Release 14.3.22 (#45283)

CHANGELOG.md

@@ -1,5 +1,44 @@
 # Changelog
 
+## 14.3.22 (08/08/24)
+
+* Updated Go toolchain to `1.22.6`. [#45196](https://github.com/gravitational/teleport/pull/45196)
+* Teleport Connect now sets `TERM_PROGRAM: Teleport_Connect` and `TERM_PROGRAM_VERSION: <app_version>` environment variables in the integrated terminal. [#45065](https://github.com/gravitational/teleport/pull/45065)
+* Fixed race condition between session recording uploads and session recording upload cleanup. [#44980](https://github.com/gravitational/teleport/pull/44980)
+* Prevent Kubernetes per-Resource RBAC from blocking access to namespaces when denying access to a single resource kind in every namespace. [#44976](https://github.com/gravitational/teleport/pull/44976)
+* Improved stability of very large teleport clusters during temporary backend disruption/degradation. [#44696](https://github.com/gravitational/teleport/pull/44696)
+* Fixed Application Access regression where an HTTP header wasn't set in forwarded requests. [#44630](https://github.com/gravitational/teleport/pull/44630)
+* Use the registered port of the target host when `tsh puttyconfig` is invoked without `--port`. [#44574](https://github.com/gravitational/teleport/pull/44574)
+* Fixed Teleport Connect binaries not being signed correctly. [#44473](https://github.com/gravitational/teleport/pull/44473)
+* Fixed terminal sessions with a database CLI client in Teleport Connect hanging indefinitely if the client cannot be found. [#44467](https://github.com/gravitational/teleport/pull/44467)
+* Fixed a low-probability panic in audit event upload logic. [#44423](https://github.com/gravitational/teleport/pull/44423)
+* Prevented DoSing the cluster during a mass failed join event by agents. [#44416](https://github.com/gravitational/teleport/pull/44416)
+* Added audit events for AWS and Azure integration resource actions. [#44405](https://github.com/gravitational/teleport/pull/44405)
+* Prevented an infinite loop in DynamoDB event querying by advancing the cursor to the next day when the limit is reached at the end of a day with an empty iterator. This ensures the cursor does not reset to the beginning of the day. [#44273](https://github.com/gravitational/teleport/pull/44273)
+* Fixed a `kube-agent-updater` bug affecting resolutions of private images. [#44193](https://github.com/gravitational/teleport/pull/44193)
+* Prevented redirects to arbitrary URLs when launching an app. [#44190](https://github.com/gravitational/teleport/pull/44190)
+* The `teleport-cluster` chart can now use existing ingresses instead of creating its own. [#44148](https://github.com/gravitational/teleport/pull/44148)
+* Ensured that `tsh login` outputs accurate status information for the new session. [#44145](https://github.com/gravitational/teleport/pull/44145)
+* Fixes "device trust mode _x_ requires Teleport Enterprise" errors on `tctl`. [#44136](https://github.com/gravitational/teleport/pull/44136)
+* Honor proxy templates in `tsh ssh`. [#44031](https://github.com/gravitational/teleport/pull/44031)
+* Fix eBPF error occurring during startup on Linux RHEL 9. [#44025](https://github.com/gravitational/teleport/pull/44025)
+* Fixed Redshift auto-user deactivation/deletion failure that occurs when a user is created or deleted and another user is deactivated concurrently. [#43984](https://github.com/gravitational/teleport/pull/43984)
+* Lowered latency of detecting Kubernetes cluster becoming online. [#43969](https://github.com/gravitational/teleport/pull/43969)
+* Teleport AMIs now optionally source environment variables from `/etc/default/teleport` as regular Teleport package installations do. [#43960](https://github.com/gravitational/teleport/pull/43960)
+* Fixed `teleport-kube-agent` Helm chart to correctly propagate `extraLabels` to post-delete hooks. A new `extraLabels.job` object has been added for labels which should only apply to the post-delete job. [#43933](https://github.com/gravitational/teleport/pull/43933)
+* Added audit events for discovery config actions. [#43795](https://github.com/gravitational/teleport/pull/43795)
+* Fixed startup crash of Teleport Connect on Ubuntu 24.04 by adding an AppArmor profile. [#43651](https://github.com/gravitational/teleport/pull/43651)
+* Extend Teleport ability to use non-default cluster domains in Kubernetes, avoiding the assumption of `cluster.local`. [#43633](https://github.com/gravitational/teleport/pull/43633)
+* Wait for user MFA input when reissuing expired certificates for a kube proxy. [#43614](https://github.com/gravitational/teleport/pull/43614)
+* Display errors in the web UI console for SSH sessions. [#43492](https://github.com/gravitational/teleport/pull/43492)
+* Updated `go-retryablehttp` to `v0.7.7` (fixes `CVE-2024-6104`). [#43476](https://github.com/gravitational/teleport/pull/43476)
+* Fixed an issue preventing accurate inventory reporting of the updater after it is removed. [#43452](https://github.com/gravitational/teleport/pull/43452)
+* Remaining alert TTL is now displayed with `tctl alerts ls`. [#43434](https://github.com/gravitational/teleport/pull/43434)
+* Fixed headless auth for SSO users, including when local auth is disabled. [#43363](https://github.com/gravitational/teleport/pull/43363)
+* Fixed an issue with incorrect yum/zypper updater packages being installed. [#4686](https://github.com/gravitational/teleport.e/pull/4686)
+* Fixed inaccurately notifying user that access list reviews are due in the web UI. [#4523](https://github.com/gravitational/teleport.e/pull/4523)
+* The Teleport updater will no longer default to using the global version channel, avoiding incompatible updates. [#4475](https://github.com/gravitational/teleport.e/pull/4475)
+
 ## 14.3.21 (06/20/24)
 
