-------------------------------------------------------------------
Wed Dec 07 06:34:44 UTC 2022 - kastl@b1-systems.de

- Update to version 11.1.2:
  * Release 11.1.2 (#19117)
  * Fixed container images dockerfile download using hardcoded repo name (#19090)
  * Remove mentions of "setup" as a verb (#18949)
  * spelling, typos, and non-example nouns fixed (#18943) (#18976)
  * docs: fix tsh --cert-format reference (#19057)
  * update webassets (#19070)
  * [v11] Update e ref to conditionally enable usage reporting in cloud/enterprise (#19064)
  * Add a new usage reporter (#18142) (#19059)
  * [v11] docs: Add warnings about using layer 7 LBs with TLS routing (#19052)
  * Provided expanded definition on internal.logins (#19035)
  * [v11] Re-add the section about EC2 instances including the AmazonSSMManagedInstanceCore (#19029)
  * [v11] Fix web ssh session with proxy recording mode (#19021)
  * [v11] Create a partial for adding a role to a user (#19026)
  * [v11] BUGFIX | Teleport ALPN Proxy doesn't respect HTTP CONNECT Proxy (#19038)
  * [v11] Move corrupted uploads to separate directory (#19040)
  * Cache static desktop labels (#18874)
  * docs: clean up per-session MFA page (#18952)
  * [v11] Fix unknown group error issue (#18990)
  * full link to main site (#19004)
  * [v11] Add clarification as to the purpose of Metrics endpoint. (#19017)
  * Ensure `tctl windows_desktops ls` produces expected output (#18779) (#19016)
  * correct heading level for 11.0.1 release (#18998)
  * update docs version (#18997)
  * Properly check err from EmitAuditEvent. (#18963)
  * [v11] Add a guide to GKE Auto-Discovery (#18986)
  * Address feedback
  * Added 12/01 Upcoming Releases Update
  * Fix dir path in Enterprise install instructions (#18967)
  * [v11] Improve the Kubernetes Dynamic Registration guide (#18950)
  * [v11] Add the `--version` flag to `helm install` (#18947)
  * docs version update (#18927)
  * [v11] [Docs] Update EC2 Discovery guide for bootstrapping. (#18924)
  * [v11] Fixes for ec2 discovery installer script on legacy ubuntu and fixes for `teleport discovery bootstrap` (#18965)
  * Connect: Check db cert before using it for local proxy (#18740) (#18852)
  * [v11] Connect: Set TeleportClient.AuthConnector before logging in (#18900)

-------------------------------------------------------------------
Thu Dec 01 05:44:31 UTC 2022 - kastl@b1-systems.de

- Update to version 11.1.1:
  * Release 11.1.1. (#18957)
  * [auto] Update webassets in teleport/branch/v11 from webassets/teleport-v11 (#18954)
  * [v11] backport #18036 (Allow for specifying roles when making Resource Access Requests in the UI) (#18868)
  * [v11] Add Terraform provider links to Terraform module README (#18162)
  * backport spell fixes (#18941)
  * operator: Handle conflicts properly during tests (#18916)
  * Fix FIPS builds (#18902)
  * Remove DEBUG env var from Connect macOS dronegen (#18899) (#18921)
  * [v11] Include ssh protocol in start, end audit events (#18895)
  * [v11] Securely delete OTP QR code (#18917)
  * [v11] Update permit_user_env comments in config ref (#18912)
  * Include upload ID & session ID in failed upload warning logs (#18788) (#18872)
  * Fix duplicate docs page titles (#18862)
  * fuzz: fix broken OSS-Fuzz build (#18878)
  * [v11] Add info on license renewals (#18848)
  * Swaps Allow remote RDP connections and Open firewall to inbound RDP connections steps (#18844)
  * Add `server_hostname` to `session.*` events (#18812) (#18832)
  * [v11] Improve error message if dialing etcd nodes times out (#18822)
  * [v11] feat: GCP KMS support (#18835)

-------------------------------------------------------------------
Tue Nov 29 08:02:09 UTC 2022 - kastl@b1-systems.de

- Update to version 11.1.0:
  * Release 11.1.0 (#18806)
  * saml: Don't check existence of templated role names (#18766)
  * [auto] Update webassets in teleport/branch/v11 from webassets/teleport-v11 (#18841)
  * Export GithubConverter type (#18751) (#18836)
  * Generate new session on new ssh websocket connection. (#18523) (#18839)
  * [v11] Improve `tsh play` JSON & YAML output (#18825)
  * Add extra database validations to CreateDatabase (#18776) (#18785)
  * Do not run parker process for all SSH sessions (#18810)
  * Add `tctl windows_desktops` as the default and keep `tctl desktops` as an alias (#18816)
  * Add `teleport discovery bootstrap` command (#18641)
  * [v11] Add info to docs about working with github enterprise server (#18808)
  * [v11] Session Control + UI SSH Performance (#18797)
  * [v11] Ensure app session is in backend in app access integration tests. (#18803)
  * call out restrictions on Var in code blocks (#18714)
  * [v11] Document Discord access plugin (#18790)
  * [v11] [Docs] Desktop Access Value and Log updates (#18799)
  * [v11] Undos support for `TELEPORT_PROXY` in `tctl` (#18796)
  * [v11] Reformat imports GCI (#18736)
  * [v11] Update GetDatabases to use the correct cluster uri (#18735) (#18762)
  * [v11] Fix for Teleport start config file log (#18778)
  * Add STS endpoints for new regions (#18756)
  * [v11] Fix issue self-hosted databases with ec2 hostnames fail to create (#18773)
  * [v11] Add FIPS support for Desktop Access (#18743)
  * [v11] Release server CI integration improvements (#18513) (#18702)
  * [v11] Terminate sessions when peers disconnect (#18684)
  * Added 11/23 Upcoming Releases Update
  * bump etcd client
  * Stop creating Snowflake ocsp_response_cache.json (#18720)
  * [v11] Fix Mongo document sequence msg validation (#18738)
  * Fix up GCP docs (#18729)
  * [v11] operator: Add `auth_connector` support (#18350)
  * Add additional space to apt commands (#18733)
  * [v11] Make the Standalone Kubernetes guide easier to use (#18694)
  * [v11] Ensure ssh connection rejection errors are returned (#18708)
  * Connect: Add prerequisites for gracefully handling expired db proxy certs (#18259) (#18678)
  * GCS: don't swallow cleanup errors (#18725)
  * CodeQL: Rename from codeql-analysis.yml to codeql.yml
  * spell fixes (#18692)
  * Fix trusted clusters for Desktop Access
  * Enable and fix AuditOn. (#18574)
  * update teleport.e submodule (#18687)
  * [v11] Adds GCP GKE auto-discovery (#18396)
  * [v11] [Docs] Fix rewrite key example. (#18387)
  * Add ability to have multiple Github auth connector implementations (#18521)
  * [v11] Allow configuration of identity file and proxy url with env in `tctl` and `tsh`. (#18673)
  * Add tests for teleterm.Serve with TCP address (#18144) (#18637)
  * Add mutex for certs in local proxy (#18278) (#18623)
  * [Docs] remove tf language from codeblocks (#18669)
  * Make SessionTracker heartbeat loop more robust (#18415) (#18576)
  * [v11] Allow connections to nodes when Auth is offline (#18585)
  * docs: improve wording on free cloud trials (#18653)
  * Make proxy routing logic reusable (#18370) (#18596)
  * [v11] Add TLV support to ProxyLine (#18650)
  * Docs: Update Terraform suggested role (#18648)
  * [v11] Take cloud labels into account for application access permissions calculation. (#18642)
  * attempt to fix TestProxyProtocolRedis flakiness (#18316)
  * [v11] [Docs] Minor Config Reference Update (#18613)
  * [Docs] Add AWS credentials to variables block (#17916) (#18645)
  * [v11] [Docs] End User Doc Page (#18619)
  * Docs: fix TF role's `_labels` type (#18635)
  * remove single quotes from env vars for k8s (#18624)
  * [v11] Fix web ListResources total count with apps and update tests (#18601)
  * Added EOL dates for releases. (#18630)
  * Add Teleport 11 videos (#18629)
  * [v11] Add a guide to dynamic Kubernetes registration (#18533)
  * Deflake TestWebSessionsRenewDoesNotBreakExistingTerminalSession (#18529)
  * [v11] Improve trusted cluster observability (#18609)
  * Forward traces from the web UI (#18519) (#18598)
  * [v11] fix aws rds discovery invalid engine filter (#18590)
  * [v11] Fix Flaky TestDatabaseRootLeafIdleTimeout test (#18422)
  * Added 11/17 Upcoming Releases Update (Cloud)
  * [v11] Desktop Discovery guide (#18571)
  * spell fixes (#18583)
  * [v11] add allowed users to tsh db ls json and yaml output (#18543)
  * Bump cloud version to 10.3.8 (#18560)
  * Close local proxy conn if middleware errors (#18242) (#18527)
  * [v11] Update the teleport-kube-agent reference (#18535)
  * Added 11/17 Upcoming Releases Update
  * Update to use db configure create, troubleshooting, required cert (#18556)
  * Add support for user.spec in moderated sessions filters (#18455)
  * Deflake TestResizeTerminal (#18406)
  * Sign tsh on windows builder for connect (#18165) (#18477)
  * Minor logging order tweak in tbot (#18511)
  * [v11] Add new audit event for DynamoDB protos (#18035)
  * [v11] Allow users to merge multiple clusters in the same `kubeconfig` file when using `tctl auth sign --format kubernetes` (#18525)
  * Docs version update (#18512)
  * [auto] Update webassets in teleport/branch/v11 from webassets/teleport-v11 (#18505)
  * Use temp files instead of current dir for active dir install script (#18502)
  * set cluster connector name on signin for first cloud user (#17834) (#18445)
  * Allow non-moderated sessions during outage (#17309) (#18441)
  * docs: add FAQ entry for seeing resource name in access requests (#18400)
  * [v11] improve kube rbac docs (#18480)
  * Shared Directory Audit events (#17410) (#18398)
  * [v11] [Docs] Document AWS quotas (#18450)
  * Correct username -> user in tsh alias guide (#18482)
  * Fix role word reference (#18471)
  * Remove CertificateTTL from appaccess integration tests. (#18448)

-------------------------------------------------------------------
Tue Nov 15 07:20:33 UTC 2022 - michael@stroeder.com

- Update to version 11.0.3:
  * Fixed issue with validation of U2F devices. #17876
  * Fixed tsh ssh -J not being able to connect to leaf cluster nodes. #18268
  * Fixed issue with failed database connection when client requests GSS encryption. #17811
  * Fixed issue with setting Teleport version to v10 in Helm charts resulting in invalid config. #18008
  * Fixed issue with Teleport Kubernetes resource name conflicting with builtin resources. #17717
  * Fixed issue with invalid MS Teams plugin systemd service file. #18028
  * Fixed issue with failing to connect to OpenSSH 7.x servers. #18248
  * Fixed issue with extra trailing question mark in application access requests. #17955
  * Fixed issue with application access websocket requests sometimes failing in Chrome. #18002
  * Fixed issue with multiple tbot's concurrently using the same output directory. #17999
  * Fixed issue with tbot failing to parse version on some kernels. #18298
  * Fixed panic when v9 node runs against v11 auth server. #18383
  * Fixed issue with Kubernetes proxy caching client credentials between sessions. #18109
  * Fixed issue with agents not being able to reconnect to proxies in some cases. #18149
  * Fixed issue with remote tunnel connections not being closed properly. #18224
  * Added CircleCI support to Machine ID. #17996
  * Added support for arm and arm64 Docker images for Teleport and Operator. #18222
  * Added PostgreSQL and MySQL RDS Proxy support to database access. #18045
  * Improved database access denied error messages. #17856
  * Improved desktop access errors in case of locked sessions. #17549
  * Improved web UI handling of private key policy errors. #17991
  * Improved memory usage in clusters with large numbers of active sessions. #18051
  * Updated tsh proxy ssh to support HTTPS_PROXY. #18295
  * Updated Azure hosted databases to fetch the new CA. #18172
  * Updated tsh kube login to support providing default user, group and namespace. #18185
  * Updated web UI session listing to include active sessions of all types. #18229
  * Updated user locking to terminate in progress TCP application access connections. #18187
  * Updated teleport configure command to produce v2 config when auth server is provided. #17914
  * Updated all systemd service files to set max open files limit. #17961

-------------------------------------------------------------------
Thu Oct 27 15:29:33 UTC 2022 - Michael Ströder

- Update to version 11.0.1:
  * Block SFTP in Moderated Sessions #17727
  * Fixed issue with agent forwarding not working for auto-created users. #17586
  * Fixed "traits missing" error in Application Access. #17737
  * Fixed connection leak issue in IAM joining. #17737
  * Fixed panic in "tsh db ls". #17780
  * Fixed issue with "tsh mfa add" not displaying OTP QR code image on Windows. #17703
  * Fixed issue with tctl rm windows_desktop/ removing all desktops. #17732
  * Fixed issue connecting to Redis 7.0 in cluster mode. #17849
  * Fixed "failed to open user account database" error after exiting SSH session. #17825
  * Improved tctl UX when using hardware-backed private keys. #17681
  * Improved tsh mfa add error reporting. #17580

-------------------------------------------------------------------
Tue Oct 25 04:54:30 UTC 2022 - kastl@b1-systems.de

- Update to version 11.0.0:
  * Full changelog see https://github.com/gravitational/teleport/releases/tag/v11.0.0
  * Teleport 11 brings the following new major features and improvements:
    - Hardware-backed private keys support for Server Access (Enterprise only).
    - Replacement of obsolete SCP protocol with SFTP for Server Access.
    - Removal of persistent storage requirement for Helm charts.
    - Automatic discovery and enrollment of EKS/AKS clusters for Kubernetes Access.
    - Richer Azure integrations for Server and Database Access.
    - Cassandra and Scylla support for Database Access, including AWS Keyspaces.
    - GitHub Actions and Terraform support for Machine ID.
    - Access Requests and file upload/download support for Teleport Connect.

-------------------------------------------------------------------
Thu Oct 20 08:03:56 UTC 2022 - michael@stroeder.com

- Update to version 10.3.3 with multiple improvements and bug fixes:
  * Fixed issue with EC2 auto-enrollment not working on Ubuntu instances. #17467
  * Fixed issue with tctl auth sign producing "access denied" error. #17557
  * Fixed issue with agents entering permanent error loop if they had expired join tokens and the cluster had previously undergone host CA rotation. #17599
  * Fixed issue with tsh producing auditd errors on some systems. #17495
  * Fixed issue with Machine ID bots joined via IAM token not respecting requested certificate TTL. #17371
  * Fixed issue with Teleport failing to initialize properly without configuration file. #17343
  * Fixed desktop access clipboard sharing with newer versions of Chrome. webapps#1266
  * Added license expiration alerts. #17489
  * Added support for imagePullSecret in teleport-kube-agent Helm chart. #16678
  * Added support for join parameters in teleport-kube-agent Helm chart. #17534
  * Improved error when trying to connect to a Windows desktop that is locked. #17548
  * Improved SAML connectors validation upon creation. #16854
  * Improved desktop access connection error handling. #17390
  * Updated tsh ls --query to allow querying SSH nodes by hostname. #17038
  * Updated Machine ID to export user CA when generating SSH host certificate. #17525
  * Updated tsh to default to passwordless login if Touch ID is available. #17472

-------------------------------------------------------------------
Fri Oct 14 04:56:55 UTC 2022 - kastl@b1-systems.de

- Update to version 10.3.2:
  * Release 10.3.2 (#17303)
  * [v10] Fix FIPS aws credentials (#17304)
  * Desktop Access optimizations (#17071)
  * [v10] Add AWS Roles to Drone pipelines (#17296)
  * [v10] Refactor Drone Pipelines to use AWS role assumption (#17244)
  * Tweak wording of joining nodes blurb.
  * AWS Terraform App Access, DB listeners variables (#17105)
  * [v10] Remove installer, app and database watchers for remote proxies (#17226)
  * [v10] Fix X11 forwarding for non-root users (#17130)
  * [v10] Manually print installer scripts instead of using asciitable (#17167)
  * [v10] Fetch tags when promoting rpm/deb (#17031)
  * [v10] Ensure operator tests are run when Go dependencies change (#17032)
  * desktop clipboard: prevent integer underflow (#17179)
  * Bump Cloud Version (#17150)
  * Fix background database local proxy termination by SIGINT signal (#16932)
  * Drain errChan in `api.client/connect` (#17159)
  * Limit number of resources loaded into memory for version metrics (#17087)
  * Port in Tiago's feedback.
  * Update tool/tsh/app.go
  * Fix unit test.
  * Update tool/tsh/app.go
  * Remove cacert flag from curl output during tsh app login.
  * Revert change from PKCS1 to PKCS8 (#17045)
  * Fix ListResources for WindowsDesktops (#17093) (#17117)
  * Added 10/06 Upcoming Releases Update
  * Add `username_claim` to OIDC config to select claim from Identity Provider to use as username (#17070)
  * Update on-prem version in docs (#17091)
  * [v10] fix: data race in NodeSession.runCommand (#17073)
  * [v10] Finalize CI release API integration (#17064)
  * Stop using etcd serializable mode (#17049)
  * Missing spaces in on/offboarding section (#17039)
  * [v10] correct plugin name reference (#17019)
  * Refactor TestResolveEndpoints to avoid test failure when AWS SDK changes (#16943) (#16987)
  * correct protocol name (#16995)
  * [v10] Add docs for IdP-initiated SSO (#16897)
  * docs: mention that WindowsDesktop now supports EC2 join (#16811)
  * [v10] [Docs] Update 'Using Teleport Connect' for Linux & Windows (#16945)
  * bump cloud version (#16855) (#16885)
  * snowflake access fixes (#16940)
  * Fixes Dismiss Stale Workflows Runs GitHub Actions (#16926)
  * Fix client idle timeout ending sessions too early (#16868)
  * Release 10.3.1 (#16915)
  * docs: add more details on audit log retention (#16814)
  * [v10] Drop direct dependency on github.com/golang/protobuf (#16904)
  * local alert resync
  * security patch alerts
  * Release 10.3.0 (#16891)
  * [v10] security: include exec command in session.start.initial_command (#16905)
  * typo correction (#16839)
  * Fix label based tsh when per session mfa is enabled via role (#16893)
  * Implement RFD 82: Session Tracker Resource RBAC (#15760) (#16554)
  * [auto] Update webassets in teleport/branch/v10 from webassets/teleport-v10 (#16888)
  * [v10] Backport Elasticsearch support (#16873)
  * Update download link (#16836)
  * [v10] Drop a couple of deprecated/shallow Go dependencies (#16883)
  * Added 09/29 Upcoming Releases Update
  * update webassets (#16860)
  * update eref (#16859)
  * Initial RDPDR tests (#16470) (#16846)
  * [auto] Update webassets in teleport/branch/v10 from webassets/teleport-v10 (#16807)
  * [v10] Clean up old artifacts when retrying a tag build (#16669) (#16785)
  * [v10] Add an Elastic Stack guide (#16842)
  * [v10] security: one allow one exec request per SSH channel (#16813)
  * [v10] Change kube logged in message (#16829)
  * [v10] Document MsTeams access plugin (#16642)
  * Update on-prem docs version (#16725)
  * [v10] Fix auto discovery on secondary cluster of a global Aurora database (#16710)
  * Updated operating system support
  * [v10] Retrieve an IMDS token in the default ec2 discovery installer (#16808)
  * [v10] Docs: Update Docker Config Path (#16522)
  * docs: add ssh_file_copy to role spec (#16766)
  * Update the docs issues contributing guide (#16529) (#16631)
  * [v10] Backport PagerDuty edits (#16052)
  * [v10] fix: Handle failures when checking for excluded credentials (#16765)
  * [v10] update e ref (#16731)
  * Hide `--db-user`/`--db-name` flags if they are not needed. (#16747)

-------------------------------------------------------------------
Sat Oct 01 16:49:17 UTC 2022 - kastl@b1-systems.de

- Update to version 10.3.1:
  * Release 10.3.1 (#16915)
  * docs: add more details on audit log retention (#16814)
  * [v10] Drop direct dependency on github.com/golang/protobuf (#16904)
  * local alert resync
  * security patch alerts

-------------------------------------------------------------------
Sat Oct 01 16:25:21 UTC 2022 - kastl@b1-systems.de

- Update to version 10.3.0:
  * Release 10.3.0 (#16891)
  * [v10] security: include exec command in session.start.initial_command (#16905)
  * typo correction (#16839)
  * Fix label based tsh when per session mfa is enabled via role (#16893)
  * Implement RFD 82: Session Tracker Resource RBAC (#15760) (#16554)
  * [auto] Update webassets in teleport/branch/v10 from webassets/teleport-v10 (#16888)
  * [v10] Backport Elasticsearch support (#16873)
  * Update download link (#16836)
  * [v10] Drop a couple of deprecated/shallow Go dependencies (#16883)
  * Added 09/29 Upcoming Releases Update
  * update webassets (#16860)
  * update eref (#16859)
  * Initial RDPDR tests (#16470) (#16846)
  * [auto] Update webassets in teleport/branch/v10 from webassets/teleport-v10 (#16807)
  * [v10] Clean up old artifacts when retrying a tag build (#16669) (#16785)
  * [v10] Add an Elastic Stack guide (#16842)
  * [v10] security: one allow one exec request per SSH channel (#16813)
  * [v10] Change kube logged in message (#16829)
  * [v10] Document MsTeams access plugin (#16642)
  * Update on-prem docs version (#16725)
  * [v10] Fix auto discovery on secondary cluster of a global Aurora database (#16710)
  * Updated operating system support
  * [v10] Retrieve an IMDS token in the default ec2 discovery installer (#16808)
  * [v10] Docs: Update Docker Config Path (#16522)
  * docs: add ssh_file_copy to role spec (#16766)
  * Update the docs issues contributing guide (#16529) (#16631)
  * [v10] Backport PagerDuty edits (#16052)
  * [v10] fix: Handle failures when checking for excluded credentials (#16765)
  * [v10] update e ref (#16731)
  * Hide `--db-user`/`--db-name` flags if they are not needed. (#16747)

-------------------------------------------------------------------
Tue Sep 27 18:46:58 UTC 2022 - michael@stroeder.com

- Update to version 10.2.6:
  * Fixed issue with connecting to SQL Server in a leaf cluster through the local proxy. [#16616]
  * Fixed regression issue introduced in `10.2.3` with enterprise specific web UI pages returning errors. [webapps#1212]

-------------------------------------------------------------------
Tue Sep 27 07:57:11 UTC 2022 - michael@stroeder.com

- Update to version 10.2.5:
  * Fixed issue with connecting to servers with some GUI clients e.g. PyCharm. [#16662]
  * Added support for simplified Active Directory configuration in Desktop Access. [#16623]

-------------------------------------------------------------------
Tue Sep 27 06:39:03 UTC 2022 - kastl@b1-systems.de

- Update to version 10.2.4:
  * Release 10.2.4 (#16712)
  * Fix link with a long redirect chain in the CHANGELOG (#16527)
  * [v10] helm: allow custom CA in teleport-cluster without custom certs (#16475)
  * Disable MongoDB server selection in tests (#14622) (#16695)

-------------------------------------------------------------------
Tue Sep 27 06:32:20 UTC 2022 - kastl@b1-systems.de

