| Index | index by Group | index by Distribution | index by Vendor | index by creation date | index by Name | Mirrors | Help | Search |
| Name: teleport-bash-completion | Distribution: openSUSE Tumbleweed |
| Version: 17.7.20 | Vendor: openSUSE |
| Release: 1.2 | Build date: Mon Mar 9 08:30:40 2026 |
| Group: System/Shells | Build host: reproducible |
| Size: 325 | Source RPM: teleport-17.7.20-1.2.src.rpm |
| Packager: https://bugs.opensuse.org | |
| Url: https://github.com/gravitational/teleport | |
| Summary: Bash Completion for teleport | |
Bash command line completion support for teleport.
AGPL-3.0-only
* Mon Mar 09 2026 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.7.20:
* Fix a bug where audit events could be created forever for an
expired access request. #64355
* Fixed an issue where the UI would display a white screen and no
error when an error occurred. #64245
* Fixed a bug that could cause desktop connection errors during
proxy upgrades for some cluster configurations. #64224
* Improve the layout of the web UI's message of the day. #64212
* Fixed an issue where VNet on Windows could fail to start after
an update with the error: The specified service does not exist
as an installed service.. #64207
* Fixed db session page refresh redirecting to empty page. #63988
* Fixed out of sequent audit logs rendering in ui for same
timestamp logs. #63819
* Fixed tsh kubectl failing when kubectl flags appear before
positional arguments (e.g., tsh kubectl -n default get pod).
[#63808]
* Added tctl recordings download command to download session
recordings to local files without requiring direct access to
the storage backend. #63727
* Fixed a bug that could cause Windows desktops discovered via
LDAP to be removed in error. #62472
* Tue Feb 17 2026 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.7.19:
only enterprise-relevant changes
* Mon Feb 16 2026 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.7.18:
Skipped 17.7.17 due to a build pipeline issue.
* Revised help messages for event handler CLI commands. #63642
* Fixed tsh ssh user@foo=bar uptime from running serially if
users did not have role:read permissions. #63611
* The minimum version of macOS required to run Teleport or
associated client tools is now macOS 12 (Monterey). #63588
* The minimal macOS version required by Teleport Connect is now
macOS 12. #63570
* Fixed bug where event handler would get stuck on DynamoDB
backend when handling large events. #63562
* Updated Go to 1.25.7. #63561
* Fixed bug where event handler would throw an error on Athena
backend when handling large events. #63551
* Fixed an issue where a role requiring a trusted device could
incorrectly block access to all applications. #63528
* Updated tsh/Linux to correctly capture the OS login user for
device trust. #63453
* Fixed a server error when rejecting a headless authentication
request in the Web UI. #63432
* Fixed tsh/Linux sending a too-large username for device trust.
[#63388]
* Fixed teleport join openssh on recent versions of Ubuntu.
[#63042]
* Fix an issue in the Teleport SSH Service where interactive PAM
Auth modules always fail when trying to run exec sessions with
tty allocated. e.g. tsh ssh --tty <node> ls. #62065
* Tue Feb 03 2026 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.7.16:
* Improved robustness of the Slack hosted plugin to reduce the
likeliness of failed token refresh when experiencing external
disruption. #63347
* Ensure application session rejections for untrusted devices are
consistently audited as AppSessionStart failures after MFA.
[#63260]
* Fixed a CredentialContainer error when attempting to log in to
the Web UI with a hardware key using Firefox >=147.0.2. #63246
* Updated OpenSSL to 3.0.19. #63203
* Thu Jan 29 2026 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.7.15:
* Updated indirect dependency go-chi/chi/v5 (addresses
GO-2026-4316). #63093
* The tbot systemd install command now supports a --pid-file flag
for setting the path to the PID file. #63038
* Fixed GCS session recording backend not respecting rate limits.
[#62987]
* Made the teleport-cluster Helm chart job resources configurable
again via the jobResources value. #62924
* Reverted a disruptive change from v17.7.11: teleport-cluster
Helm chart uses resources for Jobs again. If set jobResources
takes precedence. This will change in v18, only jobResources
will be used. #62924
* Mon Jan 19 2026 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.7.14:
* Updated Go to 1.24.12. #62886
* Fixed launching AWS Identity Center from Teleport Connect.
[#62870]
* Fixed renewed X509-SVIDs not being proactively sent to Envoy
instances. #62829
* Updated rustcrypto/rsa dependency to fix potential panic
(CVE-2026-21895). #62769
* Fixed an issue that would prevent tsh from working when the
1password SSH agent is running. #62737
* Mon Jan 12 2026 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.7.13 (.12 was not released):
* Fixed an issue where logging in to the Web UI with Device Trust
would lose query params of the redirect URL. #62678
* Fixed an issue where Teleport Connect could generate a flurry
of notifications about not being able to connect to a resource.
[#62672]
* Fixed issuance of wildcard DNS SANs with Workload Identity.
[#62669]
* Added IAM joining support from new AWS regions in asia. #62628
* Added cleanup of access entries for EKS auto-discovered
clusters when they no longer match the filtering criteria and
are removed. #62599
* Fixed some auto update audit events showing up as unknown in
the web UI. #62548
* The join tokens UI now indicates which tokens are managed by
the Teleport Cloud platform. #62543
* Audit log and session uploader now respect region field of
external_audit_storage resource when present. #62519
* Fixed an issue that prevented searching for users by role in
the web UI. #62475
* Acknowledging a cluster alert no longer requires the create
permission. #62469
* Fixed tilde expansion for moderated SFTP. #62454
* Fixed a potential SSRF vulnerability in the Azure join method
implementation. #62420
* Updated github.com/quic-go/quic-go to 0.57.0 to mitigate
CVE-2025-64702. #62294
* Fixed issue where AltGr key combinations did not work correctly
in remote desktop sessions. #62197
* Fixed a memory leak in access list reminder notifications
affecting clusters with more than 1000 pending Access List
reviews. #62664
* Thu Dec 11 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.7.11:
* Reduced memory consumption of the Application service. #62013
* Prevented stuck teleport-cluster Helm chart rollouts in small
Kubernetes clusters. Removed resource requests from
configuration check hooks. #62004
* Updated Go to 1.24.11. #61954
* Updates tsh workload-identity issue-x509 to automatically
create the specified folder if it does not exist. #61951
* Fixed a bug where JWT-SVID timestamp claims would be
represented using scientific notation. #61922
* Fixed a bug causing high memory consumption in the Teleport
Auth Service when clients were listing large resources. #61848
* Prevent data races when terminating interactive Kubernetes
sessions. #61822
* Fix tsh db connect failing to connect to databases using
separate ports configuration (non-TLS routing mode). #61811
* Fixed bug where Kubernetes App Discovery poll_interval is not
set correctly. #61792
* Fixed relative path evaluation for SFTP in proxy recording
mode. #61759
* Fixed tsh kube ls showing deleted clusters. #61743
* Fixed workload identity templating to support certain numeric
values that previously gave a "expression did not evaluate to a
string" error. #61739
* Fixed AWS Console access when using AWS IAM Roles Anywhere or
AWS OIDC integrations, when IP Pinning is enabled. #61655
* Added ability to update existing Azure OIDC integration with
tctl. #61593
* Prevented Trivy from reporting false positives when scanning
the Teleport binaries. #61540
* Updated tsh debug output to include tsh client version when
- -debug flag is set. #61526
* Fixed web upload/download failure behind load balancers when
web listen address is unspecified. #61394
* Fixed corrupted private keys breaking tsh. #61387
* Fix an issue connections to MongoDB Atlas clusters fail if
clusters use certs signed by Google Trust Services (GTS).
[#61325]
* GOAWAY errors received from Kubernetes API Servers configured
with a non-zero --goaway-chance are now forward to clients to
be retried. #61255
* Added a Workload Identities page to the web UI to list workload
identities. #59478
* Fri Nov 14 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.7.10:
* Improved reverse tunnel dialing recovery from default route
changes by 1min on average. #61318
* Fixed an issue with the Identity Center resource cache that
could cause the account resources to be deleted from the cache.
[#61313]
* Fixed an issue Postgres database cannot be accessed via
Teleport Connect when per-session MFA is enabled and the role
does not have wildcard db_names. #61300
* Improved conflict detection of application public address and
Teleport cluster addresses. #61292
* Fixed rare error in the authorized_keys secret scanner when
running the Teleport agent on MacOS. #61267
* Updated Go to v1.24.10. #61210
* Instrumented tbot to better support teleport-update. #61190
* Improved error message of tsh when there is a certificate DNS
SAN mismatch when connecting to Auth via Proxy. #61187
* Improved error handling during desktop sessions that encounter
unknown/invalid smartcard commands. This prevents abrupt
desktop session termination with a "PDU error" message when
using certain applications. #61179
* Updated github.com/containerd/containerd dependency to fix
GHSA-pwhc-rpq9-4c8w. #61145
* Updated quic-go dependency to fix CVE-2025-59530. #61111
* Fixed a bug causing tsh to stop waiting for access request
approval and incorrectly report that the request had been
deleted. #61110
* Fixed an issue where resources in Teleport Connect were not
always refreshed correctly after re-logging in as a different
user. #61100
* Fixed an issue which could lead to session recordings saved on
disk being truncated. #60965
* Fri Nov 14 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.7.9:
* Fixed configuration files such as .kube/config referring to
non-existent tsh binaries. #60872
* Fixed an issue in the web UI where a bot with zero tokens would
show a validation error. #60759
* The browser window for SSO MFA is slightly taller in order to
accommodate larger elements like QR codes. #60702
* Fixed MongoDB topology monitoring connection leak in the
Teleport Database Service. #60693
* Okta-managed apps are now pinned correctly in the web UI.
[#60677]
* Slack access plugin no longer crashes in the event access list
is unsupported. #60674
* Fixed tsh scp failing on files that grow during transfer.
[#60608]
* Allowed moderated session peers to perform file transfers.
[#60605]
* Fixed a startup error EADDRINUSE: address already in use in
Teleport Connect on macOS and Linux that could occur with long
system usernames. #60577
* MWI: tbot's auto-generated service names are now simpler and
easier to use in the /readyz endpoint. #60459
* Client tools managed updates stores OS and ARCH in the
configuration. This ensures compatibility when TELEPORT_HOME
directory is shared with a virtual instance running a different
OS or architecture. #60413
* Updated LDAP dial timeout from 15 seconds to 30 seconds. #60392
* Fixed a bug that prevented using database role names longer
than 30 chars for MySQL auto user provisioning. Now role names
as long as 32 chars, which is the MySQL limit, can be used.
[#60378]
* Fixed a bug in Proxy Recording Mode that causes SSH sessions in
the WebUI to fail. #60368
* Added extraEnv and extraArgs to the teleport-operator helm
chart. #60356
* Fixed malformed audit events breaking the audit log. #60335
* Added editing bot description to the web UI. #60213
* Fri Oct 17 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.7.8:
* Updated error messages displayed by tsh ssh when access to
hosts is denied and when attempting to connect to a host that
is offline or not enrolled in the cluster. #60226
* Fixed an issue in Teleport Connect where Ctrl+D would sometimes
not close a terminal tab. #60222
* Added support for PodSecurityContext to tbot helm chart. #60207
* MWI: Add teleport_bot_instances metric. #60205
* The tbot Workload API now logs errors encountered when handling
requests. #60192
* Added explicit timeout to tbot when the Trust Bundle Cache is
establishing an event watch. #60187
* Fixed a bug where OpenSSH EICE node connections would fail.
[#60125]
* Updated Go to 1.24.9. #60114
* Fixed SFTP audit events breaking the audit log. #60070
* Fixed excessive memory usage on Teleport Proxy Service
instances when using the the Teleport Web UI PostgreSQL REPL.
[#60001]
* Fixed tsh scp getting stuck in symlink loops. #59995
* Fixed handling of local tsh scp targets that contain a colon.
[#59982]
* Fixed issue where temporarily unreachable app servers were
permanently removed from session cache, causing persistent
connection failures: no application servers remaining to
connect. #59955
* Fixed the issue with automatic access requests for tsh ssh when
spec.allow.request.max_duration is set on the requester role.
[#59925]
* Fixes a bug with the check for a running Teleport process in
the install-node.sh script. #59888
* MWI: The kubernetes/v2 output now supports customizing context
names with a template. #59740
* Updated mongo-driver to v1.17.4 to include fixes for possible
connection leaks that could affect Teleport Database Service
instances. #59733
* The event-handler plugin will now skip over Windows desktop
session recording events by default. #59682
* MWI: The kubernetes/argo-cd output now supports customizing
cluster names with a template. #59576
* Tue Sep 30 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.7.7:
* Fixed auto-approvals in the Datadog Incident Management
integration by updating the on-call API client. #59669
* Fixed auto-approvals in the Datadog Incident Management
integration to ignore case sensitivity in user emails. #59669
* Fixed tsh play not returning an error when playing a session
fails. #59626
* Fixed an issue in Teleport Connect where clicking 'Restart' to
apply an update could close the window without actually
restarting the app. #59593
* Introduced application-proxy service to tbot for HTTP proxying
to applications protected by Teleport. #59588
* Fixed persistence of metadata.description field for the Bot
resource. #59571
* Fixed a crash in Teleport's Windows Desktop Service introduced
in 17.7.3. Compaction of certain shared directory read/write
audit events could result in a stack overflow error. #59514
* Enabled Oracle Cloud joining in Machine ID's tbot client.
[#59041]
* Fixed an issue that prevented connecting to agents over peered
tunnels when proxy peering was enabled. #59557
* Wed Sep 24 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.7.6:
* Made the check for a running Teleport process in the
install-node.sh script more robust. #59495
* Fixed tctl edit producing an error when trying to modify a Bot
resource. #59481
* Improved app access error messages in case of network
error. #59467
* Fixed database IAM configurator potentially getting stuck and
never recovering. #59418
* Fixed tsh config binary path after managed updates. #59385
* Fri Sep 19 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.7.5:
* Fix issue preventing auto enrollment of EKS clusters when using
the Web UI. #59273
* Terraform provider: Allow creating access lists without setting
spec.grants. #59238
* Fixes a panic that occurs when creating a Bound Keypair join
token with the spec.onboarding field unset. #59179
* Added desktop name for Windows Directory and Clipboard audit
events. #59154
* Added the ability to update the AWS Identity Center SCIM token
in tctl. #59115
* Fixed client tools managed updates sequential update. #59089
* Fixed headless login so that it supports both WebAuthn and SSO
for MFA. #59077
* When selecting a login for an SSH server, Teleport Connect now
shows only logins allowed by RBAC for that specific server
rather than showing all logins which the user has access to.
[#59068]
* Added services to correctly choose Access Request roles in
remote clusters. #59063
* Install script allows specifying a group for agent installation
with managed updates V2 enabled. #59060
* Fixed a bug preventing users to create access lists with empty
grants through Terraform. #59031
* Fixed a DynamoDB bug potentially causing event queries to
return a different range of events. In the worst case scenario,
this bug would block the event-handler. #59030
* Teleport Connect now runs in the background by default on macOS
and Windows. On Linux, this behavior can be enabled in the app
configuration. #58924
* Added fdpass-teleport binary to install script for Teleport tar
downloads. #58920
* Support multiple resource editing in tctl edit when editing
collections. #58901
* Fixed an issue that would cause trusted cluster resource
updates to fail silently. #58887
* Added ability for user to select whether IC integration creates
roles for all possible Account Assignments. #58862
* Allow controlling the description of auto-discovered Kubernetes
apps with an annotation. #58816
* Added new bound_keypair join method for Machine and Workload ID
to better support bots in on-prem and other environments
without a platform-specific join method. #58334
* Thu Sep 18 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.7.4:
* Updated Go to 1.24.7. #58836
* Added support for tbot configuration of a default namespace for
kubeconfig files generated by the kubernetes/v2 service. #58791
* Prevented an application from being registered if its public
address matches a Teleport cluster address. #58767
* Removed AccessList review notification check from tsh login /
status flow. #58666
* Added Lock, unlock and delete operations to the Bot Details
page, as well as viewing lock status. #58647
* Fixed panic in tbot's ssh-multiplexer service. #58596
* MWI: Added support to tbot for managing Argo CD clusters via
the kubernetes/argo-cd output service. #58567
* Added support for configure SCIM Plugin with OIDC or Github
Teleport Connectors. #58555
* Appended headers to configuration files generated by
teleport-update. #56578
* Thu Sep 18 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.7.3:
* A namespace can now be specified for the tbot Kubernetes Secret
destination. #58553
* Fixed nested access list hierarchy propagation in case of tctl
using UpsertAccessList API call. #58550
* Added support for setting "*" in role kubernetes_users. #58478
* Reduced audit log clutter by compacting contiguous shared
directory read/write events into a single audit log event.
[#58445]
* Fixed an issue where VNet could not start because of "VNet is
already running" error. #58389
* Fixed incorrect scp exit status between OpenSSH clients and
servers. #58328
* Fixed sftp readdir failing due to broken symlinks. #58321
* The following Helm charts now support obtaining the plugin
credentials using tbot: teleport-plugin-discord,
teleport-plugin-email, teleport-plugin-jira,
teleport-plugin-mattermost, teleport-plugin-msteams,
teleport-plugin-pagerduty, teleport-plugin-event-handler.
[#58300]
* Enabled separate request_object_mode setting for MFA flow in
OIDC connectors. #58280
* Teleport Connect now supports managed updates. #58261
* Teleport Connect now brings focus back from the browser to
itself after a successful SSO login. #58261
* Fixed failure to close user accounting session. #58164
* Fixed an uncaught exception in Teleport Connect on Windows when
closing the app while the TELEPORT_TOOLS_VERSION environment
variable is set. #58132
* Fixed a Teleport Connect crash that occurred when assuming an
access request while an application or database connection was
active. #58110
* Added paginated API ListDatabases, deprecate GetDatabases.
[#58104]
* Fixed modifier keys getting stuck during remote desktop
sessions. #58102
* Enable Azure joining with VMSS. #58093
* Windows desktop LDAP discovery now auto-populates the
resource's description field. #58081
* TBot now emits a log message stating the current version on
startup. #58057
* Added experimental bound keypair joining method, disabled by
default behind a flag. #57961
* Updated Go to 1.24.6. #57860
* Added new oidc joining mode for Kubernetes delegated joining to
support providers that can be configured to provide public OIDC
endpoints, like EKS, AKS, and GKE. #57800
* Newly enrolled Kubernetes agents in will now use Managed
Updates by default. #57783
* Thu Aug 21 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.7.2:
* Fixed an issue that could cause some hosts not to register
dynamic Windows desktops. #58062
* Improve error message when a User without any MFA devices
enrolled attempts to access a resource that requires MFA.
[#58044]
* Add TELEPORT_UNSTABLE_GRPC_RECV_SIZE env var which can be set
to overwrite client side max grpc message size. #58028
* Add support for JWT-Secured Authorization Requests to OIDC
Connector. #58013
* Fixed an issue that could cause revocation checks to fail in
Windows environments. #57879
* Fixed the case where the auto-updated client tools did not use
the intended version. #57871
* Fix database PKINIT issues caused missing CDP information in
the certificate. #57851
* Device Trust: added required-for-humans mode to allow bots to
run on unenrolled devices, while enforcing checks for human
users. #57845
* Updated Go to 1.23.12. #57765
* Added the --auth flag to the tctl plugins install scim CLI
command to support Bearer token and OAuth authentication
methods. #57758
* Fix Alt+Click not being registered in remote desktop sessions.
[#57756]
* Kubernetes Access: kubectl port-forward now exits cleanly when
backend pods are removed. #57742
* Kubernetes Access: Fixed a bug when forwarding multiple ports
to a single pod. #57737
* Fixed unlink-package during upgrade/downgrade. #57721
* Teleport event-handler now accepts HTTP Status Code 204 from
the recipient. This adds support for sending events to Grafana
Alloy and newer Fluentd versions. #57681
* Enrich the windows.desktop.session.start audit event with
additional certificate metadata. #57678
* Added --force option to tctl workload-identity
x509-issuer-overrides sign-csrs to allow displaying the output
of partial failures, intended for use in clusters that make use
of HSMs. #57661
* Tctl top can now display raw prometheus metrics. #57634
* Fixed access denied error messages not being displayed in the
Teleport web UI PostgreSQL client. #57569
* Use the bot details page to view and edit bot configuration,
and see active instances with their upgrade status. #57543
* Fix a bug in the default discovery script that can happen
discovering instances whose PATH doesn't contain
/usr/local/bin. #57531
* Fix a race condition in the Terraform Provider potentially
causing "does not exist" errors the following resources:
auth_preference, autoupdate_config, autoupdate_version,
cluster_maintenance_config, cluster_network_config, and
session_recording_config. #57528
* Fix a Terraform provider bug causing resource creation to be
retried more times than the MaxRetries setting. #57528
* Make it easier to identify Windows desktop certificate issuance
on the audit log page. #57520
* Fix a bug in the TF provider happening when autoupdate_version
or autoupdate_config have non-empty metadata. #57517
* Fix a bug on Windows where a forwarded SSH agent would become
dysfunctional after a single connection using the agent. #57512
* Machine and Workload ID: Add experimental implementation of new
bound_keypair join method for improved bot joining in on-prem
environments. #55037
* Sun Aug 03 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.7.1:
* Fixed usage print for global --help flag. #57452
* Tctl top respects local teleport config file. #57353
* Fixed an issue backfilling CRLs during startup for
long-standing clusters. #57322
* Disable NLA in FIPS mode. #57308
* Fri Aug 01 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.7.0:
* Managed Updates canary support
Managed Updates v2 now support performing canary updates. When
canary updates are enabled for a group, Teleport will update a
few agents first and confirm they come back healthy before
updating the rest of the group.
You can unable canary updates by setting canary_count in your
autoupdate_config:
kind: autoupdate_config
spec:
agents:
mode: enabled
schedules:
regular:
- name: dev
days:
- Mon
- Tue
- Wed
- Thu
start_hour: 20
canary_count: 5
strategy: halt-on-error
Each group can have a maximum of 5 canaries, canaries are
picked randomly among the connected agents.
Canary update support is currently only support by Linux
agents, Kubernetes support will be part of a future release.
* Other fixes and improvements
- Allow YubiKeys running 5.7.4+ firmware to be usable as PIV
hardware keys. #57217
- Tctl will now warn the user when importing a SPIFFE issuer
override chain that contains the root CA. #57168
- Fixed fallback for web login when second factor is set to on
but only OTP is configured. #57159
- Fix a bug causing tctl/tsh to fail on read-only file systems.
[#57148]
- The teleport-distroless container image now disables client
tools updates by default (when using tsh/tctl, you will
always use the version from the image). You can enable them
back by unsetting the TELEPORT_TOOLS_VERSION environment
variable. #57148
- Fixed a crash in Teleport Connect that could occur when
copying large clipboard content during desktop sessions.
[#57131]
- Audit log events for SPIFFE SVID issuances now include the
name/label selector used by the client. #57128
- Fixed client tools managed updates downgrade to older
version. #57111
- Removed unnecessary macOS entitlements from Teleport Connect
subprocesses. #57067
- Machine and Workload ID: The tbot client will now discard
expired identities if needed during renewal to allow
automatic recovery without restarting the process. #57062
- Define access-plugin preset role. #57057
- Resolved an issue where RemoteCluster objects stored in the
cache had incorrect revisions, causing Update calls to fail.
[#56974]
- Update Application APIs to use pagination to avoid exceeding
message size limitations. #56949
- Fix certificate revocation failures in Active Directory
environments when Teleport is using HSM-backed key material.
[#56928]
* Thu Jul 24 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.6.0:
* VNet for SSH
- Teleport VNet now has native support for SSH, enabling any SSH
client to connect to Teleport SSH servers with zero
configuration. Advanced Teleport features like per-session MFA
now have first-class support for a seamless user
experience. #55313
* Other fixes and improvements
- tctl top now supports the local unix sock debug endpoint. #57027
- Added support to tsh App Access commands for Azure CLI (az)
version 2.73.0 and newer. #56951
- Fixed a bug in the Teleport install scripts when running on
MacOS. The install scripts now error instead of trying to
install non existing MacOS FIPS binaries. #56942
- Fixed using relative path TELEPORT_HOME env with client tools
managed update. #56934
- Client tools managed updates support multi-cluster environments
and track each version in the configuration file. #56934
* Fri Jul 18 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.5.6:
* Fix backward compatibility issue introduced in the 17.5.5 / 18.0.1
release related to Access List type, causing the unknown
access_list type "dynamic" validation error. #56888
* Added support for glob-style matching to Spacelift join rules. #56878
* Improve PKINIT compatibility by always including CDP information
in the certificate. #56876
* Wed Jul 16 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.5.5:
* Fixed backward compatibility for Access List
'membershipRequires is missing' for older terraform providers.
[#56743]
* Fixed VNet DNS configuration on Windows hosts joined to Active
Directory domains. #56739
* Updated default client timeout and upload rate for Pyroscope.
[#56731]
* Bot instances are now sortable by latest heartbeat time in the
web UI. #56685
* Updated Go to 1.23.11. #56680
* Fixed tbot SPIFFE Workload API failing to renew SPIFFE SVIDs.
[#56663]
* Fixed some icons displaying as white/black blocks. #56620
* Terraform Provider: add support for skipping proxy certificate
verification in development environments. #56530
* Made VNet DNS available over IPv4. #56476
* Fixed heartbeat_connections_received_total undercounting
Database and Kubernetes heartbeats by 1. #54726
* Thu Jul 03 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.5.4:
* Fixes broken tbot joining in the Terraform provider. #56343
* Machine and Workload Identity: tbot's /readyz endpoint is now
representative of the bot's health. #56306
* Machine and Workload Identity: service names used in tbot's logs
and /readyz endpoint can now be overridden. #56306
* Resolved an issue where directory sharing could become unavailable
after sharing a directory, disconnecting the desktop session, and
reconnecting again. #56275
* Wed Jul 02 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.5.3 (17.5.2 was not released):
* Security fixes
This release also includes fixes for the following security
issues:
- [Critical] Remote authentication bypass
Removed special handling for *ssh.Certificate authorities in
the IsHostAuthority and IsUserAuthority callbacks used by
x/crypto/ssh.CertChecker. #56252
Resolved an issue that allowed remote SSH authentication
bypass on servers with Teleport SSH agents,
OpenSSH-integrated deployments and Teleport Git proxy
deployments. CVE-2025-49825. Refer to the RCA for the full
details.
* Other fixes and improvements
- Fixed duplicated entries in tctl inventory list when using
DynamoDB as cluster state storage. #56182
- Fixed an issue that prevented deletion of an integration
resource if AWS Identity Center plugin was installed in the
Teleport cluster. #56173
- Updated WindowsDesktop and WindowsDesktopService APIs to use
pagination to avoid exceeding message size limitations.
[#56155]
- Fixed users not being redirected back to the login page when
their session expires. #56152
- Fixed error on setting up Teleport Discovery Service step of
the EC2 SSM web UI flow when admin action is enabled
(webauthn). #56145
- Fixed Hardware Key Support for YubiKey firmware versions
5.7.x. #56107
- Added SSO MFA support for desktop access. #56058
- Fixed an issue that could prevent Windows desktop sessions
from terminating when the idle timeout was exceeded. #56048
- Added the teleport-update status --is-up-to-date flag to
change the return code based on the update status. #55950
- Added fork after authentication to tsh ssh. #55894
- Fixed error when creating or updating join tokens in the web
UI when admin action is enabled (second_factor set to
webauthn). #55832
- Machine and Workload Identity: tbot no longer supports
providing a proxy server address via --auth-server or
auth_server, use --proxy-server or proxy_server instead.
[#55820]
- Machine and Workload Identity: tbot will keep retrying if the
auth server is unavailable on startup, instead of exiting
immediately. #55820
- Fixed a memory leak in Kubernetes Access caused by resources
not being cleaned up when clients terminate watch streams.
[#55767]
- Added support for tsh db exec which executes commands across
multiple target databases. When per-session MFA is required,
only one MFA prompt is needed within a 5-minute window.
[#55736]
- Fixed an issue where the output from tctl sso configure
github could not be used with tctl create -f in OSS Teleport.
[#55727]
- Fixed a bug that could cause Kubernetes exec requests to fail
when the Kubernetes cluster had the WebSocket-based exec
protocol disabled. #55722
- Fixed an issue that prevented changes to default shell from
propagating for host users and static host users. #55650
- Updated Go to 1.23.10. #55602
- User experience: Forbid creating Access Requests to
user_group resources when Okta bidirectional sync is
disabled. #55586
- Teleport Connect: Add support for custom reason prompts.
[#55584]
- Fixed database connect options dialog displaying wrong
database username options. #55559
- Fixed updating the default PIN and PUK for hardware key
support in Teleport Connect. #55508
- The tbot client now ensures the O_CLOEXEC flag is used when
opening files on Linux hosts. #55503
- Fixed a bug that caused clipboard and directory sharing to
remain unavailable when the initial desktop connection
failed. #55454
- The Windows installer of Teleport Connect now adds the folder
with tsh to the system path rather than the user path. #55449
- Added support for AWS KMS multi-region keys with key
replication. #55212
- Database protocols using Kerberos (SQL Server, Oracle) can
now be configured to fetch user SID for Full Enforcement
mapping. #54870
* Thu Jun 05 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.5.1 (release 17.5.0 was yanked):
Rerelease of 17.5.0 due to some build issues.
* Azure Console via SAML IdP
Teleport SAML IdP now supports Azure web console as a service
provider.
* Desktop Access in Teleport Connect
Teleport Connect now allows users to connect to Windows
desktops directly from the Teleport Connect application without
needing to use a browser.
* Desktop Access latency detector
Teleport's web UI now shows latency measurements during remote
desktop sessions which indicate both the latency between the
user and the Teleport proxy as well as the latency between the
Teleport proxy and the target host.
* Machine & Workload Identity - Sigstore attestation
Machine & Workload Identity now supports attesting Sigstore
signatures of workloads running on Docker, Podman and
Kubernetes. This allows the issuance of credentials to be
restricted to workloads with container images produced by
legitimate CI/CD systems.
* Azure DevOps joining
Teleport now supports secretless authentication for Bots
running within Azure DevOps pipelines.
* Security fixes
This release also includes fixes for the following security
issues.
These issues are present in previous v17 releases.
Impacted users are recommended to upgrade their auth and proxy
servers to the latest version.
- [High] Unauthorized deletion in AWS IAM Identity Center
integration
- Fixed an issue that allowed unauthenticated access to
delete resources created by Identity Center integration.
[#55400]
This vulnerability affects all AWS IAM Identity Center
integration users. You can check whether you have AWS
Identity Center integration installed either in the Teleport
web UI under Zero Trust Access / Integrations or by running
“tctl get plugins/aws-identity-center” CLI command.
- [High] Short to long term access escalation in Okta
integration
- Enterprise fix: Verify required Okta OAuth scopes during
plugin creation/update.
In Okta integration configurations with enabled access lists
sync, a user with an approved just-in-time access request to
an Okta application could be unintentionally promoted to an
access list granting access to the same application. This
would result in the access to the Okta app/group persisting
after the access request expiration.
This vulnerability affects Okta integration users who have
access lists sync enabled. You can check whether you have an
Okta integration installed with access lists sync enabled
either in the Teleport web UI under Zero Trust Access /
Integrations page or by running “tctl get plugins/okta” CLI
command and looking at the
“spec.settings.okta.sync_settings.sync_access_lists” flag.
- [High] Credential theft via GitHub SSO authentication flow
- Fix improper redirect URL validation for SSO login which
could be taken advantage of in a phishing attack. #55399
This vulnerability affects GitHub SSO users. You can check
whether you’re using GitHub SSO either on the Zero Trust
Access / Auth Connectors page in Teleport web UI or by
running “tctl get connectors” CLI command against your
cluster.
* Other fixes and improvements
- Allow the ssh_service.listen_addr to forcibly be enabled when
operating in reverse tunnel mode to provide an optional
direct access path to hosts. #54215
- View details for a bot instance. #55347
- Prevent unknown resource kinds from rendering errors in the
web UI. #55208
- View and explore "active" bot instances. #55201
- UI: Access Request reason prompts configured in
Role.spec.options.request_prompt are now displayed in the
reason text box, if such a role is assigned to the user.
[#55173]
- Okta: Fixed RBAC sync and Access Requests when only App and
Group sync is enabled (no Access Lists sync). #55169
- Fixed tctl rendering of timestamps in BotInstance resource
YAML. #55163
- Fix the impact of malicious --db-user values on PKINIT flow.
[#55142]
- Fix an issue with Hardware Key Support on Windows where a
command would fail if the PIN prompt was not answered within
5 seconds. #55110
- Fix an issue "Allowed Users" from "tsh db ls" may include
irrelevant entities. #55068
- Updated Web UI, tsh and Connect SSO login to support SAML
http-post binding authentication method. The feature can be
enabled from the SSO connector configuration by adding a new
field as preferred_request_binding: http-post. #55065
- Fix an issue database discovery fails when there are more
than 5 OpenSearch domains. #55058
- Fixed an issue with Device Trust web authentication
redirection that lost the original encoding of SAML
authentication data during service provider initiated SAML
login. #55048
- Fix configured X509 CA override chain not being used by AWS
Roles Anywhere exchange. #54947
- Disabled the "another session is active" prompt when
per-session MFA is enabled, since MFA already enforces user
confirmation when starting a desktop session. #54928
- Added support for desktop access in Teleport Connect. #54926
- Added workload_identity_x509_issuer_override kind to editor
preset role. #54913
- Hardware Key Agent validates known keys by checking active or
expired login session. #54907
- Expose the Teleport service cache health via prometheus
metrics. #54902
- Updated Go to 1.23.9. #54896
- Okta: Fix creating Access Requests for Okta-originated
resources in the legacy okta_service setup. #54876
- Introduced the azure_devops join method to support Bot
joining from the Azure Devops CI/CD platform. #54875
- Add support for exclude filter for AWS IC account and groups
filters. #54835
- Terraform: Fixed Access List resource import. #54802
- Fixed Proxy cache initialization errors in clusters with
large amounts of open web sessions. #54781
- Prevent restrictive validation of cluster auth preferences
from causing non-auth instances to become healthy. #54761
- Improved performance of joining & improved audit log entries
for failed joins. #54747
- Resolved an issue that could cause Teleport Connect to crash
after downgrading from a newer version. #54740
- Reverted the default behavior of the teleport-cluster Helm
chart to use authentication.secondFactor rather than
authentication.secondFactors to avoid incompatibility during
upgrades. #54735
- Workload ID: Added binary_path and binary_hash to the Unix
workload attestor's attributes. #54716
- Includes the attributes used in templating and rule
evaluation within the audit log event for a workload identity
credential issuance. #54714
- Fix an issue with PIV PIN caching where a PIN that is
incorrect would be cached. #54697
- Fix a bug causing a malformed user to break Teleport web UI's
"Users" page. #54681
- Machine ID: Allow --no-oneshot and similar flags to override
config file values. #54651
- Fixed major version check for stateless environment. #54639
- Teleport-update: full support for FIPS agent installations.
[#54609]
- Added support for SSO MFA as a headless MFA method. #54599
- Fixed an issue preventing connections due to missing client
IPs when using class E address space with GKE or CloudFlare
pseudo IPv4 forward headers. #54597
- Create and edit GitHub join tokens from the Join Tokens page.
[#54477]
* Wed May 07 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.4.8:
* Fixed a possible moderator/observer terminal freeze when
joining a Kubernetes moderated session. #54523
* Removed background color for resources that required access
request in the web UI Resources view. #54465
* Show human readable title for access list audit logs. #54459
* Fixed race conditions in tsh ssh multi-node output. #54456
* Fixed an issue causing Join Token expiries to be overwritten
when editing a token. #54450
* Workload Identity: Fixed bugs for the Kubernetes workload
attestor's container resolution. #54442
* Fixed a bug in the EC2 installer script causing Illegal option
- o pipefail errors on several distros when Managed Updates v2
are enabled. #54429
* Include access request's max duration in MsTeams plugin
messages. #54388
* Wed Apr 30 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.4.7:
* AWS Roles Anywhere output now includes the expiration time as
milliseconds since unix epoch. #54386
* Increased the email access plugin timeout for sending e-mails
from 5 to 15 seconds. #54381
* Fixed a potential panic during Auth Server startup when the
backend returns an error. #54327
* Added a Hardware Key Agent to Teleport Connect along with other
significant UX improvements for Hardware Key support. With the
agent enabled, Teleport Connect will handle prompts on behalf
of other Teleport Clients (tsh, tctl), with an additional
option to cache the PIN between client calls (New cluster
option:cap.hardware_key.pin_cache_ttl). #54297
* More customizability options for the AWS Roles Anywhere MWI
service. #54260
* Thu Apr 24 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.4.6:
* User Kind is now correctly reported for Bots in the
app.session.start audit log event. #54241
* Fix a goroutine leak on TLS routing handler errors when Proxy
is behind TLS-terminated load balancers. #54224
* Fix issue that prevent Kubernetes agents from connecting to GKE
control plane using the new DNS-based access mechanism. #54216
* Tbot can now be configured to use a non-standard environment
variable when sourcing the ID Token for GitLab joining. #54187
* Teleport-update: stabilize binary paths in generated tbot
config. #54178
* Fix a bug where the terraform-provider preset role to lacked
permissions to list Windows Desktops on clusters that got
updated from v16 to v17. #54170
* Fixed OIDC SSO MFA with multiple redirect URLs. #54167
* Fix a bug causing the Terraform provider to fail to update
dynamic_windows_desktop resources. #54162
* Reduce log spam in discovery service error messaging. #54149
* The web UI now shows role descriptions in the roles table.
[#54137]
* Leaf cluster joining attempts that conflict with an existing
cluster registered with the root now generate an error instead
of failing silently. #54134
* Reduce backend load in clusters with large numbers of Windows
desktops. #53719
* Sat Apr 19 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.4.5:
* The Teleport Terraform Provider now supports setting the
Managed Updates v2 resources autoupdate_config and
autoupdate_version. #54109
* Fix a bug in managed updates v1 causing updaters v2 and AWS
integrations to never update if weekdays were set in the
cluster_maintenance_config resource. #54088
* Teleport-update: ensure teleport-upgrade is always disabled
when teleport-update is used. #54087
* Added an option for users to select database roles when
connecting to PostgreSQL databases using WebUI. #54068
* Allow the use of expressions in the Where condition on Role
RBAC rules for the Bot resource. #54065
* Machine and Workload Identity: Increase the maximum allowed bot
certificate TTL to 7 days, up from 24 hours. Larger values than
the default 12 hours must be explicitly requested using the new
- -max-session-ttl flag in tctl bots add. #54063
* Teleport-update: Improve defaulting for update groups. #54050
* Fixed VNet on MacOS with hardware keys. #54037
* Added SAML IdP service provider preset for Microsoft Entra
External ID. #54021
* Fixed TLS errors when switching between VNet apps on Windows.
[#54010]
* Wed Apr 16 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.4.4:
* Fixed formatting of Ed25519 SSH keys for PuTTY users. #53972
* Support Oracle join method in Workload Identity templating and
rule evaluation. #53945
* Workload ID: the Kubernetes, Podman, and Docker attestors now
capture the container image digest. #53939
* Fixed web UI and tsh issues when a SAML metadata URL takes an
unusually long time to respond. #53933
* Updated Go to 1.23.8. #53918
* Added support for specifying a WorkloadIdentity-specific
maximum TTL. #53902
* Fixed Azure VM auto discovery when not filtering by resource
group. #53899
* Added new proxy_protocol_allow_downgrade field to the
proxy_service configuration in support of environments where
single stack IPv6 sources are connecting to single stack IPv4
destinations. This feature is not compatible with IP pinning.
[#53885]
* Support for managing the WorkloadIdentity resource in the
Teleport Kubernetes Operator. #53862
* Added detailed audit events for SFTP sessions on agentless
nodes. #53836
* Teleport-update: Add last_update metadata and update tracking
UUID. #53828
* Restrict agent update days to Mon-Thu on Cloud. #53765
* Wed Apr 09 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.4.3:
* Fixed throttling in the DynamoDB backend event stream for tables
with a high amount of stream shards. #53804
* Support for managing the Bot resource in the Teleport Kubernetes
Operator. #53708
* Kubernetes app discovery now supports an additional annotation for
apps that are served on a sub-path of an HTTP service. #53094
* Wed Apr 02 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.4.2:
* Reduced resource consumption and improve latency of tsh
ssh. #53645
* Fixed an issue where expired app session won't redirect to login
page when Teleport is using DynamoDB backend. #53591
* Workload ID: Support for adding custom claims to JWT-SVIDs. #53585
* Sat Mar 29 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.4.1:
* Fix a bug causing the discovery service to fail to configure
teleport on discovered nodes when managed updates v2 are
enabled. #53543
* Fri Mar 28 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.4.0:
* Database access for Oracle RDS
Teleport database access now supports connecting to Oracle RDS
with Kerberos authentication.
* AWS integration status dashboard
Teleport web UI now provides a detailed status dashboard for
AWS integration as well as the new "user tasks" view that
highlights integration issues requiring user attention along
with suggested remediation steps.
* Windows desktop improvements
Teleport now supports registering the same host twice - once as
a domain-joined machine, and one as a standalone machine. This
allows Teleport users to connect as Active Directory users and
local users to the same host.
* Other fixes and improvements
- Enable support for joining Kubernetes sessions in the web UI.
[#53450]
- Fixed an issue tsh proxy db does not honour --db-roles when
renewing certificates. #53445
- Fixed an issue that could cause backend instability when
running very large numbers of app/db/kube resources through a
single agent. #53419
- Added static_jwks field to the GitLab join method
configuration to support cases where Teleport Auth Service
cannot reach the GitLab instance. #53413
- Introduced workload-identity-aws-ra service for generating
AWS credentials using Roles Anywhere directly from tbot.
[#53408]
- Helm chart now supports specifying a second factor list, this
simplifies setting up SSO MFA with the teleport-cluster
chart. #53319
- Improved resource consumption when retrieving resources via
the Web UI or tsh ls. #53302
- Added support for topologySpreadConstraints to the
teleport-cluster Helm chart. #53287
- Fixed rare high CPU usage bug in reverse tunnel agents.
[#53281]
- Fixed an issue PostgreSQL via WebUI fails when IP pinning is
enabled. PostgreSQL via WebUI no longer requires Proxy to
dial its own public address. #53250
- Added overview information to "Enroll New Resource" guides in
the web UI. #53218
- Added support for SendEnv OpenSSH option in tsh. #53216
- Added support for using DynamoDB Streams FIPS endpoints.
[#53201]
- Allow AD and non-AD logins to single Windows desktop. #53199
- Workload ID: support for attesting Systemd services. #53108
* Thu Mar 20 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.3.4:
* Improved clarity of error logs and address UX edge cases in
teleport-update, part 2. #53197
* Fixed the teleport-update systemd service in CentOS 7 and
distros with older systemd versions. #53196
* Fixed panic when trimming audit log entries. #53195
* Fixed an issue causing the teleport process to crash on group
database errors when host user creation was enabled. #53082
* Workload ID: support for attesting Docker workloads. #53069
* Added a --join-method flag to the teleport configure command.
[#53061]
* Improved clarity of error logs and address UX edge cases in
teleport-update. #53048
* The event handler can now generate certificates for DNS names
that are not resolvable. #53026
* Machine ID: Added warning when generated certificates will not
last as long as expected. #53019
* Improve support for teleport-update on CentOS 7 and distros
with older systemd versions. #53017
* You can now use == and != operators with integer operands in
Teleport predicate language. #52991
* Workload ID: support for attesting Podman workloads. #52978
* Web UI now properly shows per-session MFA errors in desktop
sessions. #52916
* Allow specifying the maximum number of PKCS#11 HSM connections.
[#52870]
* Resolved an issue where desktop session recordings could have
incorrect proportions. #52866
* The audit log web UI now renders Teleport Autoupdate Config and
Version events properly. #52838
* Fixed terraform provider data sources. #52816
* Fri Mar 07 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.3.3:
* Updated golang.org/x/net (addresses CVE-2025-22870). #52846
* Fix the issue with multiple Okta app links that is causing a
high level of Okta API usage. #52841
* Wed Mar 05 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.3.2:
* Updated Go to 1.23.7. #52772
* Updated tctl create to automatically fill the metadata and name
on the autoupdate_config and autoupdate_version resources.
[#52751]
* Added version compatibility warnings to Teleport Connect when
logging in to a cluster. #52709
* Support setting the public address for discovered apps based on
Kubernetes annotations. #52700
* Fixed cannot execute: required file not found error with the
teleport-spacelift-runner image. #52560
* Machine ID: Added new Prometheus metrics to track success and
failure of renewal loops. #52496
* Wed Mar 05 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.3.1:
* Escape user provided labels when creating the shell script that
enrolls servers, applications and databases into Teleport.
[#52698]
* Disable legacy alpn upgrade fallback during TLS routing
connection upgrades. Now only WebSocket upgrade headers are
sent by default. TELEPORT_TLS_ROUTING_CONN_UPGRADE_MODE=legacy
can still be used to force legacy upgrades but it will be
deprecated in v18. #52620
* Workload ID: Support for Teleport Predicate Language in
Workload Identity templates and rules. #52564
* Sat Mar 01 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.3.0:
Note for openSUSE users:
The automatic updates via the teleport-update are not included in
this package. if you require this functionality, please use the
official packages from upstream.
* Delegated joining for Oracle Cloud Infrastructure
Teleport agents running on Oracle Cloud Infrastructure (OCI)
are now able to join the Teleport cluster without a static join
token.
* Stable UIDs for host-user creation
Teleport now provides the ability to create host users with
stable UIDs across the entire Teleport cluster.
* Improved GitHub Proxy enrollment flow
Teleport web UI now provides wizard-like guided enrollment flow
for the new GitHub Proxy integration.
* AWS Identity Center integration improvements
AWS Identity Center integration now supports using IAM
authentication instead of OIDC (useful for private clusters)
and a hybrid setup that allows to use another IdP as external
identity source.
* Okta integration improvements
Teleport Okta integration now provides updated guided
enrollment flow and will allow updating integration settings
(such as sync configuration or group filters) without having to
recreate the integration.
Note that the new enrollment flow uses OAuth authentication
method instead of API tokens. If the Okta integration is
installed on v17.3 and the cluster is downgraded the Okta
plugin must be reinstalled to ensure proper functionality.
* Readiness endpoint changes
The Auth Service readiness now reflects the connectivity from
the instance to the backend storage, and the Proxy Service
readiness reflects the connectivity to the Auth Service API. In
case of Auth or backend storage failure, the instances will now
turn unready. This change ensures that control plane components
can be excluded from their relevant load-balancing pools. If
you want to preserve the old behaviour (the Auth Service or
Proxy Service instance stays ready and runs in degraded mode)
in the teleport-cluster Helm chart, you can now tune the
readiness setting to have the pods become unready after a high
number of failed probes.
* Other fixes and improvements
- Added tctl edit support for Identity Center plugin resources.
[#52605]
- Added Oracle join method to web UI provision token editor.
[#52599]
- Added auto-importing of Oracle Cloud tags. #52543
- Added support for X509 revocations to Workload Identity.
[#52503]
- Git proxy commands executed in terminals now support
interactive login prompts when the tsh session expires.
[#52475]
* Wed Feb 26 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.2.9:
* Updated go-jose/v4 to v4.0.5 (addresses CVE-2025-27144). #52467
* Updated /x/crypto and /x/oauth2 (addresses CVE-2025-22869 and
CVE-2025-22868). #52437
* Fixed missing audit event on GitHub proxy RBAC failure. #52427
* Allow to provide tbot configurations via environment variables.
Update tbot-distroless image to run start command by default.
[#52351]
* Logging out from a cluster no longer clears the client
autoupdate binaries. #52337
* Added tctl installer for Identity Center integration. #52336
* Added JSON response support to the /webapi/auth/export public
certificate API endpoint. #52325
* Resolves an issue with tbot where the web proxy port would be
used instead of the SSH proxy port when ports separate mode is
in use. #52291
* Fix Azure SQL Servers connect failures when the database agent
runs on a VM scale set. #52267
* Add filter drop-downs and pinning support for the "Enroll a New
Resource" page in the web UI. #52176
* Improve latency and reduce resource consumption of generating
Kubernetes certificates via tctl auth sign and tsh kube login.
[#52146]
* Thu Feb 20 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- increase constraint for ppc64le to 24Gi
* Thu Feb 20 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.2.8:
* Fixed broken Download Metadata File button from the SAML
enrolling resource flow in the web UI. #52276
* Fixed broken Refresh button in the Access Monitoring reports
page in the web UI. #52276
* Fixed broken Download app.zip menu item in the Integrations
list dropdown menu for Microsoft Teams in the web UI. #52276
* Fixed Unexpected end of JSON input error in an otherwise
successful web API call. #52276
* Teleport Connect now features a new menu for quick access
request management. #52217
* Remove the ability of tctl to load the default configuration
file on Windows. #52188
* Tbot: support overriding credential_ttl and renewal_interval on
most outputs and services. #52185
* Fix an issue that GitHub integration CA gets deleted during
Auth restart for non-software key stores like KMS. For broken
GitHub integrations, the integration resource must be deleted
and recreated. #52149
* Added support for non-FIPS AWS endpoints for IAM and STS on
FIPS binaries (TELEPORT_UNSTABLE_DISABLE_AWS_FIPS=yes) #52127
* Introduced the allow_reissue property to the tbot identity
output for compatibility with tsh based reissuance. #52116
* Fri Feb 14 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.2.7 (there are no releases between 17.2.1 and this):
* Security Fixes
- Fixed security issue with arbitrary file reads on SSH nodes.
