session docs update (#26082) * [v13] Use os.UserHomeDir where possible (#25999) * bump e-ref (#26101) * [v13] [docs] TLS routing behind l7 load balancer preview (#26077) * [v13] usagereporter: split the `ssh_port` session start into `ssh_port_v2`, `k8s_port` (#26062) * push the feature check to ctx.init (#26007) (#26071) * Use the correct value for DeviceAuthenticateEvent (#26068) * [v13] Show resource search errors in search bar when fetching a preview (#26073) * create e-imports package (#25992) (#26044) * [v13] docs: clarify host labeling for Windows desktops (#25524) * Clean up staticConfig mocks (#26059) * [v13] Document how to open a local terminal in Teleport Connect (#26061) * docs: AWS OpenSearch (#26051) * Improve AWS OIDC Integration extensibility (#26050) * [v13] tctl: improve alert ack flows (#26040) * docs: Update MySQL Server Version (#26052) * [v13] Add in Okta audit events. (#26000) * Add docker cli to buildbox (#25975) * gh-trigger-workflow: Retry transient server errors (#25972) * [v13] Change Helm reference `--set` formatting (#25509) * [v13] Okta assignment targets/statuses are human readable in the CLI. (#26023) * [v13] fix: truncate YubiHSM2 key IDs (#25816) * [v13] Note that the SAML IdP now supports HSM. (#26005) * [v13] fix: use errors.Is for all EOF comparisons (#26017) * Install Scripts: add updater package (#25971) * Provide client address information in transport request (#25993) * Add events to cta clicks (#25325) (#25986) * [v13] TLS Routing behind ALB Connect support for SSH and Database access. (#25899) * [v13] Allow adding 'locked' features to menu items and routes (#25952) * [v13] Upgrade TypeScript to 5.0.4 (#25983) * [v13] Introduce inventory service counts. (#25944) * Remove test case which uses local profile. (#25969) * [v13] add redirect to windows user creation instructions to host user creation doc (#25965) * build: Scope RUST_VERSION var to single target (#25962) * [v13] warn about v13 repos not containing v14 Teleport (#25954) * [v13] don't delete unit schedule file (#25943) * Bump Buf to 1.18.0 (#25888) * Update the supported versions table (#25902) * helm: warn about teleportVersionOverride and scratch risks (#25601) (#25914) * [v13] docs: instruct users to use `apt`/`yum`/`dnf` instead of `dpkg`/`rpm` (#25937) * [v13] backport team plan CSP and RBAC (#25928) * [v13] Okta documentation. (#25940) * [v13] Team plan CTAs (#25073) (#25701) * Add t_source to be standard (#25720) * [v13] Add the debug command `tsh fido2 attobj` (#25923) * Makefile: cache `go env` values (#25894) * docs: document the updater (#24628) (#25913) * [v13] check for correct kube and ssh listen address in starting message (#25907) * provide starting message for tar ball install (#25904) * Add IsUsageBased to features and send it to web UI (#25465) (#25860) * [v13] Remove code related to the command bar from Connect (#25898) * Simplify the Getting Started experience (#25519) * [v13] Make TS a dev dep of root package.json, fix design dev deps (#25875) * [v13] Fix flaky resolveNetworkAddress test (#25874) * [v13] enable acl in single aws terraform s3 (#25854) * Add ability to enable trace logging level (#25833) * Remove `not a valid Unix login` logging (#25838) * Fix application resource headers rewrite spec (#25863) * Add ability to enable trace logging level (#25833) * Remove `not a valid Unix login` logging (#25838) * Fix application resource headers rewrite spec (#25863) * Update docs version vars for v13 (#25352) ------------------------------------------------------------------- Thu May 11 12:52:08 UTC 2023 - kastl@b1-systems.de - Update to version 13.0.0: changelog to big, please find it here: https://github.com/gravitational/teleport/releases/tag/v13.0.0 - BuildRequire go1.20 (github.com/gravitational/teleport/lib/events/athena ------------------------------------------------------------------- Tue May 09 05:23:00 UTC 2023 - kastl@b1-systems.de - Update to version 12.3.3: * Release 12.3.3 (#25835)) * Fix access to leaf resources (#25694) (#25862) * fix auditlog error (#25843) * [v12] Include teleport-windows-auth in OSS releases (#25846) * make some chatty dynamodb logs trace (#25821) * Update e ref (#25831) * Correct SAML IdP session read permission. (#25798) * Fix Web UI error message when host is offline (#25661) * [v12] Update e ref. (#25812) * [v12] Add `SetFeatures` method to modules (#25653) * add agent config scaling section (#25796) * Update change log to include desktop access fix in 12.3.2 (#25793) * [v12] docs: document "and" logic for labels (#25750) * [v12] Log troubleshooting information when InvalidInstanceID errors are found during EC2 discovery (#25641) * [v12] docs: provide instructions on getting enterprise file from new license Teleport Account (#25753) * [v12] WebDiscover: Enroll RDS Databases and Hookup RDS flow (#25604) * Try to fix TestAgentPoolConnectionCount (#24616) (#25695) * Support additional expected instance roles. (#25742) * [v12] Use the GHA base container for Lint (Docs) (#25716) * update eref (#25733) * [v12] Add client compatibility to installation guide (#25685) * [v12] Improve API client connection failure feedback (#25563) * [v12] Refresh the HA guide (#25670) * [v12] docs: fix claims to roles description in access controls reference (#25633) * Ensure useDocumentGateway creates the gateway only on mount (#25626) * [v12] docs: update cloud proxy service architecture language (#25724) * [v12] docs: move docs links from absolute to relative (#25736) * [v12] use "google.golang.org/protobuf" to clone protobuf messages (#25714) * refactor theme in v12 (#25650) * Add UserGroups to RequestableResourceKinds. (#25708) * Don't report usage for KubeServiceV2 keepalives (#25656) * docs: mention Machine ID where tctl auth sign is used (#25610) * [v12] Update e-ref and icomoon library (#25665) * backport missing deps (#25662) * Update role-templates.mdx (#25628) * Reuse auth connection for Okta client (#25622) (#25646) * [v12] WebDiscover: Enroll aws integrations (#25594) ------------------------------------------------------------------- Fri May 05 05:09:38 UTC 2023 - kastl@b1-systems.de - Update to version 12.3.2: * Release 12.3.2 (#25647) * Update e-ref (#25636) * docs: correct gcp install headers (#25426) * Define a new DeviceEvent proto with the usual embeds (#25353) (#25555) * Use new device event layout in Web UI (#25355) (#25558) * [v12] Add specific message for network errors on app launch (Web UI) (#25606) * [v12] Add missing user groups entry to getEmptyResource state. (#25612) * Do not change proto user on make grpc (#24847) * Update metrics docs (#25591) * Make ProtoPostgres support PROXY protocol (#25529) * [v12] Support UI methods for user groups, label match user groups in API. (#25578) * [v12] docs: update version (#25577) * [v12] docs: update CloudHSM docs (#25570) * Web:Discover Refactor resource selector screen (#23018) (#25556) * [v12] Team plan CTAs (#25073) (#25572) * [v12] Add integrations access rule to user context (#25516) * Disallow OktaAssignment deletion from tctl. (#25463) * [v12] New Usage Events (#25493) * add billing to navigation (#25192) (#25487) * [v12] banner dependencies (#25194) * [v12] Document HA for Access Request plugins (#25551) * Capitalize Teleport in command/args (#25545) * Remove Origin from cloud converters (#24977) (#25459) * Updates distroless Dockerfile to handle fips realeases (#25451) ------------------------------------------------------------------- Wed May 03 04:48:12 UTC 2023 - kastl@b1-systems.de - Update to version 12.3.1: * Release 12.3.1 (amended) (#25517) * [v12] darwin: Use notarytool to notarize instead of altool (#25455) * [v12] chore: Bump Go to 1.20.4 (#25506) * Release 12.3.1 (#25502) * Allow unknown fields when unmarshaling types.MFADevice (#25445) * Fix backwards compatability of GenerateUserSingleUseCerts (#25486) * [v12] Update e ref. (#25474) * Return friendly errors when sessions are prevented due to a lock (#25482) * docs: automatic user creation for windows desktops (#25364) * Add missing Connection header for ALPN connection upgrade (#25346) (#25411) * [v12] WebAPI: thumbprint endpoint (#25338) ------------------------------------------------------------------- Tue May 02 05:32:47 UTC 2023 - kastl@b1-systems.de - Update to version 12.3.0: * Release 12.3.0 (#25443) * [v12] Bump e-ref (#25440) * [v12] docs: update YubiHSM2 docs (#25359) * Fix issuing credentials for non SSH protocols (#25430) * docs: remove dynamic database resource in example aws dynamodb (#25340) * webapi cleanup (#24363) (#25368) * [v12] docs: update docker guide to allow for server access and show troubleshooting (#25345) * [v12] Windows user creation (#24780) (#25348) * [branch/v12] Add building Windows Authentication Package to Drone (#23811) (#25311) * terraform: enable ACLs in the certs bucket (#25335) * Define distinct types for all device events (#25320) * docs: update onelogin screenshot (#25331) ------------------------------------------------------------------- Sun Apr 30 07:15:36 UTC 2023 - kastl@b1-systems.de - Update to version 12.2.5: * Release 12.2.5 (#25326) * Integrations: AWS OIDC - ListDatabases action (#24877) * Record and verify WebAuthn RPIDs (#25238) (#25289) * [v12] Fuzz TDP protocol, fix two issues. (#25308) * Add option to override kube context on `tsh kube login` (#25253) * Fix `TestAuthSignKubeconfig` test (#25269) * Update Electron to 22.3.6 (#25184) * Fix cluster alerts timeout (#25300) * Properly handle SAML IdP enable/disable. (#25309) * Addresses #23554 (#25296) * Do not try to verify PROXY signature for non-Teleport TLVs (#25302) * Bump gh-trigger-workflow timeout to 2h30m (#25174) * [v12] Clean up Drone slack notifcations (#25217) * Use the correct emitter in auth.TLSServer (#25272) * Fix `underlying reader not a terminal` issues (#25102) (#25242) * [v12] docs: Login Rule k8s operator docs (#25158) * [v12] Show <1m for remaining tsh status valid time for last minute (#25225) * Move db cert renewal message to debug log (#25222) * docs: add information on viewing status and logs for systemd service (#25199) * * Save ssh_service.public_addr values to Server.PublicAddrs instead of discarding them (#25223) * Add new field to license spec (#23194) (#25197) * fix: avoid inadvertent deletion of active HSM keys (#25208) * [v12] Update headless tsh command descriptions (#25148) * [v12] Update e ref. (#25205) * Connect: Fix logout sequence (#24978) (#25182) * Avoid prompting users for mfa when using `tsh ssh --headless` (#24701) (#25187) * [v12] Simplify Okta assignment statuses. (#25189) * Improve performance of MFA ceremony (#24804) * Headless Login explicit username (#24689) (#25112) * Alphabetize the GUI Client page (#25120) * [v12] Document relative link paths in partials (#25117) * [v12] docs: append cluster name for example ansible hosts list (#25124) * [v12] Order sudoers file lines by role name (#24792) * [web] Add storeUser to console context (#24159) (#24809) * Add login hooks. (#24828) (#25105) * Join Script: fix tarball folder for ent builds (#25076) * fix github url formatting (#25089) (#25098) * Add key attestation to generate user certs to catch non-login flows. (#24867) (#24956) * add comment specifying kubernetes user (#24916) * docs: Add warning about TLS multiplexing to Kubernetes IAM joining (#24820) * OktaAssignment and UserGroup in auth cache. (#25067) * docs: fix spelling and remove misspelled word from spellcheck skip (#25030) * Add in group labels for role conditions. (#25080) * Log informative messages for device authn failures (#24912) * [v12] docs: Change `listen_addr` to `web_listen_addr` in custom Helm deployment guide (#24974) * docs: fix directory instruction for docs contributing (#24994) * docs: Adds common Teleport configure,start and helm charts for non-iam db access guides (#25001) * Pass the auth.Server itself to inventory.NewController (#25007) * [v12] local proxy not required for mysql separate port (#24827) * replace 'machine' with 'host' or 'workstation' (#24986) * clarify tctl command location and secret destination (#24982) * Make tsh check SSH_ user, proxy, and cluster env variables if not already set. (#24470) * [v12] docs: update version (#24957) * [v12] Proxy Client (#24734) * docs: make adopters table markdown for cleaner look (#24951) * Fix example API client imports (#24375) * docs: remove unneeded sudo for removing user data dirs (#24919) * [v12] Makes the `Per Role` per session mfa example accurate (#24927) * [v12] docs: remove duplicate content in oracle guide (#24907) * docs: bump cloud to 12.2.3 (#24769) (#24843) * [v12] docs: provide warning on Amazon Linux 2023 installations (#24853) * Update e ref (#24894) * Use apt.releases to fetch pub key (#24875) * [v12] Update crewjam/saml dependency. (#24898) * [v12] Edit Homebrew installation instructions (#24824) * Remove unnecessary sudo from Connect uninstall docs (#24888) * Update Cloud FAQ doc to remove latency note (#24891) * refactor how 'tsh scp' destinations are parsed (#24861) * [v12] docs: provider faq answer for configurable maintenance times for cloud (#24855) ------------------------------------------------------------------- Thu Apr 20 14:35:02 UTC 2023 - kastl@b1-systems.de - Update to version 12.2.4: * Release 12.2.4 (#24844) * [v12] docs: document error with older SSM agent version (#24833) * OS packaging and auto updates backport - v12 (#24781) * [v12] SFTP fixes (#24831) * [v12] Checks proxy server and token set for join openssh (#24745) * [v12] Fix `TestHeadlessAuthenticationWatcher` flakiness (#24705) * [v12] docs: make consistent access request plugins helm configuration and instructions (#24760) * Add docs subsection about joining services (#24756) * Update embedded video (#24699) * [web] Add isModeratedSession flag to web ssh session (#24238) (#24806) * [v12] Backport Mac build GitHub Actions support (#24432) * Backport --raw version flag (#24772) * Acquire user certs from root cluster during web file transfers (#24768) * Fix memory leak on Kubernetes port-forwarding (#24763) * [v12] Use CompareAndSwap for OktaAssignments instead of lock. (#24748) * Tweak protogen to not change protos from cloud (#24688) (#24739) * Tweak messaging to anticipate a new linter (#24411) * docs: Login Rules Terraform docs (#24674) * [v12] reduce cache retry load (#23025) (#24719) * Change port-forwarding completion logs to debug (#24658) * [v12] Make audit log details dialog larger. (#24722) * stop handling SIGINT, SIGTERM in tctl (#24681) * Add Okta assignment update statuses to Okta access point. (#24735) * [v12] docs: remove ignored user parameter in tsh login example (#24624) * [v12] Check Okta action transitions during update, allow failed -> pending. (#24685) * Prevent multiple discovery agents to race against each other (#24214) (#24716) * Document `discovery_group` parameter (#24713) * Add cleanup time and last transition time to OktaAssignment. (#24725) * Add in a Okta assignments copy method. (#24694) * refresh vscode guide (#24697) * helm: fix `teleport-kube-agent` telemetry (#24471) (#24680) * allow redundant security release alert suppression (#24692) * [v12] Tag output from teleport configure as ERROR or WARNING if applies (#24676) * [v12] Introduce an OktaAssignmentsGetter and use it in the watcher. (#24584) * Ensure that proxy services join by dialing auth (#24668) * docs: update audit results faq for cloud (#24633) * Pull kube proxy address from proxy ping endpoint (#24516) * docs version (#24622) * [v12] docs: kubernetes joining guide + reference (#24545) * [v12] docs: update k8s gke discovery to use zone variable consistently (#24613) * [v12] Hosted plugins frontend / user-facing parts (#24597) * Make the OpenSSH guide more prominent (#24568) * Edit the SSH Key Extensions guide prereqs (#24537) * Add top-level redirects to intro pages (#24565) * Add architectural clarity to the AD guide (#24569) * [v12] Renders user auth types in User List in expected capitalization (#24604) * [v12] docs: simplify tokens generation examples (#24497) * [v12] Update relcli to fix publishing of release notes (#24438) (#24529) * [v12] Fix authenticated conn metrics for http reporter (#24570) * only call 'user.Current' when we really need to (#24573) * update aws configurator (#24362) (#24494) ------------------------------------------------------------------- Fri Apr 14 06:52:08 UTC 2023 - kastl@b1-systems.de - Update to version 12.2.3: * Release 12.2.3 (#24546) * Machine ID: Add ability to request RouteToCluster in generated certs (#23838) (#24544) * Update e reference (#24550) * [v12] spelling fixes and ignore adds (#24539) * Added 03/13 Upcoming Releases Update (#24547) * Document alert acknowledgement (#24489) * Add info to the Directory Sharing guide (#24487) * Update e ref. (#24542) * Fix IP pinning for SSO login (#24541) * [v12] docs: include Amazon Linux in BPF-supported distributions (#24480) * Allow the Okta role to read the cluster name. (#24540) * Integrations: web API and tctl (#24145) (#24458) * [v12] Ensure the Okta service can connect through the reverse tunnel. (#24524) * Update FAQ for on-prem data collection (#24512) * Support app servers on different types of tunnels. (#23749) (#24525) * Attempt ssh connections with and without mfa at the same time (#24371) * Fix relaxed moderator joining for Kube Access (#23674) (#23993) * [v12] Hosted plugin manager prerequisites (#23922) (#24390) * Add check for nil auth.local in ping response. (#24490) * Docs: adjust Active Directory (manual) guide (#24071) (#24462) * Docs: Standardize prerequisite partial use. (#23394) (#24452) * Create a partial for Event Handler role/user (#24469) ------------------------------------------------------------------- Thu Apr 13 07:08:02 UTC 2023 - kastl@b1-systems.de - Update to version 12.2.2: * Release 12.2.2 (#24478) * docs: bump cloud to 12.2.1 (#24475) * Unlock keychain in drone (#24474) * [v12] Add CA, Role, Lock AuthPreference RO persmissions to RoleOkta. (#24397) * Add caveat re: the audit event list (#24406) * helm: support setting proxyListenerMode to emptystring (#24426) * Clarify that "local" is not an auth connector (#24455) * [v12] Integration: add service to server and client (#24133) (#24439) * [v12] Return enroll_status unspecified for empty status (#24435) * [v12] docs: correct rds proxy policy example (#24423) * Restore MajorVersion template var for Installers (#24388) (#24434) * [v12] usagereporter: enable on-prem user activity reporting (#24433) * reduce log spam when AWS Aurora engine name is not recognized (#24413) * [v12] Distroless doc updates (#24036) * * Fix Hardware Key support docs when scoped for Open Source. (#24408) * * Add --mlock flag with auto, off, best_effort, and strict options. (#24236) (#24410) * Add new `reporting` license flag (#21928) (#24396) * Fix log output in aggregating.Reporter (#24391) * Move docs builds down in GitHub Actions (#24385) * Remove unnecessary query string (#24289) * [v12] Updates access plane to access platform and operator def (#24389) * Expose CopyAndConfigureTLS. (#24384) * [v12] Fields in WebAuthn comments (#24354) * chore: Bump Buf from 1.16.0 to 1.17.0 (#24351) * * Fix headless authentication watcher race condition on wait condition (#24361) * Add longer meta descriptions to high-traffic pages (#24334) * Update e reference. (#24341) * [v12] Support spellchecking in docs content (#24304) * Allow Okta role to heartbeat app servers. (#24329) * Constrict app.FindPublicAddr client. (#24331) * docs: correct header in changelog (#24308) * [v12] Update to Teleport Access Platform name in teleport,tctl (#24300) * purge extra newlines (#24283) * fix protocol name for elasticsearch guide (#24280) * [v12] Fixes to metrics docs (#24290) * add Datadog to audit events index (#24274) * Make react-router-dom and @types versions consistent (#24201) (#24272) * docs: use teleport systemd include for start mongodb (#24258) * [v12] Fix package names for v1 protos, misc proto changes (#24183) (#24263) * Connect: Do not include staging feedback address in prod CSP (#24189) * Add missing continue and handle error in the test echo SSH server (#24243) * Added 04/03 Upcoming Releases Update (#24215) * [v12] Bump cloud docs to 12.1.5 (#24204) * Include correct identity in post-renewal log message (#24246) * docs: use teleport systemd include for start (#24248) * update Makefile to use cargo sparse protocol in all cargo commands (#23856) (#24225) * GHA: Update path filters to include workflow files and Makefile (#24252) * Lowercase "Teleport Service" (#24219) * [v12] Disable `build-macos` and `build-windows` on PR (#24233) * bump teleport version in docs (#24205) * usagereporter: on-prem dial home (#23916) (#24196) * Fix tctl test timeouts (#24216) * [v12] Add configuration options for hosted plugin runtime (#22320) (#24112) * [v12] [docs] Add documentation page for IP pinning (#23897) * Integrations service for CRUD operations (#23989) (#24144) * Add local guidance for Linux Server guide users (#24140) * [v12] Fix panic when incoming request is nil (#24199) * Fix panic for when `/web/launch` is requested (#24132) * Add systemctl instructions to Connecting Apps (#24137) * Make TestTeleportProcess_reconnectToAuth less flaky (#24191) * ClusterItem: Remove usage of colors.secondary.lighter (#24182) * add `set -eu` to discovery installer (#24034) * Clarify how to decide undocumented style questions (#24085) * update eref (#24165) * [v12] docs: update mfa docs (#24157) * Include year in cert rotate examples docs (#24153) * Send tunnel reconnects before waiting for sessions to drain (#24141) * [v12] Fix improper report of status on success (#24155) * refactor theme (#23876) * update eref (#24148) * helm: Propagate securityContext and nodeSelector to Job hooks (#24012) (#24134) * Remove no longer used Teleport enterprise yaml example (#24150) * Remove the Access Controls FAQ (#24081) * fix flaky tests (#24126) * [V12] Integration resource: proto (#24057) * Fix TestTerminal_KillUnderlyingShell (#24125) * [v12] Docs: Remove Details block from tctl partial. (#24072) * docs: Oracle Database Access (#24119) * [v12] Update gosaml2 to 0.9.1 (#24079) * Bump Cloud SLA to 99.9% (#24093) ------------------------------------------------------------------- Thu Apr 06 03:50:15 UTC 2023 - kastl@b1-systems.de - Update to version 12.2.1: * Release 12.2.1 (#24098) * [v12] helm: Add support for imagePullSecrets to teleport-cluster chart (#24017) * [v12] chore: Bump Go to 1.20.3 (#24062) * Show the server name (instead of UUID) in errors (#23724) (#23935) ------------------------------------------------------------------- Thu Apr 06 03:29:52 UTC 2023 - kastl@b1-systems.de - Update to version 12.2.0: * Release 12.2.0 (#24056) * fix joining moderated sessions in ui (#24018) * revert marshal database tls mode (#24063) * helm: delete hook-related resource on re-apply (#24068) * Fix listing of participant modes in UI (#24029) * [v12] Add a guide to creating Teleport roles via the API (#24003) * docs: correct mongodb atlas example config (#24044) * Add Azure auto-join docs (#23944) * Replace "Spotlight Search" with "Cross-Cluster Search" (#24049) * Recommend Proxy Service in event-handler guides (#23937) * Add missing `join_method` in azure joining docs (#24031) * [v12] docs: device trust edits (#24025) * [v12] Define an explicit device resource as DeviceV1 (#24024) * [v12] Connect: Collect protocol origin (#24039) * [v12] docs: update version (#24027) * Close auth clients in tctl tests (#24014) * docs: add description of config versions (#23936) * [v12] Headless Login (#23360) * [v12] tsh: Fix redundant error in PPK generation on relogin (#23984) * Allow getting client ip from ProxyHelloSignature for compatibility (#23419) * Update e reference (#24006) * [v12] docs: include enable teleport service in systemctl start (#23988) * [v12] Docs: prefer `curl .../auth/export` instead of `tctl auth export` (#23982) * [v12] docs: Add advisory and troubleshooting on non-tls mode for machineid kube (#23951) * [v12] Backport IP pinning for Kube and DB access (#23418) * Update e reference (#23994) * [v12] GitLab Delegated Joining docs (#23981) * Add Support for Oracle protocol (#23892) * [v12] Metrics: add IsSSO to Discover Events (#23902) * [v12] Add Docker Hub login to Drone's Kubernetes pipelines (#23958) ------------------------------------------------------------------- Mon Apr 03 13:17:55 UTC 2023 - kastl@b1-systems.de - Update to version 12.1.5: * Release 12.1.5 (#23945) * Reduce DefaultIdleTimeout to 30s (#23950) * [v12] Update e ref. (#23939) * Backport #22817 to branch/v12 (#23881) * split and notate new vs existing mysql user (#23930) ------------------------------------------------------------------- Mon Apr 03 13:06:43 UTC 2023 - kastl@b1-systems.de - Update to version 12.1.4: * Release 12.1.4 (#23929) * [v12] feat: Operator support for Login Rules (#23885) * Backport #23405 to branch/v12 (#23883) * [v12] Prevent unknown ssh requests from terminating sessions (#23904) * Allow a tsh aws to proxy any command (#19941) (#23835) * Return exit code from SFTP subsystem (#23729) * [v12] Allow Okta service reverse tunnel access. (#23853) * chore: Bump Buf from 1.15.1 to 1.16.0 (#23870) * [v12] Add gRPC service definition for Plugin resources (#21750) (#23780) * Added 03/30 Upcoming Releases Update (#23868) * Expose process.OnHeartbeat. (#23852) * Add Copy to AccessRequest. (#23638) (#23712) * Update e ref (#23845) * [v12] Remove `push` workflow for jobs that already run on PR and merge (#23862) * Machine ID FIPS support (#23563) (#23850) ------------------------------------------------------------------- Mon Apr 03 13:03:05 UTC 2023 - kastl@b1-systems.de - Update to version 12.1.3: * Release 12.1.3 (#23847) * update makefile (#23818) * support readable enum values in database tls mode (#23601) (#23808) * [v12] Fix the navigation only ever linking to the root cluster (#23708) * [v12] Improve fluentd exported by configuring buffer (#23841) * [v12] docs: Add Uninstall Instructions for Teleport Connect (#23822) * [v12] Reduce time spent setting ssh session envs (#23834) * docs: modify teleport binary reference to non-path specific in ec2 discovery (#23812) * Allow app server origin of Okta if added by Okta built in role. (#23794) * Add cluster flag to `tsh kube sessions` (#23825) * ALPN handshake test improvements (#23348) (#23798) * docs: Remove Open Source from Try out Teleport on a linux server (#23744) * docs: label enterprise prereq as Teleport Enterprise, not just Teleport (#23792) * [v12] docs: use commercial pre-req for enterprise only windows only users (#23803) * [v12] Use stable/cloud when Automatic Upgrades is on (#23395) (#23752) * Add Okta import rules, Okta assignments, and user groups to CLI. (#23722) * Clarify wording of Connect's Telemetry FAQ (#23413) (#23739) * Expose SingleProcessModeResolver and GetRotation. (#23772) * helm: Clarify port requirement for publicAddr (#23743) * Add new status to OktaAssignment, supporting service methods. (#23714) * Fix multiple profile handling for kube credentials (#23716) * [v12] Create an OktaAssignment watcher. (#23721) * Prevent races creating web api session context (#23691) (#23733) * Correct linux download name of Teleport Connect (#23604) (#23737) * [docs] Change scrollback_length to scrollback_lines (#23725) * reorder prehog credential events (#23254) (#23640) * [v12] Add SFTP subsystem fails note to server access FAQ (#23362) * Fix H1 Issues in Docs (#23328) (#23690) * Docs: Overhaul Okta SAML guide. (#23053) (#23673) * Docs: fix saml role addition partial. (#23186) (#23701) * feat(aws/config): Support configuring auth_service.proxy_listener_mode (#23678) * docs: Mention lack of signing with Homebrew (#23681) * Improve performance of `ListResources` (#23534) (#23596) * [v12] usagereporter: resource heartbeats (#23632) * [docs] Change ui_config to ui (#23672) * Cherry pick from v11 Backport of dependabot CVE updates (#23580) (#23582) * docs: configure windows service to listen on all interfaces (#23664) * Ignore unused-parameter on revive/golangci-lint (#23656) (#23661) * Bump cloud version to 12.1.2 (#23410) * [v12] fix: close all proxy listeners (#23647) * update github.com/pelletier/go-toml to v1.9.5 (#23658) * docs: point to release 12.1.1 for exe download for windows local users (#23629) * [v12] Increase DialTimeout when testing SSH Connection Diagnostics (#23635) * [v12] Remove the Houston enforcer (#23633) * Use RUNNER_TEMP to download teleport bins * Revert resty to a version to match teleport-plugins * Rename 'operator' pipeline file to 'integrations' * [v12] Vendor slack plugin and supporting libraries (#23045) * Add integrations/ * Fixed profiling documentation. * Updated Application Access documentation. * Added docs for Auth/Proxy LB configuration * Updated Cloud FAQ for IP allowlists. * Updated Cloud FAQ * [v12] Spell fix (#23594) * [v12] Allow for resource limits and requests for pre-deployment jobs (#23126) * docs: Remove note about not supporting Win Server 2022 (#23584) * [v12] Refactor UserGroups local service to use generic service. (#23579) * Fix agent pool test flakiness (#23572) * Attempt to build the docs in "Lint (Docs)" (#23530) * [v12] Add application RW permissions to the Okta role. (#23566) * allow users to specify separate API URL for github connectors (#23568) * Fix JSON reference in Azure Command (#23562) * [v12] Fetch kubernetes git version with disabled service account (#23559) * Update generated protos (#23545) * chore: Bump protoc-gen-go and protoc-gen-grpc-go (#23326) * Refactor data dir config params for `tbot` to support memory (#23447) (#23495) * Add missing GetPriority function to Okta import rules. (#23501) * minor refactor to replace localProxyOpts with alpnproxy.LocalProxyConfigOpt (#23302) (#23468) * [v12] support postgres cancel request (#23467) * Add Azure join method docs (#23526) * GHA: Cache tweaks (#23540) * Added Teleport Usage Script (#23543) * Validate proxy peer identity (#23506) * Enable minimal web handler when proxy protocol is enabled (#22753) (#23487) * Add hardware key support guide to access control guide list. (#23488) * improve aws utils and database validation (#23157) (#23482) * Plugins service no longer accepts getBackend(). (#23520) * [v12] Spell fix IAM docs (#23521) * docs: indicate which role options are enterprise only (#23298) * Add Teleport 12 features to comparison matrix (#23484) * Add proxy peering metrics to docs (#23015) (#23393) * [v12] Spell fix API comments (#23499) * Use GitHub camelcase for UI, examples and Messages (#23490) * [v12] Fix ProvisionToken incompatibility with BootstrapResources (#23474) * Handle getBackend() or backend argument for plugins. (#23438) * [v12] Add the Okta origin constant. (#23456) * docs: clarify directory sharing audit events (#23295) * add webui page with active session section (#23398) * Include teleport-msteams start in plugin docs (#23459) * [v12] update tsh proxy db cert and key file flags (#23466) * [v12] Add the Okta access point for the Okta service. (#23463) * Introduce Okta objects into the cache. (#23377) * Add `srv.ConnectionMonitor` to unify connection monitoring logic (#23465) * [v12] Add EKS guide to install agents using IAM joining (#23451) * docs: clarify app access debug app (#23297) * Add Okta client import for Okta service. (#23437) * [v12] Set serviceStarted if enterprise services are enabled. (#23402) * [v12] Docs: Update Terraform reference (#23439) * [v12] Filter out internal teleport defined logins (#23411) * [v12] Fix incorrect report of active sessions (#23444) * Do not log errors if metadata extraction fails (#23424) * Add user group read/write access to the Okta role. (#23370) * [v12] - Deprecate `site` param in `auth/export` HTTP endpoint (#23309) * [v12] Machine ID trusted cluster enhancements (#23390) * Fix links with long redirect chains (#22503) * Support Azure delegated joining for Machine ID (#23112) (#23391) * App Agent adjust connection noise logs (#23365) * Expose process ID for enterprise services. (#23383) * [v12] [Docs] Fix documentation for the `roles` field in the Moderated Sessions join policy reference (#23313) * Update e reference. (#23381) * Disable application launch in minimal handler (#22816) (#23332) * Fix docs mentioning connectors updates without secrets (#23344) * Include year in tctl status dates (#23371) * Fix tsh kube credentials fails on remove cluster for the first time (#23252) (#23354) * Add Headless SSO note to upcoming releases (#23339) * [v12] Use Helm DynamoDB policy in Backends reference (#23183) * Remove unused Expires column for tsh database list in verbose (#23318) * [v12] Fix DB Query always return success false in audit log (#23274) * App access: rewrite redirects to public app address from leaf cluster. (#21067) (#23220) * Fix docs link in changelog (#22452) * Export additional functions for enterprise use. (#23245) * Remove older-versions from docs (#23246) * Remove extraneous subheading in DB guides page (#23208) * Add Okta service configuration. (#23236) * fix link for troubleshooting (#23241) * [v12] build.assets Dockerfiles: Remove unnecessary ENV NODE_URL, pass fsSL to curl (#23188) * [v12] doc: add troubleshooting for RDS maximum policy size exceeded errors (#23231) * [v12] Access Mgmt Login Rule and IDP doc updates (#23217) * [v12] Notification improvements (#23223) * Fix navigation redirecting to the wrong page on category change (#23213) * Improve error message to label Enterprise version as FIPS for fips error (#23214) * [v12] Connect: Allow config customization (#23197) * GitLab Delegated Joining (#22705) (#23191) * adding video to k8s doc (#23171) * Allow webauthn to be passed when issuing certs for web-based scp (#22864) (#23195) * fix heartbeatv2 test (#23203) * Add anonymized device ID to tp.user.login event (#23055) * Decouple SkipLocalAuth, UseKeyPrincipal, and static auth methods. (#21182) (#23198) * Establish the Okta service role. (#23173) * [v12] Make Desktop Acess setup script idempotent (#23176) * Updated config to include HA guide (#23155) * [v12] tsh: Silent webauthnwin warning on app init (#23161) * [v12] Support App access behind load balancer (#23054) * [v12] Backport of `crypto` update (#23150) * [v12] Bump Cloud to 12.1.1 (#23129) * Use serverUID for web scp target (#23124) (#23152) * Add `app_server` support to tctl get/rm commands (#23136) * [v12] docs: Add instructions on uninstalling Teleport (#23135) * Added 03/15 Upcoming Releases Update (#23127) * Remove ossfuzz from CI (#23113) * Update Rust to 1.68.0 (#23101) * [v12] Introduce the Okta service. (#23071) * [v12] Backport Access Request plugin guide (#23085) * [v12] Backport #23024 and #23079 (#23080) * Changed Upcoming Releases format. (#23020) * Update docs version (#23083) * add bypasses for lint go and lint docs (#23078) * [v12] Document that GitHub username is added to internal.logins (#23060) * [v12] Backport #23008 and #23006 (#23021) * Introduce Okta gRPC and client interfaces. (#22733) (#23057) * [v12] chore: Bump Go to 1.20.2 (#22997) * [v12] Update the docs style guide (#23001) * Provide more context in the docs intro page (#23003) * [v12] usagereporter: Use the batched event ingest RPC (#23027) * Update Electron to 22.3.2 (#23048) * Add a getter for the backend in `auth.GRPCServer`. (#23043) * Log Connect version on startup (#23036) * [v12] Fix uncaught exception handling in Connect's shared process (#22986) * [v12] Backport Distroless OCI builds (#22814) * [v12] Fix unresponsive terminal in Connect on Windows Server 2019 (#22996) * Fixed enterprise and fips OS packages not uploading to OS package repositories when promoting in the context of private git repos (#21163) (#23012) ------------------------------------------------------------------- Tue Mar 21 08:51:11 UTC 2023 - Johannes Kastl - BuildRequire go1.19 ------------------------------------------------------------------- Tue Mar 14 07:12:37 UTC 2023 - kastl@b1-systems.de - Update to version 12.1.1: * Release 12.1.1 (#23016) * [v12] Hide upgrade-related alerts from dashboards (#22991) * Hide download center when not on dashboards and prevent license gRPC endpoint from being called (#22965) (#22980) * Web-Discover: Add support for connection testers with per-session MFA enabled (#22529) (#22943) * [v12] Add docs for Connect usage reporting (#22661) * fix leave session command (#22795) * Fix usagereporter tests (#22968) * [v12] Remove docs reference and video that users can approve/deny within PagerDuty (#22939) * [v12] Export CRL and Database CA in DER format (#22896) * docs: include a separate page for OSS access requests (#22946) * macOS-compatible grep (#22759) * Use 13px font size in a `Notification` (#22870) * [v12] Swap out select for poll (#22676) and Loop for poll (#22746) (#22798) * [Web] Make language on mfa verify step dialog more clear (#20825) (#22924) * Fix panic when AuditWriter fails on moderated sessions (#22930) * [v12] Add per-session mfa support to connection testers (#22918) * update eref (#22937) * fix select box sizing (#22686) * Make the NodeWatcher more robust (#22910) * Add idle connection timeouts to http clients and servers (#22885) (#22908) * Remove the permissions alias. (#22909) * [v12] chore: Bump gci and golangci-lint (#22900) * Drop local_auth/second_factor warning (#22859) * Update e ref. (#22905) * [v12] Connect: Provide prehog address for prod env (#22876) * [v12] Emit new `AgentMetadataEvent` (#22879) * chore: Bump Buf to v1.15.1 (#22856) * Ensure that the `webclient` closes connections (#22832) (#22893) * [v12] Connect: Remove leftovers from resource cache removal (#22884) * docs: mention how to get the correct API version (#22812) * [v12] Return Public Web Port in TLS mode for postgres when listen addr specified. (#22889) * Idp Docs Fixes (#22853) * Added 03/09 Upcoming Releases Update (#22846) * [v12] Add documentation for tsh --trace-exporter (#22837) * Move the authorizer into its own package. (#22825) * [v12] Interface for processing SAML IdP request signing on auth server. (#22801) * Do not check os groups when user exits (#22805) * [v12] Deduplicate multiplexer detection errors over 1-minute windows (#22802) * Validate static labels assigned to Kubernetes service (#22701) (#22777) * [v12] AWS Terraform doc updates (#22786) * Cherry-pick 6c58a9e (#22785) * usagereporter: Allow multiple batch submissions in a row (#22711) (#22788) * [v12] Use the teleport-ent package on enterprise clusters in the discovery installer (#22769) * Add correct link in place of placeholder for Telemetry docs (#22781) * Docs teleport and golang version (#22765) * [v12] Docs: Fix AWS Terraform Snippets (#22743) * The SAML IdP CA will be handled during auth.Init. (#22721) * [v12] Improve error messages for tsh login connectivity and ssh port (#22763) * [v12] Reorganize the config reference (#22271) * [v12] chore: Bump Go to 1.19.7 (#22725) * [v12] SAML identity provider docs. (#22625) * NodeJoin Script: clear yum repo cache (#22585) * Improve tctl auth export docs/help (#22681) ------------------------------------------------------------------- Tue Mar 07 05:48:42 UTC 2023 - kastl@b1-systems.de - Update to version 12.1.0: * Release 12.1.0 (#22694) * (v12) Downgrade Go to 1.19.6 (#22691) * Add MaxRetryPeriod for cachePolicy config to use in tests (#22656) (#22692) * [v12] temporarily disable TestHSMDualAuthRotation (#22682) * [v12] Docs: Add Datadog guide. (#22677) * Update node listing troubleshooting (#22678) * [v12] Update access request enterprise description (#22621) * [v12] Machine ID Agent Anonymous Analytics (#22658) * test keyword frontmatter (#22666) * Machine ID telemetry docs (#22541) (#22660) * SCP - Change file attrs only when requested (#22579) (#22609) * Fix broken Teleterm stories (#22665) * spell fixes and discord config fix (#22617) * Remove network I/O from database_service collection apply (#22588) * [v12] Add OSS repo name to github actions trigger (#22653) * Update e (#22608) * Refresh remote cluster connection status periodically (#22575) * bump cloud version (#22542) * fix typo in image (#22138) (#22552) * Bump e ref. (#22602) ------------------------------------------------------------------- Sat Mar 04 08:45:41 UTC 2023 - kastl@b1-systems.de - Update to version 12.0.5: * Release 12.0.5 (#22599) * Add SAML IdP service providers to default allow rules. (#22600) * [v12] node hb and watcher scalability improvements (#21495) * Add in SAML IdP service provider session metadata to auth attempts. (#22544) (#22562) * update eref (#22596) * [Web] Refactor serverside filtering and pagination (#20823) (#22432) * fix video link (#22576) * Use `btree.BTreeG` directly in memory backend (#22409) * [v12] Add GCP Service Account parameter to tctl users add reference (#22543) * [v12] Add Telnet into docker to test connectivity for cloud getting started (#22570) * Allow all alert severities to be acknowledged (#22582) * add github.com/google/go-attestation/attest to e imports #2 (#22465) * Fix compilation on ARM (#22569) * [v12] Refresh the Access Controls menu (#22523) * [v12] update e ref to latest branch/v12 (#22566) * Added 03/02 Upcoming Releases Update (#22547) * [v12] Enable BPF on ARM64 (#22550) * Teleport 12 Videos (#22527) * Add Azure auto-joining (#21087) (#22521) * [v12] Unify x86/ARM64 build process (#22495) * Fix pickDefaultAddr not respecting HTTPS_PROXY (#22492) * Set `create_as_resource` in device-related `tctl` RPCs (#22415) (#22518) * Improve `tsh kube credentials` read operations (#22508) * [v12] SAML IdP audit events. (#22510) * [v12] `lib/usagereporter` refactor and consolidation (#22512) * [v12] Make curl fail on server error when downloading binaries in buildbox (#22380) (#22442) * add known STS endpoint for ap-southeast-4 (#22486) * [v12] Server Access RBAC Docs page (#22500) * Okta local service. (#22434) (#22513) * chore: Bump Buf to v1.15.0 (#22430) (#22472) * [v12] Allow devices writes with resource-like semantics (#22470) * Initial Okta objects. (#22151) (#22431) * [v12] Update to libbpf 1.0.1 (#22424) * Automatically parse entity ID from SAML SP during CLI creation. (#22101) (#22368) * [v12] Add static and dynamic web ui configuration options (#22422) * [v12] feat: add LoginRule methods to api/client (#22426) * [v12] Add docs steps to create machine-id data dir and systemd enablement (#22477) * [v12] Remove non-applicable roles from teleport start --roles reference (#22311) * [v12] Use developer-friendly and precise technical language in docs (#22412) * docs: use approved terminology for desktop access w/ local users (#22418) * [v12] Add CLI doc changes after new client only parameter for tsh version (#22392) * Export runtime traces from tsh (#22406) * [v12] fixes #21970 - remove broken config validation check in scratch mode (#22423) * [v12] sshserver: Correctly handle PuTTY winadj channel requests (#22420) * Docs: Device Trust role and locking support (#21915) (#22416) * [v12] update e-ref (#22381) * Install libbpf 1.0.1 in buildboxes (#22317) * [v12] Update to default k8s deployment docs (#22396) * Update docs Teleport version and golang (#22384) * Add caching to web assets (#22183) * [v12] Connect: Remove resource cache (#22316) * Machine ID readme example script fix (#22394) * Add Azure join method (#22204) * [v12] Bump versions in docker images to 12 (#22375) * Updates to enable merge queue (#22370) * Fix incorrect login options for Windows Desktops (#22118) (#22333) * [v12] Update eref (#22343) * Add WEBASSETS_SKIP_BUILD to Makefile (#22337) * Always include webassets_embed when building teleport (#22339) * Add `isDashboard` to web config object (#20830) (#22329) * [v12] [Web] Add custom element support to SearchPanel (#22325) * Fix SAML IdP service provider CLI bug. (#22322) * [v12] [web] Move filtering out cloud and tcp apps to the frontend (#22324) ------------------------------------------------------------------- Tue Feb 28 07:52:01 UTC 2023 - kastl@b1-systems.de - Update to version 12.0.4: * Release 12.0.4 (#22321) * Terminate the local shell when a session closes (#22222) * Ignore all node_module paths when running shellcheck lint. (#22233) * [v12] Enable xterm links and clean up MFA modal (#22278) * [v12] Web: Fix regression for not able to create or reset users (#22267) * Mark Proxy Peering as in Preview (#22209) * [v12] helm: allow to set security contexts in `teleport-kube-agent` (#21535) * Format collected data in the device tctl resource nicely (#22198) (#22258) * Fix `disconnect_expired_cert` and `client_idle_timeout` description (#22255) * spell fix kubernetes resource doc (#22259) ------------------------------------------------------------------- Tue Feb 28 06:52:22 UTC 2023 - kastl@b1-systems.de - Update to version 12.0.3: * Release 12.0.3 (#22250) * [v12] Fix Kube impersonation header overwrite when dealing with remote clusters (#22244) * Fix an issue Redis protocol not handling nil response (#22200) (#22228) * preserve explicit local auth disable * Create a generic local backend service. (#22236) * [v12] Adds `kubernetes_resources` references (#22217) * User group API and cache. (#21956) (#22147) * [v12] Provide flag to only display tsh binary version (#22167) * [v12] Extend security context to proxy init container wait-auth-update. (#22064) * createPtyProcess: Return early on error (#22190) * ClustersService: Remove internal logins when syncing root clusters (#22187) * [v12] Implement tctl resource commands for Device Trust (#22157) * Added 02/23 Upcoming Releases Update * [v12] Add docs for Device Trust tctl commands (#22201) * Inherit `kubernetes_resources` from roles when using access requests to kube_cluster * [v12] Add service for "plugin" resources (#21210) (#22185) * [v12] Add Security-Kerberos Event Log for Desktop Troubleshooting (#22170) * add MFA type and Login flow to register challenge event (#22112) (#22159) * add bypassses for UI GHA's (#22105) (#22141) * Add expire time to SAML session creation. (#22135) * [v12] Add Plugin resource schema, methods (#20990) (#22177) * [v12] Connect: Enable font configuration (#22122) * Update e (#22156) * Spell fix previews page (#22152) * Add in WrapContextWithUserFromTLSConnState. (#22136) * [v12] Bump cloud version to 11.3.4 (#22114) * disable MFA TTL limit for local proxy tunnel (#21661) * [v12] Document silent install of Connect on Windows (#22119) * Clarifications in Okta SSO doc (#22036) * [v12] Docs: update fluentd guide (#22077) * Remove usage of lodash methods (#21567) (#22102) * Discover: install ent image when cluster is enterprise (#22109) * [v12] Install deb/yum repos when using node-join script (#22108) * Ensure UpdateRemoteCluster updates all fields (#22024) (#22088) * fix: improve tsh logs when skipping auto Access Request (#22094) * Add DatabaseService KeepAlive type (#22042) (#22087) * SAML IdP sessions added to the API and cache. (#22098) * Correctly handle LOCAL command of PROXY protocol v2 in multiplexer (#22092) * Import jest-canvas-mock in teleport tests which import xterm paths (#22074) * Refresh Introduction Page (#21261) (#22032) * [v12] Add non-HA Teleport cluster to Deploy with Helm links (#22039) * Emit usage events for `port`, `kube.request`, `sftp` (#21740) (#22016) * Relay child exit code in g-build (#21898) * [v12] [Web:Discover] Add missing checks (#22029) * Align AWS assume-role request duration with cert expiration (#21670) (#21994) * Support assumed roles for "tsh proxy aws" (#20568) (#21990) * [doc] Update app access reserved headers X-Teleport-* (#21000) (#21993) * [v12] Change init logger to include timestamp for debug level (#21996) * Add minor improvements to `lib/kube/proxy` (#21917) * [v12] Support proxy reading of SAML IdP CA. (#22030) * Mention --mfa-mode in the `tsh mfa add` flow (#22018) (#22034) * [docs] add a note on `rds:DescribeDBClusters` (#22007) (#22025) * Improve formatting for TLS cert requests (#22013) * CI: bypass OS compatibility check for some changes (#21989) (#22021) * [v12] Updates to windows getting started (#22019) * [v12] SAML IdP access checker. (#21955) * Expose access point in web handler. (#21957) * Include Enterprise in output of tctl version for commercial pre-req (#22004) * [v12] Fix Moderated session on leave pause action. (#21974) * [v12] [Web] Fix missing --request-id= flag in UI for Kubernetes login instructions (#21445) * [v12] Connect: Use SSH server UUID instead of hostname for file transfer (#21962) * [v12] Fix uncaught errors in Desktop's Discover flow (#21756) * Added 02/16 Upcoming Releases Update * Add metrics to track connection ingress (#19734) (#21771) * Switch CodeQL to scheduled (#21942) * Refer to tsh apps subcommand (#21857) * Adjust clientIP/pinnedIP fields according to IP pinning RFD (#21906) * Update Go toolchain to 1.20.1 (#21931) * [v12] Docs/TF: Identity as b64 (#21933) * Docs: Remove Jira Custom Field reference (#21908) * Update role > lock and add missing word." (#21897) * Reduce etcd requests performed by a KeepAlive (#21926) * Update Teleport Enterprise Cloud compare description (#21922) * [v12] Update teleterm README (#21879) * Disable instance heartbeats by default (#21901) (#21905) * [v12] Add docs references to `tsh request search --kind=pod` (#21887) * [v12] Add more info re: AWS credentials to the docs (#21776) * [v12] Include enterprise in tctl prereqs for ent and cloud (#21890) * Initial user group object. (#21657) * [v12] Add SAML query functions to auth preferences. (#21825) * SAML IdP session objects. (#21758) * [v12] Update troubleshooting docs (#21762) * [v12] Change error response formatting for "/version" endpoint (#21846) * Update download link (#21674) * use Enterprise over Commercial (#21370) * Improve webpack "exclude" expressions (#21663) (#21725) * [doc] allow either role name or full ARN for AWS IAM role db_users (#21240) (#21837) * helm: fix proxy and auth config referring to the same subdict (#21768) * Fixup teleport db configure create (#20968) (#21690) * spell fixes (#21855) * Bump Buf to v1.14.0 (#21842) * Run reviewers check on (un)labeled PR events (#21814) (#21819) * [v12] docs: login rule docs (#21829) * Remove deprecated warning when proxy starts (#21817) * [v12] Move CentOS 7 assets to GitHub repo (#21784) * feat: early feedback for successful security key taps (#21780) * set SessionExpires on new sessions (#21688) (#21733) * [v12] Skip deleting server heartbeats during in-process restart (#21807) * Remove code related to restarting lib/teleterm gateways (#21533) * AWS IAM role matching for database users (#20610) (#21251) * Add device lock support (#21667) (#21751) * [v12] Turn off parallelization of teleterm's integration tests (#21737) * [v12] Remove support for DEBUG_ASSETS_PATH (#21473) * Remove required cluster name when using `tsh kube login --all` (#21765) * [v12] Moderated sessions request is not forwarded into the leaf cluster (#21612) * Role access requests available for all scopes (#21752) * Update docs link to master db access rfd (#21736) * Cache etcd lease ttl (#21496) * Fix linter issues (#21748) * [v12] Update Go toolchain to 1.20 (#21680) * Add Pod resource search web API (#21595) * Update docs version (#21744) * [v12] Make UsageSessionStart report TCP app access separately (#21711) * [v12] Connect: Link to docs in `UsageData` dialog (#21730) * Delete assets/aws/cloudformation directory (#21696) * lib/utils/fs.go: Do not remove lockfiles on Windows * Update SQL Server library (#21065) (#21638) * Update database config samples (#21480) (#21543) * Change debug commands during discover flow (#21557) * [v12] Ask for job role on the second launch (#21640) * Correct namespace name in k8s doc (#21589) * Remove version warnings for EOL Teleport versions (#21665) ------------------------------------------------------------------- Mon Feb 13 15:53:03 UTC 2023 - kastl@b1-systems.de - Update to version 12.0.2: * Release 12.0.2 (#21679) * Bump cloud version to 11.3.3 (#21672) * Fix kube agent shutdown during upgrades (#21617) * [v12] Updates port validation to restrict to valid port numbers 1-65535 (#21651) * Improve listing resources across clusters (#21003) (#21577) * [v12] Skip deleting database servers on agent shutdown during binary upgrade (#21635) * [v12] Update JS grpc-tools to 1.12.4 (#21532) * capture custom role creation in prehog (#21123) (#21599) * Verify if proxy can handle application requests when creating session (#21615) * Extract entity ID when creating SAML service provider. (#21603) * Allow invalid namespaces in role templates (#21573) * Remove GCB checks (#21593) * [v12] Compare TLS and SSH principals independent of order (#21578) * [v12] Skip device authz when issuing App or Windows certs (#21571) * fix link in troubleshooting guide (#21581) * [v12] Use test IP addresses for auth_proxy_test. (#21576) * Remove unused `CheckResourceUpsertableByError` function (#21562) * refactor db local proxy logic (#21335) * Add field to user cert request (#21474) * Fix k8s docs links (#21553) * Bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp (#21514) * Bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp (#21513) * [v12] Update e-ref (#21547) * [v12] Add SAML IdP service providers to the cache and CLI. (#21471) * [v12] Improve error message when trying to rename resource (#21179) * [v12] Remove Auth/Proxy instructions from DB guides (#21333) * properly resolve conflict (#21409) * [v12] Update okta.mdx (#21410) * [v12] helm-docs: Separate cert-manager and ACM values for clarity in AWS guide (#21361) * Rename protoEqual and add a big warning (#21505) * [v12] Connect: return logged in user in `ListRootClusters` (#21467) * Run go mod tidy in CI (#21140) (#21482) * Align the Okta and Auth Connector configuration examples in Okta SSO guide (#21475) * [v12] Add in file configuration for the SAML IdP. (#21486) * improve 'tsh scp' error message when no remote path is specified (#21373) * Add `tsh request search --kind=pod` support (#21456) * Removes the "overflow: auto" from StyledXterm (#20868) * fix partial links (#21470) * Reduce CPU usage in enhanced session * update contribute instructions to use major version (#21462) * [v12] [Docs] update Desktop Access introduction for v12 (#21458) * Update the version support table for v12 (#21428) * single-source access control guides list (#21415) * [v12] Move Connect-specific MenuLogin story out of shared package (#21386) * Fix flaky tctl UT - allocate network listener (#21390) * Add RBAC labels for Database Services access (#21093) (#21244) * Enable role-based device authz for DB, k8s and SSH (#20640) (#21432) * [v12] Bump OpenSSL and libcbor (#21425) * [v12] Require flag for dynamic resources matching "tsh db configure create" (#21395) * [v12] Allow role-based device verification in AccessChecker (#20846) * Bump forked go-libfido2 (#21175) * fix k8s docs links (#21414) * Show enterprise installs for Cloud scope MacOS Installs (#19669) (#21368) * Update docs version to 12 (#21418) * [v12] Add missing license headers to files. (#21405) * correct tsh scp docs (#21378) * Docs: AWS RDS Proxy Guide (#21322) (#21401) * [v12] Update security information in docs. (#21358) * Updated Dronegen for v12 release (#21355) * [v12] Fix the navigation not listening to the back button (#21236) * Spelling fix and app access link fix (#21397) * [v12] Remove deprecated `/webapi/nodes/token` endpoint (#21152) * Add gRPC Kubernetes Service (#21359) ------------------------------------------------------------------- Wed Feb 08 08:08:12 UTC 2023 - kastl@b1-systems.de - Update to version 12.0.1: * Release 12.0.1 (#21372) * Fix operator build (#21369) * fix lint-breaking spacing (#21356) * [v12] Preview Page (#21283) ------------------------------------------------------------------- Wed Feb 08 07:53:13 UTC 2023 - kastl@b1-systems.de - Update to version 12.0.0: Full changelog is available at https://github.com/gravitational/teleport/releases/tag/v12.0.0 Teleport 12 brings the following marquee features and improvements: - Device Trust (Preview, Enterprise only) - Passwordless Windows access for local users (Preview, Enterprise only) - Per-pod RBAC for Kubernetes Access (Preview) - Azure and GCP CLI support for Application Access (Preview) - Support for more databases in Database Access: - AWS DynamoDB - AWS Redshift Serverless - AWS RDS Proxy for PostgreSQL/MySQL - Azure SQLServer Auto Discovery - Azure Flexible Servers - Refactored Helm charts (Preview) - Dropped support for SHA1 in Server Access - Signed/notarized macOS binaries * Azure and GCP CLI support for Application Access (Preview) In Teleport 12 administrators can interact with Azure and GCP APIs through Application Access using `tsh az` and `tsh gcloud` CLI commands, or using standard `az` and `gcloud` tools through