Release 16.4.17

CHANGELOG.md

@@ -267,6 +267,26 @@ credential for per-session MFA.
 
 TOTP will continue to be accepted for the initial login.
 
+## 16.4.17 (03/05/25)
+
+* Escape user provided labels when creating the shell script that enrolls servers, applications and databases into Teleport. [#52705](https://github.com/gravitational/teleport/pull/52705)
+* Support setting the public address for discovered apps based on Kubernetes annotations. [#52701](https://github.com/gravitational/teleport/pull/52701)
+* Workload ID: Support for Teleport Predicate Language in Workload Identity templates and rules. [#52565](https://github.com/gravitational/teleport/pull/52565)
+* Fixed `cannot execute: required file not found` error with the `teleport-spacelift-runner` image. [#52561](https://github.com/gravitational/teleport/pull/52561)
+* Added support for X509 revocations to Workload Identity. [#52502](https://github.com/gravitational/teleport/pull/52502)
+* Updated go-jose/v4 to v4.0.5 (addresses CVE-2025-27144). [#52468](https://github.com/gravitational/teleport/pull/52468)
+* Updated /x/crypto and /x/oauth2 (addresses CVE-2025-22869 and CVE-2025-22868). [#52438](https://github.com/gravitational/teleport/pull/52438)
+* Logging out from a cluster no longer clears the client autoupdate binaries. [#52338](https://github.com/gravitational/teleport/pull/52338)
+* Added JSON response support to the `/webapi/auth/export` public certificate API endpoint. [#52326](https://github.com/gravitational/teleport/pull/52326)
+* Resolved an issue with `tbot` where the web proxy port would be used instead of the SSH proxy port when ports separate mode is in use. [#52309](https://github.com/gravitational/teleport/pull/52309)
+* Fixed Azure SQL Servers connect failures when the database agent runs on a VM scale set. [#52268](https://github.com/gravitational/teleport/pull/52268)
+* Removed the ability of `tctl` to load the default configuration file on Windows. [#52189](https://github.com/gravitational/teleport/pull/52189)
+* Added support for non-FIPS AWS endpoints for IAM and STS on FIPS binaries (`TELEPORT_UNSTABLE_DISABLE_AWS_FIPS=yes`). [#52129](https://github.com/gravitational/teleport/pull/52129)
+* Introduced the `allow_reissue` property to the tbot identity output for compatibility with tsh based reissuance. [#52115](https://github.com/gravitational/teleport/pull/52115)
+
+Enterprise:
+* Reduce resource consumption resolving Okta applications during login.
+
 ## 16.4.16 (02/13/25)
 
 ### Security Fixes

Makefile

@@ -11,7 +11,7 @@
 #   Stable releases:   "1.0.0"
 #   Pre-releases:      "1.0.0-alpha.1", "1.0.0-beta.2", "1.0.0-rc.3"
 #   Master/dev branch: "1.0.0-dev"
-VERSION=16.4.16
+VERSION=16.4.17
 
 DOCKER_IMAGE ?= teleport
 

build.assets/macos/tsh/tsh.app/Contents/Info.plist

@@ -19,13 +19,13 @@
 		<key>CFBundlePackageType</key>
 		<string>APPL</string>
 		<key>CFBundleShortVersionString</key>
-		<string>16.4.16</string>
+		<string>16.4.17</string>
 		<key>CFBundleSupportedPlatforms</key>
 		<array>
 			<string>MacOSX</string>
 		</array>
 		<key>CFBundleVersion</key>
-		<string>16.4.16</string>
+		<string>16.4.17</string>
 		<key>DTCompiler</key>
 		<string>com.apple.compilers.llvm.clang.1_0</string>
 		<key>DTPlatformBuild</key>

build.assets/macos/tshdev/tsh.app/Contents/Info.plist

@@ -17,13 +17,13 @@
 		<key>CFBundlePackageType</key>
 		<string>APPL</string>
 		<key>CFBundleShortVersionString</key>
-		<string>16.4.16</string>
+		<string>16.4.17</string>
 		<key>CFBundleSupportedPlatforms</key>
 		<array>
 			<string>MacOSX</string>
 		</array>
 		<key>CFBundleVersion</key>
-		<string>16.4.16</string>
+		<string>16.4.17</string>
 		<key>DTCompiler</key>
 		<string>com.apple.compilers.llvm.clang.1_0</string>
 		<key>DTPlatformBuild</key>

docs/cspell.json

@@ -817,6 +817,7 @@
     "redisinsight",
     "rediss",
     "regexes",
+    "reissuance",
     "relogged",
     "remask",
     "remotefx",

examples/chart/access/datadog/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "16.4.16"
+.version: &version "16.4.17"
 
 apiVersion: v2
 name: teleport-plugin-datadog

examples/chart/access/datadog/tests/__snapshot__/configmap_test.yaml.snap

@@ -26,6 +26,6 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-datadog
-        app.kubernetes.io/version: 16.4.16
-        helm.sh/chart: teleport-plugin-datadog-16.4.16
+        app.kubernetes.io/version: 16.4.17
+        helm.sh/chart: teleport-plugin-datadog-16.4.17
       name: RELEASE-NAME-teleport-plugin-datadog

examples/chart/access/datadog/tests/__snapshot__/deployment_test.yaml.snap

@@ -7,8 +7,8 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-datadog
-        app.kubernetes.io/version: 16.4.16
-        helm.sh/chart: teleport-plugin-datadog-16.4.16
+        app.kubernetes.io/version: 16.4.17
+        helm.sh/chart: teleport-plugin-datadog-16.4.17
       name: RELEASE-NAME-teleport-plugin-datadog
     spec:
       replicas: 1
@@ -22,8 +22,8 @@ should match the snapshot:
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-datadog
-            app.kubernetes.io/version: 16.4.16
-            helm.sh/chart: teleport-plugin-datadog-16.4.16
+            app.kubernetes.io/version: 16.4.17
+            helm.sh/chart: teleport-plugin-datadog-16.4.17
         spec:
           containers:
           - command:

examples/chart/access/discord/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "16.4.16"
+.version: &version "16.4.17"
 
 apiVersion: v2
 name: teleport-plugin-discord

examples/chart/access/discord/tests/__snapshot__/configmap_test.yaml.snap

@@ -24,6 +24,6 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-discord
-        app.kubernetes.io/version: 16.4.16
-        helm.sh/chart: teleport-plugin-discord-16.4.16
+        app.kubernetes.io/version: 16.4.17
+        helm.sh/chart: teleport-plugin-discord-16.4.17
       name: RELEASE-NAME-teleport-plugin-discord

examples/chart/access/discord/tests/__snapshot__/deployment_test.yaml.snap

@@ -7,8 +7,8 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-discord
-        app.kubernetes.io/version: 16.4.16
-        helm.sh/chart: teleport-plugin-discord-16.4.16
+        app.kubernetes.io/version: 16.4.17
+        helm.sh/chart: teleport-plugin-discord-16.4.17
       name: RELEASE-NAME-teleport-plugin-discord
     spec:
       replicas: 1
@@ -22,8 +22,8 @@ should match the snapshot:
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-discord
-            app.kubernetes.io/version: 16.4.16
-            helm.sh/chart: teleport-plugin-discord-16.4.16
+            app.kubernetes.io/version: 16.4.17
+            helm.sh/chart: teleport-plugin-discord-16.4.17
         spec:
           containers:
           - command:

examples/chart/access/email/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "16.4.16"
+.version: &version "16.4.17"
 
 apiVersion: v2
 name: teleport-plugin-email

examples/chart/access/email/tests/__snapshot__/configmap_test.yaml.snap

@@ -26,8 +26,8 @@ should match the snapshot (mailgun on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.4.16
-        helm.sh/chart: teleport-plugin-email-16.4.16
+        app.kubernetes.io/version: 16.4.17
+        helm.sh/chart: teleport-plugin-email-16.4.17
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on):
   1: |
@@ -59,8 +59,8 @@ should match the snapshot (smtp on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.4.16
-        helm.sh/chart: teleport-plugin-email-16.4.16
+        app.kubernetes.io/version: 16.4.17
+        helm.sh/chart: teleport-plugin-email-16.4.17
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, no starttls):
   1: |
@@ -92,8 +92,8 @@ should match the snapshot (smtp on, no starttls):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.4.16
-        helm.sh/chart: teleport-plugin-email-16.4.16
+        app.kubernetes.io/version: 16.4.17
+        helm.sh/chart: teleport-plugin-email-16.4.17
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, password file):
   1: |
@@ -125,8 +125,8 @@ should match the snapshot (smtp on, password file):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.4.16
-        helm.sh/chart: teleport-plugin-email-16.4.16
+        app.kubernetes.io/version: 16.4.17
+        helm.sh/chart: teleport-plugin-email-16.4.17
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, roleToRecipients set):
   1: |
@@ -161,8 +161,8 @@ should match the snapshot (smtp on, roleToRecipients set):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.4.16
-        helm.sh/chart: teleport-plugin-email-16.4.16
+        app.kubernetes.io/version: 16.4.17
+        helm.sh/chart: teleport-plugin-email-16.4.17
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, starttls disabled):
   1: |
@@ -194,6 +194,6 @@ should match the snapshot (smtp on, starttls disabled):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.4.16
-        helm.sh/chart: teleport-plugin-email-16.4.16
+        app.kubernetes.io/version: 16.4.17
+        helm.sh/chart: teleport-plugin-email-16.4.17
       name: RELEASE-NAME-teleport-plugin-email