Release 17.0.3 (#49726)

* Release 17.0.3

* Using multi-factor instead of second factor

* Updating CHANGELOG to not use library name

CHANGELOG.md

@@ -1,5 +1,25 @@
 # Changelog
 
+## 17.0.3 (12/3/2024)
+
+* Restore ability to disable multi-factor authentication for local users. [#49692](https://github.com/gravitational/teleport/pull/49692)
+* Bumping one of our dependencies to a more secure version to address CVE-2024-53259. [#49662](https://github.com/gravitational/teleport/pull/49662)
+* Add ability to configure resource labels in `teleport-cluster`'s operator sub-chart. [#49647](https://github.com/gravitational/teleport/pull/49647)
+* Fixed proxy peering listener not using the exact address specified in `peer_listen_addr`. [#49589](https://github.com/gravitational/teleport/pull/49589)
+* Teleport Connect now shows whether it is being used on a trusted device or if enrollment is required for full access. [#49577](https://github.com/gravitational/teleport/pull/49577)
+* Kubernetes in-cluster joining now also accepts tokens whose audience is the Teleport cluster name (before it only allowed the default Kubernetes audience). Kubernetes JWKS joining is unchanged and still requires tokens with the cluster name in the audience. [#49556](https://github.com/gravitational/teleport/pull/49556)
+* Session recording playback in the web UI is now searchable. [#49506](https://github.com/gravitational/teleport/pull/49506)
+* Fixed an incorrect warning indicating that tsh v17.0.2 was incompatible with cluster v17.0.1, despite full compatibility. [#49491](https://github.com/gravitational/teleport/pull/49491)
+* Increase CockroachDB setup timeout from 5 to 30 seconds. This mitigates the Auth Service not being able to configure TTL on slow CockroachDB event backends. [#49469](https://github.com/gravitational/teleport/pull/49469)
+* Fixed a potential panic in login rule and SAML IdP expression parser. [#49429](https://github.com/gravitational/teleport/pull/49429)
+* Support for long-running kube exec/port-forward, respect client_idle_timeout config. [#49421](https://github.com/gravitational/teleport/pull/49421)
+* Fixed a permissions error with Postgres database user auto-provisioning that occurs when the database admin is not a superuser and the database is upgraded to Postgres v16 or higher. [#49390](https://github.com/gravitational/teleport/pull/49390)
+
+Enterprise:
+* Jamf Service sync audit events are attributed to "Jamf Service".
+* Users can now see a list of their enrolled devices on their Account page.
+* Add support for Entra ID groups being members of other groups using Nested Access Lists.
+
 ## 17.0.2 (11/25/2024)
 
 * Fixed missing user participants in session recordings listing for non-interactive Kubernetes recordings. [#49343](https://github.com/gravitational/teleport/pull/49343)

Makefile

@@ -13,7 +13,7 @@
 #   Stable releases:   "1.0.0"
 #   Pre-releases:      "1.0.0-alpha.1", "1.0.0-beta.2", "1.0.0-rc.3"
 #   Master/dev branch: "1.0.0-dev"
-VERSION=17.0.2
+VERSION=17.0.3
 
 DOCKER_IMAGE ?= teleport
 

build.assets/macos/tsh/tsh.app/Contents/Info.plist

@@ -19,13 +19,13 @@
 		<key>CFBundlePackageType</key>
 		<string>APPL</string>
 		<key>CFBundleShortVersionString</key>
-		<string>17.0.2</string>
+		<string>17.0.3</string>
 		<key>CFBundleSupportedPlatforms</key>
 		<array>
 			<string>MacOSX</string>
 		</array>
 		<key>CFBundleVersion</key>
-		<string>17.0.2</string>
+		<string>17.0.3</string>
 		<key>DTCompiler</key>
 		<string>com.apple.compilers.llvm.clang.1_0</string>
 		<key>DTPlatformBuild</key>