- Update to version 10.2.3:
  * Release 10.2.3 (#16686)
  * [v10] Misc Backports (#16674)
  * [v10] Improve logging when TDP input streaming fails (#16525)
  * Fix issue with builtin remote proxy role getting access denied to roles (#16685)
  * [v10] ci: Add Dependency Review linting tool (#16651)
  * Use `testauthority` instead of `native` to generate keys in tests (#16486) (#16625)
  * [v10] Fix flaky integration test: TestAppServersHA/RootServer (#16628) (#16666)
  * helm: add minReadySeconds to teleport-cluster chart (#16675)
  * Add a timeout for device cancels (#16657)
  * bucket etcd leases (#16659)
  * Add a version support table to the FAQ (#15924) (#16630)
  * docs: move S3 IAM policy into an include (#16476)
  * Introduce discovery_service and automatically run an SSM Document on discovered EC2 nodes (#14094) (#16588)
  * [v10] Connect: Fix premature `proxyClient.Close()` when getting kube clusters (#16538) (#16586)
  * Backport V10: Add an AWS EC2 instance fetcher (#13886) (#16006)
  * spell fix (#16607)
  * [v10] azure mysql postgres auto discovery docs (#16562)
  * Make the Fluentd guide more usable (#16051)
  * add cluster alert links (#16426) (#16595)
  * Fix CA pool loading for etcd backend (#16484) (#16598)
  * Generic retrieval of FnCache values (#16485) (#16544)
  * add status interface for cluster alerts (#16505) (#16574)
  * [v10] ci: Swap CodeQL to larger runner and improve workflow (#16535)
  * [v10] [Docs] note S3 versioning requirement (#16454)
  * Allow opting out of forced OIDC email verification (#15847) (#16142)
  * [v10] Move GitHub review bot to shared-workflows repository (#16226) (#16557)
  * [v10] Register Windows native artifacts in release API (#16197) (#16540)
  * Update on-prem v10 docs version (#16514)
  * [v10] TLS Routing support with Teleport Proxy behind ALB for database access (#16415)
  * Fix issue "tsh db env" returns error when TLS routing enabled (#16252) (#16468)
  * Change caching resolver to return a copy of cached data (#16219) (#16353)

-------------------------------------------------------------------
Wed Sep 21 08:27:17 UTC 2022 - kastl@b1-systems.de

- Update to version 10.2.2:
  * Release 10.2.2 (#16469)
  * update e-ref
  * rework cmd registration
  * Add EC2 joining for Windows Desktop Service (#16438)
  * Fix incorrect PagerDuty guide redirect (#15917)
  * [v10] VSCode remote ssh extension settings (#16462)
  * Add documentation for Event Handler chart (#15662)
  * adding video banner to mssql server db guide (#16420)
  * Fix minor issues that impact SEO (#15920)
  * Fix auditd status on older kernels (#16448)
  * [v10] Fix `known_hosts` locking by refactoring our locks in `utils/fs` (#16441)
  * [v10] Nodes use FIPS STS endpoints for IAM join method when in FIPS mode (#16374)
  * Added 09/15 Upcoming Releases Update
  * operator: Fix flaky drift tests (#15815) (#16338)
  * Add `where` predicate and Machine ID support to SSH host certificates (#16261) (#16427)
  * [v10] helm: support Kubernetes 1.25 (#16343)
  * Capture stderr from "tsh db connect" and reformat redis error (#13843) (#16416)
  * [v10] Rephrase docs on moderated sessions backward compatibility (#16349)
  * Remove Stripe from `Content-Security-Policy` header (#16390)
  * Unhide tctl alert create (#16290)
  * Add Default Allow Rules for new resources (#16237) (#16399)
  * [v10] Prevent ssh.Session SendRequest from wrapping payload twice (#16171)
  * [v10] Correct hsm service docs command (#16405)
  * [v10] docs: fix joinParams reference (#16381)
  * [v10] ci: Add paths/paths-ignore to GitHub Actions workflows to reduce unnecessary builds (#15708)
  * [v10] Kubernetes Exec via Websockets (#16282)
  * Documentation for AWS API access (#14429) (#16066)
  * Use tracing handler per server not per route (#16372)
  * [v10] Document `tbot configure` (#16373)
  * [v10] Add /webapi/sites/:site/alerts endpoint to the apiserver (#16336)
  * updates changelog to document when rdp licensing negotiation was added (#16340)
  * Fix `TestTokenGeneration` flakiness (#15090) (#16362)
  * [v10] backport #16136 and #16151 (#16213)
  * [v10] Wrap `desktopplayback` endpoint with `WithClusterAuth` rather than `WithAuth` (#16292)
  * [v10] Adds warning about directories blocked from being shared (#16328)
  * [v10] Clarify access denied due to Teleport role permission (#16331)
  * [v10] Dial by UUID for label based ssh (#16324)
  * spell fixes (#16166)
  * [v10] docs: Add missing commands key to dynamic labels in reference (#16294)
  * Update on-prem docs version (#16313)
  * Tweak TestAgentForward (#16304)
  * changelog: fix moderated sessions typo (#16222)

-------------------------------------------------------------------
Tue Sep 13 12:46:41 UTC 2022 - kastl@b1-systems.de

- Update to version 10.2.1:
  * Release 10.2.1 (#16283)
  * [auto] Update webassets in teleport/branch/v10 from webassets/teleport-v10 (#16287)
  * [auto] Update webassets in teleport/branch/v10 from webassets/teleport-v10 (#16280)
  * [v10] Reduce the severity of the upgrade alert to 'info' (#16211)
  * [v10] Add documentation for Jira Helm chart (#15921)
  * [v10] Categorize Teleport Connect linux builds correctly (#16272)
  * Remove the "." from the end of the auth token generated by "tctl tokens add" command (#16157) (#16238)
  * Update Helm snapshots when updating version (#16189)
  * Change base image for os compatibility check. (#16177)
  * (v10) Bump Go to 1.18.6 (#16259)
  * [v10] fix tctl auth server flag (#16255)
  * [v10] Calculate shasums of TCon Linux OS packages (#16253) (#16256)
  * Added 09/08 Upcoming Releases Update
  * Update grpc-go (#16199)
  * Add validation for hostname read from EC2 (#16015)
  * [v10] Correct cluster auth preference dynamic example (#16246)
  * [v10] bump go mod go1.18 (#16088)
  * Add serialization of writes to `known_hosts` file. (#16203)
  * [v10] Update the CockroachDB logo in our guide (#16194)
  * bumps rust to 1.63.0, fixes linting errors (#16056) (#16152)
  * Fix running ssh command on multiple nodes with mfa per session (#16148)
  * [v10] Add a guide to Desktop Access Directory Sharing (#15932)

-------------------------------------------------------------------
Wed Sep 07 06:53:32 UTC 2022 - kastl@b1-systems.de

