Release 17.0.0

Author: r0mant

CHANGELOG.md

@@ -1,10 +1,148 @@
 # Changelog
 
-## 17.0.0 (11/xx/2024)
+## 17.0.0 (11/15/2024)
+
+Teleport 17 brings the following new features and improvements:
+
+- Refreshed web UI
+- Modern signature algorithms
+- (Preview) AWS IAM Identity Center integration
+- Hardware key support for Teleport Connect
+- Nested access lists
+- Access lists UI/UX improvements
+- Signed and notarized macOS assets
+- Datadog Incident Management plugin for access requests
+- Hosted Microsoft Teams plugin for access requests
+- Dynamic registration for Windows desktops
+- Support for images in web SSH sessions
+- `tbot` CLI updates
 
-### ** Not yet released **
+### Description
+
+#### Refreshed Web UI
+
+We have updated and improved designs and added a new navigation menu to Teleport
+17’s web UI to enhance its usability and scalability.
+
+#### Modern signature algorithms
+
+Teleport 17 admins have the option to use elliptic curve cryptography for the
+majority of user, host, and certificate authority key material.
+
+This includes Ed25519 SSH keys and ECDSA TLS keys, replacing the RSA keys used
+today.
+
+New clusters will leverage [modern signature algorithms](https://goteleport.com/docs/ver/17.x/reference/signature-algorithms/)
+by default. Existing Teleport clusters will continue to use RSA2048 until a CA
+rotation is performed.
+
+#### (Preview) AWS IAM Identity Center integration
+
+Teleport 17 integrates with AWS IAM Identity Center to allow users to sync and
+manage AWS IC group members via Access Lists.
+
+#### Hardware key support for Teleport Connect
+
+We have extended Teleport 17’s support for
+[hardware-backed private keys](https://goteleport.com/docs/admin-guides/access-controls/guides/hardware-key-support/)
+to Teleport Connect.
+
+#### Nested access lists
+
+Teleport 17 admins and access list owners can add access lists as members in
+other access lists.
+
+See details in the [documentation](https://goteleport.com/docs/ver/17.x/admin-guides/access-controls/access-lists/nested-access-lists/).
+
+#### Access lists UI/UX improvements
+
+Teleport 17 web UI has an updated access lists page that will include the new
+table view, improved search and filtering capabilities.
+
+#### Signed and notarized macOS assets
+
+Starting from Teleport 17 macOS `teleport.pkg` installer includes signed and
+notarized `tsh.app` and `tctl.app` so downloading a separate tsh.pkg to use
+Touch ID is no longer necessary.
+
+In addition, Teleport 17 event handler and Terraform provider for macOS are also
+signed and notarized.
+
+#### Datadog Incident Management plugin for access requests
+
+Teleport 17 supports PagerDuty-like integration with Datadog's [on-call](https://docs.datadoghq.com/service_management/on-call/)
+and [incident management](https://docs.datadoghq.com/service_management/incident_management/)
+APIs for access request notifications.
+
+See the [configuration guide](https://goteleport.com/docs/ver/17.x/admin-guides/access-controls/access-request-plugins/datadog-hosted/).
+
+#### Hosted Microsoft Teams plugin for access requests
+
+Teleport 17 adds support for Microsoft Teams integration for access request
+notifications using Teleport web UI without needing to self-host the plugin.
+
+#### Dynamic registration for Windows desktops
+
+Dynamic registration allows Teleport administrators to register new Windows
+desktops without having to update the static configuration files read by
+Teleport Windows Desktop Service instances.
+
+#### Support for images in web SSH sessions
+
+The SSH console in Teleport’s web UI includes support for rendering images via
+both the SIXEL and iTerm Inline Image Protocol (IIP).
+
+#### tbot CLI updates
+
+The `tbot` client now supports starting most outputs and services directly from
+the command line with no need for a configuration file using the new
+`tbot start <mode>` family of commands. If desired, a given command can be
+converted to a YAML configuration file with `tbot configure <mode>`.
+
+Additionally, `tctl` now supports inspection and management of bot instances using
+the `tctl bots instances` family of commands. This allows onboarding of new
+instances for existing bots with `tctl bots instances add`, and inspection of
+existing instances with `tctl bots instances list`.
+
+### Breaking changes and deprecations
+
+#### macOS assets
+
+Starting with version 17, Teleport no longer provides a separate `tsh.pkg` macOS
+package.
+
+Instead, `teleport.pkg` and all macOS tarballs include signed and notarized
+`tsh.app` and `tctl.app`.
+
+#### Enforced stricter requirements for SSH hostnames
+
+Hostnames are only allowed if they are less than 257 characters and consist of
+only alphanumeric characters and the symbols `.` and `-`.
+
+Any hostname that violates the new restrictions will be changed, the original
+hostname will be moved to the `teleport.internal/invalid-hostname` label for
+discoverability.
+
+Any Teleport agents with an invalid hostname will be replaced with the host UUID.
+Any Agentless OpenSSH Servers with an invalid hostname will be replaced with
+the host of the address, if it is valid, or a randomly generated identifier.
+Any hosts with invalid hostnames should be updated to comply with the new
+requirements to avoid Teleport renaming them.
+
+#### `TELEPORT_ALLOW_NO_SECOND_FACTOR` removed
+
+As of Teleport 16, multi-factor authentication is required for local users. To
+assist with upgrades, Teleport 16 included a temporary opt-out mechanism via the
+`TELEPORT_ALLOW_NO_SECOND_FACTOR` environment variable. This opt-out mechanism
+has been removed.
+
+#### TOTP for per-session MFA
+
+Teleport 17 is the last release where `tsh` will allow for using TOTP with
+per-session MFA. Starting with Teleport 18, `tsh` will require a strong webauthn
+credential for per-session MFA.
 