build.assets/macos/tshdev/tsh.app/Contents/Info.plist

@@ -17,13 +17,13 @@
 		<key>CFBundlePackageType</key>
 		<string>APPL</string>
 		<key>CFBundleShortVersionString</key>
-		<string>17.0.2</string>
+		<string>17.0.3</string>
 		<key>CFBundleSupportedPlatforms</key>
 		<array>
 			<string>MacOSX</string>
 		</array>
 		<key>CFBundleVersion</key>
-		<string>17.0.2</string>
+		<string>17.0.3</string>
 		<key>DTCompiler</key>
 		<string>com.apple.compilers.llvm.clang.1_0</string>
 		<key>DTPlatformBuild</key>

examples/chart/access/datadog/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "17.0.2"
+.version: &version "17.0.3"
 
 apiVersion: v2
 name: teleport-plugin-datadog

examples/chart/access/datadog/tests/__snapshot__/configmap_test.yaml.snap

@@ -26,6 +26,6 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-datadog
-        app.kubernetes.io/version: 17.0.2
-        helm.sh/chart: teleport-plugin-datadog-17.0.2
+        app.kubernetes.io/version: 17.0.3
+        helm.sh/chart: teleport-plugin-datadog-17.0.3
       name: RELEASE-NAME-teleport-plugin-datadog

examples/chart/access/datadog/tests/__snapshot__/deployment_test.yaml.snap

@@ -7,8 +7,8 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-datadog
-        app.kubernetes.io/version: 17.0.2
-        helm.sh/chart: teleport-plugin-datadog-17.0.2
+        app.kubernetes.io/version: 17.0.3
+        helm.sh/chart: teleport-plugin-datadog-17.0.3
       name: RELEASE-NAME-teleport-plugin-datadog
     spec:
       replicas: 1
@@ -22,8 +22,8 @@ should match the snapshot:
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-datadog
-            app.kubernetes.io/version: 17.0.2
-            helm.sh/chart: teleport-plugin-datadog-17.0.2
+            app.kubernetes.io/version: 17.0.3
+            helm.sh/chart: teleport-plugin-datadog-17.0.3
         spec:
           containers:
           - command:

examples/chart/access/discord/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "17.0.2"
+.version: &version "17.0.3"
 
 apiVersion: v2
 name: teleport-plugin-discord

examples/chart/access/discord/tests/__snapshot__/configmap_test.yaml.snap

@@ -24,6 +24,6 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-discord
-        app.kubernetes.io/version: 17.0.2
-        helm.sh/chart: teleport-plugin-discord-17.0.2
+        app.kubernetes.io/version: 17.0.3
+        helm.sh/chart: teleport-plugin-discord-17.0.3
       name: RELEASE-NAME-teleport-plugin-discord

examples/chart/access/discord/tests/__snapshot__/deployment_test.yaml.snap

@@ -7,8 +7,8 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-discord
-        app.kubernetes.io/version: 17.0.2
-        helm.sh/chart: teleport-plugin-discord-17.0.2
+        app.kubernetes.io/version: 17.0.3
+        helm.sh/chart: teleport-plugin-discord-17.0.3
       name: RELEASE-NAME-teleport-plugin-discord
     spec:
       replicas: 1
@@ -22,8 +22,8 @@ should match the snapshot:
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-discord
-            app.kubernetes.io/version: 17.0.2
-            helm.sh/chart: teleport-plugin-discord-17.0.2
+            app.kubernetes.io/version: 17.0.3
+            helm.sh/chart: teleport-plugin-discord-17.0.3
         spec:
           containers:
           - command:

examples/chart/access/email/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "17.0.2"
+.version: &version "17.0.3"
 
