Merge branch 'branch/v16' into bernard/backport-47106-branch/v16

CHANGELOG.md

@@ -1,5 +1,63 @@
 # Changelog
 
+## 16.4.5 (10/22/2024)
+
+### Security Fixes
+
+#### [High] Privilege persistence in Okta SCIM-only integration
+
+When Okta SCIM-only integration is enabled, in certain cases Teleport could
+calculate the effective set of permission based on SSO user's stale traits. This
+could allow a user who was unassigned from an Okta group to log into a Teleport
+cluster once with a role granted by the unassigned group being present in their
+effective role set.
+
+Note: This issue only affects Teleport clusters that have installed a SCIM-only
+Okta integration as described in this guide. If you have an Okta integration
+with user sync enabled or only using Okta SSO auth connector to log into your
+Teleport cluster without SCIM integration configured, you're unaffected. To
+verify your configuration:
+
+- Use `tctl get plugins/okta --format=json | jq ".[].spec.Settings.okta.sync_settings.sync_users"`
+  command to check if you have Okta integration with user sync enabled. If it
+  outputs null or false, you may be affected and should upgrade.
+- Check SCIM provisioning settings for the Okta application you created or
+  updated while following the SCIM-only setup guide. If SCIM provisioning is
+  enabled, you may be affected and should upgrade.
+
+We strongly recommend customers who use Okta SCIM integration to upgrade their
+auth servers to version 16.3.0 or later. Teleport services other than auth
+(proxy, SSH, Kubernetes, desktop, application, database and discovery) are not
+impacted and do not need to be updated.
+
+### Other improvements and fixes
+
+* Added a new teleport_roles_total metric that exposes the number of roles which exist in a cluster. [#47812](https://github.com/gravitational/teleport/pull/47812)
+* Teleport's Windows Desktop Service now filters domain-joined Linux hosts out during LDAP discovery. [#47773](https://github.com/gravitational/teleport/pull/47773)
+* The `join_token.create` audit event has been enriched with additional metadata. [#47765](https://github.com/gravitational/teleport/pull/47765)
+* Propagate resources configured in teleport-kube-agent chart values to post-install and post-delete hooks. [#47743](https://github.com/gravitational/teleport/pull/47743)
+* Add support for the Datadog Incident Management plugin helm chart. [#47727](https://github.com/gravitational/teleport/pull/47727)
+* Automatic device enrollment may be locally disabled using the TELEPORT_DEVICE_AUTO_ENROLL_DISABLED=1 environment variable. [#47720](https://github.com/gravitational/teleport/pull/47720)
+* Fixed the Machine ID and GitHub Actions wizard. [#47708](https://github.com/gravitational/teleport/pull/47708)
+* Added migration to update the old import_all_objects database object import rule to the new preset. [#47707](https://github.com/gravitational/teleport/pull/47707)
+* Alter ServiceAccounts in the teleport-cluster Helm chart to automatically disable mounting of service account tokens on newer Kubernetes distributions, helping satisfy security linters. [#47703](https://github.com/gravitational/teleport/pull/47703)
+* Avoid tsh auto-enroll escalation in machines without a TPM. [#47695](https://github.com/gravitational/teleport/pull/47695)
+* Fixed a bug that prevented users from canceling `tsh scan keys` executions. [#47658](https://github.com/gravitational/teleport/pull/47658)
+* Postgres database session start events now include the Postgres backend PID for the session. [#47643](https://github.com/gravitational/teleport/pull/47643)
+* Reworked the `teleport-event-handler` integration to significantly improve performance, especially when running with larger `--concurrency` values. [#47633](https://github.com/gravitational/teleport/pull/47633)
+* Fixes a bug where Let's Encrypt certificate renewal failed in AMI and HA deployments due to insufficient disk space caused by syncing audit logs. [#47622](https://github.com/gravitational/teleport/pull/47622)
+* Adds support for custom SQS consumer lock name and disabling a consumer. [#47614](https://github.com/gravitational/teleport/pull/47614)
+* Fixed an issue that prevented RDS Aurora discovery configuration in the AWS OIDC enrollment wizard when any cluster existed without member instances. [#47605](https://github.com/gravitational/teleport/pull/47605)
+* Extend the Datadog plugin to support automatic approvals. [#47602](https://github.com/gravitational/teleport/pull/47602)
+* Allow using a custom database for Firestore backends. [#47583](https://github.com/gravitational/teleport/pull/47583)
+* Include host name instead of host uuid in error messages when SSH connections are prevented due to an invalid login. [#47578](https://github.com/gravitational/teleport/pull/47578)
+* Fix the example Terraform code to support the new larger Teleport Enterprise licenses and updates output of web address to use fqdn when ACM is disabled. [#47512](https://github.com/gravitational/teleport/pull/47512)
+* Add new `tctl` subcommands to manage bot instances. [#47225](https://github.com/gravitational/teleport/pull/47225)
+
+Enterprise:
+* Device auto-enroll failures are now recorded in the audit log.
+* Fixed possible panic when processing Okta assignments.
+
 ## 16.4.3 (10/16/2024)
 
 * Extended Teleport Discovery Service to support resource discovery across all projects accessible by the service account. [#47568](https://github.com/gravitational/teleport/pull/47568)

Makefile

@@ -11,7 +11,7 @@
 #   Stable releases:   "1.0.0"
 #   Pre-releases:      "1.0.0-alpha.1", "1.0.0-beta.2", "1.0.0-rc.3"
 #   Master/dev branch: "1.0.0-dev"
-VERSION=16.4.3
+VERSION=16.4.5
 
 DOCKER_IMAGE ?= teleport
 

build.assets/macos/tsh/tsh.app/Contents/Info.plist

@@ -19,13 +19,13 @@
 		<key>CFBundlePackageType</key>
 		<string>APPL</string>
 		<key>CFBundleShortVersionString</key>
-		<string>16.4.3</string>
+		<string>16.4.5</string>
 		<key>CFBundleSupportedPlatforms</key>
 		<array>
 			<string>MacOSX</string>
 		</array>
 		<key>CFBundleVersion</key>
-		<string>16.4.3</string>
+		<string>16.4.5</string>
 		<key>DTCompiler</key>
 		<string>com.apple.compilers.llvm.clang.1_0</string>
 		<key>DTPlatformBuild</key>

build.assets/macos/tshdev/tsh.app/Contents/Info.plist

@@ -17,13 +17,13 @@
 		<key>CFBundlePackageType</key>
 		<string>APPL</string>
 		<key>CFBundleShortVersionString</key>
-		<string>16.4.3</string>
+		<string>16.4.5</string>
 		<key>CFBundleSupportedPlatforms</key>
 		<array>
 			<string>MacOSX</string>
 		</array>
 		<key>CFBundleVersion</key>
-		<string>16.4.3</string>
+		<string>16.4.5</string>
 		<key>DTCompiler</key>
 		<string>com.apple.compilers.llvm.clang.1_0</string>
 		<key>DTPlatformBuild</key>

docs/pages/admin-guides/access-controls/sso/azuread.mdx

@@ -92,14 +92,18 @@ Before you get started, you’ll need:
 
    ![Put in Security group claim](../../../../img/azuread/azuread-8b-groupclaim.png)
 
-1. Add a claim that transforms the format of the Azure AD username to lower case, in order to pass it to
-   Teleport. Set the Source to "Transformation". In the new panel:
+1. (optional) Add a claim that transforms the format of the Azure AD username to lower case, in order to use it inside
+   Teleport roles as the `{{external.username}}` property.
+
+   Set the Source to "Transformation". In the new panel:
 
    - Set the Transformation value to "Extract()"
 
    - Set the Attribute name to `user.userprincipalname`.
 
-   - Set the Value to `ToLowercase()`.
+   - Set the Value to `@`.
+
+   - Click "Add Transformation" and set the Transformation to `ToLowercase()`.
 
      ![Add a transformed username](../../../../img/azuread/azuread-8c-usernameclaim.png)
 

docs/pages/admin-guides/teleport-policy/integrations/aws-sync.mdx

@@ -60,12 +60,13 @@ graphical representation thereof.
 ## Prerequisites
 
 - A running Teleport Enterprise cluster v14.3.9/v15.2.0 or later.
-- For self-hosted clusters, an updated `license.pem` with Teleport Policy enabled.
-- For self-hosted clusters, a running Access Graph node v1.17.0 or later. 
-Check [Access Graph page](../teleport-policy.mdx) for details on
+- Teleport Policy enabled for your account.
+- For self-hosted clusters:
+  - Ensure that an up-to-date `license.pem` is used in the Auth Service configuration.
+  - A running Access Graph node v1.17.0 or later.
+Check the [Teleport Policy page](../teleport-policy.mdx) for details on
 how to set up Access Graph.
-- The node running the Access Graph service must be reachable
-from Teleport Auth Service and Discovery Service. 
+  - The node running the Access Graph service must be reachable from the Teleport Auth Service.
 
 ## Step 1/2. Configure Discovery Service (Self-hosted only)
 

docs/pages/admin-guides/teleport-policy/integrations/entra-id.mdx

@@ -35,11 +35,12 @@ These resources are then visualized using the graph representation detailed in t
 
 - A running Teleport Enterprise cluster v15.4.2/v16.0.0 or later.
 - Teleport Identity and Teleport Policy enabled for your account.
-  - For self-hosted clusters, ensure that an up-to-date `license.pem` is used in the Auth Service configuration.
-- For self-hosted clusters, a running Access Graph node v1.21.3 or later.
+- For self-hosted clusters:
+  - Ensure that an up-to-date `license.pem` is used in the Auth Service configuration.
+  - A running Access Graph node v1.21.3 or later.
 Check the [Teleport Policy page](../teleport-policy.mdx) for details on
 how to set up Access Graph.
-- The node running the Access Graph service must be reachable from the Teleport Auth Service.
+  - The node running the Access Graph service must be reachable from the Teleport Auth Service.
 - Your user must have privileged administrator permissions in the Azure account
 
 To verify that Access Graph is set up correctly for your cluster, sign in to the Teleport Web UI and navigate to the Management tab.

docs/pages/admin-guides/teleport-policy/integrations/gitlab.mdx

@@ -46,13 +46,14 @@ graphical representation thereof.
 ## Prerequisites
 
 - A running Teleport Enterprise cluster v14.3.20/v15.3.1/v16.0.0 or later.
-- For self-hosted clusters, an updated `license.pem` with Teleport Policy enabled.
-- For self-hosted clusters, a running Access Graph node v1.21.4 or later.
-Check [Access Graph page](../teleport-policy.mdx) for details on
-how to set up Access Graph.
-- For self-hosted clusters, the node running the Access Graph service must be reachable
-from Teleport Auth Service.
+- Teleport Policy enabled for your account.
 - A GitLab instance running GitLab v9.0 or later.
+- For self-hosted clusters:
+  - Ensure that an up-to-date `license.pem` is used in the Auth Service configuration.
+  - A running Access Graph node v1.21.4 or later.
+Check the [Teleport Policy page](../teleport-policy.mdx) for details on
+how to set up Access Graph.
+  - The node running the Access Graph service must be reachable from the Teleport Auth Service.
 
 ## Step 1/3. Create GitLab token
 

docs/pages/admin-guides/teleport-policy/integrations/ssh-keys-scan.mdx

@@ -70,15 +70,16 @@ It also never sends the private key path or any other sensitive information.
 ## Prerequisites
 
 - A running Teleport Enterprise cluster v15.4.16/v16.2.0 or later.
-- For self-hosted clusters, an updated `license.pem` with Teleport Policy enabled.
-- For self-hosted clusters, a running Access Graph node v1.22.0 or later.
-Check [Access Graph page](../teleport-policy.mdx) for details on
-how to set up Access Graph.
-- For self-hosted clusters, the node running the Access Graph service must be reachable
-from Teleport Auth Service.
+- Teleport Policy enabled for your account.
 - A Linux/macOS server running the Teleport SSH Service.
 - Devices enrolled in the [Teleport Device Trust feature](../../access-controls/device-trust.mdx).
 - For Jamf Pro integration, devices must be enrolled in Jamf Pro and have the signed `tsh` binary installed.
+- For self-hosted clusters:
+  - Ensure that an up-to-date `license.pem` is used in the Auth Service configuration.
+  - A running Access Graph node v1.22.0 or later.
+Check the [Teleport Policy page](../teleport-policy.mdx) for details on
+how to set up Access Graph.
+  - The node running the Access Graph service must be reachable from the Teleport Auth Service.
 