- Update to version 10.2.0:
  * Release 10.2.0 (#16172)
  * upgrade notifications
  * implements IRP_MJ_LOCK_CONTROL (#16139)
  * [v10] Generalize private keys in tsh (PIV integration) (#15890)
  * [v10] Replace quay.io with amazon ECR where appropriate (#15713)
  * Rename web JSON field names and wrap traits (#14611) (#16173)
  * Auditd integration (#14948) (#16140)
  * [auto] Update webassets in teleport/branch/v10 from webassets/teleport-v10 (#16169)
  * [v10] Add OS compatibility checker (#16141)
  * [v10] Add section on teleport.cluster.local (#16153)
  * [v10] Update buildbox to push to ECR (#15725)
  * [v10] Update user traits when renew session (#16122)
  * Plugin ECR Documentation updates (#15719)
  * [v10] Docs: Update Contributing Page (#16115)
  * [v10] Add retries on operation denied in fido2 (#16085)
  * Restrict Google JSON creds to service_account (#16042)
  * Add support for `--browser none` to `tctl sso test`. (#16086)
  * [v10] ConnectionDiagnostics: SSH Tester (#15413) (#16087)
  * Forward flags to "tsh ssh" and "tsh aws" (#16058) (#16094)
  * Support AWS Console for US GovCloud Partition (#13442) (#16067)
  * [v10] Make `tctl bots add` display the proxy address (#16089)
  * Fix outdated CHANGELOG links (#16110)
  * Increase dynamo get limit (#16103)
  * [v10] Use regional STS endpoints for IAM join method (#15915)
  * [v10] Update Library for new systemd install (#16030)
  * Drop libudev-dev from buildbox dependencies (#16102)
  * Fix username in example (#14276) (#16077)
  * Add omitempty for GitHub teams_to_roles (#16012)
  * Add comment and import cycle proto linters (#16092)
  * Fix infinite session heartbeat failures (#16065)
  * [v10] Correct links to tracks (#16078)
  * dronegen: Enable verbose logs for electron tooling on macOS (#15836) (#15894)
  * [v10] Add an `is_empty` field to `FileSystemObject` (#16059)
  * [v10] Add support for `FileNamesInformation` (#16054)
  * Added 09/01 Upcoming Releases Update
  * [v10] Backport TLS routing Ping connection (#16017)
  * [v10] azure mysql postgres auto discovery watchers (#15992)
  * [v10] Add Access Request ID to response for UserContext (#15962)
  * [v10] Add architecture guide for Machine ID (#16036)
  * [v10] Avoid wrongly filtering Yubikey4 devices (#16011)
  * [v10] Update on-prem version to 10.1.9 (#16020)
  * [v10] Remove deprecated upsert password endpoint (#15855) (#15938)
  * [v10] Fix a flaky operator test (#16010)
  * [v10] NodeJoin script: fix when no labels are provided (#15755)
  * improve semaphore flakiness test
  * fncache test improvements
  * github releases scraper
  * [v10] Add lock target to lock.create event (#15981)
  * Added section on Cloud upgrades.
* [v10] azure mysql postgres auto discovery api (#15991) * [v10] azure mysql postgres auto discovery proto (#15989) * [v10] Azure mysql postgres auto discovery config create (#15990) * [v10] Apply linters to legacy protos (#15961) * [v10] Azure mysql postgres auto discovery configuration (#15988) ------------------------------------------------------------------- Wed Sep 07 06:48:02 UTC 2022 - kastl@b1-systems.de - Update to version 10.1.9: * Release 10.1.9 (#15980) * [v10] Add default debug setting for install.sh AMI script (#15936) * [v10] Record when a session recording is accessed (#15729) * [v10] backports for 13630 14267 14959 15289 15364 15789 15743 (directory sharing) (#15767) ------------------------------------------------------------------- Wed Sep 07 06:44:22 UTC 2022 - kastl@b1-systems.de - Update to version 10.1.8: * Release 10.1.8 (#15952) * [v10] Fix race in `reversetunnel.remoteConn` (#15943) * [v10] Organize docs guide sections chronologically (#15735) * [v10] Fix link in Authentication options docs (#15276) * [v10] Connect: Add tests for ParseClusterURI (#15942) * [v10] Use Buf linters and formatter on lib/teleterm protos (#15919) * [v10] Use Buf to build/lint/format lib/ protos (#15913) * [v10] Add omitempty for deprecated teams_to_logins field (#15933) * [v10] Added sles as another identifier for suse in auto install (#15702) * [v10] Build Teleport Connect for Windows (#15292) (#15899) * [v10] moved redirect path param to RawQuery and added escaping (#15628) (#15908) ------------------------------------------------------------------- Wed Sep 07 06:40:07 UTC 2022 - kastl@b1-systems.de - Update to version 10.1.7: * Release 10.1.7 (#15931) * [v10] Edit the Mattermost guide (#15508) * [v10] Add redirect from /user-manual (#15525) * [v10] Authenticated pulls to build artifacts (#15791) * [v10] Replace `Tile` components with lists of links (#15423) ------------------------------------------------------------------- Wed Sep 07 06:36:39 UTC 2022 - 
kastl@b1-systems.de - Update to version 10.1.6: * Release 10.1.6 (#15914) * [v10] Default debug to false in aws AMI scripts (#15909) * Fix SAML alternate redirects (#15868) * [v10] Backport #13924 (#15733) * [v10] Use Buf to lint, format and generate api/ protos (#15875) * cluster alerts * [v10] Correctly handle Firestore pagination with DocumentID cursors (#13756) ------------------------------------------------------------------- Wed Sep 07 06:34:23 UTC 2022 - kastl@b1-systems.de - Update to version 10.1.5: * Release 10.1.5 (#15866) * [v10] Use Debug flag in aws scripts (#15431) * [v10] Increase missing tunnels check interval (#15802) * Merge pull request #15853 from gravitational/capnspacehook/backport/v10/15144 * [v10] Fix an issue `tsh aws s3` fails when using path with special characters (#15819) * Added 08/25 Upcoming Releases Update * [v10] Update deprecated pty dependency (#15857) * [v10] Update fpm images to use amazon ECR (#15561) * [v10] Ensure watchers are using cache when applicable (#15838) * [v10] Documentation for AWS API access (#14429) (#15807) * [v10] Add Machine ID FAQ section on per-session MFA (#15831) * [v10] Remove TestMux/Timeout reliance on real time (#15827) * [v10] Add drone pipeline for building Connect with signed tsh.app (#15832) * [v10] Check if user has access to any registered resource (#15637) (#15814) * [v10] Deflake TestEC2Hostname (#15809) * [v10] Backport Teleport Connect Linux Builds (#15783) * [v10] Teleport Operator ECR (#15438) * [v10] update e & webassets (#15785) * [v10] Ignore Logins when listing Nodes (#15597) (#15797) * [v10] backport #14326 (Remove check for `local_auth` when creating privilege token) (#15776) * [V10] Show proper error message when "tsh db env/config" are not supported (#15734) * [v10] (buddy) Pass JWT headers on websocket requests (#15738) * [v10] upgrade window events (#15732) * [v10] Fix race condition to sessions map in K8S proxy (#15456) * [v10] Fix invalid Write implementation on K8S join 
stream (#15657) * [v10] Improve error logging on reconnect node (#15639) * [v10] ci: Reduce CodeQL max goroutines to address failed extraction (#15698) * [v10] Fix table formatting in the SOC 2 guide (#15692) * [v10] Span improvements (#15670) * [v10] Fix race in EC2 label warning (#15685) * [v10] Delete touch_id credentials during tsh mfa rm (#15675) * [v10] Remove duplicate words in trusted cluster overview (#15663) * [v10] helm: allow to disable local auth in teleport-cluster chart (#15595) * Added 08/18 Upcoming Releases Update * [v10] Update on-prem and cloud in docs to 10.1.4 (#15666) * [v10] Stop validating schema for labels in k8s operator (#15600) * [v10] Add an Email Access Request guide (#15414) * [v10] Improve K8S session join error propagation (#15492) * [v10] Reorganize approach to cluster names in Connect (#15200) (#15638) * [v10] Document `teleport.dev/database_name` tag. (#14923) (#15604) * [v10] Make tctl auth sign to write out kube TLS server name if TLS routing is enabled (#15632) * [v10] Fix 'get-kubeconfig.sh' to work with Kubernetes v1.24+ (#15617) * [v10] Connection Diagnostic: update, traces and ConnectionTester (#15158) (#15551) * Attempt to connect to other proxies on failure (#14954) (#15313) * [v10] Store AuthConnector in profile (#15552) * [v10] Reorganise Machine ID docs (#15522) (#15570) * [v10] Alias support for `tsh` (#13305, #14931) (#14919) * [v10] Add info to login command about passwordless (#15548) * [v10] Support China and GovCloud for database access (#15583) * [v10] Fix OS package repo promotion parallelism issue (#15531) * Lower EC2 label log frequency (#15179) * [v10] Publish to Release API on release promotion (#15153) (#15251) * [v10] Document multi-role-behavior for `create_host_user` option (#15587) * Backport #15268: Added docs for new RPM repos (#15268) (#15533) * [v10] misc docs fixes (#15539) * [v10] Add AWS troubleshooting page and add into applicable pages (#15568) * Fix cloud scope for db configure command. 
(#15567) * Allow reverse tunnel join without exposing the web API (#13598) ------------------------------------------------------------------- Wed Sep 07 06:26:31 UTC 2022 - kastl@b1-systems.de - Update to version 10.1.4: * Release 10.1.4 (#15527) * (v10) Update Cloud package repo instructions (#15007) * [v10] Add Machine ID Kubernetes and Apps guides (#15501) * [v10] Fix inverted check for `join_params` and `auth_token` mutual exclusion (#15517) * Backport/branch/v10/pr 12763 (#15429) * [v10] Machine ID support for Logins trait (#15117) (#15470) * [v10] Fix TLS usage across multiple protocols (#15464) * Backport "Added YUM implementation of OS package build tool" (#14203) into branch/v10 (#15127) * [auto] Update webassets in teleport/branch/v10 from webassets/teleport-v10 (#15504) * [v10] docs: Improve cloud security/compliance documentation (#15460) ------------------------------------------------------------------- Wed Sep 07 06:23:56 UTC 2022 - kastl@b1-systems.de - Update to version 10.1.3: * Release 10.1.3 (#15499) * [v10] Add instructions for backporting PRs (#15420) * [v10] Remove tctl access ls from cli ref (#15496) * [v10] helm: Add support for mounting existing TLS root CA (#15347) * [v10] auditlog: fix panic during concurrent streams of the same session (#15360) * [v10] Add RBAC instructions for DB tctl auth sign (#15451) * [v10] Use the absolute path of the teleport binary in node join script (#15473) * Added 08/11 Upcoming Releases Update * [v10] Add support for variable playback speed for Desktop Access recordings (#15326) * [v10] Remove deprecated GenerateUserCerts HTTP endpoint (#15412) * [v10] Pick correct cert when signing Connect (#15344) (#15411) * [v10] Add better handling for common libfido2 errors (#15395) * [branch/v10] Update docs to use the latest Cloud version number (#15418) * [v10] Document teleport-operator (#15320) * [v10] Documentation for AWS DynamoDB guide (#14319) (#15387) * [auto] Update webassets in teleport/branch/v10 from 
webassets/teleport-v10 (#15406) * [v10] Adjust Machine ID generated ssh cert path to align with convention (#15297) * [v10] Update last report date for SOC 2 report (#15377) * fix peer addr for in-memory control stream * [v10] backport #15012 (Add `teleport install systemd` command) (#15270) * [v10] Connect docs: Add section about insecure mode (#15340) * [v10] Use a getter/setter for reading the token value from the config (#15372) * [v10] Add "RDP connection fail" section to desktop access troubleshooting docs (#15324) * [backport v10] Make dir before trying to open config file on `teleport configure --output=/some/dir ` (#15352) * [v10] Tag forwarded spans with custom attributes (#15215) * Fix cert renewal by recovering certbot state (#3610) * Fix bash examples in terraform README * Support terraform v1 (#15087) * [v10] Trace ssh sessions (#15228) * [v10] Create and List Connection Diagnostics (#14781) (#15080) * [v10] Add passwordless login capabilities to teleterm (#15265) * [v10] Add Suggested Labels to Provision Tokens (#15114) (#15319) * [v10] Use `waitForError` instead of `require.Eventually` in SessionRecordingModes integration tests (#15221) * [v10] Shutdown TCP socket on Go-side close (#14996) * [v10] Machine ID docs: Trusted Cluster support (#15295) * [v10] ci: Implement code scanning with CodeQL (#15279) * [v10] docs: Add additional known issues to BPF-based enhanced session recording security warning (#15308) * [v10] Add more general information to our SSO guide (#15307) * [v10] desktop access: send full websocket messages to the browser (#15314) * [v10] Add directory sharing to the ACL (#14653) * [v10] Move Access Requests guides to Access Controls (#15138) * [v10] docs: add a note about desktop session recording RBAC (#15290) * [v10] Add calls to action for Teleport Cloud (#15139) * [v10] desktop access: try using system DNS resolver first (#15255) * [v10] Fix missing cluster name on session.upload via Upload Completer (#15239) * [v10] [doc] Remove 
"tsh db login" from database guides (#15240) * [v10] Add FAQ and Troubleshooting docs for Machine ID (#15226) * [v10] Detect M1/M2 ARM CPUs when using the install script (#15233) * [v10] Revert "Use high CPU pool for unit & integration (#13875)" (#15229) * [v10] Minor updates to FedRAMP documentation (#15273) * Backport #12815 to branch/v10 (#15261) * [v10] Remove incorrect URLs from config.json (#15219) * [v10] Update instructions on checking version (#15071) * Backport #14852 to branch/v10 (#15084) * Backport #15099 to branch/v10 (#15260) * Backport #15191 to branch/v10 (#15257) * [v10] Fix data race on shutdown (#15248) * [v10] Add custom unmarshal for second_type factor (#15201) * [v10] Backport #13507 (#14456) * [v10] Fix session join requirements documentation (#14416) (#15130) * [v10] Actually use the cache for Snowflake sessions (#15193) * Added 08/04 Upcoming Releases Update * [v10] Add a version to the role in the GitHub CA guide (#14901) * [v10] AWS session audit log (#13288) (#15207) * [v10] [docs] AWS external ID support (#15161) * [v10] Skip cache during CreateBot RPC (#15116) * [v10] Don't reset eventID to 0 when out of events in the Postgres backend (#15165) * [v10] Fix the behavior of `tsh mfa add --allow-passwordless` (#15137) * [v10] helm: configure dynamoDB autoscaling in teleport-cluster (#15122) * [v10] backport #14698 (embed auth.Cache in auth.Server) (#14984) * [v10]Update docs version (#15132) * [v10] helm: configure session recording in teleport-cluster (#15003) * [v10] reduce sensitivity of fncache cancellation test (#15069) * [V10] Proxy Protocol support for Proxy SSH listener (#14712) (#15086) * [v10] Clarify when HTTP_PROXY applies (#14673) * [v10] `tctl` - Add --set flags for every trait (#14552) (#15108) * [v10] Add docs for TCP apps access (#15125) * [v10] fix help output for --access-request flag. 
(#15052) * [v10] Backport #14564 (#14992) * Amend 10.1.2 changelog (#15112) ------------------------------------------------------------------- Tue Aug 02 07:25:30 UTC 2022 - kastl@b1-systems.de - Update to version 10.1.2: * Release 10.1.2 (#15104) * [v10] Check manifest before attempting to push docker images (#15095) * Backport [v10] Add error messages to SFTP audit events (#15035) * [v10] SSH request tracing (#14124) (#14968) * Release 10.1.1 (#15067) * [V10] Download mTLS files from Web (#14526) (#15081) * [v10] Make tsh installer non relocatable and drop version from app (#15033) * [v10] helm: Deploy CRDs when the operator is enabled (#15006) * [v10] Fix drone teleport operator publishing (#15066) * [v10] Fix duplicated JWT import (#14888) * [v10] docs: mark resource access requests as in preview (#15059) * [v10] Document `tsh request drop` (#15038) * Release 10.1.0 (#15047) * [v10] Return nil on success for web UI file transfers (#15044) * [v10] Move Helm references (#13102) (#14166) * [v10] Fix chan_shutdown_read issue (#15049) * [v10] Fix tsh proxy ssh handshake (#15010) * improve semaphore retries and tests * Refactor tests under services package. 
* [v10] Change IAM "UnmodifiableEntity" error to a debug log (#14958) * [v10] backport 14985 (#15026) * [v10] backport #14940 (refactor `Supervisor.WaitForEvent`) (#14994) * [v10] Update drone publishing (#14961) * Added 07/28 Upcoming Releases Update * [v10] Updated Teleport 10 Getting started videos (#14906) * [v10] Enable BPF tests in CI (#14501) * [v10] Firestore: Err Not Found if doc was already deleted (#14982) * [v10] Use IP as `LocalAddress` when gateway is created on Windows for SQL Server (#15000) * [v10] helm: Add CA Pinning Support (#14893) * [v10] Connect: Implement SetGatewayLocalPort RPC (#14828) * [v10] Backport "Add on_leave documentation for require policies" (#14182) (#14579) * [v10] Make EC2 availability check more robust (#14962) * Added 07/27 Upcoming Releases Update * Backport [v10] SFTP server side support (#14209) * [v10] Fix artifact registration in Releases API for Teleport Connect (#13946) (#14925) * [v10] Validate token for node join script (#14944) * [v10] Fix Token creation TTL regression (#14943) * (v10) Add support for proxying TCP apps (#14896) * [v10] Add docs for Teleport Connect (#14945) * [v10] Support AWS external id (#14086) (#14894) * [v10] Rename `teleport.dev/database-name` to `teleport.dev/database_name` to match convention. 
(#14933) * [v10] Handle `"true"` being passed for the `email_verified` OIDC claim (#14917) * [v10] `tsh ssh` `--forward` and `--dynamic-forward`: graceful error handling (#14914) (#14745) * [v10] Error out if port is already bound #13464 (#14886) * [v10] Force unlock keychain on Darwin Push Build (#14910) * [v10] Teleport 10 Video (#14811) * [v10] Support dynamic registration in kube-agent helm chart (#14881) * [v10] Fix makeClientForProxy user extraction (#14865) * [v10] Refactor reversetunnel localsite (#14785) * [v10] Fix flakiness in `TestRoleUpdate` (#14890) * [v10] Warn that all nodes must be on v10 for Resource Access Requests (#14868) * [v10] Add context.Context to session.Service interface (#14877) * [v10] Support TCP protocol in tshd (#14882) * [v10] Add dynamodb metrics (#14757) * [v10] Improve error message if data dir on tbot and tctl not available for permissions (#14872) * [v10] Teleport Operator (#14860) * [v10] Add `tsh request drop` command (#14843) * [v10] Add context.Context to AuthenticateWebUser and AuthenticateSSHUser (#14846) * [v10] Fix TestMux/Timeout (#14483) * [v10] Correct Node/agent naming and usage (#14650) * [v10] Allow setting public addresses in `teleport-cluster` chart (#14768) * [v10] Ensure that the WindowsDesktopReady event is emitted (#14839) * [v10] Adjust global logger to include `\r` when terminal is in raw mode. (#14831) * [v10] Retry login for tsh proxy ssh (#14814) * [v10] Fix possible deadlock during server close (#14816) * [v10] Spelling fixes additional (#14837) * [v10] Allow "tsh proxy db" without "tsh db login" first (#14336) (#14798) * [v10] Allow to override db name using AWS tag. 
(#14799) * [v10] Remove time.Sleep in teleterm tests (#14829) * [v10] Spelling Fixes (#14819) * [v10] Fix session join access denied (#14770) * [v10] Fix the device detection loop for U2F devices (#14795) * [v10] Update advisory to remove that SQL Server audit logs aren't available (#14805) * [auto] Update webassets in branch/v10 (#14769) * Backport #12770 to branch/v10 (#14714) * [v10] Fix tctl instructions in DB Access guides (#14600) * [v10] Fix bug when merging resource and role requests (#14711) (#14777) * [v10] Ensure the upload completer sets the time on session.upload events (#14559) * Backport #14658 to branch/v10 (#14784) * [v10] Better error message on ping parse error. (#14735) * [v10] Add SSH session recording modes to documentation (#14747) * [v10] Add app access support to Machine ID (#14551) (#14723) * [v10] backport #14177 (build-time cbindgen) (#14684) * [v10] Fix Enterprise spelling in intro (#14670) * [v10] Fix docs redirects (#14720) * [v10] Add documentation for the sqlite backend options (#14744) * [v10] Move the tsh guide to the new "Use Teleport" section (#14682) * [v10] [docs] Consistently quote second_factor in cluster_auth_preference (#14727) * [v10] Allow traces to be exported to files (#14746) * [v10] Updates to loadtest assets (#14527) * [v10] Correctly exit out of tbot when one shot mode is enabled (#14683) * [v10] Allow dynamic libfido2 builds via Makefile (#14693) * [v10] Update port used in Machine ID database guide (#14708) * Added 07/20 Upcoming Releases Update * Apply forScopes feature to articles (#14704) (#14709) * [branch/v10] Add context.Context to CreateWebSession and DeleteWebSession (#14663) (#14699) * Update scaling documentation. 
* [v10] Add s3 metrics (#14664) * [auto] Update webassets in branch/v10 (#14675) * [v10] add config flags to db configure create (#14654) * [v10] Fix CTRL-C hanging if session is paused (#14511) * [v10] Add note about disabling password authentication for added security (#14626) * [v10] lib/teleterm: Refactor daemon gateways to a hash map (#14640) * [v10] Reduce flakiness of Testbot_Run_CARotation (#14628) * [v10] Add error message for failed SSO authorization (#9622) * [v10] Docs update version 10.0.2 for on-prem, 9.3.10 cloud (#14524) * [v10] WebAPI: return user traits (#14138) (#14453) * Add support for session recording config override * [v10] Complete renaming of the Graceful Restarts guide (#14605) * Backport "Update docs for new APT repos" (#12959) into branch/v10 (#14591) * Fix TestAgentStart flakiness (#14610) (#14639) * [v10] Implement the Touch ID credential picker (#14643) * [v10] Add tbot to nightly build (#14631) * [v10] Remove `update` verb requirement when creating Tokens (#14506) (#14624) * [v10] Fail `db_service` start on invalid configuration (#14515) * [v10]: fix tsh status cluster env var (#14335) ------------------------------------------------------------------- Wed Jul 20 05:47:24 UTC 2022 - kastl@b1-systems.de - Update to version 10.0.2: * Release 10.0.2 (#14613) * [v10] Replace `ssh proxy` execution with `crypto/ssh` call (#14522) * [v10] Add Kubernetes Access support to Machine ID (#14269) (#14550) * [v10] Deflake TestOpenExecSessionSetsSession (#14588) * [v10] Fix broken links (#14532) * [v10] Update error message returned when user is not allowed to sign db certs (#14426) * [v10] tsh: Suppress PPK deletion error when file doesn't exist (#14572) * Fix TestProxyTunnelStrategyAgentMesh flakiness (#14398) (#14474) * [v10] Expand the edition comparison table (#14255) * [v10] Add RBAC instructions for Kubernetes Access (#14258) * [v10] Display helpful error when joining with invalid host ID for EC2 join method (#14494) * [v10] Bundle `tbot` 
into the built docker images (#14462) * [v10] Fail `app_service` start on invalid configuration (#14325) (#14478) * [v10] Add check that roles in given user exist (#14459) ------------------------------------------------------------------- Mon Jul 18 05:57:27 UTC 2022 - kastl@b1-systems.de - Update to version 10.0.1: Changelog omitted due to size, please see here: https://github.com/gravitational/teleport/releases/tag/v10.0.1 ------------------------------------------------------------------- Mon Jul 11 14:04:02 UTC 2022 - kastl@b1-systems.de - Update to version 10.0.0: Changelog omitted due to size, please see here: https://github.com/gravitational/teleport/releases/tag/v10.0.0 ------------------------------------------------------------------- Mon Jul 04 12:35:43 UTC 2022 - kastl@b1-systems.de - Update to version 9.3.9: * Release 9.3.9 (#14034) * [v9] Fix TDP/RDP termination (#14024) * Updated upcoming releases (06/30) * (v9) Fully check the policy set for and v5 policies without short-circuiting (#14013) * [v9] Fix database role fetch for `tsh db ls --all` (#13626) * [v9] Add error check before `handle_bitmap` (#13828) (#14019) * remove extra `handle.Delete()` (#14010) * [v9] Backport #11616, #11714, and #12499 (#13707) * [v9] Open a new remote client when the remote site has changed in a web session (#13967) * [v9] Improve error msg when client fails to auth in Teleport (#13835) * [v9] Improve log message when we fail to retrieve the client cert pool (#13675) * [v9] Fix JumpHost TLSRouting flow when root cluster is offline (#13791) (#13928) * [v9] Fix AWS credentials format in IBM guide (#13847) * [v9] updates rdp-rs ref to new HEAD where scroll wheel delta is fixed (#13905) * Clarify our version compatibility guarantees (#13593) * [v9] fix panic child.Close() called without logger initialized (#11117) (#13907) * [v9] Properly handle empty list of role requests (#13456) (#13893) * [v9] Mongo clients with `serverSelectionTimeoutMS` set to 5000 (#13859) * 
Optionally provide ca_pin as a file path (#13089) * [v9] Pass proxy address to PromptMFAChallenge calls (#13772) (#13856) * [v9] Move predicate err check earlier, inside RetryWithRelogin (#13368) (#13747) * [v9] ensure timestamps on request reviews (#13758) * [v9] Add OpenSSH Proxy Jump docs (#13851) * Backport lib/utils/prompt improvements to [v9] (#13822) * [v9] Update Terraform reference (retries and provider source) (#13842) * [v9] Fix LDAP attribute labeling * [v9] Update docs version (#13810) * [v9] backport fips #11291 and #13222 (#13703) * Enterprise docker getting started fixes (#13550) - skipping non-existent version 9.3.8 ------------------------------------------------------------------- Wed Jun 22 20:44:53 UTC 2022 - kastl@b1-systems.de - Update to version 9.3.7: * Release 9.3.7 (#13742) * Backport #10708 to branch/v9 (#13250) * Backport #12946 to branch/v9 (#13244) * [v9] Fix Teleport welcome screen image (#13710) * Update libbpf to 0.7.0-teleport (#13650) * [v9] Add better error handling for ec2 labels (#13487) * Fixes potential `cgo.Handle` panic (#13479) (#13590) * Fixed AWS 'teleport-generate-config' script when IMDSV2 is used (#13537) * [auto] Update webassets in branch/v9 (#13665) * Error out if port is already bound (#13679) * Fix panic when tsh kube exec is invoked (#13655) * [V9] Add `sshLogins` to nodes endpoint on `webapi` (GET /nodes) (#13474) * deflake TestAgentForwardPermission (#13638) * Update our list of support databases (#12841) * docs(helm): remove wrong statement from kube-agent highAvailability (#13262) * Drop rdpsnd messages (#13496) * Deflake TestX11Forward (#13493) * [v9] `tsh` list resources across proxies and clusters (#12934) (#13313) * Backport #12828 to branch/v9 (#13421) * Update docs self-hosted version to 9.3.6 (#13533) * Naji/backport 13287 (#13520) * Update downloads.mdx (#13431) * Optimize instance metadata availability check (#13167) * Fix CA rotation watcher not starting when database svc enabled w/ no cfg 
(#13470) (#13517) * Replaced bsh with code blocking in docs (#13486) ------------------------------------------------------------------- Wed Jun 22 12:17:21 UTC 2022 - kastl@b1-systems.de - Update to version 9.3.6: * Release 9.3.6 (#13500) * [v9] Check for unimplemented error during stream receive in Client.GetAccessRequests (#13490) * Backport of #10746 to v9 (#13197) * Rephrase the Teleport Cloud introduction (#13422) * Add de-duplicating apps, dbs, and desktops when sorting/totalCount is needed (#12685) (#13451) * Backport #12840 to branch/v9 (#13420) * [v9] Aurora serverless v2 support (#13203) * [v9] Wait for app requests to finish before closing the session chunk (#13469) * [v9] Backport #12891 (#13391) * [v9] Deflake TestNoReadWhenOff (#13415) * [v9] Fix file descriptor leaks in `tbot` (#13386) ------------------------------------------------------------------- Wed Jun 22 11:18:01 UTC 2022 - kastl@b1-systems.de - Update to version 9.3.5: * Release 9.3.5 (#13449) * Added debugging packages to Docker images (#13199) * [v9] Access request compatibility for servers without v2 api (#13428) * Backport #12712 to branch/v9 (#12881) * Hide Access Controls links/pages based on scope (#12880) * CamelCase GitHub (#13269) * Hide Getting Started pages/links based on scope (#12882) * Hide Server Access menu items based on scope (#12883) * Hide Setup menu items based on scope (#12886) * [v9] Backport docs PRs related to scoped visibility (#12888) * Backport #12682 to branch/v9 (#12950) * Update the tctl auth sign --ttl flag docs (#12947) * Add a more complete Teleport Cloud introduction (#13081) * [v9] backport #13310 (use `auth_servers` when proxying) (#13399) * [v9] Forward kubernetes errors to user when running in remote exec mode (#13400) * Improve kube exec Audit Log events (#13381) * [v9] Deflake TestAgentForward (#13166) (#13358) * [v9] Enable Database and Application Access in AWS Terraforms (#13383) * [v9] Backport #13016 (Buddy merge for #11939) * [v9] Fix help 
