Merge branch 'branch/v14' into backport-35257-branch/v14

CHANGELOG.md

@@ -1,5 +1,17 @@
 # Changelog
 
+## 14.2.3 (12/14/23)
+
+* Prevent Cloud tenants from being a leaf cluster. [#35687](https://github.com/gravitational/teleport/pull/35687)
+* Added "Show All Labels" button in the unified resources list view. [#35666](https://github.com/gravitational/teleport/pull/35666)
+* Added auto approval flow to servicenow plugin. [#35658](https://github.com/gravitational/teleport/pull/35658)
+* Added guided SAML entity descriptor creation when entity descriptor XML is not yet available. [#35657](https://github.com/gravitational/teleport/pull/35657)
+* Added a connection test when enrolling a new Connect My Computer resource in Web UI. [#35649](https://github.com/gravitational/teleport/pull/35649)
+* Fixed regression of Kubernetes Server Address when Teleport runs in multiplex mode. [#35633](https://github.com/gravitational/teleport/pull/35633)
+* When using the Slack plugin, users will now be notified directly of access requests and their approvals or denials. [#35577](https://github.com/gravitational/teleport/pull/35577)
+* Fixed bug where configuration errors with an individual SSO connector impacted other connectors. [#35576](https://github.com/gravitational/teleport/pull/35576)
+* Fixed client IP propagation from the Proxy to the Auth during IdP initiated SSO. [#35545](https://github.com/gravitational/teleport/pull/35545)
+
 ## 14.2.2 (12/07/23)
 
 **Note**: `tsh` v14.2.2 has a known issue where `tsh kube login` uses an

Makefile

@@ -11,7 +11,7 @@
 #   Stable releases:   "1.0.0"
 #   Pre-releases:      "1.0.0-alpha.1", "1.0.0-beta.2", "1.0.0-rc.3"
 #   Master/dev branch: "1.0.0-dev"
-VERSION=14.2.2
+VERSION=14.2.3
 
 DOCKER_IMAGE ?= teleport
 

api/proto/teleport/legacy/client/proto/certs.proto

@@ -25,9 +25,9 @@ option (gogoproto.unmarshaler_all) = true;
 
 // Set of certificates corresponding to a single public key.
 message Certs {
-  // SSH X509 cert (PEM-encoded).
+  // SSH certificate marshaled in the authorized key format.
   bytes SSH = 1 [(gogoproto.jsontag) = "ssh,omitempty"];
-  // TLS X509 cert (PEM-encoded).
+  // TLS X.509 certificate (PEM-encoded).
   bytes TLS = 2 [(gogoproto.jsontag) = "tls,omitempty"];
   // TLSCACerts is a list of TLS certificate authorities.
   repeated bytes TLSCACerts = 3 [(gogoproto.jsontag) = "tls_ca_certs,omitempty"];

api/proto/teleport/legacy/types/types.proto

@@ -3599,11 +3599,12 @@ message WebSessionV2 {
 message WebSessionSpecV2 {
   // User is the identity of the user to which the web session belongs.
   string User = 1 [(gogoproto.jsontag) = "user"];
-  // Pub is the SSH certificate for the user.
+  // Pub is the SSH certificate for the user, marshaled in the authorized key
+  // format.
   bytes Pub = 2 [(gogoproto.jsontag) = "pub"];
   // Priv is the SSH private key for the user.
   bytes Priv = 3 [(gogoproto.jsontag) = "priv,omitempty"];
-  // TLSCert is the TLS certificate for the user.
+  // TLSCert is the X.509 certificate for the user (PEM-encoded).
   bytes TLSCert = 4 [(gogoproto.jsontag) = "tls_cert,omitempty"];
   // BearerToken is a token that is paired with the session cookie for
   // authentication. It is periodically rotated so a stolen cookie itself

api/proto/teleport/usageevents/v1/usageevents.proto

@@ -628,6 +628,18 @@ message SecurityReportGetResultEvent {
   int32 days = 2;
 }
 
+// DiscoveryFetchEvent is emitted when a DiscoveryService polls for new resources of a given type
+message DiscoveryFetchEvent {
+  // cloud_provider is the cloud provider used to fetch resources
+  // Eg, AWS, Azure, GCP, Kubernetes
+  string cloud_provider = 1;
+
+  // resource_type is the type of resource that this fetch is polling.
+  // It depends on the Cloud Provider (defined above).
+  // Eg, rds, ec2, vm, aks, gce, app
+  string resource_type = 2;
+}
+
 // UsageEventOneOf is a message that can accept a oneof of any supported
 // external usage event.
 message UsageEventOneOf {
@@ -684,6 +696,7 @@ message UsageEventOneOf {
     SecurityReportGetResultEvent security_report_get_result = 51;
     AccessListReviewCreate access_list_review_create = 52;
     AccessListReviewDelete access_list_review_delete = 53;
+    DiscoveryFetchEvent discovery_fetch_event = 54;
   }
   reserved 2; //UIOnboardGetStartedClickEvent
   reserved "ui_onboard_get_started_click";

build.assets/macos/tsh/tsh.app/Contents/Info.plist

@@ -19,13 +19,13 @@
 		<key>CFBundlePackageType</key>
 		<string>APPL</string>
 		<key>CFBundleShortVersionString</key>
-		<string>14.2.2</string>
+		<string>14.2.3</string>
 		<key>CFBundleSupportedPlatforms</key>
 		<array>
 			<string>MacOSX</string>
 		</array>
 		<key>CFBundleVersion</key>
-		<string>14.2.2</string>
+		<string>14.2.3</string>
 		<key>DTCompiler</key>
 		<string>com.apple.compilers.llvm.clang.1_0</string>
 		<key>DTPlatformBuild</key>

build.assets/macos/tshdev/tsh.app/Contents/Info.plist

@@ -17,13 +17,13 @@
 		<key>CFBundlePackageType</key>
 		<string>APPL</string>
 		<key>CFBundleShortVersionString</key>
-		<string>14.2.2</string>
+		<string>14.2.3</string>
 		<key>CFBundleSupportedPlatforms</key>
 		<array>
 			<string>MacOSX</string>
 		</array>
 		<key>CFBundleVersion</key>
-		<string>14.2.2</string>
+		<string>14.2.3</string>
 		<key>DTCompiler</key>
 		<string>com.apple.compilers.llvm.clang.1_0</string>
 		<key>DTPlatformBuild</key>

docs/config.json

@@ -1526,6 +1526,10 @@
             {
               "title": "Snowflake",
               "slug": "/database-access/guides/snowflake/"
+            },
+            {
+              "title": "Vitess (MySQL protocol)",
+              "slug": "/database-access/guides/vitess/"
             }
           ]
         },
@@ -2049,7 +2053,7 @@
       "aws_secret_access_key": "zyxw9876-this-is-an-example"
     },
     "cloud": {
-      "version": "14.2.1",
+      "version": "14.2.2",
       "major_version": "14",
       "sla": {
         "monthly_percentage": "99.9%",
@@ -2093,18 +2097,18 @@
     },
     "teleport": {
       "major_version": "14",
-      "version": "14.2.2",
+      "version": "14.2.3",
       "git": "api/14.0.0-gd1e081e",
       "url": "teleport.example.com",
       "golang": "1.21",
       "plugin": {
-        "version": "14.2.2"
+        "version": "14.2.3"
       },
       "helm_repo_url": "https://charts.releases.teleport.dev",
-      "latest_oss_docker_image": "public.ecr.aws/gravitational/teleport-distroless:14.2.2",
-      "latest_oss_debug_docker_image": "public.ecr.aws/gravitational/teleport-distroless-debug:14.2.2",
-      "latest_ent_docker_image": "public.ecr.aws/gravitational/teleport-ent-distroless:14.2.2",
-      "latest_ent_debug_docker_image": "public.ecr.aws/gravitational/teleport-ent-distroless-debug:14.2.2"
+      "latest_oss_docker_image": "public.ecr.aws/gravitational/teleport-distroless:14.2.3",
+      "latest_oss_debug_docker_image": "public.ecr.aws/gravitational/teleport-distroless-debug:14.2.3",
+      "latest_ent_docker_image": "public.ecr.aws/gravitational/teleport-ent-distroless:14.2.3",
+      "latest_ent_debug_docker_image": "public.ecr.aws/gravitational/teleport-ent-distroless-debug:14.2.3"
     },
     "terraform": {
       "version": "1.0.0"

docs/cspell.json

@@ -882,6 +882,9 @@
     "znmqk",
     "zxvf",
     "zztop",
+    "Vitess",
+    "vtgate",
+    "clientcert",
     "supervillain"
   ],
   "flagWords": [

docs/pages/application-access/cloud-apis/google-cloud.mdx

@@ -191,7 +191,7 @@ $ gcloud compute instances create teleport-app-service \
    --service-account=teleport-google-cloud-cli@<Var name="google-cloud-project" />.iam.gserviceaccount.com \
    --scopes=cloud-platform \
    --zone=<Var name="google-cloud-zone" /> \
-   --image=https://www.googleapis.com/compute/v1/projects/ubuntu-os-cloud/global/images/ubuntu-2210-kinetic-arm64-v20230113
+   --image=https://www.googleapis.com/compute/v1/projects/debian-cloud/global/images/debian-11-bullseye-v20231212
 ```
 
 You must use the `service-account` and `scopes` flags as we list them here,