 * Fixed bug that caused gRPC connections to be disconnected when their certificate expired even though DisconnectCertExpiry was false. [#43292](https://github.com/gravitational/teleport/pull/43292)

Makefile

@@ -11,7 +11,7 @@
 #   Stable releases:   "1.0.0"
 #   Pre-releases:      "1.0.0-alpha.1", "1.0.0-beta.2", "1.0.0-rc.3"
 #   Master/dev branch: "1.0.0-dev"
-VERSION=14.3.21
+VERSION=14.3.22
 
 DOCKER_IMAGE ?= teleport
 

build.assets/macos/tsh/tsh.app/Contents/Info.plist

@@ -19,13 +19,13 @@
 		<key>CFBundlePackageType</key>
 		<string>APPL</string>
 		<key>CFBundleShortVersionString</key>
-		<string>14.3.21</string>
+		<string>14.3.22</string>
 		<key>CFBundleSupportedPlatforms</key>
 		<array>
 			<string>MacOSX</string>
 		</array>
 		<key>CFBundleVersion</key>
-		<string>14.3.21</string>
+		<string>14.3.22</string>
 		<key>DTCompiler</key>
 		<string>com.apple.compilers.llvm.clang.1_0</string>
 		<key>DTPlatformBuild</key>

build.assets/macos/tshdev/tsh.app/Contents/Info.plist

@@ -17,13 +17,13 @@
 		<key>CFBundlePackageType</key>
 		<string>APPL</string>
 		<key>CFBundleShortVersionString</key>
-		<string>14.3.21</string>
+		<string>14.3.22</string>
 		<key>CFBundleSupportedPlatforms</key>
 		<array>
 			<string>MacOSX</string>
 		</array>
 		<key>CFBundleVersion</key>
-		<string>14.3.21</string>
+		<string>14.3.22</string>
 		<key>DTCompiler</key>
 		<string>com.apple.compilers.llvm.clang.1_0</string>
 		<key>DTPlatformBuild</key>

docs/cspell.json

@@ -724,6 +724,7 @@
     "replicaset",
     "requestable",
     "requirepass",
+    "retryablehttp",
     "reversetunnel",
     "reviewee",
     "rffx",
@@ -914,4 +915,4 @@
   "flagWords": [
     "hte"
   ]
-}
+}

examples/chart/teleport-cluster/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "14.3.21"
+.version: &version "14.3.22"
 
 name: teleport-cluster
 apiVersion: v2

examples/chart/teleport-cluster/charts/teleport-operator/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "14.3.21"
+.version: &version "14.3.22"
 
 name: teleport-operator
 apiVersion: v2

examples/chart/teleport-cluster/tests/__snapshot__/auth_clusterrole_test.yaml.snap