string for "tctl version" (#13255) * SQLServer add support for SSMS client (#13337) * Update upcoming-releases.mdx (#13344) * Implement proxy templates (#13311) * [v9] Make `TestDefaultTemplateRendering` less failure prone (#13002) (#13225) * Update to 9.3.4 for self-hosted (#13339) * V9: Backport #13029 (thread context.Context in tctl) (#13185) * Minor bugfix to correct dronegen error link in v9 (#13200) ------------------------------------------------------------------- Fri Jun 10 19:32:42 UTC 2022 - kastl@b1-systems.de - skipped non-existent version 9.3.3 - Update to version 9.3.4: * Release 9.3.4 (#13315) * Remove rdpclient's Cargo.lock (#13290) * [v9] Improve resourceAccessChecker performance (#13263) * Remove outdated MySQL DBeaver note (#13272) * Backport #12183 to branch/v9 (#13248) * (v9) Security fixes (#13301) * [v9] Add missing flags to "tctl auth sign" docs (#13279) * Document `tsh --mfa-mode` flag (#13264) * [v9] Expand --mfa-mode and disable stdin hijack by default (#13134) (#13212) * [auto] Update webassets in branch/v9 (#13265) * [v9] Add S3:AbortMultipartUpload to AWS IAM policies (#13235) * Make windows terminal keep up with real time (#13221) * [v9] docs: Fix proxy config for GCP (#13259) * [v9] Label desktops based on the content of LDAP attributes (#13238) * Reorganize the docs homepage menu (#13247) * Support proxy protocol v2 in MySQL (#12424) (#12993) * fix typo in RBAC guides.mdx (#13172) * Edit tctl instructions to clarify remote login (#13078) * Prereqs for tctl and enterprise, cloud flow (#12998) * Backport #12544 to branch/v9 (#13110) * Add a link from the older docs versions page (#12953) * Backport #12504 to branch/v9 (#13112) * [v9] Simplify reexec on linux (#13119) * Change tsh to only print non exit errors on exit (#12903) * Filter out invalid EC2 tag keys (#13131) * Update to Go 1.17.11 (#13104) * Add JWT auth guide for ElasticSearch (#12612) * Add disabled imds client by default for integration tests (#13109) * [v9] Cloud 
customer auth servers use port 443 (#13066) * Fix EC2 labels concurrent write (#13072) * [v9] Docs Backports (#12894) * Add ap-south-1 (Mumbai) as a cloud proxy region * OIDC multiple redirect URLs (#13046) * Backport #12038 to branch/v9 (#12642) * V9: Backport #12898 #12855 (#13065) * docs version update to 9.3.0 (#13004) * Automatically import EC2 tags (#12593) ------------------------------------------------------------------- Wed Jun 01 11:28:24 UTC 2022 - kastl@b1-systems.de - Update to version 9.3.2: * [v9] Fix broken version check in tbot's `tshwrap` (#13034) (#13037) * Updated Upcoming Releases (05/26). * skip no credential providers error (#12984) * [v9] Fix CA rotation docs inconsistently providing `--type` flag (#12929) * [v9] Deflake TestLockWatcherStale (#12981) - skipping 9.3.1 release that does not exist ------------------------------------------------------------------- Mon May 30 14:39:12 UTC 2022 - kastl@b1-systems.de - Update to version 9.3.0: * Release 9.3.0 (#12955) * [v9] Re-add `kinds` config field to tbot with a deprecation warning (#13000) * Read all PROXYv2 header bytes (#12861) (#12994) * Fix missing SSH HostCA in tbot impersonated identities (#12992) * Add `tbot proxy` and `tbot db` wrapper commands (#12687) (#12990) * Extend support for identity files in tsh (#12686) (#12922) * [auto] Update webassets in branch/v9 (#12989) * Backport #11768 #12411 to branch/v9 (#12975) * [v9] When adding a cluster, return it if it was already added (#12978) * add ExactKey function to create absolute storage paths (#12721) * ensure tctl outputs all debug log messages (#12920) * Update docs docker versions for oss and enterprise (#12917) * Change `teleport configure` to accept non existent `--data-dir` directory (#12673) (#12806) * Revert "Avoid nil dereferencing when tlsConfig is nil. (#9788)" (#12874) * [v9] Set TELEPORT_ETCD_TEST=yes. (#12784) (#12851) * Backport #12034 to branch/v9 (#12842) * Fix `tsh db ls` for remote clusters. 
(#12281) (#12853) * Improve CertAuthorityWatcher (#10403) (#12724) * Improve performance using session trackers in large clusters (#12584) (#12832) * tctl: Respect TELEPORT_HOME value when grabbing profile (#12486) (#12738) * [v9] Fix Redis Cluster default user AUTH cmd (#12754) * Warn instead of hard error when validating u2f facets (#12826) * [v9] Update docs version to 9.2.4 for self-hosted and cloud (#12823) * Remove non-https facets from documentation (#12776) (#12785) ------------------------------------------------------------------- Sat May 21 18:28:41 UTC 2022 - kastl@b1-systems.de - Update to version 9.2.4: * Release 9.2.4 (#12788) * [v9] Upgrade MySQL driver to v1.5.0 and set missing mysql client cap (#12734) * [v9] Add hostlogin to proxy config for windows desktop (#12781) * 05/19 Upcoming Releases Update * Backport #12119 to branch/v9 (#12645) * Backport #12236 to branch/v9 (#12648) * Add Video Banner for Installing Teleport page (#12746) * Ensure h2 has precedence over http/1.1 (#12740) (#12749) * Update Teleport Cloud FAQ (#12663) * Ignore access denied errors when creating/getting a session tracker as db, app, or windows desktop service. 
(#12728) * Backports redirects from #12528, adds indexing page (#12655) * [v9] Listener hygiene (#12689) * `tbot configure` command for assisting Machine ID configuration (#12517) (#12576) * Updates terraform docs for provider (#12314) (#12595) * Optionally skip unshallowing step (#10978) (#12669) * ssh: Ignore PuTTY-specific channel requests (#12662) * Replace title-less Details boxes with ScopedBlocks (#12608) * [v9] Proxy restart fixes (#12488) * Restore "Adds optional deployment key for CI (#10506) (#12590)" (#12624) * Reduce latency of GetNodes (#12637) * Implement global tsh config file: `/etc/tsh.yaml` (#12598) (#12626) * docs version update to 9.2.3 (#12631) * [v9] Link to Interactive Teleport Labs (#12620) * [v9] Client timeout fixes (#12632) ------------------------------------------------------------------- Fri May 13 14:54:38 UTC 2022 - kastl@b1-systems.de - Update to version 9.2.3: * Release 9.2.3 (#12623) ------------------------------------------------------------------- Fri May 13 14:52:56 UTC 2022 - kastl@b1-systems.de - Update to version 9.2.2: * Release 9.2.2 (#12621) * Update upcoming-releases.mdx * [v9] Add Session tracker to DB, App, and Windows Desktop Sessions; Fix make grpc * [v9] Refactor non-interactive sessions out of proxy/sess.go (#12541) * Update to Go 1.17.10 (#12607) * add --format flag to 'token add' and make the same flag visible for 'token ls' (#12588) * docs: mention new desktop label for OU (#12548) * Revert "Adds optional deployment key for CI (#10506) (#12590)" (#12603) * Ignore HTTP_PROXY in reverse tunnels, part 2 (#12335) * Stop loading the entire node set into memory per tsh ssh connection (#12014) (#12573) * [v9] Fix user mismatch in postgres backend (#12553) * include groups example for role in k8s controls docs (#12563) * Adds optional deployment key for CI (#10506) (#12590) * App access JWT header improvements (#12589) * [v9] Includes Audit Log into common sso Troubleshooting (#12565) * Make the Installation guide 
more usable (#12369) * Add a UI reference entry for code blocks (#12428) * feat(helm): add priorityClassName and extraLabels to kube-agent (#12559) (#12568) * add pam tag back to tctl build (#12572) * Add new config templates to `tbot` for databases and identity files (#11596) (#12500) * Re-add grace period to Upload completer for backwards compatibility. (#12535) * Disable ssh_service for app config (#12539) * [v9] Upgrade gravitational/kingpin to latest master (8b7839c62700) (#12511) * Desktop access: add teleport.dev/ou label (#12502) * helm: Buddy merge for #11368 (Enable persistence in custom mode) (#11993) (#12218) * Make the Troubleshooting guide more usable (#12431) * Fix RDS Redshift dynamic resources registration logic (#11868) (#12451) * update version in docs to 9.2.1 (#12476) ------------------------------------------------------------------- Fri May 06 06:43:30 UTC 2022 - kastl@b1-systems.de - Update to version 9.2.1: * Release 9.2.1 (#12472) * Database agents to share same IAM policy (#11320) (#12457) * Only acquire semaphore lease if maxconnections is configured (#12462) (#12468) * [v9] Add roles needed in dynamic reg app and db docs (#12469) * Add hint message when removing access requests. (#11963) (#12435) * Update help message for `add token` command and allow token removal from the `rm` command. 
(#12118) (#12439) * [v9] Add nil check for billing mode in AWS DynamoDB events driver (#12461) * Update docs version to 9.2.0 for teleport (#12442) ------------------------------------------------------------------- Thu May 05 15:11:02 UTC 2022 - kastl@b1-systems.de - Update to version 9.2.0: * Release 9.2.0 (#12427) * Add a partial for agent installs in Teleport Cloud (#12366) * reduce verbosity of missing kernel support warning for secure symlink (#12396) (#12423) * [auto] Update webassets in branch/v9 (#12422) * Allow users to request database certificates in Machine ID (#11904) (#12195) * Fix tunnel mode for CockroachDB (#12400) * Deflake TestTSHSSH (#12402) * [auto] Update webassets in branch/v9 (#12338) * Update docs version to 9.1.3 self-hosted, 9.1.2 for cloud (#12382) * set cloud version in user pre (#12386) * Add context.Context to GetReverseTunnels (#12393) * Fix lingerAndDie race condition (#12376) * Update DBeaver guides to use authenticated local proxy. (#12037) (#12384) * [v9] Rollup backport (#12360) * [v9] Disallow malformed U2F facets (#12208) * moved status page cloud question up in faq order (#12354) * Updated release dates in Machine ID documentation. ------------------------------------------------------------------- Thu May 05 13:11:30 UTC 2022 - kastl@b1-systems.de - Update to version 9.1.3: * Release 9.1.3 (#12343) * Never use `--tlsUseSystemCA` and `--tlsCAFile` together with `mongosh` (#12363) * [v9] Advertise correct MySQL server version (#12340) * Updated scaling limits. * Improve error message for resource predicate query (#12262) (#12339) * Prevent relative expiry from emitting more events than can be processed (#12002) (#12247) * [v9] Specify the `NodeName` in `auth.ReRegister` (#12333) * Gracefully degrade `tsh db ls` in case fetching roles fails. 
(#12320) * added diagrams and install instructions for db and app guides, getting started (#12313) * Connect: Use SSHAgentLogin when second_factor is set to optional or on (#12322) (#12323) * Upcoming releases: Replace Terminal with Connect (#12317) * [auto] Update webassets in branch/v9 (#12316) * Connect: Refresh leaf cluster certs before fetching certs for database (#12293) (#12315) * Backport Teleport Connect gateway changes from #11720 (#12297) * escape pipe char in table cell (#12280) * Dial only application servers that serve the requested application (#12217) (#12300) * SSH Session fixes (#12286) * Add `proxy_host` and temporary `actual_name` fields to the cluster response object (#12291) * Update predicate doc example to use bracket notation (#12237) (#12271) * Update upcoming-releases.mdx (#12276) * Create remote site cache based on remote auth version (#12130) (#12251) * Speed up TestAppServersHA (#12128) (#12253) * update docs version to 9.1.2 (#12278) * give direct link to cloud signup (#12219) * Add flags to `teleport configure` command (#11766) (#12267) * Teleport Connect: Accept database name when setting up proxy (#12173) (#12228) * Expose RoleSet.EnumerateDatabaseUsers to Teleport Terminal (#12070) (#12207) * [v9] Backport quoting Postgres connection string & generating DB CLI commands for Teleport Connect (#12206) * [v9] Backport initial Teleport Connect PR + fixes (#12205) ------------------------------------------------------------------- Wed Apr 27 17:14:24 UTC 2022 - kastl@b1-systems.de - Update to version 9.1.2: * Release 9.1.2 (#12259) * Revert "Backport #11725 #11249 #11799 to branch/v9 (#11795)" (#12243) * docker: Add lint-helm to build.assets Makefile (#12189) * [v9] Regenerate host UUID of node if host_uuid is empty (#12222) * Simplify user creation in database access guides (#12136) (#12235) * bump to 9.1.1 in docs (#12210) ------------------------------------------------------------------- Tue Apr 26 19:47:35 UTC 2022 - 
kastl@b1-systems.de - Update to version 9.1.1: * Release 9.1.1 (#12192) * docs: Add example for label usage with `tsh ssh` (#12110) (#12158) * [auto] Update webassets in branch/v9 (#12170) * Added support for JumpCloud. (#11936) * [v9] docs: Machine ID update (#12155) * Ignore HTTP_PROXY for reverse tunnels (#11990) (#12035) * Respect Firestore commit write limits (#12111) (#12177) * updates meta-description (#11746) * update latest 9 version (#12174) * Update upcoming-releases.mdx (#12166) * Update upcoming-releases.mdx * Fix Download Link (#12132) (#12134) * Prevent blocking forever when transport channel fails to open (#11875) (#12122) * Mention ScopedBlock in the UI reference (#12085) * Backport #12001 to branch/v9 (#12088) * Backport #11419 to branch/v9 (#12091) * Backport #11913 and #11826 to v9 (#12095) * Fix flaky test - TestAuditOn (#12135) * Fix ProxyKube not reporting its readiness (#12152) ------------------------------------------------------------------- Tue Apr 26 18:54:52 UTC 2022 - Johannes Kastl - introduce new executable tbot for new feature Machine ID https://goteleport.com/docs/machine-id/getting-started/ ------------------------------------------------------------------- Tue Apr 26 06:24:53 UTC 2022 - kastl@b1-systems.de - Update to version 9.1.0: * Release 9.1.0 (#12020) * Manually extract SSO redirect URL to preserve its own query params (#12100) (#12125) * Allow setting additional traits in tctl users add command (#12102) (#12133) * Fix reference to tbot start --oneshot (#12064) (#12112) * [auto] Update webassets in branch/v9 (#12126) * [v9] backport #12057 (panic in `CertAuthority.Clone`) (#12004) * [v9] backport #11019 (`ListResources` in the webapi layer) (#12106) * Add manual websocket pingloop (#11765) (#11915) * Improve error handling in `tbot start` (#11756) (#12012) * Pipe terminal stdin to session in kubernetes peer mode (#11288) (#11918) * Allow requesting a join token with IAM method from the web api (#11339) (#12060) * Fix 
globbing for Moderated Sessions join policies (#12067) (#12071) * Make `tsh db ls` lists available db users. (#10458) (#11942) * Switch to forked `httprouter` and enable `UseRawPath` option (#11068) (#12080) * Prevent goroutine leak in oidc client (#11974) (#12078) * docs: Don't lint external links when running in CI (#12058) (#12069) * Fix flaky test - TestChaosUpload (#12052) * Add JSON and YAML to several tsh commands (#11681) * update prereqs for machineid ansible guide (#12066) * fix(db): send initial heartbeat when there is no static dbs (#11160) (#12039) * Generate database access credentials with tctl auth sign command (#10785) (#12042) * Align atomics on ARM32 (#11822) (#11917) * Correct note on node (#12045) * Update linux-server.mdx (#11682) (#11815) * fix docker example (#12027) * update teleport cloud version to 8.3.7 in docs (#12017) * Update installation docs (#11677) (#12013) * Includes advisory for pages that are installing proxy, auth for cloud scope (#12030) * Ensure Cache `types.WatchKinds` and `proto.WatchEvents` are in sync (#11692) (#11927) * Backport #11381 to branch/v9 (#11969) * Backport #10996 to branch/v9 (#11967) * Backport #10759 to branch/v9 (#11966) * Backport #10801 to branch/v9 (#11964) * docs: Don't lint external links (#11940) (#11996) * Prepare five guides for Cloud users (#11982) * Document Okta OIDC provider workaround * Extract tabbed Prerequisites into a partial (#11960) * Backport #11801 to branch/v9 (#11965) * Fix Okta OIDC (#11718) * Remove references to authentication type 'false' from docs (#11621) (#11924) * (v9) Delete app sessions on logout (#11956) * helm: Set default second factor to "otp" in values (#11034) (#11923) * helm: Add support for mounting existing TLS secrets with optional root CA (#11295) (#11922) * Bump Go to 1.17.9 (#11932) * Fix race condition in (*sess). 
broadcastResult() (#11851) * Mention scoped Admonitions (#11900) * Edit four docs guides for Cloud users (#11971) * Edit four Access Controls guides for Cloud users (#11977) * Update upcoming-releases.mdx * Update upcoming-releases.mdx * [v9] Add audit logging for more MySQL commands (#11914) (#11949) * [auto] Update webassets in branch/v9 (#11951) * Return error message if supplied auth connector name doesn't match registered names. (#11800) (#11884) * change bash blocks to code to fix copy/paste and consistency (#11912) * Updated Getting Started Machine ID Guide. * Updated Ansible Machine ID Guide. * Updated Jenkins Machine ID Guide. * Update teleport-plugin guides to reference docker images for downloads (#11617) (#11934) * SQL Backend Documentation (#11897) * Move Cloud download binaries into tables (#11839) * [v9] Rollup bugfix backport (#11890) * NO_PROXY port support + special case for proxying via localhost (#11403) * [v9] Replace session upload grace period with session tracker (#11853) * Edit Database Access guides for Cloud users (#11846) * [v9] Release pipeline improvements (#10707) (#11833) * [v9] Make relogin attempts use the strongest auth method (#11781) (#11847) * Mention Teleport is deployable in k8s (#11874) * update golang version in docs config to 1.17 (#11869) * [v9] helm: Backports (#11728) * [v9] Access Control, K8s Cluster docs set scope and AWS first (#11761) * Add client cert in insecure mode (#11758) * Backport #11725 #11249 #11799 to branch/v9 (#11795) * Add auth'd tunnel mode to tsh proxy db command (#11720) (#11808) * [v9] Moderated Sessions rollup backport (#11803) * Fix session leave + termination deadlock * Backport #10880 to branch/v9 (#11442) * Add grpc server and client metrics to Teleport (#11773) * Fix key principals not being used when identity files are being used (#11793) * update 9 release version to 9.0.4 (#11789) * Document limitations with the Google OIDC connector and transitive group memberships (#11422) 
------------------------------------------------------------------- Thu Apr 14 19:37:37 UTC 2022 - kastl@b1-systems.de - Update to version 9.0.4: * Release 9.0.4 (#11785) * Add Cloud instructions to five guides (#11742) * [v9] Add hint when the user receives an error about an "unknown certificate authority" (#11550) (#11751) * Added Machine ID to examples. * Backport SQL Backend to v9 (#11667) * [v9] Install script changes and sudo command updates for Teleport install and configure (#11750) * Support proxy protocol v2 (#11684) (#11722) * Clean up remoteSites with no active tunnels (#11435) (#11707) * update cloud-config to fix install errors (#11732) * update teleport 9 and cloud versions in docs (#11726) * Spread out `UploadCompleter` load (#11590) (#11698) * Split Redis docs (#11702) * [v9] Kube agent instructions on matching to server version (#11711) * Change client dialOpts append order (#11322) (#11624) * Added admonition about TLS Routing and Machine ID. * Added Jenkins Machine ID diagram. * Add support for backward compatible API Client behavior (#11567) (#11663) * [v9] Backport: fix tsh config test (#11657) * Avoid nil dereferencing when tlsConfig is nil. 
(#11614) * Updates minimum terraform version to 1.0 (#11651) * Add documentation for ssh key extensions with github (#11656) * docs: Add Helm docs for tls.existingSecretName (#11306) * minor edits (#11641) * Fix docs UI reference (#11635) * Edit two guides for Cloud users (#11642) * Remove misleading information about tctl for Cloud (#11632) * Update repo in docs contribution guide (#11638) * Fixes console player ctrl+C and ctrl+D functionality (#11559) * Fix tsh player issues (#11491) * docs: add note about user CA rotation + desktop access (#11586) * fix loggers not respecting json config (#10808) (#11655) * Add metric to track number ssh connect attempts (#11240) (#11629) * [v9] backport #11386 #11387 (in-memory cache and sqlite sync) (#11658) * Update IsValidLabelKey to include ':' (#11563) ------------------------------------------------------------------- Thu Apr 14 19:35:08 UTC 2022 - kastl@b1-systems.de - Update to version 9.0.3: * Release 9.0.3 (#11649) * Fix `ad-keytab-file` flag on sqlserver docs (#11581) (#11605) * Split the Helm chart reference (#11437) * helm: Add support for separate Postgres/Mongo listeners in teleport-cluster chart (#10858) (#11434) * [Docs] Add teleport.yaml docs for x11 forwarding (#10561) (#11429) * Edit three guides for Cloud users (#11362) * Fix 32-bit arm deb and 64-bit arm rpm packages (#11318) (#11568) * Add missing quotes in GCB triggers (#11608) * tctl: respect TELEPORT_HOME variable when reading profiles (#11561) * Use first available auth server (#11229) (#11598) * [auto] Update webassets in branch/v9 (#11582) * updated /signup to absolute url (#11580) * Remove potentially confusing EOF line from snippet (#11438) * Split the AWS Node Joining guide (#11440) * 03/30 Upcoming Released Update * Backport #10620 to branch/v9 (#11542) * Add missing doc link for predicate language (#11466) (#11541) * [branch/v9] Backport #11388 (#11537) * tsh: ignore empty or non-existing config files (#11495) (#11571) * [docs/v9] Remove 
mention of x509 certs for Machine ID as they're not yet available (#11548) * error message improvement on teleport start file permissions (#11502) * [branch/v9] Rollup backport of session fixes (#11494) * Don't respect HTTP_PROXY env in k8 forwarder (#11257) (#11462) * [v9] Makes a common login error troubleshooting for sso docs (#11488) * [v9] Backport: "helm: Add details on AWS ACM to AWS guide (#10857)" (#11414) * Fix relative signup path * Fix TLS Routing jumphost flow (#11282) (#11496) * Assign EmitAuditEvent to err for subsequent check. (#11501) (#11505) * Added Jenkins tile to documentation. * Add Teleport Cloud downloads page. * Added Machine ID Jenkins Guide. * Update Machine ID icon to chip icon. * [auto] Update webassets in branch/v9 (#11473) ------------------------------------------------------------------- Sat Mar 26 14:53:54 UTC 2022 - kastl@b1-systems.de - Update to version 9.0.2: * Release 9.0.2. * Updated CHANGELOG.md. * update enterprise (#11408) * Reexec with `/proc/self/exe` on Linux (#11283) (#11453) * Add version string to terraform role ref (#11407) * [v9] Add HTTPS_PROXY for tsh (#11397) * Add tests for motd fixes * Fix MOTD not showing up on tsh login with certain arguments * Fix panic in getWebConfig (#11389) (#11413) * Update cargo deps (#11400) (#11416) * Resolve comments, move all occurrences of teleport.dev to use a constant * Add configurable verbosity to `tctl get roles` * Resolve comments * Add verbosity to tctl * ls commands and resource get. 
* Move 'MakeTableWithTruncatedColumn' to asciitable and truncate labels * ls consistency: add support for tctl desktop ls * ls consistency: add tctl kube ls command * ls consistency: make tctl db ls output consistent * ls consistency: make tctl apps ls output consistent * ls consistency: Make tctl nodes ls output consistent, support yaml * Add a .tsh/config file and add support for configuring custom http headers * [v9] Backport: "helm: Adds missing namespaces to ConfigMap (#11032)" (#11343) * add copy/paste mention (#11377) * Edit Helm installation instructions (#11303) * Situate the Installation guide more clearly (#11300) * Edit four Kubernetes Access guides for Cloud users (#11354) * Teleport cloud license info and other info update (#11376) * add all token types (#11375) * Update Redis links in docs (#11393) * [v9] Add endpoint to webapi to generate DB join token (#10914) (#11256) * Fix certificate extension not being included in `tctl auth sign` * Show usage on invalid command line invocation. (#11174) (#11333) * Remove the v5 Kubernetes migration guide (#11297) * Add Cloud-specific instructions to two guides (#11314) * Add notes about wildcard certificates (#11310) * Fix broken link in the ADFS guide (#11307) * update e module (#11341) * [v9] helm: Backport chart changes from unit test addition (#11336) * Added Machine ID CLI and configuration references. 
* Update 'tctl apps/db/nodes ls' to accept filter flags (#11003) (#11076) * docs: add desktop session recording and clipboard sharing (#11005) (#11252) * Mention Cloud compatibility in three guides (#11234) * Updates `tsh ls` for node/app/db/kube to accept new filter flags (#10980) (#11016) * Add doc for filter support for CLI tools (#11012) (#11258) * Support role bootstrapping in OSS (#11175) (#11247) * corrects some powershell examples and put in code for linux commands (#11225) * docs: clarify /healthz and /readyz (#11085) (#11231) * Keep multiple per-node remoteConns in localSite (#11074) (#11184) * Fix TLS multiplexing for the kubernetes_service in the teleport-cluster helm chart (#10002) (#11212) * Update upcoming-releases.mdx * Improve `tsh` error message if mysql client is missing (#11215) * helm: Adds extraArgs and extraEnv to teleport-kube-agent (#11155) (#11237) * helm: include static_labels in database example (#10414) (#11214) * Revert "Only allow access request deletion through static roles' permissions (#9540)" (#11221) * Address problems in concurrent sqlite access (#10706) (#11190) ------------------------------------------------------------------- Thu Mar 17 10:28:30 UTC 2022 - kastl@b1-systems.de - Update to version 9.0.1: * Release 9.0.1 (#11208) * Fix outdated CLI help for `tbot init --owner` (#11158) (#11167) * Fix improper default value check in tbot's `FromCLIConf()` (#11169) (#11206) * [branch/v9] Backport #10665 (#11064) * Fix quit on ctrlc, race panic, atomic load align in session IO (#11112) (#11188) * Refactored Ansible guide to work with Machine ID. * Cleanup of Machine ID Getting Started Guide. * Remove mention of max ttl for tctl tokens command (#11148) (#11164) * Silence false positive lints from staticcheck in tbot/init.go (#11084) (#11128) * docs: add desktops to per-session-mfa page * Update docs for FIPS users * Automatically calculate `public_addr` field for dynamic apps (#10941). 
(#10943) (#11139) * Fix DeleteRange when the backend sanitizer is used (#11124) (#11131) * Fix `tsh aws ecr` Internal Server Error (#10475) (#11108) * correct db connect (#11097) * 03/11 Upcoming Releases Update. * 9.0 post-release 4 (#11089) * 9.0 post-release 1: update docs versions (#11082) ------------------------------------------------------------------- Sat Mar 12 20:35:40 UTC 2022 - kastl@b1-systems.de - Update to version 9.0.0: * Release 9.0.0 (#11067) * Add Redis docs (#11073) * Fix NLB Mongo/Postgres errors spam (#11059) * [auto] Update webassets in branch/v9 (#11055) * Added Machine ID docs. * Release 9.0.0-rc.2 (#11038) * UX improvements for tbot (#10833) (#11046) * Moderated Sessions improvements (#10991) (#11051) * Fix meaning of `bot_name` in bot join tokens (#11039) (#11047) * Backport of #10289 (#11030) * Better Semaphore Lease Contention Handling (#10666) (#10877) * V9 backport 10871 (#11031) * Prevent panic caused by nil session recorder (#10792) (#10874) * (v9) Missing v9 backports (#11033) * Fixed incorrectly named RPMs (#11029) * Fix quadratic complexity in Reconciler.Reconcile(). (#10989) (#11023) * Fix ACME instructions in start-auth-proxy.mdx (#11013) * Update suggested systemctl command (#10733) (#11025) * Switch to warning in case of resource origin clash. (#10947) (#11024) * Regenerate server identity if APIDomain not present (#10944) * Release 9.0.0-rc.1 (#11018) * Fix RPMs using a too-new version of glibc (#11008) * [v9] Disable automatic updating of API import path (#11010) * Update database guides with database configurator. 
(#10451) (#10995) * Add MariaDB to AWS RDS auto discovery (#10994) * Update go-mysql package (#10997) * Enable desktop access in Web UI in Cloud clusters (#10970) * Handle case where display is itself a unix socket #10719 (#10985) * [auto] Update webassets in branch/v9 (#10988) * Release v9.0.0-beta.2 (#10982) * (v9) Update e (#10964) * flaky test: TestDatabaseAccessMongoConnectionCount (#10869) (#10955) * skip databases that are not available during auto discovery (#10699) (#10870) * feat(app): consider reverse tunnel errors in apps HA mechanism (#10734) (#10906) * [v9] backport 10915 (memory leak) (#10927) * Default to `https` scheme for `--proxy` argument in `tctl auth sign` (#10844) (#10911) * Open parts files one at a time * Fix Windows session uploads * Complete empty uploads * [v9] backport #10765 and #10766 (#10855) * Include tbot binary in Teleport packages and installs (#10646) (#10802) * Add desktop access to front page (#10894) * Add sorting for kube cluster (#10702) (#10921) * Add `KindWindowsDesktops` to `ListResources` (#10769) (#10912) * Fix missing identity in certs logic (#10822) * Fix DynamoDB getAllRecords logic when 1MB query limit is reached (#10726) (#10845) * Fix panic in MSSQL when Login7 package is invalid (#10709) * Add support for more Redis Cluster commands (#10760) * Backport #9470 to branch/v9 (#10823) * Backport #9556 to branch/v9 (#10824) * Update dronegen to fix build-darwin-amd64-pkg-tsh artifacts path (#10862) * Fix panic in MongoDB message reader (#10710) * Backport #9969 to branch/v9 (#10826) * Backport #10061 to branch/v9 (#10827) * Fix large clipboard copy/paste (#10670) * Backport #10621 to branch/v9 (#10829) * [v9] Sanitize leaf cluster CA (#10742) * Fix ALPN panic on empty db handler (#10662) * Do not block apt publishing if there is a more current pre-release (#10805) * Restore docs deploy hook (#10838) * Fix V5 role in getting started guide. (#10837) * Tweaks in getting started guides. 
