gravitational · camscale · Apr 24, 2024 · Apr 24, 2024
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,22 +1,34 @@
 # Changelog
 
-## 15.2.3 (04/19/24)
-
-* Fixed spurious ambiguous host errors in SSH routing. [#40706](https://github.com/gravitational/teleport/pull/40706)
-* Patch `CVE-2023-45288` and `CVE-2024-32473`. [#40695](https://github.com/gravitational/teleport/pull/40695)
+## 15.2.4 (04/23/24)
+
+* Fixed a deprecation warning being shown when `tbot` is used with OpenSSH. [#40837](https://github.com/gravitational/teleport/pull/40837)
+* Added a new Audit log event that is emitted when an Agent or Bot request to join the cluster is denied. [#40814](https://github.com/gravitational/teleport/pull/40814)
+* Fixed regenerating cloud account recovery codes. [#40786](https://github.com/gravitational/teleport/pull/40786)
+* Changed UI for the sign-up and authentication reset flows. [#40773](https://github.com/gravitational/teleport/pull/40773)
+* Added a new Prometheus metric to track requests initiated by Teleport against the control plane API. [#40754](https://github.com/gravitational/teleport/pull/40754)
+* Fixed an issue that prevented uploading a zip file larger than 10MiB when updating an AWS Lambda function via tsh app access. [#40737](https://github.com/gravitational/teleport/pull/40737)
+* Patched CVE-2024-32650. [#40735](https://github.com/gravitational/teleport/pull/40735)
+* Fixed possible data race that could lead to concurrent map read and map write while proxying Kubernetes requests. [#40720](https://github.com/gravitational/teleport/pull/40720)
+* Fixed access request promotion of windows_desktop resources. [#40712](https://github.com/gravitational/teleport/pull/40712)
+* Fixed spurious ambiguous host errors in ssh routing. [#40706](https://github.com/gravitational/teleport/pull/40706)
+* Patched CVE-2023-45288 and CVE-2024-32473. [#40695](https://github.com/gravitational/teleport/pull/40695)
+* generic "not found" errors are returned whether a remote cluster can't be found or access is denied. [#40681](https://github.com/gravitational/teleport/pull/40681)
 * Fixed a resource leak in the Teleport proxy server when using proxy peering. [#40672](https://github.com/gravitational/teleport/pull/40672)
+* Added Azure CLI access support on AKS with Entra Workload ID. [#40660](https://github.com/gravitational/teleport/pull/40660)
 * Allow other issue types when configuring JIRA plugin. [#40644](https://github.com/gravitational/teleport/pull/40644)
-* Add `regexp.match` to access request `filter` and `where` expressions. [#40642](https://github.com/gravitational/teleport/pull/40642)
-* Notify the requester in Slack review request messages. [#40624](https://github.com/gravitational/teleport/pull/40624)
+* Added `regexp.match` to access request `filter` and `where` expressions. [#40642](https://github.com/gravitational/teleport/pull/40642)
+* Notify the requester in slack review request messages. [#40624](https://github.com/gravitational/teleport/pull/40624)
 * Handle passwordless in MFA audit events. [#40617](https://github.com/gravitational/teleport/pull/40617)
-* Add auto discover capability to EC2 enrollment in the web UI. [#40605](https://github.com/gravitational/teleport/pull/40605)
+* Added auto discover capability to EC2 enrollment in the web UI. [#40605](https://github.com/gravitational/teleport/pull/40605)
 * Fixes RDP licensing. [#40595](https://github.com/gravitational/teleport/pull/40595)
-* Adds support for the ASCII variants of smartcard calls. [#40566](https://github.com/gravitational/teleport/pull/40566)
-* Adds the ability to configure labels that should be set on the Kubernetes secret when using the `kubernetes_secret` destination in `tbot`. [#40550](https://github.com/gravitational/teleport/pull/40550)
-* Update cosign to address `CVE-2024-29902` and `CVE-2024-29903`. [#40497](https://github.com/gravitational/teleport/pull/40497)
-* Improve the responsiveness of the session player during long periods of idle time. [#40442](https://github.com/gravitational/teleport/pull/40442)
-* Fix incorrect format for `database_object_import_rule` resources with non-empty expiry. [#40203](https://github.com/gravitational/teleport/pull/40203)
-* Update Opsgenie annotations so approve-schedules is used for both alert creation and auto approval if notify schedules is not set. [#40121](https://github.com/gravitational/teleport/pull/40121)
+* Added support for the ascii variants of smartcard calls. [#40566](https://github.com/gravitational/teleport/pull/40566)
+* Added the ability to configure labels that should be set on the Kubernetes secret when using the `kubernetes_secret` destination in `tbot`. [#40550](https://github.com/gravitational/teleport/pull/40550)
+* Updated cosign to address CVE-2024-29902 and CVE-2024-29903. [#40497](https://github.com/gravitational/teleport/pull/40497)
+* The Web UI now supports large number of roles by paginating them. [#40463](https://github.com/gravitational/teleport/pull/40463)
+* Improved the responsiveness of the session player during long periods of idle time. [#40442](https://github.com/gravitational/teleport/pull/40442)
+* Fixed incorrect format for database_object_import_rule resources with non-empty expiry. [#40203](https://github.com/gravitational/teleport/pull/40203)
+* Updated Opsgenie annotations so approve-schedules is used for both alert creation and auto approval if notify schedules is not set. [#40121](https://github.com/gravitational/teleport/pull/40121)
 
 ## 15.2.2 (04/11/24)
 

diff --git a/Makefile b/Makefile
@@ -11,7 +11,7 @@
 #   Stable releases:   "1.0.0"
 #   Pre-releases:      "1.0.0-alpha.1", "1.0.0-beta.2", "1.0.0-rc.3"
 #   Master/dev branch: "1.0.0-dev"
-VERSION=15.2.3
+VERSION=15.2.4
 
 DOCKER_IMAGE ?= teleport
 

diff --git a/api/version.go b/api/version.go
diff --git a/build.assets/macos/tsh/tsh.app/Contents/Info.plist b/build.assets/macos/tsh/tsh.app/Contents/Info.plist
@@ -19,13 +19,13 @@
 		<key>CFBundlePackageType</key>
 		<string>APPL</string>
 		<key>CFBundleShortVersionString</key>
-		<string>15.2.3</string>
+		<string>15.2.4</string>
 		<key>CFBundleSupportedPlatforms</key>
 		<array>
 			<string>MacOSX</string>
 		</array>
 		<key>CFBundleVersion</key>
-		<string>15.2.3</string>
+		<string>15.2.4</string>
 		<key>DTCompiler</key>
 		<string>com.apple.compilers.llvm.clang.1_0</string>
 		<key>DTPlatformBuild</key>

diff --git a/build.assets/macos/tshdev/tsh.app/Contents/Info.plist b/build.assets/macos/tshdev/tsh.app/Contents/Info.plist
@@ -17,13 +17,13 @@
 		<key>CFBundlePackageType</key>
 		<string>APPL</string>
 		<key>CFBundleShortVersionString</key>
-		<string>15.2.3</string>
+		<string>15.2.4</string>
 		<key>CFBundleSupportedPlatforms</key>
 		<array>
 			<string>MacOSX</string>
 		</array>
 		<key>CFBundleVersion</key>
-		<string>15.2.3</string>
+		<string>15.2.4</string>
 		<key>DTCompiler</key>
 		<string>com.apple.compilers.llvm.clang.1_0</string>
 		<key>DTPlatformBuild</key>

diff --git a/docs/cspell.json b/docs/cspell.json
@@ -60,6 +60,7 @@
     "ERRO",
     "Elastcsearch",
     "Elasticvue",
+    "Entra",
     "Exfiltrate",
     "Exrch",
     "FGHIJ",

diff --git a/examples/chart/access/discord/Chart.yaml b/examples/chart/access/discord/Chart.yaml
@@ -1,4 +1,4 @@
-.version: &version "16.0.0-dev"
+.version: &version "15.2.4"
 
 apiVersion: v2
 name: teleport-plugin-discord

diff --git a/examples/chart/access/discord/tests/__snapshot__/configmap_test.yaml.snap b/examples/chart/access/discord/tests/__snapshot__/configmap_test.yaml.snap
@@ -24,6 +24,6 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-discord
-        app.kubernetes.io/version: 16.0.0-dev
-        helm.sh/chart: teleport-plugin-discord-16.0.0-dev
+        app.kubernetes.io/version: 15.2.4
+        helm.sh/chart: teleport-plugin-discord-15.2.4
       name: RELEASE-NAME-teleport-plugin-discord
diff --git a/examples/chart/access/discord/tests/__snapshot__/deployment_test.yaml.snap b/examples/chart/access/discord/tests/__snapshot__/deployment_test.yaml.snap
@@ -7,8 +7,8 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-discord
-        app.kubernetes.io/version: 16.0.0-dev
-        helm.sh/chart: teleport-plugin-discord-16.0.0-dev
+        app.kubernetes.io/version: 15.2.4
+        helm.sh/chart: teleport-plugin-discord-15.2.4
       name: RELEASE-NAME-teleport-plugin-discord
     spec:
       replicas: 1
@@ -22,8 +22,8 @@ should match the snapshot:
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-discord
-            app.kubernetes.io/version: 16.0.0-dev
-            helm.sh/chart: teleport-plugin-discord-16.0.0-dev
+            app.kubernetes.io/version: 15.2.4
+            helm.sh/chart: teleport-plugin-discord-15.2.4
         spec:
           containers:
           - command:

diff --git a/examples/chart/access/email/Chart.yaml b/examples/chart/access/email/Chart.yaml
@@ -1,4 +1,4 @@
-.version: &version "16.0.0-dev"
+.version: &version "15.2.4"
 
 apiVersion: v2
 name: teleport-plugin-email

diff --git a/examples/chart/access/email/tests/__snapshot__/configmap_test.yaml.snap b/examples/chart/access/email/tests/__snapshot__/configmap_test.yaml.snap
@@ -26,8 +26,8 @@ should match the snapshot (mailgun on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.0.0-dev
-        helm.sh/chart: teleport-plugin-email-16.0.0-dev
+        app.kubernetes.io/version: 15.2.4
+        helm.sh/chart: teleport-plugin-email-15.2.4
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on):
   1: |
@@ -59,8 +59,8 @@ should match the snapshot (smtp on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.0.0-dev
-        helm.sh/chart: teleport-plugin-email-16.0.0-dev
+        app.kubernetes.io/version: 15.2.4
+        helm.sh/chart: teleport-plugin-email-15.2.4
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, no starttls):
   1: |
@@ -92,8 +92,8 @@ should match the snapshot (smtp on, no starttls):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.0.0-dev
-        helm.sh/chart: teleport-plugin-email-16.0.0-dev
+        app.kubernetes.io/version: 15.2.4
+        helm.sh/chart: teleport-plugin-email-15.2.4
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, password file):
   1: |
@@ -125,8 +125,8 @@ should match the snapshot (smtp on, password file):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.0.0-dev
-        helm.sh/chart: teleport-plugin-email-16.0.0-dev
+        app.kubernetes.io/version: 15.2.4
+        helm.sh/chart: teleport-plugin-email-15.2.4
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, roleToRecipients set):
   1: |
@@ -161,8 +161,8 @@ should match the snapshot (smtp on, roleToRecipients set):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.0.0-dev
-        helm.sh/chart: teleport-plugin-email-16.0.0-dev
+        app.kubernetes.io/version: 15.2.4
+        helm.sh/chart: teleport-plugin-email-15.2.4
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, starttls disabled):
   1: |
@@ -194,6 +194,6 @@ should match the snapshot (smtp on, starttls disabled):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.0.0-dev
-        helm.sh/chart: teleport-plugin-email-16.0.0-dev
+        app.kubernetes.io/version: 15.2.4
+        helm.sh/chart: teleport-plugin-email-15.2.4
       name: RELEASE-NAME-teleport-plugin-email
diff --git a/examples/chart/access/email/tests/__snapshot__/deployment_test.yaml.snap b/examples/chart/access/email/tests/__snapshot__/deployment_test.yaml.snap
@@ -7,8 +7,8 @@ should be possible to override volume name (smtp on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.0.0-dev
-        helm.sh/chart: teleport-plugin-email-16.0.0-dev
+        app.kubernetes.io/version: 15.2.4
+        helm.sh/chart: teleport-plugin-email-15.2.4
       name: RELEASE-NAME-teleport-plugin-email
     spec:
       replicas: 1
@@ -22,8 +22,8 @@ should be possible to override volume name (smtp on):
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-email
-            app.kubernetes.io/version: 16.0.0-dev
-            helm.sh/chart: teleport-plugin-email-16.0.0-dev
+            app.kubernetes.io/version: 15.2.4
+            helm.sh/chart: teleport-plugin-email-15.2.4
         spec:
           containers:
           - command:
@@ -34,7 +34,7 @@ should be possible to override volume name (smtp on):
             env:
             - name: TELEPORT_PLUGIN_FAIL_FAST
               value: "true"
-            image: public.ecr.aws/gravitational/teleport-plugin-email:16.0.0-dev
+            image: public.ecr.aws/gravitational/teleport-plugin-email:15.2.4
             imagePullPolicy: IfNotPresent
             name: teleport-plugin-email
             ports:
@@ -75,8 +75,8 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.0.0-dev
-        helm.sh/chart: teleport-plugin-email-16.0.0-dev
+        app.kubernetes.io/version: 15.2.4
+        helm.sh/chart: teleport-plugin-email-15.2.4
       name: RELEASE-NAME-teleport-plugin-email
     spec:
       replicas: 1
@@ -90,8 +90,8 @@ should match the snapshot:
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-email
-            app.kubernetes.io/version: 16.0.0-dev
-            helm.sh/chart: teleport-plugin-email-16.0.0-dev
+            app.kubernetes.io/version: 15.2.4
+            helm.sh/chart: teleport-plugin-email-15.2.4
         spec:
           containers:
           - command:
@@ -136,8 +136,8 @@ should match the snapshot (mailgun on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.0.0-dev
-        helm.sh/chart: teleport-plugin-email-16.0.0-dev
+        app.kubernetes.io/version: 15.2.4
+        helm.sh/chart: teleport-plugin-email-15.2.4
       name: RELEASE-NAME-teleport-plugin-email
     spec:
       replicas: 1
@@ -151,8 +151,8 @@ should match the snapshot (mailgun on):
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-email
-            app.kubernetes.io/version: 16.0.0-dev
-            helm.sh/chart: teleport-plugin-email-16.0.0-dev
+            app.kubernetes.io/version: 15.2.4
+            helm.sh/chart: teleport-plugin-email-15.2.4
         spec:
           containers:
           - command:
@@ -163,7 +163,7 @@ should match the snapshot (mailgun on):
             env:
             - name: TELEPORT_PLUGIN_FAIL_FAST
               value: "true"
-            image: public.ecr.aws/gravitational/teleport-plugin-email:16.0.0-dev
+            image: public.ecr.aws/gravitational/teleport-plugin-email:15.2.4
             imagePullPolicy: IfNotPresent
             name: teleport-plugin-email
             ports:
@@ -204,8 +204,8 @@ should match the snapshot (smtp on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.0.0-dev
-        helm.sh/chart: teleport-plugin-email-16.0.0-dev
+        app.kubernetes.io/version: 15.2.4
+        helm.sh/chart: teleport-plugin-email-15.2.4
       name: RELEASE-NAME-teleport-plugin-email
     spec:
       replicas: 1
@@ -219,8 +219,8 @@ should match the snapshot (smtp on):
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-email
-            app.kubernetes.io/version: 16.0.0-dev
-            helm.sh/chart: teleport-plugin-email-16.0.0-dev
+            app.kubernetes.io/version: 15.2.4
+            helm.sh/chart: teleport-plugin-email-15.2.4
         spec:
           containers:
           - command:
@@ -231,7 +231,7 @@ should match the snapshot (smtp on):
             env:
             - name: TELEPORT_PLUGIN_FAIL_FAST
               value: "true"
-            image: public.ecr.aws/gravitational/teleport-plugin-email:16.0.0-dev
+            image: public.ecr.aws/gravitational/teleport-plugin-email:15.2.4
             imagePullPolicy: IfNotPresent
             name: teleport-plugin-email
             ports:
@@ -272,8 +272,8 @@ should mount external secret (mailgun on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.0.0-dev
-        helm.sh/chart: teleport-plugin-email-16.0.0-dev
+        app.kubernetes.io/version: 15.2.4
+        helm.sh/chart: teleport-plugin-email-15.2.4
       name: RELEASE-NAME-teleport-plugin-email
     spec:
       replicas: 1
@@ -287,8 +287,8 @@ should mount external secret (mailgun on):
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-email
-            app.kubernetes.io/version: 16.0.0-dev
-            helm.sh/chart: teleport-plugin-email-16.0.0-dev
+            app.kubernetes.io/version: 15.2.4
+            helm.sh/chart: teleport-plugin-email-15.2.4
         spec:
           containers:
           - command:
@@ -299,7 +299,7 @@ should mount external secret (mailgun on):
             env:
             - name: TELEPORT_PLUGIN_FAIL_FAST
               value: "true"
-            image: public.ecr.aws/gravitational/teleport-plugin-email:16.0.0-dev
+            image: public.ecr.aws/gravitational/teleport-plugin-email:15.2.4
             imagePullPolicy: IfNotPresent
             name: teleport-plugin-email
             ports:
@@ -340,8 +340,8 @@ should mount external secret (smtp on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.0.0-dev
-        helm.sh/chart: teleport-plugin-email-16.0.0-dev
+        app.kubernetes.io/version: 15.2.4
+        helm.sh/chart: teleport-plugin-email-15.2.4
       name: RELEASE-NAME-teleport-plugin-email
     spec:
       replicas: 1
@@ -355,8 +355,8 @@ should mount external secret (smtp on):
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-email
-            app.kubernetes.io/version: 16.0.0-dev
-            helm.sh/chart: teleport-plugin-email-16.0.0-dev
+            app.kubernetes.io/version: 15.2.4
+            helm.sh/chart: teleport-plugin-email-15.2.4
         spec:
           containers:
           - command:
@@ -367,7 +367,7 @@ should mount external secret (smtp on):
             env:
             - name: TELEPORT_PLUGIN_FAIL_FAST
               value: "true"
-            image: public.ecr.aws/gravitational/teleport-plugin-email:16.0.0-dev
+            image: public.ecr.aws/gravitational/teleport-plugin-email:15.2.4
             imagePullPolicy: IfNotPresent
             name: teleport-plugin-email
             ports:

diff --git a/examples/chart/access/jira/Chart.yaml b/examples/chart/access/jira/Chart.yaml
@@ -1,4 +1,4 @@
-.version: &version "16.0.0-dev"
+.version: &version "15.2.4"
 
 apiVersion: v2
 name: teleport-plugin-jira