Merge branch 'branch/v17' into bot/backport-48860-branch/v17

Makefile

@@ -13,7 +13,7 @@
 #   Stable releases:   "1.0.0"
 #   Pre-releases:      "1.0.0-alpha.1", "1.0.0-beta.2", "1.0.0-rc.3"
 #   Master/dev branch: "1.0.0-dev"
-VERSION=17.0.0-beta.1
+VERSION=17.0.0-beta.2
 
 DOCKER_IMAGE ?= teleport
 

api/types/constants.go

@@ -1066,10 +1066,10 @@ const (
 	// group they should attempt to be connected to.
 	ProxyGroupGenerationLabel = TeleportInternalLabelPrefix + "proxygroup-gen"
 
-	// ProxyPeerQUICLabel is the internal-user label for proxy heartbeats that's
-	// used to signal that the proxy supports receiving proxy peering
-	// connections over QUIC.
-	ProxyPeerQUICLabel = TeleportInternalLabelPrefix + "proxy-peer-quic"
+	// UnstableProxyPeerQUICLabel is the internal-use label for proxy heartbeats
+	// that's used to signal that the proxy supports receiving proxy peering
+	// connections over QUIC. The value should be "yes".
+	UnstableProxyPeerQUICLabel = TeleportInternalLabelPrefix + "proxy-peer-quic"
 
 	// OktaAppNameLabel is the individual app name label.
 	OktaAppNameLabel = TeleportInternalLabelPrefix + "okta-app-name"

docs/pages/admin-guides/teleport-policy/crown-jewels.mdx

@@ -3,12 +3,12 @@ title: See permission changes with Access Graph Crown Jewels
 description: Describes how to use Access Graph Crown Jewels to see permission changes in Teleport.
 ---
 
-Access Graph's Crown Jewel feature allows you to track changes to access for your most sensitive users or resources.
-When you mark a resource as a Crown Jewel, Teleport emits audit events any time access to that resource changes.
-These audit events include snapshots of the permissions before and after the change,
-which can alert you of unexpected access changes and allow you to verify the results.
+Access Graph's Crown Jewel feature allows you to track changes to access for
+your most sensitive users or resources. When you mark a resource as a Crown
+Jewel, Teleport emits audit events any time access to that resource changes.
 
-This guide shows you how to configure Crown Jewels, how to mark resources as Crown Jewels, and how to see permission changes for these resources.
+This guide shows you how to configure Crown Jewels, how to mark resources as
+Crown Jewels, and how to see permission changes for these resources.
 
 ## Prerequisites
 

examples/chart/access/datadog/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "17.0.0-beta.1"
+.version: &version "17.0.0-beta.2"
 
 apiVersion: v2
 name: teleport-plugin-datadog

examples/chart/access/datadog/tests/__snapshot__/configmap_test.yaml.snap

@@ -26,6 +26,6 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-datadog
-        app.kubernetes.io/version: 17.0.0-beta.1
-        helm.sh/chart: teleport-plugin-datadog-17.0.0-beta.1
+        app.kubernetes.io/version: 17.0.0-beta.2
+        helm.sh/chart: teleport-plugin-datadog-17.0.0-beta.2
       name: RELEASE-NAME-teleport-plugin-datadog

examples/chart/access/datadog/tests/__snapshot__/deployment_test.yaml.snap

@@ -7,8 +7,8 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-datadog
-        app.kubernetes.io/version: 17.0.0-beta.1
-        helm.sh/chart: teleport-plugin-datadog-17.0.0-beta.1
+        app.kubernetes.io/version: 17.0.0-beta.2
+        helm.sh/chart: teleport-plugin-datadog-17.0.0-beta.2
       name: RELEASE-NAME-teleport-plugin-datadog
     spec:
       replicas: 1
@@ -22,8 +22,8 @@ should match the snapshot:
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-datadog
-            app.kubernetes.io/version: 17.0.0-beta.1
-            helm.sh/chart: teleport-plugin-datadog-17.0.0-beta.1
+            app.kubernetes.io/version: 17.0.0-beta.2
+            helm.sh/chart: teleport-plugin-datadog-17.0.0-beta.2
         spec:
           containers:
           - command:

examples/chart/access/discord/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "17.0.0-beta.1"
+.version: &version "17.0.0-beta.2"
 
 apiVersion: v2
 name: teleport-plugin-discord

examples/chart/access/discord/tests/__snapshot__/configmap_test.yaml.snap

@@ -24,6 +24,6 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-discord
-        app.kubernetes.io/version: 17.0.0-beta.1
-        helm.sh/chart: teleport-plugin-discord-17.0.0-beta.1
+        app.kubernetes.io/version: 17.0.0-beta.2
+        helm.sh/chart: teleport-plugin-discord-17.0.0-beta.2
       name: RELEASE-NAME-teleport-plugin-discord

examples/chart/access/discord/tests/__snapshot__/deployment_test.yaml.snap

@@ -7,8 +7,8 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-discord
-        app.kubernetes.io/version: 17.0.0-beta.1
-        helm.sh/chart: teleport-plugin-discord-17.0.0-beta.1
+        app.kubernetes.io/version: 17.0.0-beta.2
+        helm.sh/chart: teleport-plugin-discord-17.0.0-beta.2
       name: RELEASE-NAME-teleport-plugin-discord
     spec:
       replicas: 1
@@ -22,8 +22,8 @@ should match the snapshot:
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-discord
-            app.kubernetes.io/version: 17.0.0-beta.1
-            helm.sh/chart: teleport-plugin-discord-17.0.0-beta.1
+            app.kubernetes.io/version: 17.0.0-beta.2
+            helm.sh/chart: teleport-plugin-discord-17.0.0-beta.2
         spec:
           containers:
           - command:

examples/chart/access/email/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "17.0.0-beta.1"
+.version: &version "17.0.0-beta.2"
 
 apiVersion: v2
 name: teleport-plugin-email

examples/chart/access/email/tests/__snapshot__/configmap_test.yaml.snap

@@ -26,8 +26,8 @@ should match the snapshot (mailgun on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 17.0.0-beta.1
-        helm.sh/chart: teleport-plugin-email-17.0.0-beta.1
+        app.kubernetes.io/version: 17.0.0-beta.2
+        helm.sh/chart: teleport-plugin-email-17.0.0-beta.2
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on):
   1: |
@@ -59,8 +59,8 @@ should match the snapshot (smtp on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 17.0.0-beta.1
-        helm.sh/chart: teleport-plugin-email-17.0.0-beta.1
+        app.kubernetes.io/version: 17.0.0-beta.2
+        helm.sh/chart: teleport-plugin-email-17.0.0-beta.2
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, no starttls):
   1: |
@@ -92,8 +92,8 @@ should match the snapshot (smtp on, no starttls):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 17.0.0-beta.1
-        helm.sh/chart: teleport-plugin-email-17.0.0-beta.1
+        app.kubernetes.io/version: 17.0.0-beta.2
+        helm.sh/chart: teleport-plugin-email-17.0.0-beta.2
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, password file):
   1: |
@@ -125,8 +125,8 @@ should match the snapshot (smtp on, password file):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 17.0.0-beta.1
-        helm.sh/chart: teleport-plugin-email-17.0.0-beta.1
+        app.kubernetes.io/version: 17.0.0-beta.2
+        helm.sh/chart: teleport-plugin-email-17.0.0-beta.2
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, roleToRecipients set):
   1: |
@@ -161,8 +161,8 @@ should match the snapshot (smtp on, roleToRecipients set):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 17.0.0-beta.1
-        helm.sh/chart: teleport-plugin-email-17.0.0-beta.1
+        app.kubernetes.io/version: 17.0.0-beta.2
+        helm.sh/chart: teleport-plugin-email-17.0.0-beta.2
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, starttls disabled):
   1: |
@@ -194,6 +194,6 @@ should match the snapshot (smtp on, starttls disabled):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 17.0.0-beta.1
-        helm.sh/chart: teleport-plugin-email-17.0.0-beta.1
+        app.kubernetes.io/version: 17.0.0-beta.2
+        helm.sh/chart: teleport-plugin-email-17.0.0-beta.2
       name: RELEASE-NAME-teleport-plugin-email

examples/chart/access/email/tests/__snapshot__/deployment_test.yaml.snap

@@ -7,8 +7,8 @@ should be possible to override volume name (smtp on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 17.0.0-beta.1
-        helm.sh/chart: teleport-plugin-email-17.0.0-beta.1
+        app.kubernetes.io/version: 17.0.0-beta.2
+        helm.sh/chart: teleport-plugin-email-17.0.0-beta.2
       name: RELEASE-NAME-teleport-plugin-email
     spec:
       replicas: 1
@@ -22,8 +22,8 @@ should be possible to override volume name (smtp on):
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-email
-            app.kubernetes.io/version: 17.0.0-beta.1
-            helm.sh/chart: teleport-plugin-email-17.0.0-beta.1
+            app.kubernetes.io/version: 17.0.0-beta.2
+            helm.sh/chart: teleport-plugin-email-17.0.0-beta.2
         spec:
           containers:
           - command:
@@ -34,7 +34,7 @@ should be possible to override volume name (smtp on):
             env:
             - name: TELEPORT_PLUGIN_FAIL_FAST
               value: "true"
-            image: public.ecr.aws/gravitational/teleport-plugin-email:17.0.0-beta.1
+            image: public.ecr.aws/gravitational/teleport-plugin-email:17.0.0-beta.2
             imagePullPolicy: IfNotPresent
             name: teleport-plugin-email
             ports:
@@ -75,8 +75,8 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 17.0.0-beta.1
-        helm.sh/chart: teleport-plugin-email-17.0.0-beta.1
+        app.kubernetes.io/version: 17.0.0-beta.2
+        helm.sh/chart: teleport-plugin-email-17.0.0-beta.2
       name: RELEASE-NAME-teleport-plugin-email
     spec:
       replicas: 1
@@ -90,8 +90,8 @@ should match the snapshot:
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-email
-            app.kubernetes.io/version: 17.0.0-beta.1
-            helm.sh/chart: teleport-plugin-email-17.0.0-beta.1
+            app.kubernetes.io/version: 17.0.0-beta.2
+            helm.sh/chart: teleport-plugin-email-17.0.0-beta.2
         spec:
           containers:
           - command:
@@ -136,8 +136,8 @@ should match the snapshot (mailgun on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 17.0.0-beta.1
-        helm.sh/chart: teleport-plugin-email-17.0.0-beta.1
+        app.kubernetes.io/version: 17.0.0-beta.2
+        helm.sh/chart: teleport-plugin-email-17.0.0-beta.2
       name: RELEASE-NAME-teleport-plugin-email
     spec:
       replicas: 1
@@ -151,8 +151,8 @@ should match the snapshot (mailgun on):
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-email
-            app.kubernetes.io/version: 17.0.0-beta.1
-            helm.sh/chart: teleport-plugin-email-17.0.0-beta.1
+            app.kubernetes.io/version: 17.0.0-beta.2
+            helm.sh/chart: teleport-plugin-email-17.0.0-beta.2
         spec:
           containers:
           - command:
@@ -163,7 +163,7 @@ should match the snapshot (mailgun on):
             env:
             - name: TELEPORT_PLUGIN_FAIL_FAST
               value: "true"
-            image: public.ecr.aws/gravitational/teleport-plugin-email:17.0.0-beta.1
+            image: public.ecr.aws/gravitational/teleport-plugin-email:17.0.0-beta.2
             imagePullPolicy: IfNotPresent
             name: teleport-plugin-email
             ports:
@@ -204,8 +204,8 @@ should match the snapshot (smtp on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 17.0.0-beta.1
-        helm.sh/chart: teleport-plugin-email-17.0.0-beta.1
+        app.kubernetes.io/version: 17.0.0-beta.2
+        helm.sh/chart: teleport-plugin-email-17.0.0-beta.2
       name: RELEASE-NAME-teleport-plugin-email
     spec:
       replicas: 1
@@ -219,8 +219,8 @@ should match the snapshot (smtp on):
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-email
-            app.kubernetes.io/version: 17.0.0-beta.1
-            helm.sh/chart: teleport-plugin-email-17.0.0-beta.1
+            app.kubernetes.io/version: 17.0.0-beta.2
+            helm.sh/chart: teleport-plugin-email-17.0.0-beta.2
         spec:
           containers:
           - command:
@@ -231,7 +231,7 @@ should match the snapshot (smtp on):
             env:
             - name: TELEPORT_PLUGIN_FAIL_FAST
               value: "true"
-            image: public.ecr.aws/gravitational/teleport-plugin-email:17.0.0-beta.1
+            image: public.ecr.aws/gravitational/teleport-plugin-email:17.0.0-beta.2
             imagePullPolicy: IfNotPresent
             name: teleport-plugin-email
             ports:
@@ -272,8 +272,8 @@ should mount external secret (mailgun on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 17.0.0-beta.1
-        helm.sh/chart: teleport-plugin-email-17.0.0-beta.1
+        app.kubernetes.io/version: 17.0.0-beta.2
+        helm.sh/chart: teleport-plugin-email-17.0.0-beta.2
       name: RELEASE-NAME-teleport-plugin-email
     spec:
       replicas: 1
@@ -287,8 +287,8 @@ should mount external secret (mailgun on):
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-email
-            app.kubernetes.io/version: 17.0.0-beta.1
-            helm.sh/chart: teleport-plugin-email-17.0.0-beta.1
+            app.kubernetes.io/version: 17.0.0-beta.2
+            helm.sh/chart: teleport-plugin-email-17.0.0-beta.2
         spec:
           containers:
           - command:
@@ -299,7 +299,7 @@ should mount external secret (mailgun on):
             env:
             - name: TELEPORT_PLUGIN_FAIL_FAST
               value: "true"
-            image: public.ecr.aws/gravitational/teleport-plugin-email:17.0.0-beta.1
+            image: public.ecr.aws/gravitational/teleport-plugin-email:17.0.0-beta.2
             imagePullPolicy: IfNotPresent
             name: teleport-plugin-email
             ports:
@@ -340,8 +340,8 @@ should mount external secret (smtp on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 17.0.0-beta.1
-        helm.sh/chart: teleport-plugin-email-17.0.0-beta.1
+        app.kubernetes.io/version: 17.0.0-beta.2
+        helm.sh/chart: teleport-plugin-email-17.0.0-beta.2
       name: RELEASE-NAME-teleport-plugin-email
     spec:
       replicas: 1
@@ -355,8 +355,8 @@ should mount external secret (smtp on):
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-email
-            app.kubernetes.io/version: 17.0.0-beta.1
-            helm.sh/chart: teleport-plugin-email-17.0.0-beta.1
+            app.kubernetes.io/version: 17.0.0-beta.2
+            helm.sh/chart: teleport-plugin-email-17.0.0-beta.2
         spec:
           containers:
           - command:
@@ -367,7 +367,7 @@ should mount external secret (smtp on):
             env:
             - name: TELEPORT_PLUGIN_FAIL_FAST
               value: "true"
-            image: public.ecr.aws/gravitational/teleport-plugin-email:17.0.0-beta.1
+            image: public.ecr.aws/gravitational/teleport-plugin-email:17.0.0-beta.2
             imagePullPolicy: IfNotPresent
             name: teleport-plugin-email
             ports:

examples/chart/access/jira/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "17.0.0-beta.1"
+.version: &version "17.0.0-beta.2"
 
 apiVersion: v2
 name: teleport-plugin-jira

examples/chart/access/jira/tests/__snapshot__/configmap_test.yaml.snap

@@ -32,6 +32,6 @@ should match the snapshot (smtp on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-jira
-        app.kubernetes.io/version: 17.0.0-beta.1
-        helm.sh/chart: teleport-plugin-jira-17.0.0-beta.1
+        app.kubernetes.io/version: 17.0.0-beta.2
+        helm.sh/chart: teleport-plugin-jira-17.0.0-beta.2
       name: RELEASE-NAME-teleport-plugin-jira