-* Refreshed the Web UI and Teleport Connect UI design [#46812](https://github.com/gravitational/teleport/pull/46812)
+TOTP will continue to be accepted for the initial login.
 
 ## 16.4.6 (10/22/2024)
 

Makefile

@@ -13,7 +13,7 @@
 #   Stable releases:   "1.0.0"
 #   Pre-releases:      "1.0.0-alpha.1", "1.0.0-beta.2", "1.0.0-rc.3"
 #   Master/dev branch: "1.0.0-dev"
-VERSION=17.0.0-rc.3
+VERSION=17.0.0
 
 DOCKER_IMAGE ?= teleport
 

api/version.go

@@ -19,13 +19,13 @@
 		<key>CFBundlePackageType</key>
 		<string>APPL</string>
 		<key>CFBundleShortVersionString</key>
-		<string>1.0</string>
+		<string>17.0.0</string>
 		<key>CFBundleSupportedPlatforms</key>
 		<array>
 			<string>MacOSX</string>
 		</array>
 		<key>CFBundleVersion</key>
-		<string>1.0</string>
+		<string>17.0.0</string>
 		<key>DTCompiler</key>
 		<string>com.apple.compilers.llvm.clang.1_0</string>
 		<key>DTPlatformBuild</key>

build.assets/macos/tsh/tsh.app/Contents/Info.plist

@@ -17,13 +17,13 @@
 		<key>CFBundlePackageType</key>
 		<string>APPL</string>
 		<key>CFBundleShortVersionString</key>
-		<string>1.0</string>
+		<string>17.0.0</string>
 		<key>CFBundleSupportedPlatforms</key>
 		<array>
 			<string>MacOSX</string>
 		</array>
 		<key>CFBundleVersion</key>
-		<string>1.0</string>
+		<string>17.0.0</string>
 		<key>DTCompiler</key>
 		<string>com.apple.compilers.llvm.clang.1_0</string>
 		<key>DTPlatformBuild</key>

build.assets/macos/tshdev/tsh.app/Contents/Info.plist

@@ -193,6 +193,7 @@
     "SIEM",
     "SIGINT",
     "SIGUSR",
+    "SIXEL",
     "SLAVEOF",
     "SLES",
     "SLOWLOG",
@@ -1030,4 +1031,4 @@
     "**/reference/terraform-provider/**",
     "**/reference/operator-resources/**"
   ]
-}
+}

docs/cspell.json

@@ -1,4 +1,4 @@
-.version: &version "17.0.0-rc.3"
+.version: &version "17.0.0"
 
 apiVersion: v2
 name: teleport-plugin-datadog

examples/chart/access/datadog/Chart.yaml

@@ -26,6 +26,6 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-datadog
-        app.kubernetes.io/version: 17.0.0-rc.3
-        helm.sh/chart: teleport-plugin-datadog-17.0.0-rc.3
+        app.kubernetes.io/version: 17.0.0
+        helm.sh/chart: teleport-plugin-datadog-17.0.0
       name: RELEASE-NAME-teleport-plugin-datadog

