Release 16.2.0 (#45883)

CHANGELOG.md

@@ -1,5 +1,48 @@
 # Changelog
 
+## 16.2.0 (08/26/24)
+
+### NLA Support
+
+Teleport now supports Network Level Authentication (NLA) when connecting to
+Windows hosts that are part of an Active Directory domain, eliminating the need
+for administrators to disable NLA when setting up Teleport.
+
+### DocumentDB IAM authentication support
+
+Teleport now supports authenticating to DocumentDB with IAM users and roles
+[recently released](https://aws.amazon.com/about-aws/whats-new/2024/06/amazon-documentdb-iam-database-authentication/)
+by AWS.
+
+### Join Tokens in the Web UI
+
+Teleport now allows users to manage join tokens in the web UI as an alternative
+to the tctl tokens commands.
+
+### Database Access Controls in Access Graph
+
+Database Access users are now able to see database objects and their access
+paths in Access Graph.
+
+### Logrotate support
+
+Teleport now integrates with logrotate by automatically reopening log files when
+detecting that they were renamed.
+
+### Other improvements and fixes
+
+* Failure to share a local directory in a Windows desktop session is no longer considered a fatal error. [#45852](https://github.com/gravitational/teleport/pull/45852)
+* Add `teleport.dev/project-id` label for auto-enrolled instances in GCP. [#45820](https://github.com/gravitational/teleport/pull/45820)
+* Fix an issue that prevented the creation of AWS App Access for an Integration that used digits only (eg, AWS Account ID). [#45819](https://github.com/gravitational/teleport/pull/45819)
+* Slack plugin now lists logins permitted by requested roles. [#45759](https://github.com/gravitational/teleport/pull/45759)
+* For new EKS Cluster auto-enroll configurations, the temporary Access Entry is tagged with `teleport.dev/` namespaced tags. For existing set ups, please add the `eks:TagResource` action to the Integration IAM Role to get the same behavior. [#45725](https://github.com/gravitational/teleport/pull/45725)
+* Added support for importing S3 Bucket Tags into Teleport Policy's Access Graph. For existing configurations, ensure that the `s3:GetBucketTagging` permission is manually included in the Teleport Access Graph integration role. [#45551](https://github.com/gravitational/teleport/pull/45551)
+* Add a `tctl terraform env` command to simplify running the Teleport Terraform provider locally. [#44690](https://github.com/gravitational/teleport/pull/44690)
+* Add native MachineID support to the Terraform provider. Environments with delegated joining methods such as GitHub Actions, GitLab CI, CircleCI, GCP, or AWS can run the Terraform provider without having to setup `tbot`. [#44690](https://github.com/gravitational/teleport/pull/44690)
+* The Terraform Provider now sequentially tries every credential source and provide more actionable error messages if it cannot connect. [#44690](https://github.com/gravitational/teleport/pull/44690)
+* When the Terraform provider finds expired credentials it will now fail fast with a clear error instead of hanging for 30 seconds and sending potentially misleading error about certificates being untrusted. [#44690](https://github.com/gravitational/teleport/pull/44690)
+* Fix a bug that caused some enterprise clusters to incorrectly display a message that the cluster had a monthly allocation of 0 access requests. [#4923](https://github.com/gravitational/teleport.e/pull/4923)
+
 ## 16.1.8 (08/23/24)
 
 ### Security fix

Makefile

@@ -11,7 +11,7 @@
 #   Stable releases:   "1.0.0"
 #   Pre-releases:      "1.0.0-alpha.1", "1.0.0-beta.2", "1.0.0-rc.3"
 #   Master/dev branch: "1.0.0-dev"
-VERSION=16.1.8
+VERSION=16.2.0
 