(#10780) * docs: update CA rotation page (#10419) * Improve HA behavior of database agents in leaf clusters (#10641) (#10771) * Partial revert of session.connect event * Print proxy server on instructions on nodes add command for cloud (#10750) * Display correct error message when host is missing in `tctl auth sign` (#10739) * [v9] Fix Mongo topology resource release (#10731) * [v9] Backport #10460 to branch/v9 (#10616) * Fix desktop session playback RBAC (#10570) (#10679) * TF provider configuration environment variables (#10417) (#10548) * Update CI to teleport9 buildbox (#10715) * IAM join method support for tbot (#10535) (#10685) * Add documentation for static windows hosts * [auto] Update webassets in branch/v9 (#10712) * Tag buildbox and upgrade to go1.17.7 (#10605) * Change get resources webapi response (#10598) (#10683) * Return filtered total count with ListResources (#10573) (#10682) * Fix crash when AWS Redshift does not have Endpoint info (#10597) (#10675) * helm: Fix enabled clause for db_service when using awsDatabases only (#10644) * Disable BPF tests in CI (#10654) (#10691) * [Docs update] Mention unsupported scenarios for IAM join method (#10530) (#10652) * helm: Fix indenting on database autodiscovery (#10624) * Update desktop access docs for 9.0 (#10406) (#10545) * Fix artifacts path for build-darwin-amd64-pkg-tsh drone pipeline (#10600) * docs: fix code block (#10495) (#10555) * Restore teleport-private deb/rpm gating (#10536) * [v9] Backport "helm: Revert PodSecurityPolicy change" (#10565) * Release 9.0.0-beta.1 (#10508) * Update e (#10505) * [auto] Update AMI IDs for 8.3.1 * Certificate renewal bot (#10099) * [auto] Update webassets in master (#10482) * CertAuthority watcher filtering (#10020) * Adds a `DesktopSessionRecording` flag to the ACL (#10365) * Add SQL Server guide (#10293) * Update x11 sshserver test to test concurrent sessions and requests. 
(#10470) * Add MFA for Windows Desktop web access (#10271) * Reduce concurrent connections in TestRedisTransaction (#10472) * feat: aws database configurator (#9145) * Add missing action VerbRead to ListResources (#10422) * Re-sign .drone.yml (#10469) * Remove drone step to publish centos6 buildbox (#10432) * Fix server compare to check expiry last (#10380) * Add teleport_audit_emit_event prometheus metric (#9134) * Use tdr in Dronegen (#10453) * helm: Add AWS database auto-discovery to teleport-kube-agent (#10344) * Add support for windows desktop services proxying different desktops (#10101) * Address Cloud users in guides (#9962) * Mention Teleport Cloud in some of our guides (#9989) * docs: Updated path to tctl/tsh for Enterprise binaries (#10428) * Add a Cloud compatibility warning to Helm guides (#10023) * Add a prominent warning to the config reference (#9558) * [auto] Update webassets in master (#10427) * IAM Joining Docs: Set join_method in token.yaml (#10433) * Clear terminal when auth server is in FIPS mode (#10095) * Update version thresholds (#10426) * Add support for configurable ssh key extensions * Fix HSM flaky integration tests (#10390) * Install gcloud in /opt, so it can be accessed by non root (#10400) * add where option with sessions so Access role by default can see their own session recordings (#10376) * Add SQL Server support for database access (#10097) * [auto] Update webassets in master (#10409) * Switch shell to golang for latest version detection (#10295) * Add a command to query the latest release * Switch to testify * Exclude draft releases from latest version logic * Fix release sorting * Add an lexicographic test case * Integrate version-check into build.assets/tooling * Implement resource sorter for server, appserver, dbserver (#10243) * Check for shell user's home directory as that user (#10321) * Update e submodule. 
(#10413) * add teleport_connected_resources metric (#9603) * MySQL prepared statement support (#10283) * Fix TestHandleConnection directory not empty error (#10407) * Add Redis integration (#10053) * Only request CF_OEMTEXT clipboard data * Add audit events for desktop clipboard access * Increase GCB UT timeout (#10398) * Remove the legacy JSON API for requesting host certs * Remove CentOS 6 builds for Teleport 9 * docs: add warning about auditor role (#10258) * Label active directory domain controllers (#10334) * Fix Reverse Tunnels Not Properly reconnecting (#10368) * Add TestModules (#10369) * Ensure docs nav titles use title case consistently (#10353) * Deflake TestFnCacheSanity (#10250) * Clarify Kubernetes Getting Started guide (#9580) * Fix db configure (#10349) * Migrate the joined-tokens code to the OSS release. (#10288) * Implement Moderated Sessions (#8563) * Fix tctl insecure flag when TLS Routing is enabled (#10297) * DigitalOcean 1-click Droplet and Kubernetes getting started guides (#8773) * Return desktop events in SearchSessionEvents (#10325) * Save unit test logs (#10076) * Fix TestProcessKubeCSR (#10355) * Implement global SessionData storage (#10287) * Don't open clipboard static channel when clipboard is disabled (#10348) * Synch Teleport preview updates (#10318) * Replace /tmp with os.TempDir(). 
(#10322) * Generate/validate a PIN for our virtual smartcard (#9919) * Add passwordless-related information to protos (#10281) * Expose reverse tunnel address to web ui (#10133) * Fix fake streamer implementation to match the real one (#10330) * Desktop session recording/playback (#9583) * RFD 48: Desktop Session Recording (#9864) * Ensure clipboard data is shared in the format Windows expects (#10284) * Add docs for IAM join method (#8899) * Add Prometheus metrics cache events and stale events (#9826) * Add Teleport Cloud instructions to 3 guides (#9681) * RFD 52/53/54: Passwordless (#9296) * Add documentation for moderated sessions (#9425) * Don't return `nil, nil` in (*AuditWriter).tryResumeStream (#10254) * Trusted clusters doc: Use wildcard for spec.allow.cluster_labels.env * Improve node labels example in roles docs (#9385) * Fix interpolation example in role templates docs (#9382) * Add missing DatabasesReady event to DB proxy (#10152) * active node inventory cleanup * Authentication options doc: wrap `on` in quotes * Add keepalive heartbeat to kubernetes service (#9584) * commit forgotten "make grpc" (#10280) * feat: add create database config command (#9618) * Convert auth test from gocheck to standard lib * Document desktop role options for Teleport 9 (#10227) * Replace testify/assert with testify/require (#9925) * Adds Application certificate path to profile (#10043) * [auto] Update AMI IDs for 8.2.0 * IAM Join Method (gRPC service) (#10087) * Make our docs guidance discoverable (#10155) * Use an apt-key alternative in install instructions (#10084) * docs: add steps for joining w_d_s to a cloud cluster (#10219) * Clean up desktop session error logging (#10232) * [auto] Update webassets in master (#10235) * Use buildbox images from quay.io (#10179) * Remove Teleport DB Users only message for tctl users ls that is incorrect (#10181) * Cleaned up NewClient in integration tests. * Fixed TestSessionStartContainsAccessRequest. 
* Fixed TestDisconnection * Expand cloud in production usage faq question (#10218) * Update the PR description for auto webassets updates (#10212) * IAM Join Method (backend implementation) (#10085) * adds clipboard to userACL (#10207) * Add the `cert.create` event (#9822) * [auto] Update AMI IDs for 8.1.5 * Reconnect broken LDAP connections (#10183) * Enable map key sorting in `utils.FastMarshal` (#10070) * Clarify `tsh config` usage docs on Windows (#8409) * Update MariaDB docs (#10113) * Add additional filters to ListResources (#10180) * Desktop Access: clipboard support (#9976) * Add more lint coverage (#10049) * Add desktop_clipboard role option (#10165) * update `github.com/gravitational/trace` to `v1.1.17` (#10079) * [auto] Update webassets in master (#10161) * x11 forwarding (#9897) * Document docs labels (#9537) * Update Docker image tags in docs (#9400) * Modified FedRamp to FedRAMP in docs for proper acronym (#10114) * Implement resource boolean expression parser (#10008) * Add xauth binary to buildbox for X11 forwarding. (#10164) * docs: Add extra commands and reference for AWS Managed AD to Desktop Access docs (#9669) * Add role option for record_desktop_session (#9523) * Fixes DocTest CI (#10117) * [auto] Update AMI IDs for 8.1.3 (#10144) * Update Documentation for GCP Cloud SQL Client Authentication (#10092) * Update version-check paths (#10118) * Fix. * Removed `TestProxyReverseTunnel`. * RFD 49: desktop access clipboard (#9868) * Backward compatible kubernetes_labels behaviour for v3 and v4 roles (#10122) * RFD 51: X11 forwarding (#10009) * Remove broken links to /admin-guide/#public-addr (#10057) * Use correct unmarshaller for json durations (#10124) * Dynamically resolve reverse tunnel address (#9958) * Updated assign and check logic for Cloud. 
* fix tests - forwarder is not set during cluster session init anymore * remove unnecessary file * unfix test case * tests * address comments * clean import * disable http2 for kube streaming endpoints * Update S3 canned ACL docs (#10072) * Add teleport_reverse_tunnels_connected Prometheus metric (#9698) * Log when App Service fails due to empty `proxy_service.public_addr` (#10056) * Add metric tracking number of Teleport agents joined to cluster (#9749) * Modify verbiage on AWS CLI (#10029) * Fix docker-compose Getting Started guide issues (#9709) * Add guide for Azure Postgres/MySQL database access (#9729) * Refactor database engines registration (#10074) * Add backporting tool. (#9568) * Clarify token.file usage in server access getting started guide. (#10060) * Updated the description of the location of the built binaries (#9885) * Documentation update for Redshift auto discovery support (#9990) * RFD 50: Cluster Join Methods and Endpoints (#9871) * Client Certificate Authentication for GCP Cloud SQL (#9991) * Fix tsh tctl do not load all CAS (#9357) * Use SDK Cloud script to install gcloud (#9941) * RFD 55: WebUI server-side paginating and filtering (#9633) * Add teleport proxy addr to the kubeconfig exec args when specified (#9899) * Add MatchSearch to resources for fuzzy search (#9892) * Removes diagnosis address from being hidden (#9975) * Update to Rust 1.58.1 (#9985) * Update golang.org/x/crypto to v0.0.0-20220126234351-aa10faf2a1f8 (#9984) * Respect errors from UserInfo (#9951) * support for redshift auto discovery (#9851) * add desktop and tip on assigned ports for networking ref (#9957) * Add a Cargo workspace (#9960) * Update teleport-agent readme links (#9963) * add extra checks to avoid getSigninToken failure (#9792) * Properly cleanup the connection monitor for desktop sessions (#9913) * Fix k8 access - respect kube service labels (#9759) * Updated docs for the improved Google OIDC connector (#9907) * Include uid in session.start & upload events 
    (#9791)
  * Ignore artifact failures in remaining pipelines (#9932)
  * Add diag addr, web idle timeout, token clarification (#8489)
  * add ping oidc workaround documentation (#8486)
  * Add access requests to audit events (#9758)
  * Ignore failures for artifact registration step (#9921)
  * feat: add KubeService and Node to ListResources (#9613)
  * Add access request locks to the docs (#9866)
  * Auto discovery aurora reader and custom endpoints (#9668)
  * Access request locks (#9478)
  * make protoc generation compatible with api v2+ (#9673)
  * update RDS and Redshift CA URL (#9890)
  * Add github teams to available traits
  * Fix TLS Router serverName 'kube.' prefix based routing logic (#9777)
  * Put note about skipping TLS verification in a
    box
  * Check if the legacy password_file config field is set
  * Run LDAP initialization in a retry loop
  * Remove mention of LDAP password from docs
  * authenticate to LDAP with client certificates
  * Fix docs typo
  * Add email parameter to example (#9850)
  * Improved Google OIDC connector (#9697)
  * Reject TDP ClientUsername messages that are too long
  * [Breaking] Default to mongosh when connecting to MongoDB. (#8472) (#9754)
  * Fix docs and config newline outputs
  * Fix inclusion of non-existent gcp-credentials secret and credentialsPath when credentialSecretName is empty
  * [auto] Update webassets in master (#9870)
  * Update e-ref (#9843)
  * Cleanup of minor bot issues.
  * Remove devbox - build box now supports ARM64. (#9847)
  * use google/uuid instead of pborman/uuid (#9793)
  * Replace cluster periodics with watchers (#9609)
  * Tweak the PNG encoder (#9817)
  * make the switch in dynamic.go easier to read (#9836)
  * Retry with re-login ignores TELEPORT_HOME. (#9436)
  * Database auto discovery to be more tolerable to find as many as it can (#9426)
  * Treat EC2 Node IDs as UUIDs (#9722)
  * fix: removing new line convergence (#9579)
  * Add an Error message to TDP (#9586)
  * helm: Allow setting issuer group for certificate in teleport-cluster (#9138)
  * helm: Add logging configuration to teleport-kube-agent chart (#9632)
  * [docs] Add region and use of SSM decryption to Terraform docs (#8907)
  * Allow impersonation of roles without users (#9561)
  * Fix first desktop discovery reconcile loop (#9654)
  * Naji/force http2 kubernetes (#9294)
  * fix nindent of `service.spec` in teleport-cluster chart (#9645)
  * Conditionally publish deb packages (#9496)
  * docs: recommend a highly available LDAP endpoint.
    (#9744)
  * Clean up system role parsing (#9756)
  * Emit event when connecting to non-Teleport server (#9370)
  * feat: app server requests failover (#9288)
  * Don't shell out to `go list` when not needed (#9776)
  * Fix reverse tunnel dialing for Windows Desktops
  * omit invalid aws tags in rds autodiscovery (#9742)
  * Convert password_test.go from gocheck to std test
  * Run gpg in batch mode (#9728)
  * Use teleport logger instead of gravitational/trace (#9738)
  * Revert bot changes for `vendor/` (#9743)
  * Add the `access_request.delete` event (#9552)
  * Add support for MariaDB (#9409)
  * Add Videos to Teleport Desktop Access (#9373)
  * Update `google.golang.org/grpc` to v1.43.0 (#9656)
  * Upgrade from `go.etcd.io/etcd` v3.4.14 to `go.etcd.io/etcd/{api,client}/v3` v3.5.1 (#9607)
  * Add "limiter" support to database service (#9087)
  * Fix log file location for vendorless (#9689)
  * Move GOMODCACHE out of workspace
  * Disable make target update-api-module-path.
  * Mark RFD 47 as implemented
  * Remove vendor
  * Sign rpm repo metadata (#9027)
  * Update e-ref (#9682)
  * do not register Aurora serverless db clusters (#9386)
  * truncate Labels for tsh db ls (#9671)
  * Disable RDP client on ARM 32 bit (#9667)
  * Adds Desktops to license (#9576)
  * Remove unused context from sqlite backend (#9658)
  * Update Postgres audit events (#9435)
  * Add note about TLS routing backwards compatibility (#9630)
  * Clean up dynamicLabels ssh server goroutines when server is closed
  * Restores CI lint for non-go files (#9663)
  * Close all SQL statements (#9614)
  * Fix race condition in multiplexer tests (#9660)
  * Fall back to "/" when home directory doesn't exist for `tsh ssh` (#9413)
  * Add teleport_build_info Prometheus metric to Teleport (#9595)
  * Add note about testing local dependency changes
  * RFD 47 - remove the vendor directory from source control
  * bot: label PRs that touch lib/events with "audit-log"
  * Fix Flaky Retry Tests (#9516)
  * Specify level of TLS verification for database connections (#9197)
  * Truncate
    label output in tsh ls and tsh app ls commands
  * Dead code removal + extra commentary & logging in build script (#9509)
  * Attempts to make CI integration test logs more useful (#9626)
  * Log when connecting to potentially incompatible authservers
  * Only allow access request deletion through static roles' permissions (#9540)
  * Upload release binaries to new release infrastructure (#8722)
  * Add access requests to TLS certificates (#9501)
  * Update API client: dial auth service with TLS Routing (#9498)
  * Improve TestTwoClustersTunnel troubleshooting
  * Remove utils.BroadcastWriter
  * Use require.Eventually to avoid flakiness in TestAPILOckedOut
  * fix dynamo error types
  * fixes mdx comment style (#9599)
  * Forward TELEPORT_HOME to kubeconfig (#9546)
  * Adds the windows_desktop_service section to the meta teleport.yaml (#9573)
  * Add ARM64 support for buildbox docker image (#9572)
  * Emit the correct session ID for SessionLeave events
  * Update locking guide to include Windows Desktops
  * Allow locking a desktop
  * Fixed missing reviewers issue.
  * Added support for automatic labeling of PRs.
  * Fix goroutine/socket leak in multiplexer (#9507)
  * tweak test timeout
  * fix typed nil panic
  * fallback to calling origin if rc is missing from cache
  * docs: update cloud roadmap and faq (#9479)
  * Fix tsh db connect mongo dbuser logic (#9196)
  * Restart teleport-kube-agent can't join cluster.
  * add TLS routing support to helm chart
  * Added log configuration to teleport-cluster chart.
  * Added support for service.spec.loadBalancerIP.
  * updated Helm install guide in installation page.
    - link to getting started with kubernetes access page to refer Helm which is more up to date guide
    - removed which shows deprecated warning
  * Fix the UI to correctly determine if a user has access to a resource (#9473)
  * Update rdp-rs (#9344)
  * removes experimental note from example config (#9195)
  * Skip tests on a docs-only PR (#9416)
  * Update aws-console.mdx (#9477)
  * [auto] Update webassets in master (#9504)
  * Fix initKube: broadcast KubeReady event (#9418)
  * Session locking tweaks
  * Deduplicate access request IDs before signing certificates (#9453)
  * Fix devbox on AMD64 (#9462)
  * Clean up `make grpc` and .pb.go generation (#9432)
  * Add jitter and backoff to prevent thundering herd on auth (#9133)
  * Escape access request and access resolution reasons in tctl (#9381)
  * Prevent Linear Retry from converging on Max (#9393)
  * Allow loadtest teleport image to be configurable (#9398)
  * tool/tsh: support ID for `tsh play -f json`
  * Exclude Jitter from logging
  * Update README.md (#9378)
  * Fix flaky TestWebsocketPingLoop test (#9326)
  * Split dev tools into a separate docker container (#9410)
  * update doc examples to change from admin role to editor,access (#9334)
  * Do not parse MySQL server packets (#9423)
  * feat: ListResources gRPC rpc (#9096)
  * Clarify the Linux Getting Started guide (#9346)
  * Create a blast radius reduction guide (#9189)
  * Fix NO_PROXY addr logic (#9287)
  * Port fixes from v8 (#9397)
  * Fixed IsInternal issue in Check workflow.
  * Updated checking logic for code owners.
  * Enable canned ACL for S3 (#9042)
  * Doc update mongo postgres separate listeners (#9340)
  * Allow a configurable event TTL in DynamoDB (#8840)
  * Add ability to run Mongo proxy on separate listener (#9194)
  * Include --insecure options for teleport {db|app}
  * Fix app server goroutine leak (#9332)
  * Add ability to run Postgres proxy on separate listener (#8323)
  * Ensure we don't miss the resolution of an access request (#9193)
  * Run tsh play requests with correct CLI context
  * Delete extra % sign
  * [auto] Update webassets in master
  * Update example username desktop service to single quotes
  * Correct Dismiss function spelling.
  * Tweak LDAPS troubleshooting docs
  * Improve error message when TOTP is not valid
  * fix racy test
  * bump nginx1.12 to nginx1
  * Use in-memory cache for autoscale HA cluster
  * Add PDB to teleport-kube-agent chart
  * Optionally allow cluster_name to override public_address being used for cluster_name
  * Disable drone triggers (#9313)
  * Check If HEAD Branch Is A Fork (#9302)
  * Fix the CRL distribution point in Windows certs (#9299)
  * improve lock tests
  * improve Cache.ListNodes perf
  * improve concurrent watcher registration perf
  * bump backend limit
  * Remove uploadCtx/uploadDone as these are automatically reflected with uploadLoopDoneCh
  * Do not use the server's context to complete the stream - it might have been already cancelled. Proto stream to make sure the streams have been completely written before exiting from Close.
  * Fix CryptoRandomHex function (#9186)
  * Fix panic running TestIntegration/RotateChangeSigningAlg (#9316)
  * Add `--cluster` flag to all `tsh db` subcommands, Add "--diag_addr" flag to `teleport db/app start` (#9220)
  * tool/tctl: Log when requested ttl isn't granted for a cert
  * Replace "loose" with "lose" (#9284)
  * Avoid "Entering/Leaving directory" output in Make (#9246)
  * Update docker-compose.yml
  * Add thredUP case study to adopters page
  * Fix confusing port example in standalone docs
  * Add scopes description to the docs
  * Remove duplicate YouTube link
  * Add missing parenthesis in README
  * remove sudo from yum install
  * Update check.yaml
  * Improve docs for per-session MFA
  * Check if PR is from a fork before dismissing runs. (#9300)
  * Add Security and UX sections to the canonical RFD (#9251)
  * Fix CheckAndSetDefaults for UserTokenSecretsV3 (#9290)
  * Trigger Assign workflow on opened and ready_for_review events. (#9272)
  * Fix custom tsh home dir for some tsh commands. (#9240)
  * simplify desktop access getting started guide (#9100)
  * Prevent infinite dialing to Auth (#9254)
  * Added more log lines to dismiss workflow.
  * Add Teleport loadtest infrastructure and grafana dashboard (#9023)
  * Fix sessions endpoint and remove namespaces (#9217)
  * Fix make grpc (#9252)
  * Add support for configurable KMS CMK keys for S3 SSE (#8354)
  * Fix tsh ssh proxy for openssh client (#9219)
  * `tsh db connect` do not respect TELEPORT_HOME (#9226)
  * Fix incorrect paths in docker/Dockerfile. (#9164)
  * Fixed error in assignment logic.
  * Added extra logging to bot assignment.
  * Bump x/crypto (#9205)
  * Updated logic to find workflow by path.
  * Updated code review assignment logic.
  * Clear web terminal when session ends (#8850)
  * Do not prompt for hardware MFA using `tsh` on Windows (#9081)
  * Update e ref
  * Create separate builds for CentOS7 (+fips)
  * simplify connection establishment (#9098)
  * Enhance LDAP desktop discovery (#9152)
  * Add Azure access token auth support for Postgres/MySQL (#8951)
  * docs: Fixes for pam_exec user creation script (#9001)
  * Use t.Setenv in tests (#9154)
  * Fix MySQL proxy handshake (#9161)
  * Update fluentd.mdx
  * Forwarding Access Logs using FluentD Video
  * Google CloudBuild support (#9090)
  * RFD 42 - S3 KMS Encryption (#8344)
  * Fix misspelling
  * Resolve potential data race (#9118)
  * Resolve race in db tests (#9117)
  * Clean up temp dir after app tests (#9119)
  * Make the `tctl users update` command visible (#9080)
  * Add public docs for active and recorded sessions "where" (#9084)
  * Don't Dismiss Dismissed Reviews (#9094)
  * Add Bot Logging (#9099)
  * Refresh getting started guide to use TLS routing (#8988)
  * Update docs for TLS routing (#9048)
  * Keep Valid Reviews For External Contributors (#9067)
  * Make Teleport startup resilient to invalid roles (#9062)
  * docs: LDAP service account setup (#8875)
  * teleport configure: generate web_listen_addr (#9066)
  * Implement where conditions for active sessions (#9040)
  * add --public-addr --cert-file --key-file for teleport configure (#9033)
  * Update reviewers (#9050)
  * Update vendor
  * Bump e (#9022)
  * Expose endpoint for fetching single desktop (#9041)
  * Add app metadata to app audit events (#8930)
  * Updated Docker Quickstart/Labs.
  * Request keypair from pool rather than directly.
  * Move unimplemented client methods out of the api client. (#8972)
  * Re-Request Reviews When Approvals Are Invalidated (#9037)
  * Fixed Helm publishing.
  * Updated Drone pipeline to build Teleport 8 images.
  * Clean up DB integration test output
  * [auto] Update AMI IDs for 8.0.0 (#9025)
  * make update-vendor (#9017)
  * Restart entire node on tunnel collapse (#8102)
  * update gosaml2 dep (#8937)
  * Fix dialing kube trusted cluster in v2 teleport config (#8993)
  * teleport.cluster.local cleanup (#7922)
  * role labels use key instead of name
  * update docs to reflect terraform provider changes
  * Fix tunnel address for TLS routing if public tunnel address is present (#8961)
  * [pr-buddy] helm: Add support for annotation on secrets generated by cert-manager (#8872)
  * Updated build-darwin-* pipeline.
  * Remove explicit "deny" from preset "auditor" role, make preset roles V4 (#8959)
  * Update CODEOWNERS
  * replace dgrijalva/jwt-go with golang-jwt/jwt (#8939)
  * Prevent system roles from being created by a user (#8924)
  * RFD 43: Database access configurator (#8896)
  * Fix KUBECONFIG server name (#8940)
  * [auto] Update webassets in master (#8963)
  * Update username (#8968)
  * windows ldaps port (#8932)
  * RFD 45: RBAC where conditions for active sessions list/read (#8962)
  * Assign Doc Reviewers to Pull Requests with Changes to `docs/` (#8938)
  * Merge 'config-proxy' and 'proxy ssh' commands logic (#8920)
  * Add brief TLS routing description
  * Update CHANGELOG.md
  * Bypass required reviewers (#8901)
  * Add meta redirect for some routes (#8293)
  * tctl: allow issuing app access certificates via `tctl auth sign` (#8717)
  * Update check.go
  * Use Hardcoded Map to Get Reviewers for Authors (#8928)
  * Add user-facing documentation for WebAuthn (#8479)
  * Improve SSH agent forwarding error message in proxy mode (#8829)
  * Do Not Dismiss Commented Pull Request Reviews (#8912)
  * Add space between reviewer usernames (#8905)
  * remove checking if users exist
  * RFD 44: RBAC `where` conditions for session recordings list/read (#8084)
  * [auto] Update webassets in master (#8909)
  * Fix race condition in integration tests.
    (#8888)
  * Link libatomic on Linux
  * RFD 9 (Locking): Update with latest developments (#7860)
  * Update test plan (#8897)
  * Fix the buildbox (again) (#8892)
  * Fix ACME strict ALPN (#8869)
  * Add RFD 43: Kubernetes Access Multiparty Sessions (#8510)
  * Don't allow running Desktop Access in FIPS mode.
  * Fix Rust buildbox (#8881)
  * Rust & Desktop Access fixes (#8822)
  * Use cgo.Handle for passing client refs between Rust/Go
  * clarifying facet examples (#8705)
  * Fix heartbeat for LDAP hosts
  * Disable desktop access in Web UI in Cloud clusters (#8858)
  * Fix tsh ssh proxy (#8826)
  * Fix MFA for DB Access (#8796)
  * Add dynamic registration and discovery guides (#8694)
  * integration: name our subtests
  * Fix typo in error check. (#8810)
  * output of config is being included in copy/paste (#8855)
  * Split auth.AccessPoint into variant specific interfaces (#8471)
  * Update workflow files to run workflows in the context of master (#8728)
  * Bring back previous u2f challenge response for web terminal (#8830)
  * Update Go badge to 1.17 (#8841)
  * Fix the client idle disconnect audit event for desktops
  * Fix trailing whitespace
  * Adds a test for scroll wheel
  * updates keyboard test plan
  * Include desktop access in test plan
  * Fix mongo access with mfa and add tests (#8799)
  * Fix reverse tunnel web ping call log severity (#8775)
  * Update e-ref (#8819)
  * Remove checking for error from session end in web terminal (#8797)
  * Update rdp-rs to fix horizontal scroll + extended keys
  * update to syntax change in terraform provider (#8782)
  * [helm] Change path -> mountPath under extraVolumeMounts (#8806)
  * [ami] Get wildcard DNS cert when using certbot/Letsencrypt with Terraform AMI (#8792)
  * URL-encode Postgres username in connection string (#8771)
  * Return created date with new recovery codes (#8777)
  * [auto] Update AMI IDs for 7.3.2
  * Update mac builds
  * Update test plan (#8794)
  * Set user verification to "discouraged" for WebAuthn (#8759)
  * Add '+' to key sanitizer whitelist (#8396)
  * flips struct
    ordering to match with tdp spec (#8753)
  * Fix error message when direct dial fails (#8678)
  * set packer version
  * API release automation with go script (#8484)
  * Fix race condition in PipeNetCon (#8643)
  * Update e
  * Ensure that Rust libraries are cleaned
  * Update and mark WebAuthn RFD as implemented (#8751)
  * Update TLS routing test plan scenarios (#8731)
  * Make RegisterUsingTokenRequest a Protobuf type (#8690)
  * Stop linking lcrypto and lssl
  * Update e
  * Add Rust to buildbox
  * Add link to Teleport Changelog in helm chart repository site. (#8734)
  * Include package-level failures in formatted test output (#8698)
  * Fix event code duplication for PrivilegeTokenCreateCode (#8733)
  * Update AWS CLI application access docs ref (#8634)
  * Update docs per-connection MFA DB access (#8682)
  * Add RFD 38 (#7769)
  * RFD 31: Dynamic registration for apps and databases (#6787)

