Description
Automatic Updates
16.5 introduces a new automatic update mechanism for system administrators to control which Teleport version their
agents are running. You can now configure the agent update schedule and desired agent version via the
autoupdate_config and autoupdate_version resources.
Updates are performed by the new teleport-update binary.
This new system is package manager-agnostic and opt-in. Existing agents won't be automatically enrolled; you can
enroll existing 17.3+ agents by running teleport-update enable.
teleport-update will become the new standard way of installing Teleport, as it always picks the appropriate Teleport
edition (Community vs Enterprise), the cluster's desired version, and the correct Teleport variant (e.g. FIPS-compliant
cryptography).
You can find more information about the feature in our documentation.
Package layout changes
Starting with 16.5.0, the Teleport DEB and RPM packages, notably used by the apt, yum, dnf and zypper package
managers, will place the Teleport binaries in /opt/teleport instead of /usr/local/bin.
The binaries will be symlinked to their previous location, so no change should be required in your scripts or systemd units.
This change allows us to do automatic updates without conflicting with the package manager.
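File-integrity monitoring and allowlisting rules that reference /usr/local/bin will see symlinks after this change. The following check is an added example, not part of the Teleport release notes or tooling: it reports where each legacy path resolves. The binary list and the optional ROOT argument (used to run it against a test tree) are assumptions; call check_teleport_layout with no argument to audit the live system.

```shell
#!/bin/sh
# Added example: audit where Teleport binaries in /usr/local/bin resolve.
# Assumptions (not from the release notes): the binary names listed below,
# and the optional ROOT argument that lets the check run on a test tree.

TELEPORT_BINS="teleport tsh tctl tbot teleport-update"

# Prints one "<name> <state>" line per binary.
# Returns 1 if any symlink is broken or resolves outside ROOT/opt/teleport.
check_teleport_layout() {
    root=$(cd "${1:-/}" && pwd -P) || return 2
    [ "$root" = "/" ] && root=""
    rc=0
    for name in $TELEPORT_BINS; do
        legacy="$root/usr/local/bin/$name"
        if [ -L "$legacy" ]; then
            # Resolve the full symlink chain to its final target.
            target=$(readlink -f "$legacy" 2>/dev/null) || target=""
            case "$target" in
                "$root"/opt/teleport/*)
                    if [ -e "$target" ]; then
                        state="symlink-ok"
                    else
                        state="symlink-broken"; rc=1
                    fi ;;
                *)
                    # Link leaves the packaged directory: investigate.
                    state="symlink-unexpected"; rc=1 ;;
            esac
        elif [ -e "$legacy" ]; then
            # Regular file: older package layout or a manual install.
            state="regular-file"
        else
            state="absent"
        fi
        printf '%s %s\n' "$name" "$state"
    done
    return $rc
}
```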
Readiness endpoint changes
The Auth Service readiness now reflects the connectivity from the instance to
the backend storage, and the Proxy Service readiness reflects the connectivity
to the Auth Service API. In case of Auth or backend storage failure, the
instances will now turn unready. This change ensures that control plane
components can be excluded from their relevant load-balancing pools. If you want
to preserve the old behaviour (the Auth Service or Proxy Service instance stays
ready and runs in degraded mode) in the teleport-cluster Helm chart, you can
now tune the readiness setting to have the pods become unready after a high
number of failed probes.
Other improvements and fixes
- Fix a bug causing the discovery service to fail to configure teleport on discovered nodes when managed updates v2 are enabled. #53544
- Enable support for joining Kubernetes sessions in the web UI. #53456
- Fix an issue where tsh proxy db does not honour --db-roles when renewing certificates. #53446
- Added static_jwks field to the GitLab join method configuration to support cases where Teleport Auth Service cannot reach the GitLab instance. #53412
- The teleport-cluster Helm chart now supports tuning the pod readiness. #53353
- Fix panic when trimming audit log entries. #53307
- Improve resource consumption when retrieving resources via the Web UI or tsh ls. #53303
- Fixed rare high CPU usage bug in reverse tunnel agents. #53282
- Add support for SendEnv OpenSSH option in tsh. #53217
- Add support for using DynamoDB Streams FIPS endpoints. #53202
- Workload ID: support for attesting Systemd services. #53109
- Machine ID: Added warning when generated certificates will not last as long as expected. #53103
- Improve latency and reduce resource consumption of generating Kubernetes certificates via tctl auth sign and tsh kube login. #52147
Download
Download the current and previous releases of Teleport at https://goteleport.com/download.
Plugins
Download the current release of Teleport plugins from the links below.
- Slack Linux amd64 | Linux arm64
- Mattermost Linux amd64 | Linux arm64
- Discord Linux amd64 | Linux arm64
- Terraform Provider Linux amd64 | Linux arm64 | macOS amd64 | macOS arm64 | macOS universal
- Event Handler Linux amd64 | Linux arm64 | macOS amd64
- PagerDuty Linux amd64 | Linux arm64
- Jira Linux amd64 | Linux arm64
- Email Linux amd64 | Linux arm64
- Microsoft Teams Linux amd64 | Linux arm64