examples/chart/access/datadog/tests/__snapshot__/configmap_test.yaml.snap

@@ -7,8 +7,8 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-datadog
-        app.kubernetes.io/version: 17.0.0-rc.3
-        helm.sh/chart: teleport-plugin-datadog-17.0.0-rc.3
+        app.kubernetes.io/version: 17.0.0
+        helm.sh/chart: teleport-plugin-datadog-17.0.0
       name: RELEASE-NAME-teleport-plugin-datadog
     spec:
       replicas: 1
@@ -22,8 +22,8 @@ should match the snapshot:
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-datadog
-            app.kubernetes.io/version: 17.0.0-rc.3
-            helm.sh/chart: teleport-plugin-datadog-17.0.0-rc.3
+            app.kubernetes.io/version: 17.0.0
+            helm.sh/chart: teleport-plugin-datadog-17.0.0
         spec:
           containers:
           - command:

examples/chart/access/datadog/tests/__snapshot__/deployment_test.yaml.snap

@@ -1,4 +1,4 @@
-.version: &version "17.0.0-rc.3"
+.version: &version "17.0.0"
 
 apiVersion: v2
 name: teleport-plugin-discord

examples/chart/access/discord/Chart.yaml

@@ -24,6 +24,6 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-discord
-        app.kubernetes.io/version: 17.0.0-rc.3
-        helm.sh/chart: teleport-plugin-discord-17.0.0-rc.3
+        app.kubernetes.io/version: 17.0.0
+        helm.sh/chart: teleport-plugin-discord-17.0.0
       name: RELEASE-NAME-teleport-plugin-discord

examples/chart/access/discord/tests/__snapshot__/configmap_test.yaml.snap

@@ -7,8 +7,8 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-discord
-        app.kubernetes.io/version: 17.0.0-rc.3
-        helm.sh/chart: teleport-plugin-discord-17.0.0-rc.3
+        app.kubernetes.io/version: 17.0.0
+        helm.sh/chart: teleport-plugin-discord-17.0.0
       name: RELEASE-NAME-teleport-plugin-discord
     spec:
       replicas: 1
@@ -22,8 +22,8 @@ should match the snapshot:
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-discord
-            app.kubernetes.io/version: 17.0.0-rc.3
-            helm.sh/chart: teleport-plugin-discord-17.0.0-rc.3
+            app.kubernetes.io/version: 17.0.0
+            helm.sh/chart: teleport-plugin-discord-17.0.0
         spec:
           containers:
           - command:

examples/chart/access/discord/tests/__snapshot__/deployment_test.yaml.snap

@@ -1,4 +1,4 @@
-.version: &version "17.0.0-rc.3"
+.version: &version "17.0.0"
 
 apiVersion: v2
 name: teleport-plugin-email

examples/chart/access/email/Chart.yaml

@@ -26,8 +26,8 @@ should match the snapshot (mailgun on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 17.0.0-rc.3
-        helm.sh/chart: teleport-plugin-email-17.0.0-rc.3
+        app.kubernetes.io/version: 17.0.0
+        helm.sh/chart: teleport-plugin-email-17.0.0
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on):
   1: |
@@ -59,8 +59,8 @@ should match the snapshot (smtp on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 17.0.0-rc.3
-        helm.sh/chart: teleport-plugin-email-17.0.0-rc.3
+        app.kubernetes.io/version: 17.0.0
+        helm.sh/chart: teleport-plugin-email-17.0.0
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, no starttls):
   1: |
@@ -92,8 +92,8 @@ should match the snapshot (smtp on, no starttls):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 17.0.0-rc.3
-        helm.sh/chart: teleport-plugin-email-17.0.0-rc.3
+        app.kubernetes.io/version: 17.0.0
+        helm.sh/chart: teleport-plugin-email-17.0.0
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, password file):
   1: |
@@ -125,8 +125,8 @@ should match the snapshot (smtp on, password file):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 17.0.0-rc.3
-        helm.sh/chart: teleport-plugin-email-17.0.0-rc.3
+        app.kubernetes.io/version: 17.0.0
+        helm.sh/chart: teleport-plugin-email-17.0.0
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, roleToRecipients set):
   1: |
@@ -161,8 +161,8 @@ should match the snapshot (smtp on, roleToRecipients set):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 17.0.0-rc.3
-        helm.sh/chart: teleport-plugin-email-17.0.0-rc.3
+        app.kubernetes.io/version: 17.0.0
+        helm.sh/chart: teleport-plugin-email-17.0.0
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, starttls disabled):
   1: |
@@ -194,6 +194,6 @@ should match the snapshot (smtp on, starttls disabled):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 17.0.0-rc.3
-        helm.sh/chart: teleport-plugin-email-17.0.0-rc.3
+        app.kubernetes.io/version: 17.0.0
+        helm.sh/chart: teleport-plugin-email-17.0.0
       name: RELEASE-NAME-teleport-plugin-email