 DOCKER_IMAGE ?= teleport
 

build.assets/macos/tsh/tsh.app/Contents/Info.plist

@@ -19,13 +19,13 @@
 		<key>CFBundlePackageType</key>
 		<string>APPL</string>
 		<key>CFBundleShortVersionString</key>
-		<string>16.1.8</string>
+		<string>16.2.0</string>
 		<key>CFBundleSupportedPlatforms</key>
 		<array>
 			<string>MacOSX</string>
 		</array>
 		<key>CFBundleVersion</key>
-		<string>16.1.8</string>
+		<string>16.2.0</string>
 		<key>DTCompiler</key>
 		<string>com.apple.compilers.llvm.clang.1_0</string>
 		<key>DTPlatformBuild</key>

build.assets/macos/tshdev/tsh.app/Contents/Info.plist

@@ -17,13 +17,13 @@
 		<key>CFBundlePackageType</key>
 		<string>APPL</string>
 		<key>CFBundleShortVersionString</key>
-		<string>16.1.8</string>
+		<string>16.2.0</string>
 		<key>CFBundleSupportedPlatforms</key>
 		<array>
 			<string>MacOSX</string>
 		</array>
 		<key>CFBundleVersion</key>
-		<string>16.1.8</string>
+		<string>16.2.0</string>
 		<key>DTCompiler</key>
 		<string>com.apple.compilers.llvm.clang.1_0</string>
 		<key>DTPlatformBuild</key>

examples/chart/access/discord/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "16.1.8"
+.version: &version "16.2.0"
 
 apiVersion: v2
 name: teleport-plugin-discord

examples/chart/access/discord/tests/__snapshot__/configmap_test.yaml.snap

@@ -24,6 +24,6 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-discord
-        app.kubernetes.io/version: 16.1.8
-        helm.sh/chart: teleport-plugin-discord-16.1.8
+        app.kubernetes.io/version: 16.2.0
+        helm.sh/chart: teleport-plugin-discord-16.2.0
       name: RELEASE-NAME-teleport-plugin-discord

examples/chart/access/discord/tests/__snapshot__/deployment_test.yaml.snap

@@ -7,8 +7,8 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-discord
-        app.kubernetes.io/version: 16.1.8
-        helm.sh/chart: teleport-plugin-discord-16.1.8
+        app.kubernetes.io/version: 16.2.0
+        helm.sh/chart: teleport-plugin-discord-16.2.0
       name: RELEASE-NAME-teleport-plugin-discord
     spec:
       replicas: 1
@@ -22,8 +22,8 @@ should match the snapshot:
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-discord
-            app.kubernetes.io/version: 16.1.8
-            helm.sh/chart: teleport-plugin-discord-16.1.8
+            app.kubernetes.io/version: 16.2.0
+            helm.sh/chart: teleport-plugin-discord-16.2.0
         spec:
           containers:
           - command:

examples/chart/access/email/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "16.1.8"
+.version: &version "16.2.0"
 
 apiVersion: v2
 name: teleport-plugin-email

examples/chart/access/email/tests/__snapshot__/configmap_test.yaml.snap

@@ -26,8 +26,8 @@ should match the snapshot (mailgun on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.1.8
-        helm.sh/chart: teleport-plugin-email-16.1.8
+        app.kubernetes.io/version: 16.2.0
+        helm.sh/chart: teleport-plugin-email-16.2.0
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on):
   1: |
@@ -59,8 +59,8 @@ should match the snapshot (smtp on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.1.8
-        helm.sh/chart: teleport-plugin-email-16.1.8
+        app.kubernetes.io/version: 16.2.0
+        helm.sh/chart: teleport-plugin-email-16.2.0
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, no starttls):
   1: |
@@ -92,8 +92,8 @@ should match the snapshot (smtp on, no starttls):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.1.8
-        helm.sh/chart: teleport-plugin-email-16.1.8
+        app.kubernetes.io/version: 16.2.0
+        helm.sh/chart: teleport-plugin-email-16.2.0
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, password file):
   1: |
@@ -125,8 +125,8 @@ should match the snapshot (smtp on, password file):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.1.8
-        helm.sh/chart: teleport-plugin-email-16.1.8
+        app.kubernetes.io/version: 16.2.0
+        helm.sh/chart: teleport-plugin-email-16.2.0
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, roleToRecipients set):
   1: |
@@ -161,8 +161,8 @@ should match the snapshot (smtp on, roleToRecipients set):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.1.8
-        helm.sh/chart: teleport-plugin-email-16.1.8
+        app.kubernetes.io/version: 16.2.0
+        helm.sh/chart: teleport-plugin-email-16.2.0
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, starttls disabled):
   1: |
@@ -194,6 +194,6 @@ should match the snapshot (smtp on, starttls disabled):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.1.8
-        helm.sh/chart: teleport-plugin-email-16.1.8
+        app.kubernetes.io/version: 16.2.0
+        helm.sh/chart: teleport-plugin-email-16.2.0
       name: RELEASE-NAME-teleport-plugin-email