[#52136]
- Verify that cluster name of TLS peer certs matches the
cluster name of the CA that issued it to prevent Auth
bypasses. #52130
- Reject authentication attempts from remote identities in the
git forwarder. #52126
* Other fixes and improvements
- Added an escape hatch to allow non-FIPS AWS endpoints on FIPS
binaries (TELEPORT_UNSTABLE_DISABLE_AWS_FIPS=yes). #52069
- Fixed Postgres database access control privileges
auto-provisioning to grant USAGE on schemas as needed for
table privileges and fixed an issue that prevented user
privileges from being revoked at the end of their session in
some cases. #52047
- Updated OpenSSL to 3.0.16. #52037
- Added ability to disable path-style S3 access for third-party
endpoints. #52009
- Fixed displaying Access List form when request reason is
required. #51998
- Fixed a bug in the WebUI where file transfers would always
prompt for MFA, even when not required. #51962
- Reduced CPU consumption required to map roles between
clusters and perform trait to role resolution. #51935
- Client tools managed updates require a base URL for the
open-source build type. #51931
- Fixed an issue leaf AWS console app shows "not found" error
when root cluster has an app of the same name. #51928
- Added securityContext value to the tbot Helm chart. #51907
- Fixed an issue where required apps wouldn't be authenticated
when launching an application from outside the Teleport Web
UI. #51873
- Prevent Teleport proxy failing to initialize when listener
address's host component is empty. #51864
- Fixed connecting to Apps in a leaf cluster when Per-session
MFA is enabled. #51853
- Updated Go to 1.23.6. #51835
- Fixed bug where role max_duration is not respected unless
request max_duration is set. #51821
- Improved instance.join event error messaging. #51779
- Teleport agents always create the debug.sock UNIX socket. The
configuration field debug_service.enabled now controls if the
debug and metrics endpoints are available via the UNIX
socket. #51771
- Backport new Azure integration functionality to v17, which
allows the Discovery Service to fetch Azure resources and
send them to the Access Graph. #51725
- Added support for caching Microsoft Remote Desktop Services
licenses. #51684
- Added Audit Log statistics to tctl top. #51655
- Redesigned the profile switcher in Teleport Connect for a
more intuitive experience. Clusters now have distinct colors
for easier identification, and readability is improved by
preventing truncation of long user and cluster names. #51654
- Fixed a regression that caused the Kubernetes Service to
reuse expired tokens when accessing EKS, GKE and AKS clusters
using dynamic credentials. #51652
- Fixes issue where the Postgres backend would drop App Access
events. #51643
- Fixed a rare crash that can happen with malformed SAML
connector. #51634
- Fixed occasional Web UI session renewal issues (reverts
"Avoid tight renewals for sessions with short TTL"). #51601
- Introduced tsh workload-identity issue-x509 as the
replacement to tsh svid issue and which is compatible with
the new WorkloadIdentity resource. #51597
- Machine ID's new kubernetes/v2 service supports access to
multiple Kubernetes clusters by name or label without needing
to issue new identities. #51535
- Quoted the KUBECONFIG environment variable output by the tsh
proxy kube command. #51523
- Fixed a bug where performing an admin action in the WebUI
would hang indefinitely instead of getting an actionable
error if the user has no MFA devices registered. #51513
- Added support for continuous profile collection with
Pyroscope. #51477
- Added support for customizing the base URL for downloading
Teleport packages used in client tools managed updates.
[#51476]
- Improved handling of client session termination during
Kubernetes Exec sessions. The disconnection reason is now
accurately returned for cases such as certificate expiration,
forced lock activation, or idle timeout. #51454
- Fixed an issue that prevented IPs provided in the
X-Forwarded-For header from being honored in some scenarios
when TrustXForwardedFor is enabled. #51416
- Added support for multiple active CAs in the /auth/export
endpoint. #51415
- Fixed integrations status page in WebUI. #51404
- Fixed a bug in GKE auto-discovery where the process failed to
discover any clusters if the identity lacked permissions for
one or more detected GCP project IDs. #51399
- Introduced the new workload_identity resource for configuring
Teleport Workload Identity. #51288
* Mon Jan 27 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.2.1:
* Security Fixes
- Improve Azure join validation by verifying subscription ID.
[#51328]
* Other Improvements and Fixes
- Added support for multiple active CAs in tctl auth export.
[#51375]
- Teleport Connect now shows a resource name in the status bar.
[#51374]
- Role presets now include default values for
github_permissions and the git_server resource kind.
github_permissions now supports traits. #51369
- Fix backwards compatibility error where users were unable to
login with Teleport Connect if Connect version is below
v17.2.0 with Teleport cluster version v17.2.0. #51368
- Added wildcard-workload-identity-issuer preset role to
improve Day 0 experience with configuring Teleport Workload
Identity. #51341
- Added more granular audit logging surrounding SSH port
forwarding. #51325
- Fixes a bug causing the terraform-provider preset role to not
automatically allow newly supported resources. #51320
- GitHub server resource now shows in Web UI. #51303
* Mon Jan 27 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.2.0:
* Per-session MFA via IdP
- Teleport users can now satisfy per-session MFA checks by
authenticating with an external identity provider as an
alternative to using second factors registered with Teleport.
* GitHub access
- Teleport now natively supports GitHub access allowing users
to transparently interact with GitHub with RBAC and audit
logging support.
* Oracle Toad client support
- Oracle Database Access users can now use the Toad GUI client.
* Trusted clusters support for Kubernetes operator
- Kubernetes operator users can now create trusted clusters
using Kubernetes custom resources.
* Other improvements and fixes
- Fixed WebAuthn attestation for Windows Hello. #51247
- Include invited and reason fields in SessionStartEvents.
[#51175]
- Updated Go to 1.23.5. #51172
- Fixed client tools auto-updates executed by aliases (causes
recursive alias error). #51154
- Support proxying Git commands for github.com. #51086
- Assuming an Access Request in Teleport Connect now propagates
elevated permissions to already opened Kubernetes tabs.
[#51055]
- Fixed AWS SigV4 parse errors in app access when the
application omits the optional spaces between the SigV4
components. #51043
- Fixed a Database Service bug where
db_service.resources.aws.assume_role_arn settings could
affect non-AWS dynamic databases or incorrectly override
db_service.aws.assume_role_arn settings. #51039
- Adds support for defining labels in the web UI Discover flows
for single resource enroll (server, AWS and web applications,
Kubernetes, EKS, RDS). #51038
- Added support for using multi-port TCP apps in Teleport
Connect without VNet. #51014
- Fix naming conflict of DynamoDB audit event auto scaling
policy. #50990
- Prevent routing issues for agentless nodes that are created
with non-UUID metadata.name fields. #50924
- Honor the cluster routing strategy when client initiated host
resolution via proxy templates or label matching is
ambiguous. #50799
- Emit audit events on access request expiry. #50775
- Add full SSO MFA support for the WebUI. #50529
* Tue Jan 14 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.1.6:
* Fix panic in EKS Auto Discovery. #50998
* Add trusted clusters support to Kubernetes operator. #50995
* Sat Jan 11 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.1.5:
- Fixes an issue causing Azure join method to fail due to
throttling. #50928
- Fix Teleport Connect Oracle support. Requires updated Teleport
database agents (v17.1.5+). #50922
- Prevent quoting errors in log messages. #50821
- Fixed an issue that could cause teleport event handlers to
become stuck in an error loop upon upgrading to v17 (fix
requires upgrading auth server). #50820
- Add user_agent field to db.session.start audit events. #50806
- Fix an issue "tsh aws ssm start-session" fails when KMS
encryption is enabled. #50796
- Support wider range of Oracle clients and simplified
configuration. #50740
- Added support for multi-port TCP apps to tsh proxy app. #50691
* Tue Jan 07 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- add _constraints to fix builds on ppc64le
* Tue Jan 07 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.1.4:
* Fixed a Postgres database-access auto-user provisioning syntax
error that caused a misleading debug level error log in most
cases, unless the database admin is not a superuser and the
database was upgraded from Postgres v15 or lower to Postgres
v16 or higher, in which case the role "teleport-auto-user" must
be granted to the database admin with the ADMIN option
manually. #50782
* Fixes a bug where S3 bucket details fail to fetch due to
incorrect bucket region. #50763
* Present connection errors to the Web UI terminal during
database sessions. #50700
* Fri Jan 03 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.1.3:
* Fixes a bug where v16 Teleport cannot connect to v17.1.0,
v17.1.1 and v17.1.2 clusters. #50658
* Prevent panicking during shutdown when SQS consumer is
disabled. #50648
* Add a --labels flag to the tctl tokens ls command. #50624
* Tue Dec 31 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.1.2:
* Fixed a bug in the WebUI that could cause an access denied
error when accessing application. #50611
* Improve session playback initial delay caused by an additional
events query. #50592
* Fix a bug in the tbot Helm chart causing invalid configuration
when both default and custom outputs were used. #50526
* Restore the ability to play session recordings in the web UI
without specifying the session duration in the URL. #50459
* Fix regression in tbot on Linux causing the Kubernetes
credential helper to fail. #50413
* Sat Dec 21 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.1.1:
17.1.1 fixes a regression in 17.1.0 that causes SSH server
heartbeats to disappear after a few minutes. Please skip 17.1.0
and upgrade straight to 17.1.1 or above. #50490
* Access requests support for AWS Identity Center
- AWS Identity Center integration now allows users to request
short or long term access to permission sets via Access
Requests.
* Database access for PostgreSQL via web UI
- Database access users can now connect to PostgreSQL databases
connected to Teleport right from the web UI and use
psql-style interface to query the database.
* Hosted email plugin for Access Requests
- Users now have the ability to setup Mailgun or generic SMTP
server for Access Request notifications using Teleport web UI
without needing to self-host the email plugin.
* Multi-port support for VNet
- Users now supports multiple ports (or a range of ports) with
a single TCP application, and Teleport VNet will make all of
the application's ports accessible on the virtual network.
* Graphical Role Editor
- Teleport's web UI includes a new role editor that allows
users to create and modify roles without resorting to a raw
YAML editor.
* Granular SSH port forwarding controls
- Teleport now allows cluster administrators to enable local
and remote port forwarding separately rather than grouping
both types of port forwarding behind a single option.
* Other improvements and fixes
- Fixed an issue that could cause some antivirus tools to block
Teleport's Device Trust feature on Windows machines. #50453
- Updates the UI login redirection service to honor redirection
to enterprise/saml-idp/sso path even if user is already
authenticated with Teleport. #50442
- Reduced cluster state storage load in clusters with a large
amount of resources. #50430
- Updated golang.org/x/net to v0.33.0 (addresses
CVE-2024-45338). #50397
- Fixed an issue causing panics in SAML app or OIDC integration
deletion relating to AWS Identity Center integration. #50360
- Fix missing roles in Access Lists causing users to be locked
out of their account. #50298
- Added support for connecting to PostgreSQL databases using
WebUI. #50287
- Improved the performance of Teleport agents serving a large
number of resources in Kubernetes. #50279
- Improve performance of Kubernetes App Auto Discover. #50269
- Added more granular access controls for SSH port forwarding.
Access to remote or local port forwarding can now be
controlled individually using the new ssh_port_forwarding
role option. #50241
- Properly close ssh port forwarding connections to prevent
requests hanging indefinitely. #50238
- Teleport's RDP client now sets the load balancing cookie to
improve compatibility with local traffic managers. #50226
- Fixes an intermittent EKS authentication failure when dealing
with EKS auto-discovery. #50197
- Expose /.well-known/jwks-okta public endpoint for Okta API
services type App. #50177
- Switched to a new role editor UI. #50030
- Added support for multiple ports to TCP applications. #49711
- Allow multiple consecutive occurrences of - and . in SSH
server hostnames. #50410
- Fixed bug causing users to see notifications for their own
access requests in some cases. #50076
- Improved the cluster initialization process's ability to
recovery from errors. #49966
* Fri Dec 20 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.1.0:
* Access requests support for AWS Identity Center AWS Identity
Center integration now allows users to request short or long
term access to permission sets via Access Requests.
* Database access for PostgreSQL via web UI Database access users
can now connect to PostgreSQL databases connected to Teleport
right from the web UI and use psql-style interface to query the
database.
* Hosted email plugin for Access Requests Users now have the
ability to setup Mailgun or generic SMTP server for Access
Request notifications using Teleport web UI without needing to
self-host the email plugin.
* Multi-port support for VNet Users now supports multiple ports
(or a range of ports) with a single TCP application, and
Teleport VNet will make all of the application's ports
accessible on the virtual network.
* Graphical Role Editor Teleport's web UI includes a new role
editor that allows users to create and modify roles without
resorting to a raw YAML editor.
* Granular SSH port forwarding controls Teleport now allows
cluster administrators to enable local and remote port
forwarding separately rather than grouping both types of port
forwarding behind a single option.
* Other improvements and fixes
- Fixed an issue that could cause some antivirus tools to block
Teleport's Device Trust feature on Windows machines. #50453
- Updates the UI login redirection service to honor redirection
to enterprise/saml-idp/sso path even if user is already
authenticated with Teleport. #50442
- Reduced cluster state storage load in clusters with a large
amount of resources. #50430
- Updated golang.org/x/net to v0.33.0 (addresses
CVE-2024-45338). #50397
- Fixed an issue causing panics in SAML app or OIDC integration
deletion relating to AWS Identity Center integration. #50360
- Fix missing roles in Access Lists causing users to be locked
out of their account. #50298
- Added support for connecting to PostgreSQL databases using
WebUI. #50287
- Improved the performance of Teleport agents serving a large
number of resources in Kubernetes. #50279
- Improve performance of Kubernetes App Auto Discover. #50269
- Added more granular access controls for SSH port forwarding.
Access to remote or local port forwarding can now be
controlled individually using the new ssh_port_forwarding
role option. #50241
- Properly close ssh port forwarding connections to prevent
requests hanging indefinitely. #50238
- Teleport's RDP client now sets the load balancing cookie to
improve compatibility with local traffic managers. #50226
- Fixes an intermittent EKS authentication failure when dealing
with EKS auto-discovery. #50197
- Expose /.well-known/jwks-okta public endpoint for Okta API
services type App. #50177
- Switched to a new role editor UI. #50030
- Added support for multiple ports to TCP applications. #49711
- Allow multiple consecutive occurrences of - and . in SSH
server hostnames. #50410
- Fixed bug causing users to see notifications for their own
access requests in some cases. #50076
- Improved the cluster initialization process's ability to
recovery from errors. #49966
* Thu Dec 12 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.0.5:
* Updated golang.org/x/crypto to v0.31.0 (CVE-2024-45337). #50078
* Fixed tsh ssh -Y when jumping between multiple servers. #50031
* Reduced Auth memory consumption when agents join using the
azure join method. #49998
* Our OSS OS packages (rpm, deb, etc) now have up-to-date
metadata. #49962
* tsh correctly respects the --no-allow-passwordless flag. #49933
* The web session authorization dialog in Teleport Connect is now
a dedicated tab, which properly shows a re-login dialog when
the local session is expired. #49931
* Added an interactive mode for tctl auth rotate. #49896
* Fixed a panic when the auth server does not provide a license
expiry. #49876
* Sun Dec 08 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.0.4:
* Fixed a bug introduced in 17.0.3 breaking in-cluster joining on
some Kubernetes clusters. #49841
* SSH or Kubernetes information included for audit log list for
start session events. #49832
* Avoid tight web session renewals for sessions with short TTL
(between 3m and 30s). #49768
* Updated Go to 1.23.4. #49758
* Fixed re-rendering bug when filtering Unified Resources. #49744
* Wed Dec 04 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.0.3:
* Restore ability to disable multi-factor authentication for
local users. #49692
* Bumping one of our dependencies to a more secure version to
address CVE-2024-53259. #49662
* Add ability to configure resource labels in teleport-cluster's
operator sub-chart. #49647
* Fixed proxy peering listener not using the exact address
specified in peer_listen_addr. #49589
* Teleport Connect now shows whether it is being used on a
trusted device or if enrollment is required for full access.
[#49577]
* Kubernetes in-cluster joining now also accepts tokens whose
audience is the Teleport cluster name (before it only allowed
the default Kubernetes audience). Kubernetes JWKS joining is
unchanged and still requires tokens with the cluster name in
the audience. #49556
* Session recording playback in the web UI is now searchable.
[#49506]
* Fixed an incorrect warning indicating that tsh v17.0.2 was
incompatible with cluster v17.0.1, despite full compatibility.
[#49491]
* Increase CockroachDB setup timeout from 5 to 30 seconds. This
mitigates the Auth Service not being able to configure TTL on
slow CockroachDB event backends. #49469
* Fixed a potential panic in login rule and SAML IdP expression
parser. #49429
* Support for long-running kube exec/port-forward, respect
client_idle_timeout config. #49421
* Fixed a permissions error with Postgres database user
auto-provisioning that occurs when the database admin is not a
superuser and the database is upgraded to Postgres v16 or
higher. #49390
* Tue Nov 26 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.0.2:
* Fixed missing user participants in session recordings listing
for non-interactive Kubernetes recordings. #49343
* Support delegated joining for Bitbucket Pipelines in Machine
ID. #49335
* Fix a bug in the Teleport Operator chart that causes the
operator to not be able to watch secrets during secret
injection. #49327
* You can now search text within SSH sessions in the Web UI and
Teleport Connect. #49269
* Teleport Connect now refreshes the resources view after
dropping an access request. #49264
* Fixed an issue where teleport park processes could be leaked
causing runaway resource usage. #49260
* Fixed VNet not being able to connect to the daemon. #49199
* The tsh puttyconfig command now disables GSSAPI auth settings
to avoid a "Not Responding" condition in PuTTY. #49189
* Allow Azure VMs to join from a different subscription than
their managed identity. #49156
* Fix an issue loading the license file when Teleport is started
without a configuration file. #49150
* Added support for directly configuring JWKS for GitHub joining
for circumstances where the GHES is not reachable by the
Teleport Auth Service. #49049
* Fixed a bug where Access Lists imported from Microsoft Entra ID
fail to be created if their display names include special
characters. #5551
* Wed Nov 20 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.0.1 (17.0.0 was not released):
* Teleport 17 brings the following new features and improvements:
- Refreshed web UI
- Modern signature algorithms
- (Preview) AWS IAM Identity Center integration
- Hardware key support for Teleport Connect
- Nested access lists
- Access lists UI/UX improvements
- Signed and notarized macOS assets
- Datadog Incident Management plugin for access requests
- Hosted Microsoft Teams plugin for access requests
- Dynamic registration for Windows desktops
- Support for images in web SSH sessions
- tbot CLI updates
* Refreshed Web UI
We have updated and improved designs and added a new navigation
menu to Teleport 17’s web UI to enhance its usability and
scalability.
* Modern signature algorithms
Teleport 17 admins have the option to use elliptic curve
cryptography for the majority of user, host, and certificate
authority key material. This includes Ed25519 SSH keys and
ECDSA TLS keys, replacing the RSA keys used today. New
clusters will leverage modern signature algorithms by default.
Existing Teleport clusters will continue to use RSA2048 until a
CA rotation is performed.
* (Preview) AWS IAM Identity Center integration
Teleport 17 integrates with AWS IAM Identity Center to allow
users to sync and manage AWS IC group members via Access Lists.
See documentation guide.
* Hardware key support for Teleport Connect
We have extended Teleport 17’s support for hardware-backed
private keys to Teleport Connect.
* Nested access lists
Teleport 17 admins and access list owners can add access lists
as members in other access lists. See details in the
documentation.
* Access lists UI/UX improvements
Teleport 17 web UI has an updated access lists page that will
include the new table view, improved search and filtering
capabilities.
* Datadog Incident Management plugin for access requests
Teleport 17 supports PagerDuty-like integration with Datadog's
on-call and incident management APIs for access request
notifications. See the configuration guide.
* Hosted Microsoft Teams plugin for access requests
Teleport 17 adds support for Microsoft Teams integration for
access request notifications using Teleport web UI without
needing to self-host the plugin.
* Dynamic registration for Windows desktops
Dynamic registration allows Teleport administrators to register
new Windows desktops without having to update the static
configuration files read by Teleport Windows Desktop Service
instances.
* Support for images in web SSH sessions
The SSH console in Teleport’s web UI includes support for
rendering images via both the SIXEL and iTerm Inline Image
Protocol (IIP).
* tbot CLI updates
The tbot client now supports starting most outputs and services
directly from the command line with no need for a configuration
file using the new tbot start <mode> family of commands. If
desired, a given command can be converted to a YAML
configuration file with tbot configure <mode>. Additionally,
tctl now supports inspection and management of bot instances
using the tctl bots instances family of commands. This allows
onboarding of new instances for existing bots with tctl bots
instances add, and inspection of existing instances with tctl
bots instances list.
* Breaking changes and deprecations
- Enforced stricter requirements for SSH hostnames
Hostnames are only allowed if they are less than 257
characters and consist of only alphanumeric characters and
the symbols . and -. Any hostname that violates the new
restrictions will be changed, the original hostname will be
moved to the teleport.internal/invalid-hostname label for
discoverability. Any Teleport agents with an invalid
hostname will be replaced with the host UUID. Any Agentless
OpenSSH Servers with an invalid hostname will be replaced
with the host of the address, if it is valid, or a randomly
generated identifier. Any hosts with invalid hostnames
should be updated to comply with the new requirements to
avoid Teleport renaming them.
- TELEPORT_ALLOW_NO_SECOND_FACTOR removed
As of Teleport 16, multi-factor authentication is required
for local users. To assist with upgrades, Teleport 16
included a temporary opt-out mechanism via the
TELEPORT_ALLOW_NO_SECOND_FACTOR environment variable. This
opt-out mechanism has been removed.
- TOTP for per-session MFA
Teleport 17 is the last release where tsh will allow for
using TOTP with per-session MFA. Starting with Teleport 18,
tsh will require a strong webauthn credential for per-session
MFA. TOTP will continue to be accepted for the initial
login.
* Fri Nov 15 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- add completions for teleport, tsh, tctl and tbot
* Tue Nov 12 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 16.4.7:
* Fixed bug in Kubernetes session recordings where both root and
leaf cluster recorded the same Kubernetes session. Recordings
of leaf resources are only available in leaf clusters. #48738
* Machine ID can now be forced to use the explicitly configured
proxy address using the TBOT_USE_PROXY_ADDR environment
variable. This should better support split proxy address
operation. #48675
* Fixed undefined error in open source version when clicking on
Add Application tile in the Enroll Resources page in the Web
UI. #48616
* Updated Go to 1.22.9. #48581
* The teleport-cluster Helm chart now uses the configured
serviceAccount.name from chart values for its pre-deploy
configuration check Jobs. #48579
* Fixed a bug that prevented the Teleport UI from properly
displaying Plugin Audit log details. #48462
* Fixed an issue preventing migration of unmanaged users to
Teleport host users when including teleport-keep in a role's
host_groups. #48455
* Fixed showing the list of access requests in Teleport Connect
when a leaf cluster is selected in the cluster selector. #48441
* Added Connect support for selecting Kubernetes namespaces
during access requests. #48413
* Fixed a rare "internal error" on older U2F authenticators when
using tsh. #48402
* Fixed tsh play not skipping idle time when --skip-idle-time was
provided. #48397
* Added a warning to tctl edit about dynamic edits to statically
configured resources. #48392
* Define a new role.allow.request field called
kubernetes_resources that allows admins to define what kinds of
Kubernetes resources a requester can make. #48387
* Fixed a Teleport Kubernetes Operator bug that happened for
OIDCConnector resources with non-nil max_age. #48376
* Updated host user creation to prevent local password expiration
policies from affecting Teleport managed users. #48163
* Added support for Entra ID directory synchronization for
clusters without public internet access. #48089
* Fixed "Missing Region" error for teleport bootstrap commands.
[#47995]
* Fixed a bug that prevented selecting security groups during the
Aurora database enrollment wizard in the web UI. #47975
* During the Set Up Access of the Enroll New Resource flows, Okta
users will be asked to change the role instead of entering the
principals and getting an error afterwards. #47957
* Fixed teleport_connected_resource metric overshooting after
keepalive errors. #47949
* Fixed an issue preventing connections with users whose
configured home directories were inaccessible. #47916
* Added a resolve command to tsh that may be used as the target
for a Match exec condition in an SSH config. #47868
* Respect HTTP_PROXY environment variables for Access Request
integrations. #47738
* Updated tsh ssh to support the -- delimiter similar to openssh.
It is now possible to execute a command via tsh ssh user@host
- - echo test or tsh ssh -- host uptime. #47493
* Wed Oct 23 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 16.4.6 (16.4.4 and 16.4.5 do not exist):
* Security Fix - [High] Privilege persistence in Okta SCIM-only
integration
When Okta SCIM-only integration is enabled, in certain cases
Teleport could calculate the effective set of permission based
on SSO user's stale traits. This could allow a user who was
unassigned from an Okta group to log into a Teleport cluster
once with a role granted by the unassigned group being present
in their effective role set.
Note: This issue only affects Teleport clusters that have
installed a SCIM-only Okta integration as described in this
guide. If you have an Okta integration with user sync enabled
or only using Okta SSO auth connector to log into your Teleport
cluster without SCIM integration configured, you're unaffected.
To verify your configuration:
- Use tctl get plugins/okta --format=json | jq
".[].spec.Settings.okta.sync_settings.sync_users"
command to check if you have Okta integration with user sync
enabled. If it outputs null or false, you may be affected and
should upgrade.
- Check SCIM provisioning settings for the Okta application you
created or updated while following the SCIM-only setup guide.
If SCIM provisioning is enabled, you may be affected and
should upgrade.
We strongly recommend customers who use Okta SCIM integration
to upgrade their auth servers to version 16.3.0 or later.
Teleport services other than auth (proxy, SSH, Kubernetes,
desktop, application, database and discovery) are not impacted
and do not need to be updated.
* Other improvements and fixes
- Added a new teleport_roles_total metric that exposes the
number of roles which exist in a cluster. #47812
- Teleport's Windows Desktop Service now filters domain-joined
Linux hosts out during LDAP discovery. #47773
- The join_token.create audit event has been enriched with
additional metadata. #47765
- Propagate resources configured in teleport-kube-agent chart
values to post-install and post-delete hooks. #47743
- Add support for the Datadog Incident Management plugin helm
chart. #47727
- Automatic device enrollment may be locally disabled using the
TELEPORT_DEVICE_AUTO_ENROLL_DISABLED=1 environment variable.
[#47720]
- Fixed the Machine ID and GitHub Actions wizard. #47708
- Added migration to update the old import_all_objects database
object import rule to the new preset. #47707
- Alter ServiceAccounts in the teleport-cluster Helm chart to
automatically disable mounting of service account tokens on
newer Kubernetes distributions, helping satisfy security
linters. #47703
- Avoid tsh auto-enroll escalation in machines without a TPM.
[#47695]
- Fixed a bug that prevented users from canceling tsh scan keys
executions. #47658
- Postgres database session start events now include the
Postgres backend PID for the session. #47643
- Reworked the teleport-event-handler integration to
significantly improve performance, especially when running
with larger --concurrency values. #47633
- Fixes a bug where Let's Encrypt certificate renewal failed in
AMI and HA deployments due to insufficient disk space caused
by syncing audit logs. #47622
- Adds support for custom SQS consumer lock name and disabling
a consumer. #47614
- Fixed an issue that prevented RDS Aurora discovery
configuration in the AWS OIDC enrollment wizard when any
cluster existed without member instances. #47605
- Extend the Datadog plugin to support automatic approvals.
[#47602]
- Allow using a custom database for Firestore backends. #47583
- Include host name instead of host uuid in error messages when
SSH connections are prevented due to an invalid login. #47578
- Fix the example Terraform code to support the new larger
Teleport Enterprise licenses and updates output of web
address to use fqdn when ACM is disabled. #47512
- Add new tctl subcommands to manage bot instances. #47225
* Fri Oct 18 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 16.4.3:
* Extended Teleport Discovery Service to support resource
discovery across all projects accessible by the service
account. #47568
* Fixed a bug that could allow users to list active sessions even
when prohibited by RBAC. #47564
* The tctl tokens ls command redacts secret join tokens by
default. To include the token values, provide the new
- -with-secrets flag. #47545
* Added missing field-level documentation to the terraform
provider reference. #47469
* Fixed a bug where tsh logout failed to parse flags passed with
spaces. #47460
* Fixed the resource-based labels handler crashing without
restarting. #47452
* Install teleport FIPS binary in FIPS environments during Server
Auto Discover. #47437
* Fix possibly missing rules when using large amount of Access
Monitoring Rules. #47430
* Added ability to list/get AccessMonitoringRule resources with
tctl. #47401
* Include JWK header in JWTs issued by Teleport Application
Access. #47393
* Teleport Workload ID now supports issuing JWT SVIDs via the
Workload API. #47389
* Added kubeconfig context name to the output table of tsh proxy
kube command for enhanced clarity. #47383
* Improve error messaging when connections to offline agents are
attempted. #47361
* Allow specifying the instance type of AWS HA Terraform bastion
instance. #47338
* Added a config option to Teleport Connect to control how it
interacts with the local SSH agent (sshAgent.addKeysToAgent).
[#47324]
* Teleport Workload ID issued JWT SVIDs are now compatible with
OIDC federation with a number of platforms. #47317
* The "ha-autoscale-cluster" terraform module now support default
AWS resource tags and ASG instance refresh on configuration or
launch template changes. #47299
* Fixed error in Workload ID in cases where the process ID cannot
be resolved. #47274
* Teleport Connect for Linux now requires glibc 2.31 or later.
[#47262]
* Fixed a bug where security group rules that refer to another
security group by ID were not displayed in web UI enrollment
wizards when viewing security group rules. #47246
* Improve the msteams access plugin debug logging. #47158
* Fix missing tsh MFA prompt in certain OTP+WebAuthn scenarios.
[#47154]
* Updates self-hosted db discover flow to generate 2190h TTL
certs, not 12h. #47125
* Fixes an issue preventing access requests from displaying user
friendly resource names. #47112
* Fixed a bug where only one IP CIDR block security group rule
for a port range was displayed in the web UI RDS enrollment
wizard when viewing a security group. #47077
* The tsh play command now supports a text output format. #47073
* Updated Go to 1.22.8. #47050
* Fixed the "source path is empty" error when attempting to
upload a file in Teleport Connect. #47011
* Added static host users to Terraform provider. #46974
* Enforce a global device_trust.mode=required on OSS processes
paired with an Enterprise Auth. #46947
* Added a new config option in Teleport Connect to control SSH
agent forwarding (ssh.forwardAgent); starting in Teleport
Connect v17, this option will be disabled by default. #46895
* Correctly display available allowed logins of leaf AWS Console
Apps on tsh app login. #46806
* Allow all audit events to be trimmed if necessary. #46499
* Fri Sep 27 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 16.4.2:
* Fixed a panic when using the self-hosted PagerDuty plugin.
[#46925]
* A user joining a session will now see available controls for
terminating & leaving the session. #46901
* Fixed a regression in the SAML IdP service which prevented
cache from initializing in a cluster that may have a service
provider configured with unsupported acs_url and relay_state
values. #46845
* Wed Sep 25 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 16.4.1:
* Secrets support for Kubernetes Operator
- Kubernetes Operator is now able to lookup values from
Kubernetes secrets for GithubConnector.ClientSecret and
OIDCConnector.ClientSecret.
* Other improvements and fixes
- Fixed a regression that made it impossible to read the
Teleport Audit Log after creating a plugin if the audit event
is present. #46831
- Added a new flag to static host users spec that allows
teleport to automatically take ownership across matching
hosts of any users with the same name as the static host
user. #46828
- Added support for Kubernetes SPDY over Websocket Protocols
for PortForward. #46815
- Fixed a regression where Teleport swallowed Kubernetes API
errors when using kubectl exec with a Kubernetes cluster
newer than v1.30.0. #46811
- Added support for Access Request Datadog plugin. #46740
* Sat Sep 21 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 16.4.0:
* Machine ID for HCP Terraform and Terraform Enterprise
Teleport now supports secure joining via Terraform Cloud,
allowing Machine ID workflows to run on Terraform Cloud without
shared secrets.
* SPIFFE Federation for Workload Identity
Teleport Workload Identity now supports SPIFFE Federation,
allowing trust relationships to be established between a
Teleport cluster's trust domain and trust domains managed by
other SPIFFE compatible platforms. Establishing a relationship
between the trust domains enables workloads belonging to one
trust domain to validate the identity of workloads in the other
trust domain, and vice versa.
* Multi-domain support for web applications
Teleport now supports web application access where one
application depends on another. For example, you may have a web
application that depends on a backend API service, both of
which are separate apps protected by Teleport.
* Okta integration status dashboard
Cluster admins are now able to get a detailed overview of the
Okta integration status in the Teleport web UI.
* Other improvements and fixes
- Fixed the web favicon not displaying on specific builds.
[#46736]
- Fixed regression in private key parser to handle mismatched
PEM headers. #46727
- Removed TXT record validation from custom DNS zones in VNet;
VNet now supports any custom DNS zone, as long as it's
included in vnet_config. #46722
- Fixed audit log not recognizing static host user events.
[#46697]
- Fixes a bug in Kubernetes access that causes the error
expected *metav1.PartialObjectMetadata object when trying to
list resources. #46694
- Added a new default_shell configuration for the static host
users resource that works exactly the same as the
create_host_user_default_shell configuration added for roles.
[#46688]
- Machine ID now generates cluster-specific ssh_config and
known_hosts files which will always direct SSH connections
made using them via Teleport. #46684
- Fixed a regression that prevented the fish shell from
starting in Teleport Connect. #46662
- Added a new create_host_user_default_shell configuration
under role options that changes the default shell of auto
provisioned host users. #46648
- Fixed an issue that prevented host user creation when the
username was also listed in host_groups. #46635
- Fixed tsh scp showing a login prompt when attempting to
transfer a folder without the recursive option. #46603
- The Teleport Terraform provider now supports
AccessMonitoringRule resources. #46582
- The teleport-plugin-slack chart can now deploy tbot to obtain
and renew the Slack plugin credentials automatically. This
setup is easier and more secure than signing long-lived
credentials. #46581
- Always show the device trust green shield for authenticated
devices. #46565
- Add new terraform_cloud joining method to enable secretless
authentication on HCP Terraform jobs for the Teleport
Terraform provider. #46049
- Emit audit logs when creating, updating or deleting Teleport
Plugins. #4939
* Sat Sep 14 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 16.3.0:
* Out-of-band user creation
- Cluster administrators are now able to configure Teleport's
ssh_service to ensure that certain host users exist on the
machine without the need to start an SSH session. #46498
* Other improvements and fixes
- Allow the cluster wide ssh dial timeout to be set via
auth_service.ssh_dial_timeout in the Teleport config file.
[#46507]
- Fixed an issue preventing session joining while host user
creation was in use. #46501
- Added tbot Helm chart for deploying a Machine ID Bot into a
Teleport cluster. #46373
* Sat Sep 14 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 16.2.2:
* Fixed an issue that prevented the Firestore backend from
reading existing data. #46433
* The teleport-kube-agent chart now correctly propagates
configured annotations when deploying a StatefulSet. #46421
* Fixed regression with Slack notification rules matching on
plugin name instead of type. #46391
* Update tsh puttyconfig to respect any defined proxy templates.
[#46384]
* Ensure that additional pod labels are carried over to
post-upgrade and post-delete hook job pods when using the
teleport-kube-agent Helm chart. #46232
* Fix bug that renders WebUI unusable if a role is deleted while
it is still being in use by the logged in user. #45774
* Sat Sep 14 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 16.2.1 (there is no 16.2.0 release):
* Fixed debug service not being turned off by configuration;
Connect My Computer in Teleport Connect should no longer fail
with "bind: invalid argument". #46293
* Fixed an issue that could result in duplicate session
recordings being created. #46265
* Connect now supports bulk selection of resources to create an
access request in the unified resources view. #46238
* Added support for the teleport_installer resource to the
Teleport Terraform provider. #46200
* Fixed an issue that would cause reissue of certificates to fail
in some scenarios where a local auth service was present.
[#46184]
* Updated OpenSSL to 3.0.15. #46180
* Extend Teleport ability to use non-default cluster domains in
Kubernetes, avoiding the assumption of cluster.local. #46150
* Fixed retention period handling in the CockroachDB audit log
storage backend. #46147
* Prevented Teleport Kubernetes access from resending resize
events to the party that triggered the terminal resize,
avoiding potential resize loops. #46066
* Fixed an issue where attempts to play/export certain session
recordings would fail with gzip: invalid header. #46035
* Fixed a bug where Teleport services could not join the cluster
using iam, azure, or tpm methods when the proxy service
certificate did not contain IP SANs. #46010
* Prevent connections from being randomly terminated by Teleport
proxies when proxy_protocol is enabled and TLS is terminated
before Teleport Proxy. #45992
* Updated the icons for server, application, and desktop
resources. #45990
* Added eks:UpdateAccessEntry to IAM permissions generated by the
teleport integration IAM setup command and to the documentation
reference for auto-discovery IAM permissions. #45983
* Added ServiceNow support to access request notification routing
rules. #45965
* Added PagerDuty support to access request notification routing
rules. #45913
* Fixed an issue where host_sudoers could be written to Teleport
proxy server sudoer lists in Teleport v14 and v15. #45958
* Prevent interactive sessions from hanging on exit. #45952
* Fixed kernel version check of Enhanced Session Recording for
distributions with backported BPF. #45941
* Added a flag to skip a relogin attempt when using tsh ssh and
tsh proxy ssh. #45929
* The hostname where the process is running is returned when
running tctl get db_services. #45909
* Add buttons to clear all selected Roles/Reviewers in new Access
Requests. #45904
* Fixed an issue WebSocket upgrade fails with MiTM proxies that
can remask payloads. #45899
* When a database is created manually (without auto-discovery)
the teleport.dev/db-admin and
teleport.dev/db-admin-default-database labels are no longer
ignored and can be used to configure database auto-user
provisioning. #45891
* Add support for non-RSA SSH signatures with imported CA keys.
[#45890]
* Update tsh login and tsh status output to truncate a list of
roles. #45581
* Fri Aug 09 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 16.1.4:
* Improved tsh ssh performance for concurrent execs. #45162
* Fixed issue with loading cluster features when agents are
upgraded prior to auth. #45226
* Updated Go to 1.22.6. #45194
* Wed Aug 07 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 16.1.3 (not release 16.1.2):
* Fixed an issue where tsh aws may display extra text in addition
to the original command output. #45168
* Fixed regression that denied access to launch some Apps. #45149
* Bot resources now honor their metadata.expires field. #45130
* Teleport Connect now sets TERM_PROGRAM: Teleport_Connect and
TERM_PROGRAM_VERSION: <app_version> environment variables in
the integrated terminal. #45063
* Fixed a panic in the Microsoft Teams plugin when it receives an
error. #45011
* Added a background item for VNet in Teleport Connect; VNet now
prompts for a password only during the first launch. #44994
* Added warning on tbot startup when the requested certificate
TTL exceeds the maximum allowed value. #44989
* Fixed a race condition between session recording uploads and
session recording upload cleanup. #44978
* Prevented Kubernetes per-Resource RBAC from blocking access to
namespaces when denying access to a single resource kind in
every namespace. #44974
* SSO login flows can now authorize web sessions with Device
Trust. #44906
* Added support for Kubernetes Workload Attestation into Teleport
Workload Identity to allow the authentication of pods running
within Kubernetes without secrets. #44883
* Thu Aug 01 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 16.1.1:
* Added option to allow client redirects from IPs in specified
CIDR ranges in SSO client logins. #44846
* Machine ID can now be configured to use Kubernetes Secret
destinations from the command line using the kubernetes-secret
schema. #44801
* Prevent discovery service from overwriting Teleport dynamic
resources that have the same name as discovered resources.
[#44785]
* Reduced the probability that the event-handler deadlocks when
encountering errors processing session recordings. #44771
* Improved event-handler diagnostics by providing a way to
capture profiles dynamically via SIGUSR1. #44758
* Teleport Connect now uses ConPTY for better terminal resizing
and accurate color rendering on Windows, with an option to
disable it in the app config. #44742
* Fixed event-handler Helm charts using the wrong command when
starting the event-handler container. #44697
* Improved stability of very large Teleport clusters during
temporary backend disruption/degradation. #44694
* Resolved compatibility issue with Paramiko and Machine ID's SSH
multiplexer SSH agent. #44673
* Teleport no longer creates invalid SAML Connectors when calling
tctl get saml/<connector-name> | tctl create -f without the
- -with-secrets flag. #44666
* Fixed a fatal error in tbot when unable to lookup the user from
a given UID in containerized environments for checking ACL
configuration. #44645
* Fixed Application Access regression where an HTTP header wasn't
set in forwarded requests. #44628
* Added Server auto-discovery support for Rocky and AlmaLinux
distros. #44612
* Use the registered port of the target host when tsh puttyconfig
is invoked without --port. #44572
* Added more icons for guessing application icon by name or by
label teleport.icon in the web UI. #44566
* Remove deprecated S3 bucket option when creating or editing AWS
OIDC integration in the web UI. #44485
* Fixed terminal sessions with a database CLI client in Teleport
Connect hanging indefinitely if the client cannot be found.
[#44465]
* Added application-tunnel service to Machine ID for establishing
a long-lived tunnel to a HTTP or TCP application for Machine to
Machine access. #44443
* Fixed a regression that caused Teleport Connect to fail to
start on Intel Macs. #44435
* Improved auto-discovery resiliency by recreating Teleport
configuration when the node fails to join the cluster. #44432
* Fixed a low-probability panic in audit event upload logic.
[#44425]
* Fixed Teleport Connect binaries not being signed correctly.
[#44419]
* Prevented DoSing the cluster during a mass failed join event by
agents. #44414
* The availability filter is now a toggle to show (or hide)
requestable resources. #44413
* Moved PostgreSQL auto provisioning users procedures to pg_temp
schema. #44409
* Added audit events for AWS and Azure integration resource
actions. #44403
* Fixed automatic updates with previous versions of the
teleport.yaml config. #44379
* Added support for Rocky and AlmaLinux when enrolling a new
server from the UI. #44332
* Fixed PostgreSQL session playback not rendering queries line
breaks correctly. #44315
* Fixed Teleport access plugin tarballs containing a build
directory, which was accidentally added upon v16.0.0 release.
[#44300]
* Prevented an infinite loop in DynamoDB event querying by
advancing the cursor to the next day when the limit is reached
at the end of a day with an empty iterator. This ensures the
cursor does not reset to the beginning of the day. #44275
* The clipboard sharing tooltip for desktop sessions now
indicates why clipboard sharing is disabled. #44237
* Prevented redirects to arbitrary URLs when launching an app.
[#44188]
* Added a --skip-idle-time flag to tsh play. #44013
* Added audit events for discovery config actions. #43793
* Enabled Access Monitoring Rules routing with Mattermost plugin.
[#43601]
* SAML application can now be deleted from the Web UI. #4778
* Fixed an Access List permission bug where an access list owner,
who is also a member, was not able to add/remove access list
member. #4744
* Fixed a bug in Web UI where clicking SAML GCP Workforce
Identity Federation discover tile would throw an error,
preventing from using the guided enrollment feature. #4720
* Fixed an issue with incorrect yum/zypper updater packages being
installed. #4684
* Tue Jul 16 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 16.1.0:
* Database Access session replay
- Database Access users will be able to watch PostgreSQL query
replays in the web UI or with tsh.
* Other improvements and fixes
- Fixed "staircase" text output for non-interactive Kube exec
sessions in Web UI. #44249
- Fixed a leak in the admin process spawned by starting VNet
through tsh vnet or Teleport Connect. #44225
- Fixed a kube-agent-updater bug affecting resolutions of
private images. #44191
- The show_resources option is no longer required for
statically configured proxy ui settings. #44181
- The teleport-cluster chart can now use existing ingresses
instead of creating its own. #44146
- Ensure that tsh login outputs accurate status information for
the new session. #44143
- Fixes "device trust mode x requires Teleport Enterprise"
errors on tctl. #44133
- Added the tbot install systemd command for installing tbot as
a service on Linux systems. #44083
- Added ability to list access list members in json format in
tctl. #44071
- Update grpc to v1.64.1 (patches GO-2024-2978). #44067
- Batch access review reminders into 1 message and provide link
out to the web UI. #44034
- Fixed denying access despite access being configured for
Notification Routing Rules in the web UI. #44029
- Honor proxy templates in tsh ssh. #44026
- Fixed eBPF error occurring during startup on Linux RHEL 9.
[#44023]
- Fixed Redshift auto-user deactivation/deletion failure that
occurs when a user is created or deleted and another user is
deactivated concurrently. #43968
- Lower latency of detecting Kubernetes cluster becoming
online. #43967
- Teleport AMIs now optionally source environment variables
from /etc/default/teleport as regular Teleport package
installations do. #43962
- Make tbot compilable on Windows. #43959
- Add a new event to the database session recording with
query/command result information. #43955
- Enabled setting event types to forward, skip events, skip
session types in event-handler helm chart. #43938
- extraLabels configured in teleport-kube-agent chart values
are now correctly propagated to post-delete hooks. A new
extraLabels.job object has been added for labels which should
only apply to the post-delete job. #43932
- Add support for Teams to Opsgenie plugin alert creation.
[#43916]
- Machine ID outputs now execute individually and concurrently,
meaning that one failing output does not disrupt other
outputs, and that performance when generating a large number
of outputs is improved. #43876
- SAML IdP service provider resource can now be updated from
the Web UI. #4651
- Fixed empty condition from unquoted string with YAML editor
for Notification Routing Rules in the Web UI. #4636
- Teleport Enterprise now supports the
TELEPORT_REPORTING_HTTP(S)_PROXY environment variable to
specify the URL of the HTTP(S) proxy used for connections to
our usage reporting ingest service. #4568
- Fixed inaccurately notifying user that access list reviews
are due in the web UI. #4521
* Thu Jul 11 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 16.0.4:
* Omit control plane services from the inventory list output for
Cloud-Hosted instances. #43779
* Updated Go toolchain to v1.22.5. #43768
* Reduced CPU usage in auth servers experiencing very high
concurrent request load. #43755
* Machine ID defaults to disabling the use of the Kubernetes exec
plugin when writing a Kubeconfig to a directory destination.
This removes the need to manually configure
disable_exec_plugin. #43655
* Fixed startup crash of Teleport Connect on Ubuntu 24.04 by
adding an AppArmor profile. #43653
* Added support for dialling leaf clusters to the tbot SSH
multiplexer. #43634
* Extend Teleport ability to use non-default cluster domains in
Kubernetes, avoiding the assumption of cluster.local. #43631
* Wait for user MFA input when reissuing expired certificates for
a kube proxy. #43612
* Improved error diagnostics when using Machine ID's SSH
multiplexer. #43586
* Thu Jul 11 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 16.0.3 (skipping 16.0.2 that was not released):
This release of Teleport contains a fix for a medium-level
security issue impacting Teleport Enterprise, as well as various
other updates and improvements
=> the security fix has no relevance on openSUSE
* Other updates and improvements
- Update go-retryablehttp to v0.7.7 (fixes CVE-2024-6104).
[#43474]
- Fixed Discover setup access error when updating user. #43560
- Added audit event field describing if the "MFA for admin
actions" requirement changed. #43541
- Fixed remote port forwarding validation error. #43516
- Added support to trust system CAs for self-hosted databases.
[#43493]
- Added error display in the Web UI for SSH and Kubernetes
sessions. #43485
- Fixed accurate inventory reporting of the updater after it is
removed. #43454
- tctl alerts ls now displays remaining alert ttl. #43436
- Fixed input search for Teleport Connect's access request
listing. #43429
- Added Debug setting for event-handler. #43408
- Fixed Headless auth for sso users, including when local auth
is disabled. #43361
- Added configuration for custom CAs in the event-handler helm
chart. #43340
- Updated VNet panel in Teleport Connect to list custom DNS
zones and DNS zones from leaf clusters. #43312
- Fixed an issue with Database Access Controls preventing users
from making additional database connections. #43303
- Fixed bug that caused gRPC connections to be disconnected
when their certificate expired even though
DisconnectCertExpiry was false. #43290
- Fixed Connect My Computer in Teleport Connect failing with
"bind: invalid argument". #43287
- Fix a bug where a Teleport instance running only Jamf or
Discovery service would never have a healthy /readyz
endpoint. #43283
- Added a missing [Install] section to the teleport-acm systemd
unit file as used by Teleport AMIs. #43257
- Patched timing variability in curve25519-dalek. #43246
- Fixed setting request reason for automatic ssh access
requests. #43178
- Improved log rotation logic in Teleport Connect; now the
non-numbered files always contain recent logs. #43161
- Added tctl desktop bootstrap for bootstrapping AD
environments to work with Desktop Access. #43150
* Thu Jul 11 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 16.0.1:
* tctl now ignores any configuration file if the auth_service
section is disabled, and prefer loading credentials from a
given identity file or tsh profile instead. #43115
* Skip jamf_service validation when the service is not enabled.
[#43095]
* Fix v16.0.0 amd64 Teleport plugin images using arm64 binaries.
[#43084]
* Add ability to edit user traits from the Web UI. #43067
* Enforce limits when reading events from Firestore for large
time windows to prevent OOM events. #42966
* Allow all authenticated users to read the cluster vnet_config.
[#42957]
* Improve search and predicate/label based dialing performance in
large clusters under very high load. #42943
* Wed Jul 10 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- major update to 16.0.0:
Teleport 16 brings the following new features and improvements:
* Teleport VNet
* Device Trust for the Web UI
* Increased support for per-session MFA
* Web UI notification system
* Access requests from the resources view
* tctl for Windows
* Teleport plugins improvements
Breaking changes:
* Multi-factor authentication is now required for local users
* Community Edition license
* Incompatible clients are rejected
* Opsgenie plugin annotations
* New required permissions for DynamoDB
* Machine ID and OpenSSH client config changes
* Removal of Active Directory configuration flow
* Teleport Assist is removed
Full changelog:
https://github.com/gravitational/teleport/releases/tag/v16.0.0
* Thu Jul 04 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 15.4.7:
* Added audit events for discovery config actions. #43794
* Updated Go toolchain to v1.22.5. #43769
* Reduced CPU usage in auth servers experiencing very high
concurrent request load. #43760
* Machine ID defaults to disabling the use of the Kubernetes exec
plugin when writing a Kubeconfig to a directory destination.
