Release 18.2.0 (#58761)

* Release 18.2.0

* changelog typo fix

* Add notes to changelog

* Remove duplicate changelog entries, fix tense

---------

Co-authored-by: Cam Hutchison <[email protected]>

Author: fheinecke

CHANGELOG.md

@@ -1,5 +1,67 @@
 # Changelog
 
+## 18.2.0 (09/04/25)
+
+### Encrypted session recordings
+
+Teleport now provides the ability to integrate with Hardware Security Modules (HSMs) in order to encrypt session recordings prior to uploading them to storage.
+
+### AI session summaries
+
+Teleport Identity Security users are now able to view AI-generated summaries for SSH, Kubernetes and database sessions.
+
+### Updated session recordings page
+
+Session recordings page in Teleport web UI are now updated with a new design that will include session thumbnails and ability to view session summaries for Identity Security users.
+
+### Teleport Connect Managed Updates
+
+Teleport Connect is now able to detect when application updates are available and automatically apply them on the next restart.
+
+### Teleport Device Trust Intune Support
+
+Teleport now includes a new hosted plugin for Microsoft's Intune suite, allowing trusted devices to be synchronized from the Intune inventory.
+
+### Terraform support for Access List members
+
+Users are now able to provision Access Lists and their members (including other nested Access Lists) with terraform.
+
+### Long-term access requests UX
+
+Teleport access requests creation dialog in web UI now better differentiate between short and long-term access requests.
+
+### Database web terminal for MySQL
+
+Teleport web UI now provides terminal interface for MySQL database access.
+
+### Database access for AlloyDB
+
+Teleport now supports database access for GCP AlloyDB databases.
+
+### Other changes and improvements
+
+* Improved observability by adding health check metrics for healthy, unhealthy, and unknown states. Database health checks can now be monitored with these metrics. [#58708](https://github.com/gravitational/teleport/pull/58708)
+* Removed AccessList review notification check from tsh login/status flow. [#58662](https://github.com/gravitational/teleport/pull/58662)
+* Lock, unlock and delete from the Bot Details page, as well as viewing lock status. [#58653](https://github.com/gravitational/teleport/pull/58653)
+* Fixed internal access list membership caching issue that caused high CPU usage when the total number of members exceeded 200. [#58614](https://github.com/gravitational/teleport/pull/58614)
+* Fixed internal cache issue that could cause crashes in AWS IC, Database, and App access flows. [#58611](https://github.com/gravitational/teleport/pull/58611)
+* Fixed panic in `tbot`'s `ssh-multiplexer` service. [#58595](https://github.com/gravitational/teleport/pull/58595)
+* Teleport now honours Entra ID OIDC groups overage claim. The OIDC connector spec in Teleport must be updated to request OIDC `profile` scope and the enterprise application in Entra ID must be granted with `User.ReadBasic.All` Graph API permission for this feature to work. By default, Teleport will query the Microsoft Graph API `graph.microsoft.com` endpoint and filter user's group membership of "security groups" group type. This behaviour can be updated by configuring `entra_id_groups_provider` configuration field, which is available in the OIDC connector configuration spec. [#58593](https://github.com/gravitational/teleport/pull/58593)
+* Enhanced session recordings RBAC to enforce recording access based on rules that reference creator’s roles, traits, and resource properties. [#58563](https://github.com/gravitational/teleport/pull/58563)
+* Added support for configure SCIM Plugin with OIDC or Github Teleport Connectors. [#58554](https://github.com/gravitational/teleport/pull/58554)
+* Added `user_agent` field to MySQL database session start audit events. [#58523](https://github.com/gravitational/teleport/pull/58523)
+* `tbot` now supports the configuration of a default namespace for kubeconfig files generated by the `kubernetes/v2` service. [#58494](https://github.com/gravitational/teleport/pull/58494)
+* Reduced audit log clutter by compacting contiguous shared directory read/write events into a single audit log event. [#58446](https://github.com/gravitational/teleport/pull/58446)
+* Session metadata now appears next to SSH sessions in the UI. [#58405](https://github.com/gravitational/teleport/pull/58405)
+* Refreshed the list session recordings UI with thumbnails, more filtering options and a card/list view. [#58390](https://github.com/gravitational/teleport/pull/58390)
+* Added thumbnail and metadata generation for session recordings. [#58360](https://github.com/gravitational/teleport/pull/58360)
+* Teleport Connect now supports managed updates. [#58260](https://github.com/gravitational/teleport/pull/58260)
+* Teleport Connect now brings focus back from the browser to itself after a successful SSO login. [#58260](https://github.com/gravitational/teleport/pull/58260)
+* Added support for GCP AlloyDB. [#58202](https://github.com/gravitational/teleport/pull/58202)
+* Added support for encrypting session recordings at rest across all recording modes. Encryption can be enabled statically by setting `auth_server.session_recording_config.enabled: yes` in the Teleport file configuration, or dynamically by editing the `session_recording_config` resource and setting `spec.encryption.enabled: yes`. [#57959](https://github.com/gravitational/teleport/pull/57959)
+* Added SSH SELinux module management to teleport-update. [#57660](https://github.com/gravitational/teleport/pull/57660)
+* Added Terraform support for Access List members. [#57058](https://github.com/gravitational/teleport/pull/57058)
+
 ## 18.1.8 (08/29/25)
 
 * Fixed an issue introduced in v18.1.5 that caused desktop connection attempts to stall on the loading screen. [#58500](https://github.com/gravitational/teleport/pull/58500)

Makefile

@@ -13,7 +13,7 @@
 #   Stable releases:   "1.0.0"
 #   Pre-releases:      "1.0.0-alpha.1", "1.0.0-beta.2", "1.0.0-rc.3"
 #   Master/dev branch: "1.0.0-dev"
-VERSION=18.1.8
+VERSION=18.2.0
 
 DOCKER_IMAGE ?= teleport
 

api/version.go

@@ -19,13 +19,13 @@
 		<key>CFBundlePackageType</key>
 		<string>APPL</string>
 		<key>CFBundleShortVersionString</key>
-		<string>18.1.8</string>
+		<string>18.2.0</string>
 		<key>CFBundleSupportedPlatforms</key>
 		<array>
 			<string>MacOSX</string>
 		</array>
 		<key>CFBundleVersion</key>
-		<string>18.1.8</string>
+		<string>18.2.0</string>
 		<key>DTCompiler</key>
 		<string>com.apple.compilers.llvm.clang.1_0</string>
 		<key>DTPlatformBuild</key>

build.assets/macos/tsh/tsh.app/Contents/Info.plist

@@ -17,13 +17,13 @@
 		<key>CFBundlePackageType</key>
 		<string>APPL</string>
 		<key>CFBundleShortVersionString</key>
-		<string>18.1.8</string>
+		<string>18.2.0</string>
 		<key>CFBundleSupportedPlatforms</key>
 		<array>
 			<string>MacOSX</string>
 		</array>
 		<key>CFBundleVersion</key>
-		<string>18.1.8</string>
+		<string>18.2.0</string>
 		<key>DTCompiler</key>
 		<string>com.apple.compilers.llvm.clang.1_0</string>
 		<key>DTPlatformBuild</key>

build.assets/macos/tshdev/tsh.app/Contents/Info.plist

@@ -1,4 +1,4 @@
-.version: &version "18.1.8"
+.version: &version "18.2.0"
 
 apiVersion: v2
 name: teleport-plugin-datadog

e

@@ -26,6 +26,6 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-datadog
-        app.kubernetes.io/version: 18.1.8
-        helm.sh/chart: teleport-plugin-datadog-18.1.8
+        app.kubernetes.io/version: 18.2.0
+        helm.sh/chart: teleport-plugin-datadog-18.2.0
       name: RELEASE-NAME-teleport-plugin-datadog

examples/chart/access/datadog/Chart.yaml

@@ -7,8 +7,8 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-datadog
-        app.kubernetes.io/version: 18.1.8
-        helm.sh/chart: teleport-plugin-datadog-18.1.8
+        app.kubernetes.io/version: 18.2.0
+        helm.sh/chart: teleport-plugin-datadog-18.2.0
       name: RELEASE-NAME-teleport-plugin-datadog
     spec:
       replicas: 1
@@ -22,8 +22,8 @@ should match the snapshot:
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-datadog
-            app.kubernetes.io/version: 18.1.8
-            helm.sh/chart: teleport-plugin-datadog-18.1.8
+            app.kubernetes.io/version: 18.2.0
+            helm.sh/chart: teleport-plugin-datadog-18.2.0
         spec:
           containers:
           - command:

examples/chart/access/datadog/tests/__snapshot__/configmap_test.yaml.snap

@@ -1,4 +1,4 @@
-.version: &version "18.1.8"
+.version: &version "18.2.0"
 
 apiVersion: v2
 name: teleport-plugin-discord