Release 14.3.33

gravitational · Oct 30, 2024 · 249c542 · 249c542
1 parent 53b8ba8
commit 249c542
Show file tree

Hide file tree

Showing 17 changed files with 131 additions and 104 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,32 @@
 # Changelog
 
+## 14.3.33 (10/30/24)
+
+* Fixed a bug in the External Audit Storage bootstrap script that broke S3 bucket creation. [#48179](https://github.com/gravitational/teleport/pull/48179)
+* During the Set Up Access of the Enroll New Resource flows, Okta users will be asked to change the role instead of entering the principals and getting an error afterwards. [#47959](https://github.com/gravitational/teleport/pull/47959)
+* Fixed `teleport_connected_resource` metric overshooting after keepalive errors. [#47951](https://github.com/gravitational/teleport/pull/47951)
+* Fixed an issue preventing connections with users whose configured home directories were inaccessible. [#47918](https://github.com/gravitational/teleport/pull/47918)
+* Auto-enroll may be locally disabled using the `TELEPORT_DEVICE_AUTO_ENROLL_DISABLED=1` environment variable. [#47718](https://github.com/gravitational/teleport/pull/47718)
+* Alter ServiceAccounts in the teleport-cluster Helm chart to automatically disable mounting of service account tokens on newer Kubernetes distributions, helping satisfy security linters. [#47701](https://github.com/gravitational/teleport/pull/47701)
+* Avoid tsh auto-enroll escalation in machines without a TPM. [#47697](https://github.com/gravitational/teleport/pull/47697)
+* Postgres database session start events now include the Postgres backend PID for the session. [#47645](https://github.com/gravitational/teleport/pull/47645)
+* Fixes a bug where Let's Encrypt certificate renewal failed in AMI and HA deployments due to insufficient disk space caused by syncing audit logs. [#47623](https://github.com/gravitational/teleport/pull/47623)
+* Adds support for custom SQS consumer lock name and disabling a consumer. [#47612](https://github.com/gravitational/teleport/pull/47612)
+* Include host name instead of host uuid in error messages when SSH connections are prevented due to an invalid login. [#47603](https://github.com/gravitational/teleport/pull/47603)
+* Allow using a custom database for Firestore backends. [#47585](https://github.com/gravitational/teleport/pull/47585)
+* Extended Teleport Discovery Service to support resource discovery across all projects accessible by the service account. [#47566](https://github.com/gravitational/teleport/pull/47566)
+* Fixed a bug that could allow users to list active sessions even when prohibited by RBAC. [#47562](https://github.com/gravitational/teleport/pull/47562)
+* The `tctl tokens ls` command redacts secret join tokens by default. To include the token values, provide the new `--with-secrets` flag. [#47547](https://github.com/gravitational/teleport/pull/47547)
+* Fixed an issue with the Microsoft license negotiation for RDP sessions. [#47544](https://github.com/gravitational/teleport/pull/47544)
+* Fixed a bug where tsh logout failed to parse flags passed with spaces. [#47461](https://github.com/gravitational/teleport/pull/47461)
+* Added kubeconfig context name to the output table of `tsh proxy kube` command for enhanced clarity. [#47381](https://github.com/gravitational/teleport/pull/47381)
+* Improve error messaging when connections to offline agents are attempted. [#47363](https://github.com/gravitational/teleport/pull/47363)
+* Teleport Connect for Linux now requires glibc 2.31 or later. [#47264](https://github.com/gravitational/teleport/pull/47264)
+* Updates self-hosted db discover flow to generate 2190h TTL certs, not 12h. [#47128](https://github.com/gravitational/teleport/pull/47128)
+
+Enterprise:
+* Device auto-enroll failures are now recorded in the audit log.
+
 ## 14.3.32 (10/03/24)
 
 * Fixes an issue preventing access requests from displaying user friendly resource names. [#47110](https://github.com/gravitational/teleport/pull/47110)

diff --git a/Makefile b/Makefile
@@ -11,7 +11,7 @@
 #   Stable releases:   "1.0.0"
 #   Pre-releases:      "1.0.0-alpha.1", "1.0.0-beta.2", "1.0.0-rc.3"
 #   Master/dev branch: "1.0.0-dev"
-VERSION=14.3.32
+VERSION=14.3.33
 
 DOCKER_IMAGE ?= teleport
 

diff --git a/api/version.go b/api/version.go
diff --git a/build.assets/macos/tsh/tsh.app/Contents/Info.plist b/build.assets/macos/tsh/tsh.app/Contents/Info.plist
@@ -19,13 +19,13 @@
 		<key>CFBundlePackageType</key>
 		<string>APPL</string>
 		<key>CFBundleShortVersionString</key>
-		<string>14.3.32</string>
+		<string>14.3.33</string>
 		<key>CFBundleSupportedPlatforms</key>
 		<array>
 			<string>MacOSX</string>
 		</array>
 		<key>CFBundleVersion</key>
-		<string>14.3.32</string>
+		<string>14.3.33</string>
 		<key>DTCompiler</key>
 		<string>com.apple.compilers.llvm.clang.1_0</string>
 		<key>DTPlatformBuild</key>

diff --git a/build.assets/macos/tshdev/tsh.app/Contents/Info.plist b/build.assets/macos/tshdev/tsh.app/Contents/Info.plist
@@ -17,13 +17,13 @@
 		<key>CFBundlePackageType</key>
 		<string>APPL</string>
 		<key>CFBundleShortVersionString</key>
-		<string>14.3.32</string>
+		<string>14.3.33</string>
 		<key>CFBundleSupportedPlatforms</key>
 		<array>
 			<string>MacOSX</string>
 		</array>
 		<key>CFBundleVersion</key>
-		<string>14.3.32</string>
+		<string>14.3.33</string>
 		<key>DTCompiler</key>
 		<string>com.apple.compilers.llvm.clang.1_0</string>
 		<key>DTPlatformBuild</key>

diff --git a/examples/chart/teleport-cluster/Chart.yaml b/examples/chart/teleport-cluster/Chart.yaml
@@ -1,4 +1,4 @@
-.version: &version "14.3.32"
+.version: &version "14.3.33"
 
 name: teleport-cluster
 apiVersion: v2

diff --git a/examples/chart/teleport-cluster/charts/teleport-operator/Chart.yaml b/examples/chart/teleport-cluster/charts/teleport-operator/Chart.yaml
@@ -1,4 +1,4 @@
-.version: &version "14.3.32"
+.version: &version "14.3.33"
 
 name: teleport-operator
 apiVersion: v2

diff --git a/examples/chart/teleport-cluster/tests/__snapshot__/auth_clusterrole_test.yaml.snap b/examples/chart/teleport-cluster/tests/__snapshot__/auth_clusterrole_test.yaml.snap
@@ -8,8 +8,8 @@ adds operator permissions to ClusterRole:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-cluster
-        app.kubernetes.io/version: 14.3.32
-        helm.sh/chart: teleport-cluster-14.3.32
+        app.kubernetes.io/version: 14.3.33
+        helm.sh/chart: teleport-cluster-14.3.33
         teleport.dev/majorVersion: "14"
       name: RELEASE-NAME
     rules:

diff --git a/examples/chart/teleport-cluster/tests/__snapshot__/auth_config_test.yaml.snap b/examples/chart/teleport-cluster/tests/__snapshot__/auth_config_test.yaml.snap
@@ -1797,8 +1797,8 @@ sets clusterDomain on Configmap:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-cluster
-        app.kubernetes.io/version: 14.3.32
-        helm.sh/chart: teleport-cluster-14.3.32
+        app.kubernetes.io/version: 14.3.33
+        helm.sh/chart: teleport-cluster-14.3.33
         teleport.dev/majorVersion: "14"
       name: RELEASE-NAME-auth
       namespace: NAMESPACE

diff --git a/examples/chart/teleport-cluster/tests/__snapshot__/auth_deployment_test.yaml.snap b/examples/chart/teleport-cluster/tests/__snapshot__/auth_deployment_test.yaml.snap
@@ -1,6 +1,6 @@
 should add an operator side-car when operator is enabled:
   1: |
-    image: public.ecr.aws/gravitational/teleport-operator:14.3.32
+    image: public.ecr.aws/gravitational/teleport-operator:14.3.33
     imagePullPolicy: IfNotPresent
     livenessProbe:
       httpGet:
@@ -41,7 +41,7 @@ should add an operator side-car when operator is enabled:
     - args:
       - --diag-addr=0.0.0.0:3000
       - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
-      image: public.ecr.aws/gravitational/teleport-distroless:14.3.32
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.33
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -174,7 +174,7 @@ should set nodeSelector when set in values:
     - args:
       - --diag-addr=0.0.0.0:3000
       - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
-      image: public.ecr.aws/gravitational/teleport-distroless:14.3.32
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.33
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -271,7 +271,7 @@ should set resources when set in values:
     - args:
       - --diag-addr=0.0.0.0:3000
       - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
-      image: public.ecr.aws/gravitational/teleport-distroless:14.3.32
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.33
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -357,7 +357,7 @@ should set securityContext when set in values:
     - args:
       - --diag-addr=0.0.0.0:3000
       - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
-      image: public.ecr.aws/gravitational/teleport-distroless:14.3.32
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.33
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:

diff --git a/examples/chart/teleport-cluster/tests/__snapshot__/proxy_config_test.yaml.snap b/examples/chart/teleport-cluster/tests/__snapshot__/proxy_config_test.yaml.snap
@@ -567,8 +567,8 @@ sets clusterDomain on Configmap:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-cluster
-        app.kubernetes.io/version: 14.3.32
-        helm.sh/chart: teleport-cluster-14.3.32
+        app.kubernetes.io/version: 14.3.33
+        helm.sh/chart: teleport-cluster-14.3.33
         teleport.dev/majorVersion: "14"
       name: RELEASE-NAME-proxy
       namespace: NAMESPACE
diff --git a/examples/chart/teleport-cluster/tests/__snapshot__/proxy_deployment_test.yaml.snap b/examples/chart/teleport-cluster/tests/__snapshot__/proxy_deployment_test.yaml.snap
@@ -11,8 +11,8 @@ sets clusterDomain on Deployment Pods:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-cluster
-        app.kubernetes.io/version: 14.3.32
-        helm.sh/chart: teleport-cluster-14.3.32
+        app.kubernetes.io/version: 14.3.33
+        helm.sh/chart: teleport-cluster-14.3.33
         teleport.dev/majorVersion: "14"
       name: RELEASE-NAME-proxy
       namespace: NAMESPACE
@@ -26,16 +26,16 @@ sets clusterDomain on Deployment Pods:
       template:
         metadata:
           annotations:
-            checksum/config: 75a5fce8eb5dc94193c7eaf8a5bbcef77dab3e1b320ab45ff2e8dc5cbbca24bc
+            checksum/config: f7106583f842c0c8420a999ea1f7f57be18184cb5688bb9c59d0cf769a824842
             kubernetes.io/pod: test-annotation
             kubernetes.io/pod-different: 4
           labels:
             app.kubernetes.io/component: proxy
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-cluster
-            app.kubernetes.io/version: 14.3.32
-            helm.sh/chart: teleport-cluster-14.3.32
+            app.kubernetes.io/version: 14.3.33
+            helm.sh/chart: teleport-cluster-14.3.33
             teleport.dev/majorVersion: "14"
         spec:
           affinity:
@@ -44,7 +44,7 @@ sets clusterDomain on Deployment Pods:
           containers:
           - args:
             - --diag-addr=0.0.0.0:3000
-            image: public.ecr.aws/gravitational/teleport-distroless:14.3.32
+            image: public.ecr.aws/gravitational/teleport-distroless:14.3.33
             imagePullPolicy: IfNotPresent
             lifecycle:
               preStop:
@@ -105,7 +105,7 @@ sets clusterDomain on Deployment Pods:
             - wait
             - no-resolve
             - RELEASE-NAME-auth-v13.NAMESPACE.svc.test.com
-            image: public.ecr.aws/gravitational/teleport-distroless:14.3.32
+            image: public.ecr.aws/gravitational/teleport-distroless:14.3.33
             name: wait-auth-update
           serviceAccountName: RELEASE-NAME-proxy
           terminationGracePeriodSeconds: 60
@@ -137,7 +137,7 @@ should provision initContainer correctly when set in values:
       - wait
       - no-resolve
       - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport-distroless:14.3.32
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.33
       name: wait-auth-update
     - args:
       - echo test
@@ -194,7 +194,7 @@ should set nodeSelector when set in values:
     containers:
     - args:
       - --diag-addr=0.0.0.0:3000
-      image: public.ecr.aws/gravitational/teleport-distroless:14.3.32
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.33
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -255,7 +255,7 @@ should set nodeSelector when set in values:
       - wait
       - no-resolve
       - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport-distroless:14.3.32
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.33
       name: wait-auth-update
     nodeSelector:
       environment: security
@@ -306,7 +306,7 @@ should set resources when set in values:
     containers:
     - args:
       - --diag-addr=0.0.0.0:3000
-      image: public.ecr.aws/gravitational/teleport-distroless:14.3.32
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.33
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -374,7 +374,7 @@ should set resources when set in values:
       - wait
       - no-resolve
       - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport-distroless:14.3.32
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.33
       name: wait-auth-update
     serviceAccountName: RELEASE-NAME-proxy
     terminationGracePeriodSeconds: 60
@@ -407,7 +407,7 @@ should set securityContext for initContainers when set in values:
     containers:
     - args:
       - --diag-addr=0.0.0.0:3000
-      image: public.ecr.aws/gravitational/teleport-distroless:14.3.32
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.33
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -475,7 +475,7 @@ should set securityContext for initContainers when set in values:
       - wait
       - no-resolve
       - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport-distroless:14.3.32
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.33
       name: wait-auth-update
       securityContext:
         allowPrivilegeEscalation: false
@@ -515,7 +515,7 @@ should set securityContext when set in values:
     containers:
     - args:
       - --diag-addr=0.0.0.0:3000
-      image: public.ecr.aws/gravitational/teleport-distroless:14.3.32
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.33
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -583,7 +583,7 @@ should set securityContext when set in values:
       - wait
       - no-resolve
       - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport-distroless:14.3.32
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.33
       name: wait-auth-update
       securityContext:
         allowPrivilegeEscalation: false

diff --git a/examples/chart/teleport-kube-agent/Chart.yaml b/examples/chart/teleport-kube-agent/Chart.yaml
@@ -1,4 +1,4 @@
-.version: &version "14.3.32"
+.version: &version "14.3.33"
 
 name: teleport-kube-agent
 apiVersion: v2