Release 15.4.0

CHANGELOG.md

@@ -1,21 +1,41 @@
 # Changelog
 
-## 15.3.8 (unreleased)
+## 15.4.0 (05/31/24)
 
+### Access requests notification routing rules
+
+Hosted Slack plugin users can now configure notification routing rules for
+role-based access requests.
+
+### Database access for Spanner
+
+Database access users can now connect to GCP Spanner.
+
+### Unix Workload Attestation
+
+*Delayed from Teleport 15.3.0*
+
+Teleport Workload ID now supports basic workload attestation on Unix systems,
+allowing cluster administrators to restrict the issuance of SVIDs to specific
+workloads based on UID/PID/GID.
+
+### Other improvements and fixes
+
+* Fixed an issue where mix-and-match of join tokens could interfere with some services appearing correctly in heartbeats. [#42189](https://github.com/gravitational/teleport/pull/42189)
+* Added an alternate EC2 auto discover flow using AWS Systems Manager as a more scalable method than EICE in the "Enroll New Resource" view in the web UI. [#42205](https://github.com/gravitational/teleport/pull/42205)
+* Fixed `kubectl exec` functionality when Teleport is running behind L7 load balancer. [#42192](https://github.com/gravitational/teleport/pull/42192)
+* Fixed the plugins AMR cache to be updated when Access requests are removed from the subject of an existing rule. [#42186](https://github.com/gravitational/teleport/pull/42186)
 * Improved temporary disk space usage for session recording processing. [#42174](https://github.com/gravitational/teleport/pull/42174)
 * Fixed a regression where Kubernetes Exec audit events were not properly populated and lacked error details. [#42145](https://github.com/gravitational/teleport/pull/42145)
-* Fix Azure join method when using Resource Groups in the allow section. [#42141](https://github.com/gravitational/teleport/pull/42141)
-* Fix userState forwarding in CreateSessionCert. [#42136](https://github.com/gravitational/teleport/pull/42136)
-* New commands for debugging/troubleshooting Teleport instances. `teleport debug set-log-level` enables changing the instance log level without a restart. Also, the `teleport debug profile` can collect pprof profiles. [#42122](https://github.com/gravitational/teleport/pull/42122)
-* Add ability to manage access monitoring rules via tctl. [#42092](https://github.com/gravitational/teleport/pull/42092)
+* Fixed Azure join method when using Resource Groups in the allow section. [#42141](https://github.com/gravitational/teleport/pull/42141)
+* Added new `teleport debug set-log-level / profile` commands changing instance log level without a restart and collecting pprof profiles. [#42122](https://github.com/gravitational/teleport/pull/42122)
+* Added ability to manage access monitoring rules via `tctl`. [#42092](https://github.com/gravitational/teleport/pull/42092)
+* Added access monitoring rule routing for slack access plugin. [#42087](https://github.com/gravitational/teleport/pull/42087)
 * Extended Discovery Service to self-bootstrap necessary permissions for Kubernetes Service to interact with the Kubernetes API on behalf of users. [#42075](https://github.com/gravitational/teleport/pull/42075)
 * Fixed resource leak in session recording cleanup. [#42066](https://github.com/gravitational/teleport/pull/42066)
-* Reduced memory and cpu usage after control plane restarts in clusters with a high number of roles. [#42062](https://github.com/gravitational/teleport/pull/42062)
-* Added an option to send a Ctrl+Alt+Del sequence to remote desktops. [#41720](https://github.com/gravitational/teleport/pull/41720)
+* Reduced memory and CPU usage after control plane restarts in clusters with a high number of roles. [#42062](https://github.com/gravitational/teleport/pull/42062)
+* Added an option to send a `Ctrl+Alt+Del` sequence to remote desktops. [#41720](https://github.com/gravitational/teleport/pull/41720)
 * Added support for GCP Spanner to Teleport Database Service. [#41349](https://github.com/gravitational/teleport/pull/41349)
-* Fixed "kubectl exec" functionality when Teleport is running behind L7 load balancer. [#42192](https://github.com/gravitational/teleport/pull/42192)
-* Fixed bug where the plugins AMR cache is not updated in the event Access requests are removed from the subject of an existing rule. [#42186](https://github.com/gravitational/teleport/pull/42186)
-* Added access monitoring rule routing for slack access plugin. [#42087](https://github.com/gravitational/teleport/pull/42087)
 
 ## 15.3.7 (05/23/24)
 

Makefile

@@ -11,7 +11,7 @@
 #   Stable releases:   "1.0.0"
 #   Pre-releases:      "1.0.0-alpha.1", "1.0.0-beta.2", "1.0.0-rc.3"
 #   Master/dev branch: "1.0.0-dev"
-VERSION=15.3.8-cloud.2
+VERSION=15.4.0
 
 DOCKER_IMAGE ?= teleport
 

build.assets/macos/tsh/tsh.app/Contents/Info.plist

@@ -19,13 +19,13 @@
 		<key>CFBundlePackageType</key>
 		<string>APPL</string>
 		<key>CFBundleShortVersionString</key>
-		<string>1.0</string>
+		<string>15.4.0</string>
 		<key>CFBundleSupportedPlatforms</key>
 		<array>
 			<string>MacOSX</string>
 		</array>
 		<key>CFBundleVersion</key>
-		<string>1.0</string>
+		<string>15.4.0</string>
 		<key>DTCompiler</key>
 		<string>com.apple.compilers.llvm.clang.1_0</string>
 		<key>DTPlatformBuild</key>

build.assets/macos/tshdev/tsh.app/Contents/Info.plist

@@ -17,13 +17,13 @@
 		<key>CFBundlePackageType</key>
 		<string>APPL</string>
 		<key>CFBundleShortVersionString</key>
-		<string>1.0</string>
+		<string>15.4.0</string>
 		<key>CFBundleSupportedPlatforms</key>
 		<array>
 			<string>MacOSX</string>
 		</array>
 		<key>CFBundleVersion</key>
-		<string>1.0</string>
+		<string>15.4.0</string>
 		<key>DTCompiler</key>
 		<string>com.apple.compilers.llvm.clang.1_0</string>
 		<key>DTPlatformBuild</key>

examples/chart/access/discord/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "15.3.8-cloud.2"
+.version: &version "15.4.0"
 
 apiVersion: v2
 name: teleport-plugin-discord

examples/chart/access/discord/tests/__snapshot__/configmap_test.yaml.snap

@@ -24,6 +24,6 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-discord
-        app.kubernetes.io/version: 15.3.8-cloud.2
-        helm.sh/chart: teleport-plugin-discord-15.3.8-cloud.2
+        app.kubernetes.io/version: 15.4.0
+        helm.sh/chart: teleport-plugin-discord-15.4.0
       name: RELEASE-NAME-teleport-plugin-discord

examples/chart/access/discord/tests/__snapshot__/deployment_test.yaml.snap

@@ -7,8 +7,8 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-discord
-        app.kubernetes.io/version: 15.3.8-cloud.2
-        helm.sh/chart: teleport-plugin-discord-15.3.8-cloud.2
+        app.kubernetes.io/version: 15.4.0
+        helm.sh/chart: teleport-plugin-discord-15.4.0
       name: RELEASE-NAME-teleport-plugin-discord
     spec:
       replicas: 1
@@ -22,8 +22,8 @@ should match the snapshot:
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-discord
-            app.kubernetes.io/version: 15.3.8-cloud.2
-            helm.sh/chart: teleport-plugin-discord-15.3.8-cloud.2
+            app.kubernetes.io/version: 15.4.0
+            helm.sh/chart: teleport-plugin-discord-15.4.0
         spec:
           containers:
           - command:

examples/chart/access/email/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "15.3.8-cloud.2"
+.version: &version "15.4.0"
 
 apiVersion: v2
 name: teleport-plugin-email

examples/chart/access/email/tests/__snapshot__/configmap_test.yaml.snap

@@ -26,8 +26,8 @@ should match the snapshot (mailgun on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 15.3.8-cloud.2
-        helm.sh/chart: teleport-plugin-email-15.3.8-cloud.2
+        app.kubernetes.io/version: 15.4.0
+        helm.sh/chart: teleport-plugin-email-15.4.0
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on):
   1: |
@@ -59,8 +59,8 @@ should match the snapshot (smtp on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 15.3.8-cloud.2
-        helm.sh/chart: teleport-plugin-email-15.3.8-cloud.2
+        app.kubernetes.io/version: 15.4.0
+        helm.sh/chart: teleport-plugin-email-15.4.0
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, no starttls):
   1: |
@@ -92,8 +92,8 @@ should match the snapshot (smtp on, no starttls):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 15.3.8-cloud.2
-        helm.sh/chart: teleport-plugin-email-15.3.8-cloud.2
+        app.kubernetes.io/version: 15.4.0
+        helm.sh/chart: teleport-plugin-email-15.4.0
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, password file):
   1: |
@@ -125,8 +125,8 @@ should match the snapshot (smtp on, password file):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 15.3.8-cloud.2
-        helm.sh/chart: teleport-plugin-email-15.3.8-cloud.2
+        app.kubernetes.io/version: 15.4.0
+        helm.sh/chart: teleport-plugin-email-15.4.0
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, roleToRecipients set):
   1: |
@@ -161,8 +161,8 @@ should match the snapshot (smtp on, roleToRecipients set):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 15.3.8-cloud.2
-        helm.sh/chart: teleport-plugin-email-15.3.8-cloud.2
+        app.kubernetes.io/version: 15.4.0
+        helm.sh/chart: teleport-plugin-email-15.4.0
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, starttls disabled):
   1: |
@@ -194,6 +194,6 @@ should match the snapshot (smtp on, starttls disabled):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 15.3.8-cloud.2
-        helm.sh/chart: teleport-plugin-email-15.3.8-cloud.2
+        app.kubernetes.io/version: 15.4.0
+        helm.sh/chart: teleport-plugin-email-15.4.0
       name: RELEASE-NAME-teleport-plugin-email

examples/chart/access/email/tests/__snapshot__/deployment_test.yaml.snap

@@ -7,8 +7,8 @@ should be possible to override volume name (smtp on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 15.3.8-cloud.2
-        helm.sh/chart: teleport-plugin-email-15.3.8-cloud.2
+        app.kubernetes.io/version: 15.4.0
+        helm.sh/chart: teleport-plugin-email-15.4.0
       name: RELEASE-NAME-teleport-plugin-email
     spec:
       replicas: 1
@@ -22,8 +22,8 @@ should be possible to override volume name (smtp on):
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-email
-            app.kubernetes.io/version: 15.3.8-cloud.2
-            helm.sh/chart: teleport-plugin-email-15.3.8-cloud.2
+            app.kubernetes.io/version: 15.4.0
+            helm.sh/chart: teleport-plugin-email-15.4.0
         spec:
           containers:
           - command:
@@ -34,7 +34,7 @@ should be possible to override volume name (smtp on):
             env:
             - name: TELEPORT_PLUGIN_FAIL_FAST
               value: "true"
-            image: public.ecr.aws/gravitational/teleport-plugin-email:15.3.8-cloud.2
+            image: public.ecr.aws/gravitational/teleport-plugin-email:15.4.0
             imagePullPolicy: IfNotPresent
             name: teleport-plugin-email
             ports:
@@ -75,8 +75,8 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 15.3.8-cloud.2
-        helm.sh/chart: teleport-plugin-email-15.3.8-cloud.2
+        app.kubernetes.io/version: 15.4.0
+        helm.sh/chart: teleport-plugin-email-15.4.0
       name: RELEASE-NAME-teleport-plugin-email
     spec:
       replicas: 1
@@ -90,8 +90,8 @@ should match the snapshot:
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-email
-            app.kubernetes.io/version: 15.3.8-cloud.2
-            helm.sh/chart: teleport-plugin-email-15.3.8-cloud.2
+            app.kubernetes.io/version: 15.4.0
+            helm.sh/chart: teleport-plugin-email-15.4.0
         spec:
           containers:
           - command:
@@ -136,8 +136,8 @@ should match the snapshot (mailgun on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 15.3.8-cloud.2
-        helm.sh/chart: teleport-plugin-email-15.3.8-cloud.2
+        app.kubernetes.io/version: 15.4.0
+        helm.sh/chart: teleport-plugin-email-15.4.0
       name: RELEASE-NAME-teleport-plugin-email
     spec:
       replicas: 1
@@ -151,8 +151,8 @@ should match the snapshot (mailgun on):
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-email
-            app.kubernetes.io/version: 15.3.8-cloud.2
-            helm.sh/chart: teleport-plugin-email-15.3.8-cloud.2
+            app.kubernetes.io/version: 15.4.0
+            helm.sh/chart: teleport-plugin-email-15.4.0
         spec:
           containers:
           - command:
@@ -163,7 +163,7 @@ should match the snapshot (mailgun on):
             env:
             - name: TELEPORT_PLUGIN_FAIL_FAST
               value: "true"
-            image: public.ecr.aws/gravitational/teleport-plugin-email:15.3.8-cloud.2
+            image: public.ecr.aws/gravitational/teleport-plugin-email:15.4.0
             imagePullPolicy: IfNotPresent
             name: teleport-plugin-email
             ports:
@@ -204,8 +204,8 @@ should match the snapshot (smtp on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 15.3.8-cloud.2
-        helm.sh/chart: teleport-plugin-email-15.3.8-cloud.2
+        app.kubernetes.io/version: 15.4.0
+        helm.sh/chart: teleport-plugin-email-15.4.0
       name: RELEASE-NAME-teleport-plugin-email
     spec:
       replicas: 1
@@ -219,8 +219,8 @@ should match the snapshot (smtp on):
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-email
-            app.kubernetes.io/version: 15.3.8-cloud.2
-            helm.sh/chart: teleport-plugin-email-15.3.8-cloud.2
+            app.kubernetes.io/version: 15.4.0
+            helm.sh/chart: teleport-plugin-email-15.4.0
         spec:
           containers:
           - command:
@@ -231,7 +231,7 @@ should match the snapshot (smtp on):
             env:
             - name: TELEPORT_PLUGIN_FAIL_FAST
               value: "true"
-            image: public.ecr.aws/gravitational/teleport-plugin-email:15.3.8-cloud.2
+            image: public.ecr.aws/gravitational/teleport-plugin-email:15.4.0
             imagePullPolicy: IfNotPresent
             name: teleport-plugin-email
             ports:
@@ -272,8 +272,8 @@ should mount external secret (mailgun on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 15.3.8-cloud.2
-        helm.sh/chart: teleport-plugin-email-15.3.8-cloud.2
+        app.kubernetes.io/version: 15.4.0
+        helm.sh/chart: teleport-plugin-email-15.4.0
       name: RELEASE-NAME-teleport-plugin-email
     spec:
       replicas: 1
@@ -287,8 +287,8 @@ should mount external secret (mailgun on):
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-email
-            app.kubernetes.io/version: 15.3.8-cloud.2
-            helm.sh/chart: teleport-plugin-email-15.3.8-cloud.2
+            app.kubernetes.io/version: 15.4.0
+            helm.sh/chart: teleport-plugin-email-15.4.0
         spec:
           containers:
           - command:
@@ -299,7 +299,7 @@ should mount external secret (mailgun on):
             env:
             - name: TELEPORT_PLUGIN_FAIL_FAST
               value: "true"
-            image: public.ecr.aws/gravitational/teleport-plugin-email:15.3.8-cloud.2
+            image: public.ecr.aws/gravitational/teleport-plugin-email:15.4.0
             imagePullPolicy: IfNotPresent
             name: teleport-plugin-email
             ports:
@@ -340,8 +340,8 @@ should mount external secret (smtp on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 15.3.8-cloud.2
-        helm.sh/chart: teleport-plugin-email-15.3.8-cloud.2
+        app.kubernetes.io/version: 15.4.0
+        helm.sh/chart: teleport-plugin-email-15.4.0
       name: RELEASE-NAME-teleport-plugin-email
     spec:
       replicas: 1
@@ -355,8 +355,8 @@ should mount external secret (smtp on):
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-email
-            app.kubernetes.io/version: 15.3.8-cloud.2
-            helm.sh/chart: teleport-plugin-email-15.3.8-cloud.2
+            app.kubernetes.io/version: 15.4.0
+            helm.sh/chart: teleport-plugin-email-15.4.0
         spec:
           containers:
           - command:
@@ -367,7 +367,7 @@ should mount external secret (smtp on):
             env:
             - name: TELEPORT_PLUGIN_FAIL_FAST
               value: "true"
-            image: public.ecr.aws/gravitational/teleport-plugin-email:15.3.8-cloud.2
+            image: public.ecr.aws/gravitational/teleport-plugin-email:15.4.0
             imagePullPolicy: IfNotPresent
             name: teleport-plugin-email
             ports:

examples/chart/access/jira/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "15.3.8-cloud.2"
+.version: &version "15.4.0"
 
 apiVersion: v2
 name: teleport-plugin-jira