Release 17.7.0

[doggydogworld]

17.7.0 (07/28/25)

Managed Updates canary support

Managed Updates v2 now support performing canary updates. When canary updates
are enabled for a group, Teleport will update a few agents first and confirm
they come back healthy before updating the rest of the group.

You can unable canary updates by setting canary_count in your
autoupdate_config:

kind: autoupdate_config
spec:
  agents:
    mode: enabled
    schedules:
      regular:
      - name: dev
        days:
        - Mon
        - Tue
        - Wed
        - Thu
        start_hour: 20
        canary_count: 5
    strategy: halt-on-error

Each group can have a maximum of 5 canaries, canaries are picked randomly among
the connected agents.

Canary update support is currently only support by Linux agents, Kubernetes
support will be part of a future release.

Other fixes and improvements

• Allow YubiKeys running 5.7.4+ firmware to be usable as PIV hardware keys. #57217
• Tctl will now warn the user when importing a SPIFFE issuer override chain that contains the root CA. #57168
• Fixed fallback for web login when second factor is set to on but only OTP is configured. #57159
• Fix a bug causing tctl/tsh to fail on read-only file systems. #57148
• The teleport-distroless container image now disables client tools updates by default (when using tsh/tctl, you will always use the version from the image). You can enable them back by unsetting the TELEPORT_TOOLS_VERSION environment variable. #57148
• Fixed a crash in Teleport Connect that could occur when copying large clipboard content during desktop sessions. #57131
• Audit log events for SPIFFE SVID issuances now include the name/label selector used by the client. #57128
• Fixed client tools managed updates downgrade to older version. #57111
• Removed unnecessary macOS entitlements from Teleport Connect subprocesses. #57067
• Machine and Workload ID: The tbot client will now discard expired identities if needed during renewal to allow automatic recovery without restarting the process. #57062
• Define access-plugin preset role. #57057
• Resolved an issue where RemoteCluster objects stored in the cache had incorrect revisions, causing Update calls to fail. #56974
• Update Application APIs to use pagination to avoid exceeding message size limitations. #56949
• Fix certificate revocation failures in Active Directory environments when Teleport is using HSM-backed key material. #56928

Enterprise:

• Fix SCIM user provisioning when a user already exists and is managed by the same connector as the SCIM integration.
• Fix SCIM integration front-end enroll flow.

[doggydogworld]

Waiting on #57252