-------------------------------------------------------------------
Sat Mar 05 13:06:11 UTC 2022 - kastl@b1-systems.de

- Update to version 8.3.4:
  * Release 8.3.4 (#10859)
  * Backport #9556 to branch/v8 (#10825)
  * Fix DynamoDB getAllRecords logic when 1MB query limit is reached (#10726) (#10847)
  * Backport #10061 to branch/v8 (#10828)
  * Open parts files one at a time
  * Complete empty uploads
  * Restore docs deploy hook (#10839)
  * Do not block apt publishing if there is a more current pre-release (#10806)
  * Improve HA behavior of database agents in leaf clusters (#10641) (#10770)
  * docs: update CA rotation page (#10419)
  * Backport #10460 to branch/v8 (#10617)
  * Print proxy server on instructions on nodes add command for cloud (#10749)
  * Fix broken link
  * Fix nindent of `service.spec` in teleport-cluster chart
  * Update upcoming-releases.mdx
  * TF provider configuration environment variables (#10417) (#10547)

-------------------------------------------------------------------
Thu Mar 03 08:20:49 UTC 2022 - kastl@b1-systems.de

- skip non-existing release 8.3.2
- Update to version 8.3.3:
  * Release 8.3.3 (#10756)
  * Clear
    terminal when auth server is in FIPS mode (#10095)
  * Fix x11 server config issues (#10471) (#10758)
  * [v8] Fix Mongo topology resource release (#10730)
  * [v8] Sanitize leaf cluster CA (#10743)
  * Fix artifacts path for build-darwin-amd64-pkg-tsh drone pipeline (#10601)
  * Backport fixes to apt publishing logic (#10436)
  * Add missing read verb to ListResources (#10421)
  * [auto] Update webassets in branch/v8 (#10490)
  * Add documentation for static windows hosts
  * Disable BPF tests in CI (#10654) (#10680)
  * [Docs update] Mention unsupported scenarios for IAM join method (#10530) (#10651)
  * backport severity (#10667)
  * update enterprise getting started (#10606)
  * helm: Fix indenting on database autodiscovery (#10623)
  * Update x11 sshserver test to test concurrent sessions and requests. (#10473)
  * Add a Cloud compatibility warning to Helm guides (#10525)
  * Restore teleport-private deb/rpm gating (#10537)
  * Add a prominent warning to the config reference (#10524)
  * Mention Teleport Cloud in some of our guides (#10526)
  * [v8] Backport "helm: Revert PodSecurityPolicy change" (#10564)
  * Ensure docs nav titles use title case consistently (#10353) (#10523)
  * Address Cloud users in guides (#10527)
  * docs: fix code block (#10495) (#10556)
  * add teleport_connected_resources metric (#9603) (#10461)
  * Add teleport_audit_emit_event prometheus metric (#9134) (#10462)
  * helm: Add AWS database auto-discovery to teleport-kube-agent (#10344) (#10544)
  * Expose tunnel public addr to config.js (#10514)
  * Update config.json
  * Fix server compare to check expiry last (#10464)
  * Add PDB to teleport-kube-agent chart

-------------------------------------------------------------------
Sat Feb 19 21:00:05 UTC 2022 - Johannes Kastl

- add webassets, change %build section to build with flags and include webassets

-------------------------------------------------------------------
Fri Feb 18 07:37:52 UTC 2022 - kastl@b1-systems.de

- Update to version 8.3.1:
  * Release 8.3.1.
  * Updated CHANGELOG.md.
  * Revert "Add list,read for session to access role preset (#10382)"
  * Add missing DatabasesReady event to DB proxy (#10152) (#10306)
  * docs: Updated path to tctl/tsh for Enterprise binaries (#10429)
  * [Backport v8] IAM Joining Docs: Set join_method in token.yaml (#10435)
  * Update teleport docs to use 8.3.0 version (#10437)
  * docs: add warning about auditor role (#10258) (#10395)
  * Check for home dir as user. (#10418)
  * Add Prometheus metrics cache events and stale events (#9826) (#10312)
  * [v8] Revert Moderated Sessions docs (#10399)
  * Update upcoming-releases.mdx
  * Add list,read for session to access role preset (#10382)

-------------------------------------------------------------------
Wed Feb 16 08:03:42 UTC 2022 - kastl@b1-systems.de

- switch to 8.x.x line of releases
- Update to version 8.3.0:
  * Release 8.3.0.
  * Updated CHANGELOG.md.
  * [v8] Desktop backports for 8.3.0 (#10357)
  * backport #10368 to branch/v8 (#10377)
  * Add Teleport Cloud instructions to 3 guides (#10308)
  * Fix docker-compose Getting Started guide issues (#9709) (#10167)
  * Fix tctl insecure flag when TLS Routing is enabled (#10361)
  * improve lock tests
  * improve Cache.ListNodes perf
  * improve concurrent watcher registration perf
  * bump backend limit
  * Set role examples to v4 and add detail warnings (#10345)
  * Sync cloud preview plans (#10317)
  * Add the `cert.create` event (#9822) (#10222)
  * [auto] Update webassets in branch/v8 (#10303)
  * Add documentation for moderated sessions (#9425) (#10302)
  * Add docs for IAM join method (#8899) (#10310)
  * Don't return nil, nil in (*AuditWriter).tryResumeStream (#10298)
  * Use an apt-key alternative in install instructions (#10276)
  * Make our docs guidance discoverable (#10278)
  * Document docs labels
  * [Backport v8] IAM Join Method (#10263)
  * Truncate label output in tsh ls and tsh app ls commands
  * Add github teams to available traits
  * Update config.json
  * Update Docker image tags in docs (#9402)
  * Update upcoming-releases.mdx
  * Remove Teleport DB Users
    only message for tctl users ls (#10240)
  * Modified FedRamp to FedRAMP in docs for proper acronym (#10116)
  * Fix Doctests CI (#10117) (#10149)
  * Release 8.2.0.
  * Updated CHANGELOG.md.
  * Removed `TestProxyReverseTunnel`.
  * x11 forwarding (#9897)
  * Cleaned up NewClient in integration tests.
  * Fixed TestSessionStartContainsAccessRequest.
  * Fixed TestDisconnection
  * Add teleport_reverse_tunnels_connected Prometheus metric (#9698) (#10224)
  * Expand cloud in production usage (#10221)
  * Clarify `tsh config` usage docs on Windows (#10208)
  * Restore DEVBOX in build.assets/Makefile (#10220)
  * [v8] Use buildbox image from quay.io (#10178)
  * Restore root user in CI buildbox (#10215)
  * Tag build images with teleport8 instead of go version (#10211)
  * (v8) Update config.json for 8.1.5 (#10200)
  * Add metric tracking number of Teleport agents joined to cluster (#9749) (#10162)
  * Backport #9907 to branch/v8 (#10198)
  * Release 8.1.5 (#10194)
  * Add xauth binary to buildbox for X11 forwarding. (#10164) (#10174)
  * [v8] Update Documentation for GCP Cloud SQL Client Authentication (#10140)
  * Release 8.1.4 (#10157)
  * Dynamically resolve reverse tunnel address (#9958) (#10139)
  * Revert "Emit event when connecting to non-Teleport server (#9370)" (#10156)
  * Add teleport_build_info Prometheus metric to Teleport (#9595) (#10135)
  * Update config.json (#10145)
  * Backport #10124 (#10125)
  * Release 8.1.3 (#10120)
  * Backward compatible kubernetes_labels behaviour for v3 and v4 roles (#10127)
  * helm: Allow setting issuer group for certificate in teleport-cluster (#9138) (#9812)
  * Fix panic running TestIntegration/RotateChangeSigningAlg (#10048)
  * Update version-check paths (#10119)
  * Release 8.1.2.
  * Updated CHANGELOG.md.
  * fix tests - forwarder is not set during cluster session init anymore
  * Turned http2 off for kube streaming endpoints.
  * backport aws guide changes (#10106)
  * Add guide for Azure Postgres/MySQL database access (#9729) (#10096)
  * Respect errors from UserInfo (#9951)
  * Enable canned ACL for S3 (#9042)
  * [v8] Client Certificate Authentication for GCP Cloud SQL (#10059)
  * Replace cluster periodics with watchers (#9609) (#9998)
  * Make diag-addr in teleport help start unhidden (#9981)
  * Update golang.org/x/crypto to v0.0.0-20220126234351-aa10faf2a1f8 (#9984) (#10015)
  * Emit event when connecting to non-Teleport server (#9370)
  * [v8] backport #9758 (access requests in audit log) (#9933)
  * Add access request locks to the docs (#9983)
  * [v8] backport #9697 (improved Google OIDC) (#9926)
  * add extra checks to avoid getSigninToken failure (#9792) (#9964)
  * backport #9133 to branch/v8 (#9867)
  * Access request locks (#9478) (#9930)
  * Fix k8 access - respect kube service labels (#9759) (#9955)
  * [v8] Auto discovery aurora reader and custom endpoints (#9668) (#9965)
  * tip on cloud and getting ports, added desktop port (#9971)
  * [v8] backport #9501 (access requests in TLS certs) (#9922)
  * Update upcoming-releases.mdx
  * helm: Add logging configuration to teleport-kube-agent chart (#9632) (#9814)
  * do not register Aurora serverless db clusters (#9386) (#9934)
  * Fix TLS Router serverName 'kube.' prefix based routing logic (#9777) (#9902)
  * Ignore artifact failures in remaining pipelines (#9932) (#9940)
  * [auto] Update webassets in zmb3/v8-backports (#9906)
  * Tweak the PNG encoder (#9817)
  * Add an Error message to TDP (#9586)
  * Reject TDP ClientUsername messages that are too long
  * Fix first desktop discovery reconcile loop (#9654)
  * docs: recommend a highly available LDAP endpoint.
    (#9744)
  * Clean up system role parsing (#9756)
  * Fix reverse tunnel dialing for Windows Desktops
  * Ignore failures for artifact registration step (#9921) (#9927)
  * Database auto discovery to be more tolerable to find as many as it can (#9426) (#9903)
  * update RDS and Redshift CA URL (#9890) (#9904)
  * feat: app server requests failover (#9288) (#9819)
  * omit invalid aws tags in rds autodiscovery (#9742) (#9766)
  * [auto] Update webassets in branch/v8 (#9872)
  * Release 8.1.1.
  * Updated CHANGELOG.md.
  * Conditionally publish deb packages (#9783)
  * [auto] Update webassets in branch/v8
  * fix: removing new line convergence (#9579) (#9816)
  * [docs] Add region and use of SSM decryption to Terraform docs (#8907) (#9813)
  * Upload release binaries to new release infrastructure (#8722) (#9615)
  * Add the `access_request.delete` event (#9552) (#9787)
  * Fall back to "/" when home directory doesn't exist for `tsh ssh` (#9413) (#9662)
  * [Backport V8] Treat EC2 Node IDs as UUIDs (#9833)
  * Add info about upcoming databases to previews page (#9832)
  * Forward TELEPORT_HOME to kubeconfig (#9760)
  * [backport v8] force http2 kubernetes #9294 (#9796)
  * fix dynamo error types
  * [v8] Restores linting of non-go files in CI (#9664)
  * backport #9656 to branch/v8 (#9746)
  * backport terraform provider syntax changes to v8 (#9541)
  * Run gpg in batch mode (#9730)
  * [v8] backport #9607 (upgrade `go.etcd.io/etcd`) (#9733)
  * Release 8.1.0 (#9675)
  * Update e ref
  * Update previews page (#9670)
  * [v8]: Desktop Access backports for 8.1.0 (#9678)
  * Sign rpm repo metadata (#9623)
  * (v8) Add note about TLS routing backwards compatibility (#9631)
  * Specify level of TLS verification for database connections (#9197) (#9659)
  * Exclude Jitter from logging
  * [branch/v8] update doc examples to change from admin role to editor,access (#9335)
  * Update API client: dial auth service with TLS Routing (#9578)
  * removes experimental note from example config (#9195) (#9526)
  * Sign dronefile
  * [v8] Disable drone triggers
    (#9313) (#9532)
  * Add `--cluster` flag to all `tsh db` subcommands, Add "--diag_addr" flag to `teleport db/app start` (#9220) (#9518)
  * Fix the UI to correctly determine if a user has access to a resource (#9473) (#9525)
  * Fix tsh db connect mongo dbuser logic (#9445)
  * Update config.json
  * [v8] Skip tests on a docs-only PR (#9416) (#9510)
  * Prevent Linear Retry from converging on Max (#9449)
  * [v8] Use t.Setenv in tests (#9154) (#9428)
  * Escape access request and access resolution reasons in tctl (#9381) (#9455)
  * Release 8.0.7.
  * Updated CHANGELOG.md.
  * [helm] Re-add space after type in service definition (#9503)
  * Fix initKube: broadcast KubeReady event (#9444)
  * tool/tsh: support ID for `tsh play -f json`
  * Added 12/17 Release Update.
  * Restart teleport-kube-agent can't join cluster.
  * add TLS routing support to helm chart
  * Added log configuration to teleport-cluster chart.
  * Added support for service.spec.loadBalancerIP.
  * updated Helm install guide in installation page.
    - link to getting started with kubernetes access page to refer Helm which is more up to date guide
    - removed which shows deprecated warning
  * Remove dronegen from Teleport 8.
  * Update Drone pipeline to fix CentOS 7 repository.
  * Added support for building CentOS 7 RPMs.
  * Updated Enterprise reference.
  * Update aws-console.mdx (#9480)
  * simplify desktop access getting started guide (#9100) (#9467)
  * Fix CryptoRandomHex function (#9186) (#9433)
  * Fix app server goroutine leak (#9332) (#9459)
  * feat: ListResources gRPC rpc (#9096) (#9458)
  * [branch/v8] Backport #8840 (#9395)
  * [Backport v8] Create a blast radius reduction guide (#9430)
  * Clarify the Linux Getting Started guide (#9429)
  * Avoid "Entering/Leaving directory" output in Make (#9246) (#9424)
  * Add Videos to Teleport Desktop Access (#9374)
  * [v8] Prevent infinite dialing to Auth (#9403)
  * Do not parse MySQL server packets (#9411)
  * Fix NO_PROXY addr logic (#9287) (#9394)
  * Change invalid TOTP message
  * Clear web terminal when session ends (#8850)
  * Add synchronize event
  * Trigger on ready_for_review event
  * Don't run workflows on draft PRs
  * Update which pull request events to trigger workflow on
  * Fix confusing port example in standalone docs
  * Release 8.0.6.
  * Updated CHANGELOG.md.
  * Update AWS CLI application access docs ref (#8634) (#9396)
  * [auto] Update webassets in branch/v8
  * Add WebAuthn and Active Session docs (#9390)
  * [v8] Add ability to run Postgres and Mongo proxy on separate listeners (#9341)
  * Post Release 1/4 (#9005)
  * Ensure we don't miss the resolution of an access request (#9193) (#9338)
  * Release 8.0.5
  * Fix the CRL distribution point in Windows certs (#9299)
  * Drone fix (#84)
  * Release 8.0.4 (#9368)
  * Add support for configurable KMS CMK keys for S3 SSE (#8354) (#9262)
  * [backport v8] Fix sessions endpoint and remove namespaces (#9360)
  * Fix tsh ssh proxy for openssh client (#9249)
  * Release 8.0.1 (#9223)
  * [v8]: desktop access backports (#9201)
  * Do not prompt for hardware MFA using `tsh` on Windows (#9081) (#9198)
  * Bump x/crypto (#9203)
  * Update Workflow Config Files (#9207)
  * Add Azure access token auth support for Postgres/MySQL (#9185)
  * [Backport] Google CloudBuild support (#9090) (#9165)
  * Fix MySQL proxy handshake (#9162)
  * Refresh getting started guide to use TLS routing
    (#8988) (#9101)
  * Add '+' to key sanitizer whitelist (#8396)
  * Implement where conditions for active sessions (#9040) (#9076)
  * Make Teleport startup resilient to invalid roles (#9062) (#9105)
  * Update docs for TLS routing (#9097)
  * Add app metadata to app audit events (#9056)
  * Update CODEOWNERS (#9058)
  * Restart entire node on tunnel collapse (#8102) (#9043)
  * teleport configure: generate web_listen_addr (#9071)
  * Add --public-addr --cert-file --key-file for teleport configure (#9049)
  * Add meta redirect (#8980)
  * Updated Docker Quickstart/Labs.
  * Fixed Helm publishing.
  * [pr-buddy] helm: Add support for annotation on secrets generated by cert-manager (#8872) (#9013)
  * Release 8.0.0.
  * Release 8.0.0-rc.3.
  * Fix dialing kube trusted cluster in v2 teleport config (#8996)
  * Fix tunnel address for TLS routing if public tunnel address is present (#8995)
  * Updated build-darwin-* pipeline.
  * Remove explicit "deny" from preset "auditor" role, make preset roles V4 (#8959) (#8998)
  * Release 8.0.0-rc.2.
  * Updated CHANGELOG.md.
  * backport bot improvements
  * Merge 'config-proxy' and 'proxy ssh' commands logic (#8920) (#8958)
  * Fix KUBECONFIG server name (#8940) (#8971)
  * [auto] Update webassets in branch/v8 (#8965)
  * windows ldaps port (#8932)
  * tctl: allow issuing app access certificates via `tctl auth sign` (#8717) (#8941)
  * Update e-ref (#8927)
  * Improve SSH agent forwarding error message in proxy mode (#8832)
  * [auto] Update webassets in branch/v8 (#8911)
  * Link libatomic on Linux
  * Fix the buildbox (again) (#8892)
  * fix buildbox
  * remove roletester toolchain
  * Rust & Desktop Access fixes (#8822)
  * Use cgo.Handle for passing client refs between Rust/Go
  * Fix heartbeat for LDAP hosts
  * Fix the client idle disconnect audit event for desktops
  * Return created date with new recovery codes (#8777) (#8903)
  * Release 8.0.0-rc.1.
  * Fix ACME strict ALPN (#8869) (#8889)
  * Don't allow running Desktop Access in FIPS mode.
  * Fix tsh ssh proxy (#8826) (#8871)
  * Fix MFA for DB Access (#8796) (#8870)
  * Disable desktop access in Web UI in Cloud clusters (#8858) (#8873)
  * Split auth.AccessPoint into variant specific interfaces (#8471) (#8859)
  * Release 8.0.0-beta.3.
  * Update Enterprise reference.
  * Updated Go to 1.17.3.
  * Add dynamic registration and discovery guides (#8862)
  * comment out teleport configure output example (#8856)
  * flips struct ordering to match with tdp spec (#8753) (#8814)
  * Bring back previous u2f challenge response for web terminal (#8830) (#8844)
  * Fix mongo access with mfa and add tests (#8800)
  * Update rdp-rs to fix horizontal scroll + extended keys
  * [helm] Change path -> mountPath under extraVolumeMounts (#8806) (#8825)
  * [ami] Get wildcard DNS cert when using certbot/Letsencrypt with Terraform AMI (#8792) (#8809)
  * Set user verification to "discouraged" for WebAuthn (#8759) (#8801)
  * Fix reverse tunnel web ping call log severity (#8776)
  * Remove checking for error from session end in web terminal (#8797) (#8816)
  * Update mac builds
  * Add link to Teleport Changelog in helm chart repository site. (#8780)
  * URL-encode Postgres username in connection string (#8772)
  * Release 8.0.0-beta.2.
  * Update e
  * Ensure that Rust libraries are cleaned
  * Release 8.0.0-dev.33
  * Update e to match branch/v8
  * Stop linking lcrypto and lssl
  * Add Rust to buildbox
  * Fix event code duplication for PrivilegeTokenCreateCode (#8733) (#8743)
  * Release 8.0.0-beta.1.
  * Pin Packer version to 1.7.6
  * Updated webassets reference.
  * Update GH Actions Workflow Commands (#8724)
  * Development Workflow Automation (#8116)
  * Update app and database access test plan scenarios (#8718)
  * Add missing aws certs (#8704)
  * Fixed CentOS 6 builds.
  * Add priority class name (#8669)
  * add routing_strategy to config docs
  * use RoutingStrategy enum instead of boolean flag
  * Route to the most recently heartbeated node when there are duplicates
  * improve tests
  * fix nits
  * remove OnlyRecent behavior
  * ttl-based fallback caching
  * server-side filtering
  * Updated go.mod and re-vendored.
  * Update Enterprise reference.
  * Updated Go to 1.17.2.
  * Make LDAP desktop discovery disabled by default
  * Add timeout for RDP connections
  * Fix missing webauthn json field (#8701)
  * Align SNI routing logic (#8689)
  * Align the user message printed during the 'tsh proxy db' command (#8681)
  * [auto] Update webassets in master (#8697)
  * Enable the Rust logger at the same level as the Go logger
  * Ensure there are no '.' characters in dynamic desktop names
  * Add Proxy listener mode and proxy v2 configuration (#8511)
  * update certification link for boring crypto (#8676)
  * Correct terraform guide example (#8630)
  * Set expiry on LDAP-discovered desktops
  * Allow tctl admin user to delete windows desktops
  * Use a consistent, human-readable convention for static hosts
  * Return obscured user locked error message (#8596)
  * Fix port for listen_addr (#8624)
  * userACL (#8560)
  * Ensure that teleport start --roles=windowsdesktop works
  * Fix mysql log spam (#8654)
  * kubectl exec and port-forward requests use the right dialer (#8601)
  * Fix ALPN SNI Proxy errors logs (#8506)
  * Replace golint with revive (#8613)
  * Fix ALPN protocol routing (#8526)
  * Cleanup lint targets
  * docs: updates for desktop access
  * fix web_listen_addr example (#8650)
  * AWS CLI access (#8151)
  * Add constants for Windows-related timeouts
  * Include RDP port for desktops discovered via LDAP
  * Increase heartbeat period for Windows Desktops
  * Label Windows Desktops correctly
  * Label Windows hosts with teleport.dev/origin
  * Implement AD host discovery
  * Revert "Adds Rust 1.55.0 to CI buildbox (#8606)" (#8652)
  * Add KindAuthConnector permission to editor role.
  * Remove webassets before Enterprise images.
  * Adds Rust 1.55.0 to CI buildbox (#8606)
  * Add webauthn support for web terminal mfa prompt (#8642)
  * Add agent support to Teleport AMIs for use with Terraform (#8387)
  * Add CockroachDB guide (#8554)
  * Added metrics for missing SSH tunnels.
  * Automatically import RDS databases (#8481)
  * fileconf: change LDAP config from password to password_file
  * Use a separate event code for desktop session start failure
  * Make unit tests write JSON test logs (#8351)
  * Fix race condition in LoadBalancer (#8608)
  * Include event type filter in Firestore query (#8403)
  * Updated slack plugin instructions to allow for Teleport Cloud (#8540)
  * tctl: allow comma-separated --windows-logins
  * Misc desktop access cleanup
  * Fix ExtractConditionForIdentifier handling of verbs, empty where (#8552)
  * desktop access: add session start/end audit events
  * Consistent webauthn JSON field naming for web (#8559)
  * add watcher event metrics to docs and sort metrics alphabetically (#8491)
  * Support traits for Windows Logins (#8585)
  * Add CockroachDB support (#8505)
  * Add RBAC for Windows desktop access (#8520)
  * [auto] Update AMI IDs for 7.3.0
  * fixed link, renamed img (#8573)
  * Added joining nodes in AWS documentation.
  * Desktop Access Beta documentation (#8504)
  * Throttle DynamoDB event migration based on provisioned capacity (#8468)
  * Desktop Access notes and comments (#8530)
  * Refresh locking article (#8542)
  * [auto] Update AMI IDs for 7.2.1
  * Allow second_factor 'on' and 'optional' without U2F (#8498)
  * Do careful nil handling on Webauthn proto conversions (#8501)
  * Implement Simplified Node Joining (#8250)
  * Implement where conditions for session recordings list/read (#8289)
  * Expose SearchSessionEvents via proxy webapi (#8445)
  * ALPN DB Proxy fix insecure flag (#8440)
  * Notice on requiring kubernetes access enabled for agent (#8369)
  * TDP: add mouse scroll support
  * Publish Teleport CA to NTAuth store over LDAP (#8438)
  * add IDs to upload events (#8453)
  * Kube Proxy Forwarder handles kube services with same name (#8362)
  * Add support for MFA for DB access (#8270)
  * use aws sdk withcontext variants where possible (#8355)
  * Fix GenerateHostCerts http fallback with LegacyCerts. (#8469)
  * Adjust tsh language in regards to Webauthn (#8451)
  * teleport-kube-agent: postgresql -> postgres in README (#8496)
  * Update testplan for WebAuthn (#8480)
  * Remove pre-v7 device migration logic (#8448)
  * Remove 'deny' directive in example impersonation role. (#8399)
  * Accept multiple SANs in tctl auth sign for databases (#8449)
  * Release 8.0.0-alpha.1.
  * Remove RoleConditions type alias from lib/services. (#8441)
  * Adds OIDC logic for Ping Provider (#8308)
  * Wire Webauthn disabled flag into yaml config (#8452)
  * Auto-configure IAM for Redshift databases (#8348)
  * Bug fix: Get user from logged in context (#8460)
  * [auto] Update webassets in master (#8457)
  * PIV authentication for RDP (#8408)
  * Return preferred MFA method on ping endpoints (#8439)
  * Auto-configure IAM for RDS databases (#8339)
  * Update e-ref (#8446)
  * Remove extra Audit records entry.
    (#8426)
  * k8s misspelling (#8430)
  * Update U2F App ID guidance in documentation (#8434)
  * Specify platform when building our buildbox (#8429)
  * Unify RBAC checking functions (#8407)
  * Disable firestore tests by default (#8322)
  * correct app name example (#8422)
  * Implement attestation for Webauthn (#8392)
  * Test Webauthn global disable flag (#8393)
  * Migrate DynamoDB events to store fields as map type (#8292)
  * [auto] Update AMI IDs for 7.2.0
  * Set flush interval when forwarding application http requests (#8359)
  * Update video to reflect RBAC changes and updates in Teleport 7 (#8301)
  * Rename VerifyAccountRecovery and token ID proto fields (#8395)
  * Watcher System Metrics (#8338)
  * Reduce the number of tests that run in parallel.
  * Revert e-ref (#8391)
  * Require enterprise license for HSM support (#8370)
  * Add additional context for Teleport Cloud users on how they can add the impersonator role to the user. (#8364)
  * HSM Docs (#8000)
  * Implement AddMFADeviceSync and GetAccountRecoveryCodes (#8287)
  * Unify creating u2f, totp, and webauthn MFA register challenges (#8342)
  * Fix ALPN SNI Proxy TLS termination for DB connections (#8303)
  * Remove ClusterConfig resource (#8150)
  * Add Webauthn support to ChangePassword and Ping (#8337)
  * Bump version to 8.0.0-dev
  * Update version.mk to set Helm chart versions.
  * [forward-port] Teleport lab - open 3024 port in and copy changes.
  * Implement User Privilege Token (#8076)
  * RDPDR virtual channel implementation for smartcards (#8282)
  * Add the DeviceType proto to Auth Service (#8336)
  * Simplify MFA testing and favor Webauthn over U2F (#8334)
  * Add a toy Webauthn web interface (#8326)
  * Replace `log` with `logrus` in Webclient (#8328)
  * move production and user manuals (#8341)
  * improve graceful restart behavior
  * [auto] Update AMI IDs for 7.1.3
  * Add Webauthn devices via tsh mfa add (#8310)
  * Splits admin guide into setup sections (#8324)
  * Add app resource watcher/reconciler (#8228)
  * Add API and CLI for managing application resources (#8185)
  * ignore concurrent updates during tc load
  * add .idea to .gitignore for jetbrains (#8311)
  * fix double-init and buffer overflows
  * Fixes for cert checker and Postgres config builder (#8251)
  * host certs: pass the remote address along in the request (#8299)
  * Tidy up Webauthn login and registration (#8283)
  * Allow login over plain http in restricted situations (#7835)
  * Creates ansible guide. (#8297) (#8298)
  * Add support for `tsh ssh` on Windows (#7790)
  * Disable colorized error formatting on Windows (#8227)
  * Fix ConnectionMonitor DisconnectExpiredCert (#8288)
  * Return unique error message (#8284)
  * Support registration of Webauthn devices (#8278)
  * Improve performance, reliability of firestore backend (#8241)
  * RFD 41: Simplified Node Joining for AWS (#7292)
  * Update role-templates.mdx (#8280)
  * Improve FirestoreDB/KeepAlive test failure message (#8273)
  * Add mysql port to config and service in Teleport Cluster Helm Chart (#8183)
  * Fix node registration backwards compatibility (#8256)
  * Avoid watching for new Locks with empty LockTarget (#8253)
  * Update markdown table for kubeClusterName.
    (#8236)
  * Removes line break (#8267)
  * Fix linker flags in datalog CGO wrapper
  * Export hasBuiltinRole and clusterFeature to use in e repo (#8261)
  * Support custom paths for AWS roles in console access (#8224)
  * Allow getting MFA authenticate challenge with recovery token (#8231)
  * Add documentation for the nowait flag. (#8220)
  * Allow deleting/listing MFA devices with recovery tokens (#8197)
  * Add PublicAddr fix for kube service; Test that GetServerInfo gets kube public addr. (#8178)
  * Implement Webauthn registration (#8226)
  * correct role mapping in auth connector (#8242)
  * Rotate Mac signing certificates (#8230)
  * Introduce WebauthnDevice proto and registration messages (#8201)
  * seo updates (#8247)
  * Fix firestore (#8181)
  * Convert GenerateServerKeys to GRPC (#8193)
  * Add more context to the firestore backend test failure (#8223)
  * Skip etcd prefix test if disabled (#8202)
  * moves sso, labels and nodes to setup (#8216)
  * Fix linter: remove unused code (#8214)
  * Fix interactive sessions always exiting with code 0 (#8081)
  * RFD 39: SNI and ALPN teleport proxy routing (#7280)
  * ALPN SNI Proxy (#7524)
  * Adds SOC2 guide from Travis and ports EC2 tags guide (#7788)
  * Add VS Code guide and update docs for tsh on Windows (#8195)
  * fix broken links in api client readme (#8125)
  * Update the index.mdx file for Access Controls (#8129)
  * New video banners for BPF work (#8130)
  * Db access gui client improvements (#7950)
  * correct license file name in k8s cluster getting started(#8188)
  * Modified auth server example to only have one auth server (#8199)
  * Add a global disable flag for Webauthn (#8191)
  * Port backend tests to testify / fix racy tests (#8170)
  * Expand error message on tctl enterprise usage (#8093)
  * Expanded AWS Console examples (#8127)
  * Account Recovery Token Getter and Create New Codes (#8177)
  * Introduce app server and app resources (#8140)
  * Pick a number for the Webauthn RFD (#8187)
  * Support Webauthn challenges in tsh login (#8176)
  * RFD: WebAuthn Support
    (#7808)
  * LoadIdentityFileFromString (#8132)
  * Implement CompleteAccountRecovery, Step 3 in Account Recovery (#8103)
  * Implement ApproveAccountRecovery, Step 2 in Account Recovery (#8100)
  * support empty string ca_pin (#8154)
  * webclient: use the provided context (#7801)
  * New videos for MongoDB Atlas and PostgreSQL (#8097)
  * Require that public TLS and SSH keys are provided to register via token (#8135)
  * correct port number example (#8168)
  * Stop using ; as a separator in URL query strings (#8143)
  * Unparallel racy test (#8142)
  * Make TestLockWatcherStale more robust (#8134)
  * Do not attempt to sign Windows builds on push (#8137)
  * Sign tsh.exe on tag builds (#7897)
  * Generate Windows-compatible OpenSSH config in `tsh config` (#7848)
  * Wire Webauthn to login endpoints (#8094)
  * Fix session URL displayed by `teleport status` (#8072)
  * Correctly validate JWT CA on bootstrap (#8119)
  * Dynamically register/unregister database resources (#7957)
  * Implement StartAccountRecovery, Step 1 in Account Recovery (#8095)
  * auth: remove DataDir from RegisterParams (#8110)
  * Mask token in logs (#7955)
  * Update Architecture Docs link in Readme (#8107)
  * Cleanup docs on users and roles (#8098) (#8099)
  * Access & Review request docs (#7791)
  * Add kube-cluster env for tsh (#7867)
  * Adapt lib/auth/webauthn to Identity and type changes (#8082)
  * API workflows example (#6827)
  * Connect proxy <-> windows_desktop_service <-> RDP server (#7990)
  * Move newly-added Webauthn tests out of gocheck (#8074)
  * Lint and fix missing license headers (#8075)
  * [RC 2] Extend GetMFADevices to accept tokenID (#8036)
  * Implement Account Recovery Codes (#8034)
  * Update e (#8073)
  * Add the WebAuthn user ID to LocalAuthSecrets (#8013)
  * Implement WebAuthn login (#8009)
  * Add support for WebAuthn configuration (#7949)
  * Move and expand troubleshooting section (#8052)
  * RFD 32: Datalog based role tester (#6818)
  * Update e-ref for access tester (#8068)
  * Datalog based access tester (#7543)
  * Repeatable test
    naming (#8018)
  * [auto] Update AMI IDs for 7.1.0
  * Update impersonation docs (#8053)
  * update e-ref
  * adding environment variables (#7954)
  * Add support for a profile specific kubeconfig file. (#7840)
  * Add docs for the locking feature (#7967)
  * update e-ref
  * disable build determinism in centos6
  * Exclude tar flags for non-Linux platforms.
  * pipefail in make shell
  * Add Webauthn SessionData persistence to Identity (#8012)
  * RDP client implementation (#7824)
  * Add link to Access Requests page (#8021)
  * Switch bash to code component (#8019) (#8029)
  * Removed 443/3080 port from tsh login examples (#8016)
  * Ensure that test-root is marked as a PHONY target (#7847)
  * helm: Set correct fsGroup in teleport-kube-agent chart when using persistent storage (#7804)
  * Add imagePullSecrets in kube-agent chart (#6941)
  * helm: Make auth type configurable (#7508)
  * Add ability to configure postStart handler for teleport-cluster chart (#7168)
  * allow websocket connections to the same host (csp) (#7929)
  * Update docs codeowners (#7998)
  * Sasha/fwd user (#7996)
  * Teleport Database Video Banners (#7977)
  * fix agent forwarding test on macOS (#7784)
  * fix parent shard tracking
  * Add WebAuthn protocol buffers (#7923)
  * Fix windows_desktop_service keepalives (#7987)
  * Fix make update-vendor on macOS (#7910)
  * Add support for PDB with the teleport-cluster helm chart (#7138)
  * Allow teleport-cluster-agent chart to use an existing volume for the data directory (#7096)
  * Add file configuration for HSMs (#7959)
  * Add support for HSM CA rotation (#7862)
  * Add support for multiple CA pins (#7905)
  * Add support for nowait on requests.
    (#7895)
  * Split UpsertWindowsDesktop into Create/Update
  * Address review comments, batch 1
  * Windows desktop service boilerplate
  * [auto] Update webassets in master (#7917)
  * RFD 34: clarify windows host discovery
  * add conversion code for billing information update events
  * Fix incorrect zero value setting for web idle timeout (#7926)
  * Port Darwin CI pipelines to Dronegen (#7688)
  * Add MongoDB Atlas guide (#7864) (#7951)
  * Vendor our logrus fork to fix data race (#7940)
  * Don't log warning for all remoteSite.periodicUpdateLocks failures (#7908)
  * Allow custom webassets path if debug mode is on (#7925)
  * Make TestAuthorizeWithLocks* more robust (#7909)
  * correct tsh proxy alias (#7902)
  * fix race in etcd test
  * Make srv.TestMonitorStaleLocks more robust (#7877)
  * Emit audit events on lock upsert/delete (#7752)
  * Introduce `tctl lock` command (#7809)
  * Send web idle timeout with new web session response (#7839)
  * Update protobuf compiler release link
  * Update Drone pipeline for Teleport 7.
  * [auto] Update AMI IDs for 7.0.2
  * Reject cert generation requests for locked-out users/hosts (#7746)
  * Sasha/fwd fixes (#7881)
  * API client tunnel address discovery fix (#7533)
  * Check out code to use for building Teleport lab image (#7879)
  * Remove initial 'v' from Teleport version tag (#7878)
  * Re-add GetLock methods for auth server cache (#7861)
  * Add curl for teleport-lab image build step (#7876)
  * Dead code removal (#7851)
  * Rename ResetPasswordToken to UserToken for general use (#7681)
  * Handle stale lock views with strict/best-effort modes (#7798)
  * Various fixes to SAML encryption key handling for SSO (#6767)
  * Update Enterprise reference.
  * Reduced shared library dependencies.
  * Updated CHANGELOG.md.
  * Do not exit teleport when unable to enumerate k8s cluster (#7523)
  * Replicate locks to remote clusters (#7737)
  * ClusterConfig fallback (#7702)
  * Adding database resource API and tctl commands (#7792)
  * Fix soundness issues in uacc (#7785)
  * fix stale event logging
  * fix memory backend mirror behavior
  * Added Admonition for postgres sql and tls (#7777)
  * Decouple database server from database (#7771)
  * Fix client.New race condition (#7774)
  * Do not deny logins in `isMFARequired` (#7739)
  * Update download query param filter for mac (#7778)
  * Fix CHANGELOG header indentation (#7789)
  * Ensure defaults are set for DB integration tests (#7787)
  * Use KeyStore instead of raw keys with CAs (#7615)
  * Fix tctl db resource UT (#7760)
  * Move session recording section to RFD 33
  * Small tweaks based on review feedback
  * RFD 33-37: Windows desktop access
  * Update SSO guides (#7671)
  * Reference docs for AuthPreference (#7503)
  * Add Restricted Session docs (#7673)
  * Update docs/pages/includes/permission-warning.mdx
  * be more explicit about non-root user
  * Update PAM page (#7719)
  * Update DNS instructions in the AWS+EKS+Helm guide (#7672)
  * rollback - Upgrade api version. (#7751)
  * Add hsmKeyStore implementation (#7614)
  * Reset event checkpoint key property for non sub-page breaks (#7638)
  * RFD 9: Locking (#7286)
  * Mount teleport-tls to the init container for the teleport-cluster helm chart (#7166)
  * Add support for tctl get/rm DB resource (#7558)
  * mtls metrics service (#7079)
  * Updated Enterprise reference.
  * Updated BPF asset embedding.
  * Improved build determinism.
  * [auto] Update webassets in master (#7732)
  * Upgrade api version.
    (#7609)
  * Add missing kubeClusterName value in teleport-cluster helm chart (#7620)
  * Update the GCP+GKE+Helm guide (#7720)
  * config: Change mentions of kubeconfig_path -> kubeconfig_file (#7646)
  * clarity around ansible config for teleport (#6418)
  * Update test plan (#7639)
  * Enforce locks in auth.Authorize (#7625)
  * [auto] Update webassets in master (#7716)
  * ImplicitRole doesn't have wildcard labels (#7645)
  * Add KeyStore interface with rawKeyStore implementation (#7613)
  * Mark RFD 28 (ClusterConfig reorg) as implemented (#7706)
  * Fix ClusterConfig caching with pre-v7 remote clusters (#7698)
  * aws: Add s3:ListBucketMultipartUploads permissions to IAM policies (#7664)
  * docker: Automatically build teleport-lab image nightly based on latest Teleport version (#7692)
  * Add AWS console guide (#7640)
  * Try mini-diagrams and update launchpad titles (#7684)
  * AWS console access (#7590)
  * Add MongoDB Compass GUI guide (#7658)
  * Replace GenerateSelfSignedCAWithPrivateKey with GenerateSelfSignedCAWithSigner (#7612)
  * Apply locks to connections tracked by srv.Monitor (#7506)
  * Replace make tag with updated make update-tag. (#7627)
  * Fixed performance issues with the Web UI.
  * Tweaks, update and k8s agent getting started (#7656)
  * [auto] Update webassets in master (#7653)
  * fix init event emission
  * improve shard iteration
  * Removes double quotes from acme examples in docs (#7642)
  * Add `tsh config` helper to generate OpenSSH client configuration (#7437)
  * Tweak and add a few instructions regarding Audit Log testing (#7643)
  * add support for running agent helm chart on persistent volume (#7123)
  * Update test plan (#7617)
  * improve etcd event processing
  * concurrent queue
  * [auto] Update webassets in master (#7621)
  * Use web listener for web server (#7619)
  * Remove GetLock methods from Cache/ReadAccessPoint (#7593)
  * Tidy up trait application in `Role`.
    (#7562)
  * Fix profile credential loader known_hosts (#7532)
  * API Client UX fixes (#7521)
  * Adds WebClientTimeout to config (#7497)
  * Fall back to old CA schema when retrieving keys and certs (#7603)
  * Fix RBAC verbs checked for SetSessionRecordingConfig (#7466)
  * Adds Message of the Day (#7396)
  * Updated Enterprise reference.
  * Updated Makefile to fix FIPS BPF issues.
  * Include O in MongoDB certs and improve some errors (#7575)
  * set cluster name in lab (#7579)
  * Update cloud and add U2f guide (#7585)
  * Add restricted session
  * [auto] Update webassets in master (#7580)
  * Update upcoming-releases.mdx (#7584)
  * Make reference deployments more visible (#7583)
  * ListNodes limit exceeded test timeout fix (#7464)
  * Make commands more obvious (#7510)
  * Adds Teleport lab. (#7480)
  * RFD 27: mtls metrics (#6469)
  * Use descending order as default in webapi (#7550)
  * [auto] Update webassets in master (#7551)
  * Address security design review. (#6769)
  * docker: Add libelf1 as a dependency for building Teleport container images
  * Fixed vendoring issue.
  * Update ssh-pam.mdx (#7536)
  * libbpfgo has been moved out of tracee
  * Better handling of database access IAM errors (#7525)
  * Fix potential infinite loop in GetTrustedCertsPEM (#7540)
  * Implement an API for exporting session events (#7360)
  * aws: Add updates to AMIs for database access (#7487)
  * allow overrides of the AWS config for the service in the helm chart (#7287)
  * Update CODEOWNERS.
  * Allow querying for audit events in either an ascending or descending order (#7425)
  * Add MongoDB guide, MySQL Cloud SQL guide and other 7.0 docs updates (#7350)
  * integration: Add teletest namespace and instructions for Kubernetes tests (#7447)
  * [firestore] Set the cursor to empty when the end is reached (#7448)
  * Generalize ProxyWatcher to monitor other resources (#7489)
  * Release 7.0.0-beta.1.
  * Remove unnecessary sudo commands (#7505)
  * Add event handler (#7470) (#7485)
  * Update CODEOWNERS
  * Disable nonlocal SetClusterAuditConfig calls (#7465)
  * Introduce Lock resource (#7430)
  * Fixes racy backend test suite (#7481)
  * Use ssh.Signer instead of raw private keys (#7438)
  * Fixed issue that could cause commands to hang.
  * Paginated rpcs - Replace GetNodes with ListNodes (#7415)
  * [v7.0] docs: port of edit pass 7/9 (#7401)
  * docs: port of 7321 (#7399)
  * [v7.0] docs: update steps 2 (#7394)
  * docs: port to 7.0 (#7373)
  * [v7.0] docs: readme fixes (#7393)
  * enable json logging in the config (#6964)
  * Remove AWS OSS Guide Page (#6150)
  * Update API RFD. (#6764)
  * Configure env for teleport-cluster chart (#7167)
  * Allow setting diagnostics address via config file (#6865)
  * aws: Update reference deployments to handle timesearchV2 format (#7435)
  * docs: Fix typo in MacOS Terraform provider instructions (#7426) (#7440)
  * add support for dynamodb backups in helm chart (#7288)
  * Reduce Flakiness in TestAgentForward (#7236)
  * Bump e ref (#7434)
  * Add Video guide to server access page (#7429)
  * bpf: Add build support to FIPS Dockerfile (#7407)
  * Fixes racey tests in `tsh` (#7416)
  * Update tsh join (#7319)
  * drone: Disable CentOS 6 FIPS builds for Teleport 7.0+ (#7408)
  * Adds custom timeout message to SSH sessions (#7120)
  * Automatically download Cloud SQL root certs (#7397)
  * Make CSP more strict (#7390)
  * Fix ping endpoint when proxy has multiple public addrs (#7368)
  * Parse AWS info from RDS/Redshift endpoint (#7385)
  * Update codeowners (#7398)
  * licensed message check changed for application access
  * Fixed error check
  * Update kube.go
  * Update db.go
  * Update db.go
  * db license message
  * app access license message
  * Update kube.go
  * Modify language to say license instead of supports for features
  * hsm: fix CA migration for trusted clusters (#7348)
  * docs: readme updated (#6976)
  * Fix occasional data race when testing dynamically configurable resources (#7374)
  * Add
    MongoDB database access support (#7213)
  * [auto] Update webassets in master (#7381)
  * drone: Resign pipeline for drone.teleport.dev (#7367)
  * Update e ref. (#7364)
  * Relax ClusterName validation to allow ClusterID migration (#7363)
  * docs: port to 7 (#7361)
  * Add Cloud SQL MySQL support (#7302)
  * CheckAndSetDefaults sets all defaults. (#6846)
  * API version generated file (#7157)
  * Remove SetTTL methods in favor of SetExpiry. (#7234)
  * gRPC conversions - Auth Preference (#7220)
  * Move ClusterID field from ClusterConfig to ClusterName (#7050)
  * Perform event name filtering inside the database in the DynamoDB driver (#7231)
  * Cleans up and moves session recording section (#7341)
  * Add docs section on `provider` field in SSO connectors (#7339)
  * Adds per-node ability to disable ssh TCP forwarding (#6989)
  * Updated OIDC connector to return not found.
  * tsh play --format (#7331)
  * hsm: migrate CA storage schema (#7245)
  * Add workaround for Ping SAML auth requiring signing headers (#7297)
  * Limit event search responses sizes to not exceed gRPC limits (#7266)
  * remove no rbac in oss admonition (#7322)
  * [v7.0] docs: port of edit pass 2/9 (#7173)
  * [v7.0] docs: port of edit pass 3/9 (#7187)
  * [auto] Update webassets in master (#7237)
  * [v7.0] docs: port of edit pass 5/9 (#7316)
  * [v7.0] docs: port of edit pass 1/9 (#7158)
  * Better handle database access HA scenario (#7293)
  * Add gRPC conversion support for BillingCard events (#7303)
  * docs: port from 6.2 (#7300)
  * Downgrade V4 roles to V3 at webapi endpoints (#7289)
  * Turn AuditConfig into a standalone resource (#6997)
  * drone: GOCACHE and `docker:dind` fix, round 2 (#7281)
  * Terraform reference (#7291)
  * Update Teleport Cloud -> Teleport Pro (#7282)
  * define diag ports in helm (#7212)
  * grpc: call trail.ToGRPC from gRPC interceptors (#7217)
  * Add V4 Roles (#7118)
  * Add regexp.replace support in role templates (#7152)
  * teleport-kube-agent: Support multiple installations in a single cluster (#7057)
  * [v7.0] docs: fix dot
    (#7095)
  * Get startKey from query params and return startKey for clusterSearchEvents (#7228)
  * drone: Add missing GOCACHE path for `make image-ci` (#7206)
  * Remove remaining API aliases (#7137)
  * Make SessionRecordingConfig resource dynamically configurable (#7054)
  * Moves SSH tests to testify/testing package (#7119)
  * Update profile credential loader to work with tsh v6.0. (#7142)
  * [backport 7.0] Correct reference to helm chart in teleport kube agent install (#7209)
  * Move ClusterConfig auth fields into ClusterAuthPreference (#6876)
  * Introduce modules.ValidateResource for Cloud-specific validation (#7092)
  * Update terraform-provider.mdx (#7192)
  * docker-compose: Update default images used to version 6 (#7055)
  * OSS vs Enterprise (#7169) (#7175)
  * Pin dind version and remove GOCACHE from push pipelines (#7193)
  * Added GOCACHE to push pipelines.
  * Remove API aliases (#6983)
  * docs: port of 6871 (#7091)
  * Make ClusterNetworkingConfig resource dynamically configurable (#7013)
  * Emit backward compatible ClusterConfig events (#6836)
  * Skip the app.session.request event from AuditEvent (#7011)
  * Add support to configure `tsh` directory for data (#7035)
  * Remove the need for `--proxy` for session playback (#7052)
  * Expand client tests with mock server (#7004)
  * makefile: explicitly set SHELL to /bin/bash
  * Improve Access Request Events (#6863)
  * Add delay in TestRootLeafIdleTimeout test (#7116)
  * Buddy: https://github.com/gravitational/teleport/pull/6250 (#7165)
  * Fix file event driver inconsistencies (#7073)
  * Initial terraform guide (#7136) (#7149)
  * Fix flaky DB UT (#7139)
  * Updated Enterprise reference.
  * bpf: Disable failing builds
  * docs: port api changes (#7031)
  * docs: links for gsuite (#7070)
  * Couple app/db access docs updates (#7128)
  * [backport v7] Describe usage of TELEPORT_CONFIG_FILE in faq and cli page for remote tctl usage #6866 (#7067)
  * buddy: scp Is Not Parsing user@node Properly (#6927)
  * Remove JSON schema validation (#6685)
  * Fix variable shadowing error causing migration slowdown (#7097)
  * rpm: Don't include build-id artifacts in packages (#7080)
  * Support disconnect_expired_cert for database access (#6857)
  * Updated vendoring of tracee/libbpfgo.
  * Move from BCC to libbpf with CO-RE.
  * docs: Update post-release checklist (#7056)
  * Teleport Server Access Intro Video (#7087)
  * docs: Improve label documentation for db_service via teleport-kube-agent (#7077)
  * Improve RFD 24 Dynamo migration efficiency and performance (#7012)
  * keypaths package (#6848)
  * [v7.0] Port of 6.2 Server Access Section (#6936)
  * Ports some integration tests to Testify/Subtests (#6884)
  * Add Demo video to dual-auth and per session mfa (#7063)
  * [auto] Update webassets in master (#6977)
  * teleport-kube-agent: Add support for annotations.serviceAccount (#7060)
  * Updating teleport-quickstart.yml to latest release (#6970)
  * Update AMI IDs for 6.2.0 (#7037)
  * Make utmp support best-effort
  * Stop registering a Kubernetes cluster named after the Teleport cluster (#6786)
  * Allow users impersonating database service generate database certs (#7024)
  * helm: Don't package/update old teleport chart (#6902)
  * Log traits to role mapping warnings on case-insensitive matches (#6209)
  * docker: Restore Firestore emulator (#6901)
  * changelog: add a note about DynamoDB migration performance in 6.2.0
  * Return unique kube cluster names when retrieving for ui display (#7002)
  * Resolve test issues and event driver bugs (#6990)
  * Variable exporting fix on AWS Terraform Guide (#6973)
  * docs: delay 6.2 release on upcoming releases page
  * Fixed IBM Cloud AppID SSO integration.
  * Fix tctl --auth-servers flag panic. (#6980)
  * Update tctl docs to include new global flags and remote functionality. (#6771)
  * Updated CHANGELOG.md.
  * mfa: user server instead of log context.Context for audit events
  * docs: improve best practices (#6809)
  * RFD 28: Cluster configuration related resources (#6472)
  * Add event handler for access request review event (#6966)
  * helm: Fix antiAffinity in teleport-cluster (#6944)
  * [v7.0] docs: update certbot section (#6697)
  * [v7.0] docs: update version in install and getting started guides #6810 (#6853)
  * docs: port make language consistent for versions (#6854)
  * docker: Override GOMODCACHE to always use a writable location (#6899)
  * Update test plan (#6934)
  * Applying suggestion
  * Re-enables `--k8s-users` & `--k8s-groups` in tctl users add
  * Buddy: Exit non-zero on tsh status for scripting. (#6957)
  * Update test plan (#6947)
  * docs: Update docker tags to use latest 7.x version tag (#6911)
  * mfa: strip trailing newline when reading TOTP codes (#6948)
  * Handle UserUpdatedEvent in event deserialization code (#6949)
  * Introduce SessionRecordingConfig extracting fields from ClusterConfig (#6708)
  * [auto] Update webassets in master (#6921)
  * etcd: use a separate connection to check peer versions (#6905)
  * Add `tctl rm cap` for resetting cluster auth preference to defaults (#6801)
  * lazy init of prometheus collectors (#6561)
  * AuditLog/grpc server data race (#6170)
  * Application and database access documentation updates (#6932)
  * Bump e-ref (#6925)
  * Add kube/db ui testing steps to test plan (#6926)
  * make update-vendor: run 'go mod tidy' in api/
  * Add CheckAndSetDefaults call to UnmarshalAuthPreference (#6898)
  * Add missing database cli flags (#6739)
  * Update e ref to master (#6906)
  * Implement RFD 19: Event Iteration API (#6731)
  * tsh: Return more descriptive error on unimplemented grpc server method (#6812)
  * Fix typo in trusted clusters docs (#6904)
  * helm: Fixes for Linux/Mac interoperability (#6891)
  * Don't pull
    docsbox image if it's already present (#6228)
  * Remove http.NoBody check for web renew token endpoint (#6893)
  * RFD 21 (Cluster Routing): Mark as implemented (#6835)
  * helm: Adds 'aws', 'gcp', 'standalone' and ‘custom’ modes to `teleport-cluster` chart (#6344)
  * docs: Add Helm guides (#6390)
  * Update lib/client/api.go
  * Review feedback
  * More review additions
  * Review feedback
  * Doc fix
  * Addressing review feedback
  * Addressing review feedback
  * Address review feedback
  * Adds concurrent default-port selection to `tsh`
  * Add sudo to systemd example commands (#6603)
  * Add `session_recording` field to session start and end event (#6664)
  * Forbids use of --insecure in FIPS mode (#6191)
  * Move CheckAndSetDefaults definition to types.Resource (#6825)
  * Revert TLS cert usage for database certs
  * client: set TLS certificate usage for k8s/app/db certs (#6824)
  * Update admin-guide.mdx Teleport Upgrade section for clarity around the 4.4.x to 5.x transition (#6841) (#6842)
  * Making log lines proper sentences. (#6772)
  * YAML formatting (#5817)
  * Update CODEOWNERS
  * Update CODEOWNERS
  * Update locks.tf (#6798)
  * Gives inline info for Google Service account for SSO (#6728)
  * mfa: fix startup crash when SSO users with MFA expire (#6779)
  * Generate MinClientVersion based on server Version (#6018)
  * docs: update merge-kubeconfigs.sh reference to master
  * Emit session end event when completer finishes upload (#6756)
  * Align atomics to prevent segmentation faults on ARMv7 (#6711)
  * Stop changing kube context by default on tsh login (#6721)
  * Introduce ClusterNetworkingConfig extracting fields from ClusterConfig (#6638)
  * Add GetNode endpoint. (#6539)
  * Implements RFD-0022 - OpenSSH-compatible Agent Forwarding (#6525)
  * Remove whitespace
  * Add configure u2f for mfa test and add switchback test
  * Edits
  * Edits
  * Update test plan for access request and mfa
  * Handle missing IdP trait in PAM interpolation.
    (#6558)
  * Use cmp.Equal instead of manual Equals methods (#5828)
  * Add app access headers rewrite (#6601)
  * RFD 12: clarify that the versioning scheme is not strict (#6518)
  * Fix error in docs (#6070)
  * Implement RFD 24 for alternative DynamoDB event indexing (#6583)
  * Delete user k8s, etc. certificates on re-issue (#6492)
  * Clarify node connection debug logs. (#6722)
  * Check cloud feature before setting billing access for web (#6537)
  * Create GET db and kube list web handlers (#6672)
  * Updated CHANGELOG.md.
  * [auto] Update webassets in master (#6723)
  * ami: Update InfluxDB version to 1.8.5 (#6741)
  * Updated TLS handshake timeout.
  * Fix non-interactive ssh output in teleport log
  * Remove webassets.zip file before builds in Makefile (#6595)
  * Upgrade api's trace dependency to 1.1.15 (#6341)
  * mfa: only reject last device deletion of correct type (#6656)
  * Update README.md (#6712)
  * Delete unused RoleWeb
  * Fix missing quotes in CLI Adoption Survey (#6648)
  * docs: renamed (#6624)
  * docs: correct tables (#6618)
  * Draft account lifecycle (#6473)
  * Proxy line support for mysql (#6594)
  * kube: handle large number of trusted clusters in mTLS handshake (#6519)
  * docs: add a version disclaimer to per-session MFA guide (#6626)
  * Switch to tiles (#6611) (#6660)
  * docs: bump 6.2 release date to May 21st (#6652)
  * mfa: cancel TOTP prompt if U2F was used (#6542)
  * k8s: add merge-kubeconfigs.sh script (#5677)
  * Propagate external traits to leaf clusters (#6540)
  * Teleport opt-in adoption survey (#5505)
  * gRPC conversions - Nodes (#6535)
  * [auto] Update webassets in master (#6646)
  * Add additional Prometheus Metrics (#6511)
  * docs: reword (#6629)
  * mfa: prevent the user from deleting the last MFA device (#6585)
  * mfa: better OTP registration flow on CLI (#6567)
  * Fix test requiring gcp credentials (#6608)
  * Handle `tctl get`'s input ref more strictly (#5818)
  * RFD 16: Specify RBAC verbs needed for the tctl operations (#6463)
  * Update descriptions for labels and diag-addr parameters
    for Teleport (#5762)
  * Fix doc comment for Rule.HasVerb (#6598)
  * [v7.0] Merge style guide into docs (#6577)
  * Provide a dedicated API endpoint for app FQDN resolving (#6449)
  * Add redshift auth support to database access (#6479)
  * Add `tctl create cap` for dynamically configuring cluster auth preference (#5635)
  * Create SECURITY.md
  * Revert "Node session race (#6195)"
  * Improve error message for timeout errors (#6343)
  * forward-port 6.1.2 CHANGELOG (#6553)
  * Node session race (#6195)
  * [v7.0] Backport of editorial changes from v6.1 (#6564)
  * Update Go version requirement in README (#6555)
  * Adds releases preview (#6533)
  * [v6.1] Editorial Pass/Review - Home (#6544)
  * [auto] Update webassets in master (#6532)
  * Adding postgres_public_addr and mysql_public_addr (#6426)
  * docs: fix typos in sample roles in MFA guide
  * Enforce strict teleport.yaml validation (#6520)
  * Update Dockerfile (#6499)
  * Update per-session-mfa.mdx (#6531)
  * correct dir reference in build instrs for slack plugin (#6527)
  * Misspelling (#6503)
  * Teleport Slackbot for latest slackbot (#6522)
  * Improve process connection error handling and logging (#6471)
  * Refactor api package and docs to use pkg.go.dev effectively.
    (#6388)
  * Remove teleconsole reference in README (#6509)
  * Convert types.AuthPreference into a proto definition (#6510)
  * Wait for key agent to stop between key agent tests to improve reentrancy (#5342)
  * RFD-0022: Key Agent Forwarding (#6168)
  * [web] Add ability to switchback to default roles/expiry (#6373)
  * Revert "[web] Check for cloud feature before setting billing access (#6465)" (#6500)
  * oidc: allow non-GSuite OIDC providers from Google (#5820)
  * Update Terraform examples provider (#6332)
  * set correct auditlog instead of discard (#6431)
  * Update region list for AWS AMI publishing (#6282)
  * RFD 0: elaborate the deprecated state (#6468)
  * RFD 25: Hardware security module (HSM) support
  * Fix missing $ in token example (#6482)
  * [v7] cloud getting started updates (#6481)
  * [web] Check for cloud feature before setting billing access (#6465)
  * remove grafana pass var repeat
  * Always generate user certificates with RouteToCluster (#6115)
  * Implement alternative reverse tunnel address support and add a test case. (#6056)
  * Update README.md
  * Update README.md
  * Update README.md
  * Update README.md
  * Update README.md
  * Update README.md
  * Update README.md
  * Phrase review the main README.md file
  * Update go-client to user new API client with tsh profile loader. (#6310)
  * Moves license_file to the correct section and adds unit test (#6420)
  * tctl: Return error if profile key is not for the root cluster (#6450)
  * Move introductions to the appropriate sections (#6456)
  * Fix infinite recursion in client.Config.WebProxyHostPort
  * Test flakes: use ordering tests for keep alives (#5358)
  * Capture postgres extended protocol messages in audit log (#6303)
  * [auto] Update webassets in master (#6436)
  * Added reverse tunnel port info to teleport-kube-agent readme (#5621)
  * RFD 0026 - Custom Approval Conditions (#5071)
  * Update docs on oidc prompt logic for 6.1+.
    (#6427)
  * RFD 24: DynamoDB Audit Event Overflow Handling (#6359)
  * Forward-port 6.1.1 CHANGELOG (#6417)
  * RFD 16: Reserve the `origin` label for system use (#6157)
  * drone: allow ARM builds in reprepro config (#6392)
  * Set status of RFD 18 to implemented. (#6358)
  * Add new syntax description to the docs (#6384)
  * Rename images to match logical pixels (#6381)
  * Add OpenSSH Video (#6371)
  * Documents dual authz with Mattermost (#6400)
  * Updated CHANGELOG.md. (#6345)
  * Update some variables and links (#6367)
  * Documents impersonation (#6293) (#6365)
  * Added Cloud Billing FAQ (#6363)
  * docs: document per-session MFA feature (#6285)
  * client: load all SSH certs when connecting to proxy
  * helm: Improve linting and add log level override (#6330)
  * improve cert rotation periodics
  * Add DialOpts and CallOpts to API client. (#6301)
  * Fix tctl profile loading logic by adding WithSSHCerts certOption. (#6336)
  * Always set an AuditLog (#6326)
  * Propagate user not found error from authenticator. (#6304)
  * web: fix AccessRequest loading on user cert reissue (#6264)
  * v7.0 syntax update (#6314)
  * [auto] Update webassets in master (#6324)
  * Update Google Workspace and Okta Docs (#6267)
  * [auto] Update AMI IDs for 6.0.2 (#6283)
  * add fix
  * Remove unused * from Roles output. This was a leftover from an old message about roles and enterprise version. (#6258)
  * Close leaky direct client.
    (#6297)
  * tsh: handle missing cluster name in profile (#6257)
  * Don't use OpaqueAccessDenied with CheckAccessToRule (#6246)
  * Make authToken optional if secret exists (#6273)
  * Revert "darwin fips builds (#5866)" (#6265)
  * Delete obsolete stored keys in LocalKeyAgent.AddKey (#6251)
  * Fix regression bug for DynamoDB scaling policy names (#6259)
  * Adds encrypted token docs (#6266) (#6269)
  * dronegen: add buildboxes (#6197)
  * GitLab Instructions for SSO (#6190) (#6262)
  * Ensure webassets are present when running 'make full' on a fresh clone (#6231)
  * Parse all CAs in CertPoolFromCertAuthorities
  * Refactor ssh.ClientConfig used by tctl and API clients to use the first valid principal as User.
  * Update Architecture Overview With Link To User Roles (#6224)
  * Add `lint-api` target and fix lint errors (#6169)
  * ssh: fix relogin with jumphosts (#6213)
  * drone: use emptyDir for /var/lib/docker filesystem and prevent repetitive docker pulls (#6145)
  * Remove ARM64 FIPS builds (#6236)
  * tsh Profile SSH certs fix (#6214)
  * mfa: fix gRPC unimplemented check in cert reissue
  * Open Sources Access Controls Docs (#6188) (#6217)
  * add PAM environment with interpolation support
  * Cache per-cluster SSH certificates under ~/.tsh (#5938)
  * add special resource type for access plugin data
  * Enable DynamoDB autoscaling on global secondary indices (#6112)
  * darwin fips builds (#5866)
  * kube: add kubernetes_labels to role JSON schema
  * mfa: send username instead of SSH login name in MFA cert request
  * fix nil slice bug
  * RFD 16: Add a section on `tctl rm` resetting resources back to defaults (#5673)
  * Update application access docs (#6055) (#6137)
  * Bump linux FIPS builds to use go1.16.2b7 release (#6143)
  * [auto] Update webassets in master (#6185)
  * Convert Token CRUD endpoints to gRPC. (#6105)
  * Convert Trusted Cluster CRUD endpoints to gRPC.
    (#6103)
  * [auto] Update webassets in master (#6135)
  * Embed webassets natively into teleport instead of attaching to the binary (#5935)
  * gRPC conversions - GithubConnector (#6101)
  * Test PR. (#6182)
  * gRPC conversions - SAMLConnector (#6100)
  * gRPC conversions - OIDCConnector (#6067)
  * ignore dangling tunnel conns
  * Added RFD for Cluster Routing. (#5566)
  * Remove duplicate sshutils package from merge failure. (#6165)
  * Profile credentials dialer fix (#6122)
  * Combine common crud proto messages into generic messages in types.proto. (#6058)
  * Allow file argument with tsh play (#5984)
  * Make SSO login failure event emit more specific errors (#6108)
  * mfa: per-session U2F challenge for web SSH (#6098)
  * Add Kubernetes follow along video (#6134)
  * Move usage of predicate package out of api. (#6136)
  * Set suggested reviewers field to the UI user context struct (#5467)
  * custom approval conditions
  * mfa: don't check MFA for teleport services in UpsertKubeService (#6129)
  * Skip enumerating keys when cluster name is empty (#5942)
  * Pass context through new gRPC converted endpoints. (#6118)
  * Define cloud billing event types and codes (#6037)
  * Add Credential loader support for tsh profiles. (#5993)
  * u2f: add optional attestation cert validation (#6057)
  * drone: Add ARM/ARM64 package builds (#6106)
  * API client connection overhaul (#5625)
  * dronegen: drone config generator (#6071)
  * Add Postgres Cloud SQL support (#5941)
  * App access cli flow (#5918)
  * Fix app access websockets support (#6072)
  * Properly marks k8s stream complete on error exit (#6068)
  * Fix an issue with impersonating SSO users (#6076)
  * Enforce valid UTF8 keys on all backends.
  * Adds controls for impersonation requests.
    (#6009) (#6073)
  * Move linter config to .golangci.yml and remove surplus Makefile lines (#6052)
  * Remove .bash suffix from bats includes to enable compatibility with older versions (#6053)
  * Updated with 6.0 video (#6065)
  * Edits to getting started guide (#6038)
  * updating the reference yaml for clarity and completeness (#6040)
  * mfa: handle older servers during IsMFARequired RPC from tsh (#6039)
  * Address review feedback
  * Avoid data race in audit writer test by syncing close with shutdown of event processing goroutine
  * Augment checking stream/streamer and AuditWriter with cluster name detail to automatically populate the field upon event emission.
  * mfa: add cluster-level require_session_mfa option (#5939)
  * added rfd 19 add example query to rfd 19
  * implement rfd 18
  * Optimize images (#6019)
  * Add support for building ARM/ARM64 RPM/DEB packages (#5937)
  * Added benches for GetNodes and GetClusterDetails.
  * Add unit tests to teleport-generate-config AMI script (#5682)
  * Add empty token check for 2fa optional type for web logins (#5995)
  * Fix unit-tests by updating certificates in fixtures (#6012)
  * Format logs and remove timestamp from default log format (#5979)
  * Update README.md (#5901)
  * Getting started with Kubernetes (#5981)
  * Updated to highlight default port for the plugin. (#5985)
  * Update README.md (#5989)
  * Updates starter-cluster to Terraform 0.14 (#5535)
  * Update Teleport Access Workflows Docs (#5930)
  * Update Helm charts to use Teleport 6 by default (#5983)
  * Adding keepalive parameters to configuration file (#5910)
  * Update mysql self hosted docs (#5912)
  * Creates preset roles (#5960)
  * Add google_service_account inline field option for Google Workspace/GSuite OIDC (#5563)
  * Update VERSION on master to v7.0.0-dev (#5931)
  * Address review comments
  * Remove proto-based ServerV2 implementation of DeepCopy in favor of the manual implementation to avoid issues with proto-based type merge panics.
  * Format Logs and add timestamp to logging output option (#5898)
  * add support for encrypted saml assertions with a separate x509 pair
  * log agent forwarding failure at warn (#5907)
  * Fix broken link to video in docs (#5955)
  * [auto] Update webassets in master (#5957)
  * Add version header check in Marshalers (#5768)
  * Move redirects to docs config (#5950)
  * Update application-access.mdx (#5944)
  * mfa: unhide 'tsh mfa' commands and add docs (#5932)
  * Add Features and PublicAddrs to PingResponse (#5742)
  * Convert Role endpoints to gRPC. (#5458)
  * mfa: per-session MFA certs for SSH and Kubernetes (#5564)
  * Add Billing Access to default admin role (#5925)
  * Add teleport:6 nightly Docker image (#5896)
  * Update release table to 6.0.0 (#5851)
  * Update Kubernetes Access docs (#5865) (#5933)
  * grpc: use the regular buildbox and bump gogoproto version (#5879)
  * Add 'make update-webassets' script (#5853)
  * RFD 12: add git branching details (#5888)
  * mfa: reuse the same challenge for all U2F devices (#5837)
  * Run next linter on docs PRs (#5908)
  * Fix --insecure-no-tls flag (#5924)
  * Moves loadCredsFromProfile to OSS (#5891)
  * Update getting started to 6.0.1 (#5890) (#5914)
  * [auto] Update AMI IDs for 6.0.1 (#5894)
  * Lint markdown files syntax for master with the new linter (#5881)
  * Publish teleport-cluster Helm chart (#5895)
  * Fixes ACME default configuration (#5839) (#5877)
  * Fix ADFS provider and add debug message.
  * Sasha/ev readme (#5884)
  * mfa: add WithMFA to session-related audit events (#5833)
  * docs: add homebrew version compatibility note (#5613)
  * Run firestore tests as part of build.assets test target (#5830)
  * [auto] Update webassets in master (#5850)
  * mfa: audit events for adding/removing devices (#5665)
  * Update docs structure (#5849)
  * update e (#5786)
  * Remove args as these can be deduced automatically
  * Quote the address arguments to avoid issues with formats that use symbols that require escaping
  * Use non-greedy Mkdir variant and add a test-case for non-existing remote location with intermediate directories
  * Add more test coverage for sink mode
  * Check whether . is a base directory directly
  * Use correct target directory path. Handle target directory/file renames.
  * Update CHANGELOG.md
  * Fix db server test data race (#5832)
  * Updated CHANGELOG.md.
  * mfa: delete user MFA devices on account reset (#5805)
  * Include CA cert file path in the error message
  * Get rid of unnecessary var declarations
  * Fix support for insecure etcd mode
  * Remove support for migrating from legacy etcd prefix (#5798)
  * Add "billing_information" RBAC resource (#5676)
  * Fixed build failure for non-Linux platforms.
    (#5800)
  * fix #5783 utmp regression on macos (#5784)
  * Don't defer Close calls on writable files
  * [auto] Update webassets in andrej/master/security-fixes
  * Prevent AAP login CSRF with OAuth-style state tokens
  * Set cookies with '__Host-' prefix
  * Set stricter HTTP Content-Security-Policy directives
  * Assemble safe FQDN values for AAP redirects
  * Introduce utils.ReadAtMost to prevent resource exhaustion
  * Check CA expiration status when joining a cluster
  * Add obfuscation to diagnostic metrics
  * Fix AAP headers injection
  * Fix CLI content spoofing through access request reason
  * Require initialized TLS config in utils.TLSDial
  * Fix existence leak of label-restricted resources
  * Propagate the mapped local user identity via auth.Context (#5794)
  * fix last output timestamps on some systems
  * docs: clarify why etcd doesn't store audit events
  * Remove categories in favor of using labels instead.
  * Update Issue Templates.
  * Update ssh-kubernetes-fedramp.mdx
  * [tctl] Don't explicitly set value for config path and preserve backwards compatibility (#5731)
  * Fixed a typo in GCP documentation
  * Added RFD 18: Agent loading.
  * Update rfd/0008-application-access.md
  * Update 0008-application-access.md
  * Update old proxy version detection algorithm
  * Sasha/newlines (#5738)
  * Adds public_addr when using ACME (#5734)
  * [auto] Update webassets in master (#5735)
  * Make /lib/web tests more reliable (#5703)
  * testplan: add MFA management tests (#5661)
  * testplan: update EKS/GKE testing steps (#5662)
  * Add database access manual test plan (#5664)
  * utmp fix for symlinked path
  * Downgrades admin OSS role (#5710)
  * add utmp to manual test plan
  * Adds a Slack channel and a forum
  * Hide the k8s cluster defaulting error log on login
  * Update CHANGELOG.md for 6.0.0-rc.1 (#5689)

-------------------------------------------------------------------
Sat Feb 12 20:48:45 UTC 2022 - Johannes Kastl

- split up into three packages:
  teleport aka server/daemon, teleport-tctl and teleport-tsh

-------------------------------------------------------------------
Sat Feb 12 08:10:06 UTC 2022 - Johannes Kastl

- new package teleport: Teleport is an identity-aware, multi-protocol access proxy which understands SSH, HTTPS, RDP, Kubernetes API, MySQL, MongoDB and PostgreSQL wire protocols.