This removes the need to manually configure
disable_exec_plugin. #43656
* Fixed startup crash of Teleport Connect on Ubuntu 24.04 by
adding an AppArmor profile. #43652
* Added support for dialling leaf clusters to the tbot SSH
multiplexer. #43635
* Extend Teleport ability to use non-default cluster domains in
Kubernetes, avoiding the assumption of cluster.local. #43632
* Wait for user MFA input when reissuing expired certificates for
a kube proxy. #43613
* Improved error diagnostics when using Machine ID's SSH
multiplexer. #43587
* Wed Jul 03 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 15.4.6:
* Security Fixes
- [Medium] Fixes issue where a SCIM client could potentially
overwrite. Teleport system Roles using specially crafted
groups. This issue impacts Teleport Enterprise deployments
using the Okta integration with SCIM support enabled.
* Other updates and improvements
- Fixed Discover setup access error when updating user. #43561
- Updated Go toolchain to 1.22. #43550
- Fixed remote port forwarding validation error. #43517
- Added support to trust system CAs for self-hosted databases.
[#43500]
- Added error display in the Web UI for SSH and Kubernetes
sessions. #43491
- Update go-retryablehttp to v0.7.7 (fixes CVE-2024-6104).
[#43475]
- Fixed accurate inventory reporting of the updater after it is
removed.. #43453
- tctl alerts ls now displays remaining alert ttl. #43435
- Fixed input search for Teleport Connect's access request
listing. #43430
- Added Debug setting for event-handler. #43409
- Fixed Headless auth for sso users, including when local auth
is disabled. #43362
- Added configuration for custom CAs in the event-handler helm
chart. #43341
- Fixed an issue with Database Access Controls preventing users
from making additional database connections depending on
their permissions. #43302
- Fixed Connect My Computer in Teleport Connect failing with
"bind: invalid argument". #43288
* Fri Jun 21 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 15.4.5:
* Added a missing [Install] section to the teleport-acm systemd
unit file as used by Teleport AMIs. #43256
* Patched timing variability in curve25519-dalek. #43249
* Updated tctl to ignore a configuration file if the auth_service
section is disabled, and prefer loading credentials from a
given identity file or tsh profile instead. #43203
* Fixed setting request reason for automatic ssh access requests.
[#43180]
* Updated teleport to skip jamf_service validation when the Jamf
service is not enabled. #43169
* Improved log rotation logic in Teleport Connect; now the
non-numbered files always contain recent logs. #43162
* Made tsh and Teleport Connect return early during login if ping
to proxy service was not successful. #43086
* Added ability to edit user traits from the Web UI. #43068
* Enforce limits when reading events from Firestore to prevent
OOM events. #42967
* Fixed updating groups for Teleport-created host users. #42884
* Added support for crown_jewel resource. #42866
* Added ability to edit user traits from the Web UI. #43068
* Fixed gRPC disconnection on certificate expiry even though
DisconnectCertExpiry was false. #43291
* Fixed issue where a Teleport instance running only Jamf or
Discovery service would never have a healthy /readyz endpoint.
[#43284]
* Wed Jun 19 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- change license to AGPL-3.0-only, as license was changed upstream
in 15.0.0 already
* Fri Jun 14 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 15.4.4:
* Improve search and predicate/label based dialing performance in
large clusters under very high load. #42941
* Fix an issue Oracle access failed through trusted cluster.
[#42928]
* Fix errors caused by dynamoevents query StartKey not being
within the [From, To] window. #42915
* Fix Jira Issue creation when Summary exceeds the max allowed
size. #42862
* Fix editing reviewers from being ignored/overwritten when
creating an access request from the web UI. #4397
* Thu Jun 13 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- new subpackage teleport-fdpass-teleport, see below
- update to 15.4.3:
Note: This release includes a new binary, fdpass-teleport, that
can be optionally used by Machine ID to significantly reduce
resource consumption in use-cases that create large numbers of
SSH connections (e.g. Ansible). Refer to the documentation for
more details.
* Update azidentity to v1.6.0 (patches CVE-2024-35255). #42859
* Remote rate limits on endpoints used extensively to connect to
the cluster. #42835
* Machine ID SSH multiplexer now only writes artifacts if they
have not changed, resolving a potential race condition with the
OpenSSH client. #42830
* Use more efficient API when querying SSH nodes to resolve Proxy
Templates in tbot. #42829
* Improve the performance of the Athena audit log and S3 session
storage backends. #42795
* Prevent a panic in the Proxy when accessing an offline
application. #42786
* Improve backoff of session recording uploads by teleport
agents. #42776
* Introduce the new Machine ID ssh-multiplexer service for
significant improvements in SSH performance. #42761
* Reduce backend writes incurred by tracking status of
non-recorded sessions. #42694
* Fix not being able to logout from the web UI when session
invalidation errors. #42648
* Fix access list listing not updating when creating or deleting
an access list in the web UI. #4383
* Fix crashes related to importing GCP labels. #42871
* Tue Jun 11 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 15.4.2 (15.4.1 was never released):
* Fixed a Desktop Access resize bug which occurs when window was
resized during MFA. #42705
* Fixed listing available db users in Teleport Connect for
databases from leaf clusters obtained through access requests.
[#42679]
* Fixed file upload/download for Teleport-created users in
insecure-drop mode. #42660
* Updated OpenSSL to 3.0.14. #42642
* Fixed fetching resources with tons of metadata (such as labels
or description) in Teleport Connect. #42627
* Added support for Microsoft Entra ID directory synchronization
(Teleport Enterprise only, preview). #42555
* Added experimental support for storing audit events in
cockroach. #42549
* Teleport Connect binaries for Windows are now signed. #42472
* Updated Go to 1.21.11. #42404
* Added GCP Cloud SQL for PostgreSQL backend support. #42399
* Added Prometheus metrics for the Postgres event backend. #42384
* Fixed the event-handler Helm chart causing stuck rollouts when
using a PVC. #42363
* Fixed web UI notification dropdown menu height from growing too
long from many notifications. #42336
* Disabled session recordings for non-interactive sessions when
enhanced recording is disabled. There is no loss of auditing or
impact on data fidelity because these recordings only contained
session.start, session.end, and session.leave events which were
already captured in the audit log. This will cause all teleport
components to consume less resources and reduce storage costs.
[#42320]
* Fixed an issue where removing an app could make teleport app
agents incorrectly report as unhealthy for a short time. #42270
* Fixed a panic in the DynamoDB audit log backend when the cursor
fell outside of the [From,To] interval. #42267
* The teleport configure command now supports a --node-name flag
for overriding the node's hostname. #42250
* Added support plugin resource in tctl tool. #42224
* Sat Jun 01 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 15.4.0:
* Access requests notification routing rules
Hosted Slack plugin users can now configure notification
routing rules for role-based access requests.
* Database access for Spanner
Database access users can now connect to GCP Spanner.
* Unix Workload Attestation
Teleport Workload ID now supports basic workload attestation on
Unix systems, allowing cluster administrators to restrict the
issuance of SVIDs to specific workloads based on UID/PID/GID.
* Other improvements and fixes
- Fixed an issue where mix-and-match of join tokens could
interfere with some services appearing correctly in
heartbeats. #42189
- Added an alternate EC2 auto discover flow using AWS Systems
Manager as a more scalable method than EICE in the "Enroll
New Resource" view in the web UI. #42205
- Fixed kubectl exec functionality when Teleport is running
behind L7 load balancer. #42192
- Fixed the plugins AMR cache to be updated when Access
requests are removed from the subject of an existing rule.
[#42186]
- Improved temporary disk space usage for session recording
processing. #42174
- Fixed a regression where Kubernetes Exec audit events were
not properly populated and lacked error details. #42145
- Fixed Azure join method when using Resource Groups in the
allow section. #42141
- Added new teleport debug set-log-level / profile commands
changing instance log level without a restart and collecting
pprof profiles. #42122
- Added ability to manage access monitoring rules via tctl.
[#42092]
- Added access monitoring rule routing for slack access plugin.
[#42087]
- Extended Discovery Service to self-bootstrap necessary
permissions for Kubernetes Service to interact with the
Kubernetes API on behalf of users. #42075
- Fixed resource leak in session recording cleanup. #42066
- Reduced memory and CPU usage after control plane restarts in
clusters with a high number of roles. #42062
- Added an option to send a Ctrl+Alt+Del sequence to remote
desktops. #41720
- Added support for GCP Spanner to Teleport Database Service.
[#41349]
* Thu May 23 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 15.3.6 (no releases between .1 and .6):
This release contains fixes for several high-severity security
issues, as well as numerous other bug fixes and improvements.
Security Fixes
* [High] Unrestricted redirect in SSO Authentication
Teleport didn’t sufficiently validate the client redirect URL.
This could allow an attacker to trick Teleport users into
performing an SSO authentication and redirect to an
attacker-controlled URL allowing them to steal the credentials.
[#41834].
Warning: Teleport will now disallow non-localhost callback URLs
for SSO logins unless otherwise configured. Users of the tsh
login --callback feature should modify their auth connector
configuration as follows:
The allowed_https_hostnames field is an array containing
allowed hostnames, supporting glob matching and, if the string
begins and ends with ^ and $ respectively, full regular
expression syntax. Custom callback URLs are required to be
HTTPS on the standard port (443).
* [High] CockroachDB authorization bypass
When connecting to CockroachDB using Database Access, Teleport
did not properly consider the username case when running RBAC
checks. As such, it was possible to establish a connection
using an explicitly denied username when using a different
case. #41823.
* [High] Long-lived connection persistence issue with expired
certificates
Teleport did not terminate some long-running mTLS-authenticated
connections past the expiry of client certificates for users
with the disconnect_expired_cert option. This could allow such
users to perform some API actions after their certificate has
expired. #41827.
* [High] PagerDuty integration privilege escalation
When creating a role access request, Teleport would include
PagerDuty annotations from the entire user’s role set rather
than a specific role being requested. For users who run
multiple PagerDuty access plugins with auto-approval, this
could result in a request for a different role being
inadvertently auto-approved than the one which corresponds to
the user’s active on-call schedule. #41837.
* [High] SAML IdP session privilege escalation
When using Teleport as SAML IdP, authorization wasn’t properly
enforced on the SAML IdP session creation. As such,
authenticated users could use an internal API to escalate their
own privileges by crafting a malicious program. #41846.
We strongly recommend all customers upgrade to the latest
releases of Teleport.
Other fixes and improvements
* Fixed access request annotations when annotations contain
globs, regular
* expressions, trait expansions, or claims_to_roles is used.
[#41936].
* Added AWS Management Console as a guided flow using AWS OIDC
integration in
* the "Enroll New Resource" view in the web UI. #41864.
* Fixed spurious Windows Desktop sessions screen resize during an
MFA ceremony. #41856.
* Fixed session upload completion with large number of
simultaneous session
* uploads. #41854.
* Fixed MySQL databases version reporting on new connections.
[#41819].
* Added read-only permissions for cluster maintenance config.
[#41790].
* Stripped debug symbols from Windows builds, resulting in
smaller tsh and
* tctl binaries. #41787
* Fixed passkey deletion so that a user may now delete their last
passkey if
* the have a password and another MFA configured. #41771.
* Changed the default permissions for the Workload Identity Unix
socket to 0777
* rather than the default as applied by the umask. This will
allow the socket to
* be accessed by workloads running as users other than the user
that owns the
* tbot process. #41754
* Added ability for teleport-event-handler to skip certain events
type when
* forwarding to an upstream server. #41747.
* Added automatic GCP label importing. #41733.
* Fixed missing variable and script options in Default Agentless
Installer
* script. #41723.
* Removed invalid AWS Roles from Web UI picker. #41707.
* Added remote address to audit log events emitted when a Bot or
Instance join
* completes, successfully or otherwise. #41700.
* Simplified how Bots are shown on the Users list page. #41697.
* Added improved-performance implementation of ProxyCommand for
Machine ID and
* SSH. This will become the default in v16. You can adopt this
new mode early by
* setting TBOT_SSH_CONFIG_PROXY_COMMAND_MODE=new. #41694.
* Improved EC2 Auto Discovery by adding the SSM script output and
more explicit
* error messages. #41664.
* Added webauthn diagnostics commands to tctl. #41643.
* Upgraded application heartbeat service to support 1000+ dynamic
applications. #41626
* Fixed issue where Kubernetes watch requests are written out of
order. #41624.
* Fixed a race condition triggered by a reload during Teleport
startup. #41592.
* Updated discover wizard Install Script to support Ubuntu 24.04.
[#41589].
* Fixed systemd unit to always restart Teleport on failure unless
explicitly stopped. #41581.
* Updated Teleport package installers to reload Teleport service
config after
* upgrades. #41547.
* Fixed file truncation bug in Desktop Directory Sharing. #41540.
* Fixed WebUI SSH connection leak when browser tab closed during
SSH connection
* establishment. #41518.
* Fixed AccessList reconciler comparison causing audit events
noise. #41517.
* Added tooling to create SCIM integrations in tctl. #41514.
* Fixed Windows Desktop error preventing rendering of the remote
session. #41498.
* Fixed issue in the PagerDuty, Opsgenie and ServiceNow access
plugins that
* causing duplicate calls on access requests containing duplicate
service names.
* Also increases the timeout so slow external API requests are
less likely to
* fail. #41488.
* Added basic Unix workload attestation to the tbot SPIFFE
workload API. You
* can now restrict the issuance of certain SVIDs to processes
running with a
* certain UID, GID or PID. #41450.
* Added "login failed" audit events for invalid passwords on
password+webauthn
* local authentication. #41432.
* Fixed Terraform provider issue causing the Provision Token
options to default
* to false instead of empty. #41429.
* Added support to automatically download CA for MongoDB Atlas
databases. #41338.
* Fixed broken "finish" web page for SSO Users on auto discover.
[#41335].
* Allow setting Kubernetes Cluster name when using non-default
addresses. #41331.
* Added fallback on GetAccessList cache miss call. #41326.
* Fixed DiscoveryService panic when auto-enrolling EKS clusters.
[#41320].
* Added validation for application URL extracted from the web
application launcher request route. #41304.
* Allow defining custom database names and users when selecting
wildcard during test connection when enrolling a database
through the web UI. #41301.
* Fixed broken link for alternative EC2 installation during EC2
discover flow. #41292
* Updated Go to v1.21.10. #41281.
* Updated user management to explicitly deny password resets and
local logins to
* SSO users. #41270.
* Fixed fetching suggested access lists with large IDs in
Telepor...
* Wed May 08 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 15.3.1:
* Fixed screen_size behavior for Windows Desktops, which was
being overridden by the new resize feature. #41241
* Ensure that the active sessions page shows up in the web UI for
users with permissions to join sessions. #41221
* Added indicators on the account settings page that tell which
authentication methods are active. #41169
* Fix a bug that was preventing tsh proxy kube certificate
renewal from working when accessing a leaf kubernetes cluster
via the root. #41158
* Fixed AccessDeniedException for dynamodb:ConditionCheckItem
operations when using AWS DynamoDB for cluster state storage.
[#41133]
* Added lock target to lock deletion audit events. #41112
* Fixed a permissions issue that prevented the teleport-cluster
helm chart operator from registering agentless ssh servers.
[#41108]
* Improve the reliability of the upload completer. #41103
* Allows the listener for the tbot database-tunnel service to be
set to a unix socket. #41008
* Thu May 02 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 15.3.0:
* Improved Roles UI
The Roles page of the web UI is now backed by a paginated API,
ensuring fast load times even on clusters with large numbers of
roles.
* Resizing for Windows desktop sessions
Windows desktop sessions now automatically resize as the size
of the browser window changes.
* Hardware key support for agentless nodes
Teleport now supports connecting to agentless OpenSSH nodes
even when Teleport is configured to require hardware key MFA
checks.
* TPM joining
The new TPM join method enables secure joining for agents and
Machine ID bots that run on-premise. Based on the secure
properties of the host's hardware trusted platform module, this
join method removes the need to create and distribute secret
tokens, significantly reducing the risk of exfiltration.
* Other improvements and fixes
- Fixed user SSO bypass by performing a local passwordless
login. #41067
- Enforce allow_passwordless server-side. #41057
- Fixed a memory leak caused by incorrectly passing the offset
when paginating all Access Lists' members when there are more
than the default pagesize (200) Access Lists. #41045
- Added resize capability to windows desktop sessions. #41025
- Fixed a regression causing roles filtering to not work.
[#40999]
- Allow AWS integration to be used for global services without
specifying a valid region. #40991
- Made account id visible when selecting IAM Role for accessing
the AWS Console. #40987
* Sat Apr 27 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 15.2.5:
* Extend proxy templates to allow the target host to be resolved
via a predicate expression or fuzzy matching. #40966
* Fix an issue where access requests would linger in UI and tctl
after expiry. #40964
* The teleport-cluster Helm chart can configure AccessMonitoring
when running in aws mode. #40957
* Make podSecurityContext configurable in the teleport-cluster
Helm chart. #40951
* Allow to mount extra volumes in the updater pod deployed by the
teleport-kube-agentchart. #40946
* Improve error message when performing an SSO login with a
hardware key. #40923
* Fix a bug in the teleport-cluster Helm chart that happened when
sessionRecording was off. #40919
* Fix audit event failures when using DynamoDB event storage.
[#40913]
* Allow setting additional Kubernetes labels on resources created
by the teleport-cluster Helm chart. #40909
* Fix Windows cursor getting stuck. #40890
* Issue cert.create events during device authentication. #40872
* Add the ability to control ssh_config generation in Machine
ID's Identity Outputs. This allows the generation of the
ssh_config to be disabled if unnecessary, improving performance
and removing the dependency on the Proxy being online. #40861
* Prevent deleting AWS OIDC integration used by External Audit
Storage. #40851
* Introduce the tpm join method, which allows for secure joining
in on-prem environments without the need for a shared secret.
[#40823]
* Reduce parallelism when polling AWS resources to prevent API
throttling when exporting them to Teleport Access Graph. #40811
* Fix spurious deletion of Access List Membership metadata during
SCIM push or sync. #40544
* Properly enforce session moderation requirements when starting
Kubernetes ephemeral containers. #40906
* Thu Apr 25 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 15.2.4 (skipping non-existing release 15.2.3):
* Fixed a deprecation warning being shown when tbot is used with
OpenSSH. #40837
* Added a new Audit log event that is emitted when an Agent or
Bot request to join the cluster is denied. #40814
* Fixed regenerating cloud account recovery codes. #40786
* Changed UI for the sign-up and authentication reset flows.
[#40773]
* Added a new Prometheus metric to track requests initiated by
Teleport against the control plane API. #40754
* Fixed an issue that prevented uploading a zip file larger than
10MiB when updating an AWS Lambda function via tsh app access.
[#40737]
* Patched CVE-2024-32650. #40735
* Fixed possible data race that could lead to concurrent map read
and map write while proxying Kubernetes requests. #40720
* Fixed access request promotion of windows_desktop resources.
[#40712]
* Fixed spurious ambiguous host errors in ssh routing. #40706
* Patched CVE-2023-45288 and CVE-2024-32473. #40695
* generic "not found" errors are returned whether a remote
cluster can't be found or access is denied. #40681
* Fixed a resource leak in the Teleport proxy server when using
proxy peering. #40672
* Added Azure CLI access support on AKS with Entra Workload ID.
[#40660]
* Allow other issue types when configuring JIRA plugin. #40644
* Added regexp.match to access request filter and where
expressions. #40642
* Notify the requester in slack review request messages. #40624
* Handle passwordless in MFA audit events. #40617
* Added auto discover capability to EC2 enrollment in the web UI.
[#40605]
* Fixes RDP licensing. #40595
* Added support for the ascii variants of smartcard calls. #40566
* Added the ability to configure labels that should be set on the
Kubernetes secret when using the kubernetes_secret destination
in tbot. #40550
* Updated cosign to address CVE-2024-29902 and CVE-2024-29903.
[#40497]
* The Web UI now supports large number of roles by paginating
them. #40463
* Improved the responsiveness of the session player during long
periods of idle time. #40442
* Fixed incorrect format for database_object_import_rule
resources with non-empty expiry. #40203
* Updated Opsgenie annotations so approve-schedules is used for
both alert creation and auto approval if notify schedules is
not set. #40121
* Sat Apr 13 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 15.2.2:
* Updated the cluster selector in the UI to now only be visible
when more than one cluster is available. #40478
* Fixed accidental passkey "downgrades" to MFA. #40409
* Added tsh proxy kube --exec mode that spawns kube proxy in the
background, which re-executes the user shell with the
appropriate kubeconfig. #40395
* Made Amazon S3 fields optional when creating or editing AWS
OIDC integration on the web UI. #40368
* Fixed a bug that prevented the available logins from being
displayed for Windows desktops in leaf clusters that were being
accessed via the root cluster web ui. #40367
* Changed Teleport Connect to hide cluster name in the connection
list if there is only a single cluster available. #40356
* Fixed invalid session TTL error when creating access request
with tsh. #40335
* Added missing discovery AWS matchers fields "Integration" and
"KubeAppDiscovery" to the file configuration. #40320
* Added automatic role access requests. #40285
* Redesigned the login UI. #40272
* Added friendly role names for Okta sourced roles. These will be
displayed in access list and access request pages in the UI.
[#40260]
* Added Teleport Machine ID Workload Identity support for legacy
systems which are not able to parse DNS SANs, and which are not
SPIFFE aware. #40180
* Sat Apr 06 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 15.2.1:
* Teleport Connect now shows all recent connections instead of
capping them at 10. #40250
* Limit max read size for the tsh device trust DMI cache file on
Linux. #40234
* Fix an issue that prevents the teleport service from restarting.
[#40229]
* Add new resource filtering predicates to allow exact matches on
a single item of a delimited list stored in a label value. For
example, if given the following label containing a string
separated list of values foo=bar,baz,bang, it is now possible to
match on any resources with a label foo that contains the
element bar via contains(split(labels[foo], ","), bar). #40183
* Updated Go to 1.21.9. #40176
* Adds disable_exec_plugin option to the Machine ID Kubernetes
Output to remove the dependency on tbot existing in the target
environment. #40162
* Adds the database-tunnel service to tbot which allows an
authenticated database tunnel to be opened by tbot. This is an
improvement over the original technique of using tbot proxy db.
[#40151]
* Allow diagnostic endpoints to be accessed behind a PROXY
protocol enabled loadbalancer/proxy. #40138
* Include system annotations in audit event entries for access
requests. #40123
* Fixed GitHub Auth Connector update event to show in Audit Log
with name and description. #40116
* Re-enabled the show_desktop_wallpaper flag. #40088
* Reduce default Jamf inventory page size, allow custom values to
be provided. #3817
* Sat Mar 30 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 15.2.0:
* Improved Access Requests UI
The access requests page of the web UI will be backed by a
paginated API, ensuring fast load times even on clusters with
many access requests.
Additionally, the UI allows you to search for access requests,
sort them based on various attributes, and includes several new
filtering options.
* Zero-downtime web asset rollout
Teleport 15.2 changes the way that web assets are served and
cached, which will allow multiple compatible versions of the
Teleport Proxy to run behind the same load balancer.
* Workload Identity MVP
With Teleport 15.2, Machine ID can bootstrap and issue identity
to services across multiple computing environments and
organizational boundaries. Workload Identity issues
SPIFFE-compatible x509 certificates that can be used for mTLS
between services.
* Support for Kubernetes 1.29+
The Kubernetes project is deprecating the SPDY protocol for
streaming commands (kubectl exec, kubectl port-forward, etc)
and replacing it with a new websocket-based subprotocol.
Teleport 15.2.0 will support the new protocol to ensure
compatibility with newer Kubernetes clusters.
* Automatic database access requests
Both tsh db connect and tsh proxy db will offer the option to
submit an access request if the user attempts to connect to a
database that they don't already have access to.
* GCP console access via Workforce Identity Federation
Teleport administrators will be able to setup access to GCP web
console through Workforce Identity Federation using Teleport as
a SAML identity provider.
* IaC support for OpenSSH nodes
Users will be able to register OpenSSH nodes in the cluster
using Terraform and Kubernetes Operator.
* Access requests start time
Users submitting access requests via web UI will be able to
request specific access start time up to a week in advance.
* Terraform and Operator support for agentless SSH nodes
The Teleport Terraform provider and Kubernetes operator now
support declaring agentless OpenSSH and OpenSSH EC2 ICE
servers. You can follow this guide to register OpenSSH agents
with infrastructure as code.
Setting up EC2 ICE automatic discovery with IaC will come in a
future update.
* Operator and CRDs can be deployed separately
The teleport-operator and teleport-cluster charts now support
deploying only the CRD, the CRD and the operator, or only the
operator.
From the teleport-cluster Helm chart:
operator:
enabled: true|false
installCRDs: always|never|dynamic
From the teleport-operator Helm chart:
enabled: true|false
installCRDs: always|never|dynamic
In dynamic mode (by default), the chart will install CRDs if
the operator is enabled, but will not remove the CRDs if you
temporarily disable the operator.
* Operator now propagates labels
Kubernetes CR labels are now copied to the Teleport resource
when applicable.
This allows you to configure RBAC for operator-created
resources, and to filter Teleport resources more easily.
* Terraform provider no longer forces resource re-creation on
version change
Teleport v15 introduced two Terraform provider changes:
- setting the resource version is now mandatory
- a resource version change triggers the resource re-creation
to ensure defaults were correctly set
The second change was too disruptive, especially for roles, as
they cannot be deleted if a user or an access list references
them. Teleport 15.2 lifts this restriction and allows version
change without forcing the resource deletion.
Another change to ensure resource defaults are correctly set
during version upgrades will happen in v16.
* Other improvements and fixes
- Fixed "Invalid URI" error in Teleport Connect when starting
mongosh from database connection tab. #40033
- Adds support for easily exporting the SPIFFE CA using tls
auth export --type tls-spiffe and the /webapi/auth/export
endpoint. #40007
- Update Rust to 1.77.0, enable RDP font smoothing. #39995
- The role, server and token Teleport operator CRs now display
additional information when listed with kubectl get. #39993
- Improve performance of filtering resources via predicate
expressions. #39972
- Fixes a bug that prevented CA import when a SPIFFE CA was
present. #39958
- Fix a verbosity issue that caused the
teleport-kube-agent-updater to output debug logs by default.
[#39953]
- Reduce default Jamf inventory page size, allow custom values
to be provided. #39933
- AWS IAM Roles are now filterable in the web UI when launching
a console app. #39911
- The teleport-cluster Helm chart now supports using the Amazon
Athena event backend. #39907
- Correctly show the users allowed logins when accessing leaf
resources via the root cluster web UI. #39887
- Improve performance of resource filtering via labels and
fuzzy search. #39791
- Enforce optimistic locking for AuthPreferences,
ClusterNetworkingConfig, SessionRecordingConfig. #39785
- Fix potential issue with some resources expiry being set to
01/01/1970 instead of never. #39773
- Update default access request TTLs to 1 week. #39509
- Fixed an issue where creating or updating an access list with
Admin MFA would fail in the WebUI. #3827
* Fri Mar 29 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 15.1.10:
* Fixed possible phishing links which could result in code
execution with install and join scripts. #39837
* Fixed MFA checks not being prompted when joining a session.
[#39814]
* Added support for Kubernetes websocket streaming subprotocol v5
connections. #39770
* Fixed a regression causing MFA prompts to not show up in
Teleport Connect. #39739
* Fixed broken SSO login landing page on certain versions of
Google Chrome. #39723
* Teleport Connect now shows specific error messages instead of
generic "access denied". #39720
* Added audit events for database auto user provisioning. #39665
* Updated Electron to v29 in Teleport Connect. #39657
* Added automatic access request support for tsh db login, tsh db
connect and tsh proxy db. #39617
* Fixed a bug in Teleport Cloud causing the hosted ServiceNow
plugin to crash when setting up the integration. #39603
* Fixed a bug of the discovery script failing when jq was not
installed. #39599
* Ensured that audit events are emitted whenever the
authentication preferences, cluster networking config, or
session recording config are modified. #39522
* Database object labels will now support templates. #39496
* Tue Mar 19 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 15.1.9:
* Improved performance when listing nodes with tsh or tctl.
[#39567]
* Require AWS S3 bucket fields when creating/editing AWS OIDC
integration in the web UII. #39510
* Added remote port forwarding to tsh. #39441
* Added support for setting default relay state for SAML IdP
initiated logins via the web interface and tctl. For supported
preset service provider types, a default value will be applied
if the field is not configured. #39401
* Mon Mar 18 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 15.1.8:
* Fixed an issue with AWS IAM permissions that may prevent AWS
database access when discovery_service is enabled in the same
Teleport config as the db_service, namely AWS RDS, Redshift,
Elasticache, and MemoryDB. #39488
* Mon Mar 18 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 15.1.7:
* Fixed issue with Teleport auth server panicking when Access
Graph is enabled in discovery service. [#39456]
* Added remote port forwarding for Teleport nodes. #39440
* Added remote port forwarding for OpenSSH nodes. #39438
* Sun Mar 17 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 15.1.6:
* Added remote port forwarding for Teleport nodes. #39440
* Added remote port forwarding for OpenSSH nodes. #39438
* Sun Mar 17 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 15.1.5:
* Improve error messaging when creating resources fails because
they already exist or updating resources fails because they
were removed. #39395
* The audit entry for access_request.search will now truncate the
list of roles in the audit UI if it exceeds 80 characters.
[#39372]
* Re-enable AWS IMDSv1 fallback due to some EKS clusters having
their IMDSv2 hop limit set to 1, leading to IMDSv2 requests
failing. Users who wish to keep IMDSv1 fallback disabled can
set the AWS_EC2_METADATA_V1_DISABLED environmental variable.
[#39366]
* Only allow necessary operations during moderated file transfers
and limit in-flight file transfer requests to one per session.
[#39351]
* Make the Jira access plugin log Jira errors properly. #39346
* Fixed allowing invalid access request start time date to be
set. #39322
* Teleport Enterprise now attempts to load the license file from
the configured data directory if not otherwise specified.
[#39314]
* Improve the security for MFA for Admin Actions when used
alongside Hardware Key support. #39306
* The saml_idp_service_provider spec adds a new preset field that
can be used to specify predefined SAML service provider
profile. #39277
* Fixed a bug that caused some MFA for Admin Action flows to fail
instead of retrying: ex: tctl bots add --token=<token>. #39269
* Sun Mar 17 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 15.1.4:
* Raised concurrent connection limits between Teleport Cloud
regions and in clusters that use proxy peering. #39233
* Improved clean up of system resources during a fast shutdown of
Teleport. #39211
* Resolved sporadic errors caused by requests fail to comply with
Kubernetes API spec by not specifying resource identifiers.
[#39168]
* Added a new password change wizard. #39124
* Fixed the NumLock and Pause keys for Desktop Access sessions
not working. #39095
* Sun Mar 17 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 15.1.3:
* Fix a bug when using automatic updates and the discovery
service. The default install script now installs the correct
teleport version by querying the version server. #39099
* Fix a regression where tsh kube credentials fails to re-login
when credentials expire. #39075
* TBot now supports --proxy-server for explicitly configuring the
Proxy address. We recommend switching to this if you currently
specify the address of your Teleport proxy to --auth-server.
[#39055]
* Expand the EC2 joining process to include newly created AWS
regions. #39051
* Added GCP MySQL access IAM Authentication support. #39040
* Fixed compatibility of the Teleport service file with older
versions of systemd. #39032
* Update WebUI database connection instructions. #39027
* Teleport Proxy Service now runs a version server by default
serving its own version. #39017
* Significantly reduced latency of network calls in Teleport
Connect. #39012
* SPIFFE SVID generation introduced to tbot (experimental).
[#39011]
* Adds tsh workload issue command for issuing SVIDs using tsh.
[#39115]
* Fixed an issue in SAML IdP entity descriptor generator process,
which would fail to generate entity descriptor if the
configured Entity ID endpoint would return HTTP status code
above 200 and below 400 . #38987
* Updated Go to 1.21.8. #38983
* Updated electron-builder dependency to address possible
arbitrary code execution in the Windows installer of Teleport
Connect (CVE-2024-27303). #38964
* Fixed an issue where it was possible to skip providing old
password when setting a new one. #38962
* Added database permission management support for Postgres.
[#38945]
* Improved reliability and performance of tbot. #38928
* Filter terminated sessions from the tsh sessions ls output.
[#38887]
* Make it easier to identify Teleport browser tabs by placing the
session information before the cluster name. #38737
* The teleport-ent-upgrader package now gracefully restarts the
Teleport binary if possible, to avoid cutting off ongoing
connections. #3578
* Trusted device authentication failures may now include a brief
explanation message in the corresponding audit event. #3572
* Okta access lists sync will now sync groups without members.
[#3636]
* Sun Mar 17 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 15.1.2:
* Fix a bug when using automatic updates and the discovery
service. The default install script now installs the correct
teleport version by querying the version server. #39099
* Fix a regression where tsh kube credentials fails to re-login
when credentials expire. #39075
* TBot now supports --proxy-server for explicitly configuring the
Proxy address. We recommend switching to this if you currently
specify the address of your Teleport proxy to --auth-server.
[#39055]
* Expand the EC2 joining process to include newly created AWS
regions. #39051
* Added GCP MySQL access IAM Authentication support. #39040
* Fixed compatibility of the Teleport service file with older
versions of systemd. #39032
* Update WebUI database connection instructions. #39027
* Teleport Proxy Service now runs a version server by default
serving its own version. #39017
* Significantly reduced latency of network calls in Teleport
Connect. #39012
* SPIFFE SVID generation introduced to tbot (experimental).
[#39011]
* Adds tsh workload issue command for issuing SVIDs using tsh.
[#39115]
* Fixed an issue in SAML IdP entity descriptor generator process,
which would fail to generate entity descriptor if the
configured Entity ID endpoint would return HTTP status code
above 200 and below 400 . #38987
* Updated Go to 1.21.8. #38983
* Updated electron-builder dependency to address possible
arbitrary code execution in the Windows installer of Teleport
Connect (CVE-2024-27303). #38964
* Fixed an issue where it was possible to skip providing old
password when setting a new one. #38962
* Added database permission management support for Postgres.
[#38945]
* Improved reliability and performance of tbot. #38928
* Filter terminated sessions from the tsh sessions ls output.
[#38887]
* Make it easier to identify Teleport browser tabs by placing the
session information before the cluster name. #38737
* The teleport-ent-upgrader package now gracefully restarts the
Teleport binary if possible, to avoid cutting off ongoing
connections. #3578
* Trusted device authentication failures may now include a brief
explanation message in the corresponding audit event. #3572
* Okta access lists sync will now sync groups without members.
[#3636]
* Sun Mar 17 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 15.1.1:
* Fixed panic when an older tsh or proxy changes an access list.
[#38861]
* SSH connection resumption now works during graceful upgrades of
the Teleport agent. #38842
* Fixed an issue with over counting of reported Teleport updater
metrics. #38831
* Fixed tsh returning "private key policy not met" errors instead
of automatically initiating re-login to satisfy the private key
policy. #38819
* Made graceful shutdown and graceful restart terminate active
sessions after 30 hours. #38803
* Sun Mar 17 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 15.1.0:
* New Features
- Standalone tbot Docker image
We now ship a new container image that contains tbot but
omits other Teleport binaries, providing a light-weight
option for Machine ID users.
- Custom mouse pointers for remote desktop sessions
Teleport remote desktop sessions now automatically change the
mouse cursor depending on context (when hovering over a link,
resizing a window, or editing text, for example).
- Synchronization of Okta groups and apps
Okta integration now support automatic synchronization of
Okta groups and app assignments to Teleport as access lists
giving users ability to request access to Okta apps without
extra configuration.
- EKS auto-discovery in Access Management UI
Users going through EKS enrollment flow in Access Management
web UI now have an option to enable auto-discovery for EKS
clusters.
* Other changes
- Fixed application access events being overwritten when using
DynamoDB as event storage. #38815
- Fixed a regression that had reintroduced long freezes for
certain actions like "Run as different user". #38805
- When teleport is configured to require MFA for admin actions,
MFA is required to get certificate authority secrets. Ex:
tctl auth export --keys or tctl get
cert_authority/host/root.example.com --with-secrets. #38777
- Added auto-enrolling capabilities to EKS discover flow in the
web UI. #38773
- Heavily optimized the Access List page in the UI, speeding
things up considerably. #38764
- Align DynamoDB BatchWriteItem max items limit. #38763
- tbot-distroless image is now published. This contains just
the tbot binary and therefore has a smaller image size.
[#38718]
- Fixed a regression with Teleport Connect not showing the
re-login reason and connection errors when accessing
databases, Kube clusters, and apps with an expired cert.
[#38716]
- Re-enabled the Windows key and prevents it from sticking or
otherwise causing problems when cmd+tab-ing or alt+tab-ing
away from the browser during desktop sessions. #38699
- Resource limits are now correctly applied to the
wait-auth-update initContainer in the teleport-cluster Helm
chart. #38692
- When teleport is configured to require MFA for admin actions,
MFA is required to create, update, or delete trusted
clusters. #38690
- Fixed error in tctl get users --with-secrets when using SSO.
[#38663]
- When device trust is required and MFA is optional, users will
need to add their first MFA device from a trusted device.
[#38657]
- Temporary files are no longer created during Discover UI EKS
cluster enrollment. #38649
- When teleport is configured to require MFA for admin actions,
MFA is required to get or list tokens with tctl. Ex: tctl
tokens ls or tctl get tokens/foo. #38645
- Implemented dynamic mouse pointer updates to reflect
context-specific actions, e.g. window resizing. #38614
- MFA approval is no longer required in the beginning of EKS
Discover flow. #38580
- Fixed Postgres v16.x compatibility issue preventing multiple
connections for auto-provisioned users. #38543
- Fixed incorrect color of resource cards after changing the
theme in Web UI and Connect. #38537
- Updated the dialog for adding new authentication methods in
the account settings screen. #38535
- Displays review dates for access lists in dates, not
remaining hours in tsh. #38525
- Ensure that tsh continues to function if one of its profiles
is invalid. #38514
- Fixed logging output for teleport configure ... commands.
[#38508]
- Fixed tsh/WebAuthn.dll panic on Windows Server 2019. #38490
- Fixes an issue that prevented the Web UI from properly
displaying the hostname of servers in leaf clusters. #38469
- Added ssh_service.enhanced_recording.root_path configuration
option to change the cgroup slice path used by the agent.
[#38394]
- Fixed a bug that could cause expired SSH servers from
appearing in the Web UI until the Proxy is restarted. #38310
- Desktops can now be configured to use the same screen
resolution for all sessions. #38307
- The maximum duration for an access request is now 14 days,
the okta-requester role has been added which takes advantage
of this. #38224
- Added TLS routing native WebSocket connection upgrade
support. #38108
- Fixed a bug allowing the operator to delete resource it does
not own. #37750
* Sun Feb 25 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 15.0.2:
* Fixed a potential panic in the tsh status command. #38305
* Fixed SSO user locking in the setup access step of the RDS auto
discover flow in the web UI. #38283
* Optionally permit the auth server to terminate client
connections from unsupported versions. #38182
* Fixed Assist obstructing the user dropdown menu when in docked
mode. #38156
* Improved the stability of Teleport during graceful upgrades.
[#38145]
* Added the ability to view and manage Machine ID bots from the
UI. #38122
* Fixed a bug that prevented desktop clipboard sharing from
working when large amounts of text are placed on the clipboard.
[#38120]
* Added option to validate hardware key serial numbers with
hardware key support. #38068
* Removed access tokens from URL parameters, preventing them from
being leaked to intermediary systems that may log them in
plaintext. #38032
* Forced agents to terminate Auth connections if joining fails.
[#38005]
* Added a tsh sessions ls command to list active sessions. #37969
* Improved error handling when idle desktop connections are
terminated. #37955
* Updated Go to 1.21.7. #37846
* Discover flow now starts two instances of DatabaseServices when
setting up access to Amazon RDS. #37805
* Sun Feb 25 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 15.0.1:
* Correctly handle non-registered U2F keys. #37720
* Fixed memory leak in tbot caused by never closing reverse
tunnel address resolvers. #37718
* Fixed conditional user modifications (used by certain Teleport
subsystems such as Device Trust) on users that have previously
been locked out due to repeated recovery attempts. #37703
* Added SCIM support in Okta integration (cloud only). #3341
* Added okta integration SCIM support for web UI. #37697
* Fixed usage data submission becoming stuck sending too many
reports at once (Teleport Enterprise only). #37687
* Fixed cache init issue with access list members/reviews. #37673
* Fixed "failed to close stream" log messages. #37662
* Skip tsh AppID pre-flight check whenever possible. #37642
* Sun Feb 25 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- major update to 15.0.0:
Full changelog and breaking changes see
https://github.com/gravitational/teleport/releases/tag/v15.0.0
* Teleport 15 brings the following new major features and
improvements:
- Desktop access performance improvements
- Enhanced Device Trust support
- SSH connection resumption
- RDS auto-discovery in Access Management UI
- EKS Integration for Teleport
- MFA for Administrative Actions
- Improved SAML IdP configuration flow
- Improved provisioning for Okta
- Support for AWS KMS
- Teleport Connect improvements
- Session playback improvements
- Standalone Kubernetes Operator
- Roles v6 and v7 support for Kubernetes Operator
- Enhanced ARM64 builds
* Sun Feb 18 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 14.3.6 (14.3.5 does not exist):
* Fixed a potential panic in the tsh status command. #38304
* Fixed locking SSO user in the setup access step of the RDS auto
discover flow in the web UI. #38284
* Optionally permit the auth server to terminate client
connections from unsupported versions. #38186
* Removed access tokens from URL parameters, preventing them from
being leaked to intermediary systems that may log them in
plaintext. #38070
* Added option to validate hardware key serial numbers with
hardware key support. #38069
* Forced agents to terminate Auth connections if joining fails.
[#38004]
* Added a tsh sessions ls command to list active sessions. #37970
* Improved error handling when idle desktop connections are
terminated. #37956
* Updated Go to 1.21.7. #37848
* Discover flow now starts two instances of DatabaseServices when
setting up access to Amazon RDS. #37804
* Fixed incorrect resizing of CLI apps in Teleport Connect on
Windows. #37799
* Fixed handling of non-registered U2F keys. #37722
* Fixed memory leak in tbot caused by never closing reverse
tunnel address resolvers. #37719
* Fixed app redirection loop on browser's incognito mode and 3rd
party cookie block. #37692
* Sat Feb 03 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 14.3.4:
* Skip tsh AppID pre-flight check whenever possible. #37643
* Update OpenSSL to 3.0.13. #37552
* tsh FIDO2 backend re-written for improved responsiveness and
reliability. #37538
* Do not add alphabetically first Kube cluster's name to a user
certificate on login. #37501
* Allow to replicate proxy pods when using an ingress in the
teleport-cluster Helm chart. #37480
* Fix an issue tsh uses wrong default username for auto-user
provisioning enabled databases in remote clusters #37418
* Prevent backend throttling caused by a large number of app
sessions. #37391
* Emit audit events when SFTP or SCP commands are blocked. #37385
* Fix goroutine leak on PostgreSQL access. #37342
* Fixed incompatibility between leaf clusters and ProxyJump.
[#37319]
* Fixed a potential crash when setting up the Connect My Computer
role in Teleport Connect. #37314
* Fixed CA key generation when two auth servers share a single
YubiHSM2. #37296
* Add support for cancelling CockroachDB requests. #37282
* Fix Terraform provider creating AccessLists with next audit
date set to Epoch. #37262
* Fix an issue selecting MySQL database is not reflected in the
audit logs. #37257
* The login screen will no longer be rendered for authenticated
users. #37230
* Fixed missing proxy address in GCP and Azure VM auto-discovery.
[#37215]
* Teleport namespace label prefixes are now sorted toward the end
of the labels list in the web UI. #37191
* Adds tbot proxy kube to support connecting to Kubernetes
clusters using Machine ID when the Proxy is behind a L7 LB.
[#37157]
* Fix a bug that was breaking web UI if automatic upgrades are
misconfigured. #37130
* Fix an issue AWS Redshift auto-provisioned user not deleted in
drop mode. #37036
* Fix an issue database auto-user provisioning fails to connect a
second session on MariaDB older than 10.7. #37028
* Improved styling of the login form in Connect and Web UI.
[#37003]
* Ensure that moderated sessions do not get stuck in the event of
an unexpected drop in the moderator's connection. #36917
* The web terminal now properly displays underscores on Linux.
[#36890]
* Fix tsh panic on Windows if WebAuthn.dll is missing. #36868
* Increased timeout when waiting for response from Jira API and
webhook to reconcile. #36818
* Ensure connect_to_node_attempts_total is always incremented
when dialing hosts. #36739
* Fixed a potential crash in Teleport Connect after downgrading
the app from v15+. #36730
* Prevent a goroutine leak caused by app sessions not cleaning up
resources properly. #36668
* Added tctl idp saml test-attribute-mapping command to test SAML
IdP attribute mapping. #36662
* Fixed an issue where valid SAML entity descriptors could be
rejected. #36485
* Updated SAML IdP UI to display entity ID, SSO URL and X.509
certificate. #3322
* Updated access request creation dialog to pre-select suggested
reviewers. #3325
* Mon Jan 15 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 14.3.3:
* Fixed routing to nodes by their public addresses. #36624
* Enhanced Kubernetes app discovery functionality to provide the
ability to disable specific Service imports and configure the
TLS Skip Verify option using an annotation. #36611
* Added client remote IP address to some administrative audit
events. #36567
* Mon Jan 15 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 14.3.2:
* Fixed routing to nodes by their public address. #36591
* Verify MFA device locks during user authentication. #36589
* Fixed tctl get access_list and support creating Access Lists
without a next audit date. #36572
* Mon Jan 15 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 14.3.1:
* Added support to select database roles from tsh. #36528
* Fixed goroutine leak per ssh session. #36511
* Fixed user invites preventing listing tokens. #36492
* Updated Go to v1.21.6. #36478
* Fixed refresh_identity = true preventing Access Plugins
connecting to Teleport using TLS routing with a L7 LB. #36469
* Added --callback flag to tsh login. #36468
* Added auto-enrolling capabilities to RDS discover flow in the
web UI. #36434
* Fixed an issue where bad cache state could cause spurious
access denied errors during app access. #36432
* Resources named . and .. are no longer allowed. Please review
the resources in your Teleport instance and rename any
resources with these names before upgrading. #36404
* Ensured that the login time is populated for app sessions.
[#36373]
* Fixed incorrect report of user's IP address in Kubernetes Audit
Logs. #36346
* Access lists and associated resources are now cached, which
should significantly reduce the impact of access list
calculation. #36331
* Added new certificate extensions and usage reporting flags to
explicitly identify Machine ID bots and their cluster activity.
[#36313]
* Fixed potential panic after backend watcher failure. #36301
* Prevent deleted users from using account reset links created
prior to the user being deleted. #36271
* Make Unified Resources page in Web UI responsive. #36265
* Added "Database Roles" column to tsh db ls -v. #36246
* Safeguard against the disruption of cluster access caused by
incorrect Kubernetes APIService configurations. #36227
* Support running a version server in the proxy for automatic
agent upgrades. #36220
* The user login state generator now uses the cache, which should
reduce the number of calls to the backend. #36196
* Added the --insecure-no-resolve-image flag to the
teleport-kube-agent-updater to disable image tag resolution if
it cannot pull the image. #36097
* Added future assume time to access requests. #35726
* Sun Jan 07 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 14.3.0:
This release of Teleport contains multiple security fixes,
improvements and bug fixes.
* Security fixes
- Teleport Proxy now restricts SFTP for normal users as
described under Advisory
https://github.com/gravitational/teleport/security/advisories/GHSA-c9v7-wmwj-vf6x
- Fixed an issue that would allow for SSRF via Teleport's
reverse tunnel subsystem. Documented under the advisory
- https://github.com/gravitational/teleport/security/advisories/GHSA-hw4x-mcx5-9q36
- On macOS, Teleport filters the environment to prevent code
execution via `DYLD_` variables. Documented under
https://github.com/gravitational/teleport/security/advisories/GHSA-vfxf-76hv-v4w4
- A fix was applied to Access Lists to prevent possible
privilege escalation of list owners. Documented under
https://github.com/gravitational/teleport/security/advisories/GHSA-76cc-p55w-63g3
* Other Fixes & Improvements
- Added the ability to promote an access request to an access
list in Teleport Connect
- Fixed an issue that would prevent websocket upgrades from
completing.
- Enhanced the audit events related to Teleport's SAML IdP
- Added support for STS session tags in the database
configuration for granular DynamoDB access.
- Added support for the IAM join method in ca-west-1.
- Improved the formatting of access list notifications in tsh.
- Fixed downgrade logic of KubernetesResources to Role v6
- Fixed potential panic during early phases of SSH service
lifetime
- Added a `tsh latency` command to monitor ssh connection
latency in realtime
- Support GitHub joining from Enterprise accounts with
`include_enterprise_slug` enabled.
- Added vpc-id as a label to auto-discovered RDS databases
- Improved teleport agent performance when handling a large
number of TCP forwarding requests.
- Bump golang.org/x/crypto to v0.17.0, which addresses the
Terrapin vulnerability (CVE-2023-48795)
- Include the lock expiration time in `lock.create` audit
events
- Add custom attribute mapping to the
`saml_idp_service_provider` spec.