 ## Step 1/3. Enable SSH Key Scanning
 

examples/chart/access/datadog/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "16.4.3"
+.version: &version "16.4.5"
 
 apiVersion: v2
 name: teleport-plugin-datadog

examples/chart/access/datadog/tests/__snapshot__/configmap_test.yaml.snap

@@ -26,6 +26,6 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-datadog
-        app.kubernetes.io/version: 16.4.3
-        helm.sh/chart: teleport-plugin-datadog-16.4.3
+        app.kubernetes.io/version: 16.4.5
+        helm.sh/chart: teleport-plugin-datadog-16.4.5
       name: RELEASE-NAME-teleport-plugin-datadog

examples/chart/access/datadog/tests/__snapshot__/deployment_test.yaml.snap

@@ -7,8 +7,8 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-datadog
-        app.kubernetes.io/version: 16.4.3
-        helm.sh/chart: teleport-plugin-datadog-16.4.3
+        app.kubernetes.io/version: 16.4.5
+        helm.sh/chart: teleport-plugin-datadog-16.4.5
       name: RELEASE-NAME-teleport-plugin-datadog
     spec:
       replicas: 1
@@ -22,8 +22,8 @@ should match the snapshot:
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-datadog
-            app.kubernetes.io/version: 16.4.3
-            helm.sh/chart: teleport-plugin-datadog-16.4.3
+            app.kubernetes.io/version: 16.4.5
+            helm.sh/chart: teleport-plugin-datadog-16.4.5
         spec:
           containers:
           - command:

examples/chart/access/discord/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "16.4.3"
+.version: &version "16.4.5"
 
 apiVersion: v2
 name: teleport-plugin-discord

examples/chart/access/discord/tests/__snapshot__/configmap_test.yaml.snap

@@ -24,6 +24,6 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-discord
-        app.kubernetes.io/version: 16.4.3
-        helm.sh/chart: teleport-plugin-discord-16.4.3
+        app.kubernetes.io/version: 16.4.5
+        helm.sh/chart: teleport-plugin-discord-16.4.5
       name: RELEASE-NAME-teleport-plugin-discord

examples/chart/access/discord/tests/__snapshot__/deployment_test.yaml.snap

@@ -7,8 +7,8 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-discord
-        app.kubernetes.io/version: 16.4.3
-        helm.sh/chart: teleport-plugin-discord-16.4.3
+        app.kubernetes.io/version: 16.4.5
+        helm.sh/chart: teleport-plugin-discord-16.4.5
       name: RELEASE-NAME-teleport-plugin-discord
     spec:
       replicas: 1
@@ -22,8 +22,8 @@ should match the snapshot:
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-discord
-            app.kubernetes.io/version: 16.4.3
-            helm.sh/chart: teleport-plugin-discord-16.4.3
+            app.kubernetes.io/version: 16.4.5
+            helm.sh/chart: teleport-plugin-discord-16.4.5
         spec:
           containers:
           - command:

examples/chart/access/email/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "16.4.3"
+.version: &version "16.4.5"
 
 apiVersion: v2
 name: teleport-plugin-email

examples/chart/access/email/tests/__snapshot__/configmap_test.yaml.snap

@@ -26,8 +26,8 @@ should match the snapshot (mailgun on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.4.3
-        helm.sh/chart: teleport-plugin-email-16.4.3
+        app.kubernetes.io/version: 16.4.5
+        helm.sh/chart: teleport-plugin-email-16.4.5
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on):
   1: |
@@ -59,8 +59,8 @@ should match the snapshot (smtp on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.4.3
-        helm.sh/chart: teleport-plugin-email-16.4.3
+        app.kubernetes.io/version: 16.4.5
+        helm.sh/chart: teleport-plugin-email-16.4.5
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, no starttls):
   1: |
@@ -92,8 +92,8 @@ should match the snapshot (smtp on, no starttls):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.4.3
-        helm.sh/chart: teleport-plugin-email-16.4.3
+        app.kubernetes.io/version: 16.4.5
+        helm.sh/chart: teleport-plugin-email-16.4.5
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, password file):
   1: |
@@ -125,8 +125,8 @@ should match the snapshot (smtp on, password file):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.4.3
-        helm.sh/chart: teleport-plugin-email-16.4.3
+        app.kubernetes.io/version: 16.4.5
+        helm.sh/chart: teleport-plugin-email-16.4.5
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, roleToRecipients set):
   1: |
@@ -161,8 +161,8 @@ should match the snapshot (smtp on, roleToRecipients set):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.4.3
-        helm.sh/chart: teleport-plugin-email-16.4.3
+        app.kubernetes.io/version: 16.4.5
+        helm.sh/chart: teleport-plugin-email-16.4.5
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, starttls disabled):
   1: |
@@ -194,6 +194,6 @@ should match the snapshot (smtp on, starttls disabled):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.4.3
-        helm.sh/chart: teleport-plugin-email-16.4.3
+        app.kubernetes.io/version: 16.4.5
+        helm.sh/chart: teleport-plugin-email-16.4.5
       name: RELEASE-NAME-teleport-plugin-email