Update module github.com/gravitational/teleport/api to v14 #24
This PR contains the following updates:
github.com/gravitational/teleport/api: `v0.0.0-20230607072028-2f3f42ef14ad` -> `v14.2.3`
Release Notes
gravitational/teleport (github.com/gravitational/teleport/api)
v14.2.3: Teleport 14.2.3 (Compare Source)
Description
Download
Download the current and previous releases of Teleport at https://goteleport.com/download.
v14.2.2: Teleport 14.2.2 (Compare Source)
Description
- `/webapi/presetroles`. #35463
- `insecure-drop` host user creation mode. #35403
- `rds:DescribeDBProxyTargets` are no longer required for RDS Proxy discovery. #35389
- `1.21.5`. #35371
- `cluster_auth_preferences` to the shortcuts for `cluster_auth_preference`. #35329
- `podSecurityPolicy` configurable in the `teleport-kube-agent` chart. #35320
- `tbot` to misconfiguration of auth connectors when generating a Kubernetes output. #35309
- `tctl auth sign --tar`. #34874
Download
Download the current and previous releases of Teleport at https://goteleport.com/download.
v14.2.1: Teleport 14.2.1 (Compare Source)
Description
- `tsh db connect <mongodb>` does not give reason on connection errors. #34910
Download
Download the current and previous releases of Teleport at https://goteleport.com/download.
v14.2.0: Teleport 14.2.0 (Compare Source)
Description
New Features
Advanced Okta Integration (Enterprise Edition only)
Teleport will be able to automatically create SSO connector and sync users when configuring Okta integration.
Connect my Computer support in Web UI
The Teleport web UI will provide a guided flow for joining your computer to the Teleport cluster using Teleport Connect.
Dynamic credential reloading for plugins
Teleport plugins will support dynamic credential reloading, allowing them to take advantage of short-lived (and frequently rotated) credentials generated by Machine ID.
Fixes and Improvements
Download
Download the current and previous releases of Teleport at https://goteleport.com/download.
v14.1.5: Teleport 14.1.5 (Compare Source)
Description
- `tsh --piv-slot` custom PIV slot setting for Hardware Key Support. #34592
- `.tsh/environment` values from overriding prior set values. #34626
- `cluster_networking_config` and `cluster_auth_preference` via `--bootstrap`. #34445
- `tsh logout` with broken key directory. #34435
Download
Download the current and previous releases of Teleport at https://goteleport.com/download.
v14.1.4 (Compare Source)
v14.1.3: Teleport 14.1.3 (Compare Source)
Description
This release contains two security fixes, plus numerous other fixes and improvements.
Security Fixes
[Medium] Arbitrary code execution with `LD_PRELOAD` and `SFTP`
Teleport implements SFTP using a subcommand. Prior to this release it was possible to inject environment variables into the execution of this subcommand, via shell init scripts or via the SSH environment request.
This is addressed by preventing `LD_PRELOAD` and other dangerous environment variables from being forwarded during re-exec.
#3274
[Medium] Outbound SSH from Proxy can lead to IP spoofing
If the Teleport auth or proxy services are configured to accept `PROXY` protocol headers, a malicious actor can use this to spoof their IP address.
This is addressed by requiring that the first bytes of any SSH connection are the SSH protocol prefix, denying a malicious actor the opportunity to send their own proxy headers.
#33729
Other Fixes & Improvements
- `bash` instead of `sh` #34144
- `teleport_auth_type` config parameter to the AWS Terraform examples #34124
- `host:port` to `tsh puttyconfig` #33883
- `--set-context-name` to `tsh proxy kube`
- `tsh aws ecs execute-command` would always fail #33833
- `tsh` #33633
Download
Download the current and previous releases of Teleport at https://goteleport.com/download.
labels: security-patch=yes
v14.1.2 (Compare Source)
v14.1.1: Teleport 14.1.1 (Compare Source)
Description
Download
Download the current and previous releases of Teleport at https://goteleport.com/download.
v14.1.0: Teleport 14.1.0 (Compare Source)
New features
Security fixes
- `google.golang.org/grpc` to v1.57.1. #33487
Other fixes and improvements
- `tsh` or running `tsh status`. #33468
- `tsh` connection issue when Proxy is in separate mode and Web port is TLS-terminated by a load balancer. #32531 #33406
- `extensions/v1beta1` group/version. #33402
- `@teleport-access-approver` role to `v6` to support downgrades to Teleport 13. #33354
Download
Download the current and previous releases of Teleport at https://goteleport.com/download.
labels: security-patch=yes
v14.0.3: Teleport 14.0.3 (Compare Source)
Description
This release of Teleport contains one security fix, and various other updates.
Security Fixes
[Critical] Privilege escalation through `RecursiveChown`
When using automatic Linux user creation, an attacker could exploit a race condition in the user creation functionality to `chown` arbitrary files on the system. Users who aren't using automatic Linux host user creation aren't affected by this vulnerability.
#33248
Other Fixes
- `tsh puttyconfig` now uses `Validity` format for WinSCP compatibility #32856
- `tsh device enroll --current-device` #32756
- `etcd` backend will now start if some nodes are unreachable #32779
- `kubectl exec` #32768
- `tsh proxy kube` #33172
- `tsh kube credentials` when root cluster roles don't allow Kube access #33210
Download
Download the current and previous releases of Teleport at https://goteleport.com/download.
v14.0.1: Teleport 14.0.1 (Compare Source)
Description
- `create_host_user_mode` issue with TeleportRole in the Teleport Operator CRDs #32557
- `teleport-kube-agent` Helm chart would create the same `ServiceAccount` multiple times #32338
- `IneligibleStatus` fields for access list members and owners #32278
- `SIGINT`/`SIGTERM` #32189
Download
Download the current and previous releases of Teleport at https://goteleport.com/download.
v14.0.0: Teleport 14.0.0 (Compare Source)
Description
Teleport 14 brings the following new major features and improvements:
In addition, this release includes several changes that affect existing functionality listed in the “Breaking changes” section below. Users are advised to review them before upgrading.
New Features
Advanced audit log
Teleport 14 includes support for a new audit log powered by Amazon S3 and Athena that supports efficient searching, sorting, and filtering operations. Teleport Cloud customers will have their audit log automatically migrated to this new backend.
See the documentation here.
Access lists
Teleport 14 introduces foundational support for access lists, an extension to the short-lived access requests system targeted towards longer-term access. Administrators can add users to access lists granting them long-term permissions within the cluster.
As the feature is being developed, future Teleport releases will add support for periodic audit reviews and deeper integration of access lists with Okta.
You can find existing access lists documentation here.
Unified resources view
The web UI in Teleport 14 has been updated to show all resources in a single unified view.
This is the first step in a series of changes designed to support a customizable Teleport experience and make it easier to access the resources that are most important to you.
Kubernetes apps auto-discovery
Teleport 14 updates its auto-discovery capabilities with support for web applications in Kubernetes clusters. When connected to a Kubernetes cluster (or deployed as a Helm chart), Teleport discovery service will automatically find and enroll web applications for use with app access.
See documentation here.
Extended Kubernetes per-resource RBAC
Teleport 14 extends resource-based access requests to support more Kubernetes resources than just pods, including custom resources, and verbs. Note that this feature requires role version `v7`.
See the Kubernetes resources documentation for a full list of supported resources.
ClickHouse support for database access
Teleport 14 adds database access support for ClickHouse HTTP and native (TCP) protocols. When using HTTP protocol, the user's query activity is captured in the Teleport audit log.
See how to connect ClickHouse to Teleport here.
Oracle database access audit logging support
In Teleport 14, database access for Oracle integration is updated with query audit logging support.
See documentation on how to configure it in the Oracle guide.
Limited passwordless access for local Windows users in OSS Teleport
In Teleport 14, access to Windows desktops with local Windows users has been extended to Community Edition. Teleport will permit users to register and connect to up to 5 desktops with local users without an enterprise license.
For more information on using Teleport with local Windows users, see docs.
Discord and ServiceNow hosted plugins
Teleport 14 includes support for hosted Discord and ServiceNow plugins. Teleport Cloud users can configure Discord and ServiceNow integrations to receive access request notifications.
Discord plugin is available now, ServiceNow is coming in 14.0.1.
Enhanced PuTTY Support
tsh on Windows now supports the `tsh puttyconfig` command, which can easily configure saved sessions inside the well-known PuTTY client to connect to Teleport SSH services.
For more information, see docs.
Support for TLS routing in Terraform deployment examples
The ha-autoscale-cluster and starter-cluster Terraform deployment examples now support a `USE_TLS_ROUTING` variable to enable TLS routing inside the deployed Teleport cluster.
Machine ID: Kubernetes Secret destination
In Teleport 14, `tbot` can now be configured to write artifacts such as credentials and configuration files directly to a Kubernetes secret rather than a directory on the local file system. This allows other services to more easily consume the credentials output by `tbot`.
For more information, see docs.
Breaking changes and deprecations
Please familiarize yourself with the following potentially disruptive changes in Teleport 14 before upgrading.
SSH node open dial no longer supported
Teleport 14 no longer allows connecting to OpenSSH servers not registered with the cluster. Follow the updated agentless OpenSSH integration guide to register your OpenSSH nodes in the cluster’s inventory.
You can set the `TELEPORT_UNSTABLE_UNLISTED_AGENT_DIALING=yes` environment variable on the Teleport proxy to temporarily re-enable the open dial functionality. The environment variable will be removed in Teleport 15.
Proxy protocol default change
Starting from version 14, Teleport will require users to explicitly enable or disable PROXY protocol in their `proxy_service`/`auth_service` configuration using the `proxy_protocol: on|off` option.
Users who run their proxies behind L4 load balancers with PROXY protocol enabled should set `proxy_protocol: on`. Users who don't run Teleport behind PROXY-protocol-enabled load balancers should explicitly disable it with `proxy_protocol: off` for security reasons.
By default, Teleport will accept the PROXY line but will prevent connections for users with IP pinning enabled. IP pinning users will need to explicitly enable or disable proxy protocol as explained above.
See more details in our documentation.
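The two rules above, the SSH-prefix requirement from the IP-spoofing fix (in the 14.1.3 notes above, repeated for 13.4.7 below) and the explicit `proxy_protocol: on|off` setting, as an added Go illustration that is not Teleport's code: `ClassifyPreamble` looks at the first bytes a peer sent, `RequireSSHPrefix` is the shape of the fix, and `AdmitProxyHeader` applies the documented on/off/unset behaviour. The mode and kind names, the `ipPinned` parameter and the sample PROXY line are this example's own assumptions.

```go
package main

import (
	"bytes"
	"fmt"
)

// Mode mirrors proxy_protocol in the release notes: on, off, or unset (default).
type Mode int

const (
	ModeUnset Mode = iota
	ModeOn
	ModeOff
)

// Preamble kinds recognised from the first bytes a peer sends.
const (
	KindSSH     = "ssh"      // "SSH-" identification string
	KindProxyV1 = "proxy-v1" // "PROXY " text header
	KindProxyV2 = "proxy-v2" // binary header opened by a fixed 12-byte signature
	KindUnknown = "unknown"
)

// ClassifyPreamble reports what the first bytes of a connection announce.
func ClassifyPreamble(first []byte) string {
	switch {
	case bytes.HasPrefix(first, []byte("SSH-")):
		return KindSSH
	case bytes.HasPrefix(first, []byte("PROXY ")):
		return KindProxyV1
	case bytes.HasPrefix(first, []byte("\r\n\r\n\x00\r\nQUIT\n")):
		return KindProxyV2
	}
	return KindUnknown
}

// RequireSSHPrefix is the shape of the IP-spoofing fix: a stream that must carry
// SSH has to open with "SSH-", so a peer cannot put its own PROXY header first.
func RequireSSHPrefix(first []byte) bool { return ClassifyPreamble(first) == KindSSH }

// AdmitProxyHeader applies the proxy_protocol policy to a connection that opened
// with a PROXY header; ipPinned marks a user with IP pinning enforced. Simplified
// model of the documented behaviour, not Teleport's implementation.
func AdmitProxyHeader(mode Mode, ipPinned bool) (bool, string) {
	switch mode {
	case ModeOn:
		return true, "proxy_protocol on: PROXY header accepted"
	case ModeOff:
		return false, "proxy_protocol off: PROXY header rejected"
	}
	if ipPinned {
		return false, "proxy_protocol unset: refused for IP-pinned user"
	}
	return true, "proxy_protocol unset: accepted, set the option explicitly"
}

func main() {
	line := []byte("PROXY TCP4 203.0.113.5 198.51.100.7 4444 3022\r\n") // constructed sample
	fmt.Println(ClassifyPreamble(line), RequireSSHPrefix(line))
}
```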
Legacy deb/rpm package repositories are deprecated
Teleport 14 will be the last release published to the legacy package repositories at `deb.releases.teleport.dev` and `rpm.releases.teleport.dev`. Starting with Teleport 15, packages will only be published to the new repositories at `apt.releases.teleport.dev` and `yum.releases.teleport.dev`.
All users are recommended to switch to the `apt.releases.teleport.dev` and `yum.releases.teleport.dev` repositories as described in the installation instructions.
`Cf-Access-Token` header no longer included with app access requests
Starting from Teleport 14, the `Cf-Access-Token` header containing the signed JWT token will no longer be included by default with all app access requests. All requests will still include `Teleport-JWT-Assertion` containing the JWT token.
See documentation for details on how to inject the JWT token into any header using header rewriting.
tsh db CLI commands changes
In Teleport 14, tsh db sub-commands will attempt to select a default value for the `--db-user` or `--db-name` flags if they are not provided by the user, by examining their allowed `db_users` and `db_names`.
The flags `--cert-file` and `--key-file` for the tsh proxy db command were also removed, in favor of the `--tunnel` flag that opens an authenticated local database proxy.
MongoDB versions prior to 3.6 are no longer supported
Teleport 14 includes an update to the MongoDB driver.
Due to the MongoDB team dropping support for servers prior to version 3.6 (which reached EOL on April 30, 2021), Teleport also will no longer be able to support these old server versions.
Symlinks for `~/.tsh/environment` no longer supported
In order to strengthen security in Teleport 14, file loading from home directories where the path includes a symlink is no longer allowed. The most common use case for this is loading environment variables from the `~/.tsh/environment` file. This will still work normally as long as the path includes no symlinks.
Deprecated audit event
Teleport 14 deprecates the `trusted_cluster_token.create` audit event, replacing it with a new `join_token.create` event. The new event is emitted when any join token is created, whether it be for trusted clusters or other Teleport services.
Teleport 14 will emit both events when a trusted cluster join token is created. Starting in Teleport 15, the `trusted_cluster_token.create` event will no longer be emitted.
Other changes
DynamoDB billing mode defaults to on-demand
In Teleport 14, when creating new DynamoDB tables, Teleport will now create them with the billing mode set to `pay_per_request` instead of provisioned mode. The old behavior can be restored by setting the `billing_mode` option in the storage configuration.
Default role version is v7
The default role version in Teleport 14 is `v7`, which enables support for extended Kubernetes per-resource RBAC and changes the `kubernetes_resources` default to wildcard for a better getting-started experience.
You can review role versions in the documentation.
Stricter name validation for auto-discovered databases
In Teleport 14, database discovery via the `db_service` config enforces the same name validation as for databases created via tctl, static config, and `discovery_service`.
As such, database names in AWS, GCP and Azure must start with a letter, contain only letters, digits, and hyphens, and end with a letter or digit (no trailing hyphens).
Access Request API changes
Teleport 14 introduces a new and more secure API for submitting access requests. As a result, tsh users may be prompted to upgrade their clients before submitting an access request.
Desktop discovery name change
Desktops discovered via LDAP will have a short suffix appended to their name to ensure uniqueness. Users will notice duplicate desktops (with and without the suffix) for up to an hour after upgrading. Connectivity to desktops will not be affected, and the old record will naturally expire after 1 hour.
Machine ID: New configuration schema
Teleport 14 introduces a new configuration schema (v2) for Machine ID's agent `tbot`. The new schema is designed to be simpler, more explicit and more extensible. `tbot` will continue to support the v1 schema for several Teleport versions, but it is recommended that you migrate to v2 as soon as possible to benefit from new Machine ID features.
For more details and guidance on how to upgrade to v2, see docs.
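The symlink restriction on `~/.tsh/environment` described under the breaking changes above, as an added Go example that is not Teleport's code: `HasSymlinkComponent` lstat's every path component from the root down, and `ReadEnvFile` refuses to load the file when any component (not only the final one) is a link. Both function names are this example's own, and POSIX paths are assumed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrSymlinkInPath is returned when some component of the path is a symlink.
var ErrSymlinkInPath = errors.New("path contains a symlink")

// HasSymlinkComponent walks an absolute POSIX path from the root down and
// reports whether any component, directories included, is a symbolic link.
// Lstat inspects the entry itself rather than its target; a component that
// does not exist cannot be a link and ends the walk.
func HasSymlinkComponent(path string) (bool, error) {
	abs, err := filepath.Abs(path)
	if err != nil {
		return false, err
	}
	cur := string(filepath.Separator)
	for _, part := range strings.Split(abs, string(filepath.Separator)) {
		if part == "" {
			continue
		}
		cur = filepath.Join(cur, part)
		fi, err := os.Lstat(cur)
		if os.IsNotExist(err) {
			return false, nil
		}
		if err != nil {
			return false, err
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return true, nil
		}
	}
	return false, nil
}

// ReadEnvFile loads a ~/.tsh/environment-style file only when no part of its
// path is a symlink (assumed helper mirroring the Teleport 14 restriction).
func ReadEnvFile(path string) ([]byte, error) {
	linked, err := HasSymlinkComponent(path)
	if err != nil {
		return nil, err
	}
	if linked {
		return nil, fmt.Errorf("refusing to load %s: %w", path, ErrSymlinkInPath)
	}
	return os.ReadFile(path)
}

func main() {
	home, _ := os.UserHomeDir()
	_, err := ReadEnvFile(filepath.Join(home, ".tsh", "environment"))
	fmt.Println("load result:", err)
}
```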
Download
Download the current and previous releases of Teleport at https://goteleport.com/download.
v13.4.11: Teleport 13.4.11 (Compare Source)
Description
- `/webapi/presetroles`. #35462
- `--fips` flag. #35111
- `tsh db connect <mongodb>` to give reason on connection errors. #34909
Download
Download the current and previous releases of Teleport at https://goteleport.com/download.
v13.4.10: Teleport 13.4.10 (Compare Source)
Description
- `tctl auth sign --tar` #34822
Download
Download the current and previous releases of Teleport at https://goteleport.com/download.
v13.4.9: Teleport 13.4.9 (Compare Source)
Description
- `.tsh/environment` values from overriding prior set values. #34625
Download
Download the current and previous releases of Teleport at https://goteleport.com/download.
v13.4.8 (Compare Source)
v13.4.7: Teleport 13.4.7 (Compare Source)
Description
This release contains two security fixes, plus numerous other fixes and improvements.
Security Fixes
[Medium] Arbitrary code execution with `LD_PRELOAD` and `SFTP`
Teleport implements SFTP using a subcommand. Prior to this release it was possible to inject environment variables into the execution of this subcommand, via shell init scripts or via the SSH environment request.
This is addressed by preventing `LD_PRELOAD` and other dangerous environment variables from being forwarded during re-exec.
#34275
[Medium] Outbound SSH from Proxy can lead to IP spoofing
If the Teleport auth or proxy services are configured to accept `PROXY` protocol headers, a malicious actor can use this to spoof their IP address.
This is addressed by requiring that the first bytes of any SSH connection are the SSH protocol prefix, denying a malicious actor the opportunity to send their own proxy headers.
#33730
Other Fixes & Improvements
- `bash` instead of `sh` #34143
- `host:port` to `tsh puttyconfig` #33884
- `tsh aws ecs execute-command` would always fail #33832
Download
Download the current and previous releases of Teleport at https://goteleport.com/download.
labels: security-patch=yes
v13.4.6 (Compare Source)
v13.4.5: Teleport 13.4.5 (Compare Source)
Description
- `tsh` to accept `--proxy` values with `https://` prefixes #33647
Enhanced PuTTY/WinSCP Support
`tsh` on Windows now supports the `tsh puttyconfig` command, which can easily configure saved sessions inside the well-known PuTTY and WinSCP clients to connect to Teleport SSH services.
Download
Download the current and previous releases of Teleport at https://goteleport.com/download.
v13.4.4: Teleport 13.4.4 (Compare Source)
Description
- `tsh` or running `tsh status`. #33469
Security fixes
- `google.golang.org/grpc` to v1.57.1. #33488
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.