examples/chart/access/email/tests/__snapshot__/deployment_test.yaml.snap

@@ -7,8 +7,8 @@ should be possible to override volume name (smtp on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.1.8
-        helm.sh/chart: teleport-plugin-email-16.1.8
+        app.kubernetes.io/version: 16.2.0
+        helm.sh/chart: teleport-plugin-email-16.2.0
       name: RELEASE-NAME-teleport-plugin-email
     spec:
       replicas: 1
@@ -22,8 +22,8 @@ should be possible to override volume name (smtp on):
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-email
-            app.kubernetes.io/version: 16.1.8
-            helm.sh/chart: teleport-plugin-email-16.1.8
+            app.kubernetes.io/version: 16.2.0
+            helm.sh/chart: teleport-plugin-email-16.2.0
         spec:
           containers:
           - command:
@@ -34,7 +34,7 @@ should be possible to override volume name (smtp on):
             env:
             - name: TELEPORT_PLUGIN_FAIL_FAST
               value: "true"
-            image: public.ecr.aws/gravitational/teleport-plugin-email:16.1.8
+            image: public.ecr.aws/gravitational/teleport-plugin-email:16.2.0
             imagePullPolicy: IfNotPresent
             name: teleport-plugin-email
             ports:
@@ -75,8 +75,8 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.1.8
-        helm.sh/chart: teleport-plugin-email-16.1.8
+        app.kubernetes.io/version: 16.2.0
+        helm.sh/chart: teleport-plugin-email-16.2.0
       name: RELEASE-NAME-teleport-plugin-email
     spec:
       replicas: 1
@@ -90,8 +90,8 @@ should match the snapshot:
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-email
-            app.kubernetes.io/version: 16.1.8
-            helm.sh/chart: teleport-plugin-email-16.1.8
+            app.kubernetes.io/version: 16.2.0
+            helm.sh/chart: teleport-plugin-email-16.2.0
         spec:
           containers:
           - command:
@@ -136,8 +136,8 @@ should match the snapshot (mailgun on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.1.8
-        helm.sh/chart: teleport-plugin-email-16.1.8
+        app.kubernetes.io/version: 16.2.0
+        helm.sh/chart: teleport-plugin-email-16.2.0
       name: RELEASE-NAME-teleport-plugin-email
     spec:
       replicas: 1
@@ -151,8 +151,8 @@ should match the snapshot (mailgun on):
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-email
-            app.kubernetes.io/version: 16.1.8
-            helm.sh/chart: teleport-plugin-email-16.1.8
+            app.kubernetes.io/version: 16.2.0
+            helm.sh/chart: teleport-plugin-email-16.2.0
         spec:
           containers:
           - command:
@@ -163,7 +163,7 @@ should match the snapshot (mailgun on):
             env:
             - name: TELEPORT_PLUGIN_FAIL_FAST
               value: "true"
-            image: public.ecr.aws/gravitational/teleport-plugin-email:16.1.8
+            image: public.ecr.aws/gravitational/teleport-plugin-email:16.2.0
             imagePullPolicy: IfNotPresent
             name: teleport-plugin-email
             ports:
@@ -204,8 +204,8 @@ should match the snapshot (smtp on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.1.8
-        helm.sh/chart: teleport-plugin-email-16.1.8
+        app.kubernetes.io/version: 16.2.0
+        helm.sh/chart: teleport-plugin-email-16.2.0
       name: RELEASE-NAME-teleport-plugin-email
     spec:
       replicas: 1
@@ -219,8 +219,8 @@ should match the snapshot (smtp on):
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-email