the local application proxy. * Support for more databases in Database Access Database Access in Teleport 12 brings a number of new integrations to AWS-hosted databases such as DynamoDB (now with audit log support), Redshift Serverless and RDS Proxy for PostgreSQL/MySQL. On Azure, Database Access adds SQLServer auto-discovery and support for Azure Flexible Server for PostgreSQL/MySQL. * Refactored Helm charts (Preview) The “teleport-cluster” Helm chart underwent significant refactoring in Teleport 12 to provide better scalability and UX. Proxy and Auth are now separate deployments and the new “scratch” chart mode makes it easier to provide a custom Teleport config. “Custom” mode users should follow the migration guide: https://goteleport.com/docs/ver/12.x/deploy-a-cluster/helm-deployments/migration-v12/ * Dropped support for SHA1 in Server Access Newer OpenSSH clients connecting to Teleport 12 clusters no longer need the “PubAcceptedKeyTypes” workaround to include the deprecated “sha” algorithm. * Signed/notarized macOS binaries Users who download Teleport 12 Darwin binaries would no longer get an untrusted software warning from macOS. * tctl edit tctl now supports an edit subcommand, allowing you to edit resources directly in your preferred text editor. * Breaking Changes Please familiarize yourself with the following potentially disruptive changes in Teleport 12 before upgrading. - Helm charts The teleport-cluster Helm chart underwent significant changes in Teleport 12. To upgrade from an older version of the Helm chart deployed in “custom” mode, use the following migration guide: https://goteleport.com/docs/ver/12.x/deploy-a-cluster/helm-deployments/migration-v12/ Additionally, PSPs are removed from the chart when installing on Kubernetes 1.23 and higher to account for the deprecation/removal of PSPs by Kubernetes. - tctl auth export The tctl auth export command only exports the private key when passing the --keys flag. Previously it would output the certificate and private key together. - Desktop Access Windows Desktop sessions disable the wallpaper by default, improving performance. To restore the previous behavior, add `show_desktop_wallpaper: true` to your windows_desktop_service config. ------------------------------------------------------------------- Thu Feb 02 06:59:38 UTC 2023 - kastl@b1-systems.de - remove non-breakable-space character from changes file - Update to version 11.3.2: * Release 11.3.2 (#21121) * Update ec2-tags.mdx (#21115) * Fix MongoDB readHeaderAndPayload BSON max size (#21113) * [v11] Fix direct node dial from WebUI (#20928) * Update docker-compose docs (#21045) * Use CDN links for install node scripts (#20985) (#21057) * [v11] Remove CentOS6 and RHEL6 as valid distros (#20986) * Skip TestBot_Run_CARotation (#20944) * Use `SameSiteNoneMode` for application access cookies (#21049) * Fix data race when closing listener (#21040) * Conditionally build the UI if there are changes. (#20489) (#21018) * [v11] Use the webassets directory at the root of the project for the web ui. (#21016) * remove quotes from messages in makefile (#20740) * Open Support links in UI to new page (#20984) * [v11] Merge backports (#20997) * [v11] Enable building teleport with the new UI location (#20965) * Elasticsearch: explicitly require `--db-user`. (#20695) (#20919) * Use concurrent streams for SFTP connections (#20953) * update docs version (#20973) * Disable disk-based logging for TestResizeTerminal (#20871) * Fix language for try out teleport intro (#20948) * Use a GitHub app for the check and backport workflows (#20873) (#20958) * [v11] Add node and yarn to the buildboxes in preparation for the webapps merge (#20952) * Hardware Key UX fixes (#20949) * Update Rust to 1.67.0 (#20883) * [v11] chore: Bump Buf to v1.13.1 (#20921) * Added 01/26 Upcoming Releases Update * [v11] fix `tsh proxy aws --endpoint-url` (#20880) * Temporarily ignore the web directory when linting for license headers. * [v11] Migrate AppLauncher tests into webapps. (#1532) * Rearrange buildbox layers for faster updates (#20838) * Use ghcr image for doc tests (#20876) * Update app tests for rewritten headers (#20801) * [v11] Add support for Moderated Sessions in the Web UI (#1540) * [v11] [Discover] Enable mysql flow (#1539) * [v11] feat: login rule audit events (#1537) * [v11] Connect: Add useWorkspaceLoggedInUser (#1536) * [v11] Update eref (#1534) * Decode URL encoded values from AppLauncher's ARN. (#1530) * Update e ref (#1528) * Add --quiet to eslint package.json script (#1510) (#1523) * Update webapps.e reference to latest commit (#1522) * Fix clipboard permissions apparent inconsistency (#1509) (#1513) * Change the application access authentication flow (#1515) * capture additional prehog events (#1508) * [v11] backport #1505 (Revert "Use sessionStorage for Authentication Bearer Token) (#1506) * Add lazy loading for desktop sessions (#1503) * Add lazy loading for session playback (#1502) * Update e ref (#1500) * Make trusted cluster screen hidden based on user roles (#1484) (#1494) * Update Electron to 22.0.0 (#1498) (#1499) * [v11] Discover: Implement Day 1 Database Postgres Flow (#1487) * Update sessionPath value to new endpoint (#1486) (#1492) * [v11] [Connect] requestableRoles and suggestedReviewers on LoggedInUser (#1485) * [v11] Make bundled tsh available outside of Connect (#1488) * Connect: Add missing modal stories, misc modal fixes (#1479) (#1482) * Include session id in Session Uploaded event display (#1476) * awaits the file write and close to avoid data corruption (#1471) (#1472) * Fix websocket close (#1463) (#1470) * [v11] add app access dynamodb event (#1462) * [v11] backport #1275 (Use sessionStorage for Authentication Bearer Token) (#1458) * Adds a status code to the closing of the tdp client's websocket (#1442) (#1455) * [v11] [Connect] Use resourcesList in review access request table (#1456) * Add support for InstanceJoin and BotJoin audit events (#1414) (#1440) * Update electron-builder to 24.0.0-alpha.5 (#1434) (#1438) * Connect: Use typed URIs (#1394) (#1436) * Fix Connect stories (#1422) (#1435) * Connect: Implement tshd event handlers for db cert renewal (#1383) (#1416) * Add `recoveryCodesEnabled` (#1408) (#1419) * Add subject value to app sessions (#1413) (#1426) * alert convention matches grpc (#1424) (#1425) * [Connect] Async autocomplete (#1406) (#1423) * Fix large file corruption (#1382) (#1421) * capture events from webapps (#1344) (#1411) * Connect: Tell fpm to not use symlinks when building the rpm package (#1407) (#1410) * useAsync: Add support for abort signal (#1377) (#1409) * Update xterm to 5.0.0 (#1400) (#1401) * [v11] backport #1321 (Add checkbox component to design package) (#1393) * Lazy load Telemetry only when needed (#1399) * Fix alerts from not disappearing on route changes (#1395) (#1397) * Display `verb`, `request_path` & `response_code` in `kube.request` events (#1384) (#1391) * [v11] Use a single websocket for SSH connections (#1361) (#1392) * Pass clusterUri rather than documentUri to retryWithRelogin (#1385) (#1386) * [v11] [Connect] Use server side search in resource tables (Advanced Search) (#1381) * [v11] Forward SSH agent (#1366) (#1370) * [v11] Update to Electron 21 (#1351) (#1360) * Fix iterating over null array for sshLogins from fetched nodes (#1356) * [Discover] Refactor SetupAccess Screens (#1310) * Prevent non-https protocol from opening external windows (#1343) (#1345) * Shared Directory Audit Events (#1290) (#1348) * Connect: Set up tshd events server for tshd-initiated communication (#1285) (#1339) * [v11] retryWithRelogin: Enable use outside of document context (#1341) * Show all kinds of active sessions (#1337) * [v11] Log shared process `stdout` and `stderr` (#1046) (#1336) * [v11] Discover: Add back button for `TestConnection` screens (#1329) * Update ensureBaseUrl to use URL constructors only (#1328) (#1330) * Update ensureBaseUrl conditional (#1320) (#1322) * [v11] Handle private key policy errors and config (#1298) (#1311) * Warn user when desktop is active (#1297) (#1312) * Connect: Use gap instead of margins for