Release 10.0.0 (#14193)

CHANGELOG.md

@@ -2,13 +2,213 @@
 
 ## 10.0.0
 
-Teleport 10.0 is a major release of Teleport that contains new features, improvements, and bug fixes.
+Teleport 10 is a major release that brings the following new features.
 
-### Breaking Changes
+Platform:
+
+* Passwordless (Preview)
+* Resource Access Requests (Preview)
+* Proxy Peering (Preview)
+
+Server Access:
+
+* IP-Based Restrictions (Preview)
+* Automatic User Provisioning (Preview)
+
+Database Access:
+
+* Audit Logging for Microsoft SQL Server Database Access
+* Snowflake Database Access (Preview)
+* ElastiCache/MemoryDB Database Access (Preview)
+
+Teleport Connect:
+
+* Teleport Connect for Server and Database Access (Preview)
+
+Machine ID:
+
+* Machine ID Database Access Support (Preview)
+
+### Passwordless (Preview)
+
+Teleport 10 introduces passwordless support to your clusters. To use passwordless
+users may register a security key with resident credentials or use a built-in
+authenticator, like Touch ID.
+
+See https://goteleport.com/docs/access-controls/guides/passwordless/.
+
+### Resource Access Requests (Preview)
+
+Teleport 10 expands just-in-time access requests to allow for requesting access
+to specific resources. This lets you grant users the least privileged access
+needed for their workflows.
+
+Just-in-time access requests are only available in Teleport Enterprise Edition.
+
+### Proxy Peering (Preview)
+
+Proxy peering enables Teleport deployments to scale without an increase in load
+from the number of agent connections. This is accomplished by allowing Proxy
+Services to tunnel client connections to the desired agent through a neighboring
+proxy and decoupling the number of agent connections from the number of Proxies.
+
+Proxy peering can be enabled with the following configurations:
+
+```yaml
+auth_service:
+  tunnel_strategy:
+    type: proxy_peering
+    agent_connection_count: 1
+```
+
+```yaml
+proxy_service:
+  peer_listen_addr: 0.0.0.0:3021
+```
+
+Network connectivity between proxy servers to the `peer_listen_addr` is required
+for this feature to work.
+
+Proxy peering is only available in Teleport Enterprise Edition.
+
+### IP-Based Restrictions (Preview)
+
+Teleport 10 introduces a new role option to pin the source IP in SSH
+certificates. When enabled, the source IP that was used to request certificates
+is embedded in the certificate, and SSH servers will reject connection attempts
+from other IPs. This protects against attacks where valid credentials are
+exfiltrated from disk and copied out into other environments.
+
+IP-based restrictions are only available in Teleport Enterprise Edition.
+
+### Automatic User Provisioning (Preview)
+
+Teleport 10 can be configured to automatically create Linux host users upon
+login without having to use Teleport's PAM integration. Users can be added to specific
+Linux groups and assigned appropriate “sudoer” privileges.
+
+To learn more about configuring automatic user provisioning read the guide:
+https://goteleport.com/docs/server-access/guides/host-user-creation/.
+
+### Audit Logging for Microsoft SQL Server Database Access
+
+Teleport 9 introduced a preview of Database Access support for Microsoft SQL
+Server which didn’t include audit logging of user queries. Teleport 10 captures
+users' queries and prepared statements and sends them to the audit log, similarly
+to other supported database protocols.
+
+Teleport Database Access for SQL Server remains in Preview mode with more UX
+improvements coming in future releases.
+
+Refer to the guide to set up access to a SQL Server with Active Directory
+authentication: https://goteleport.com/docs/database-access/guides/sql-server-ad/.
+
+### Snowflake Database Access (Preview)
+
+Teleport 10 brings support for Snowflake to Database Access. Administrators can
+set up access to Snowflake databases through Teleport for their users with
+standard Database Access features like role-based access control and audit
+logging, including query activity.
+
+Connect your Snowflake database to Teleport following this guide:
+https://goteleport.com/docs/database-access/guides/snowflake/.
+
+### Elasticache/MemoryDB Database Access (Preview)
+
+Teleport 9 added Redis protocol support to Database Access. Teleport 10 improves
+this integration by adding native support for AWS-hosted Elasticache and
+MemoryDB, including auto-discovery and automatic credential management in some
+deployment configurations.
+
+Learn more about it in this guide:
+https://goteleport.com/docs/database-access/guides/redis-aws/.
+
+### Teleport Connect for Server and Database Access (Preview)
+
+Teleport Connect is a graphical macOS application that simplifies access to your
+Teleport resources. Teleport Connect 10 supports Server Access and Database Access.
+Other protocols and Windows support are coming in a future release.
+
+Get Teleport Connect installer from the macOS tab on the downloads page:
+https://goteleport.com/download/.
+
+### Machine ID Database Access Support (Preview)
+
+In Teleport 10 we’ve added Database Access support to Machine ID. Applications
+can use Machine ID to access databases protected by Teleport.
+
+You can find Machine ID guide for database access in the documentation:
+https://goteleport.com/docs/machine-id/guides/databases/.
+
+### Breaking changes
+
+Please familiarize yourself with the following potentially disruptive changes in
+Teleport 10 before upgrading.
+
+#### Auth Service version check
+
+Teleport 10 agents will now refuse to start if they detect that the Auth Service
+is more than one major version behind them. You can use the `--skip-version-check` flag to
+bypass the version check.
+
+Take a look at component compatibility guarantees in the documentation:
+https://goteleport.com/docs/setup/operations/upgrading/#component-compatibility.
+
+#### HTTP_PROXY for reverse tunnels
+
+Reverse tunnel connections will now respect `HTTP_PROXY` environment variables.
+This may result in reverse tunnel agents not being able to re-establish
+connections if the HTTP proxy is set in their environment and does not allow
+connections to the Teleport Proxy Service.
+
+Refer to the following documentation section for more details:
+https://goteleport.com/docs/setup/reference/networking/#http-connect-proxies.
+
+#### New APT repos
+
+With Teleport 10 we’ve migrated to new APT repositories that now support
+multiple release channels, Teleport versions and OS distributions. The new
+repositories have been backfilled with Teleport versions starting from 6.2.31
+and we recommend upgrading to them. The old repositories will be maintained for
+the foreseeable future.
+
+See updated installation instructions:
+https://goteleport.com/docs/server-access/getting-started/#step-14-install-teleport-on-your-linux-host.
+
+#### Removed “tctl access ls”
+
+The `tctl access ls` command that returned information about user server access
+within the cluster was removed. Please use a previous `tctl` version if you’d like
+to keep using it.
 