 apiVersion: v2
 name: teleport-plugin-email

examples/chart/access/email/tests/__snapshot__/configmap_test.yaml.snap

@@ -26,8 +26,8 @@ should match the snapshot (mailgun on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 17.0.2
-        helm.sh/chart: teleport-plugin-email-17.0.2
+        app.kubernetes.io/version: 17.0.3
+        helm.sh/chart: teleport-plugin-email-17.0.3
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on):
   1: |
@@ -59,8 +59,8 @@ should match the snapshot (smtp on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 17.0.2
-        helm.sh/chart: teleport-plugin-email-17.0.2
+        app.kubernetes.io/version: 17.0.3
+        helm.sh/chart: teleport-plugin-email-17.0.3
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, no starttls):
   1: |
@@ -92,8 +92,8 @@ should match the snapshot (smtp on, no starttls):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 17.0.2
-        helm.sh/chart: teleport-plugin-email-17.0.2
+        app.kubernetes.io/version: 17.0.3
+        helm.sh/chart: teleport-plugin-email-17.0.3
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, password file):
   1: |
@@ -125,8 +125,8 @@ should match the snapshot (smtp on, password file):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 17.0.2
-        helm.sh/chart: teleport-plugin-email-17.0.2
+        app.kubernetes.io/version: 17.0.3
+        helm.sh/chart: teleport-plugin-email-17.0.3
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, roleToRecipients set):
   1: |
@@ -161,8 +161,8 @@ should match the snapshot (smtp on, roleToRecipients set):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 17.0.2
-        helm.sh/chart: teleport-plugin-email-17.0.2
+        app.kubernetes.io/version: 17.0.3
+        helm.sh/chart: teleport-plugin-email-17.0.3
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, starttls disabled):
   1: |
@@ -194,6 +194,6 @@ should match the snapshot (smtp on, starttls disabled):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 17.0.2
-        helm.sh/chart: teleport-plugin-email-17.0.2
+        app.kubernetes.io/version: 17.0.3
+        helm.sh/chart: teleport-plugin-email-17.0.3
       name: RELEASE-NAME-teleport-plugin-email

examples/chart/access/email/tests/__snapshot__/deployment_test.yaml.snap

@@ -7,8 +7,8 @@ should be possible to override volume name (smtp on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 17.0.2
-        helm.sh/chart: teleport-plugin-email-17.0.2
+        app.kubernetes.io/version: 17.0.3
+        helm.sh/chart: teleport-plugin-email-17.0.3
       name: RELEASE-NAME-teleport-plugin-email
     spec:
       replicas: 1
@@ -22,8 +22,8 @@ should be possible to override volume name (smtp on):
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-email
-            app.kubernetes.io/version: 17.0.2
-            helm.sh/chart: teleport-plugin-email-17.0.2
+            app.kubernetes.io/version: 17.0.3
+            helm.sh/chart: teleport-plugin-email-17.0.3
         spec:
           containers:
           - command:
@@ -34,7 +34,7 @@ should be possible to override volume name (smtp on):
             env:
             - name: TELEPORT_PLUGIN_FAIL_FAST
               value: "true"
-            image: public.ecr.aws/gravitational/teleport-plugin-email:17.0.2
+            image: public.ecr.aws/gravitational/teleport-plugin-email:17.0.3
             imagePullPolicy: IfNotPresent
             name: teleport-plugin-email
             ports:
@@ -75,8 +75,8 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 17.0.2
-        helm.sh/chart: teleport-plugin-email-17.0.2
+        app.kubernetes.io/version: 17.0.3
+        helm.sh/chart: teleport-plugin-email-17.0.3
       name: RELEASE-NAME-teleport-plugin-email
     spec:
       replicas: 1
@@ -90,8 +90,8 @@ should match the snapshot:
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-email
-            app.kubernetes.io/version: 17.0.2
-            helm.sh/chart: teleport-plugin-email-17.0.2
+            app.kubernetes.io/version: 17.0.3
+            helm.sh/chart: teleport-plugin-email-17.0.3
         spec:
           containers:
           - command:
@@ -136,8 +136,8 @@ should match the snapshot (mailgun on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 17.0.2
-        helm.sh/chart: teleport-plugin-email-17.0.2
+        app.kubernetes.io/version: 17.0.3
+        helm.sh/chart: teleport-plugin-email-17.0.3
       name: RELEASE-NAME-teleport-plugin-email
     spec:
       replicas: 1
@@ -151,8 +151,8 @@ should match the snapshot (mailgun on):
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-email
-            app.kubernetes.io/version: 17.0.2
-            helm.sh/chart: teleport-plugin-email-17.0.2
+            app.kubernetes.io/version: 17.0.3
+            helm.sh/chart: teleport-plugin-email-17.0.3
         spec:
           containers:
           - command:
@@ -163,7 +163,7 @@ should match the snapshot (mailgun on):
             env:
             - name: TELEPORT_PLUGIN_FAIL_FAST
               value: "true"
-            image: public.ecr.aws/gravitational/teleport-plugin-email:17.0.2
+            image: public.ecr.aws/gravitational/teleport-plugin-email:17.0.3
             imagePullPolicy: IfNotPresent
             name: teleport-plugin-email
             ports:
@@ -204,8 +204,8 @@ should match the snapshot (smtp on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 17.0.2
-        helm.sh/chart: teleport-plugin-email-17.0.2
+        app.kubernetes.io/version: 17.0.3
+        helm.sh/chart: teleport-plugin-email-17.0.3
       name: RELEASE-NAME-teleport-plugin-email
     spec:
       replicas: 1
@@ -219,8 +219,8 @@ should match the snapshot (smtp on):
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-email
-            app.kubernetes.io/version: 17.0.2
-            helm.sh/chart: teleport-plugin-email-17.0.2
+            app.kubernetes.io/version: 17.0.3
+            helm.sh/chart: teleport-plugin-email-17.0.3
         spec:
           containers:
           - command:
@@ -231,7 +231,7 @@ should match the snapshot (smtp on):
             env:
             - name: TELEPORT_PLUGIN_FAIL_FAST
               value: "true"
-            image: public.ecr.aws/gravitational/teleport-plugin-email:17.0.2
+            image: public.ecr.aws/gravitational/teleport-plugin-email:17.0.3
             imagePullPolicy: IfNotPresent
             name: teleport-plugin-email
             ports:
@@ -272,8 +272,8 @@ should mount external secret (mailgun on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 17.0.2
-        helm.sh/chart: teleport-plugin-email-17.0.2
+        app.kubernetes.io/version: 17.0.3
+        helm.sh/chart: teleport-plugin-email-17.0.3
       name: RELEASE-NAME-teleport-plugin-email
     spec:
       replicas: 1
@@ -287,8 +287,8 @@ should mount external secret (mailgun on):
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-email
-            app.kubernetes.io/version: 17.0.2
-            helm.sh/chart: teleport-plugin-email-17.0.2
+            app.kubernetes.io/version: 17.0.3
+            helm.sh/chart: teleport-plugin-email-17.0.3
         spec:
           containers:
           - command:
@@ -299,7 +299,7 @@ should mount external secret (mailgun on):
             env:
             - name: TELEPORT_PLUGIN_FAIL_FAST
               value: "true"
-            image: public.ecr.aws/gravitational/teleport-plugin-email:17.0.2
+            image: public.ecr.aws/gravitational/teleport-plugin-email:17.0.3
             imagePullPolicy: IfNotPresent
             name: teleport-plugin-email
             ports:
@@ -340,8 +340,8 @@ should mount external secret (smtp on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 17.0.2
-        helm.sh/chart: teleport-plugin-email-17.0.2
+        app.kubernetes.io/version: 17.0.3
+        helm.sh/chart: teleport-plugin-email-17.0.3
       name: RELEASE-NAME-teleport-plugin-email
     spec:
       replicas: 1
@@ -355,8 +355,8 @@ should mount external secret (smtp on):
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-email
-            app.kubernetes.io/version: 17.0.2
-            helm.sh/chart: teleport-plugin-email-17.0.2
+            app.kubernetes.io/version: 17.0.3
+            helm.sh/chart: teleport-plugin-email-17.0.3
         spec:
           containers:
           - command:
@@ -367,7 +367,7 @@ should mount external secret (smtp on):
             env:
             - name: TELEPORT_PLUGIN_FAIL_FAST
               value: "true"
-            image: public.ecr.aws/gravitational/teleport-plugin-email:17.0.2
+            image: public.ecr.aws/gravitational/teleport-plugin-email:17.0.3
             imagePullPolicy: IfNotPresent
             name: teleport-plugin-email
             ports: