Release 17.7.0

CHANGELOG.md

@@ -1,5 +1,62 @@
 # Changelog
 
+## 17.7.0 (07/28/25)
+
+### Managed Updates canary support
+
+Managed Updates v2 now support performing canary updates. When canary updates
+are enabled for a group, Teleport will update a few agents first and confirm
+they come back healthy before updating the rest of the group.
+
+You can unable canary updates by setting `canary_count` in your
+`autoupdate_config`:
+
+```yaml
+kind: autoupdate_config
+spec:
+  agents:
+    mode: enabled
+    schedules:
+      regular:
+      - name: dev
+        days:
+        - Mon
+        - Tue
+        - Wed
+        - Thu
+        start_hour: 20
+        canary_count: 5
+    strategy: halt-on-error
+```
+
+Each group can have a maximum of 5 canaries, canaries are picked randomly among
+the connected agents.
+
+Canary update support is currently only support by Linux agents, Kubernetes
+support will be part of a future release.
+
+### Other fixes and improvements
+
+* Allow YubiKeys running 5.7.4+ firmware to be usable as PIV hardware keys. [#57217](https://github.com/gravitational/teleport/pull/57217)
+* Tctl will now warn the user when importing a SPIFFE issuer override chain that contains the root CA. [#57168](https://github.com/gravitational/teleport/pull/57168)
+* Fixed fallback for web login when second factor is set to `on` but only OTP is configured. [#57159](https://github.com/gravitational/teleport/pull/57159)
+* Fix a bug causing `tctl`/`tsh` to fail on read-only file systems. [#57148](https://github.com/gravitational/teleport/pull/57148)
+* The `teleport-distroless` container image now disables client tools updates by default (when using tsh/tctl, you will always use the version from the image). You can enable them back by unsetting the `TELEPORT_TOOLS_VERSION` environment variable. [#57148](https://github.com/gravitational/teleport/pull/57148)
+* Fixed a crash in Teleport Connect that could occur when copying large clipboard content during desktop sessions. [#57131](https://github.com/gravitational/teleport/pull/57131)
+* Audit log events for SPIFFE SVID issuances now include the name/label selector used by the client. [#57128](https://github.com/gravitational/teleport/pull/57128)
+* Fixed client tools managed updates downgrade to older version. [#57111](https://github.com/gravitational/teleport/pull/57111)
+* Removed unnecessary macOS entitlements from Teleport Connect subprocesses. [#57067](https://github.com/gravitational/teleport/pull/57067)
+* Machine and Workload ID: The `tbot` client will now discard expired identities if needed during renewal to allow automatic recovery without restarting the process. [#57062](https://github.com/gravitational/teleport/pull/57062)
+* Define access-plugin preset role. [#57057](https://github.com/gravitational/teleport/pull/57057)
+* Resolved an issue where RemoteCluster objects stored in the cache had incorrect revisions, causing Update calls to fail. [#56974](https://github.com/gravitational/teleport/pull/56974)
+* Update Application APIs to use pagination to avoid exceeding message size limitations. [#56949](https://github.com/gravitational/teleport/pull/56949)
+* Fix certificate revocation failures in Active Directory environments when Teleport is using HSM-backed key material. [#56928](https://github.com/gravitational/teleport/pull/56928)
+
+Enterprise:
+
+* Fix SCIM user provisioning when a user already exists and is managed by the same connector as the SCIM integration.
+* Fix SCIM integration front-end enroll flow.
+
 ## 17.6.0 (07/22/25)
 
 ## VNet for SSH

Makefile

@@ -13,7 +13,7 @@
 #   Stable releases:   "1.0.0"
 #   Pre-releases:      "1.0.0-alpha.1", "1.0.0-beta.2", "1.0.0-rc.3"
 #   Master/dev branch: "1.0.0-dev"
-VERSION=17.6.0
+VERSION=17.7.0
 
 DOCKER_IMAGE ?= teleport
 

build.assets/macos/tsh/tsh.app/Contents/Info.plist

@@ -19,13 +19,13 @@
 		<key>CFBundlePackageType</key>
 		<string>APPL</string>
 		<key>CFBundleShortVersionString</key>
-		<string>17.6.0</string>
+		<string>17.7.0</string>
 		<key>CFBundleSupportedPlatforms</key>
 		<array>
 			<string>MacOSX</string>
 		</array>
 		<key>CFBundleVersion</key>
-		<string>17.6.0</string>
+		<string>17.7.0</string>
 		<key>DTCompiler</key>
 		<string>com.apple.compilers.llvm.clang.1_0</string>
 		<key>DTPlatformBuild</key>

build.assets/macos/tshdev/tsh.app/Contents/Info.plist

@@ -17,13 +17,13 @@
 		<key>CFBundlePackageType</key>
 		<string>APPL</string>
 		<key>CFBundleShortVersionString</key>
-		<string>17.6.0</string>
+		<string>17.7.0</string>
 		<key>CFBundleSupportedPlatforms</key>
 		<array>
 			<string>MacOSX</string>
 		</array>
 		<key>CFBundleVersion</key>
-		<string>17.6.0</string>
+		<string>17.7.0</string>
 		<key>DTCompiler</key>
 		<string>com.apple.compilers.llvm.clang.1_0</string>
 		<key>DTPlatformBuild</key>

examples/chart/access/datadog/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "17.6.0"
+.version: &version "17.7.0"
 
 apiVersion: v2
 name: teleport-plugin-datadog

examples/chart/access/datadog/tests/__snapshot__/configmap_test.yaml.snap

@@ -26,6 +26,6 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-datadog
-        app.kubernetes.io/version: 17.6.0
-        helm.sh/chart: teleport-plugin-datadog-17.6.0
+        app.kubernetes.io/version: 17.7.0
+        helm.sh/chart: teleport-plugin-datadog-17.7.0
       name: RELEASE-NAME-teleport-plugin-datadog

examples/chart/access/datadog/tests/__snapshot__/deployment_test.yaml.snap

@@ -7,8 +7,8 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-datadog
-        app.kubernetes.io/version: 17.6.0
-        helm.sh/chart: teleport-plugin-datadog-17.6.0
+        app.kubernetes.io/version: 17.7.0
+        helm.sh/chart: teleport-plugin-datadog-17.7.0
       name: RELEASE-NAME-teleport-plugin-datadog
     spec:
       replicas: 1
@@ -22,8 +22,8 @@ should match the snapshot:
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-datadog
-            app.kubernetes.io/version: 17.6.0
-            helm.sh/chart: teleport-plugin-datadog-17.6.0
+            app.kubernetes.io/version: 17.7.0
+            helm.sh/chart: teleport-plugin-datadog-17.7.0
         spec:
           containers:
           - command:

examples/chart/access/discord/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "17.6.0"
+.version: &version "17.7.0"
 
 apiVersion: v2
 name: teleport-plugin-discord

examples/chart/access/discord/tests/__snapshot__/configmap_test.yaml.snap

@@ -24,6 +24,6 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-discord
-        app.kubernetes.io/version: 17.6.0
-        helm.sh/chart: teleport-plugin-discord-17.6.0
+        app.kubernetes.io/version: 17.7.0
+        helm.sh/chart: teleport-plugin-discord-17.7.0
       name: RELEASE-NAME-teleport-plugin-discord

examples/chart/access/discord/tests/__snapshot__/deployment_test.yaml.snap

@@ -7,8 +7,8 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-discord
-        app.kubernetes.io/version: 17.6.0
-        helm.sh/chart: teleport-plugin-discord-17.6.0
+        app.kubernetes.io/version: 17.7.0
+        helm.sh/chart: teleport-plugin-discord-17.7.0
       name: RELEASE-NAME-teleport-plugin-discord
     spec:
       replicas: 1
@@ -22,8 +22,8 @@ should match the snapshot:
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-discord
-            app.kubernetes.io/version: 17.6.0
-            helm.sh/chart: teleport-plugin-discord-17.6.0
+            app.kubernetes.io/version: 17.7.0
+            helm.sh/chart: teleport-plugin-discord-17.7.0
         spec:
           containers:
           - command:

examples/chart/access/email/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "17.6.0"
+.version: &version "17.7.0"
 
 apiVersion: v2
 name: teleport-plugin-email

examples/chart/access/email/tests/__snapshot__/configmap_test.yaml.snap

@@ -26,8 +26,8 @@ should match the snapshot (mailgun on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 17.6.0
-        helm.sh/chart: teleport-plugin-email-17.6.0
+        app.kubernetes.io/version: 17.7.0
+        helm.sh/chart: teleport-plugin-email-17.7.0
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on):
   1: |
@@ -59,8 +59,8 @@ should match the snapshot (smtp on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 17.6.0
-        helm.sh/chart: teleport-plugin-email-17.6.0
+        app.kubernetes.io/version: 17.7.0
+        helm.sh/chart: teleport-plugin-email-17.7.0
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, no starttls):
   1: |
@@ -92,8 +92,8 @@ should match the snapshot (smtp on, no starttls):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 17.6.0
-        helm.sh/chart: teleport-plugin-email-17.6.0
+        app.kubernetes.io/version: 17.7.0
+        helm.sh/chart: teleport-plugin-email-17.7.0
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, password file):
   1: |
@@ -125,8 +125,8 @@ should match the snapshot (smtp on, password file):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 17.6.0
-        helm.sh/chart: teleport-plugin-email-17.6.0
+        app.kubernetes.io/version: 17.7.0
+        helm.sh/chart: teleport-plugin-email-17.7.0
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, roleToRecipients set):
   1: |
@@ -161,8 +161,8 @@ should match the snapshot (smtp on, roleToRecipients set):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 17.6.0
-        helm.sh/chart: teleport-plugin-email-17.6.0
+        app.kubernetes.io/version: 17.7.0
+        helm.sh/chart: teleport-plugin-email-17.7.0
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, starttls disabled):
   1: |
@@ -194,6 +194,6 @@ should match the snapshot (smtp on, starttls disabled):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 17.6.0
-        helm.sh/chart: teleport-plugin-email-17.6.0
+        app.kubernetes.io/version: 17.7.0
+        helm.sh/chart: teleport-plugin-email-17.7.0
       name: RELEASE-NAME-teleport-plugin-email