 #### Relaxed session join permissions
 
-In previous versions of Teleport users need full access to the node/Kubernetes pod in order to join a session. With Teleport 10.0 we have relaxed this requirement. Joining sessions remains deny-by-default as of Teleport 9.0 but now only `join_policy` statements as described in the [Moderated Sessions Guide](https://goteleport.com/docs/access-controls/guides/moderated-sessions/) are checked for session join RBAC.
+In previous versions of Teleport users needed full access to a Node/Kubernetes
+pod in order to join a session. Teleport 10 relaxes this requirement. Joining
+sessions remains deny-by-default but now only `join_policy` statements are
+checked for session join RBAC.
+
+See the Moderated Sessions guide for more details:
+https://goteleport.com/docs/access-controls/guides/moderated-sessions/.
+
+#### GitHub connectors
+
+The GitHub authentication connector’s `teams_to_logins` field is deprecated in favor of the new
+`teams_to_roles` field. The old field will be removed in a future release.
+
+#### Teleport FIPS AWS endpoints
+
+Teleport 10 will now automatically use FIPS endpoints for AWS S3 and DynamoDB
+when started with the `--fips` flag. You can use the `use_fips_endpoint=false`
+connection endpoint option to use regular endpoints for Teleport in FIPS mode,
+for example:
+
+```
+s3://bucket/path?region=us-east-1&use_fips_endpoint=false
+```
+
+See the S3/DynamoDB backends documentation for more information:
+https://goteleport.com/docs/setup/reference/backends/#s3.
 
 ## 8.0.0
 

Makefile

@@ -11,7 +11,7 @@
 #   Stable releases:   "1.0.0"
 #   Pre-releases:      "1.0.0-alpha.1", "1.0.0-beta.2", "1.0.0-rc.3"
 #   Master/dev branch: "1.0.0-dev"
-VERSION=10.0.0-rc.1
+VERSION=10.0.0
 
 DOCKER_IMAGE ?= quay.io/gravitational/teleport
 DOCKER_IMAGE_CI ?= quay.io/gravitational/teleport-ci

api/version.go

@@ -3,7 +3,7 @@
 package api
 
 const (
-	Version = "10.0.0-rc.1"
+	Version = "10.0.0"
 )
 
 // Gitref variable is automatically set to the output of git-describe

examples/chart/teleport-cluster/Chart.yaml

@@ -1,7 +1,7 @@
 name: teleport-cluster
 apiVersion: v2
-version: "10.0.0-rc.1"
-appVersion: "10.0.0-rc.1"
+version: "10.0.0"
+appVersion: "10.0.0"
 description: Teleport is a unified access plane for your infrastructure
 icon: https://goteleport.com/images/logos/logo-teleport-square.svg
 keywords: