Release 16.5.0

CHANGELOG.md

@@ -1,6 +1,6 @@
 # Changelog
 
-## 16.5.0 (Upcoming)
+## 16.5.0 (03/28/25)
 
 ### Automatic Updates
 
@@ -27,6 +27,34 @@ The binaries will be symlinked to their previous location, no change should be r
 
 This change allows us to do automatic updates without conflicting with the package manager.
 
+### Readiness endpoint changes
+
+The Auth Service readiness now reflects the connectivity from the instance to
+the backend storage, and the Proxy Service readiness reflects the connectivity
+to the Auth Service API. In case of Auth or backend storage failure, the
+instances will now turn unready. This change ensures that control plane
+components can be excluded from their relevant load-balancing pools. If you want
+to preserve the old behaviour (the Auth Service or Proxy Service instance stays
+ready and runs in degraded mode) in the `teleport-cluster` Helm chart, you can
+now tune the readiness setting to have the pods become unready after a high
+number of failed probes.
+
+### Other improvements and fixes
+
+* Fix a bug causing the discovery service to fail to configure teleport on discovered nodes when managed updates v2 are enabled. [#53544](https://github.com/gravitational/teleport/pull/53544)
+* Enable support for joining Kubernetes sessions in the web UI. [#53456](https://github.com/gravitational/teleport/pull/53456)
+* Fix an issue `tsh proxy db` does not honour `--db-roles` when renewing certificates. [#53446](https://github.com/gravitational/teleport/pull/53446)
+* Added static_jwks field to the GitLab join method configuration to support cases where Teleport Auth Service cannot reach the GitLab instance. [#53412](https://github.com/gravitational/teleport/pull/53412)
+* The `teleport-cluster` Helm chart now supports tuning the pod readiness. [#53353](https://github.com/gravitational/teleport/pull/53353)
+* Fix panic when trimming audit log entries. [#53307](https://github.com/gravitational/teleport/pull/53307)
+* Improve resource consumption when retrieving resources via the Web UI or tsh ls. [#53303](https://github.com/gravitational/teleport/pull/53303)
+* Fixed rare high CPU usage bug in reverse tunnel agents. [#53282](https://github.com/gravitational/teleport/pull/53282)
+* Add support for `SendEnv` OpenSSH option in `tsh`. [#53217](https://github.com/gravitational/teleport/pull/53217)
+* Add support for using DynamoDB Streams FIPS endpoints. [#53202](https://github.com/gravitational/teleport/pull/53202)
+* Workload ID: support for attesting Systemd services. [#53109](https://github.com/gravitational/teleport/pull/53109)
+* Machine ID: Added warning when generated certificates will not last as long as expected. [#53103](https://github.com/gravitational/teleport/pull/53103)
+* Improve latency and reduce resource consumption of generating Kubernetes certificates via tctl auth sign and tsh kube login. [#52147](https://github.com/gravitational/teleport/pull/52147)
+
 ## 16.4.18 (03/18/25)
 
 * Fixed the Teleport process to crashing on group database errors when host user creation was enabled. [#53080](https://github.com/gravitational/teleport/pull/53080)

Makefile

@@ -11,7 +11,7 @@
 #   Stable releases:   "1.0.0"
 #   Pre-releases:      "1.0.0-alpha.1", "1.0.0-beta.2", "1.0.0-rc.3"
 #   Master/dev branch: "1.0.0-dev"
-VERSION=16.4.18
+VERSION=16.5.0
 
 DOCKER_IMAGE ?= teleport
 

build.assets/macos/tsh/tsh.app/Contents/Info.plist

@@ -19,13 +19,13 @@
 		<key>CFBundlePackageType</key>
 		<string>APPL</string>
 		<key>CFBundleShortVersionString</key>
-		<string>16.4.18</string>
+		<string>16.5.0</string>
 		<key>CFBundleSupportedPlatforms</key>
 		<array>
 			<string>MacOSX</string>
 		</array>
 		<key>CFBundleVersion</key>
-		<string>16.4.18</string>
+		<string>16.5.0</string>
 		<key>DTCompiler</key>
 		<string>com.apple.compilers.llvm.clang.1_0</string>
 		<key>DTPlatformBuild</key>

build.assets/macos/tshdev/tsh.app/Contents/Info.plist

@@ -17,13 +17,13 @@
 		<key>CFBundlePackageType</key>
 		<string>APPL</string>
 		<key>CFBundleShortVersionString</key>
-		<string>16.4.18</string>
+		<string>16.5.0</string>
 		<key>CFBundleSupportedPlatforms</key>
 		<array>
 			<string>MacOSX</string>
 		</array>
 		<key>CFBundleVersion</key>
-		<string>16.4.18</string>
+		<string>16.5.0</string>
 		<key>DTCompiler</key>
 		<string>com.apple.compilers.llvm.clang.1_0</string>
 		<key>DTPlatformBuild</key>

examples/chart/access/datadog/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "16.4.18"
+.version: &version "16.5.0"
 
 apiVersion: v2
 name: teleport-plugin-datadog

examples/chart/access/datadog/tests/__snapshot__/configmap_test.yaml.snap

@@ -26,6 +26,6 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-datadog
-        app.kubernetes.io/version: 16.4.18
-        helm.sh/chart: teleport-plugin-datadog-16.4.18
+        app.kubernetes.io/version: 16.5.0
+        helm.sh/chart: teleport-plugin-datadog-16.5.0
       name: RELEASE-NAME-teleport-plugin-datadog

examples/chart/access/datadog/tests/__snapshot__/deployment_test.yaml.snap

@@ -7,8 +7,8 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-datadog
-        app.kubernetes.io/version: 16.4.18
-        helm.sh/chart: teleport-plugin-datadog-16.4.18
+        app.kubernetes.io/version: 16.5.0
+        helm.sh/chart: teleport-plugin-datadog-16.5.0
       name: RELEASE-NAME-teleport-plugin-datadog
     spec:
       replicas: 1
@@ -22,8 +22,8 @@ should match the snapshot:
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-datadog
-            app.kubernetes.io/version: 16.4.18
-            helm.sh/chart: teleport-plugin-datadog-16.4.18
+            app.kubernetes.io/version: 16.5.0
+            helm.sh/chart: teleport-plugin-datadog-16.5.0
         spec:
           containers:
           - command:

examples/chart/access/discord/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "16.4.18"
+.version: &version "16.5.0"
 
 apiVersion: v2
 name: teleport-plugin-discord

examples/chart/access/discord/tests/__snapshot__/configmap_test.yaml.snap

@@ -24,6 +24,6 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-discord
-        app.kubernetes.io/version: 16.4.18
-        helm.sh/chart: teleport-plugin-discord-16.4.18
+        app.kubernetes.io/version: 16.5.0
+        helm.sh/chart: teleport-plugin-discord-16.5.0
       name: RELEASE-NAME-teleport-plugin-discord

examples/chart/access/discord/tests/__snapshot__/deployment_test.yaml.snap

@@ -7,8 +7,8 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-discord
-        app.kubernetes.io/version: 16.4.18
-        helm.sh/chart: teleport-plugin-discord-16.4.18
+        app.kubernetes.io/version: 16.5.0
+        helm.sh/chart: teleport-plugin-discord-16.5.0
       name: RELEASE-NAME-teleport-plugin-discord
     spec:
       replicas: 1
@@ -22,8 +22,8 @@ should match the snapshot:
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-discord
-            app.kubernetes.io/version: 16.4.18
-            helm.sh/chart: teleport-plugin-discord-16.4.18
+            app.kubernetes.io/version: 16.5.0
+            helm.sh/chart: teleport-plugin-discord-16.5.0
         spec:
           containers:
           - command:

examples/chart/access/email/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "16.4.18"
+.version: &version "16.5.0"
 
 apiVersion: v2
 name: teleport-plugin-email

examples/chart/access/email/tests/__snapshot__/configmap_test.yaml.snap

@@ -26,8 +26,8 @@ should match the snapshot (mailgun on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.4.18
-        helm.sh/chart: teleport-plugin-email-16.4.18
+        app.kubernetes.io/version: 16.5.0
+        helm.sh/chart: teleport-plugin-email-16.5.0
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on):
   1: |
@@ -59,8 +59,8 @@ should match the snapshot (smtp on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.4.18
-        helm.sh/chart: teleport-plugin-email-16.4.18
+        app.kubernetes.io/version: 16.5.0
+        helm.sh/chart: teleport-plugin-email-16.5.0
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, no starttls):
   1: |
@@ -92,8 +92,8 @@ should match the snapshot (smtp on, no starttls):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.4.18
-        helm.sh/chart: teleport-plugin-email-16.4.18
+        app.kubernetes.io/version: 16.5.0
+        helm.sh/chart: teleport-plugin-email-16.5.0
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, password file):
   1: |
@@ -125,8 +125,8 @@ should match the snapshot (smtp on, password file):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.4.18
-        helm.sh/chart: teleport-plugin-email-16.4.18
+        app.kubernetes.io/version: 16.5.0
+        helm.sh/chart: teleport-plugin-email-16.5.0
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, roleToRecipients set):
   1: |
@@ -161,8 +161,8 @@ should match the snapshot (smtp on, roleToRecipients set):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.4.18
-        helm.sh/chart: teleport-plugin-email-16.4.18
+        app.kubernetes.io/version: 16.5.0
+        helm.sh/chart: teleport-plugin-email-16.5.0
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, starttls disabled):
   1: |
@@ -194,6 +194,6 @@ should match the snapshot (smtp on, starttls disabled):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.4.18
-        helm.sh/chart: teleport-plugin-email-16.4.18
+        app.kubernetes.io/version: 16.5.0
+        helm.sh/chart: teleport-plugin-email-16.5.0
       name: RELEASE-NAME-teleport-plugin-email