- Fixed PIV not being available on Windows tsh binaries
- Restored direct dial SSH server compatibility with certain
SSH tools such as `ssh-keyscan` (#35647)
- Prevent users from deleting their last passwordless device
- the `teleport-kube-agent` chart now supports passing extra
arguments to the updater.
- New access lists with an unspecified NextAuditDate now pick
a new date instead of being rejected
- Changed the minimal supported macOS version of Teleport
Connect to 10.15 (Catalina)
- Add non-AD desktops to Enroll New Resource
- Fixed a bug in `teleport-kube-agent` chart when using both
`appResources` and the `discovery` role.
- Fixed session upload audit events sometimes containing an
incorrect URL for the session recording.
- Prevent tsh from re-authenticating if the MFA ceremony fails
during `tsh ssh`
- Prevent attempts to join a nonexistent SSH session from
hanging forever
- Improved Windows hosts registration with a new
`static_hosts` configuration field
- Fixed the sorting of name and description columns for user
groups when creating an access request
* Fri Dec 15 2023 Johannes Kastl <kastl@b1-systems.de>
- update to 14.2.3:
* Prevent Cloud tenants from being a leaf cluster. #35687
* Added "Show All Labels" button in the unified resources list
view. #35666
* Added auto approval flow to servicenow plugin. #35658
* Added guided SAML entity descriptor creation when entity
descriptor XML is not yet available. #35657
* Added a connection test when enrolling a new Connect My
Computer resource in Web UI. #35649
* Fixed regression of Kubernetes Server Address when Teleport
runs in multiplex mode. #35633
* When using the Slack plugin, users will now be notified
directly of access requests and their approvals or denials.
[#35577]
* Fixed bug where configuration errors with an individual SSO
connector impacted other connectors. #35576
* Fixed client IP propagation from the Proxy to the Auth during
IdP initiated SSO. #35545
* Sat Dec 09 2023 Johannes Kastl <kastl@b1-systems.de>
- update to 14.2.2:
* Prevent panic when dialing a deleted Application Server. #35525
* Fixed regression issue with arm32 binaries in 14.2.1 having
higher glibc requirements. #35539
* Fixed GCP VM auto-discovery not using instances' internal IP
address. #35521
* Calculate latency of Web SSH sessions and report it to users.
[#35516]
* Fix bot's unable to view or approve access requests issue.
[#35512]
* Fix querying of large audit events with Athena backend. #35483
* Fix panic on potential nil value when requesting
/webapi/presetroles. #35463
* Add insecure-drop host user creation mode. #35403
* IAM permissions for rds:DescribeDBProxyTargets are no longer
required for RDS Proxy discovery. #35389
* Update Go to 1.21.5. #35371
* Desktop connections default to RDP port 3389 if not otherwise
specified. #35343
* Add cluster_auth_preferences to the shortcuts for
cluster_auth_preference. #35329
* Make the podSecurityPolicy configurable in the
teleport-kube-agent chart. #35320
* Prevent EKS fetcher not having correct IAM permissions from
stopping whole Discovery service start up. #35319
* Add database automatic user provisioning support for
self-hosted MongoDB. #35317
* Improve the resilience of tbot to misconfiguration of auth
connectors when generating a Kubernetes output. #35309
* Fix crash when writing kubeconfig with tctl auth sign --tar.
[#34874]
* Fri Dec 01 2023 Johannes Kastl <kastl@b1-systems.de>
- update to 14.2.1:
* Fixed issue that could cause app and desktop session recording
events to be written to the audit log. #35183
* Fixed a possible panic when downgrading Teleport roles to older
versions. #35236
* Fixed a regression issue where tsh db connect to Redis 7 fails
with an error on REDIS_REPLY_STATUS. #35162
* Allow Teleport to complete abandoned uploads faster in HA
deployments. #35102
* Fixed error when installing a v13 node with the default
installer from a v14 cluster. #35058
* Fixed issue with the absence of membership expiry circumventing
membership requirements check. #35057
* Added read verb to suggested role spec when enrolling new
resources. #35053
* Added more new "Enroll Integration" tiles for Machine ID
guides. #35050
* Fixed default installer yum error on RHEL and Amazon Linux.
[#35021]
* External Audit Storage enables Cloud customers to store Audit
Logs and Session Recordings in their own AWS account. #35008
* Fixed IP propagation for nodes/bots joining the cluster and add
LoginIP to bot certificates. #34958
* Fixed an issue tsh db connect <mongodb> does not give reason on
connection errors. #34910
* Updated distroless images to use Debian 12. #34878
* Added new email-based UI for inviting new local users on
Teleport Cloud clusters. #34869
* Fix an issue "Allowed Users" in "tsh db ls" shows wrong user
for databases with Automatic User Provisioning enabled. #34850
* Fixed issue with application access requests and web UI large
file downloads timing out after 30 seconds. #34849
* Added default database support for PostgreSQL auto-user
provisioning. #34840
* Machine ID: handle kernel version check failing more
gracefully. #34828
* Tue Nov 21 2023 Johannes Kastl <kastl@b1-systems.de>
- update to 14.2.0:
* New Features
- Advanced Okta Integration (Enterprise Edition only)
Teleport will be able to automatically create SSO connector
and sync users when configuring Okta integration.
- Connect my Computer support in Web UI
The Teleport web UI will provide a guided flow for joining
your computer to the Teleport cluster using Teleport Connect.
- Dynamic credential reloading for plugins
Teleport plugins will support dynamic credential reloading,
allowing them to take advantage of short-lived (and
frequently rotated) credentials generated by Machine ID.
* Fixes and Improvements
- Access list review reminders will now be sent via Slack
[#34663]
- Improve the error message when attempting to enroll a
hardware key that cannot support passwordless #34589
- Allow selecting multiple resource filters in the search bar
in Connect #34543
- Added a guided flow for joining your computer to the Teleport
cluster using Teleport Connect; find it in the Web UI under
Enroll New Resource -> Connect My Computer (available only
for local users, with prerequisites) #33688
* Fri Nov 17 2023 kastl@b1-systems.de
- Update to version 14.1.5:
* Increased the maximum width of the console tabs in the web UI.
[#34648]
* Fixed accessing dedicated Proxy Kubernetes port when TLS
routing is enabled. #34645
* Fixed tsh --piv-slot custom PIV slot setting for Hardware Key
Support. #34592
* Disabled AWS IMDSv1 fallback and enforced use of FIPS endpoints
in FIPS mode. #34433
* Fixed incorrect permissions when opening X11 listener. #34617
* Prevented .tsh/environment values from overriding prior set
values. #34626
* Changed access lists to respect user locking. #34620
* Fixed access requests to respect explicit deny rules. #34600
* Added Teleport Access Graph integration. #34569
* Fixed cleanup of unused GCP KMS keys. #34468
* Added list view option to the unified resources page. #34466
* Fixed duplicate entries in resources view when updating
nodename #34236 #34453
* Allow configuring cluster_networking_config and
cluster_auth_preference via --bootstrap. #34445
* Fixed tsh logout with broken key directory. #34435
* Added binary formatted parameters as base64 encoded strings to
PostgreSQL Statement Bind audit log events. #34432
* Reduced CPU & memory usage, and logging in the operator, by
reusing connections to Teleport. #34425
* Updated the code signing certificate for Windows artifacts.
[#34377]
* Added IAM Authentication support for Amazon MemoryDB Access.
[#34348]
* Split large desktop recordings into multiple files during
export. #34319
* Allow setting server labels from tctl. #34137
* Thu Nov 16 2023 kastl@b1-systems.de
- Update to version 14.1.3:
* Security Fixes
- [Medium] Arbitrary code execution with LD_PRELOAD and SFTP
Teleport implements SFTP using a subcommand. Prior to this
release it was possible to inject environment variables into
the execution of this subcommand, via shell init scripts or
via the SSH environment request.
This is addressed by preventing LD_PRELOAD and other
dangerous environment variables from being forwarded during
re-exec.
* [Medium] Outbound SSH from Proxy can lead to IP spoofing
If the Teleport auth or proxy services are configured to
accept PROXY protocol headers, a malicious actor can use this
to spoof their IP address.
This is addressed by requiring that the first bytes of any
SSH connection are the SSH protocol prefix, denying a
malicious actor the opportunity to send their own proxy
headers.
* Other Fixes & Improvements
- Fixed issue where tbot would select the wrong address for
Kubernetes Access when in ports separate mode #34283
- Added post-review state of Access Request in audit log
description #34213
- Updated Operator Reconciliation to skip Teleport Operator on
status updates #34194
- Updated Kube Agent Auto-Discovery to install the Teleport
version provided by Automatic Upgrades #34157
- Updated Server Auto-Discovery installer script to use bash
instead of sh #34144
- When a promotable Access Request targets a resource that
belongs to an Access List, owners of that list will now
automatically be added as reviewers. #34131
- Added Database Automatic User Provisioning support for
Redshift #34126
- Added teleport_auth_type config parameter to the AWS
Terraform examples #34124
- Fixed issue where an auto-provisioned PostgreSQL user may
keep old roles indefinitely #34121
- Fixed incorrectly set file mode for Windows TPM files #34113
- Added dynamic credential reloading for access plugins #34079
- Fixed Azure Identity federated Application ID #33960
- Fixed issue where Kubernetes Audit Events reported incorrect
information in the exec audit #33950
- Added support for formatting hostname as host:port to tsh
puttyconfig #33883
- Added support for --set-context-name to tsh proxy kube
- Fixed various Access List bookkeeping issues #33834
- Fixed issue where tsh aws ecs execute-command would always
fail #33833
- Updated UI to automatically redirect to login page on missing
session cookie #33806
- Added Dynamic Discovery matching for Databases #33693
- Fixed formatting errors on empty result sets in tsh #33633
- Added Database Automatic User Provisioning support for
MariaDB #34256
- Fixed issue where MySQL auto-user deletion fails on usernames
with quotes #34304
* Thu Nov 09 2023 kastl@b1-systems.de
- Update to version 14.1.2:
* Release 14.1.2 (#34327)
* docs: add team scope to automatic updates (#34343)
* Document workload ID for AKS for the helm guide (#34323)
* [v14] event fanout rework (#33841)
* [v14] Add first step of guided flow for Connect My Computer in
Discover (#34335)
* chore: Bump golangci-lint to v1.55.2 (#34313) (#34336)
* [v14] Return server's `subKind` from tshd (#34297)
* Fix an issue MySQL auto-user deletion fails on usernames that
requite quotes (#34258) (#34304)
* [v14] Added Database Automatic User Provisioning support for
MariaDB (#34256)
* [v14] Add Connect My Computer tile to Discover (#34287)
* [v14] Filter dangerous environment variables before reexec
(#34274)
* [v14] chore: Bump Go to v1.21.4 (#34308)
* [v14] Fix an issue auto-provisioned PostgreSQL user may keep
old roles indefinitely (#34121)
* [v14] Fix Machine ID selection of Kubernetes Access
address/port (#34283)
* Update e (#34295)
* [v14] Link to version-specific docs pages from the support page
(#34261)
* [v14] Tidy up pointer/value receivers in tbot (#34269)
* Replace getPlatform implementation (#34193)
* Add missing private key policy field to
UserCertificateIssuedEvent.Anonymize. (#34264)
* [v14] docs: update Server SSH getting started to SSH video
(#34248)
* use upgradeEnrollAlertID in error logs (#34219)
* [v14] Database Automatic User Provisioning support for Redshift
(#34126)
* Dynamic Discovery Matchers for Databases (#33693)
* Remove nodeCount from Web server and UI (#34216)
* fix step number (#34225)
* [v14] Special case the subsystems handled by `teleport exec`
(#34142)
* [v14] include state of access request after review in audit log
description (#34213)
* Update e reference (#34210)
* Web: Ease AWS integration with Discover Flow (#33777) (#34189)
* Cherrypick 3b23d9d (#34206)
* Fix Teleport update reconciliation on `status` updates (#34063)
(#34194)
* Fix links in the Predicate Language guide (#34160)
* Consolidate context usage for client src/dst addresses into
authz package (#34168)
* [v14] Add Access List owners to suggested reviewers. (#34131)
* docs: add join token in MySQL CloudSQL config (#34155)
* Discover Kube Agent: use automatic upgrades version (#34145)
(#34157)
* [v14] Installer Scripts: use bash instead of sh (#34144)
* [v14] [docs] troubleshooting for AWS Access SSM sessions
(#34118)
* chore: Bump golangci-lint to v1.55.1 (#34048) (#34127)
* fix: Use octal mode for Windows TPM files (#34113)
* [v14] terraform: Add/restore support for TELEPORT_AUTH_TYPE
(#34124)
* [v14] Show alert about insufficient permissions in Connect My
Computer setup tab (#34064)
* [v14] Access Plugins: Support dynamic credential reloading
(#34079)
* Clean up logging of watcher kinds (#33957)
* Improve error messaging when instance is newer than auth
(#34083)
* [v14] Prevent SSO Redirects to other origins (#34077)
* AWS OIDC IdP Configure script: remove region (#34061)
* Fix agentless leaf node authorization (#33993) (#34053)
* Fix potential SEO issues (#33948)
* chore: Bump OpenSSL to 3.0.12 (#34066)
* [v14] Connect My Computer: Implement in-app flow after deep
link click (#34062)
* [v14] Improve styling of the shared `UnifiedResources`
component (#34059)
* Fix non-interactive kube benchmark (#33560)
* [v14] Update permissions required in Slack access request docs
(#34047)
* Fix Azure Identity federated Application ID (#33960)
* [v14] DiscoveryConfig: fix `CheckAndSetDefaults` for matchers
(#34024)
* [v14] docker `v24.0.7+incompatible` update (#34043)
* [v14] Fix discrepancies with dynamo events retention period
(#34007)
* Fix table alignment in `tctl tokens ls` examples (#34001)
* Change deep links to include port number (#34027)
* [v14] Make unified resources data fetching mechanism more
flexible (#33976)
* Unify auth server receiver names (#33994)
* [v14] update-SSO-troubleshooting docs (#33897)
* Automatically forward some spans from tsh to Cloud (#33329)
(#33991)
* [v14] Ignore shared aws config not found error (#33933)
* [v14] Remove "Preview" designation (#33986)
* [v14] Explain template variables wherever they appear (#33977)
* [v14] Limit gRPC Active streams (#33985)
* Bump github.com/crewjam/saml from
0.4.14-0.20230420111643-34930b26d33b to 0.4.14 (#33500)
(#33989)
* Ensure upload streams use the correct context (#33978)
* Clarify Opsgenie prerequisites (#33970)
* [v14] Use the correct error when inspecting Kubernetes session
(#33950)
* Fix git installation path on CentOS 7 docker image (#33132)
* [v14] handle empty lists for yaml and json formatted lists in
tctl (#33633)
* [v14] docs: Add Docker to the PagerDuty access request plugin
(#33829)
* [v14] Await peristed state restoration before concluding UI
initialization (#33914)
* Return predicate failed message in unified resource requests
(#33902)
* [v14] Update Oracle DB docs and messaging (#33926)
* Add a missing trace.Wrap to first time joining errors (#33894)
* Fix an issue `tsh aws ecs execute-command` fails (#33833)
* [v14] Add suggested reviewers as assingee to servicenow
incidents (#33845)
* [v14] Require SSH prefix in `router.DialHost` connections
(#33729)
* Fix flaky test by avoiding session recording test cleanup race
condition. (#33906)
* [v14] tsh: Add support for host:port combinations to tsh
puttyconfig (#33883)
* Enforce body size limits for http responses (#33768) (#33859)
* [v14] Update docs with database user auto provisioning modes
(#33901)
* Add missing redirect (#33889)
* [v14] Improve UX for headless kube proxy by giving user more
time when reissuing expired certificates (#33855)
* [v14] Web: Redirect to login upon missing session cookie
(#33806)
* [v14] Fix Assume Roles switch back, don't delete role if access
list is using it. (#33834)
* [v14] Refactor unified resources view (#33874)
* [v14] Send deep link clicks to frontend app in Connect (#33878)
* [v14] Add hosted plugin docs (#33881)
* [v14] Parse deep links sent to Connect (#33740)
* Disambiguate directory sharing's disabled and inactive states
(#33814)
* [auto] docs: Update version to v14.1.1 (#33848)
* Remove unused docs images (#33268)
* Fix title conflict (#33261)
* [v14] Update manual AD configuration for desktop access
(#33837)
* Tue Oct 24 2023 kastl@b1-systems.de
- Update to version 14.1.1:
* Release 14.1.1 (#33843)
* [v14] Align titles in the introduction to topic sections,
modify Desktop Access reference (#33826)
* fix order (#33775)
* [v14] Add headless mode to 'tsh proxy kube' (#33783)
* Fix the top bar going outside the window (#33821)
* docs: update local windows getting started to include all
scopes (#33818)
* Fix d3-color@3.1.0 breaking tests (#33813)
* [v14] docs: reword tctl instructions (#33812)
* Check if resource exists before making sort keys to delete
(#33766)
* [v14] [docs] Automatic user provisioning for MySQL (#33745)
* Manually fire OpInit in NodeJoinWait test (#33692)
* docs: fix YAML syntax for Grafana header rewrite (#33780)
* Machine ID Docs Refactor (#31259) (#33714)
* docs: Update service type for ACM deployments in Enterprise
(#33774)
* Update Jest to v29 and use custom env to expose TextEncoder &
TextDecoder (#33741)
* Always use lowercase when pinning resources (#33765)
* [v14] snowflake/http: Limit Decompressed Request to 10MB
(#33764)
* Add MySQL auto-user deletion (#33520) (#33710)
* remove preview from directory sharing button (#33757)
* [v14] Add an Access Request configuration guide (#33756)
* Pin d3-color version to ^3.1.0 (#33760)
* Remove "Preview" from Resource Access Request page (#33664)
* test(db): simplify active connections tests setup (#32923)
(#33686)
* Upgrade Vite + Vite dependencies (#33566)
* Minor docs typo fix (#33589)
* Bump rustix from 0.36.5 to 0.36.16 (#33707)
* Extend rsync command timeout in tests. (#33673)
* Clean up a few log entries (#33644)
* Update Node.js to 18.18.2 (#33521) (#33624)
* [v14] include url and saml connector name in entity descriptor
url errors (#33667)
* Extend test timeouts. (#33617)
* bump docs to 13.4.3 (#33700)
* [docs] add missing database matchers for discovery config
reference (#33694)
* docs: mention support for multiple AD domains (#33332)
* [auto] docs: Update version to v14.1.0 (#33680)
* [v14] DiscoveryConfig: WebAPI CRUD (#33380)
* [v14] Configure Connect to intercept deep link clicks (#33684)
* Update synchronization period in Okta docs. (#33638)
* [v14] Add the ability to run a specific tool to Assist.
(#33640)
* Remove access list from unified watcher (#33685)
* Add PostgreSQL auto-user deletion (#32792) (#33570)
* [v14] Add docs for Connect My Computer (#33149)
* Tue Oct 24 2023 kastl@b1-systems.de
- Update to version 14.1.0:
Security fixes
* Updated golang.org/x/net dependency. #33420
- swift-nio-http2 vulnerable to HTTP/2 Stream Cancellation
Attack: CVE-2023-44487
* Updated google.golang.org/grpc to v1.57.1. #33487
- swift-nio-http2 vulnerable to HTTP/2 Stream Cancellation
Attack: CVE-2023-44487
* Updated OpenTelemetry dependency. #33523 #33550
- OpenTelemetry-Go Contrib vulnerable to denial of service in
otelhttp due to unbound cardinality metrics: CVE-2023-45142
* Updated babel/core to 7.3.2. #33441
- Arbitrary code execution when compiling specifically crafted
malicious code: CVE-2023-45133
Changelog:
* Release 14.1.0 (#33507)
* Add private key policy to user login and certificate posthog
events. (#33615)
* [v14] allow https:// in proxy parameter in tsh (#33646)
* docs: include all db protocols in faq and config (#33641)
* [v14] docs: Reorganize and revise moderated sessions (#33545)
* Add Docker to Slack access request plugin (#33393)
* Select examples `api` dependency update (#33595) (#33601)
* [v14] Update hardware key support docs (#33650)
* Expand access list review audit entry. (#33573)
* add security group picker to deployservice step (#33453)
* Add Docker to MSFT teams plugin (#33387)
* Add Docker to Mattermost plugin (#33390)
* Deflake TestChaosUpload (#33610)
* [v14] Update e (#33605)
* docs: update okta service setup (#33464)
* Update e (#33602)
* Update generate-eventschema (#33598)
* Fix a couple of typos and reword scenario descriptions (#33397)
* [v14] Fix issue with ServiceNow incidents not including link to
access request (#33593)
* [v14] docs: Add timing for automatic agent updates to the cloud
FAQ (#33400)
* Fix hardware key support for sso web login (#33433) (#33548)
* Add Hardware Key login audit event fields (#33254) (#33549)
* [v14] Add Access Monitoring Ping Auth Response Feature flag
(#33585)
* Add nav title & packages for Access Monitoring (#33580)
* [v14] Update e (#33530)
* [v14] Fix assist audit query prompt (#33581)
* [v14] Security Reports (#33459)
* Propagate resource revision to/from the backend (#32040)
(#33214)
* [v14] Show Connect My Computer CTA only if versions are
compatible (#33563)
* Gracefully handle web socket closure by clients (#33480)
(#33529)
* [v14] Machine ID: Improve warning/error message when secure
symlinks are not available (#33562)
* [v14] Allow Bots to submit access request reviews (#33509)
* [v14] Fix flaky test `TestWithRsync/with_headless_tsh` (#33557)
* Add user certificates generated prometheus metric. (#33476)
* [v14] Missed OpenTelemetry Updates (#33550)
* docs: Add WinSCP to PuTTY client instructions (#32868) (#33092)
* [v14] Prevent remote proxies from impersonating users from
different clusters (#33539)
* Notify CLI users when access lists need reviews. (#33468)
* [v14] OpenTelemetry Updates (#33523)
* [v14] Configure custom PIV slot for hardware key support -
follow up (#33353)
* [v14] AWS OIDC: Only consider Linux/UNIX when listing EC2
instances (#33515)
* Update upcoming-releases.mdx (#33525)
* Revert private key policy error handling in WebUI (#33237)
(#33482)
* [v14] Database Automatic User Provisioning support for MySQL
(#33379)
* [v14] Fix user login state gRPC client upsert. (#33451)
* Make privateKeyPolicyEnabled an optional field. (#33481)
* Update remaining `google.golang.org/grpc` to v1.57.1 (#33487)
* Make initialization of Connect synchronous (#33508)
* [v14] Update @babel/core to 7.23.2 and dedupe babel deps
(#33441)
* [v14] update e (#33493)
* Configure custom PIV slot for hardware key support (#31732)
(#33352)
* [v14] Show resources in Slack notification for access requests
(#33264)
* Extend handshake read deadline to allow signature operations
that require user input to be completed (hardware key
touch/pin). (#32921) (#33348)
* [v14] Add `pcscd` install instructions for hardware key support
(#33376)
* Add support for deploy service agent auto updates (#31982)
(#33313)
* * Use lowercase for sort keys in unified cache (#33475)
* [v14] Include 'nextAuditDate' in 'CreateAccessListReview'
method (#33485)
* fix oidc test race (#33432)
* [v14] docs: update macos app remove command to delete dir and
correct fips debug container address (#33367)
* [v14] Add a duration for starting notifications to access
lists. (#33474)
* [docs] clarify RDS/Aurora databases getting modified (#33410)
* [v14] Prevent double registration of Kubernetes GVK for older
Kube clusters (#33402)
* [v14] Web: Add notification store (#33381)
* Web: add identity management nav section (#33423)
* Add usage events for desktop access (#33455)
* Wait for nodes to be availble in disconnection tests (#33446)
* Use searchAsRoles in unified requests (#33427)
* Show Connect My Computer button in empty state in Connect
(#33440)
* Remove Connect My Computer feature flag (#32850)
* Refactor desktop audit event emission (#33316)
* [v14] Bump golang.org/x/net Backport (#33420)
* Fix an issue `tsh` fails to connect Proxy behind TLS-terminated
loadbalancer in separate port mode (#33406)
* Add resource pinning to Unified Resource cards (#32980)
(#33404)
* [v14] PIV refactors (#33349)
* [v14] Fix access list audit log formatting (#33383)
* Allow access requests to use user login state. (#33350)
* join_sessions overrides the deny rule for sessions a user is
allowed to join (#33161)
* Allow for Windows PKI operations to target a different domain
(#33275)
* [auto] docs: Update version to v14.0.3 (#33361)
* Downgrade `@teleport-access-approver` to `v6` (#33354)
* [v14] Pinned Resources backend (#33277)
* Remove access lists and members from the cache. (#33322)
* Added 10/11 Upcoming Releases Update (#33309)
* Make system roles case-insensitive in provision tokens (#33260)
* docs: include servicenow and opsgenie in plugin index (#33292)
* [v14] docs: Reduce the use of capitalized trusted clusters and
a few other fixes (#33310)
* Add Docker to email plugin (#33321)
* [v14] Add param `extraContainers` to `teleport-cluster` and
`teleport-kube-agent` (#33299)
* Tue Oct 24 2023 kastl@b1-systems.de
- skipping non-existent release 14.0.2
- Update to version 14.0.3:
* Release 14.0.3 (#33290)
* [v14] Remove check that enforces slack oauthProviders are set
(#33141)
* [v14] Report exit code of rsync processes if they fail in
TestWithRsync (#33262)
* DiscoveryConfig: init service and add resource to `tctl`
(#32399) (#33289)
* Update e (#33280)
* [v14] re-add agentless node manual installation docs (#32811)
* chore: Bump google.golang.org/grpc to v1.57.1 (#33265)
* [v14] [buddy] docs: minor typos and improvements in the
description of the Teleport Proxy Service (#33184)
* [v14] utils.RecursiveChown: Fix for Privilege Escalation due to
following symlinks (#33248)
* Reword Troubleshooting section in Connect docs (#33201)
* Add server troubleshooting to left nav (#33224)
* fix watcher setup in oidc test (#33258)
* [v14] docs: role definition update and update networking ports
info (#33223)
* [v14] docs: Caveat for token permissions not scoped to any
resource context (#33166)
* disable TestHSMDualAuthRotation (#33251)
* Backport changes to Restrict Access to Privileged Accounts
topic (#33238)
* [v14] Fix `tsh kube credentials` when root cluster roles don't
allow Kube access (#33210)
* [v14] chore: Bump Go to v1.21.3 (#33229)
* Yarn replacement version bumps (#33023)
* [v14] [docs] Attempt to clarify ElastiCache/MemoryDB auth
methods (#33215)
* [v14] docs: Add Docker to partials and update the discord
access request plugin (#33163)
* Fixes emitting wrong events for ec2 discover flow (#33185)
* Fix Kubernetes agent updater helm chart reference to bool
(#33212)
* [v14] Fix Proxy Kube listener behavior regarding PROXY protocol
usage (#33135)
* DiscoveryMatchers: move checkandset to types package (#32857)
(#32959)
* [v14] Split RDS Proxy guides per protocol (#33145)
* [v14] Header `Connection: close` causes `kubectl` to fail exec
(#33172)
* Web: Add EC2 name when listing instances in Discover flow
(#33179)
* [v14] Add support for gap prop to Button (#33196)
* Fix self-signed cert validity on macOS systems (#33156)
* fix leaf SSH sessions not getting recorded (#33102)
* [v14] OneOff Script: use ent build if cluster is Enterprise
(#33148)
* Add helper for generating request TTL options (#33041)
* Track connections to direct dial nodes across clusters (#33045)
* Add initial command to session trackers (#33112)
* [v14] docs: include info for accessing database audit activity
(#33093)
* [v14] docs: Draft of troubleshooting topics for Server Access
(#32876)
* [v14] docs: update fips docker address and internal address
listing (#33087)
* [v14] Fix --debug flag in Connect & enable devtools in debug
mode (#33137)
* [v14] Web: add link to CloudShell on EICE/EC2 Discover flow
(#33079)
* Fix some Rust lint warnings caught by Clippy 1.73.0 (#33098)
* [v14] Reliability improvements for HSM tests (#33091)
* docs: title zypper enterprise linux install tab (#33074)
* [v14] docs: Update HA Terraform reference and add starter
cluster reference (#33085)
* [v14] Update e ref. (#33066)
* [v14] Add cost optimized pagination search for athena (#33007)
* [v14] Add the Access List review backend. (#33070)
* Update cloud docs to 13.4.2 (#33071)
* [v14] AWS OIDC - EICE: improve error when EC2 does not accept
SSH connections (#33057)
* Update e ref (#32990)
* Downgrade Electron to 25.9.0 (#33058)
* Fix switch condition in Proxy listeners setup (#32966)
* Allow breaker tripped error to be configurable (#33036)
* Fix `kubectl log` commands when they refer to deployment
instead of pod (#32962)
* [v14] chore: Bump Go to v1.21.2 (#33046)
* Add in audit review recurrence presets. (#32960)
* [v14] chore: Pin golangci-lint and buf, bump buf to v1.27.0
(#33034)
* fix: improve reconnection reliability after process reloads
(#32807)
* Add sort index trees to unified resource cache (#33027)
* [v14] chore: Address crypto/elliptic package deprecations
(#32929)
* update --db-user and --db-name docs (#32888)
* Remove unused bloat bypass workflow (#32984)
* Track user connections across clusters (#32967)
* [v14] Web: Create (re-use) step navigator for general use
(#32979)
* Added 10/04 Upcoming Releases Update (#32981)
* Fix desktop listener PROXY mode setting (#32937)
* Web build: fix circular dep warnings (#32975)
* [v14] Yarn dependency upgrades (#32977)
* [v14] `removeSecure()` should close the file before removing it
on Windows (#32963)
* [v14] Special case TestOpenFileLinks on macOS (#32957)
* update cloud docs to 13.4.0 (#32951)
* Bump zod from 3.21.2 to 3.22.3 (#32954)
* Update error message on GitHub OSS (#32914)
* [v14] Connect My Computer: Improve copy and UI consistency
(#32890)
* MenuIcon: Support arbitrary icon through Icon prop (#32889)
* Update e (#32931)
* Add new methods to AccessResourcesGetter interface (#32862)
* [v14] docs: change open source/OSS references to community
edition (#32877)
* [v14] Replace Access Plane with Access Platform (#32878)
* Bump webpki from 0.22.1 to 0.22.2 (#32883) (#32907)
* [v14] docs: Add how to verify the binaries are FIPS-compliant
[#32169] (#32882)
* [v14] Pin Teleport Terraform Provider to Teleport major version
(#32898)
* [v14] Fix max_duration when session TTL is short (#32817)
* [v14] puttyconfig: Switch to string-based Validity format and
deprecate MatchHosts (#32856)
* [v14] Add the internal access list review resource. (#32861)
* [v14] docs: update tctl tsh version location in prereqs
(#32858)
* [v14] docs: remove old versions ref (#32865)
* Convert `examples/teleport-usage` to use distroless image
(#32666)
* Sort cloud label names to the back (#32691)
* Use Proxy gRPC API when creating tracing client (#32663)
* Use Proxy gRPC API during log in (#32662)
* Prevent Kube proxy from set the default Kube impersonation
headers (#32848)
* Add support for Client ID to Azure VM auto-discovery (#32800)
* Use a context with a different scope for diagnostic trace
upload (#32838)
* Update e ref (#32812)
* Add connection information to multiplexer logs so it's easier
to investigate (#32738)
* [v14] DiscoveryConfig: add service with rbac support (#32719)
* add usage events for eice discover (#32815)
* [v14] Check to make sure defaultAllowRules matches preset
roles. (#32793)
* Added 09/27 Upcoming Releases Update (#32680)
* Improve RDS MySQL IAM auth error message (#32803)
* Add promoted access list title to teleterm access request
(#32717)
* [v14] Improve Connect My Computer UI & logout experience
(#32791)
* [v14] Fix remote pool of signed certs when exec into leaf
clusters (#32768)
* [v14] Improve explanation of `TBOT_GITLAB_JWT` config in GitLab
guide (#32797)
* [v14] Fix data race in Postgres engine on connection close
(#32783)
* [auto] docs: Update version to v14.0.1 (#32621)
* [v14] Properly apply `client_idle_timeout` to database access
sessions (#32720)
* [v14] Add access request promotion state and suggestion API
changes (#32710)
* allow teleport to start when some etcd nodes are unreachable
(#32779)
* Cut CI unit test runtime in half (#32774)
* conditionally show assist popover (#32267) (#32765)
* [v14] fix: Fix panic on `tsh device enroll --current-device`
(#32756)
* add eice discover flow (#32760)
* [v14] Web: Add disabled state to RadioGroup and add new icon
(#32758)
* [v14] Add Access Review gRPC service methods and messages.
(#32549)
* bump e (#32752)
* Fix the in-product link to trusted cluster docs (#32749)
* Remove reference to use a load balancer (#32695)
* Leverage marketing params on Discover (#31648) (#32515)
* [v14] Make spacing of Connect My Computer status more
consistent (#32736)
* docs: helm updates (#32705)
* [v14] docs: update Teleport Team prereqs (#32697)
* DiscoveryConfig: add service and client (#32562)
* [v14] Web: Extract re-usable parts and add new icons (#32713)
* Connect My Computer: Agent compatibility fixes (#32477)
(#32648)
* Update e (#32722)
* [v14] Update config reference for proxy_protocol field.
(#32667)
* Fix label name mismatch (#32569)
* [v14] Fixed issue where prerelease container image tags can
overwrite production container image tags (#32701)
* [v14] docs: remove multi level claim reference (#32673)
* Drain unused SSH channels (#32676)
* Fix usage of ClusterName from config when starting Auth server
(#32682)
* [v14] Connect: Add --debug flag, don't pass --insecure flag in
dev mode by default (#32657)
* remove docs for deprecated flags (#32670)
* Fix overflow in dropdown menu (#32647)
* Move `lib/utils/prompt` to `api/utils/prompt` (#32334) (#32576)
* [v14] [docs] DB access troubleshoot sts:AssumeRole not
authorized (#32661)
* Bump graphql from 16.6.0 to 16.8.1 (#32635)
* [v14] Fix Access List Members cache and eventing. (#32649)
* [v14] fix: Let users without a useable device issue register
challenges (#32430)
* Fix enterprise version check (#32554) (#32631)
* Update the supported versions table for v14 (#32585)
* Make UUIDs used in test helpers less random (#32564)
* [v14] Update copy of Connect My Computer setup & misc
improvements (#32565)
* Simplify LockTarget.IsEmpty implementation (#32607)
* Added 09/26 Upcoming Releases Update (#32599)
* Tue Oct 24 2023 kastl@b1-systems.de
- Update to version 14.0.1:
* Release 14.0.1 (#32611)
* Fix issue Teleport Connect Kube terminal throws internal server
error (#32612)
* Fix install-linux.mdx (#32586)
* docs: oracle guide steps (#32582)
* Remove mention of reversetunnel_connected_proxies (#32572)
* [v14] docs: add faq answer for using oss or ent release for
agents (#32520)
* [v14] Remove non-file path links from partials (#32234)
* ExtendWebSession: Update roles on req.ReloadUser (#32541)
* Correct grammar error in PagerDuty integration notification
(#32537)
* Use cluster name from ServerIdentity for Auth multiplexer
(#32352)
* athena: configure limits in examples (#32543)
* [v14] Add support for Protobuf Enums into Operator CRDs
(#32557)
* Add alignSelf to Button (#32561)
* Remove Preview from Connect title bar (#32560)
* [v14] Bump UI Role version to `v7` (#32341)
* fix(regular): combine static and dynamic labels for session
metadata (#32382)
* [v14] Connect My Computer: Add progress bar to the setup screen
(#32475)
* [v14] DiscoveryConfig: add proto and gRPC methods (#32313)
* `compareSemVers` should return 0 if values are equal (#32459)
* [v14] Updated packer version to fix tag builds (#32526)
* Update getting started (#32517)
* docs: Flip Github connector examples for OSS vs Commercial
(#32507)
* Add posthog events for discovered Kubernetes Apps (#32379)
* [v14] Update reduce-blast-radius.mdx (#32397)
* Dynamically generate unifiedId (#32263)
* Fill in missing CHANGELOG info (#32416)
* [v14] docs: remove v10 references (#32491)
* [v14] docs: helm install agent updates (#32503)
* [v14] docs: Root access is insecure: draft for expanded
security admin topics (#32423)
* [v14] Update e ref. (#32496)
* [v14] Allow sudoer files to be created separately from host
user creation (#32400)
* Remove gravitational/configure dependency (#32487)
* Fix incorrect CA in Machine ID database access guide (#32465)
* Add small delay to display shimmer boxes (#32482)
* [v14] Refresh resources after Connect My Computer setup
(#32484)
* [v14] docs: remove duplicate warning (#32478)
* [v14] Secure File Removal Improvements (#32435)
* [v14] Prevent duplicate Access List owners. (#32481)
* Connect My Computer: Store agent logs (#32044) (#32458)
* pgbk: remove CREATE PUBLICATION (#32474)
* Enforce use of IMDSv2 for AMI builds (#32418)
* Fix bugs with GCP project ID + default installer (#32316)
* docs: remove guidance on version warning older then v11
(#32408)
* Move Discovery Matchers to their own files (#32368)
* Connect My Computer: Keeping compatibility promise (#31951)
(#32394)
* [v14] docs: Oracle Audit Logs (#32282)
* [v14] ci: clarify failure on `go mod tidy` (#32389)
* [v14] Provide error message if process file is unavailable due
to permissions for teleport start (#32348)
* Upgrade TypeScript to 5.2.2 (#32375)
* [v14] Connect My Computer: Remove the agent (#32369)
* [v14] Add initial ServiceNow plugin docs (#32268)
* Application access header rewrites should be a list (#32340)
* [v14] Remove unused servicenow rotation code and rotas from
recipient (#32363)
* Add interactive tonal primary colors (#32007) (#32319)
* [v14] Fix repeated ServiceAccount in `teleport-kube-agent`
chart (#32338)
* [v14] Update e (#32366)
* Add Access List usage events, emit event for userloginstate
Generator. (#32297)
* post-release: update the docs version (#32308)
* [v14] Define and add `IneligibleStatus` fields for access list
members and owners (#32278)
* Update token parameter description to be consistent (#32330)
* [v14] pgbk: docs for change_feed_conn_string and warning
against OLAP workloads (#32283)
* Fix issues in Azure VM auto-discovery docs (#32317)
* Implement waiting for Connect My Computer node to join cluster
(#32295)
* Allow including only traits when doing a JWT rewrite (#32291)
* Move Upcoming Releases to v14 (#32300)
* docs: include SLES install with zypper repo in ent install
(#32305)
* docs: update version (#32292)
* [docs] fix Postgres auto-user provisioning role group (#31967)
* [v14] Add initial servicenow plugin (#32131)
* [v14] Execute time-bound graceful shutdowns on
`SIGINT`/`SIGTERM`. (#32189)
* Fix double counting of auth server (#32270)
* Tue Oct 24 2023 kastl@b1-systems.de
- Update to version 14.0.0:
very large changelog, please check it here:
https://github.com/gravitational/teleport/releases/tag/v14.0.0
Breaking changes and deprecations
* SSH node open dial no longer supported
Teleport 14 no longer allows connecting to OpenSSH servers not
registered with the cluster. Follow the updated agentless
OpenSSH integration guide to register your OpenSSH nodes in the
cluster’s inventory.
You can set TELEPORT_UNSTABLE_UNLISTED_AGENT_DIALING=yes
environment variable on Teleport proxy to temporarily re-enable
the open dial functionality. The environment variable will be
removed in Teleport 15.
* Proxy protocol default change
Starting from version 14, Teleport will require users to
explicitly enable or disable PROXY protocol in their
proxy_service/auth_service configuration using proxy_protocol:
on|off option.
Users who run their proxies behind L4 load balancers with PROXY
protocol enabled, should set proxy_protocol: on. Users who
don’t run Teleport behind PROXY protocol enabled load
balancers, should disable proxy_protocol: off explicitly for
security reasons.
By default, Teleport will accept the PROXY line but will
prevent connections with IP pinning enabled. IP pinning users
will need to explicitly enable/disable proxy protocol like
explained above.
See more details in our documentation.
* Legacy deb/rpm package repositories are deprecated
Teleport 14 will be the last release published to the legacy
package repositories at deb.releases.teleport.dev and
rpm.releases.teleport.dev. Starting with Teleport 15, packages
will only be published to the new repositories at
apt.releases.teleport.dev and yum.releases.teleport.dev.
All users are recommended to switch to
apt.releases.teleport.dev and yum.releases.teleport.dev
repositories as described in installation instructions.
* Cf-Access-Token header no longer included with app access requests
Starting from Teleport 14, the Cf-Access-Token header
containing the signed JWT token will no longer be included by
default with all app access requests. All requests will still
include Teleport-JWT-Assertion containing the JWT token.
See documentation for details on how to inject the JWT token
into any header using header rewriting.
* tsh db CLI commands changes
In Teleport 14 tsh db sub-commands will attempt to select a
default value for --db-user or --db-name flags if they are not
provided by the user by examining their allowed db_users and
db_names.
The flags --cert-file and --key-file for tsh proxy db command
were also removed, in favor of the --tunnel flag that opens an
authenticated local database proxy.
* MongoDB versions prior to 3.6 are no longer supported
Teleport 14 includes an update to the MongoDB driver.
Due to the MongoDB team dropping support for servers prior to
version 3.6 (which reached EOL on April 30, 2021), Teleport
also will no longer be able to support these old server
versions.
* Symlinks for ~/.tsh/environment no longer supported
In order to strengthen the security in Teleport 14, file
loading from home directories where the path includes a symlink
is no longer allowed. The most common use case for this is
loading environment variables from the ~/.tsh/environment file.
This will still work normally as long as the path includes no
symlinks.
* Deprecated audit event
Teleport 14 deprecates the trusted_cluster_token.create audit
event, replacing it with a new join_token.create event. The new
event is emitted when any join token is created, whether it be
for trusted clusters or other Teleport services.
Teleport 14 will emit both events when a trusted cluster join
token is created. Starting in Teleport 15, the
trusted_cluster_token.create event will no longer be emitted.
* Thu Oct 19 2023 kastl@b1-systems.de
- Update to version 13.4.4:
* Release 13.4.4 (#33622)
* Select examples `api` dependency update (#33595) (#33599)
* Expand access list review audit entry. (#33572)
* add security group picker to deployservice step (#33454)
* [v13] Add support for deploy service agent auto updates
(#31982) (#33311)
* Add Docker to Slack access request plugin (#33392)
* [v13] docs: Reorganize and revise moderated sessions (#33546)
* Deflake TestChaosUpload (#33611)
* [v13] Update e (#33606)
* docs: update okta service setup (#33465)
* Add Docker to MSFT teams plugin (#33386)
* Add Docker to Mattermost plugin (#33389)
* docs: Fix a couple of typos and reword scenario descriptions
(#33398)
* docs: Add agent updates follow the cluster upgrade to the FAQ
(#33401)
* Remove sending tracingContext in NewClientConn (#33584)
* [v13] OpenTelemetry Update Backport (#33551)
* Gracefully handle web socket closure by clients (#33480)
(#33532)
* Allow Bots to submit access request reviews (#33375) (#33510)
* [v13] Prevent remote proxies from impersonating users from
different clusters (#33540)
* Notify CLI users when access lists need reviews. (#33469)
* [v13] Missed v13 golang backport updates (#33527)
* Update e (#33531)
* [v13] AWS OIDC: Only consider Linux/UNIX when listing EC2
instances (#33514)
* [v13] Update e (#33526)
* fix oidc test race (#33431)
* [v13] Fix user login state gRPC client upsert. (#33450)
* [v13] Bump `google.golang.org/grpc` to v1.57.1 (#33488)
* [v13] Update @babel/core to 7.23.2 and dedupe babel deps
(#33442)
* Update e (#33494)
* [v13] Add `pcscd` install instructions for hardware key support
(#33377)
* Web: Fix passing in color to wrong field name (#33489)
* [v13] Include 'nextAuditDate' in 'CreateAccessListReview'
method (#33484)
* [v13] Add a duration for starting notifications to access
lists. (#33473)
* [v13] docs: update macos app remove command to delete dir and
correct fips debug container address (#33368)
* [docs] clarify RDS/Aurora databases getting modified (#33411)
* [v13] Web: Add notification store (#33382)
* Add usage events for desktop access (#33456)
* Web: add identity management nav section (#33409) (#33425)
* [v13] Bump for word-wrap and semver (#33452)
* Allow for Windows PKI operations to target a different domain
(#33276)
* [v13] Bump golang.org/x/net Backport (#33447)
* Remove "aurora" engine from db fetcher (#30572) (#33236)
* Refactor desktop audit event emission (#33336)
* Fix an issue `tsh` fails to connect Proxy behind TLS-terminated
loadbalancer in separate port mode (#33407)
* [v13] Fix access list audit log formatting (#33384)
* Allow access requests to use user login state. (#33351)
* join_sessions overrides the deny rule for sessions a user is
allowed to join (#33160)
* [auto] docs: Update version to v13.4.3 (#33360)
* Remove access lists and members from the cache. (#33324)
* docs: include servicenow and opsgenie in plugin index (#33293)
* Add Docker to email plugin (#33320)
* Thu Oct 12 2023 kastl@b1-systems.de
- Update to version 13.4.3:
* Release 13.4.3 (#33291)
* Add param `extraContainers` to `teleport-cluster` and
`teleport-kube-agent` (#32953) (#33300)
* Update e (#33281)
* Backport changes to Restrict Access to Privileged Accounts
topic (#33255)
* [v13] [buddy] docs: minor typos and improvements in the
description of the Teleport Proxy Service (#33183)
* Add server troubleshooting to left nav (#33222)
* [v13] utils.RecursiveChown: Fix for Privilege Escalation due to
following symlinks (#33247)
* Reword Troubleshooting section in Connect docs (#33202)
* fix watcher setup in oidc test (#33259)
* [v13] docs: Add Docker to partials and update the discord
access request plugin (#33168)
* [v13] docs: role definition update and update networking info
(#33225)
* Disable golangci-lint action cache (#30780) (#33240)
* [v13] chore: Bump Go to v1.20.10 (#33230)
* Fixes emitting wrong events for ec2 discover flow (#33186)
* [v13] [docs] Attempt to clarify ElastiCache/MemoryDB auth
methods (#33216)
* [v13] docs: Caveat for token permissions not scoped to any
resource context (#33165)
* [v13] Fix `tsh kube credentials` when root cluster roles don't
allow Kube access (#33211)
* Fix Kubernetes agent updater helm chart reference to bool
(#33213)
* Yarn replacement version bumps (#32982) (#33024)
* Fix --debug flag in Connect & enable devtools in debug mode
(#33204)
* [v13] Split RDS Proxy guides per protocol (#33146)
* Web: Add EC2 name when listing instances in Discover flow
(#33178)
* [v13] Add support for gap prop to Button (#33199)
* [v13] fix leaf SSH sessions not getting recorded (#33104)
* [v13] OneOff Script: use ent build if cluster is Enterprise
(#33147)
* Fix self-signed cert validity on macOS systems (#33157)
* Add initial command to session trackers (#32947) (#33113)
* [v13] docs: update fips docker address and internal listing
(#33088)
* [v13] docs: include info for accessing database audit activity
(#33094)
* [v13] Web: add link to CloudShell on EICE/EC2 Discover flow
(#33078)
* Fix some Rust lint warnings caught by Clippy 1.73.0 (#33097)
* Update e (#33105)
* Add promoted access list title to teleterm access request
(#32718)
* docs: title zypper enterprise linux install tab (#33075)
* Add the Access List review backend. (#33069)
* [v13] Add cost optimized pagination search for athena (#33006)
* Update cloud docs to 13.4.2 (#33072)
* [v13] Access request promotion (#33029)
* [v13] Update e ref. (#33067)
* Downgrade Electron to 25.9.0 (#33059)
* Allow breaker tripped error to be configurable (#32869)
(#33037)
* [v13] chore: Bump Go to v1.20.9 (#33047)
* Correct typo in Makefile. (#33052)
* [v13] chore: Move golangci-lint and buf to GHA, bump versions
(#33038)
* Add in audit review recurrence presets. (#32961)
* [v13] Track user connections across clusters (#32996)
* Web: Create (re-use) step navigator for general use (#32939)
(#32985)
* Web: fix passing in color into wrong field (#32992)
* Web build: fix circular dep warnings (#32976)
* [v13] `removeSecure()` should close the file before removing it
on Windows (#32964)
* update cloud docs to 13.4.0 (#32950)
* Bump zod from 3.21.2 to 3.22.3 (#32955)
* Update error message on GitHub OSS (#32915)
* Update e (#32935)
* [v13] Fix: Add access list field to web usercontext ACL
(#32917)
* [v13] docs: Draft of troubleshooting topics for Server Access
(#32875)
* [v13] Replace Access Plane with Access Platform (#32879)
* Change Open source and OSS to Teleport Community Edition
(#32884)
* Bump webpki from 0.22.1 to 0.22.2 (#32883) (#32906)
* MenuIcon: Support arbitrary icon through Icon prop (#32891)
* Pin Teleport Terraform Provider to Teleport major version
(#32897)
* re-add agentless node manual installation docs (#32813)
* Add the internal access list review resource. (#32864)
* [v13] docs: update tctl tsh version location in prereqs
(#32859)
* [v13] docs: remove old versions ref (#32866)
* Cut CI unit test runtime in half (#32851)
* Use Proxy gRPC API when creating tracing client (#32664)
* [v13] [docs] DB access troubleshoot sts:AssumeRole not
authorized (#32660)
* Use a context with a different scope for diagnostic trace
upload (#32837)
* Add connection information to multiplexer logs so it's easier
to investigate (#32739)
* add usage events for eice discover (#32617) (#32816)
* [v13] Check to make sure defaultAllowRules matches preset
roles. (#32794)
* Improve RDS MySQL IAM auth error message (#32802)
* [v13] Improve explanation of `TBOT_GITLAB_JWT` config in GitLab
guide (#32796)
* [v13] Update Okta SDK to v2.20.0 (#32782)
* add eice discover flow (#32202) (#32766)
* [auto] docs: Update version to v13.4.1 (#32606)
* allow teleport to start when some etcd nodes are unreachable
(#32778)
* conditionally show assist popover (#32267) (#32764)
* [v13] fix: Fix panic on `tsh device enroll --current-device`
(#32757)
* Web: Add disabled state to RadioGroup and add new icon (#32762)
* move aws region selector to shared and add types and endpoints
(#32096) (#32754)
* [v13] fix: Let users without a useable device issue register
challenges (#32668)
* bump e-ref (#32759)
* Fix the in-product link to trusted cluster docs (#32750)
* [v13] Leverage marketing params on Discover (#31648) (#32514)
* Web: Extract re-usable parts and add new icons (#32529)
(#32716)
* Remove reference to use a load balancer (#32693)
* [v13] Add Access Review gRPC service methods and messages.
(#32548)
* docs: helm updates (#32732)
* docs: update Teleport Team prereqs (#32700)
* Properly apply `client_idle_timeout` to database access
sessions (#32485) (#32725)
* Add textTransform override for resource launch buttons (#32686)
* Add alignSelf to Button (#32641)
* Update e (#32723)
* Fix label name mismatch (#32570)
* [v13] Fixed issue where prerelease container image tags can
overwrite production container image tags (#32703)
* [v13] docs: remove multi level claim reference (#32674)
* Fix usage of ClusterName from config when starting Auth server
(#32683)
* Drain unused SSH channels (#32677)
* [v13] Connect: Add --debug flag, don't pass --insecure flag in
dev mode by default (#32656)
* Fix overflow in dropdown menu (#32646)
* Add PROXY header getter to the grpc proxy client (#32178)
* Move `lib/utils/prompt` to `api/utils/prompt` (#32334) (#32577)
* [v13] Fix `TestEC2Hostname` (#32665)
* Bump graphql from 16.6.0 to 16.8.1 (#32636)
* Fix enterprise version check (#32554) (#32633)
* Fix Access List Members cache and eventing. (#32651)
* Update the supported versions table for v14 (#32584)
* Simplify LockTarget.IsEmpty implementation (#32608)
* Fix install-linux.mdx (#32587)
- skip non-existent release 13.4.2
* Wed Sep 27 2023 kastl@b1-systems.de
- Update to version 13.4.1:
* Release 13.4.1 (#32594)
* [v13] Remove unused FIPS infrastructure (#32539)
* Remove mention of reversetunnel_connected_proxies (#32573)
* [v13] docs: add faq answer for using oss or ent release for
agents (#32521)
* Add gRPC error interceptors to API client. (#31009)
* Correct grammar error in PagerDuty integration notification
(#32538)
* [v13] Add support for Protobuf Enums into Operator CRDs
(#32556)
* fix(regular): combine static and dynamic labels for session
metadata (#32383)
* Allow sudoer files to be created without host users (#32404)
* `compareSemVers` should return 0 if values are equal (#32315)
(#32462)
* [v13] Updated packer version to fix tag builds (#32527)
* docs: helm install agent updates (#32508)
* docs: Flip Github connector examples for OSS vs Commercial
(#32506)
* [v13] Update reduce-blast-radius.mdx (#32396)
* [v13] docs: Root access is insecure: draft for expanded
security admin topics (#32424)
* [v13] docs: remove v10 references (#32492)
* [v13] Update e ref. (#32497)
* Remove gravitational/configure dependency (#32488)
* Secure File Removal Improvements (#32260) (#32437)
* [v13] docs: remove duplicate warning (#32479)
* [v13] Prevent duplicate Access List owners. (#32480)
* Fix incorrect CA in Machine ID database access guide (#32466)
* [v13] Improve AWS CLI Access performance by caching AWS session
credentials (#32414)
* Fix data race when calling Uploader's `Close` and `Serve`
simultaneously (#30360) (#32395)
* Enforce use of IMDSv2 for AMI builds (#32419)
* Support AWS EC2 IMDSv2 for installer and inventory metadata
(#31134)
* docs: remove guidance on version warning older than v11
(#32410)
* [v13] Use the instance role for the upload completer (#32346)
* [v13] Provide error message if process file is unavailable due
to permissions for teleport start (#32349)
* [v13] ci: clarify failure on `go mod tidy` (#32390)
* Upgrade TypeScript to 5.2.2 (#32376)
* Application access header rewrites should be a list (#32339)
* Add interactive tonal primary colors (#32007) (#32320)
* [v13] Fix repeated ServiceAccount in `teleport-kube-agent`
chart (#32337)
* [v13] update e (#32367)
* Add Access List usage events, emit event for userloginstate
Generator. (#32298)
* Make access list membership check fn public (#31355) (#32362)
* [v13] Define and add `IneligibleStatus` fields for access list
members and owners (#31857) (#32279)
* Bump UI Role version to `v6` (#32335)
* Update token parameter description to be consistent (#32331)
* pgbk: docs for change_feed_conn_string and warning against OLAP
workloads (#32079) (#32284)
* Allow including only traits when doing a JWT rewrite (#32290)
* docs: include SLES install with zypper repo in ent install
(#32306)
* [docs] fix Postgres auto-user provisioning role group (#31968)
* Fix double counting of auth server (#32269)
* [auto] docs: Update version to v13.4.0 (#32276)
* Thu Sep 21 2023 kastl@b1-systems.de
- Update to version 13.4.0:
* Release 13.4.0 (#32179)
* [v13] Revise desktop access-Active Directory script-driven
(#32156)
* Leave access intact if access list has not been reviewed by
review date. (#32261)
* Fix the userloginstate generator if the user has no traits.
(#32258)
* [v13] Omit WithError for "proxy already claimed" (#32242)
* Fix variable in Azure AD docs (#32247)
* [v13] convert protobuf's zero time into go's zero time (#32127)
* Add access list to default allow editor preset role (#32253)
* Add systemd instructions to the Jamf Pro guide (#32244)
* docs: include postgresql in ha docs (#32239)
* Prevent zombie sessions being left behind for web sessions
(#32200)
* Fix incorrcect use of apostrophe in discover UI (#32149)
* Stop implicitly loading global tsh config on Windows (#32223)
* Validate SAMLIdPServiceProviders ACS endpoints (#32220)
* Verify expected token properties in WithProvisionTokenAuth.
(#32215)
* Manually create the users HOME rather than letting useradd do
it (#32210)
* [v13] pgbk: specify the schema name in wal2json's add-tables
(#32198)
* Respect MongoDB max message size (#31963) (#32144)
* chore: Bump OpenSSL to 3.0.11 (#32160)
* [v13] AWS OIDC: command to configure IAM for listing databases
(#31980)
* Update e (#32177)
* [v13] docs: Trusted cluster root certificates for access to
leaf clusters security issue (#32152)
* [v13] docs: rewrite trusted clusters overview, how-to, and
related topics (#32154)
* [v13] support discovered name match in tbot outputs (#32111)
* Web: Fix user signup flow and auto focus login form transition
issues (#31510) (#31965)
* Add btmp support for user accounting (#32054)
* Add error to Attempt in useAsync (#32118)
* helm: fix deletion hook serviceAccount in the agent chart
(#31877)
* Update helm-deployments.mdx (#32041)
* [v13] Fix Kubernetes selected cluster (#32087)
* [v13] tsh kube ls ux (#32084)
* [v13] handle discovery renaming when listing resource in `tctl`
text … (#32083)
* [v13] Deflake `TestListKube` (#32082)
* Updated OS package repo docs (#31541) (#32103)
* Fix issues in GCP auto-discovery docs (#31826) (#31976)
* docs: mention how to register a Windows desktop with tctl
(#31986)
* fix awsoidc tests (#32003)
* Prevent trusted clusters in Cloud (#31874)
* [v13] Apply various small BPF refactors (#31995)
* Remove unused bot_token.create event (#31973)
* Upgrade node-abi to 3.47.0 (#31960)
* Fix focus background in passwordless user prompt in Connect
(#31934)
* correct tsh recording command description (#31949)
* Make LogWriter's not implemented error message more obvious
(#31930)
* [v13] pgbk: add change_feed_conn_string option (#31938)
* [v13] WebAPI: Include new DB RDS fields (vpc and subnet)
(#31817)
* [v13] Fix directory sharing for non-ascii directory names
(#31924)
* Fix typo in HSM docs (#31910)
* Ignore Vagrant folder (#31908)
* [v13] Fix JSON marshalling for Audit struct (#31329)
* [v13] Add AccessList with member upserting functionality
(#31608)
* Web: Add new supported aws region (il-central-1) to selector
(#31840)
* Update Electron to 26.2.1 (#31802) (#31860)
* [v13] document OIDC connector 'max_age' field (#31887)
* Extend EC2 joining for `Okta`, `Discovery` and `MDM` services
(#31894)
* [v13] AWS OIDC - List RDS: add Subnet and VPC for aurora
clusters (#31879)
* [v13] Update e ref. (#31884)
* return an error when attempting to join a session of an OpenSSH
node (#31844)
* Add access list audit events. (#31443) (#31872)
* [v13] Use builtin auth checker for upsert app server. (#31782)
* [v13] Validate unknown AWS regions from discovery matchers
(#31830)
* Expose aggregating.ClearAlert() for use by e (#31848)
* athena: modify time range when query with keyset (#31864)
* [v13] AWS OIDC: Set up integration with a single command
(#31790)
* Wait for headless watcher to initialize in tests instead of
using a retry mechanism. (#30060) (#31851)
* [v13] docs: Rough draft of troubleshooting for apps (#31823)
* Update config.json (#31820)
* Update upcoming-releases.mdx (#31807)
* add device enroll and license limit event to prehog (#31779)
* Increase timeout on usage event check (#31785)
* [v13] Bump github.com/jackc/pgx/v5 to a real release (#31795)
* [v13] AWS OIDC - List SecurityGroups: add Inbound and Outbound
Rules (#31624)
* Validate desktop names (#31766)
* fix: device trust enroll current device command (#31757)
* Switch from `mozilla.org/pkcs7` to `digitorus/pkcs7` (#30704)
(#30717)
* Remove internal access list object members field in spec.
(#31665)
* Make the WebAuthn error message a bit more explicit (#31632)
* [v13] Kubernetes External Joining: `static_jwks` implementation
(#30225) (#31703)
* Increase lock release timeout in RunWhileLocked (#31742)
* [v13] [buddy] docs: Machine ID with ansible, use
CanonicalDomain (#31734)
* [v13] pgbk: derive ID from revision (#31692)
* [v13] integrations/operator: Add pprof support (#31707)
* [v13] differentiate discovered resource names (#30456)
* Increase timeout on usage event assertions (#31726)
* [v13] [Docs] Update documentation for max duration feature in
access requests (#31680)
* Improve logging for the upload completer (#31571)
* [v13] Docs: Update terraform docs to 13.3.8 release (#31696)
* Deflake TestTeleportProcessAuthVersionCheck (#31710)
* Use the regions in teleport config instead of ENV for bootstrap
(#31701)
* Update the auto-discovery and discovery installers to support
SUSE (#31428)
* [v13] Upgrade Node.js to v18 (#31626)
* Fix incorrect autofill in safari (#31611)
* React to version updates faster (#31651)
* [v13] Update e ref. (#31639)
* Remove members from access list spec. (#31635)
* Make `TestIntegrations/ReconcileLabels` a unit test (#31124)
(#31594)
* Make internal changelog links relative (#31305)
* [v13] Edit the app access DynamoDB guide (#30781)
* [v13] helm: Optionally add publicAddr to cert-manager
certificate requests (#31603)
* Adds default Github API urls to SSO connector. (#31480)
* post-release: specify base branch for docs PR (#31499) (#31575)
* Make sure Teleport sessions use the user login state. (#31363)
(#31614)
* [v13] Deflake `TestIntegrations/Discovery` (#31595)
* fix terminal resizing (#31586)
* Fix typo in teleport-kube-agent Chart Reference (#31536)
* docs: minor updates to aws opensearch and azure sql server
guides (#31531)
* [v13] Ensures the canvas stays at a fixed size (#31524)
* Perform rate limiting on all user-initiated LLM calls in assist
(#31438) (#31567)
* Fix not being able to search for locks in table (#31581)
* docs: update docker image versions (#31562)
* [v13] Bump cloud version (#31551)
* remove margin on OIDC/SAML connectors (#31503)
* [v13] update ToolTipNoPermBadge component (#31488)
* Edit Server Access intro guide architecture info (#31493)
* [v13] Azure HA Teleport deployment guide (#31501)
* [v13] chore: Bump Go to v1.20.8 (#31506)
* [auto] docs: Update version to v13.3.8 (#31473)
* [v13] Update download links on support page (#31492)
* AWS OIDC - DeployService: add optional Security Groups (#31268)
* [v13] pgbk: partial backports #31358 #31426 (#31449)
* [v13] docs: use branch link instead of master (#31467)
* docs: include sudo for example commands (#31463)
* docs: Fix typo in JSON (#31452)
* [v13] docs: include ent cloud version for faq question on sso
(#31455)
* Wed Sep 06 2023 kastl@b1-systems.de
- Update to version 13.3.8:
* Release 13.3.8 (#31442)
* Added 08/31 Update (#31301)
* desktop discovery: unmap IPv6 addresses (#31434)
* fix: Skip known bad asset tags on Windows (#31412)
* [v13] Update device trust docs (#31328)
* MySQL: avoid tiny writes to improve performance in read-heavy
scenarios (#31402)
* Periodically refresh Azure cloud credentials (#31164)
* Periodically refresh Azure cloud credentials (#31164)
* AWS OIDC - List EC2: add instance id as label (#31436)
* Update product change log link (#31424)
* Fix webauthnwin c types size (#31420)
* Preserve query params in cross-cluster app redirect. (#31379)
* [v13] AWS OIDC: List Security Groups (#31272)
* Update e (#31384)
* Remove note about canceled requests not being supported
(#31318)
* [v13] docs: describe dedicated account dashboard for ent
(#31336)
* Fix plugin screen not wrapping tiles (#31365)
* AWS OIDC EICE: fix connection set up (#31209) (#31362)
* Web: return user traits with getUser request (#31331)
* [v13] skip motd in UI if request initiated from tsh headless
auth (#31205)
* Recommend writing the client secret to a file (#30954)
* bump eref (#31308)
* [v13] docs: add prompt field definition for OIDC auth connector
(#31294)
* [v13] docs: update db getting started and mongodb atlas
(#31299)
* [docs] update TLS routing curl test with --no-alpn (#31239)
* [v13] [buddy] Add an optional PodMonitor to the
teleport-kube-agent chart (#31247)
* [v13] docs: update labels documentation (#31110)
* Fixed typo in error message for terminal params (#31288)
* Clarified default cryptographic primitives (#31263)
* Add known STS endpoint for il-central-1 (#31282)
* use active db cert principals when available (#31250)
* Fix the access list lockName in the backend service. (#31290)
* docs: use variables for proxy addresses in Kube access (#31241)
* post-release: pass GITHUB_TOKEN for gh CLI use (#31225)
(#31280)
* UsageEvents: add OpenSSH EC2 Instance Connect Endpoint Nodes
(#31266)
* AWS OIDC - List RDS: add VPC ID (#30971) (#31274)
* Move the `tsh` config file guidance (#30953)
* [v13] Refactor IsOwner/IsMember and use AccessListMember
object. (#31234)
* Allow configurable Okta service synchronization duration.
(#31251)
* [v13] Ensure access list data integrity. (#31233)
* docs: update version (#31221)
* [v13] AWS OIDC: Create EC2 Instance Connect Endpoint (#31198)
* Fix ui trace forwarding (#31223)
* [v13] tctl acl command uses separate member calls. (#31212)
* [v13] Remove dead KNNRetriever class (#31189)
* [v13] Fix flaky tests (#31163)
* Fix flaky tsh export test (#31167)
* [v13] Don't set additional groups on darwin (#31152)
* Tue Sep 05 2023 kastl@b1-systems.de
- Update to version 13.3.7:
* Release 13.3.7 (#31172)
* Allow Azure/IAM join over reverse tunnel (#31000)
* [v13] wait for disconnect in tests (#31160)
* docs: include sudo for db configure create examples (#31049)
* docs: mention that the GitHub connector requires team slugs,
not display names (#31154)
* Use Amazon EICE to connect into EC2 instances (#30632) (#31021)
* add custom theme and logos (#30823) (#31149)
* Fix Oracle Windows Path Separator (#31129)
* fix unbackported breakpoints (#31151)
* Get accessInfo based on user on access request drop (#31136)
* Update headless modal to show both Reject and Cancel (#31135)
* Use 127.0.0.1:3080 as Vite default proxy target (#31148)
* add feature hiding license flag (#30083) (#30936)
* Respect `[HTTP(S)|NO]_PROXY` envs when dialing directly to Kube
via SPDY (#30624) (#31133)
* [v13] Dynamic identity file reloading support for API Client
(#31076)
* add OSS CTA for auth connectors (#30713) (#31083)
* docs: update version (#31064)
* docs: update cloud version (#31079)
* ci: Use "post-release" environment in update-docs post-release
workflow (#30937)
* Fix flaky test TestDatabaseRootLeafIdleTimeout (#31100)
* [v13] AWS OIDC: Add StateMessage and DashboardLink to List EICE
(#30949)
* [v13] oss CTAs for support, access reqs & moderated sessions
(#31030)
* docs: add page on revoking access (#30682)
* [v13] Fix leaking connection monitor instances. Expand comment
with a warning. (#31042)
* Web: Add calendar icon, export select style, and add type to
validation rule (#30817) (#31036)
* Add access list members to the cache. (#30837) (#30919)
* Tue Sep 05 2023 kastl@b1-systems.de
- Update to version 13.3.6:
* Release 13.3.6 (#31031)
* Ensure that DNS errors in desktop discovery fail fast (#31032)
* [v13] docs: include example service account JSON in the Google
workspace guide (#30807)
* Remove exported webauthn test functions. (#31008)
* Improve proxy address sourcing for VM auto-discovery (#31001)
* Fetch metadata for heartbeat in background (#30999)
* Additional safety with `X-Forwarded-Host` handling (#30980)
(#31027)
* bump e (#31012)
* Fix flaky TestResizeTerminal (#30983)
* [v13] Reduce memory leakage in API client caused by `otelgrpc`
interceptors (#30991)
* [v13] AWS OIDC: Configure IAM for EC2 Instance Connect Endpoint
(#30948)
* Added PostgreSQL enablement to documentation (#31006)
* [v13] Use the most recent user object for the bot generation
label. (#30996)
* Issue certficate for desktop connection before actual
connection (#30963)
* [v13] helm: Use cert-manager secret or tls.existingSecretName
for ingress when enabled (#30984)
* docs: update version (#30959)
* Flesh out the Application Access intro (#30958)
* Add package manager Enterprise install steps (#30777)
* Add secure credentials for API client tests (#30518) (#30870)
* docs: update agent joining when to use (#30961)
* [v13] Remove ScopedBlocks from the docs (#30805)
* [v13] Metrics: expose install method counter (#30683)
* Add `DeleteClusterMaintenanceConfig` for terraform (#30667)
* reduce alert log spam (#30849) (#30904)
* Fix access list enterprise tests. (#30931)
* Expose AuthorizeContextWithVerbs. (#30917)
* [v13] Changes to Discord plugin for running in hosted mode.
(#30826)
* [v13] Include consistent installation info (including Helm)
across Access Request plugin docs (#30449)
* Set cloud version to v13.3.4 (#30926)
* Update eks helm guide for AWS PCA (#30633)
* [v13] Include file option description in token, session-id
parameters (#30928)
* Emit event for auto-discovered VMs (#29285) (#30923)
* [v13] Add in the next audit date to access lists. (#30912)
* List EC2 instances: add subnet id field (#30692) (#30897)
* [v13] Add preset device trust roles (#30908)
* [v13] Machine ID: Support for JSON log formatting (#30763)
* [v13] Add FeatureRecommendationEvent to Prehog (#30875)
* add option to force re-authentication for OIDC connectors
(#30877)
* crdgen: handle OIDCConnectorSpecV3.MaxAge as a special case
(#30879)
* Tue Sep 05 2023 kastl@b1-systems.de
- Update to version 13.3.5:
* Release 13.3.5 (#30832)
* [v13] Update access duration logic and tests for dry run
requests (#30885)
* [v13] Update the docs UI reference (#30857)
* docs: remove default designation in cloud proxies (#30868)
* Update e ref (#30848)
* Respect `[HTTP(S)|NO]_PROXY` envs when dialing directly to Kube
(#30583) (#30615)
* [v13] [buddy] 🐛 issue #30400 fixing missing billing_mode param
in teleport-cluster helm chart fo dynamodb autoscaling (#30841)
* [v13] Web: Remove all cap and bolding for LabelInput used with
inputs (#30845)
* AWS OIDC - DeployService: use debug log level for service
(#30606)
* fix (#30824)
* feat(helm/teleport-kube-agent): custom annotations in the
Secret (#30838)
* [v13] Embedded Assist SSH (#30811)
* ci: Pass secrets from post-release to update-ami-ids (#30754)
* Update e (#30814)
* Add in access list member backend and gRPC methods. (#30800)
* Add required title to access list resource (#30782)
* [v13] docs: updates to cloud api docs (#30801)
* Add a link to Teleport Labs in the landing page (#30482)
* fix typo in s3 completemultipartupload metric (#30710)
* Added Week of 08/17 Update (#30625)
* [v13] AWS OIDC: List EC2 Instance Connect Endpoints (#30752)
* Drop etcd from buildbox (#30700) (#30765)
* Generate user login state from access lists and integrate into
certificates. (#29364) (#30628)
* Add `--current-device` capabilities to `tsh` (#30636) (#30702)
* [v13] Enable limited Access Requests feature for the Team plan
(#29866) (#30570)
* [v13] Fixed an issue with `tsh aws ssm start-session` (#30668)
* Ensure the correct stderr is used for ssh sessions (#30684)
* [v13] Split up the CLI reference (#30371)
* [v13] docs: include openssh instrs for jetbrains setup (#30470)
* Correct DynamoDB table config instructions (#30675)
* Web: Add access_list rule to usercontext and access list
related icons (#30564) (#30658)
* Drop gcloud SDK from buildbox (#30640) (#30696)
* Drop custom gRPC chain functions (#30685)
* docs: update gitlab and azuread sso docs (#30680)
* [v13] Review Requests: prevent reviews after request is
resolved (#30690)
* Update docs version automatically (#30670)
* [v13] Add initial servicenow client (#30611)
* Deflake `TestNodeWatcher` tests (#30676)
* [v13] Add initial rough opsgenie docs (#30609)
* Tue Sep 05 2023 kastl@b1-systems.de
- Update to version 13.3.4:
* Release 13.3.4 (#30666)
* Remove exported Webauthn functions (#30420) (#30650)
* [v13] Fix node equality check in embedding processor (#30325)
(#30608)
* Begin separating access list members from access list
resources. (#30627)
* Tue Sep 05 2023 kastl@b1-systems.de
- Update to version 13.3.3:
* Teleport Release 13.3.3 (#30614)
* Add Teleport agent pod readiness checks to docs (#30362)
* Discovery service panics on GKE clusters without labels
(#30643) (#30647)
* Isolate MFA prompt into a new package (#30379) (#30599)
* Deflake discovery tests (#30474) (#30641)
* Make TestWebClientClosesIdleConnections more stable (#30637)
* [v13] Add user login state to the cache. (#30219)
* Add Teleport Connect to Headless docs. (#30594)
* [v13] Add `teleport_proxy_db_active_connections_total` gauge.
(#30604)
* Build version checker - multiple fixes (#30580) (#30595)
* [v13] bump e ref (#30613)
* [v13] [docs] TLS routing FAQs (#30610)
* events emitter: improve logging on failed emits (#30185)
* [v13] small change to tsh error messages (#30575)
* bump e (#30592)
* [v13] Add Teleport Connect to Headless docs (#30476)
* [v13] fix forwarding a SSH agent in a Cygwin environment
(#30582)
* [v13] fix `tsh db connect` and `tsh proxy db` with logged in
certs (#30563)
* update tsh db env/config ux (#30571)
* [v13] Partially backport: add metrics for database service
(#28150, #30121). (#30429)
* Work around go-ldap's lack of errors.Is support (#30560)
* update onboarding UI styles (#29917) (#30558)
* [v13] Re-add ServerInfo reconciler with better backend
performance (#30495)
* [v13] discover personalization (#30557)
* docs: correct double quotes in tctl devices add example
(#30559)
* Discover RDS: remove aurora engine (#30548)
* OneOff: add success message (#30540)
* [v13] Remove temporary type aliases from `lib/auth/webauthn`
(#30551)
* Teleport Connect headless approval - Skip Confirmation (#29875)
(#30475)
* [v13] Database Service to validate URL of database resources
from Discovery Service (#30462)
* Semver version validation (#30538)
* pam: free conversation buffer on error (#30521)
* [v13] [Docs] Teleport Team getting started, Fix comparison
pointer to Teleport Enterprise/Enterprise Cloud (#30430)
* [v13] docs: hsm minor corrections (#30506)
* [v13] Update e ref. (#30502)
* [v13] Remove `lib/auth/webauthn` dependency from `webauthncli`
(#30498)
* Fix PIV support for tsh proxy kube and Teleport connect
(#30205) (#30477)
* docs: update faq for proxy recording mode support (#30491)
* Refactor AWS db mocks (#30086) (#30461)
* Redirect directly to Okta apps from proxy. (#30489)
* chore: Bump golangci-lint to v1.54.1 (#30435) (#30483)
* [v13] Update 11 eol date (#30467)
* Fix SAML certificate decoding when data is padded (#30450)
* Improve LDAP desktop discovery (#30383)
* fix: Explicitly mention OTPs on tsh/Windows logins (#30444)
* integrations/access: Make the plugins exit when the connection
breaks instead of retrying infinetly and hanging (#30039)
(#30431)
* [v13] Fixed "user is not managed" error when accessing
ElastiCache and MemoryDB (#30353)
* [v13] Adjust indentation in Assist YAML conf reference (#29195)
(#30375)
* [v13] Adds Discord settings to API types. (#30316)
* [v13] chore: Bump Buf to v1.26.1 (#30329)
* Error if users attempt to do `tsh login --headless` (#30298)
(#30307)
* Mention Discord and ServiceNow integrations on previews page
(#30373)
* [v13] Document `jwt_claims` app rewrite option (#30366)
* Version ID check on Amazon Linux2023/rhel installs (#30310)
* Set network restrictions static fields upon update (#30324)
* AgentMetadataEvent: add AWS OIDC Deploy Service install method
(#30328)
* [v13] Add device authentication event to prehog (#30303)
* Fix AccessDenied not recognized for MemoryDB/RSSL API calls
(#30286)
* [v13] EC2 Instance Connect Endpoint: List EC2 Instances
(#30258)
* [v13] Add option to configure JWT claim rewriting (#30280)
* Added 08/10 Upcoming Releases Update (#30283)
* changelog: Update distroless debug image name (#30305)
* Fix resources being deleted from Firestore on update (#30287)
* Fix desktop access connecting to direct dial nodes (#30275)
* chore: Bump gci to v0.11.0 (#30228) (#30261)
* chore: Bump golangci-lint to v1.54.0 (#30222) (#30265)
* [v13] Adjust max session duration in web sessions (#30153)
* Fix matcher AssumeRoleARN not appied to
DiscoveryResourceChecker (#30260)
* docs: update version (#30257)
* [v13] Add a quick note about AWS and FIPS (#30240)
* Support auditing chunked SQL Server packets (#29228) (#30243)
* integrations/access: fix infinite retry on already resolved
requests (#30231)
* Add in the access list tctl command. (#30238)
* chore: Bump golang.org/x/net to v0.14.0 (#30234)
* [v13] docs: use a consistent intro in the DB guides (#30204)
* Promote EKS and AKS discovery to GA (#30209)
* [v13] refactor label string formatting (#30223)
* [v13] Allow host users to be created with a specific UID or GID
(#30178)
* Add in paginated access list endpoint. (#30132)
* [v13] Use distinct prompts during Windows WebAuthn registration
(#30215)
* [v13] [Docs] Fix the table of contents and edit content
(#30067)
* Tue Sep 05 2023 kastl@b1-systems.de
- Update to version 13.3.2:
* Release 13.3.2 (#30192)
* Revert "Add discovery-side label reconciler" (#30198)
* [v13] integrations/operator: Fix a bug that caused
ProvisionToken.spec.github.allow rules to be ignored (#30179)
* Add the `hcl` label to Terraform snippets (#30147)
* EC2 Instance Connect Endpoint: HTTP endpoint to create Nodes
(#29370) (#30189)
* Backported OS repo publishing changes to v13 (#30154)
* [v13] Tests: run `lib/integration` and `lib/auth/integration`
(#30173)
* fix: Save device keys on os.UserCacheDir (#30177)
* [v13] Add initial auto approval flow for opsgenie plugin
(#30161)
* [v13] Improve "tsh kube login" message for proxy behind l7 lb
(#30174)
* docs: update version (#30162)
* AWS configurator support for OpenSearch (#30085)
* Refactor database `DiscoveryResourceChecker` (#30056)
* Add support for templating to kube's `--set-context-override`
(#30157)
* [v13] dronegen: Build Teleport Connect for amd64 push build
(#30021)
* [v13] Bumps `e` version to include hosted Jira integration
(#30117)
* [Docs] Add the max-duration role option to documentation
(#30148)
* [v13] [buddy] Allow setting storage class name for auth
component (#30145)
* Add imagePullSecrets to predeploy tests (#30142)
* Ensure Helm deployment guides match the sidebar (#30007)
* Use test server context to ensure headless watcher is closed
once the test completes. (#30138)
* Add docs for the new Slack helm chart values (#30130)
* List supported URI schemas in the audit error messages (#30080)
* Stablize backend test suite (#30074)
* [v13] Changes to the Jira plugin required to run as a hosted
integration (#30040)
* [v13] Add GCP auto-discovery docs (#30052)
* update e-ref (#30069)
* Backport #29757 to branch/v13 (#30015)
* [v13] docs: document browser env var for tsh (#30057)
* [v13] Improve backend `testKeepAlive` (#30053)
* [v13] Stop piping child process output into logger only after
close (#30025)
* chore: Bump Buf to v1.25.1 (#30046)
* bump e (#30045)
* [v13] Fix authorization rules to the Assistant and
UserPreferences service (#29961)
* add oss support for existing user onboard survey (#29535)
(#29983)
* [v13] Add Kubernetes Access FAQ and Troubleshooting docs
(#29857)
* Drop subtests from `addOneOfEachMFADevice` helper (#30036)
* [v13] Tighten discovery service permissions (#29994)
* Fri Aug 04 2023 kastl@b1-systems.de
- Update to version 13.3.1:
* Release 13.3.1 (#30016)
* Update e (#30012)
* [v13] [Mattermost] Lax requiring recipients and set raw
recipients on cfg init (#30009)
* Fix `tool.tsh.common.TestKube/list_kube` flaky test (#29998)
* Added Prometheus metric for created access requests (#29761)
(#29991)
* Fix rough edges with usage script (#29982)
* Add Prometheus metrics to Kubernetes Access (#29363) (#29970)
* pgbk: ensure TOASTed values in the change feed (#29975)
* [v13] WebDiscover: Enable auto deploy and skip IAM policy
screen on condition (#29978)
* [v13] WebDiscover: Partially implement auto deploy database
server view (#28629)
* Hardware Key Support docs - additional troubleshooting info
(#29147) (#29956)
* Use enum to describe `IAMPolicyStatus` instead of a bool
(#29721) (#29951)
* [v13] ci: Fix post-release calling update-ami-ids (#29886)
* [v13] Add Kubernetes/Helm instructions to the RDS guide
(#29920)
* terraform-agent-pool: Fix token provisioning and add expiry
(#29943)
* fix: Bump libcrypto version in pkgconfig files (#29947)
* [v13] Add Headless Polling to Teleport Connect (#28975)
* [v13] docs: add client tools download section (#29891)
* propagate tctl verbose flag (#29870)
* docs: update version (#29884)
* [v13] Postgres and Azure Blob Storage backend docs (#29912)
* Add support for deleting proxy resources to tctl (#29903)
* chore: Bump openssl to 3.0.10 (#29876) (#29908)
* [v13] chore: Bump Go to 1.20.7 (#29904)
* web: Ignore .swc directory when computing web SHA (#29897)
* Postgres: reduce logging level for individual messages.
(#29847)
* [v13] Add docs on how to impersonate Kubernetes ServiceAccounts
(#29868)
* lib/teleterm TestStart: Increase timeout, improve error
handling (#29852)
* Wed Aug 02 2023 kastl@b1-systems.de
- Update to version 13.3.0:
* Release 13.3.0 (#29796)
* ALPN upgrade with custom X-Teleport-Upgrade header (#29683)
(#29829)
* [v13] Link to example Login Rules from Login Rules guide
(#29802)
* [v13] Vendors Discord plugin source into Teleport (#29841)
* refactor(services): skip ad validation for rds proxy mssql
(#29233)
* fix race condition where a headless watcher subscriber would
overwrite a more recent update. (#29617) (#29838)
* [v13] Explain how to start new services on an agent (#29653)
* docs: include gke in Kube Discovery config list (#29758)
* [v13] fix tsh db connect with active mysql cert (#29826)
* [v13] Fix tsh db login exact db name (#29825)
* bump e ref (#29821)
* [v13] docs: simplify Terraform sections and convert to steps.
(#29714)
* Update e (#29817)
* add backwards compatibility for listing apps (#29816)
* display survey for existing users (#29378) (#29713)
* assist: add classification code and emit even on execution
(#28492) (#29811)
* [v13] Long living approval (#29754)
* assist: Refactor token counting (#29753)
* Fix data race in TestAuth_RegisterUsingToken (#29756)
* [v13] update e ref (#29747)
* [v13][tctl] Adds option to write tarred `tctl auth sign` output
to stdout (#29666)
* docs: document strings.split for Login Rules (#29748)
* use correct session recording mode in session start and end
events (#29584) (#29689)
* docs: update version (#29723)
* helm: add azure support (#29734)
* [v13] Add shield alert icon (#29570)
* Bump Helm version in the buildbox (#29739)
* docs: Content fixes regarding SOC 2 (#29740)
* [v13] Fix Kubernetes Legacy Proxy heartbeats (#29738)
* Add GCP VM auto-discovery (#28562) (#29612)
* Hold Auth init lock for the duration of initialization (#29706)
* update e ref (#29719)
* [v13] docs: include mfa session option for ssh access control
(#29602)
* [v13] Postgres backend and Azure session storage backport
(#29705)
* Fix `create_host_user_mode` role reference (#29707)
* [v13] [Docs] Test and edit How to contribute to documentation
topic (#29642)
* bump docs to 13.2.3 (#29691)
* Update SQL Server guides to mention `sqlcmd` as default CLI
(#29543) (#29644)
* Added 07/27 Upcoming Releases Update (#29696)
* chore: Bump Buf to v1.25.0 (#29701)
* Fix MachineID not working behind L7 LB (#29692) (#29700)
* fix: Drop custom OS checking in device authn (#29629)
* Attempt to deflake TestLockInForce (#29681)
* Thu Jul 27 2023 kastl@b1-systems.de
- Update to version 13.2.5:
* Release 13.2.5 (#29668)
* [docs] Fixes ACM helm example (#29573)
* Thu Jul 27 2023 kastl@b1-systems.de
- Update to version 13.2.4:
* Release 13.2.4 (#29663)
* [v13] Add support for Amazon Linux 2023 to installer script and
Discover UI (#29654)
* fix (#29577)
* Clarify auto upgrades docs (#29211) (#29507)
* [v13] Add device owner and trusted device IDs to protos
(#29639)
* [v13] Allow creating a admin `ClusterRoleBinding` (#29559)
* Update Operator CRDs and add a Lint check to prevent drifts
(#29554)
* Fix NPD when the table status has an unspecified billing mode
(#29634)
* Update e (#29637)
* [v13] Port and refactor Mattermost from teleport-plugins
(#28989) (#29549)
* Remove upgrade suggestion alerts (#29631)
* Speed up Auth initialization (#29257) (#29571)
* Add CLI options for OpenSearch autodiscovery config. (#28147)
* [v13] feat: Login Rule support for email.local and
regexp.replace (#29611)
* [v13] Vendors in `jira` access plugin source (#29548)
* Athena: Support maxUniqueDaysInSingleBatch (#29604)
* Switch to upstream x/crypto (#28929) (#29601)
* Add --silent flag to teleport node configure command (#29587)
* feat(tctl): make `--type` parameter required for `auth crl`
command (#29591)
* [v13] etcd client pool (#29586)
* [v13] Describe using dynamic resources for DB Service HA
(#29542)
* [v13] update tsh db resource selection (#29163)
* [v13] Changes to ordered and unordered lists for lint warnings
(#29265)
* [v13] Docs: Update OIDC SSO Guide (#29408)
* [v13] Displays warning when SSO is used and username specified
(#29504)
* docs: update chart v12 migration to remove footgun (#29564)
* Defer setting up enhanced recording until after PAM has
completed (#29578)
* [v13] Document DynamoDB backend billing_mode option (#29359)
* adds public web addresses to self-signed cert (#29568)
* Add api ver to path in opsgenie client (#29553)
* docs: version update (#29492)
* Fix GCP joining for Machine ID in v13 (#29563)
* [v13] Athena: accept events without timestamp (#29383)
* athena: support dynamo keyset for migration (#29452)
* Display friendlier errors when an invalid login is provided
(#29273) (#29473)
* feat: support resource requests via tctl
* [v13] Docs: Jamf Pro (#29534)
* bump e on v13 (#29537)
* docs: minor updates for setting up TLS on Windows Server 2012R2
(#29327)
* Fix a panic in the S3 uploader (#29470)
* [v13] Introduce the `UpdateAndSwapUser` function (#29477)
* web: clean up auth connector page (#29404)
* [v13] Add billing_mode option to the DynamoDB backend so
pay_per_request or provisioned billing can be configured
(#29351)
* [v13] Change how we cache the keys in backend.Reporter (#29330)
* [v13] `GenerateToken` should call `CreateToken` not
`UpsertToken` (#29391)
* Remove dependency of etcd from tctl (#29377) (#29394)
* EC2 Instance Connect Endpoint: add aws metadata to Nodes
(#29316) (#29407)
* [v13] add onboarding survey (#29397)
* Update e (#29400)
* Filter out cluster ID in Connect logs (#29387)
* [v13] Use the examples directory for example plugin code
(#29152)
* Remove gateways on logout (#29388)
* [v13] fix database dynamic labels (#29373)
* tctl: fix error reporting when server is down (#29322)
* Add Connect ads to tsh login and tsh proxy db (#29302)
* [v13] Moves tsh login browser parameter as env var (#29287)
* add saml apps to webui apps list (#28041) (#29371)
* Add in user login state. (#29365)
* Add GCP instances client (#28561) (#29333)
* Add discovery-side label reconciler (#27476) (#29334)
* [v13] tctl users add: Point towards `users update` on
AlreadyExists err (#29343)
* Make prettier a dev dep of root package.json (#29355)
* Thu Jul 20 2023 kastl@b1-systems.de
- Update to version 13.2.3:
* Release 13.2.3 (#29308)
* v13: dronegen: Switch linux-based push builds to GitHub
(#29297)
* [v13] Fix nil user group entries. (#29326)
* [v13] update discovery labels (#29269)
* Remove access list gRPC service from OSS, introduce
owner/member checks. (#29289)
* [v13] ALPN handshake test to account "unadvertised ALPN" error
(#29312)
* Upsert ServerInfos from discovery service (#27475) (#29277)
* [v13] Restores default API endpoint for PagerDuty plugin
(#29295)
* [v13] Record os_build_supplemental in the DeviceProfile
(#29263)
* v13: [ci] Change macOS GHA runner to `macos-latest-xl-arm64`
(#29282)
* [v13] Docs: clarify the value of 'host' key where needed
(#28800)
* [v13] Add an audit event for creating provisioning tokens
(#29105)
* Fix proxy protocol support for Kube access flow (#29268)
(#29274)
* AWS DBs Heartbeat: return IAM status (#28952) (#29196)
* Add the AccessList to the cache. (#29270)
* update config reference docs (#29236)
* [v13] Introduce AccessList gRPC service and calls. (#29255)
* [v13] Add ServerInfo and label API (#29237)
* docs: update github sso instructions for self-hosted to use new
parameters (#29258)
* Clean up access list protos, add in conversion functions tests.
(#29254)
* Access list backend service and marshal/unmarshal. (#29253)
* [v13] Introduce Access List internal object. (#29252)
* Fix reference to azure identity in GCP app (#29209)
* Introduce the Access List object. (#29251)
* add semicolon (#29154)
* docs: update version (#29217)
* Define the GetDevicesUsage RPC (#29089) (#29227)
* Fix certbot installation in AMI (#29103)
* upgrader monitoring and alerts (#28951) (#29206)
* [v13] Document --port and --login in `tsh config` (#29199)
* [v13] Allow custom enroll token expiration time (#29213)
* [v13] provide warning on tsh sso login with Teleport user
specified (#29221)
* [v13] Fix lint warning, make these unordered lists (#29160)
* Support non-gogo objects for auth service events. (#29207)
* Add ServerInfo type (#25281) (#29162)
* [v13] Clarify API GetDatabases vs GetDatabaseServers (#29136)
* [v13] Add assist fields to configuration reference (#29110)
* Mon Jul 17 2023 kastl@b1-systems.de
- Update to version 13.2.2:
* Release 13.2.2 (#29161)
* [v13] Allow login and port to be specified when using `tsh
config` to generate openssh configs (#29113)
* fix mutualtls textarea (#29091)
* Reduce embedding period to 20 minutes (#29153)
* Edit forScopes configurations and edit guides (#28742)
* [v13] assist: support recording non-interactive forwarded
sessions (#29137)
* [v13] Docs: Refresh Azure AD SSO Guide (#29138)
* upload completer: suppress stack trace for access denied errors
(#29078)
* [v13] tsh recordings export session-id desc update (#29128)
* [v13] [docs] add proxy_service.trust_x_forwarded_for option
(#29117)
* [v13] [doc] database labels reference (#29118)
* [v13] Allow relative file URIs to `sqlite` (#29130)
* [v13] v13.2.2 Assist backports (#29125)
* Extend DatabaseSessionStart posthog event (#28931) (#29106)
* [v13] resolveNetworkAddress: Listen for `close` instead of
`exit`; Fix FailedApp theme (#29108)
* [v13] [Assist] UI tweaks (#29067)
* docs: version update (#29096)
* Remove session condition from Firestore events query (#29114)
* [v13] Allow configuring number of parallel execution workers
(#29061)
* chore: Bump Buf to v1.24.0 (#29120)
* tsh play error handling (#29077)
* Minor clarifications in the Azure AD guide (#28802)
* [v13] helm: Add ingress support (#29084)
* [v13] Encode URI for `sqlite` properly (#29099)
* DeployService IAM Configure: unescape arguments (#29044)
* Log the value of EventsBufferSize instead of the pointer
address (#29082)
* Added 07/13 Upcoming Releases Update (#29064)
* [v13] chore: Bump Go to 1.20.6 (#29073)
* [v13] fix: suppress search events (#29063)
* [v13] update database and kube name validation (#29035)
* [v13] Add more details about specifying a CA pin (#28886)
* [v13] assist: fix flaky assist test (#29051)
* Correct the clock passed to `dynamicCredsConfig` (#29058)
* Document backend_write_requests_total (#28980)
* [v13] DeployService: use teleport-ent image for ent clusters
(#29045)
* docs: proxy peering out of preview (#29037)
* Add usage-based feature values for Device Trust (#28919)
(#28964)
* [v13] Add an option to bootstrap database service to `teleport
discovery boostrap` (#29002)
* [v13] [Assist] Only parse messages from Assist as markdown
(#28911)
* [v13] Deduplicate resources for `tsh request search` when
`replicas>1` (#28889)
* [v13] Update `e` ref to enable PagerDuty plugin (#28986)
* [v13] Add `ProxyGroup` support to reverse tunnels (#28930)
* Docs: Update/Refresh OneLogin SSO guide (#28444) (#28768)
* Add test that verifies sessions are unaffected by Auth restarts
(#29000)
* Thu Jul 13 2023 kastl@b1-systems.de
- Update to version 13.2.1:
* Release 13.2.1. (#29021)
* [v13] Dont allow cloud tenants to update certain cluster networking config fields (#28992)
* Ignore SIGQUIT in exec sessions. (#29020)
* fix operator crashing on first startup (#29013)
* Fix Azure join for identities across resource groups (#28961)
* remove alert maximums (#28967) (#28983)
* [v13] Mention agentless in the OpenSSH guide for better SEO
(#28923)
* Set lower temperature to ChatGPT calls (#28959)
* Install Script: don't enable Automatic Upgrades for non-systemd
systems. (#28987)
* tctl alerts ack: Make --reason optional (#28955)
* Fix listing servers when creating a new lock via webui (#28963)
* desktop access: clean up error handling (#28974)
* [v13] [Docs] Add missing 'resources' config field to
application service docs (#28971)
* [v13] include endpoint_url parameter for tctl sso configure
github (#28968)
* [v13] docs: openssh updates (#28726)
* docs: update version (#28933)
* supports newline and whitespace in motd: (#28937)
* feat(dbcmd): add `sqlcmd` support (#28944)
* Remove preview from several features (#28924) (#28928)
* Fix ssh env var parsing by checking after cf.AuthConnector is
guaranteed to be set. (#28922)
* Update tough-cookie and @grpc/grpc-js (#28914)
* [v13] add Athena URL parameter to configure AWS region (#28912)
* tctl alert ls: Always show alert ID (#28906)
* [v13] Backports PagerDuty hosted plugin (#28883)
* chore: Bump Buf to v1.23.1 (#28894)
* [v13] docs: Add clarification on event types in enhanced
recording mode (#28893)
* [v13] DeployService: auto upsert IAM Join Token (#28799)
* DeployService: use correct version when auto-upgrades are
enabled (#28874)
* Machine ID: Add guides to the Enroll Integration page (#28646)
(#28888)
* Add IDToken attributes to GCP join audit event (#28673)
(#28882)
* docs: use -o file instead of sudo tee (#28771)
* teleport-connect.mdx: Fix typo (you with -> you wish) (#28875)
* rework instance hbs to be more scalable and to track upgraders
(#27895) (#28847)
* Support specifying `assume_role_arn` for Kube cluster matchers
(#28282) (#28832)
* Minor wording change (#28778)
* Add redirects introduced by docs reorganization (#28822)
* Update keep_alive comments auth-service.yaml (#28820)
* typo correction (#28827)
* [v13] Fix theme not loading on first login & overflowing
command result summary (#28770)
* docs: bump cloud to 13.2.0 (#28788)
* removed cloud warning (#28815)
* Fix `tsh kube credentials` lock when no-login is required
(#28811)
* Edit playbook user in the Ansible guide (#28791)
* Use more restrictive S3 object permissions (#28765)
* Change signup links to mention Teleport Team (#28680)
* Fix Okta docs that mentioned "Application Service" (#28792)
* [v13] Fixed CPIO digest mismatch on RHEL 8 (#28794)
* Added 07/03 Upcoming Releases Update (#28796)
* Increased the gh-trigger-workflow polling period (#28783)
* [v13] update attributes to roles (#28695)
* [v13] document create_host_users_mode (#28639)
* Add t.Parallel() to several tsh tests (#28613)
* [v13] Update assist docs (#28732)
* [v13] Firestore backend improvements (#28737)
* [v13] Machine ID: GCP Delegated Joining support (#28762)
* add docs for idp-initiated sso for grafana (#28645)
* Document Jamf `exit_on_sync` toggle (#28394) (#28415)
* Support GCP joining when `google` claim is not present (#28759)
* Document Jamf service and auto-enroll (#28167) (#28393)
* [v13] Docs: Update GitLab SSO docs (#28693)
* specify enterprise in commercial prereq cloud tab... (#28524)
* [v13] Connect: Add docs for theme (#28407)
* docs: edits to the headless webauthn guide (#28733)
* docs: correct docker installation table (#28652)
* [v13] User groups in access requests will expand list of
applications. (#28603)
* Thu Jul 06 2023 kastl@b1-systems.de
- Update to version 13.2.0:
* Release 13.2.0 (#28696)
* Fix Machine ID guide index and adjust FAQ (#28700)
* Rename `database_labels` to `db_labels` (#28687)
* update eref (#28699)
* Update agentless mode description (#28682)
* Update `e` reference (#28684)
* improve startup with empty db or discovery config (#28622)
* `tsh db connect` should prefer mongosh (#28668)
* Script to configure IAM for the DeployService (#28436) (#28643)
* [v13] lib/teleterm: Remove misleading error log after
LocalAgent.GetKey (#28664)
* [v13] Move database validation to gRPC methods (#28638)
* Teleport Proxy Behind ALB support for IP Pinning (#26623)
(#28466)
* Add option to allow for host users not to be deleted (#28432)
* [v13] Update e ref. (#28615)
* [v13] Add custom component prop type for react-select (#28617)
* [v13] Web: Improve no access message and remove hard coded
color (#28550)
* [v13] Backport Assist related changes (#28480)
* Improve copy on the integrations page (#28611)
* [v13] Web related tweaks for access request user groups
(#28545)
* backport jamf default checks to branch/v13 (#28558)
* Update `e` (#28605)
* AWS OIDC - DeployService: configure IAM (#28088) (#28597)
* dynamodbbk: don't delete non-expired items on Get (#28600)
* [v13] Add light & dark themes to YAML editor (#28517)
* Change copy "Go To Dashboard" for "Go To Cluster" on new
account screen (#28434) (#28520)
* athena audit logs - add migration script (#28182)
* Disable disk-based logger for web tests (#28557)
* [v13] integrations/operator: Try to delete bot role (#28543)
* [v13] fix: Use correct sync defaults and validation (#28553)
* Fix header levels in the authorization docs page (#28495)
* Fix the username on self-hosted DB doc pages (#28521)
* clarify source of user cert TTL (#28534)
* remove sentence fragment and link (#28483)
* Added 06/29 Upcoming Releases Update (#28478)
* update device trust guide (#28365) (#28523)
* Add unauthenticated rate limiter constants (#28538)
* Promote IAC docs for agents and dynamic resources (#28526)
* docs: replace "Golang" with "Go" (#28171)
* [v13] Docs: Document that root clusters can't populate OS users
from leaves. (#28531)
* [v13] Discover: Add deployed method field to deploy service
event (#28507)
* [v13] Web terminal themes (light & dark) (#28408)
* Add omitempty to new ResourceMatcherAWS block for best
backwards compat (#28419)
* Emit default role `editor` changes (#28209) (#28481)
* docs: fix upcoming release descriptions (#28504)
* adding name to docker run command (#28502)
* [v13] Add security notes to the session recording guide
(#28462)
* Describe subject flags in Event Handler guides (#28431)
* [v13] Fix moderated session presence checking (#28456)
* Remove most t.Log() from tests (#28471)
* [v13] Docs: Update Google Workspace SSO Guide (#28475)
* docs: bump cloud to 13.1.5 (#28404) (#28450)
* Update tsh scp command description to match ssh node commands
(#28467)
* Replace xitongsys/parquet-go with segment-io lib (#28472)
* use teleport.sh instead of dashboard.goteleport.com for license
retrieval (#28426)
* [v13] Drain database connections on graceful shutdown (#28369)
* [v13] Expand Docker installation instructions (#28447)
* Machine ID: Add support for BotJoin analytics event (#28293)
(#28425)
* Clarify the disablesse S3 backend setting (#28401)
* copy edits (#28423)
* Hide wait subcommands (#28416)
* athena audit logs - use sqs attribute as oldest metric (#28274)
* chore: Bump Buf to v1.22.0 (#28381)
* [v13] k8s operator supports Okta import rules. (#28377)
* [v13] Machine ID: Add usage event for bot creation (#28366)
* Update `e` (#28406)
* [v13] Connect: Light theme (#28277)
* Teleport One Off Script (#27852) (#28347)
* [v13] Remove absolute goteleport.com/docs links (#28395)
* [v13] Add a note on the `admin` database permission requirement
for MongoDB (#28362)
* docs: update version (#28389)
* [v13] Add username to headless authentication backend key
(#28380)
* [v13] docs: backports (#28331)
* update installation video (#28370)
* Add opsgenie static credentials check and test (#27655)
(#28326)
* [v13] Restore resource requests guide with an admonition.
(#28348)
* Wed Jun 28 2023 kastl@b1-systems.de
- Update to version 13.1.5:
* Release 13.1.5 (#28364)
* [v13] Clarify permissions for Okta API tokens. (#28294)
* [v13] Fix TestSQSMessagesCollectorErrorsOnReceive flakiness
(#28184)
* [v13] Allow setting max_session_ttl from clusterauth
preferences (#28130)
* Tue Jun 27 2023 kastl@b1-systems.de
- Update to version 13.1.4:
* Release 13.1.4 (#28327)
* Fix audit log report of `kubernetes_users` and
`kubernetes_groups` (#28323)
* Docs: Update recommended role (#28278)
* Reduce debug log spam for TeleportReady events (#28319)
* Use the long-form --config flag in shell example (#28299)
* Pass teleport-reversetunnelv2 for auth connections (#28316)
* Returned Vars to the code output (#28225)
* only apply stripe csp for team/usage users (#28198) (#28308)
* docs: include desktops for cloud faq reverse tunnel (#28305)
* Respect client idle timeout setting (#28202)
* Don't add keys to agent during headless login. (#28236)
* [v13] Preserve applications original URL's query (#28218)
* Converts the default Content-Security-Policy representation to
a map (#27182) (#28307)
* [v13] Add associated applications and user groups to UI
objects. (#28303)
* Move "Device Trust" to a top-level docs item (#28108) (#28199)
* Improve the upload completer logs (#28211)
* [v13] Use supplied tarball when building AMIs (#28128)
* [v13] docs: default https ports for tsh login (#28288)
* Always collect `deny` arm of `kubernetes_resources` (#28285)
* Support `assume_role_arn` for database dynamic resources
(#28039) (#28210)
* [v13] Windows Device Trust documentation (#28050)
* Mon Jun 26 2023 kastl@b1-systems.de
- Update to version 13.1.3:
* Release 13.1.3 (#28243)
* [v13] bump e-ref (#28241)
* log why the TeleportReady event is not being emitted (#28239)
* Warn about clamshell-related touch ID unavailability (#28214)
* Added 06/22 Upcoming Releases (#28155)
* [v13] Edit the server access Getting Started guide (#28172)
* [v13] InstallScripts: pin teleport version using ServerVersion
(#28149) (#28208)
* [v13] update helm docs (#28068)
* [v13] Specify how host user creation invokes `useradd` (#28194)
* Bump 'e' ref (#28206)
* docs: fix kubernetes guide (#28164)
* docs: remove note about supporting any platform supporting Go
(#28178)
* [v13] Update teleport cloud faq.mdx (#28174)
* [v13] Add Opsgenie plugin (#28098)
* [v13] permission-warning.mdx: Advise NOT TO give access,editor
to users (#28132)
* [v13] docs: update macos tsh install instructions (#28135)
* [v13] Use the one-liner in install-linux.mdx (#27907)
* docs: Fix syntax error (#28142)
* bump docs to 13.1.1 (#28153)
* feat: add support for label expressions to k8s operator
(#28156)
* Correct the backend_requests metric help text (#28107)
* [v13] feat: adds motd to the ui (#27922)
* [branch/v13] Bumped `e` ref (#28144)
* Remove deprecated/unused device trust protos (#27975) (#28075)
* [v13] Integrate AMI buids into drone (#27354) (#28127)
* Thu Jun 22 2023 kastl@b1-systems.de
- Update to version 13.1.2:
* Release 13.1.2 (#28124)
* [v13] update message on empty tsh ls results (#28120)
* Add skip-confirm flag for headless approval. (#27823) (#27864)
* bump e (#28101)
* Fix invalid command example. (#28018)
* AWS OIDC Integration: Deploy DB Service in a single click
(#27035) (#28051)
* fix: Ignore staticcheck false positive on darwin (#28042)
* Update ssh-approval-slack.mdx (#28081)
* Add reviewer and requester roles. (#28076)
* [v13] Okta service docs only show in enterprise and cloud.
(#28069)
* [v13] Docs: Update Okta SSO Guide (#27950)
* docs: mention required scope for GitHub app (#27910)
* Provide client login IP when SSO initiated in a browser.
(#27896)
* [v13] Update e ref. (#28060)
* Add mapping between user groups and applications. (#27962)
* [v13] Add a delete confirmation step to SyncInventory (#27961)
* Add HasPluginType to plugins interface. (#28052)
* update eref (#28044)
* [v13] Fix `Assist` import so it does not break storybook
(#28047)
* [v13] Connect: Fix overlapping placeholder and keyboard
shortcut in the search bar (#28048)
* Reorder resource filters in the search bar (#28034)
* [v13] Update Electron to 25.1 and TypeScript to 5.1 (#28027)
* [v13] Fix `tsh` relogin on not found errors (#27974)
* add saml wizard to ui (#27949)
* [v13] Update e ref. (#28036)
* docs: include tsh install in connect your client tsh page
(#27971)
* [v13] Gracefully handle errors in Assist frontend (#27669)
(#27935)
* OpenSearch AWS autodiscovery (#27537) (#27942)
* [v13] helm: Use local auth server address in auth pod to
prevent extra connections (#27980)
* [v13] Vendors the `pagerduty` plugin source into `teleport`
(#27612)
* [v13] helm: add hostAliases support (#27880)
* [v13] docs: update cloud downloads (#27963)
* Make Teleport config instructions easier to follow (#27968)
* Add a diagram to the Linux Server guide (#27808)
* Temporarily ignore Device Trust deprecation warnings (#27969)
* Ensure SSH_SESSION_WEBPROXY_ADDR is set for all sessions
(#27865)
* Add more accurate info to cloud download page re: `tbot`
(#27946)
* [v13] Device Trust: `tsh` privilege elevation for TPM
enrollment (#27959)
* [v13] Fixes the "Run as different user" window freezing
(#27874)
* design updates for team gated features (#27756) (#27897)
* [v13] Make use of keepAliveInterval in terminal handler
(#27914)
* [v13] CHANGELOG spelling fixes (#27955)
* [v13] Add Machine ID tip when `tctl auth sign` is used (#27928)
* chore: Bump golangci-lint to v1.53.3 (#27898) (#27911)
* [v13] MongoDB Atlas IAM authentication docs (#27493)
* Added 06/15 Upcoming Releases Update (#27901)
* docs: update version (#27917)
* [v13] Docs: Update ADFS SSO guide (#27891)
* [v13] Pass context through `UpsertAuthServer` (#27887)
* [v13] [Assist] New UI & rewrite (#27791)
* [v13] docs: document label expressions (#27878)
* [v13] Update e ref. (#27883)
* [v13] Add the notion of friendly names to access request
details. (#27803)
* [v13] docs: Fix more installation commands on Windows (#27877)
* [v13] chore: Bump Buf and Go versions (#27860)
* [v13] Omit empty fields from DeviceCredential resources
(#27869)
* Fix `TestDiagnoseSSHConnection` flakiness (#27762) (#27849)
* [v13] fix: Observe accurate `backend_read_seconds` duration
(#27857)
* [v13] Update Locking docs to refer `server-id` (#27845)
* Wed Jun 14 2023 kastl@b1-systems.de
- Update to version 13.1.1:
* [v13] Fix an issue ALPN handshake test does not respect
"HTTPS_PROXY" (#27810)
* Set default limit for ListResourcesRequest (#27839)
* [v13] Trim yum release version in install-linux.mdx (#27777)
* Move Cloud Matchers to proto (#27162) (#27530)
* [v13] bump e (#27818)
* [v13] Add Proto types for storing TPM Platform Attestation in
Collected Data (#27757)
* bump e (#27806)
* [v13] Delete proxy heartbeats on graceful shutdown (#27786)
* [v13] Fix an issue kube local proxy requirement is wrong in
separate port mode (#27732)
* Fix: time.Since should not be used directly after a defer
statement (#27795)
* Default to SymlinksTrySecure rather than SymlinksSecure
(#27784)
* [v13] bump e-ref (#27736)
* app access: fix broken docs link in error message (#27766)
* Don't use WithError() when logging "Missing session cookie"
(#27768)
* [v13] Docs: document labels for trusted clusters (#27738)
* [v13] Fix flaky test
`TestHeadlessAuthenticationWatcher_WaitForUpdate` (#27765)
* [v13] MongoDB Protocol Hardening (#27741)
* docs: Fix curl commands on Windows (#27759)
* remove confusing variable delineation (#27746)
* [v13] docs: update desktop session recording reference (#27749)
* [v13] Change Campaign to utm_campaign (#27706)
* Implement in-memory vector DB (#27587)
* Add UI `node` lock to use `server_id` instead (#27621)
* Fix Teleport Connect assume roles (#27723)
* [v13] Abort reverse tunnel connections early if the proxy is
already claimed (#27699)
* Add scaling warning re: DynamoDB (#27600)
* [v13] helm: Add conditional RBAC/ServiceAccount to
`teleport-kube-agent` post-delete hook (#27637)
* [v13] docs: update navigation instructions for sso audit log
troubleshooting (#27675)
* add styles to tooltip for team pages (#27417) (#27642)
* Set UID/GID for ARC runner builds (#27638) (#27689)
* Fix TestAuthorizeWithLocksForLocalUser flakiness (#27687)
* usagereporter: add context check in RunSubmitter (#27678)
* [v13] feat: label expressions (#27641)
* Bump vite from 4.2.0 to 4.2.3 (#27670)
* Fix redirects (#27593)
* add new CTA event property (#27216) (#27643)
* [v13] export etcd event processing metrics (#27220)
* Added 06/08 Upcoming Releases Update (#27631)
* [v13] Update description of Roles UI (#27539)
* Update e (#27640)
* [v13] Bump cloud version to v13.1.0 (#27633)
* [Docs] Assist built-in role access (#27602)
* [Docs] Assist - remove MFA section (#27603)
* [v13] Web: Plugin tweaks and new plugin icons #27427 (#27576)
* [v13] feat: label expression protobuf types (#26977)
* fix: record applied login rules in github login event (#27607)
* [v13] Add deprecation note to PAM user creation guide (#27626)
* [v13] update agentless docs to use 'teleport join openssh'
(#27624)
* [v13] Update docker images (#27502)
* [v13] docs: provide information on local user locks from login
attempts (#27609)
* Update `github.com/gravitational/predicate` to `v1.3.1`
(#27483)
* [v13] Docs: Trusted Clusters - Mention the correct expiration
time as per tctl command (Buddy PR) (#27498)
* [v13] use proxy port in openssh config (#27545)
* [v13] Proxy Templates overwrite CLI cluster value (#27581)
* docs: add headless auth as faq question (#27584)
* docs: adds configuration and helm chart to app access getting
started (#27529)
* [v13] Fix not being able to "login" with auth type set to sso
but no connectors set yet (#27589)
* Primarily changes "match: '^.*\.dev\.example\.com$'" to "match:
'^.*\.dev\.example\.com'" so that users aren't mistakenly
guided towards eliminating the implicit ":3389" from their
regex matches (#27516)
* Fix the default `teleport-kube-agent` upgrade server (#27572)
* Only fallback to SSH_TELEPORT_ env variables for proxy, user,
and cluster name when used with headless. (#27507)
* Support authenticating with AWS IAM role for MongoDB Atlas
(#26439) (#27494)
* Bump e (#27501)
* [v13] Implement leaf app access: `tsh app login --cluster=leaf`
(#27197)
* [v13] Backport hardened AMI resources (#27454)
* [v13] include changelog for docs tests (#27479)
* [v13] Docs: GCP join method (#27487)
* Fix SEO issues (#27242)
* [v13] Document all installer script template vars (#27482)
* Create api handler specifically for FormData (#27408)
* [v13] Docs: improve Postgres in GCP (#27471)
* Propagate proxy public addr in Web UI ssh session. (#27058)
(#27420)
* [v13] Document new Okta import rule regexes. (#27453)
* [v13] docs: add enterprise value for kube agent reference
(#27472)
* docs: update version (#27473)
* Extend host lock enforcement to other built in roles besides
`Node` (#27018) (#27442)
* Build change for when go caching should be used (#27209)
(#27284)
* chore: Bump golangci-lint to v1.53.2 (#27456)
* [v13] WebDiscover: Check for RDS length before setting a limit
for listing DBs (#27415)
* Jamf config for PluginSpecV1 (#26374) (#27459)
* [v13] loadtesting automation improvements (#27438)
* Add prometheus endpoint to tbot (#27432)
* [v13] Add docs for database auto user provisioning (#27289)
* Mon Jun 12 2023 kastl@b1-systems.de
- Update to version 13.1.0:
* Release 13.1.0 (#27418)
* [v13] [Assist] Do not parse event data is there is none
(#27435)
* [v13] Update e (#27430)
* [v13] Add Assist to the access role (#27424)
* [v13] Adds info on exporting requirements for impersonated
certs (#27403)
* chore: Bump Buf to v1.20.0 (#27400)
* [v13] Add IAM auth info to ElastiCache guide (#27306)
* Move and update Proxy Template docs. (#27350)
* specify supported architectures (#27279)
* [v13] docs: Formatting/grammar fixes for TLS routing (#27391)
* [v13] Update e ref. (#27388)
* tncon: Remove unused return variables (#27386)
* Add plugin static credentials getter. (#27301)
* Minor updates to Server Access Getting Started (#27253)
* [v13] WebPublicAddr includes user specified port. (#27376)
* [v13] Web: Emit integration events (aws oidc) and touch ups
(#27172)
* [v13] cache parsed role template expressions (#27326)
* add circle icon helper (#27185) (#27286)
* [v13] Update e ref (#27375)
* Reply with a user-friendly message on verification errors
(#27270)
* [v13] Assist docs (#27260)
* [v13] docs: update enrollment steps for active dir (#27357)
* Add endpoints to export AuditEvents as unstructured data
(#27290)
* [v13] Docs: Update GitHub SSO (#27273)
* Add kube credentials lockfile to prevent possibility of
excessive login attempts (#27366)
* [v13] Use the proper check for the SAML IdP session. (#27314)
* Get fresh cluster features to `config.js` (#26785) (#27362)
* [v13] Assist bug fixes (#27356)
* [v13] Get locks in tctl get all (#27294)
* [v13] flaky test detector: override skipped tests (#27274)
* Only wait for headless authentication watcher initialization in
tests. (#27298)
* [v13] Assist backport (#27243)
* Replace global testing variables for device trust with
pluggable ceremony interface. (#27239)
* [v13] Web: Fix local storage clearing (#27296)
* Disable GHA cache (#27305) (#27315)
* [v13] Pin golangci-lint to `v1.53.1` and upgrade `depguard`
config to `v2` (#27293)
* Speedup OpenSSL build (#27056) (#27261)
* tctl: allow creating desktops from YAML file (#27250)
* Fix TeleportClient.ConnectToProxy logic error with closed
context. (#27140)
* Dont load ForwardedPorts from profile, only recieve them from
the cli (#27208)
* backport device trust and okta provider docs (#27218)
* Ignore ENOENT error on group check (#27231)
* Add support for automatic database users for Postgres (#26555)
* [v13] lib/kube/proxy/server.go: Fix potential mutex deadlock on
error (#27237)
* docs: mention locking as an alternative to CA rotation for
revoking access (#27248)
* docs: add troubleshooting step for standard RDP security
(#27245)
* [v13] Fix headless server access requests (#27241)
* tncon.c: Switch all size variables to size_t (#27234)
* update access controls table (#27226)
* Add static credentials reference to plugin credentials.
(#27225)
* [v13] docs: update fluentd output and correct docs link
(#27202)
* Add elasticache:Connect AWS permission to auto-IAM (#27188)
* Updated Cloud SQL guides with more info about 'Allow only SSL
connections' option (#27224)
* docs: update version (#27219)
* Add information about the cert-format flag (#27167)
* Update cloud version to 12.4.5 (#27214)
* return an error if a moderated session is created for an
agentless node (#25721)
* [v13] Add docs for shell completion (#27093)
* add section for username_claim (#27006)
* [v13] helm: Switch custom deployment guide to standalone rather
than scratch (#27177)
* Thu Jun 01 2023 kastl@b1-systems.de
- Update to version 13.0.4:
* Introduce the Plugin Static Credentials object. (#27121)
(#27163)
* Added 05/25 Upcoming Releases Update (#26910)
* [v13] Update Terraform reference docs to 13.0.3 (#27034)
* Correct grammar in role removal error message (#27142)
* [v13] feat: label expression parser (#26970)
* [v13] docs: correction and note on direct mode for desktop
(#27149)
* TLS Routing behind ALB: tsh kube subcommands UX (#26305)
(#27155)
* [v13] helm: Tidy standalone cluster setup docs (#27154)
* [v13] `buf breaking` CI action (#26833)
* Fetch ClusterAlerts a single time during login (#27110)
* [v13] docs: remove duplicative k8s access guide (#27128)
* [v13] Update title for proxy peering architecture (#27041)
* Refactor test globals out of lib/devicetrust/enroll (#27133)
* Switch to recommending identity file in terraform guide
(#27068)
* [v13] Add `tsh kubectl` support for tracer exporter (#27130)
* [v13] docs: Update GSLB docs for changes missed from master
(#27132)
* chore: Bump OpenSSL to 3.0.9 (#27123)
* changes ldapDialTimeout from 5 to 15 seconds (#27045)
* Okta Import Rules use Teleport style regexes. (#27126)
* Fix `TestKube/Join` data race (#26619) (#27124)
* [v13] Refresh port descriptions (#26936)
* [v13] Support ElastiCache Redis IAM auth (#26990)
* Fix "unnecessary conversion" in lib/devicetrust/native (#27077)
* [v13] Automatically perform `tsh app login`. (#26820)
* docs: offer alternative aws methods for joining for aws db
guides (#26939)
* docs: update kube access for enterprise setting and agent
updates (#26941)
* [v13] Windows TPM Device Authentication (#27085)
* Close clients when done. (#27104)
* [v13] Expand Go docs for label prefixes (#27102)
* Update `e` (#27087)
* [v13] Update `kingpin` & allow autocompletion (#26238) (#26999)
* Device Trust: TPM Enrollment support EKCerts (#27070) (#27082)
* Remove initCommand from DocumentPtySession (#27003)
* Search user groups by description. (#27021)
* [v13] update lib/utils/parse to leverage lib/utils/typical
(#26967)
* use uri path for config dump (#26992)
* [v13] feat: library for building predicate parsers (#26915)
* [v13] Update kube operator with more details and
troubleshooting (#27050)
* Update CHANGELOG.md to include Helm image change (#26822)
(#27000)
* operator: allow operator to edit tokens (#27001)
* Docs: replace static mermaid images with rendered charts
(#23458) (#26094)
* Clean up LDAP error handling (#26984)
* docs: mention missing delete permission for GCS buckets
(#26735)
* Yarn updates for `terser` and `minimatch` (#26919) (#27025)
* Make tctl command descriptions consistent (#26937)
* Use root client for headless authentication. (#26878)
* [v13] remove warning on unpopulated ssh proxy address (#27015)
* [v13] update ui and config to refer to service as Teleport
Service (#27011)
* [v13] AWS Route 53 GSLB Multi-Region Proxy Peering High
Availability Deployment Guide (#26743)
* Add a guide to reviewing docs PRs (#26913)
* Use WIRE_JSON in buf breaking (#26793)
* docs: update version (#26988)
* fix console node list scroll and close session join dialog
(#26622) (#26906)
* [v13] athena audit logs - use otel traces in querier (#26900)
* [v13] Remove useProfileLogin from makeClient in tsh (#26975)
* [v13] athena audit logs - add metrics (#26920)
* [v13] helm: Fail to install if `clusterName` contains a colon
(#26973)
* Add a watcher for agentless EC2 nodes (#26888)
* [v13] Add MDM and TPM fields to device resources (#26838)
* Add integration enroll usage event (#26880) (#26930)
* Fix bug where the system agent is not forwarded in combination
with (#26929)
* Add diagrams to Access Request plugin guides (#26924)
* Update dependencies for `build.assets/tooling` (#26907)
(#26918)
* fix GitHub connector API endpoint URL path getting ignored when
making HTTP requests (#26863)
* [v13] Collect MDM data from macOS (#26897)
* [v13] integrations/operator: Use a dedicated scheme in tests
(#26883)
* Backport #26366 to branch/v13 (#26738)
* [v13] Web: Add back buttons and remove exit buttons (discover &
integrations) (#26727)
* [v13] skip rdpclient build in integration tests (#26526)
* [v13] Spawn gateway CLI client directly (#26751)
* bump cloud to 12.4.3 (#26899)
* correct discovery bootstrap command description (#26894)
* [v13] Add a codegen-focused buildbox (#26739)
* [v13] Proxy Templates update: cluster switching and tsh ssh
parity (#26852)
* app access: improve error logging (#26869)
* [v13] docs: include Enterprise in tctl version for ent, cloud
prereq (#26847)
* Bump github.com/docker/distribution (#26107) (#26855)
* Thu May 25 2023 kastl@b1-systems.de
- Update to version 13.0.3:
* Release 13.0.3 (#26846)
* add rbac for cluster alerts (#26423) (#26789)
* docs: correct faq answer on editions (#26842)
* [v13] use stable/cloud repo for cloud tenants (#26841)
* [v13] Add a few convenience toggles to genproto.sh (#26672)
* include db in tsh play and consistent description ends (#26816)
* add polyfill for randomuuid (#26611)
* athena audit logs - always pass utc to query (#26821)
* [v13] docs: update to machine-id file list and edits (#26800)
* Remove 'preview' from tcp app access guides (#26813)
* [v13] [docs] add image for moderated file transfer (#26808)
* Introduce group and app name Okta import rule regexes. (#26799)
* fix TestALPNProxyHTTPProxyBasicAuthDial flakiness (#26713)
* docs: add missing server_name to LDAP config (#26692)
* athena audit logs - sent checksum on s3 write (#26748)
* Amazon RDS converter: extract Subnets (#26621) (#26675)
* [v13] Don't unmount `cgroup2` when restarting (#26728)
* docs: update agent updates (#26731)
* Windows TPM enrollment support (#25801) (#26736)
* Fix link to CA Pinning information (#26690)
* [v13] Add mermaid diagram to the HA guide (#26697)
* docs: remove old starting from message (#26717)
* Describe `tsh ls` support for multiple labels (#26539)
* add upgrader to inventory hello (#26454) (#26479)
* Define the "jamf_service" configuration (#26478) (#26700)
* [v13] operator: ProvisionToken support (#26618)
* Fix port forwarding when using a label based target (#26701)
* [v13] Refresh Kubernetes Access Getting Started diagram (#26536)
* [v13] Edit the docs UI reference (#26533)
* [v13] refactor tsh db (#26651)
* Remove intel label from macOS (#26698)
* [v13] Make the Linux Server guide less SSH-centric (#26631)
* [v13] Adds an admonition about Teleport not currently
supporting Azure AD (#26556)
* [v13] Docs: Patch Register Cluster page (#26686)
* [V13] Add certificate rotation to `teleport join openssh`
oneshot command (#26674)
* [v13] docs: Add Msft SQL Server client examples and link in sql
server guide (#26558)
* docs: update reference to Teleport systemd (#26680)
* chore: Bump Buf to v1.19.0 (#26645)
* [v13] athena audit logs - pass teleport user as top level field
(#26661)
* Extend `kubectl auth can-i` support for `kubernetes_resources`
RBAC rules (#26584)
* Update e ref (#26664)
* [v13] auditlog - pass context and rework search params (#26587)
* expose firehose emulator host env in tests (#26592)
* [v13] Update SyncInventory RPC documentation (#26629)
* [v13] Add Teleport Team docs (#26639)
* [v13] Docs: mark Okta application access as preview (#26627)
* suggest machine id in plugins partial (#26624)
* [v13] docs: remove starting from messages older then 10.0
(#26553)
* [v13] changes openssh addr validation to allow hosts (#26549)
* [docs] Amazon Athena guide for Application Access (#25329)
(#26505)
* [v13] Desktop access improvements (#26413)
* Add RoleInstance to
TestLocalServiceRolesHavePermissionsForUploaderService (#26597)
* Update backends.mdx to remove incorrect comment (#26600)
* Bump golangci-lint to v1.52.2 (#26593)
* Add in Okta plugin type. (#26458)
* [v13] Do not run the uploader with the MDM role (#26514)
* Show dev-related tools only in dev mode (#26495)
* update db and app service role permissions (#26519)
* [v13] WebDiscover: Revert deleting the app wizard (#26457)
* bump-e-ref (#26545)
* add AWS cross-account db access guide (#26468)
* docs: update version (#26509)
* Update `gravitational/protobuf` fork tag (#26373) (#26488)
* Add the JamfSpecV1 proto (#26391) (#26448)
* [v13] Add in extra Okta audit event fields. (#26370)
* Install Script: add Darwin ARM64 support (#26504)
* Update AMI usage instructions (#26453)
* [v13] Docs: Adjust curl examples (#26472)
* athena audit logs - integration tests (#26494)
* [v13] add assume_role_arn and external_id docs reference
(#26030)
* bypass lint and os-compatibility for md and mdx files (#26480)
* [v13] Add and map the MDM system role (#26471)
* Install Node Script: respect version variable (#26322)
* [v13] add list of applied login rules to user login event
(#26474)
* bump eref (#26465)
* bump docs for cloud to 12.4.2 (#26466)
* Thu May 18 2023 kastl@b1-systems.de
- Update to version 13.0.2:
* Release 13.0.2 (#26469)
* [v13] docs: include DynamoDB streams as required in storage
backend (#26381)
* changelog spellfixes (#26431)
* [v13] Web: Provide accurate actionable steps with duplicate db
name error (#26399)
* fix tsh db connect to active cassandra db (#26378)
* [v13] Add in plugin bearer token credentials. (#26436)
* [v13] docs: fix curl usage (#26411)
* athena audit logs - run on single auth (#26443)
* [v13] athena audit logs - delete from sqs (#26424)
* athena audit logs - parquet writer (#26240)
* Wed May 17 2023 kastl@b1-systems.de
- Update to version 13.0.1:
* Release 13.0.1 (#26418)
* bump eref (#26406)
* [v13] Change TestDeleteMFADeviceSync to do per-delete
assertions (#26390)
* Update version in tsh.app Info.plist (#26314)
* Remove the Adopters page (#26362)
* remove opened var when set to false (#26367)
* Update e ref (#26389)
* check for empty name part in role arn (#26376)
* Refresh the teleport-cluster Helm guide (#26172)
* update video banner (#26384)
* [v13] Web: Integrations touchups (#26152)
* Add params to CTA redirect URL (#26086) (#26340)
* [v13] fix azure db user auth check (#26317)
* [v13] Proto and Go module changes for Windows TPM support
(#26325) (#26348)
* Update config.json (#26258)
* bump e-ref (#26355)
* [v13] docs: add mongo port in high availability and k8s
operator doc (#26357)
* [v13] docs: enroll auto updates fixes (#26352)
* Remove our replacement for Logrus (#26241) (#26304)
* [v13] Update `electron` and `electron-builder` (#26327)
* [v13] Replace GetConnectCommandNoAbsPath with os.exec.Cmd.Args
(#26328)
* [v13] Disable "Open new terminal" if there's no active
workspace (#26333)
* athena audit logs - query rate limiter (#26221)
* Fix twoClustersTunnel flakiness (#26254)
* [v13] TLS Routing behind ALB: `tsh kube join` (#26283)
* Update e ref (#26306)
* Decrease test timeout (#26267)
* Allow aws svg icon to take on the themes main color (#26039)
* Revert usage of grpc error interceptors in `lib/client`
(#26271)
* [v13] docs: Make Amazon Linux name usage consistent (#26192)
* Make PAM user creation script copy/pasteable (#26275)
* [v13] docs: expand admonition for additional DB types (#26260)
* [v13] docs: add tip on Kubernetes resources (#26278)
* [v13] - Backport docker distribution update #26108 and #26109
(#26249)
* [docs] Include File Transfers in moderated sessions docs
(#26032) (#26265)
* Restore Kubernetes Integration tests (#26186)
* [v13] Populate the time locked status value when local user
locked (#26255)
* [v13] Add GCP Join Method (#26165)
* athena audit logs - support athena engine v2 (#26222)
* [v13] docs: reword dynamic guides language to more active
(#26227)
* athena audit logs - sqs receive (#26220)
* Get rid of update on unmounted component in ResultList (#26230)
* [v13] Remove privileged APIs from window after app
initialization (#26213)
* [v13] only show windows domain in audit log ui if applicable
(#26078)
* athena audit logs - query (#24740)
* [v13] Add pprof diagnostics endpoints to `tbot` (#26117)
* docs: Fix link to standalone Windows auth service (#26179)
* Fix Helm chart Join token secret creation (#26055) (#26175)
* [v13] Fix panic when using proxy peering (#26174)
* [v13] Clarify Auth Service backend permissions (#26076)
* Update e ref (#26163)
* docs: fix invalid characters in kubernetes service example in
discovery troubleshooting (#26157)
* Modify error messages for customer portal to Teleport account
(#26139)
* TLS Routing behind ALB: access request Kube Pod search (#26128)
* Set Cloud version to 12.3.3 (#26036)
* [v13] Search bar: Take cluster filter into account when listing
offline clusters (#26127)
* Backport Assist UI (#26145)
* Move the favicon so Teleport serves the static file (#26144)
* [v13] Fix GoRoutine leak in `authclient.Connect` (#26125)
* [v13] docs: update plugin and docker version (#26113)
* [v13] provides info on Oracle Wallet location when using Oracle
Orapki generation (#26133)
* [v13] Fixes a SharedDirectoryAnnounce incompatibility (#26090)
* Return a better message on "lacks registered credentials"
errors (#26103)
* docs: add note about curl on Windows (#26088)
* [v13] Moderation Session docs update (#26082)
* [v13] Use os.UserHomeDir where possible (#25999)
* bump e-ref (#26101)
* [v13] [docs] TLS routing behind l7 load balancer preview
(#26077)
* [v13] usagereporter: split the `ssh_port` session start into
`ssh_port_v2`, `k8s_port` (#26062)
* push the feature check to ctx.init (#26007) (#26071)
* Use the correct value for DeviceAuthenticateEvent (#26068)
* [v13] Show resource search errors in search bar when fetching a
preview (#26073)
* create e-imports package (#25992) (#26044)
* [v13] docs: clarify host labeling for Windows desktops (#25524)
* Clean up staticConfig mocks (#26059)
* [v13] Document how to open a local terminal in Teleport Connect
(#26061)
* docs: AWS OpenSearch (#26051)
* Improve AWS OIDC Integration extensibility (#26050)
* [v13] tctl: improve alert ack flows (#26040)
* docs: Update MySQL Server Version (#26052)
* [v13] Add in Okta audit events. (#26000)
* Add docker cli to buildbox (#25975)
* gh-trigger-workflow: Retry transient server errors (#25972)
* [v13] Change Helm reference `--set` formatting (#25509)
* [v13] Okta assignment targets/statuses are human readable in
the CLI. (#26023)
* [v13] fix: truncate YubiHSM2 key IDs (#25816)
* [v13] Note that the SAML IdP now supports HSM. (#26005)
* [v13] fix: use errors.Is for all EOF comparisons (#26017)
* Install Scripts: add updater package (#25971)
* Provide client address information in transport request
(#25993)
* Add events to cta clicks (#25325) (#25986)
* [v13] TLS Routing behind ALB Connect support for SSH and
Database access. (#25899)
* [v13] Allow adding 'locked' features to menu items and routes
(#25952)
* [v13] Upgrade TypeScript to 5.0.4 (#25983)
* [v13] Introduce inventory service counts. (#25944)
* Remove test case which uses local profile. (#25969)
* [v13] add redirect to windows user creation instructions to
host user creation doc (#25965)
* build: Scope RUST_VERSION var to single target (#25962)
* [v13] warn about v13 repos not containing v14 Teleport (#25954)
* [v13] don't delete unit schedule file (#25943)
* Bump Buf to 1.18.0 (#25888)
* Update the supported versions table (#25902)
* helm: warn about teleportVersionOverride and scratch risks
(#25601) (#25914)
* [v13] docs: instruct users to use `apt`/`yum`/`dnf` instead of
`dpkg`/`rpm` (#25937)
* [v13] backport team plan CSP and RBAC (#25928)
* [v13] Okta documentation. (#25940)
* [v13] Team plan CTAs (#25073) (#25701)
* Add t_source to be standard (#25720)
* [v13] Add the debug command `tsh fido2 attobj` (#25923)
* Makefile: cache `go env` values (#25894)
* docs: document the updater (#24628) (#25913)
* [v13] check for correct kube and ssh listen address in starting
message (#25907)
* provide starting message for tar ball install (#25904)
* Add IsUsageBased to features and send it to web UI (#25465)
(#25860)
* [v13] Remove code related to the command bar from Connect
(#25898)
* Simplify the Getting Started experience (#25519)
* [v13] Make TS a dev dep of root package.json, fix design dev
deps (#25875)
* [v13] Fix flaky resolveNetworkAddress test (#25874)
* [v13] enable acl in single aws terraform s3 (#25854)
* Add ability to enable trace logging level (#25833)
* Remove `not a valid Unix login` logging (#25838)
* Fix application resource headers rewrite spec (#25863)
* Add ability to enable trace logging level (#25833)
* Remove `not a valid Unix login` logging (#25838)
* Fix application resource headers rewrite spec (#25863)
* Update docs version vars for v13 (#25352)
* Thu May 11 2023 kastl@b1-systems.de
- Update to version 13.0.0:
changelog to big, please find it here:
https://github.com/gravitational/teleport/releases/tag/v13.0.0
- BuildRequire go1.20
(github.com/gravitational/teleport/lib/events/athena
* Tue May 09 2023 kastl@b1-systems.de
- Update to version 12.3.3:
* Release 12.3.3 (#25835))
* Fix access to leaf resources (#25694) (#25862)
* fix auditlog error (#25843)
* [v12] Include teleport-windows-auth in OSS releases (#25846)
* make some chatty dynamodb logs trace (#25821)
* Update e ref (#25831)
* Correct SAML IdP session read permission. (#25798)
* Fix Web UI error message when host is offline (#25661)
* [v12] Update e ref. (#25812)
* [v12] Add `SetFeatures` method to modules (#25653)
* add agent config scaling section (#25796)
* Update change log to include desktop access fix in 12.3.2
(#25793)
* [v12] docs: document "and" logic for labels (#25750)
* [v12] Log troubleshooting information when InvalidInstanceID
errors are found during EC2 discovery (#25641)
* [v12] docs: provide instructions on getting enterprise file
from new license Teleport Account (#25753)
* [v12] WebDiscover: Enroll RDS Databases and Hookup RDS flow
(#25604)
* Try to fix TestAgentPoolConnectionCount (#24616) (#25695)
* Support additional expected instance roles. (#25742)
* [v12] Use the GHA base container for Lint (Docs) (#25716)
* update eref (#25733)
* [v12] Add client compatibility to installation guide (#25685)
* [v12] Improve API client connection failure feedback (#25563)
* [v12] Refresh the HA guide (#25670)
* [v12] docs: fix claims to roles description in access controls
reference (#25633)
* Ensure useDocumentGateway creates the gateway only on mount
(#25626)
* [v12] docs: update cloud proxy service architecture language
(#25724)
* [v12] docs: move docs links from absolute to relative (#25736)
* [v12] use "google.golang.org/protobuf" to clone protobuf
messages (#25714)
* refactor theme in v12 (#25650)
* Add UserGroups to RequestableResourceKinds. (#25708)
* Don't report usage for KubeServiceV2 keepalives (#25656)
* docs: mention Machine ID where tctl auth sign is used (#25610)
* [v12] Update e-ref and icomoon library (#25665)
* backport missing deps (#25662)
* Update role-templates.mdx (#25628)
* Reuse auth connection for Okta client (#25622) (#25646)
* [v12] WebDiscover: Enroll aws integrations (#25594)
* Fri May 05 2023 kastl@b1-systems.de
- Update to version 12.3.2:
* Release 12.3.2 (#25647)
* Update e-ref (#25636)
* docs: correct gcp install headers (#25426)
* Define a new DeviceEvent proto with the usual embeds (#25353)
(#25555)
* Use new device event layout in Web UI (#25355) (#25558)
* [v12] Add specific message for network errors on app launch
(Web UI) (#25606)
* [v12] Add missing user groups entry to getEmptyResource state.
(#25612)
* Do not change proto user on make grpc (#24847)
* Update metrics docs (#25591)
* Make ProtoPostgres support PROXY protocol (#25529)
* [v12] Support UI methods for user groups, label match user
groups in API. (#25578)
* [v12] docs: update version (#25577)
* [v12] docs: update CloudHSM docs (#25570)
* Web:Discover Refactor resource selector screen (#23018)
(#25556)
* [v12] Team plan CTAs (#25073) (#25572)
* [v12] Add integrations access rule to user context (#25516)
* Disallow OktaAssignment deletion from tctl. (#25463)
* [v12] New Usage Events (#25493)
* add billing to navigation (#25192) (#25487)
* [v12] banner dependencies (#25194)
* [v12] Document HA for Access Request plugins (#25551)
* Capitalize Teleport in command/args (#25545)
* Remove Origin from cloud converters (#24977) (#25459)
* Updates distroless Dockerfile to handle fips realeases (#25451)
* Wed May 03 2023 kastl@b1-systems.de
- Update to version 12.3.1:
* Release 12.3.1 (amended) (#25517)
* [v12] darwin: Use notarytool to notarize instead of altool
(#25455)
* [v12] chore: Bump Go to 1.20.4 (#25506)
* Release 12.3.1 (#25502)
* Allow unknown fields when unmarshaling types.MFADevice (#25445)
* Fix backwards compatability of GenerateUserSingleUseCerts
(#25486)
* [v12] Update e ref. (#25474)
* Return friendly errors when sessions are prevented due to a
lock (#25482)
* docs: automatic user creation for windows desktops (#25364)
* Add missing Connection header for ALPN connection upgrade
(#25346) (#25411)
* [v12] WebAPI: thumbprint endpoint (#25338)
* Tue May 02 2023 kastl@b1-systems.de
- Update to version 12.3.0:
* Release 12.3.0 (#25443)
* [v12] Bump e-ref (#25440)
* [v12] docs: update YubiHSM2 docs (#25359)
* Fix issuing credentials for non SSH protocols (#25430)
* docs: remove dynamic database resource in example aws dynamodb
(#25340)
* webapi cleanup (#24363) (#25368)
* [v12] docs: update docker guide to allow for server access and
show troubleshooting (#25345)
* [v12] Windows user creation (#24780) (#25348)
* [branch/v12] Add building Windows Authentication Package to
Drone (#23811) (#25311)
* terraform: enable ACLs in the certs bucket (#25335)
* Define distinct types for all device events (#25320)
* docs: update onelogin screenshot (#25331)
* Sun Apr 30 2023 kastl@b1-systems.de
- Update to version 12.2.5:
* Release 12.2.5 (#25326)
* Integrations: AWS OIDC - ListDatabases action (#24877)
* Record and verify WebAuthn RPIDs (#25238) (#25289)
* [v12] Fuzz TDP protocol, fix two issues. (#25308)
* Add option to override kube context on `tsh kube login`
(#25253)
* Fix `TestAuthSignKubeconfig` test (#25269)
* Update Electron to 22.3.6 (#25184)
* Fix cluster alerts timeout (#25300)
* Properly handle SAML IdP enable/disable. (#25309)
* Addresses #23554 (#25296)
* Do not try to verify PROXY signature for non-Teleport TLVs
(#25302)
* Bump gh-trigger-workflow timeout to 2h30m (#25174)
* [v12] Clean up Drone slack notifcations (#25217)
* Use the correct emitter in auth.TLSServer (#25272)
* Fix `underlying reader not a terminal` issues (#25102) (#25242)
* [v12] docs: Login Rule k8s operator docs (#25158)
* [v12] Show <1m for remaining tsh status valid time for last
minute (#25225)
* Move db cert renewal message to debug log (#25222)
* docs: add information on viewing status and logs for systemd
service (#25199)
* * Save ssh_service.public_addr values to Server.PublicAddrs
instead of discarding them (#25223)
* Add new field to license spec (#23194) (#25197)
* fix: avoid inadvertent deletion of active HSM keys (#25208)
* [v12] Update headless tsh command descriptions (#25148)
* [v12] Update e ref. (#25205)
* Connect: Fix logout sequence (#24978) (#25182)
* Avoid prompting users for mfa when using `tsh ssh --headless`
(#24701) (#25187)
* [v12] Simplify Okta assignment statuses. (#25189)
* Improve performance of MFA ceremony (#24804)
* Headless Login explicit username (#24689) (#25112)
* Alphabetize the GUI Client page (#25120)
* [v12] Document relative link paths in partials (#25117)
* [v12] docs: append cluster name for example ansible hosts list
(#25124)
* [v12] Order sudoers file lines by role name (#24792)
* [web] Add storeUser to console context (#24159) (#24809)
* Add login hooks. (#24828) (#25105)
* Join Script: fix tarball folder for ent builds (#25076)
* fix github url formatting (#25089) (#25098)
* Add key attestation to generate user certs to catch non-login
flows. (#24867) (#24956)
* add comment specifying kubernetes user (#24916)
* docs: Add warning about TLS multiplexing to Kubernetes IAM
joining (#24820)
* OktaAssignment and UserGroup in auth cache. (#25067)
* docs: fix spelling and remove misspelled word from spellcheck
skip (#25030)
* Add in group labels for role conditions. (#25080)
* Log informative messages for device authn failures (#24912)
* [v12] docs: Change `listen_addr` to `web_listen_addr` in custom
Helm deployment guide (#24974)
* docs: fix directory instruction for docs contributing (#24994)
* docs: Adds common Teleport configure,start and helm charts for
non-iam db access guides (#25001)
* Pass the auth.Server itself to inventory.NewController (#25007)
* [v12] local proxy not required for mysql separate port (#24827)
* replace 'machine' with 'host' or 'workstation' (#24986)
* clarify tctl command location and secret destination (#24982)
* Make tsh check SSH_ user, proxy, and cluster env variables if
not already set. (#24470)
* [v12] docs: update version (#24957)
* [v12] Proxy Client (#24734)
* docs: make adopters table markdown for cleaner look (#24951)
* Fix example API client imports (#24375)
* docs: remove unneeded sudo for removing user data dirs (#24919)
* [v12] Makes the `Per Role` per session mfa example accurate
(#24927)
* [v12] docs: remove duplicate content in oracle guide (#24907)
* docs: bump cloud to 12.2.3 (#24769) (#24843)
* [v12] docs: provide warning on Amazon Linux 2023 installations
(#24853)
* Update e ref (#24894)
* Use apt.releases to fetch pub key (#24875)
* [v12] Update crewjam/saml dependency. (#24898)
* [v12] Edit Homebrew installation instructions (#24824)
* Remove unnecessary sudo from Connect uninstall docs (#24888)
* Update Cloud FAQ doc to remove latency note (#24891)
* refactor how 'tsh scp' destinations are parsed (#24861)
* [v12] docs: provider faq answer for configurable maintenance
times for cloud (#24855)
* Thu Apr 20 2023 kastl@b1-systems.de
- Update to version 12.2.4:
* Release 12.2.4 (#24844)
* [v12] docs: document error with older SSM agent version
(#24833)
* OS packaging and auto updates backport - v12 (#24781)
* [v12] SFTP fixes (#24831)
* [v12] Checks proxy server and token set for join openssh
(#24745)
* [v12] Fix `TestHeadlessAuthenticationWatcher` flakiness
(#24705)
* [v12] docs: make consistent access request plugins helm
configuration and instructions (#24760)
* Add docs subsection about joining services (#24756)
* Update embedded video (#24699)
* [web] Add isModeratedSession flag to web ssh session (#24238)
(#24806)
* [v12] Backport Mac build GitHub Actions support (#24432)
* Backport --raw version flag (#24772)
* Acquire user certs from root cluster during web file transfers
(#24768)
* Fix memory leak on Kubernetes port-forwarding (#24763)
* [v12] Use CompareAndSwap for OktaAssignments instead of lock.
(#24748)
* Tweak protogen to not change protos from cloud (#24688)
(#24739)
* Tweak messaging to anticipate a new linter (#24411)
* docs: Login Rules Terraform docs (#24674)
* [v12] reduce cache retry load (#23025) (#24719)
* Change port-forwarding completion logs to debug (#24658)
* [v12] Make audit log details dialog larger. (#24722)
* stop handling SIGINT, SIGTERM in tctl (#24681)
* Add Okta assignment update statuses to Okta access point.
(#24735)
* [v12] docs: remove ignored user parameter in tsh login example
(#24624)
* [v12] Check Okta action transitions during update, allow failed
- > pending. (#24685)
* Prevent multiple discovery agents to race against each other
(#24214) (#24716)
* Document `discovery_group` parameter (#24713)
* Add cleanup time and last transition time to OktaAssignment.
(#24725)
* Add in a Okta assignments copy method. (#24694)
* refresh vscode guide (#24697)
* helm: fix `teleport-kube-agent` telemetry (#24471) (#24680)
* allow redundant security release alert suppression (#24692)
* [v12] Tag output from teleport configure as ERROR or WARNING if
applies (#24676)
* [v12] Introduce an OktaAssignmentsGetter and use it in the
watcher. (#24584)
* Ensure that proxy services join by dialing auth (#24668)
* docs: update audit results faq for cloud (#24633)
* Pull kube proxy address from proxy ping endpoint (#24516)
* docs version (#24622)
* [v12] docs: kubernetes joining guide + reference (#24545)
* [v12] docs: update k8s gke discovery to use zone variable
consistently (#24613)
* [v12] Hosted plugins frontend / user-facing parts (#24597)
* Make the OpenSSH guide more prominent (#24568)
* Edit the SSH Key Extensions guide prereqs (#24537)
* Add top-level redirects to intro pages (#24565)
* Add architectural clarity to the AD guide (#24569)
* [v12] Renders user auth types in User List in expected
capitalization (#24604)
* [v12] docs: simplify tokens generation examples (#24497)
* [v12] Update relcli to fix publishing of release notes (#24438)
(#24529)
* [v12] Fix authenticated conn metrics for http reporter (#24570)
* only call 'user.Current' when we really need to (#24573)
* update aws configurator (#24362) (#24494)
* Fri Apr 14 2023 kastl@b1-systems.de
- Update to version 12.2.3:
* Release 12.2.3 (#24546)
* Machine ID: Add ability to request RouteToCluster in generated
certs (#23838) (#24544)
* Update e reference (#24550)
* [v12] spelling fixes and ignore adds (#24539)
* Added 03/13 Upcoming Releases Update (#24547)
* Document alert acknowledgement (#24489)
* Add info to the Directory Sharing guide (#24487)
* Update e ref. (#24542)
* Fix IP pinning for SSO login (#24541)
* [v12] docs: include Amazon Linux in BPF-supported distributions
(#24480)
* Allow the Okta role to read the cluster name. (#24540)
* Integrations: web API and tctl (#24145) (#24458)
* [v12] Ensure the Okta service can connect through the reverse
tunnel. (#24524)
* Update FAQ for on-prem data collection (#24512)
* Support app servers on different types of tunnels. (#23749)
(#24525)
* Attempt ssh connections with and without mfa at the same time
(#24371)
* Fix relaxed moderator joining for Kube Access (#23674) (#23993)
* [v12] Hosted plugin manager prerequisites (#23922) (#24390)
* Add check for nil auth.local in ping response. (#24490)
* Docs: adjust Active Directory (manual) guide (#24071) (#24462)
* Docs: Standardize prerequisite partial use. (#23394) (#24452)
* Create a partial for Event Handler role/user (#24469)
* Thu Apr 13 2023 kastl@b1-systems.de
- Update to version 12.2.2:
* Release 12.2.2 (#24478)
* docs: bump cloud to 12.2.1 (#24475)
* Unlock keychain in drone (#24474)
* [v12] Add CA, Role, Lock AuthPreference RO persmissions to
RoleOkta. (#24397)
* Add caveat re: the audit event list (#24406)
* helm: support setting proxyListenerMode to emptystring (#24426)
* Clarify that "local" is not an auth connector (#24455)
* [v12] Integration: add service to server and client (#24133)
(#24439)
* [v12] Return enroll_status unspecified for empty status
(#24435)
* [v12] docs: correct rds proxy policy example (#24423)
* Restore MajorVersion template var for Installers (#24388)
(#24434)
* [v12] usagereporter: enable on-prem user activity reporting
(#24433)
* reduce log spam when AWS Aurora engine name is not recognized
(#24413)
* [v12] Distroless doc updates (#24036)
* * Fix Hardware Key support docs when scoped for Open Source.
(#24408)
* * Add --mlock flag with auto, off, best_effort, and strict
options. (#24236) (#24410)
* Add new `reporting` license flag (#21928) (#24396)
* Fix log output in aggregating.Reporter (#24391)
* Move docs builds down in GitHub Actions (#24385)
* Remove unnecessary query string (#24289)
* [v12] Updates access plane to access platform and operator def
(#24389)
* Expose CopyAndConfigureTLS. (#24384)
* [v12] Fields in WebAuthn comments (#24354)
* chore: Bump Buf from 1.16.0 to 1.17.0 (#24351)
* * Fix headless authentication watcher race condition on wait
condition (#24361)
* Add longer meta descriptions to high-traffic pages (#24334)
* Update e reference. (#24341)
* [v12] Support spellchecking in docs content (#24304)
* Allow Okta role to heartbeat app servers. (#24329)
* Constrict app.FindPublicAddr client. (#24331)
* docs: correct header in changelog (#24308)
* [v12] Update to Teleport Access Platform name in teleport,tctl
(#24300)
* purge extra newlines (#24283)
* fix protocol name for elasticsearch guide (#24280)
* [v12] Fixes to metrics docs (#24290)
* add Datadog to audit events index (#24274)
* Make react-router-dom and @types versions consistent (#24201)
(#24272)
* docs: use teleport systemd include for start mongodb (#24258)
* [v12] Fix package names for v1 protos, misc proto changes
(#24183) (#24263)
* Connect: Do not include staging feedback address in prod CSP
(#24189)
* Add missing continue and handle error in the test echo SSH
server (#24243)
* Added 04/03 Upcoming Releases Update (#24215)
* [v12] Bump cloud docs to 12.1.5 (#24204)
* Include correct identity in post-renewal log message (#24246)
* docs: use teleport systemd include for start (#24248)
* update Makefile to use cargo sparse protocol in all cargo
commands (#23856) (#24225)
* GHA: Update path filters to include workflow files and Makefile
(#24252)
* Lowercase "Teleport Service" (#24219)
* [v12] Disable `build-macos` and `build-windows` on PR (#24233)
* bump teleport version in docs (#24205)
* usagereporter: on-prem dial home (#23916) (#24196)
* Fix tctl test timeouts (#24216)
* [v12] Add configuration options for hosted plugin runtime
(#22320) (#24112)
* [v12] [docs] Add documentation page for IP pinning (#23897)
* Integrations service for CRUD operations (#23989) (#24144)
* Add local guidance for Linux Server guide users (#24140)
* [v12] Fix panic when incoming request is nil (#24199)
* Fix panic for when `/web/launch` is requested (#24132)
* Add systemctl instructions to Connecting Apps (#24137)
* Make TestTeleportProcess_reconnectToAuth less flaky (#24191)
* ClusterItem: Remove usage of colors.secondary.lighter (#24182)
* add `set -eu` to discovery installer (#24034)
* Clarify how to decide undocumented style questions (#24085)
* update eref (#24165)
* [v12] docs: update mfa docs (#24157)
* Include year in cert rotate examples docs (#24153)
* Send tunnel reconnects before waiting for sessions to drain
(#24141)
* [v12] Fix improper report of status on success (#24155)
* refactor theme (#23876)
* update eref (#24148)
* helm: Propagate securityContext and nodeSelector to Job hooks
(#24012) (#24134)
* Remove no longer used Teleport enterprise yaml example (#24150)
* Remove the Access Controls FAQ (#24081)
* fix flaky tests (#24126)
* [V12] Integration resource: proto (#24057)
* Fix TestTerminal_KillUnderlyingShell (#24125)
* [v12] Docs: Remove Details block from tctl partial. (#24072)
* docs: Oracle Database Access (#24119)
* [v12] Update gosaml2 to 0.9.1 (#24079)
* Bump Cloud SLA to 99.9% (#24093)
* Thu Apr 06 2023 kastl@b1-systems.de
- Update to version 12.2.1:
* Release 12.2.1 (#24098)
* [v12] helm: Add support for imagePullSecrets to
teleport-cluster chart (#24017)
* [v12] chore: Bump Go to 1.20.3 (#24062)
* Show the server name (instead of UUID) in errors (#23724)
(#23935)
* Thu Apr 06 2023 kastl@b1-systems.de
- Update to version 12.2.0:
* Release 12.2.0 (#24056)
* fix joining moderated sessions in ui (#24018)
* revert marshal database tls mode (#24063)
* helm: delete hook-related resource on re-apply (#24068)
* Fix listing of participant modes in UI (#24029)
* [v12] Add a guide to creating Teleport roles via the API (#24003)
* docs: correct mongodb atlas example config (#24044)
* Add Azure auto-join docs (#23944)
* Replace "Spotlight Search" with "Cross-Cluster Search" (#24049)
* Recommend Proxy Service in event-handler guides (#23937)
* Add missing `join_method` in azure joining docs (#24031)
* [v12] docs: device trust edits (#24025)
* [v12] Define an explicit device resource as DeviceV1 (#24024)
* [v12] Connect: Collect protocol origin (#24039)
* [v12] docs: update version (#24027)
* Close auth clients in tctl tests (#24014)
* docs: add description of config versions (#23936)
* [v12] Headless Login (#23360)
* [v12] tsh: Fix redundant error in PPK generation on relogin
(#23984)
* Allow getting client ip from ProxyHelloSignature for
compatibility (#23419)
* Update e reference (#24006)
* [v12] docs: include enable teleport service in systemctl start
(#23988)
* [v12] Docs: prefer `curl .../auth/export` instead of `tctl auth
export` (#23982)
* [v12] docs: Add advisory and troubleshooting on non-tls mode
for machineid kube (#23951)
* [v12] Backport IP pinning for Kube and DB access (#23418)
* Update e reference (#23994)
* [v12] GitLab Delegated Joining docs (#23981)
* Add Support for Oracle protocol (#23892)
* [v12] Metrics: add IsSSO to Discover Events (#23902)
* [v12] Add Docker Hub login to Drone's Kubernetes pipelines
(#23958)
* Mon Apr 03 2023 kastl@b1-systems.de
- Update to version 12.1.5:
* Release 12.1.5 (#23945)
* Reduce DefaultIdleTimeout to 30s (#23950)
* [v12] Update e ref. (#23939)
* Backport #22817 to branch/v12 (#23881)
* split and notate new vs existing mysql user (#23930)
* Mon Apr 03 2023 kastl@b1-systems.de
- Update to version 12.1.4:
* Release 12.1.4 (#23929)
* [v12] feat: Operator support for Login Rules (#23885)
* Backport #23405 to branch/v12 (#23883)
* [v12] Prevent unknown ssh requests from terminating sessions
(#23904)
* Allow a tsh aws to proxy any command (#19941) (#23835)
* Return exit code from SFTP subsystem (#23729)
* [v12] Allow Okta service reverse tunnel access. (#23853)
* chore: Bump Buf from 1.15.1 to 1.16.0 (#23870)
* [v12] Add gRPC service definition for Plugin resources (#21750)
(#23780)
* Added 03/30 Upcoming Releases Update (#23868)
* Expose process.OnHeartbeat. (#23852)
* Add Copy to AccessRequest. (#23638) (#23712)
* Update e ref (#23845)
* [v12] Remove `push` workflow for jobs that already run on PR
and merge (#23862)
* Machine ID FIPS support (#23563) (#23850)
* Mon Apr 03 2023 kastl@b1-systems.de
- Update to version 12.1.3:
* Release 12.1.3 (#23847)
* update makefile (#23818)
* support readable enum values in database tls mode (#23601)
(#23808)
* [v12] Fix the navigation only ever linking to the root cluster
(#23708)
* [v12] Improve fluentd exported by configuring buffer (#23841)
* [v12] docs: Add Uninstall Instructions for Teleport Connect
(#23822)
* [v12] Reduce time spent setting ssh session envs (#23834)
* docs: modify teleport binary reference to non-path specific in
ec2 discovery (#23812)
* Allow app server origin of Okta if added by Okta built in role.
(#23794)
* Add cluster flag to `tsh kube sessions` (#23825)
* ALPN handshake test improvements (#23348) (#23798)
* docs: Remove Open Source from Try out Teleport on a linux
server (#23744)
* docs: label enterprise prereq as Teleport Enterprise, not just
Teleport (#23792)
* [v12] docs: use commercial pre-req for enterprise only windows
only users (#23803)
* [v12] Use stable/cloud when Automatic Upgrades is on (#23395)
(#23752)
* Add Okta import rules, Okta assignments, and user groups to
CLI. (#23722)
* Clarify wording of Connect's Telemetry FAQ (#23413) (#23739)
* Expose SingleProcessModeResolver and GetRotation. (#23772)
* helm: Clarify port requirement for publicAddr (#23743)
* Add new status to OktaAssignment, supporting service methods.
(#23714)
* Fix multiple profile handling for kube credentials (#23716)
* [v12] Create an OktaAssignment watcher. (#23721)
* Prevent races creating web api session context (#23691)
(#23733)
* Correct linux download name of Teleport Connect (#23604)
(#23737)
* [docs] Change scrollback_length to scrollback_lines (#23725)
* reorder prehog credential events (#23254) (#23640)
* [v12] Add SFTP subsystem fails note to server access FAQ
(#23362)
* Fix H1 Issues in Docs (#23328) (#23690)
* Docs: Overhaul Okta SAML guide. (#23053) (#23673)
* Docs: fix saml role addition partial. (#23186) (#23701)
* feat(aws/config): Support configuring
auth_service.proxy_listener_mode (#23678)
* docs: Mention lack of signing with Homebrew (#23681)
* Improve performance of `ListResources` (#23534) (#23596)
* [v12] usagereporter: resource heartbeats (#23632)
* [docs] Change ui_config to ui (#23672)
* Cherry pick from v11 Backport of dependabot CVE updates
(#23580) (#23582)
* docs: configure windows service to listen on all interfaces
(#23664)
* Ignore unused-parameter on revive/golangci-lint (#23656)
(#23661)
* Bump cloud version to 12.1.2 (#23410)
* [v12] fix: close all proxy listeners (#23647)
* update github.com/pelletier/go-toml to v1.9.5 (#23658)
* docs: point to release 12.1.1 for exe download for windows
local users (#23629)
* [v12] Increase DialTimeout when testing SSH Connection
Diagnostics (#23635)
* [v12] Remove the Houston enforcer (#23633)
* Use RUNNER_TEMP to download teleport bins
* Revert resty to a version to match teleport-plugins
* Rename 'operator' pipeline file to 'integrations'
* [v12] Vendor slack plugin and supporting libraries (#23045)
* Add integrations/
* Fixed profiling documentation.
* Updated Application Access documentation.
* Added docs for Auth/Proxy LB configuration
* Updated Cloud FAQ for IP allowlists.
* Updated Cloud FAQ
* [v12] Spell fix (#23594)
* [v12] Allow for resource limits and requests for pre-deployment
jobs (#23126)
* docs: Remove note about not supporting Win Server 2022 (#23584)
* [v12] Refactor UserGroups local service to use generic service.
(#23579)
* Fix agent pool test flakiness (#23572)
* Attempt to build the docs in "Lint (Docs)" (#23530)
* [v12] Add application RW permissions to the Okta role. (#23566)
* allow users to specify separate API URL for github connectors
(#23568)
* Fix JSON reference in Azure Command (#23562)
* [v12] Fetch kubernetes git version with disabled service
account (#23559)
* Update generated protos (#23545)
* chore: Bump protoc-gen-go and protoc-gen-grpc-go (#23326)
* Refactor data dir config params for `tbot` to support memory
(#23447) (#23495)
* Add missing GetPriority function to Okta import rules. (#23501)
* minor refactor to replace localProxyOpts with
alpnproxy.LocalProxyConfigOpt (#23302) (#23468)
* [v12] support postgres cancel request (#23467)
* Add Azure join method docs (#23526)
* GHA: Cache tweaks (#23540)
* Added Teleport Usage Script (#23543)
* Validate proxy peer identity (#23506)
* Enable minimal web handler when proxy protocol is enabled
(#22753) (#23487)
* Add hardware key support guide to access control guide list.
(#23488)
* improve aws utils and database validation (#23157) (#23482)
* Plugins service no longer accepts getBackend(). (#23520)
* [v12] Spell fix IAM docs (#23521)
* docs: indicate which role options are enterprise only (#23298)
* Add Teleport 12 features to comparison matrix (#23484)
* Add proxy peering metrics to docs (#23015) (#23393)
* [v12] Spell fix API comments (#23499)
* Use GitHub camelcase for UI, examples and Messages (#23490)
* [v12] Fix ProvisionToken incompatibility with
BootstrapResources (#23474)
* Handle getBackend() or backend argument for plugins. (#23438)
* [v12] Add the Okta origin constant. (#23456)
* docs: clarify directory sharing audit events (#23295)
* add webui page with active session section (#23398)
* Include teleport-msteams start in plugin docs (#23459)
* [v12] update tsh proxy db cert and key file flags (#23466)
* [v12] Add the Okta access point for the Okta service. (#23463)
* Introduce Okta objects into the cache. (#23377)
* Add `srv.ConnectionMonitor` to unify connection monitoring
logic (#23465)
* [v12] Add EKS guide to install agents using IAM joining
(#23451)
* docs: clarify app access debug app (#23297)
* Add Okta client import for Okta service. (#23437)
* [v12] Set serviceStarted if enterprise services are enabled.
(#23402)
* [v12] Docs: Update Terraform reference (#23439)
* [v12] Filter out internal teleport defined logins (#23411)
* [v12] Fix incorrect report of active sessions (#23444)
* Do not log errors if metadata extraction fails (#23424)
* Add user group read/write access to the Okta role. (#23370)
* [v12] - Deprecate `site` param in `auth/export` HTTP endpoint
(#23309)
* [v12] Machine ID trusted cluster enhancements (#23390)
* Fix links with long redirect chains (#22503)
* Support Azure delegated joining for Machine ID (#23112)
(#23391)
* App Agent adjust connection noise logs (#23365)
* Expose process ID for enterprise services. (#23383)
* [v12] [Docs] Fix documentation for the `roles` field in the
Moderated Sessions join policy reference (#23313)
* Update e reference. (#23381)
* Disable application launch in minimal handler (#22816) (#23332)
* Fix docs mentioning connectors updates without secrets (#23344)
* Include year in tctl status dates (#23371)
* Fix tsh kube credentials fails on remove cluster for the first
time (#23252) (#23354)
* Add Headless SSO note to upcoming releases (#23339)
* [v12] Use Helm DynamoDB policy in Backends reference (#23183)
* Remove unused Expires column for tsh database list in verbose
(#23318)
* [v12] Fix DB Query always return success false in audit log
(#23274)
* App access: rewrite redirects to public app address from leaf
cluster. (#21067) (#23220)
* Fix docs link in changelog (#22452)
* Export additional functions for enterprise use. (#23245)
* Remove older-versions from docs (#23246)
* Remove extraneous subheading in DB guides page (#23208)
* Add Okta service configuration. (#23236)
* fix link for troubleshooting (#23241)
* [v12] build.assets Dockerfiles: Remove unnecessary ENV
NODE_URL, pass fsSL to curl (#23188)
* [v12] doc: add troubleshooting for RDS maximum policy size
exceeded errors (#23231)
* [v12] Access Mgmt Login Rule and IDP doc updates (#23217)
* [v12] Notification improvements (#23223)
* Fix navigation redirecting to the wrong page on category change
(#23213)
* Improve error message to label Enterprise version as FIPS for
fips error (#23214)
* [v12] Connect: Allow config customization (#23197)
* GitLab Delegated Joining (#22705) (#23191)
* adding video to k8s doc (#23171)
* Allow webauthn to be passed when issuing certs for web-based
scp (#22864) (#23195)
* fix heartbeatv2 test (#23203)
* Add anonymized device ID to tp.user.login event (#23055)
* Decouple SkipLocalAuth, UseKeyPrincipal, and static auth
methods. (#21182) (#23198)
* Establish the Okta service role. (#23173)
* [v12] Make Desktop Acess setup script idempotent (#23176)
* Updated config to include HA guide (#23155)
* [v12] tsh: Silent webauthnwin warning on app init (#23161)
* [v12] Support App access behind load balancer (#23054)
* [v12] Backport of `crypto` update (#23150)
* [v12] Bump Cloud to 12.1.1 (#23129)
* Use serverUID for web scp target (#23124) (#23152)
* Add `app_server` support to tctl get/rm commands (#23136)
* [v12] docs: Add instructions on uninstalling Teleport (#23135)
* Added 03/15 Upcoming Releases Update (#23127)
* Remove ossfuzz from CI (#23113)
* Update Rust to 1.68.0 (#23101)
* [v12] Introduce the Okta service. (#23071)
* [v12] Backport Access Request plugin guide (#23085)
* [v12] Backport #23024 and #23079 (#23080)
* Changed Upcoming Releases format. (#23020)
* Update docs version (#23083)
* add bypasses for lint go and lint docs (#23078)
* [v12] Document that GitHub username is added to internal.logins
(#23060)
* [v12] Backport #23008 and #23006 (#23021)
* Introduce Okta gRPC and client interfaces. (#22733) (#23057)
* [v12] chore: Bump Go to 1.20.2 (#22997)
* [v12] Update the docs style guide (#23001)
* Provide more context in the docs intro page (#23003)
* [v12] usagereporter: Use the batched event ingest RPC (#23027)
* Update Electron to 22.3.2 (#23048)
* Add a getter for the backend in `auth.GRPCServer`. (#23043)
* Log Connect version on startup (#23036)
* [v12] Fix uncaught exception handling in Connect's shared
process (#22986)
* [v12] Backport Distroless OCI builds (#22814)
* [v12] Fix unresponsive terminal in Connect on Windows Server
2019 (#22996)
* Fixed enterprise and fips OS packages not uploading to OS
package repositories when promoting in the context of private
git repos (#21163) (#23012)
* Tue Mar 21 2023 Johannes Kastl <kastl@b1-systems.de>
- BuildRequire go1.19
* Tue Mar 14 2023 kastl@b1-systems.de
- Update to version 12.1.1:
* Release 12.1.1 (#23016)
* [v12] Hide upgrade-related alerts from dashboards (#22991)
* Hide download center when not on dashboards and prevent license
gRPC endpoint from being called (#22965) (#22980)
* Web-Discover: Add support for connection testers with
per-session MFA enabled (#22529) (#22943)
* [v12] Add docs for Connect usage reporting (#22661)
* fix leave session command (#22795)
* Fix usagereporter tests (#22968)
* [v12] Remove docs reference and video that users can
approve/deny within PagerDuty (#22939)
* [v12] Export CRL and Database CA in DER format (#22896)
* docs: include a separate page for OSS access requests (#22946)
* macOS-compatible grep (#22759)
* Use 13px font size in a `Notification` (#22870)
* [v12] Swap out select for poll (#22676) and Loop for poll
(#22746) (#22798)
* [Web] Make language on mfa verify step dialog more clear
(#20825) (#22924)
* Fix panic when AuditWriter fails on moderated sessions (#22930)
* [v12] Add per-session mfa support to connection testers
(#22918)
* update eref (#22937)
* fix select box sizing (#22686)
* Make the NodeWatcher more robust (#22910)
* Add idle connection timeouts to http clients and servers
(#22885) (#22908)
* Remove the permissions alias. (#22909)
* [v12] chore: Bump gci and golangci-lint (#22900)
* Drop local_auth/second_factor warning (#22859)
* Update e ref. (#22905)
* [v12] Connect: Provide prehog address for prod env (#22876)
* [v12] Emit new `AgentMetadataEvent` (#22879)
* chore: Bump Buf to v1.15.1 (#22856)
* Ensure that the `webclient` closes connections
(#22832) (#22893)
* [v12] Connect: Remove leftovers from resource cache removal
(#22884)
* docs: mention how to get the correct API version (#22812)
* [v12] Return Public Web Port in TLS mode for postgres when
listen addr specified. (#22889)
* Idp Docs Fixes (#22853)
* Added 03/09 Upcoming Releases Update (#22846)
* [v12] Add documentation for tsh --trace-exporter (#22837)
* Move the authorizer into its own package. (#22825)
* [v12] Interface for processing SAML IdP request signing on
auth server. (#22801)
* Do not check os groups when user exits (#22805)
* [v12] Deduplicate multiplexer detection errors over 1-minute
windows (#22802)
* Validate static labels assigned to Kubernetes service
(#22701) (#22777)
* [v12] AWS Terraform doc updates (#22786)
* Cherry-pick 6c58a9e (#22785)
* usagereporter: Allow multiple batch submissions in a row
(#22711) (#22788)
* [v12] Use the teleport-ent package on enterprise clusters in
the discovery installer (#22769)
* Add correct link in place of placeholder for Telemetry docs
(#22781)
* Docs teleport and golang version (#22765)
* [v12] Docs: Fix AWS Terraform Snippets (#22743)
* The SAML IdP CA will be handled during auth.Init. (#22721)
* [v12] Improve error messages for tsh login connectivity and ssh
port (#22763)
* [v12] Reorganize the config reference (#22271)
* [v12] chore: Bump Go to 1.19.7 (#22725)
* [v12] SAML identity provider docs. (#22625)
* NodeJoin Script: clear yum repo cache (#22585)
* Improve tctl auth export docs/help (#22681)
* Tue Mar 07 2023 kastl@b1-systems.de
- Update to version 12.1.0:
* Release 12.1.0 (#22694)
* (v12) Downgrade Go to 1.19.6 (#22691)
* Add MaxRetryPeriod for cachePolicy config to use in tests
(#22656) (#22692)
* [v12] temporarily disable TestHSMDualAuthRotation (#22682)
* [v12] Docs: Add Datadog guide. (#22677)
* Update node listing troubleshooting (#22678)
* [v12] Update access request enterprise description (#22621)
* [v12] Machine ID Agent Anonymous Analytics (#22658)
* test keyword frontmatter (#22666)
* Machine ID telemetry docs (#22541) (#22660)
* SCP - Change file attrs only when requested (#22579) (#22609)
* Fix broken Teleterm stories (#22665)
* spell fixes and discord config fix (#22617)
* Remove network I/O from database_service collection apply
(#22588)
* [v12] Add OSS repo name to github actions trigger (#22653)
* Update e (#22608)
* Refresh remote cluster connection status periodically (#22575)
* bump cloud version (#22542)
* fix typo in image (#22138) (#22552)
* Bump e ref. (#22602)
* Sat Mar 04 2023 kastl@b1-systems.de
- Update to version 12.0.5:
* Release 12.0.5 (#22599)
* Add SAML IdP service providers to default allow rules.
(#22600)
* [v12] node hb and watcher scalability improvements (#21495)
* Add in SAML IdP service provider session metadata to auth
attempts. (#22544) (#22562)
* update eref (#22596)
* [Web] Refactor serverside filtering and pagination
(#20823) (#22432)
* fix video link (#22576)
* Use `btree.BTreeG` directly in memory backend (#22409)
* [v12] Add GCP Service Account parameter to tctl users add
reference (#22543)
* [v12] Add Telnet into docker to test connectivity for cloud
getting started (#22570)
* Allow all alert severities to be acknowledged (#22582)
* add github.com/google/go-attestation/attest to e imports #2
(#22465)
* Fix compilation on ARM (#22569)
* [v12] Refresh the Access Controls menu (#22523)
* [v12] update e ref to latest branch/v12 (#22566)
* Added 03/02 Upcoming Releases Update (#22547)
* [v12] Enable BPF on ARM64 (#22550)
* Teleport 12 Videos (#22527)
* Add Azure auto-joining (#21087) (#22521)
* [v12] Unify x86/ARM64 build process (#22495)
* Fix pickDefaultAddr not respecting HTTPS_PROXY (#22492)
* Set `create_as_resource` in device-related `tctl` RPCs
(#22415) (#22518)
* Improve `tsh kube credentials` read operations (#22508)
* [v12] SAML IdP audit events. (#22510)
* [v12] `lib/usagereporter` refactor and consolidation (#22512)
* [v12] Make curl fail on server error when downloading binaries
in buildbox (#22380) (#22442)
* add known STS endpoint for ap-southeast-4 (#22486)
* [v12] Server Access RBAC Docs page (#22500)
* Okta local service. (#22434) (#22513)
* chore: Bump Buf to v1.15.0 (#22430) (#22472)
* [v12] Allow devices writes with resource-like semantics
(#22470)
* Initial Okta objects. (#22151) (#22431)
* [v12] Update to libbpf 1.0.1 (#22424)
* Automatically parse entity ID from SAML SP during CLI creation.
(#22101) (#22368)
* [v12] Add static and dynamic web ui configuration options
(#22422)
* [v12] feat: add LoginRule methods to api/client (#22426)
* [v12] Add docs steps to create machine-id data dir and systemd
enablement (#22477)
* [v12] Remove non-applicable roles from teleport start --roles
reference (#22311)
* [v12] Use developer-friendly and precise technical language in
docs (#22412)
* docs: use approved terminology for desktop access w/ local
users (#22418)
* [v12] Add CLI doc changes after new client only parameter for
tsh version (#22392)
* Export runtime traces from tsh (#22406)
* [v12] fixes #21970 - remove broken config validation check in
scratch mode (#22423)
* [v12] sshserver: Correctly handle PuTTY winadj channel requests
(#22420)
* Docs: Device Trust role and locking support (#21915) (#22416)
* [v12] update e-ref (#22381)
* Install libbpf 1.0.1 in buildboxes (#22317)
* [v12] Update to default k8s deployment docs (#22396)
* Update docs Teleport version and golang (#22384)
* Add caching to web assets (#22183)
* [v12] Connect: Remove resource cache (#22316)
* Machine ID readme example script fix (#22394)
* Add Azure join method (#22204)
* [v12] Bump versions in docker images to 12 (#22375)
* Updates to enable merge queue (#22370)
* Fix incorrect login options for Windows Desktops
(#22118) (#22333)
* [v12] Update eref (#22343)
* Add WEBASSETS_SKIP_BUILD to Makefile (#22337)
* Always include webassets_embed when building teleport (#22339)
* Add `isDashboard` to web config object (#20830) (#22329)
* [v12] [Web] Add custom element support to SearchPanel (#22325)
* Fix SAML IdP service provider CLI bug. (#22322)
* [v12] [web] Move filtering out cloud and tcp apps to the
frontend (#22324)
* Tue Feb 28 2023 kastl@b1-systems.de
- Update to version 12.0.4:
* Release 12.0.4 (#22321)
* Terminate the local shell when a session closes (#22222)
* Ignore all node_module paths when running shellcheck lint.
(#22233)
* [v12] Enable xterm links and clean up MFA modal (#22278)
* [v12] Web: Fix regression for not able to create or reset
users (#22267)
* Mark Proxy Peering as in Preview (#22209)
* [v12] helm: allow to set security contexts in
`teleport-kube-agent` (#21535)
* Format collected data in the device tctl resource nicely
(#22198) (#22258)
* Fix `disconnect_expired_cert` and `client_idle_timeout`
description (#22255)
* spell fix kubernetes resource doc (#22259)
* Tue Feb 28 2023 kastl@b1-systems.de
- Update to version 12.0.3:
* Release 12.0.3 (#22250)
* [v12] Fix Kube impersonation header overwrite when dealing
with remote clusters (#22244)
* Fix an issue Redis protocol not handling nil response
(#22200) (#22228)
* preserve explicit local auth disable
* Create a generic local backend service. (#22236)
* [v12] Adds `kubernetes_resources` references (#22217)
* User group API and cache. (#21956) (#22147)
* [v12] Provide flag to only display tsh binary version (#22167)
* [v12] Extend security context to proxy init container
wait-auth-update. (#22064)
* createPtyProcess: Return early on error (#22190)
* ClustersService: Remove internal logins when syncing root
clusters (#22187)
* [v12] Implement tctl resource commands for Device Trust
(#22157)
* Added 02/23 Upcoming Releases Update
* [v12] Add docs for Device Trust tctl commands (#22201)
* Inherit `kubernetes_resources` from roles when using access
requests to kube_cluster
* [v12] Add service for "plugin" resources (#21210) (#22185)
* [v12] Add Security-Kerberos Event Log for Desktop
Troubleshooting (#22170)
* add MFA type and Login flow to register challenge event
(#22112) (#22159)
* add bypassses for UI GHA's (#22105) (#22141)
* Add expire time to SAML session creation. (#22135)
* [v12] Add Plugin resource schema, methods (#20990) (#22177)
* [v12] Connect: Enable font configuration (#22122)
* Update e (#22156)
* Spell fix previews page (#22152)
* Add in WrapContextWithUserFromTLSConnState. (#22136)
* [v12] Bump cloud version to 11.3.4 (#22114)
* disable MFA TTL limit for local proxy tunnel (#21661)
* [v12] Document silent install of Connect on Windows (#22119)
* Clarifications in Okta SSO doc (#22036)
* [v12] Docs: update fluentd guide (#22077)
* Remove usage of lodash methods (#21567) (#22102)
* Discover: install ent image when cluster is enterprise
(#22109)
* [v12] Install deb/yum repos when using node-join script
(#22108)
* Ensure UpdateRemoteCluster updates all fields (#22024) (#22088)
* fix: improve tsh logs when skipping auto Access Request
(#22094)
* Add DatabaseService KeepAlive type (#22042) (#22087)
* SAML IdP sessions added to the API and cache. (#22098)
* Correctly handle LOCAL command of PROXY protocol v2 in
multiplexer (#22092)
* Import jest-canvas-mock in teleport tests which import xterm
paths (#22074)
* Refresh Introduction Page (#21261) (#22032)
* [v12] Add non-HA Teleport cluster to Deploy with Helm links
(#22039)
* Emit usage events for `port`, `kube.request`, `sftp`
(#21740) (#22016)
* Relay child exit code in g-build (#21898)
* [v12] [Web:Discover] Add missing checks (#22029)
* Align AWS assume-role request duration with cert expiration
(#21670) (#21994)
* Support assumed roles for "tsh proxy aws" (#20568) (#21990)
* [doc] Update app access reserved headers X-Teleport-*
(#21000) (#21993)
* [v12] Change init logger to include timestamp for debug level
(#21996)
* Add minor improvements to `lib/kube/proxy` (#21917)
* [v12] Support proxy reading of SAML IdP CA. (#22030)
* Mention --mfa-mode in the `tsh mfa add` flow (#22018) (#22034)
* [docs] add a note on `rds:DescribeDBClusters` (#22007) (#22025)
* Improve formatting for TLS cert requests (#22013)
* CI: bypass OS compatibility check for some changes
(#21989) (#22021)
* [v12] Updates to windows getting started (#22019)
* [v12] SAML IdP access checker. (#21955)
* Expose access point in web handler. (#21957)
* Include Enterprise in output of tctl version for commercial
pre-req (#22004)
* [v12] Fix Moderated session on leave pause action. (#21974)
* [v12] [Web] Fix missing --request-id= flag in UI for Kubernetes
login instructions (#21445)
* [v12] Connect: Use SSH server UUID instead of hostname for file
transfer (#21962)
* [v12] Fix uncaught errors in Desktop's Discover flow (#21756)
* Added 02/16 Upcoming Releases Update
* Add metrics to track connection ingress (#19734) (#21771)
* Switch CodeQL to scheduled (#21942)
* Refer to tsh apps subcommand (#21857)
* Adjust clientIP/pinnedIP fields according to IP pinning RFD
(#21906)
* Update Go toolchain to 1.20.1 (#21931)
* [v12] Docs/TF: Identity as b64 (#21933)
* Docs: Remove Jira Custom Field reference (#21908)
* Update role > lock and add missing word." (#21897)
* Reduce etcd requests performed by a KeepAlive (#21926)
* Update Teleport Enterprise Cloud compare description (#21922)
* [v12] Update teleterm README (#21879)
* Disable instance heartbeats by default (#21901) (#21905)
* [v12] Add docs references to `tsh request search --kind=pod`
(#21887)
* [v12] Add more info re: AWS credentials to the docs (#21776)
* [v12] Include enterprise in tctl prereqs for ent and cloud
(#21890)
* Initial user group object. (#21657)
* [v12] Add SAML query functions to auth preferences. (#21825)
* SAML IdP session objects. (#21758)
* [v12] Update troubleshooting docs (#21762)
* [v12] Change error response formatting for "/version" endpoint
(#21846)
* Update download link (#21674)
* use Enterprise over Commercial (#21370)
* Improve webpack "exclude" expressions (#21663) (#21725)
* [doc] allow either role name or full ARN for AWS IAM role
db_users (#21240) (#21837)
* helm: fix proxy and auth config referring to the same subdict
(#21768)
* Fixup teleport db configure create (#20968) (#21690)
* spell fixes (#21855)
* Bump Buf to v1.14.0 (#21842)
* Run reviewers check on (un)labeled PR events (#21814) (#21819)
* [v12] docs: login rule docs (#21829)
* Remove deprecated warning when proxy starts (#21817)
* [v12] Move CentOS 7 assets to GitHub repo (#21784)
* feat: early feedback for successful security key taps (#21780)
* set SessionExpires on new sessions (#21688) (#21733)
* [v12] Skip deleting server heartbeats during in-process restart
(#21807)
* Remove code related to restarting lib/teleterm gateways (#21533)
* AWS IAM role matching for database users (#20610) (#21251)
* Add device lock support (#21667) (#21751)
* [v12] Turn off parallelization of teleterm's integration tests
(#21737)
* [v12] Remove support for DEBUG_ASSETS_PATH (#21473)
* Remove required cluster name when using `tsh kube login --all`
(#21765)
* [v12] Moderated sessions request is not forwarded into the leaf
cluster (#21612)
* Role access requests available for all scopes (#21752)
* Update docs link to master db access rfd (#21736)
* Cache etcd lease ttl (#21496)
* Fix linter issues (#21748)
* [v12] Update Go toolchain to 1.20 (#21680)
* Add Pod resource search web API (#21595)
* Update docs version (#21744)
* [v12] Make UsageSessionStart report TCP app access separately
(#21711)
* [v12] Connect: Link to docs in `UsageData` dialog (#21730)
* Delete assets/aws/cloudformation directory (#21696)
* lib/utils/fs.go: Do not remove lockfiles on Windows
* Update SQL Server library (#21065) (#21638)
* Update database config samples (#21480) (#21543)
* Change debug commands during discover flow (#21557)
* [v12] Ask for job role on the second launch (#21640)
* Correct namespace name in k8s doc (#21589)
* Remove version warnings for EOL Teleport versions (#21665)
* Mon Feb 13 2023 kastl@b1-systems.de
- Update to version 12.0.2:
* Release 12.0.2 (#21679)
* Bump cloud version to 11.3.3 (#21672)
* Fix kube agent shutdown during upgrades (#21617)
* [v12] Updates port validation to restrict to valid port numbers 1-65535 (#21651)
* Improve listing resources across clusters (#21003) (#21577)
* [v12] Skip deleting database servers on agent shutdown during binary upgrade (#21635)
* [v12] Update JS grpc-tools to 1.12.4 (#21532)
* capture custom role creation in prehog (#21123) (#21599)
* Verify if proxy can handle application requests when creating session (#21615)
* Extract entity ID when creating SAML service provider. (#21603)
* Allow invalid namespaces in role templates (#21573)
* Remove GCB checks (#21593)
* [v12] Compare TLS and SSH principals independent of order (#21578)
* [v12] Skip device authz when issuing App or Windows certs (#21571)
* fix link in troubleshooting guide (#21581)
* [v12] Use test IP addresses for auth_proxy_test. (#21576)
* Remove unused `CheckResourceUpsertableByError` function (#21562)
* refactor db local proxy logic (#21335)
* Add field to user cert request (#21474)
* Fix k8s docs links (#21553)
* Bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp (#21514)
* Bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp (#21513)
* [v12] Update e-ref (#21547)
* [v12] Add SAML IdP service providers to the cache and CLI. (#21471)
* [v12] Improve error message when trying to rename resource (#21179)
* [v12] Remove Auth/Proxy instructions from DB guides (#21333)
* properly resolve conflict (#21409)
* [v12] Update okta.mdx (#21410)
* [v12] helm-docs: Separate cert-manager and ACM values for clarity in AWS guide (#21361)
* Rename protoEqual and add a big warning (#21505)
* [v12] Connect: return logged in user in `ListRootClusters` (#21467)
* Run go mod tidy in CI (#21140) (#21482)
* Align the Okta and Auth Connector configuration examples in Okta SSO guide (#21475)
* [v12] Add in file configuration for the SAML IdP. (#21486)
* improve 'tsh scp' error message when no remote path is specified (#21373)
* Add `tsh request search --kind=pod` support (#21456)
* Removes the "overflow: auto" from StyledXterm (#20868)
* fix partial links (#21470)
* Reduce CPU usage in enhanced session
* update contribute instructions to use major version (#21462)
* [v12] [Docs] update Desktop Access introduction for v12 (#21458)
* Update the version support table for v12 (#21428)
* single-source access control guides list (#21415)
* [v12] Move Connect-specific MenuLogin story out of shared package (#21386)
* Fix flaky tctl UT - allocate network listener (#21390)
* Add RBAC labels for Database Services access (#21093) (#21244)
* Enable role-based device authz for DB, k8s and SSH (#20640) (#21432)
* [v12] Bump OpenSSL and libcbor (#21425)
* [v12] Require flag for dynamic resources matching "tsh db configure create" (#21395)
* [v12] Allow role-based device verification in AccessChecker (#20846)
* Bump forked go-libfido2 (#21175)
* fix k8s docs links (#21414)
* Show enterprise installs for Cloud scope MacOS Installs (#19669) (#21368)
* Update docs version to 12 (#21418)
* [v12] Add missing license headers to files. (#21405)
* correct tsh scp docs (#21378)
* Docs: AWS RDS Proxy Guide (#21322) (#21401)
* [v12] Update security information in docs. (#21358)
* Updated Dronegen for v12 release (#21355)
* [v12] Fix the navigation not listening to the back button (#21236)
* Spelling fix and app access link fix (#21397)
* [v12] Remove deprecated `/webapi/nodes/token` endpoint (#21152)
* Add gRPC Kubernetes Service (#21359)
* Wed Feb 08 2023 kastl@b1-systems.de
- Update to version 12.0.1:
* Release 12.0.1 (#21372)
* Fix operator build (#21369)
* fix lint-breaking spacing (#21356)
* [v12] Preview Page (#21283)
* Wed Feb 08 2023 kastl@b1-systems.de
- Update to version 12.0.0:
Full changelog is available at
https://github.com/gravitational/teleport/releases/tag/v12.0.0
Teleport 12 brings the following marquee features and improvements:
- Device Trust (Preview, Enterprise only)
- Passwordless Windows access for local users (Preview, Enterprise only)
- Per-pod RBAC for Kubernetes Access (Preview)
- Azure and GCP CLI support for Application Access (Preview)
- Support for more databases in Database Access:
- AWS DynamoDB
- AWS Redshift Serverless
- AWS RDS Proxy for PostgreSQL/MySQL
- Azure SQLServer Auto Discovery
- Azure Flexible Servers
- Refactored Helm charts (Preview)
- Dropped support for SHA1 in Server Access
- Signed/notarized macOS binaries
* Azure and GCP CLI support for Application Access (Preview)
In Teleport 12 administrators can interact with Azure and GCP APIs through
Application Access using `tsh az` and `tsh gcloud` CLI commands, or using
standard `az` and `gcloud` tools through the local application proxy.
* Support for more databases in Database Access
Database Access in Teleport 12 brings a number of new integrations to AWS-hosted
databases such as DynamoDB (now with audit log support), Redshift Serverless and
RDS Proxy for PostgreSQL/MySQL.
On Azure, Database Access adds SQLServer auto-discovery and support for Azure
Flexible Server for PostgreSQL/MySQL.
* Refactored Helm charts (Preview)
The “teleport-cluster” Helm chart underwent significant refactoring in Teleport
12 to provide better scalability and UX. Proxy and Auth are now separate
deployments and the new “scratch” chart mode makes it easier to provide a custom
Teleport config.
“Custom” mode users should follow the migration guide:
https://goteleport.com/docs/ver/12.x/deploy-a-cluster/helm-deployments/migration-v12/
* Dropped support for SHA1 in Server Access
Newer OpenSSH clients connecting to Teleport 12 clusters no longer need the
“PubAcceptedKeyTypes” workaround to include the deprecated “sha” algorithm.
* Signed/notarized macOS binaries
Users who download Teleport 12 Darwin binaries would no longer get an untrusted
software warning from macOS.
* tctl edit
tctl now supports an edit subcommand, allowing you to edit resources directly in
your preferred text editor.
* Breaking Changes
Please familiarize yourself with the following potentially disruptive changes in
Teleport 12 before upgrading.
- Helm charts
The teleport-cluster Helm chart underwent significant changes in Teleport 12. To
upgrade from an older version of the Helm chart deployed in “custom” mode, use
the following migration guide:
https://goteleport.com/docs/ver/12.x/deploy-a-cluster/helm-deployments/migration-v12/
Additionally, PSPs are removed from the chart when installing on Kubernetes 1.23
and higher to account for the deprecation/removal of PSPs by Kubernetes.
- tctl auth export
The tctl auth export command only exports the private key when passing the
- -keys flag. Previously it would output the certificate and private key
together.
- Desktop Access
Windows Desktop sessions disable the wallpaper by default, improving
performance. To restore the previous behavior, add `show_desktop_wallpaper: true`
to your windows_desktop_service config.
* Thu Feb 02 2023 kastl@b1-systems.de
- remove non-breakable-space character from changes file
- Update to version 11.3.2:
* Release 11.3.2 (#21121)
* Update ec2-tags.mdx (#21115)
* Fix MongoDB readHeaderAndPayload BSON max size (#21113)
* [v11] Fix direct node dial from WebUI (#20928)
* Update docker-compose docs (#21045)
* Use CDN links for install node scripts (#20985) (#21057)
* [v11] Remove CentOS6 and RHEL6 as valid distros (#20986)
* Skip TestBot_Run_CARotation (#20944)
* Use `SameSiteNoneMode` for application access cookies (#21049)
* Fix data race when closing listener (#21040)
* Conditionally build the UI if there are changes. (#20489) (#21018)
* [v11] Use the webassets directory at the root of the project for the web ui. (#21016)
* remove quotes from messages in makefile (#20740)
* Open Support links in UI to new page (#20984)
* [v11] Merge backports (#20997)
* [v11] Enable building teleport with the new UI location (#20965)
* Elasticsearch: explicitly require `--db-user`. (#20695) (#20919)
* Use concurrent streams for SFTP connections (#20953)
* update docs version (#20973)
* Disable disk-based logging for TestResizeTerminal (#20871)
* Fix language for try out teleport intro (#20948)
* Use a GitHub app for the check and backport workflows (#20873) (#20958)
* [v11] Add node and yarn to the buildboxes in preparation for the webapps merge (#20952)
* Hardware Key UX fixes (#20949)
* Update Rust to 1.67.0 (#20883)
* [v11] chore: Bump Buf to v1.13.1 (#20921)
* Added 01/26 Upcoming Releases Update
* [v11] fix `tsh proxy aws --endpoint-url` (#20880)
* Temporarily ignore the web directory when linting for license headers.
* [v11] Migrate AppLauncher tests into webapps. (#1532)
* Rearrange buildbox layers for faster updates (#20838)
* Use ghcr image for doc tests (#20876)
* Update app tests for rewritten headers (#20801)
* [v11] Add support for Moderated Sessions in the Web UI (#1540)
* [v11] [Discover] Enable mysql flow (#1539)
* [v11] feat: login rule audit events (#1537)
* [v11] Connect: Add useWorkspaceLoggedInUser (#1536)
* [v11] Update eref (#1534)
* Decode URL encoded values from AppLauncher's ARN. (#1530)
* Update e ref (#1528)
* Add --quiet to eslint package.json script (#1510) (#1523)
* Update webapps.e reference to latest commit (#1522)
* Fix clipboard permissions apparent inconsistency (#1509) (#1513)
* Change the application access authentication flow (#1515)
* capture additional prehog events (#1508)
* [v11] backport #1505 (Revert "Use sessionStorage for Authentication Bearer Token) (#1506)
* Add lazy loading for desktop sessions (#1503)
* Add lazy loading for session playback (#1502)
* Update e ref (#1500)
* Make trusted cluster screen hidden based on user roles (#1484) (#1494)
* Update Electron to 22.0.0 (#1498) (#1499)
* [v11] Discover: Implement Day 1 Database Postgres Flow (#1487)
* Update sessionPath value to new endpoint (#1486) (#1492)
* [v11] [Connect] requestableRoles and suggestedReviewers on LoggedInUser (#1485)
* [v11] Make bundled tsh available outside of Connect (#1488)
* Connect: Add missing modal stories, misc modal fixes (#1479) (#1482)
* Include session id in Session Uploaded event display (#1476)
* awaits the file write and close to avoid data corruption (#1471) (#1472)
* Fix websocket close (#1463) (#1470)
* [v11] add app access dynamodb event (#1462)
* [v11] backport #1275 (Use sessionStorage for Authentication Bearer Token) (#1458)
* Adds a status code to the closing of the tdp client's websocket (#1442) (#1455)
* [v11] [Connect] Use resourcesList in review access request table (#1456)
* Add support for InstanceJoin and BotJoin audit events (#1414) (#1440)
* Update electron-builder to 24.0.0-alpha.5 (#1434) (#1438)
* Connect: Use typed URIs (#1394) (#1436)
* Fix Connect stories (#1422) (#1435)
* Connect: Implement tshd event handlers for db cert renewal (#1383) (#1416)
* Add `recoveryCodesEnabled` (#1408) (#1419)
* Add subject value to app sessions (#1413) (#1426)
* alert convention matches grpc (#1424) (#1425)
* [Connect] Async autocomplete (#1406) (#1423)
* Fix large file corruption (#1382) (#1421)
* capture events from webapps (#1344) (#1411)
* Connect: Tell fpm to not use symlinks when building the rpm package (#1407) (#1410)
* useAsync: Add support for abort signal (#1377) (#1409)
* Update xterm to 5.0.0 (#1400) (#1401)
* [v11] backport #1321 (Add checkbox component to design package) (#1393)
* Lazy load Telemetry only when needed (#1399)
* Fix alerts from not disappearing on route changes (#1395) (#1397)
* Display `verb`, `request_path` & `response_code` in `kube.request` events (#1384) (#1391)
* [v11] Use a single websocket for SSH connections (#1361) (#1392)
* Pass clusterUri rather than documentUri to retryWithRelogin (#1385) (#1386)
* [v11] [Connect] Use server side search in resource tables (Advanced Search) (#1381)
* [v11] Forward SSH agent (#1366) (#1370)
* [v11] Update to Electron 21 (#1351) (#1360)
* Fix iterating over null array for sshLogins from fetched nodes (#1356)
* [Discover] Refactor SetupAccess Screens (#1310)
* Prevent non-https protocol from opening external windows (#1343) (#1345)
* Shared Directory Audit Events (#1290) (#1348)
* Connect: Set up tshd events server for tshd-initiated communication (#1285) (#1339)
* [v11] retryWithRelogin: Enable use outside of document context (#1341)
* Show all kinds of active sessions (#1337)
* [v11] Log shared process `stdout` and `stderr` (#1046) (#1336)
* [v11] Discover: Add back button for `TestConnection` screens (#1329)
* Update ensureBaseUrl to use URL constructors only (#1328) (#1330)
* Update ensureBaseUrl conditional (#1320) (#1322)
* [v11] Handle private key policy errors and config (#1298) (#1311)
* Warn user when desktop is active (#1297) (#1312)
* Connect: Use gap instead of margins for <Label> groups (#1316) (#1317)
* [UI]: Make roles render as labels (#1299) (#1308)
* [v11] Connect: Accommodate for making gRPC server creds in shared process (#1220) (#1302)
* Change Session Recording created date to UTC timestamp (#1304) (#1305)
* Make linguist correctly classify JS protobuf files (#1300) (#1301)
* [v11] Stop `FeatureBox` from adding a scrollbar (#1295)
* Connect: Fix filtering internal logins (#1292) (#1293)
* [v11] Discover implement kube flow day 1 (#1287)
* Change Desktop page to link to Discover, fix k8s typo (#1289)
* [v11] [Connect] Conditionally render Access Request navigation menu (#1281)
* [v11] File Transfer UI fixes (#1276) (#1284)
* [v11] Assumed roles bar improvements (#1274) (#1283)
* Connect: Adjust size of sync button & search input (#1280) (#1282)
* Connect testing fixes (#1269) (#1272)
* Update support ticket url (#1259)
* Fixes clipboard sync (#1250) (#1267)
* [v11] Do not keep assumed requests in `app_state.json` (#1254) (#1255)
* CatchError and Discover related feature extensions (#1249) (#1262)
* [v11] [Connect] Add Document Access Requests (#1203) (#1252)
* [v11] Backports (#1248)
* Update e-ref (#1245)
* [v11] Add support for Cassandra audit events (#1241)
* [v11] Add file transfer to Connect (#1225) (#1244)
* [Teleport] Create Tabs Component(#1234)
* Fix copy for SCP upload audit event (#1233)
* TDP PNG2 (#1230)
* Handles connect and disconnect audits for database servers where database name is not given. (#1226)
* Create TextSelectCopyMulti that allows multi lines and adding comments (#1194)
* Add audit log changes for SSM executions (#1192)
* Add `WEBPACK_PORT` (#1215)
* Add application CRUD audit events.
* Elasticsearch audit events. (#1213)
* Update Hot Reloading to work under more conditions, add `WEBPACK_PORT` (#1210)
* Create a FeatureContext to replace passing features as a prop (#1211)
* Add caching to Webpack during development (#1207)
* Add events for create, update and delete `kube_clusters` (#1202)
* Remove `raw-loader` completely (#1206)
* [Discover] Desktop Setup Flow (#1172)
* Minor kube fixes (#1195)
* add cluster alert links to UX (#1193)
* Add type-check step to CI (#1197)
* Remove auto-refresh for Active Sessions list (#1196)
* Add kube support (#1191)
* Fix double scroll bars, make everything have min width 1250px (#1178)
* Add BannerList and Banner components to display cluster alerts on load (#1169)
* [Discover] Check permission during the flow step instead of at beginning (#1185)
* Use node server_name of addr.local in audit log display (#1089)
* Change DEB artifact name (#1183)
* [Discover] Bug fix appending index number to login trait names (#1180)
* [Discover] User menu checkmark, alert bubble, tweaks (#1173)
* Adds `is_empty` to the File System Object (#1174)
* Remove leftover Connect proto file, update shared process protos (#1162)
* [Discover] Add permissions checks and available Teleport versions (#1126)
* [Discover] Update copy and design tweaks (#1131)
* Update generated protos for Connect (#1155)
* Update GitHub connector template (#1157)
* Adds special handling for CapsLock on MacOS (#1153)
* Enforce react-testing-library eslint rules (#1150)
* Allow Webpack's HTTPS options to be set through environment variables (#1151)
* adds (preview) to Share Directory menu item (#1148)
* Add `--request-id` flag to connection instructions for Kubes and Databases (#1130)
* Turn on directory sharing by default (#1141)
* Add default value for CONNECT_TSH_BIN_PATH in dev mode (#1143)
* Change Linux artifact names (#1142)
* Add support for Connect builds with Touch ID (#1116)
* Ignore `*.story.tsx` when type checking during Webpack builds (#1140)
* [Discover] Implement onboarding (#1121)
* update e ref (#1129)
* Improve Linux support (#1098)
* Enable no-unused-vars (#1118)
* [Discover] Prompt the user on pressing the back button during Discover (#1119)
* Add functional empty states to discover UI (#1106)
* bump e-ref (#1117)
* [Discover] Refactor context and top nav user menu dropdown (#1113)
* Reorganize approach to cluster names (#1086)
* Move electron-builder to a JS file (#1111)
* [Discover] Refactor and re-use Main component styling (#1112)
* Add warning dialog for unsupported browsers for directory sharing (#1110)
* Add an event for when a session recording is accessed (#970)
* SharedDirectoryDeleteRequest and SharedDirectoryDeleteResponse (#1096)
* [Discovery] Add Finish Component and Tweaks (#1109)
* Remove building native deps from `yarn build-term` (#1058)
* Use `.ico` for Windows (#1097)
* style sidebar (#1104)
* Update app access events (#1100)
* Remove AgentConnect (#1099)
* [Discover] Test Connection Boilerplating (#1094)
* `SharedDirectoryCreateRequest` and `SharedDirectoryCreateResponse` (#1090)
* Show Connect icon in better quality (#1091)
* Add a playback speed selector for Desktop Access recordings (#1072)
* [Discover] Add resource discovery polling and static OS logins (#1088)
* [Connect] Refactor FormLogin and add passwordless capabilities (#1019)
* `SharedDirectoryMoveResponse` (#1074)
* Switch webapps automation to main repo (#1082)
* Mark app session with "AWS" (#1050)
* Refactor input focusing after transition (#1071)
* Move focus to active document (#1070)
* Dockerfile: Check yarn.lock only on CI servers (#1076)
* Use git diff to show the difference after yarn install (#1069)
* Update e reference to master (#1073)
* Add protocol interceptor (#1025)
* useDocumentGateway: Default to '' rather than '0' (#1061)
* Add SFTP audit events (#968)
* Add ability to change port for db proxy (#900)
* CI: Fail if an update to yarn.lock is needed (#1047)
* Remove the stash (#1055)
* webassets: stash and pull to stay up to date (#1054)
* Further improvements to the webassets automation (#1053)
* `SharedDirectoryMoveRequest` (#1045)
* Fix git push (#1052)
* Checkout webassets at the right branch (#1051)
* Set TCP protocol explicitly (#1048)
* Tidy up `sharedDirectoryManager` (#1010)
* `SharedDirectoryWriteResponse` (#1008)
* `SharedDirectoryWriteRequest` (#1007)
* `SharedDirectoryReadResponse` (#1005)
* `SharedDirectoryReadRequest` (#1003)
* `SharedDirectoryListResponse` (#1000)
* `SharedDirectoryListRequest` (#999)
* Add automation to update webassets on push (#868)
* `SharedDirectoryInfoResponse` (#996)
* Add resource selection scaffold (#1035)
* [discover] Create Download Script Component (#1028)
* Add dash to Windows artifact name (#1039)
* Make "Learn More" button open Connect docs (#1040)
* Allow only one instance of Connect (#1038)
* Allow users to update Upgrade Window Start (#980)
* Connect: Wait for tshd gRPC server to start (#1021)
* Fix minor Windows issues (#1027)
* Add Windows support for Connect (#971)
* Fix the plugins for Connect so React Refresh works (#1032)
* Add unsafe-eval to CSP in dev mode to make source maps work (#1031)
* Added eslint rule to enforce the order of file imports (#1030)
* Add source maps and type checking to Webpack, config improvements (#985)
* Create LoginTrait Component (#992)
* Add section to README about audit events (#1022)
* Add `c-` prefix to the OS field of the feedback form (#1009)
* Display UTC time in audit log and session recording log (#991)
* Remove pathname injection in 404 message (#1002)
* added a content-security-policy (#987)
* add database uses db configure create (#912)
* Fix bug caused by having no participants in a Kube session recording (#995)
* updated webPreferences config (#988)
* deny any permission requests until needed (#986)
* `SharedDirectoryInfoRequest` (#966)
* `SharedDirectoryAcknowledge` (#965)
* `SharedDirectoryAnnounce` (#960)
* Remove unnecessary tranformValue for gap (#984)
* Updates Babel build targets (#977)
* Apply discover perm check (#982)
* Add gap property to Flex (#981)
* Fix typo in malformed packet error (#978)
* Update caniuse-lite (#975)
* Add k8s to recordings and active sessions list (#972)
* Remove EOT fonts (#969)
* Update teleterm protobuf files (#967)
* autofill username if loggedInUser exists on cluster (#954)
* Add targetUser to DocumentGateway help text (#961)
* Discover wizard screen POC + boilerplating (#942)
* Directory sharing menu item (#952)
* [3/3] Prettify teleterm package and add prettier to CI rule (#956)
* [2/3] Prettify shared, build, and teleport packages (#955)
* [1/3] Prettify Design Package (#953)
* Adds directory sharing flag to the ACL, protected by a config variable (#951)
* Connect: Add note about resource lifecycle to readme (#950)
* wrap switchTab in a conditional (#941)
* Change page size in Connect to 15 (#943)
* Make DocumentGateway responsive (#944)
* fowards path parameter to app access authentication (#913)
* Change window title to `Teleport Connect Preview` (#939)
* Add section about --insecure to Connect's readme (#937)
* Sort connections only when the list opens and show newest on the top (#925)
* Filter out logins starting with dash (#932)
* Update "Connect with GUI" section, add universal context menu (#926)
* Add default username for Redis (#919)
* Fix menu bug (#929)
* Limit db connections to one per db server & db username (#889)
* if no tab present, do nothing when CMD+W pressed (#923)
* Add ability to change db name for db proxy (#883)
* Fall back to leaf cluster id when restoring leaf cluster terminal document (#920)
* Update eref: change language 'search' to 'resource' access req (#921)
* Show connection type in connection tracker (#906)
* Show cluster breadcrumbs (#901)
* Remove username from the `Identity` selector (#903)
* Connect `ShareFeedback` with API (#899)
* Update e-ref: prevent rendering with nonrecoverable error [access request] (#910)
* Small fixes and tweaks while going through test plan (#908)
* Refactor StepSlider Component (#884)
* changes 0.0.0.0 to 127.0.0.1 (#905)
* Add story for Identity (#902)
* Update e-ref for story fix (#897)
* Update e-ref: fix for search based request list total count bug (#894)
* Revert "setup project to run prettier (#886)" (#893)
* Mention Teleport Connect in the README (#888)
* Ensure the gateway is created only when opening the document (#890)
* setup project to run prettier (#886)
* Re-order kube resource connection instructions for clarity (#880)
* Add share feedback form (#878)
* Show node specific ssh logins options (#873)
* Add `TextArea` and `FieldTextArea` components (#870)
* Update e-ref (#881)
* Build Connect in Webapps-Build pipeline (#874)
* Restart cluster gateways on login (#879)
* Add error callback to `handleRequest()` method on devserver (#877)
* Various small fixes and touch ups (#876)
* Add `access_request.search` event to audit log (#875)
* Show recent clusters list (#865)
* Search based request related changes and Table addons (#867)
* Improve handling timeouts when resolving shell env (#862)
* Fix null role response from users fetch (#871)
* Change app name to `Teleport Connect` (#869)
* Fix logout icon (#859)
* Create agent type for resources (#828)
* type-check script: Perform type check only (#861)
* Add missing word to `PromptSsoStatus` (#854)
* SQLServer audit events (#860)
* Fix types for Logger/NullService (#864)
* Retry with relogin on errors related to expired certs (#846)
* Capture tshd logs (#853)
* Allow "Activity" tab to be hidden (#844)
* Add get-teleport-connect-dir script (#856)
* Use only dmg target for Teleport Connect (#855)
* Update eref for docs link fix (#850)
* Do not show the login dialog when user adds a cluster that is connected (#840)
* Prevent `active` label jumping in identity list (#839)
* Remove connections when logging out (#837)
* Increase scrollback size to 5k lines (#838)
* Do not include secrets in gRPC logs (#829)
* Add cloud link download to Help & Support (#820)
* Create a LabelPicker component (#823)
* yarn.lock: electron@^19 -> electron@19.0.0 (#833)
* Upgrade Electron to 19.0.0 (#830)
* Add two event codes for SSO test flow. (#717)
* Prevent `restorePersistedState()` crash when there is no persisted workspace for a cluster (#825)
* Add gRPC files generation and logging to shared process (#821)
* Update Electron & add shared process (#819)
* Add tooltips with keyboard shortcuts (#822)
* Refactor Teleport Reset/Invite Flow (#818)
* Create new SlideTab component (#817)
* Refactor Teleport Login Flow (#816)
* Create StepSlider Component (#815)
* useDocumentGateway: Remove null rootCluster checks (#814)
* useDocumentGateway: Pin shell to correct cluster (#812)
* Add Kubes initial sorting (#810)
* Add Initial Sorting for Tables (#809)
* Add Clickable Labels (#791)
* Add predicate doc link with predicate error messages (#776)
* Update e ref (#805)
* Add new icons: key, arrow forward/back (#804)
* Device name wiring and clean up FormNewCredentials (#803)
* Passwordless wiring on login and add device (#724)
* Indicate whether session.network events were allowed or blocked (#800)
* Move RecoveryCode component from enterprise (#789)
* bump webapps.e hash.
* Fix pagination bug (#798)
* Bump Teleport Connect version to 1.0.1 (#796)
* Omit title when comparing previous and current documents (#788)
* Update author and owner in package.json to be Gravitational (#792)
* update webapps.e submodule.
* Pin local shell to the specified cluster (#767)
* When updating cluster resources, remove only those that belong to this cluster (#782)
* Simplify k8s join (#750)
* Replace "Lorem ipsum" for empty states (#756)
* Hide command bar when no cluster is selected (#772)
* Prepend PATH with bundled tsh (#769)
* Change predicate example to use bracket notation (#774)
* Add configure step (#751)
* Add support for notarization (#770)
* Use new Teleconnect icon (#768)
* Teleport Connect: Add dropdown for database name (#757)
* Remove state related to a cluster when removing it (#755)
* Fix trying to read from a null token (#759)
* Fix check for the --insecure flag (#758)
* Show database username suggestions in Teleport Connect (#754)
* Change app name to `Teleport Connect` (#753)
* Add Serverside Pagination, Filtering, and Sorting (#739)
* Resolve issues on logout (#740)
* Change connections shortcut to `Command/Ctrl-P` (#747)
* Fix getting cwd in presence of lsof warnings (#745)
* Add IAM method to web ui (#690)
* Close `Identity` popover after selecting an option (#741)
* Fix not clickable notifications when displayed over xterm
* Use new colors for theme
* Bring back native scrollbar as the styled one causes content to jump when it becomes visible
* Use the mac package download link instead of the tarball.
* update webapps to support more MySQL audit events (#729)
* IdentityList: Move roles list back into conditional (#736)
* Add max-width on Identity popover (#735)
* DocumentGateway: Replace the Copy button with a Run button (#733)
* Use dropdown for the db connect button (#732)
* Fix path to packaged assets in Teleterm (#731)
* Use DB CLI commands provided by tsh daemon (#726)
* Show cluster document instead of keyboard shortcuts as an empty state
* Show leaf cluster selector only when cluster has leaves
* Adds the Servers tab as a configurable UI feature (#728)
* Save window size and position
* Create shared instance of `fileStorage` for all processes, save app state before closing
* Handle cancellation of `ClusterConnectDialog` when changing workspace, use `onCancel` instead of `onClose`
* Ask user whether to reopen previous documents
* Support Electron's main process environment in `theme/getPlatform()`
* Move App initialization to the `AppInitializer` so it has access to all contexts
* Use dark background for the window
* Resolve shell env (#718)
* Simplify the db connection tab (#720)
* Prevent crash when network or cluster is offline (#712)
* Add Redis, MariaDB and Microsoft SQL Server to DB wizard (#709)
* Improve Teleterm README (#719)
* Remove u2f components and logic (#711)
* Use teleterm/logger in runtimeSettings (#716)
* Remove global `keyDown` handler from `KeyboardArrowsNavigation` as it blocked submitting forms
* Submit modals' forms on `Enter` press
* Revert "Use x64 arch when building & packaging Teleterm"
* Fix accessing `serversSyncStatus` Map in `clustersService`
* Do not block app rendering when initializing function fails
* Use `Notifications` error in `syncRootCluster()` and `removeGateway()`
* Show errors in `ClusterResources`' tables using standard `Danger` labels
* Add `Notifications` component and service
* Use x64 arch when building & packaging Teleterm
* Update e-ref
* Update getMfaOptions to createMfaOptions
* Fix half auto-filling OTP's for input boxes meant for it (#706)
* Update to electron@13.6.9 (#703)
* Limit navigation capabilities to reduce attack surface
* Update node snapshot for new terminology.
* Modify wording of add node messaging.
* Add view documentation button to desktop view.
* Fix Active Sessions Table Misalignment (#699)
* use has* to determine when to render the Add resource buttons.
* Properly use `css` prop
* Make connections icon bigger
* Enable `babel-plugin-styled-components` in production and tests (#697)
* Apply `Identity` design changes
* Change command `cluster-remove` to `cluster-logout`
* Adjust `Identity` layout, combine `logout` and `clusterRemove` into a single action
* Update snapshots for new UI changes.
* Cleanup issues with jumping elements and some button cleanup.
* Use connection dropdown instead of modal for supplying SSH username
* Render ssh menu item as `NavLink` only when URL is provided
* Update protobufs for Teleterm (LoginRequest params)
* Update command for updating proto files
* Show username when possible in identity list (#687)
* Prevent breaking layout on long cluster name (#688)
* remove `Navigator` code (#685)
* Update electron-builder to 23.0.3
* Fixed up failing CI.
* Update failing snapshot tests from the updated Empty UI.
* Use inline style instead of modifying text template.
* Lint
* Fix flashing the 'add entity' button on load when empty.
* Hide header add button if empty.
* Update desktop UI empty state to new layout.
* Updated nodes page to new empty state.
* Update empty state for databases to new design.
* Update empty Kubernetes listing page to new design.
* Format Empty component to new design layout and apply new change to applications view.
* Change shortcut to open `QuickInput`
* Force `TopBar` items to take full height
* Hide kubes and apps
* Show leaf cluster name when possible in Connections list
* Change placeholder text in `ClusterAdd`
* Autocomplete database names for tsh proxy db
* Don't close the tab on non-zero exit code
* Always use root cluster URI to obtain `documentsService` in `useServerConnect`
* Update connection icon
* Automatically try to connect a connection when possible
* Display cluster name for each connection
* Take `localClusterUri` into account in `QuickInput` (#679)
* make middle part of `TopBar` central
* always show active item in `QuickInputList`
* adjust `QuickInput` to match designs
* add simple empty state to pickers
* Launch unsupported invocations of tsh ssh in local shell
* Remove leftover cruft from quick pickers
* Simplify manual db join (#653)
* Refactor join tokens generation to use new endpoint (#672)
* Update teleterm styles (#674)
* Create DocumentTshNode after executing "tsh ssh" in command bar
* Include command to run in AutocompleteResult
* useQuickInput: Rename serviceQuickInput to quickInputService
* Fix opening new terminal when there's no active document
* Adjust how showing & hiding autocomplete works in command bar
* Append space after picking command suggestion
* Open command bar commands in new local shell
* Autocomplete ssh hostnames
* QuickInputService.getAutocomplete: Return no-match on empty suggestions
* Automatically append @ after ssh login suggestion
* Ignore case for autocomplete
* Autocomplete commands and ssh logins
* Remove old pickers, rename Item to Suggestion
* Remove code related to empty command bar item
* Show autocomplete suggestions in command bar
* Remove command palette commands from command launcher
* Reformat commandLauncher.ts
* Improve identity picker (#670)
* Add clusters picker (#668)
* Update e-ref for regression fixes (#665)
* Fix Table Regression Bugs (#642)
* Support the 'unknown' audit event
* Updates Alert to use break-word (#655)
* Add keyboard support to `Connections` popover (#651)
* changes hostname to be the hostname rather than the ip addr (#654)
* Simplify manual app joining process (#641)
* Add connections switcher (#647)
* smooth out progress bar (#648)
* Add cluster context switching (#624)
* added internal back in
* Add windows internal logins back in
* internal k8s users
* internal k8s groups add
* remove whitespace and changes
* grammer
* Set all protocols
* Update default roles template
* desktop playback error handling (#638)
* only synchronize clipboards if data was or is going to be sent (#640)
* Update FormLogin.tsx (#608)
* Disable autocomplete on the SSH login input (#605)
* Fix two 'unkown' mispellings in alerts
* Use generated join token to simplify manual resources join (#619)
* Maintain aspect ratio on Desktop Playback (#635)
* Edit api response for getXXX (resources) (#622)
* Fix clipboard sync (#628)
* added missing prop.
* lint.
* Add cluster name to `tsh login` for kube instructions (#632)
* Use prop drilling to get the isEnterprise flag down into the DownloadLinks components.
* Remove the context calls from DownloadLinks to make testing easier.
* Update command for generating gRPC files for Teleterm
* Add more tests to Teleterm (#601)
* add missing license.
* If running in enterprise version then provide the enterprise download links.
* desktop per session mfa (#613)
* Clipboard (#594)
* Add chrome as unsupported for U2F checks (#609)
* Update e-ref for fetch more btn move (#607)
* Move Fetch More Button In Table (#606)
* Fix date picker (#604)
* postgres function is not prepared statements, revert
* update postgres events, and 2 more mysql statements event
* Add desktop clipboard audit events
* switch recordings service endpoint back to clusterEventsRecordingsPath so that returned recordings respect rbac where clauses, and users won't try to playback desktop sessions they don't have permission to (#600)
* Add `VirtualScroll` component (#595)
* add UT and test out storybook
* Add the `cert.create` event (#584)
* Update teleterm proto files (#593)
* Allow the automatic toggle to be visible when adding new nodes in OSS version.
* add db_name
* add events
* modifyResponse: Add optional space before /> to regex (#591)
* Teleterm Preview (beta) (#590)
* moving progress bar (#577)
* Add session connect event (#583)
* Update e-ref for flaky test fix and DataTable import (#582)
* Remove DataTable v1 (#573)
* Add storybook, make TunnelPublicAddress prop optional
* Add public tunnel address
* desktop session recording (#572)
* Fix typo in makeCluster and add unit test (#578)
* Update e-ref for date-fns migration (#571)
* Replace momentjs with date-fns (#568)
* Fixed the lint warnings for unused variables in the desktop session story.
* List recordings (#558)
* Add x11 forward events (#561)
* Clean up custom cells in Tables (#550)
* Update e-ref for updated UsageSummary and RequestList (#551)
* Update MfaDeviceList to use TableV2 (#549)
* Update RecordingList to TableV2 (#546)
* Table V2 Tweaks (#544)
* Update SessionList to TableV2 (#545)
* Update ClusterList to TableV2 (#548)
* Update RoleList to TableV2 (#542)
* Update UserList to TableV2 (#543)
* Update EventList to TableV2 (#541)
* Disable drone for PR (#540)
* Add Postgres Audit Events (#512)
* Update AppList to use TableV2 (#535)
* Add the `access_request.delete` event (#532)
* Update DesktopList to use TableV2 (#537)
* Update KubeList to use TableV2 (#536)
* Update DatabaseList to TableV2 (#534)
* Update NodeList to use Table V2 (#525)
* Add Table V2 (#524)
* Update xterm to the latest (#511)
* Adds a TDP Error message (#527)
* Replace `waitForElement` and `wait` with `waitFor` in tests (#529)
* Add error message for failed SSO authorization (#530)
* Add pagination to SelectFilters component (#518)
* Address `eslint` warnings (#522)
* Restore Build pipeline in CI (#521)
* Remove unused code (#517)
* Revert "Remove old `PlayerNext` (#513)" (#515)
* Remove old `PlayerNext` (#513)
* Create url filter and query params hook (#465)
* FIx devServer csrf and berear token handling (#506)
* Move search bar into Table (#502)
* Update e-ref for Invite/Reset refactoring and YAML import fix (#503)
* Fix YAML template imports (#501)
* Refactor Invites/Reset Components (#496)
* move jest rules to test overrides (#498)
* Add Separate Recordings List Service (#491)
* GCB buildfile
* cleanup `webpack.base.js` (#476)
* CR
* Makes getDisplaySize its own function
* removing unecessary client from onInit
* mirroring backend variable name updates
* updates to use connection string params rather than json
* attempting to add login and screensize to websocket string but getting smartcard not enabled, going back to master for a sanity check
* Update build depedencies (#473)
* Update e-ref for invite/reset welcome card (#483)
* Add prompt prior to form for Invite and Reset (#479)
* Make language for empty resources list more accurate (#472)
* Fix Safari Favicon & Update Docker Node Version (#464)
* changes inaccurate desktopId to desktopName
* updated to use cleaner backend api
* adds useMemo for document.title
* consolidating username, desktopId, clusterId extraction
* mimics clusterId • username@hostname document title of console for desktop sessions
* Create a general multiselect filter component (#454)
* Bug fix: Show a authentication dialog for web terminal (#452)
* Add created date to recovery codes respones (#442)
* State UTC timezone for consistent dates in tests (#449)
* Add account dashboard support for SSO users (#445)
* Update e-ref for dashboard (#446)
* MFA Device Management Dashboard (#412)
* Add audit log support for privilege token event (#440)
* adds Firefox specific keycodes
* adds mouse wheel support
* add preventDefault to prevent default browser shortcuts from interfering with desktop sessions
* refinements while creating isaiah/features-test branch for enterprise repo
* adds a test to ensure that the client only emits a "connect" message on the first png frame
* emit connect event when the connection is actually confirmed
* adds back disconnected flag (now private)
* Revert "removing disconnected flag"
* adding desktops to the cluster list
* fixing cell naming and component usage
* adding name column
* Add webauthn options to forms (#423)
* changing ts to js to remove allow json from tsconfig to see if that fixes ci error
* Remove the OS column in the desktop list view
* updating test and snapshot
* changing the disconnected message
* configuring Audit logs to display desktop events
* removing disconnected flag
* redesign to remove focus variable
* refactored with styled components
* removing resize
* moving TdpClientCanvas to its own directory
* CR nits
* refining naming
* Change RenderData to ImageData
* adds test for decoding regions
* adds test for message decoding
* Adds Desktops (preview) to the Main.story
* fixing test.
* making chrome-windows keycodes the default
* changing desktopServers to desktops
* fixing tests
* adds ui labels
* removing unnecessary useCallback
* shorter topbar and domain changed to hostname
* pipes in the windows logins from the userACL and displays allowed logins (carbon copy of how we do it for ssh server access
* Adds (preview) to desktop features and adds acl check for desktops. Now needs to add logic for windows_desktop_logins
* dealing with ts version discrepancy
* removing saveMessages flag
* rename connection to connectionAttempt
* performance testing code for requestAnimationFrame-array
* Sets up the basics of a performance test in storybook
* adding flag for capturing arraybufs as they come in and printing them to the console on disconnect
* fixing storybook
* makes system work accross browsers by using onload function
* moves openNewTab into a utils file and uses it for Desktop
* adds storybook and fixes incorrect loading jsx logic
* big performance improvements by converting image array buffer to a base64 encoded string and strapping that as the source of an html image element
* Changing websocket type to arraybuffer and modifying codec to work with that
* ignoring unrecognized keys
* refactor
* extending protocol functionality to full mvp functionality
* finishing touches
* makes TdpClientCanvas its own file component with state hook
* refactored internal structure
* refactors client and DesktopSession to simplify state management
* Revert "Noticed that it was confusing the the tdpclient was now both an emitter, and could return a Promise on the initial connection. This redesign puts the Promise logic into useDesktopSession so that tdpclient remains exclusively an event emitter."
* Noticed that it was confusing the the tdpclient was now both an emitter, and could return a Promise on the initial connection. This redesign puts the Promise logic into useDesktopSession so that tdpclient remains exclusively an event emitter.
* makes tdpclient.connect a promise so that it can be passed into a Promise.all and state can be consolidated
* changing styling
* CR
* adds disconnected state, adds storyboard
* Updating comments
* switches jsx components to use useTheme hook instead of being a implicit styled-components theme consumers which is confusing
* gets the real user@Host and adds logic for tracking a meta state between rest api calls and websocket
* updating topbar, icons, adding action menu
* Moves TopBar into its own file, adds ActionMenu (needs to updated with appropriate in-menu behavior)
* adds clipboard sharing en/disabled text and icon
* replace direct call to socket.close() with a tdpclient.disconnect for easier mock-ing
* adds cleanup handling and fixes bugs
* converts client to be an emitter
* deleting vestigial cruft
* move connection string wrangling to hook
* renamings and minor fixes
* First draft of a system which can pop up a new desktop session and render desktop screen to canvas
* Moves getHostName into api service for use elsewhere in the code
* Opens a new window when a desktop is selected (currently displays an empty Console component)
* nit
* removing status light
* CR
* nits
* cleaning up rdp port from domain addr
* Adds the basic design for the table
* Adding Desktop and Circle icons
* displays desktop data in table
* Strips Desktops of some database cruft that I'm not focusing on for now and creates a desktops service which successfully retrieves desktop objects from the backend
* renaming DatabaseList to DesktopList
* renaming Databases.tsx to Desktops
* copying Databases into a new Desktops dir and adding it as an option in the sidebar, and renaming useDatabases to useDesktops
* small fixes from final CR
* cosmetic changes + updating based on updated rfd0037
* renaming to "tdp"
* adds the nodejs TextEncoder to the window
* updating to use browser TextEncoder api. Unfortunately its another one jsdom hasn't caught up to yet
* adding codec and encoding tests
* Add webauthn support to web terminal mfa prompt (#421)
* Add webauthn methods to auth service (#418)
* Remove depracated endpoints (#417)
* Add Array Buffer and Base64URL converter (#415)
* Add database created/updated/deleted events (#413)
* Move FormLogin and FormInvite from shared to teleport (#411)
* Delete Gravity (#410)
* Update e-ref (#408)
* Add support for SessionProcessExit event (#407)
* Yarn workspace fails to add local package as dependency (#405)
* Add Account Recovery Flows (#398)
* Fix table pager clipping (#390)
* Update e-ref for access requests table fix (#392)
* Add support for unicode passwords (#389)
* Add watcher that logs user out when reaching max idle timeout (#378)
* Add lock events to audit log (#377)
* Update Github YAML (#365)
* Temp fix for empty paginate result in session recording list (#368)
* [forward-port] AWS Console Access Tweaks (#366)
* Fix overflowing text with long cluster name in tc list view (#361)
* update e-ref (#360)
* Convert applications tiles view to table view (#340) (#359)
* Update e-ref: Access request bug fix and design update (#355)
* MongoDB and MySQL GCP support (#350)
* Use filter `session.end` to retrieve events for session recording screen (#339)
* Allow webapps to build without e (#352)
* Update trusted_cluster_enterprise.yaml
* Revert events list sorting back to original (latest to oldest) (#341)
* Add pagination to Audit Log screen (#329)
* Update drone signature for drone.teleport.dev (#334)
* Empty States (#333)
* Refactor services get link return value (#331)
* Refactor default dropdown selector CSS (#317)
* Add more icons to design package (#327)
* Update e-ref for changes in switchback banner (#324)
* Add kube and db to our cluster list action menu (#323)
* :memo: Update e-ref for webapps.e database
* Created database access screen (#303)
* Update e-ref on adding Kube feature (#318)
* Create Kubernetes access screen (#304)
* Language/wording fixes with our editor (#313)
* Fix manual tsh login commands for apps and nodes (#311)
* Set default empty object on regular renew token request (#314)
* Filter out session end events with "session_recording" set to off (#306)
* Use dedicated API for app FQDN resolving (#284)
* Update e-ref on billing chart ytick formatting fix (#290)
* :bug: Fix not being able to filter nodes by searching exact label
* Updated empty node name to N/A and changed the placeholder text (#246, #276) (#278)
* Update renew session response and renew URL (#261)
* Type and style tweaks and add unix display date (#257)
* Correct misspelling in kubernetes comment for role (#263)
* Remove duplicate `deny` section in Role template (#260)
* Update e-ref: Remove verb update check for access request reviews (#258)
* Update README.md
* mfa related fixes (#251)
* Add more fields to user context (#216)
* terminal: check whether the browser supports U2F (#249)
* ssh: handle U2F challenge in web terminal (#248)
* Update link to github discussion and feedback email (#239)
* Add billing events for audit logs (#245)
* Convert datetimes returned by day-picker lib to begin at start and end of day (#244)
* Support multiple MFA methods on login (#241)
* Add Billing Feature (#238)
* Increase token renewal threshold to 3 min (#242)
* Update README.md
* mfa: support multiple U2F devices on login (#236)
* Handle new MFA audit events
* Implement OAuth-style state token for AAP auth flow
* Disable use of web workers in ace editor (#232)
* Fix bug and consistent error banner placement (#233)
* Fix error handling on the Delete Role Dialog (#231)
* Open source and refactor resources (#222)
* Refactor error handling for auth cn (#226)
* Add app URI validation regexp to match backend logic (#227)
* Tiny grammar fix (#223)
* Check for browser u2f support and display user-friendly err msg (#218)
* Update README.md
* Update README.md
* Update README.md
* Populate "Node" name in k8s session recordings (#214)
* Update e-ref (#213)
* Replace app name check with regex that conform to rfc 1035 (#210)
* Refactor and update user context object (#211)
* Add database access audit events
* Set default role to 'admin' vs 'admins' (#208)
* Grab auth type from config for manual step flag --auth (#201)
* Rename Blog (#202)
* Update links to https://goteleport.com (#200)
* Fix manual steps and remove share session dialog (#199)
* Disable AddServer and AddApp buttons on leaf clusters (#198)
* Fix some regression bugs (#197)
* Fix instructions for Manual steps (#196)
* Minor improvements to dialogs (#195)
* Add ShareSession dialog and share button to DocumentSsh (#193)
* Safari fixes (#192)
* Add KUBE_REQUEST event and improve existing k8s events (#190)
* Lisa/manual testing bugs (#189)
* TextSelectCopy appends $ to text when bash flag is true (#188)
* Teleport V5 (#185)
* [teleport] Implement account access check and waiting room (#178)
* Fix case sensitive testing for sso providers (#174)
* [teleport] Add session.reject, trusted_cluster.create/delete events (#172)
* [teleport] Handle null value response when retrieving audit logs (#166)
* Remove gh from web-apps Docker image (#154)
* [teleport] Remove url, proxy version, node count from clusters list (#152)
* Update gh version to latest
* [teleport] Remove checking for error keywords for websocket close event (#147)
* Install gh in Dockerfile
* Tidy up
* Tidy up
* Remove update-teleport-repo
* Change update-teleport-repo job to raise a PR rather than instantly committing
* Raise a PR rather than pushing to Teleport
* [teleport] Set server/cluster ID for new session requests (#140)
* [teleport] Fix flex issue with terminal ActionBar (#141)
* Check out submodules
* Check out submodules
* Change directory
* Split up steps and add dockersock
* Install make
* Sign file
* Add initial .drone.yml
* [teleport] Work around for server sending close events for shell exit errors(#127)
* [teleport] Drop UTM link prefixes (#128)
* Add boaders and onhover styles to table rows (#126)
* [teleport] Fix grammar for non/interactive session event log (#124)
* [teleport] Various fixes (#123)
* Typescript conversion mostly in shared package (#120)
* Fix a bug with 0 nodes in the cluster list
* Add Open Terminal Button to the Cluster List (#121)
* Bring back QuickLaunch (#118)
* Better audit events description (#117)
* [teleport] Set user permission for viewing audit logs (#116)
* [design] Remove uppercasing of login names (#115)
* Update icomoon library with new icons (#114)
* Touchups round 2 (#113)
* Grammatical fix (#112)
* [Teleport] Remove sessions view from Audit Log (#109)
* [Teleport] Use native URLSearchParams to handle escape symbols in URL params (#107)
* [Teleport] Account for empty hostname and server addrs in Session (#106)
* Allow dashes for login name in QuickLauncher (#108)
* [Teleport] Replace session button with quicklauncher in Node (#105)
* [Teleport] Fix assortment of user issues (#103)
* Update e-ref (#104)
* [Teleport] Tweak styling for topbar auto scrollX and text alignment (#102)
* Replace cluster view button and open terminal related actions in new tabs (#101)
* Check for expired session before resources unload (redirect) (#100)
* Fix session scroller (#99)
* Replace "entity" with "name" in Audit Events
* Delete un-used files
* Alexey/updateddesign (#98)
* Update xterm to 2.8.1 (#95)
* Filter non interactive sessions out (#94)
* Address code review
* Change action btn, rename title, refactor fetchSession
* Add back clusterId for makeSessions, refactor fetchSession
* Clean up active sessions list
* update e-ref
* Bump jquery from 3.4.1 to 3.5.0 in /packages/gravity (#89)
* [Teleport] Allow switching tabs with hotkeys (#81)
* update e-ref (#82)
* [Teleport] Create Support component, story, and snpashot test (#78)
* Fix U2F login error messages (#76)
* Display nodes hostname instead of its ID under session audit log (#75)
* Display hostname and addr in active sessions list (#74)
* README file updates
* Fixed broken docker build
* Cleanup
* Type SessionList
* Use local tsc intance when building force project
* Fix eslint warning messages
* Add proto files to force MVP
* use custom scrollbars styles on macs
* Address url-loader breaking changes
* Fix OSS redirects (#72)
* Auto close active terminal tab on terminal.close event (#73)
* update e-ref (#71)
* Fix url-loader and file-loader (#70)
* Fix build pipeline (#66)
* Display cluster info when user clicks btn using user context (#63)
* Simplify and clean up Makefile (#62)
* use UTC in unit-tests (#58)
* Fix broken tests (#59)
* Automated builds (#53)
* Receive auth version for Cluster interface (#54)
* update e-ref (#57)
* fix: vscode does not resolve aliases in the new files
* Fix peer dep. warnings (#56)
* Cleanup
* cleanup
* dist files + updated e-ref
* Update e-ref
* JS to TS migration (#55)
* [teleport] Receive and display nodeCount and publicURL in cluster table (#52)
* Remove unused imports from makeEvent.ts
* Typescript migration (#51)
* [Teleport] Prompt user with a confirmation window for session tabs (#49)
* Refactor tabs creation to a separate hook and add unit-tests (#50)
* Do not rerender in-active document (#47)
* regenerate dist files
* New Terminal (#46)
* Unit test rest of Dialog*.jsx and TopNav*.jsx (#45)
* Read localAuthEnabled config from backend (#44)
* Unit Test Popover (#43)
* Unit test teleport/Login (#40) closes #39
* Test rendering of SideNav, SideNavItem, SideNavItemIcon (#41)
* Unit test featureBase (#38)
* Unit test useStore (#37)
* Unit test FormPassword (#36)
* Unit test FormLogin (#35)
* Unit test FieldSelect (#34)
* Test useRule unsubscribe behavior and some cleanup (#33)
* Unit test FieldInput (#32)
* Unit test useRule custom hook from Validation (#31)
* Prettify package design (#25)
* Unit test rules.js and Validation provider context (#30)
* Prettify package shared (#27)
* Prettify root config files for *.{js,json} (#29)
* Update README.md
* Unit Test ButtonSso and Validator Class (#24)
* Unit Test shared/ActionMenu (#23)
* Update dist files
* Fix modal test failing and include code coverage scripts (#22)
* Unit test design pkg (#18)
* Update E reference and port Gravity changes (#17)
* Add unit-test for Portal component (#16)
* Unit test LabelInput and LabelState (#15)
* Unit Test Design/Package/* [Part 3] (#14)
* Unit test all components inside Table.jsx (#13)
* Add vscode config file
* Add ResetPassword and Invite (#12)
* Unit Test Design/Packges [Part 2] (#11)
* Unit test Design/Alert, Button, ButtonIcon [Part 1] (#10)
* Snapshot Test package/gravity/login Story (#9)
* Finish converting package/design stories to CSF [Part 3] (#8)
* Disable eBPF stories (#7)
* Convert Card*, DataTable, Dialog*, Flex stories to CSF [Part 2] (#6)
* Update README and convert Alert, Button to CSF (#5)
* Upgrade storybook and convert a few stories to CSF
* Disable github hooks
* Docker should work when submodules are missing
* Rename e submodule to webapps.e
* Fix storybook sorting
* Add Force Web UI package
* Add initial BPF viewer implementation
* Add typescript support and update npm depenencies
* Update README.md (#2)
* Fix user invite
* Fix typos
* Add a better comment
* Do not delete dist folders on make clean
* Update packages/build README file.
* Update e-ref
* Allow custom webpack config in dev builds
* Refactor dev server code
* Change default datetime format
* Fix type on design stories
* Update e-ref
* Docs (#1)
* Exclude all dist folders
* Update e-ref
* dist files
* Update e-ref
* Add E reference
* Move code to this repo
* Initial commit
* Tue Jan 31 2023 kastl@b1-systems.de
- Update to version 11.3.1:
* Release 11.3.1 (#20864)
* Add tsh proxy types aws,db,ssh to CLI ref (#20547)
* Fixed issue where container image tag and push step would fail due to missing `docker pull` `--platform` argument (#20859)
* Tue Jan 31 2023 kastl@b1-systems.de
- Update to version 11.3.0:
* Release 11.3.0 (#20841)
* InstallNode Script: use correct version (oss vs ent) (#20816)
* WebAPI/CreateDB: improve error message when DB already exists (#20755)
* [auto] Update webassets in teleport/branch/v11 from webassets/teleport-v11 (#20803)
* [v11] Add support for Moderated Sessions in the Web UI (#19647)
* Fix key attestation error on `tsh login` (#20712)
* [auto] Update webassets in teleport/branch/v11 from webassets/teleport-v11 (#20790)
* Renew Kubernetes cluster credentials until the cluster is removed from inventory (#20788)
* [v11] update e and webassets to latest v11 (#20780)
* [v11] feat: evaluate login rules for OIDC and SAML users (#20738)
* Pass parent context to `prompt.Confirmation()` in `identityfile`. (#20685) (#20773)
* [v11] feat: evaluate login rules for GitHub users (#20737)
* fix(azure): verify if system identity is set (#20483)
* Add test that verifies connectivity when Auth is down (#20450) (#20683)
* [v11] Reject access requests with invalid cluster names (#20674)
* [v11] Convert rhel `VERSION_ID`s to only include the major version (#20604)
* Fix two issues with Oracle MySQL client on Windows. (#20599)
* [v11] feat: add login rule audit event types
* [v11] feat: add RW verbs for login rules to preset editor role
* [v11] ci: Use large macOS runner for build-macos workflow (#20718)
* [v11] Disconnect moderated session on Ctrl+C (#20588)
* Alert ack API + CLI implementation (#20692)
* Enforce using github.com/google/uuid (#20633) (#20681)
* Update ssh-approval-email.mdx (#20701)
* [v11] Move connection metrics to `proxy.Router` (#20688)
* [auto] Update webassets in teleport/branch/v11 from webassets/teleport-v11 (#20625)
* [v11] (buddy) helm: Add nodeSelector field (#20441)
* [v11] helm: have proxy reload certificates daily (#20503)
* helm: addPodMonitor support (#20564)
* [v11] Fix typo in install-node script's usage message (#20668)
* Show `client_idle_timeout_message` for windows access (#20617)
* [v11] feat: add login rule evaluator to auth.Server (#20629)
* Document Machine ID and CircleCI joining (#20545)
* Docs. Direct invite link via docs (#20548)
* helm: support passing raw config in `teleport-kube-agent` (#20129) (#20449)
* [v11] Docker install doc updates (#20578)
* Update FedRAMP link (#20464)
* Docs version update (#20612)
* Fix: change var to inner scope's Testing t (#20595)
* fix `tctl auth sign --format kubernetes` when using remote auth server (#20497) (#20571)
* Increase `ReadDeadline` to accommodate slow clients (#20517)
* Tue Jan 24 2023 kastl@b1-systems.de
- Update to version 11.2.3:
* Release 11.2.3 (#20570)
* [11] Add metric for incomplete file uploads (#19724) (#20492)
* Fix kube access proxy peering compatibility (#20561) (#20566)
* docs: update trusted clusters page (#20159)
* Backport GHA workflows (#20507)
* [v11] Respect --auth and --mfa-mode before defaulting to passwordless (#20474)
* expand for CNAME records (#20445)
* [v11] feat: login rule tctl CRUD commands (#20236)
* sort database guides (#20501)
* Remove unmaintained AWS Cloudformation example (#20459)
* [v11] Support multiple transformations in role templates (#20296)
* Bump webassets. (#20422)
* [v11] Add initial instructions for cluster role map updating (#20480)
* Fix "tsh db connect" with "mariadb" when proxy is in seperate port mode (#20409)
* Don't prematurely close context in app service. (#20437)
* Integ tests: Use address of web UI as Proxy.PublicAddrs (#20470)
* spell fixes (#20457)
* update style guide relating to focus and content duplication (#20292)
* [v11] helm: support dnsConfig in `teleport-kube-agent` chart (#20107)
* Update Cloud architecture with DDoS security (#19429)
* [v11] Fix "*":"*" matching in EC2 auto discovery (#20390)
* adding video banner to documentation (#20354)
* [v11] Allow updating of trusted cluster role maps (#20286)
* Skip unparsable events when decoding searchevents results (#20329)
* Bump `gravitational/trace` to `v1.2.1` (#20349)
* Fri Jan 20 2023 kastl@b1-systems.de
- Update to version 11.2.2:
* Release 11.2.2 (#20363)
* [auto] Update webassets in teleport/branch/v11 from webassets/teleport-v11 (#20375)
* Remove invalid commands on login with ssh port (#20364)
* spell fixes (#20279)
* [v11] Add Connect docs about linking tsh (#20029)
* Validate AWS regions when configuring the AWSMatcher (#20288)
* Add redirects to the new Audit Events section (#19553) (#19968)
* [v11] Point at source version in docs rather then generic master. (#20303)
* [v11] [Docs] Use gravitational.com to download checksums. (#20282)
* Added binary signing for darwin tarballs - branch/v11 backport (#20305)
* [v11] Machine ID and GitHub Actions docs copy improvements (#20291)
* Add mysql conn tester (#20177) (#20230)
* fix: Always dial to root cluster for single-use certificates (#20238)
* [v11] Set extra proxy headers in all `tsh` HTTP requests (#20071)
* [v11] Updates to cloud getting started (#20256)
* Update Rust to 1.66.1 (#20201)
* Bump Buf to v1.12.0 (#20194)
* [v11] Stop heartbeating during graceful shutdown (#20225)
* [v11] docs: add overview of session recording (#19934)
* [v11] Use pre-generated RSA keys in tests (#19448)
* [v11] Document GitHub Actions and Kubernetes (#20179)
* fixes ldap filter example (#20223)
* [v11] Update Linux install package link for Cloud (#20210)
* Grant the built-in kube role semaphore permissions (#20174)
* Adds a post-delete hook to delete the `kube-agent` state secrets (#20169)
* Stablize RemoteConnCleanup (#20048) (#20086)
* [v11] Change the application access authentication flow (#20165)
* Bump cloud version to 11.2.1 (#20157)
* [v11] capture additional prehog events (#20114)
* Ensure Proxy uses cache for periodic operations (#20153)
* Add kube and windows_desktop tctl tokens add handling (#20139)
* Added 01/12 Upcoming Releases Update (#20137)
* [v11] feat: add login rule service proto definition (#20112)
* [v11] Trim error messages on UserLogin events (#20125)
* [v11] Fix `certificate signed by unknown authority` after reconciling a dynamic RDS resource (#20099)
* Update to 11.2.1 for docs (#20117)
* Fix CertificateInvalidError in formatCertError (#20052)
* Thu Jan 12 2023 kastl@b1-systems.de
- Update to version 11.2.1:
* Release 11.2.1 (#20113)
* [auto] Update webassets in teleport/branch/v11 from webassets/teleport-v11 (#20102)
* [v11] chore: Bump Go to 1.19.5 (#20084)
* [v11] Minor docs fixes (#20006)
* Update config example to turn off ssh, proxy, auth and use teleport start example (#20076)
* revert plugin version (#20093)
* Update webassets in preparation for 11.2.1 release (#20074)
* Fix RFD link in the Directory Sharing guide (#20062)
* [v11] Periodically reload proxy certificates (#20040)
* Remove RW on `license` and `download` from preset editor role (#19997) (#20033)
* Unbundle TestAppInvalidateAppSessionsOnLogout (#20037)
* Change "name" to "sAMAccountName" (#20022)
* Fix bot IAM joining (#20011)
* docs: update version to 11.2.0 (#19971)
* Fix Machine ID Certificate TTL on IAM join (#20001)
* [v11] Make Connect's --insecure flag easier to find in docs (#19991)
* Use one Buf workspace instead of three (#19774) (#19990)
* Sat Jan 07 2023 kastl@b1-systems.de
- Update to version 11.2.0:
* Other improvements and bugfixes
- Added an improved database joining flow in the web UI #1487
- Added support for secure certificate mapping for Windows desktop certificates #19737
- Fixed an issue with desktop directory sharing where large files could be corrupted #1472
- Fixed an issue where Desktop Access users may see a an error after ending a session #1470
- Fixed an issue preventing database agents from joining due to improperly formatted YAML #19958
- Updated the web UI to use session storage instead of local storage for Teleport's bearer token #1470
- Added rate limiting to SAML/OIDC routes #19950
- Fixed an issue connecting to leaf cluster desktops via reverse tunnel #19945
- Fixed a backwards compability issue with Database Access in 11.1.4 #19940
- Fixed an issue where access requests for Kubernetes clusters used improperly cached credentials #19912
- Added support for CentOS 7 in ARM64 builds #19895
- Added rate limiting to unauthenticated routes #19869
- Add suggested reviewers and requestable roles to Teleport Connect access requests #19846
- Fixed an issue listing all nodes with tsh #19821
- Made gcp.credentialSecretName optional in the Teleport Cluster Helm chart #19803
- Fixed an issue preventing audit events that exceed the maximum size limit from being logged #19736
- Fixed an issue preventing some users from being able to play desktop recordings #19709
- Added validation of AWS Account IDs when adding databases (#19638) #19702
- Added a new audit event for DynamoDB requests via Application Access #19667
- Added the ability to export tsh traces even when the Auth Server is not configured for tracing #19583
- Added support for linking Teleport Connect's embedded tsh binary for use outside of Teleport Connect #1488
/usr/share/bash-completion/completions/teleport
Generated by rpm2html 1.8.1
Fabrice Bellet, Tue Apr 21 22:23:10 2026