@@ -8,8 +8,8 @@ adds operator permissions to ClusterRole:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-cluster
-        app.kubernetes.io/version: 14.3.21
-        helm.sh/chart: teleport-cluster-14.3.21
+        app.kubernetes.io/version: 14.3.22
+        helm.sh/chart: teleport-cluster-14.3.22
         teleport.dev/majorVersion: "14"
       name: RELEASE-NAME
     rules:

examples/chart/teleport-cluster/tests/__snapshot__/auth_config_test.yaml.snap

@@ -1797,8 +1797,8 @@ sets clusterDomain on Configmap:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-cluster
-        app.kubernetes.io/version: 14.3.21
-        helm.sh/chart: teleport-cluster-14.3.21
+        app.kubernetes.io/version: 14.3.22
+        helm.sh/chart: teleport-cluster-14.3.22
         teleport.dev/majorVersion: "14"
       name: RELEASE-NAME-auth
       namespace: NAMESPACE

examples/chart/teleport-cluster/tests/__snapshot__/auth_deployment_test.yaml.snap

@@ -1,6 +1,6 @@
 should add an operator side-car when operator is enabled:
   1: |
-    image: public.ecr.aws/gravitational/teleport-operator:14.3.21
+    image: public.ecr.aws/gravitational/teleport-operator:14.3.22
     imagePullPolicy: IfNotPresent
     livenessProbe:
       httpGet:
@@ -41,7 +41,7 @@ should add an operator side-car when operator is enabled:
     - args:
       - --diag-addr=0.0.0.0:3000
       - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
-      image: public.ecr.aws/gravitational/teleport-distroless:14.3.21
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.22
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -174,7 +174,7 @@ should set nodeSelector when set in values:
     - args:
       - --diag-addr=0.0.0.0:3000
       - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
-      image: public.ecr.aws/gravitational/teleport-distroless:14.3.21
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.22
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -271,7 +271,7 @@ should set resources when set in values:
     - args:
       - --diag-addr=0.0.0.0:3000
       - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
-      image: public.ecr.aws/gravitational/teleport-distroless:14.3.21
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.22
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -357,7 +357,7 @@ should set securityContext when set in values:
     - args:
       - --diag-addr=0.0.0.0:3000
       - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
-      image: public.ecr.aws/gravitational/teleport-distroless:14.3.21
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.22
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:

examples/chart/teleport-cluster/tests/__snapshot__/proxy_config_test.yaml.snap

@@ -567,8 +567,8 @@ sets clusterDomain on Configmap:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-cluster
-        app.kubernetes.io/version: 14.3.21
-        helm.sh/chart: teleport-cluster-14.3.21
+        app.kubernetes.io/version: 14.3.22
+        helm.sh/chart: teleport-cluster-14.3.22
         teleport.dev/majorVersion: "14"
       name: RELEASE-NAME-proxy
       namespace: NAMESPACE

examples/chart/teleport-cluster/tests/__snapshot__/proxy_deployment_test.yaml.snap

@@ -11,8 +11,8 @@ sets clusterDomain on Deployment Pods:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-cluster
-        app.kubernetes.io/version: 14.3.21
-        helm.sh/chart: teleport-cluster-14.3.21
+        app.kubernetes.io/version: 14.3.22
+        helm.sh/chart: teleport-cluster-14.3.22
         teleport.dev/majorVersion: "14"
       name: RELEASE-NAME-proxy
       namespace: NAMESPACE
@@ -26,16 +26,16 @@ sets clusterDomain on Deployment Pods:
       template:
         metadata:
           annotations:
-            checksum/config: 7c4211990054c1dba86d9e66d3e5949bdaeb3dd035d3d37cf4385e2f00f5e43c
+            checksum/config: a01c03888376199abd6dcbb49c57406f9e4705a651de3ad94778a114e679457b
             kubernetes.io/pod: test-annotation
             kubernetes.io/pod-different: 4
           labels:
             app.kubernetes.io/component: proxy
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-cluster
-            app.kubernetes.io/version: 14.3.21
-            helm.sh/chart: teleport-cluster-14.3.21
+            app.kubernetes.io/version: 14.3.22
+            helm.sh/chart: teleport-cluster-14.3.22
             teleport.dev/majorVersion: "14"
         spec:
           affinity:
@@ -44,7 +44,7 @@ sets clusterDomain on Deployment Pods:
           containers:
           - args:
             - --diag-addr=0.0.0.0:3000
-            image: public.ecr.aws/gravitational/teleport-distroless:14.3.21
+            image: public.ecr.aws/gravitational/teleport-distroless:14.3.22
             imagePullPolicy: IfNotPresent
             lifecycle:
               preStop:
@@ -105,7 +105,7 @@ sets clusterDomain on Deployment Pods:
             - wait
             - no-resolve
             - RELEASE-NAME-auth-v13.NAMESPACE.svc.test.com
-            image: public.ecr.aws/gravitational/teleport-distroless:14.3.21
+            image: public.ecr.aws/gravitational/teleport-distroless:14.3.22
             name: wait-auth-update
           serviceAccountName: RELEASE-NAME-proxy
           terminationGracePeriodSeconds: 60
@@ -137,7 +137,7 @@ should provision initContainer correctly when set in values:
       - wait
       - no-resolve
       - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport-distroless:14.3.21
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.22
       name: wait-auth-update
     - args:
       - echo test
@@ -194,7 +194,7 @@ should set nodeSelector when set in values:
     containers:
     - args:
       - --diag-addr=0.0.0.0:3000
-      image: public.ecr.aws/gravitational/teleport-distroless:14.3.21
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.22
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -255,7 +255,7 @@ should set nodeSelector when set in values:
       - wait
       - no-resolve
       - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport-distroless:14.3.21
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.22
       name: wait-auth-update
     nodeSelector:
       environment: security
@@ -306,7 +306,7 @@ should set resources when set in values:
     containers:
     - args:
       - --diag-addr=0.0.0.0:3000
-      image: public.ecr.aws/gravitational/teleport-distroless:14.3.21
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.22
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -374,7 +374,7 @@ should set resources when set in values:
       - wait
       - no-resolve
       - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport-distroless:14.3.21
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.22
       name: wait-auth-update
     serviceAccountName: RELEASE-NAME-proxy
     terminationGracePeriodSeconds: 60
@@ -407,7 +407,7 @@ should set securityContext for initContainers when set in values:
     containers:
     - args:
       - --diag-addr=0.0.0.0:3000
-      image: public.ecr.aws/gravitational/teleport-distroless:14.3.21
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.22
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -475,7 +475,7 @@ should set securityContext for initContainers when set in values:
       - wait
       - no-resolve
       - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport-distroless:14.3.21
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.22
       name: wait-auth-update
       securityContext:
         allowPrivilegeEscalation: false
@@ -515,7 +515,7 @@ should set securityContext when set in values:
     containers:
     - args:
       - --diag-addr=0.0.0.0:3000
-      image: public.ecr.aws/gravitational/teleport-distroless:14.3.21
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.22
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -583,7 +583,7 @@ should set securityContext when set in values:
       - wait
       - no-resolve
       - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport-distroless:14.3.21
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.22
       name: wait-auth-update
       securityContext:
         allowPrivilegeEscalation: false

examples/chart/teleport-kube-agent/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "14.3.21"
+.version: &version "14.3.22"
 
 name: teleport-kube-agent
 apiVersion: v2