-            app.kubernetes.io/version: 16.1.8
-            helm.sh/chart: teleport-plugin-email-16.1.8
+            app.kubernetes.io/version: 16.2.0
+            helm.sh/chart: teleport-plugin-email-16.2.0
         spec:
           containers:
           - command:
@@ -231,7 +231,7 @@ should match the snapshot (smtp on):
             env:
             - name: TELEPORT_PLUGIN_FAIL_FAST
               value: "true"
-            image: public.ecr.aws/gravitational/teleport-plugin-email:16.1.8
+            image: public.ecr.aws/gravitational/teleport-plugin-email:16.2.0
             imagePullPolicy: IfNotPresent
             name: teleport-plugin-email
             ports:
@@ -272,8 +272,8 @@ should mount external secret (mailgun on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.1.8
-        helm.sh/chart: teleport-plugin-email-16.1.8
+        app.kubernetes.io/version: 16.2.0
+        helm.sh/chart: teleport-plugin-email-16.2.0
       name: RELEASE-NAME-teleport-plugin-email
     spec:
       replicas: 1
@@ -287,8 +287,8 @@ should mount external secret (mailgun on):
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-email
-            app.kubernetes.io/version: 16.1.8
-            helm.sh/chart: teleport-plugin-email-16.1.8
+            app.kubernetes.io/version: 16.2.0
+            helm.sh/chart: teleport-plugin-email-16.2.0
         spec:
           containers:
           - command:
@@ -299,7 +299,7 @@ should mount external secret (mailgun on):
             env:
             - name: TELEPORT_PLUGIN_FAIL_FAST
               value: "true"
-            image: public.ecr.aws/gravitational/teleport-plugin-email:16.1.8
+            image: public.ecr.aws/gravitational/teleport-plugin-email:16.2.0
             imagePullPolicy: IfNotPresent
             name: teleport-plugin-email
             ports:
@@ -340,8 +340,8 @@ should mount external secret (smtp on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.1.8
-        helm.sh/chart: teleport-plugin-email-16.1.8
+        app.kubernetes.io/version: 16.2.0
+        helm.sh/chart: teleport-plugin-email-16.2.0
       name: RELEASE-NAME-teleport-plugin-email
     spec:
       replicas: 1
@@ -355,8 +355,8 @@ should mount external secret (smtp on):
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-email
-            app.kubernetes.io/version: 16.1.8
-            helm.sh/chart: teleport-plugin-email-16.1.8
+            app.kubernetes.io/version: 16.2.0
+            helm.sh/chart: teleport-plugin-email-16.2.0
         spec:
           containers:
           - command:
@@ -367,7 +367,7 @@ should mount external secret (smtp on):
             env:
             - name: TELEPORT_PLUGIN_FAIL_FAST
               value: "true"
-            image: public.ecr.aws/gravitational/teleport-plugin-email:16.1.8
+            image: public.ecr.aws/gravitational/teleport-plugin-email:16.2.0
             imagePullPolicy: IfNotPresent
             name: teleport-plugin-email
             ports:

examples/chart/access/jira/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "16.1.8"
+.version: &version "16.2.0"
 
 apiVersion: v2
 name: teleport-plugin-jira

examples/chart/access/jira/tests/__snapshot__/configmap_test.yaml.snap

@@ -32,6 +32,6 @@ should match the snapshot (smtp on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-jira
-        app.kubernetes.io/version: 16.1.8
-        helm.sh/chart: teleport-plugin-jira-16.1.8
+        app.kubernetes.io/version: 16.2.0
+        helm.sh/chart: teleport-plugin-jira-16.2.0
       name: RELEASE-NAME-teleport-plugin-jira