
@glennpratt
Last active October 1, 2024 23:44
Teleport git diff v14.0.1...v14.3.18 -- examples/chart/teleport-cluster
diff --git a/examples/chart/teleport-cluster/.lint/extra-containers.yaml b/examples/chart/teleport-cluster/.lint/extra-containers.yaml
new file mode 100644
index 0000000000..14d04af93c
--- /dev/null
+++ b/examples/chart/teleport-cluster/.lint/extra-containers.yaml
@@ -0,0 +1,12 @@
+clusterName: helm-lint.example.com
+extraContainers:
+ - name: nscenter
+ command:
+ - /bin/bash
+ - -c
+ - sleep infinity & wait
+ image: praqma/network-multitool
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ privileged: true
+ runAsNonRoot: false
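Review bot: The fixture renders a privileged debugging sidecar (`privileged: true`, `runAsNonRoot: false`) from an untagged `praqma/network-multitool` image, and nothing in the file marks it as lint-only input rather than a values file someone might copy. A header comment would make the intent explicit: `# Lint fixture: exercises extraContainers with a privileged sidecar; not a recommended configuration`. A tag or digest on the image would also keep the example reproducible if it is ever reused outside the lint run.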
diff --git a/examples/chart/teleport-cluster/.lint/pod-security-context-empty.yaml b/examples/chart/teleport-cluster/.lint/pod-security-context-empty.yaml
new file mode 100644
index 0000000000..14ff54654e
--- /dev/null
+++ b/examples/chart/teleport-cluster/.lint/pod-security-context-empty.yaml
@@ -0,0 +1 @@
+clusterName: helm-lint
diff --git a/examples/chart/teleport-cluster/.lint/pod-security-context.yaml b/examples/chart/teleport-cluster/.lint/pod-security-context.yaml
new file mode 100644
index 0000000000..50710c44fa
--- /dev/null
+++ b/examples/chart/teleport-cluster/.lint/pod-security-context.yaml
@@ -0,0 +1,7 @@
+clusterName: helm-lint
+podSecurityContext:
+ fsGroup: 99
+ fsGroupChangePolicy: OnRootMismatch
+ runAsGroup: 99
+ runAsNonRoot: true
+ runAsUser: 99
diff --git a/examples/chart/teleport-cluster/.lint/session-recording-off.yaml b/examples/chart/teleport-cluster/.lint/session-recording-off.yaml
new file mode 100644
index 0000000000..20ee1ba2a6
--- /dev/null
+++ b/examples/chart/teleport-cluster/.lint/session-recording-off.yaml
@@ -0,0 +1,2 @@
+clusterName: helm-lint
+sessionRecording: "off"
diff --git a/examples/chart/teleport-cluster/Chart.yaml b/examples/chart/teleport-cluster/Chart.yaml
index ec3ca40af4..7e178c10ef 100644
--- a/examples/chart/teleport-cluster/Chart.yaml
+++ b/examples/chart/teleport-cluster/Chart.yaml
@@ -1,11 +1,11 @@
-.version: &version "14.0.1"
+.version: &version "14.3.18"
name: teleport-cluster
apiVersion: v2
version: *version
appVersion: *version
description: Teleport is an access platform for your infrastructure
-icon: https://goteleport.com/images/logos/logo-teleport-square.svg
+icon: https://goteleport.com/static/teleport-symbol-bimi.svg
keywords:
- Teleport
diff --git a/examples/chart/teleport-cluster/charts/teleport-operator/Chart.yaml b/examples/chart/teleport-cluster/charts/teleport-operator/Chart.yaml
index d7f0a947e4..386e12ea65 100644
--- a/examples/chart/teleport-cluster/charts/teleport-operator/Chart.yaml
+++ b/examples/chart/teleport-cluster/charts/teleport-operator/Chart.yaml
@@ -1,10 +1,10 @@
-.version: &version "14.0.1"
+.version: &version "14.3.18"
name: teleport-operator
apiVersion: v2
version: *version
appVersion: *version
description: Teleport Operator provides management of select Teleport resources.
-icon: https://goteleport.com/images/logos/logo-teleport-square.svg
+icon: https://goteleport.com/static/teleport-symbol-bimi.svg
keywords:
- Teleport
diff --git a/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_provisiontokens.yaml b/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_provisiontokens.yaml
index 9d4a18d2d6..ca64e03c4d 100644
--- a/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_provisiontokens.yaml
+++ b/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_provisiontokens.yaml
@@ -181,6 +181,16 @@ spec:
must be accessible over HTTPS at this hostname and the certificate
must be trusted by the Auth Server.
type: string
+ enterprise_slug:
+ description: EnterpriseSlug allows the slug of a GitHub Enterprise
+ organisation to be included in the expected issuer of the OIDC
+ tokens. This is for compatibility with the `include_enterprise_slug`
+ option in GHE. This field should be set to the slug of your
+ enterprise if this is enabled. If this is not enabled, then
+ this field must be left empty. This field cannot be specified
+ if `enterprise_server_host` is specified. See https://docs.github.com/en/enterprise-cloud@latest/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#customizing-the-issuer-value-for-an-enterprise
+ for more information about customised issuer values.
+ type: string
type: object
gitlab:
description: GitLab allows the configuration of options specific to
@@ -192,20 +202,38 @@ spec:
must match one allow rule to use this token.
items:
properties:
+ ci_config_ref_uri:
+ type: string
+ ci_config_sha:
+ type: string
+ deployment_tier:
+ type: string
environment:
type: string
+ environment_protected:
+ type: boolean
namespace_path:
type: string
pipeline_source:
type: string
project_path:
type: string
+ project_visibility:
+ type: string
ref:
type: string
+ ref_protected:
+ type: boolean
ref_type:
type: string
sub:
type: string
+ user_email:
+ type: string
+ user_id:
+ type: string
+ user_login:
+ type: string
type: object
nullable: true
type: array
@@ -257,6 +285,32 @@ spec:
type: string
nullable: true
type: array
+ spacelift:
+ description: Spacelift allows the configuration of options specific
+ to the "spacelift" join method.
+ nullable: true
+ properties:
+ allow:
+ description: Allow is a list of Rules, nodes using this token
+ must match one allow rule to use this token.
+ items:
+ properties:
+ caller_id:
+ type: string
+ caller_type:
+ type: string
+ scope:
+ type: string
+ space_id:
+ type: string
+ type: object
+ nullable: true
+ type: array
+ hostname:
+ description: Hostname is the hostname of the Spacelift tenant
+ that tokens will originate from. E.g `example.app.spacelift.io`
+ type: string
+ type: object
suggested_agent_matcher_labels:
additionalProperties:
x-kubernetes-preserve-unknown-fields: true
@@ -274,6 +328,37 @@ spec:
set when using this token to enroll themselves in the cluster. Currently,
only node-join scripts create a configuration according to the suggestion.
type: object
+ tpm:
+ description: TPM allows the configuration of options specific to the
+ "tpm" join method.
+ nullable: true
+ properties:
+ allow:
+ description: Allow is a list of Rules, the presented delegated
+ identity must match one allow rule to permit joining.
+ items:
+ properties:
+ description:
+ type: string
+ ek_certificate_serial:
+ type: string
+ ek_public_hash:
+ type: string
+ type: object
+ nullable: true
+ type: array
+ ekcert_allowed_cas:
+ description: EKCertAllowedCAs is a list of CA certificates that
+ will be used to validate TPM EKCerts. When specified, joining
+ TPMs must present an EKCert signed by one of the specified CAs.
+ TPMs that do not present an EKCert will be not permitted to
+ join. When unspecified, TPMs will be allowed to join with either
+ an EKCert or an EKPubHash.
+ items:
+ type: string
+ nullable: true
+ type: array
+ type: object
type: object
status:
description: TeleportProvisionTokenStatus defines the observed state of
diff --git a/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_roles.yaml b/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_roles.yaml
index e41e29a660..f02463bca8 100644
--- a/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_roles.yaml
+++ b/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_roles.yaml
@@ -993,6 +993,10 @@ spec:
description: CreateDatabaseUser enabled automatic database user
creation.
type: boolean
+ create_db_user_mode:
+ description: CreateDatabaseUserMode allows users to be automatically
+ created on a database when not set to off.
+ x-kubernetes-int-or-string: true
create_desktop_user:
description: CreateDesktopUser allows users to be automatically
created on a Windows desktop
@@ -2186,6 +2190,10 @@ spec:
description: CreateDatabaseUser enabled automatic database user
creation.
type: boolean
+ create_db_user_mode:
+ description: CreateDatabaseUserMode allows users to be automatically
+ created on a database when not set to off.
+ x-kubernetes-int-or-string: true
create_desktop_user:
description: CreateDesktopUser allows users to be automatically
created on a Windows desktop
diff --git a/examples/chart/teleport-cluster/templates/auth/_config.aws.tpl b/examples/chart/teleport-cluster/templates/auth/_config.aws.tpl
index 9fb0863116..8a2f6e6896 100644
--- a/examples/chart/teleport-cluster/templates/auth/_config.aws.tpl
+++ b/examples/chart/teleport-cluster/templates/auth/_config.aws.tpl
@@ -4,11 +4,7 @@
type: dynamodb
region: {{ required "aws.region is required in chart values" .Values.aws.region }}
table_name: {{ required "aws.backendTable is required in chart values" .Values.aws.backendTable }}
- {{- if .Values.aws.auditLogMirrorOnStdout }}
- audit_events_uri: ['dynamodb://{{ required "aws.auditLogTable is required in chart values" .Values.aws.auditLogTable }}', 'stdout://']
- {{- else }}
- audit_events_uri: ['dynamodb://{{ required "aws.auditLogTable is required in chart values" .Values.aws.auditLogTable }}']
- {{- end }}
+ audit_events_uri: {{- include "teleport-cluster.auth.config.aws.audit" . | nindent 4 }}
audit_sessions_uri: s3://{{ required "aws.sessionRecordingBucket is required in chart values" .Values.aws.sessionRecordingBucket }}
continuous_backups: {{ required "aws.backups is required in chart values" .Values.aws.backups }}
{{- if .Values.aws.dynamoAutoScaling }}
@@ -24,3 +20,26 @@
auto_scaling: false
{{- end }}
{{- end -}}
+
+{{- define "teleport-cluster.auth.config.aws.audit" -}}
+ {{- if and .Values.aws.auditLogTable (not .Values.aws.athenaURL) -}}
+- 'dynamodb://{{.Values.aws.auditLogTable}}'
+ {{- else if and (not .Values.aws.auditLogTable) .Values.aws.athenaURL -}}
+- {{ .Values.aws.athenaURL | quote }}
+ {{- else if and .Values.aws.auditLogTable .Values.aws.athenaURL -}}
+ {{- if eq .Values.aws.auditLogPrimaryBackend "dynamo" -}}
+- 'dynamodb://{{.Values.aws.auditLogTable}}'
+- {{ .Values.aws.athenaURL | quote }}
+ {{- else if eq .Values.aws.auditLogPrimaryBackend "athena" -}}
+- {{ .Values.aws.athenaURL | quote }}
+- 'dynamodb://{{.Values.aws.auditLogTable}}'
+ {{- else -}}
+ {{- fail "Both Dynamo and Athena audit backends are enabled. You must specify the primary backend by setting `aws.auditLogPrimaryBackend` to either 'dynamo' or 'athena'." -}}
+ {{- end -}}
+ {{- else -}}
+ {{- fail "You need an audit backend. In AWS mode, you must set at least one of `aws.auditLogTable` (Dynamo) and `aws.athenaURL` (Athena)." -}}
+ {{- end -}}
+ {{- if .Values.aws.auditLogMirrorOnStdout }}
+- 'stdout://'
+ {{- end -}}
+{{- end -}}
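Review bot: The new `teleport-cluster.auth.config.aws.audit` define carries no comment explaining the precedence it encodes, and with the `required` guards removed from the caller this define is now the only place that logic lives. A template comment above the define should say that it emits the `audit_events_uri` list with the primary backend first, that `aws.auditLogPrimaryBackend` must be `dynamo` or `athena` when both `aws.auditLogTable` and `aws.athenaURL` are set and rendering fails otherwise, and that `aws.auditLogMirrorOnStdout` appends `stdout://` as the last entry. The `{{- if .Values.aws.auditLogMirrorOnStdout }}` directive intentionally keeps its trailing newline so the mirror item lands on its own line after the preceding entry; a short note on that line would stop a future cleanup from adding `-}}` and fusing the two entries.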
diff --git a/examples/chart/teleport-cluster/templates/auth/_config.common.tpl b/examples/chart/teleport-cluster/templates/auth/_config.common.tpl
index bdfda15fc0..fbfdb50783 100644
--- a/examples/chart/teleport-cluster/templates/auth/_config.common.tpl
+++ b/examples/chart/teleport-cluster/templates/auth/_config.common.tpl
@@ -49,7 +49,7 @@ auth_service:
{{- end }}
{{- end }}
{{- if .Values.sessionRecording }}
- session_recording: {{ .Values.sessionRecording }}
+ session_recording: {{ .Values.sessionRecording | squote }}
{{- end }}
{{- if .Values.proxyListenerMode }}
proxy_listener_mode: {{ .Values.proxyListenerMode }}
diff --git a/examples/chart/teleport-cluster/templates/auth/clusterrole.yaml b/examples/chart/teleport-cluster/templates/auth/clusterrole.yaml
index 6bf0886b43..2d04ce23e6 100644
--- a/examples/chart/teleport-cluster/templates/auth/clusterrole.yaml
+++ b/examples/chart/teleport-cluster/templates/auth/clusterrole.yaml
@@ -1,8 +1,14 @@
{{- if .Values.rbac.create -}}
+{{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ .Release.Name }}
+ labels:
+ {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
+ {{- if $auth.extraLabels.clusterRole }}
+ {{- toYaml $auth.extraLabels.clusterRole | nindent 4 }}
+ {{- end }}
rules:
- apiGroups:
- ""
diff --git a/examples/chart/teleport-cluster/templates/auth/clusterrolebinding.yaml b/examples/chart/teleport-cluster/templates/auth/clusterrolebinding.yaml
index ba39919d59..6c37c232f6 100644
--- a/examples/chart/teleport-cluster/templates/auth/clusterrolebinding.yaml
+++ b/examples/chart/teleport-cluster/templates/auth/clusterrolebinding.yaml
@@ -1,9 +1,14 @@
{{- if .Values.rbac.create -}}
+{{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ .Release.Name }}
- labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
+ labels:
+ {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
+ {{- if $auth.extraLabels.clusterRoleBinding }}
+ {{- toYaml $auth.extraLabels.clusterRoleBinding | nindent 4 }}
+ {{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
@@ -19,7 +24,11 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ .Release.Name }}-auth
- labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
+ labels:
+ {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
+ {{- if $auth.extraLabels.clusterRoleBinding }}
+ {{- toYaml $auth.extraLabels.clusterRoleBinding | nindent 4 }}
+ {{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
diff --git a/examples/chart/teleport-cluster/templates/auth/config.yaml b/examples/chart/teleport-cluster/templates/auth/config.yaml
index b5b53cb55a..8a6eb8850d 100644
--- a/examples/chart/teleport-cluster/templates/auth/config.yaml
+++ b/examples/chart/teleport-cluster/templates/auth/config.yaml
@@ -5,7 +5,11 @@ kind: ConfigMap
metadata:
name: {{ .Release.Name }}-auth
namespace: {{ .Release.Namespace }}
- labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
+ labels:
+ {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
+ {{- if $auth.extraLabels.config }}
+ {{- toYaml $auth.extraLabels.config | nindent 4 }}
+ {{- end }}
{{- if $auth.annotations.config }}
annotations: {{- toYaml $auth.annotations.config | nindent 4 }}
{{- end }}
diff --git a/examples/chart/teleport-cluster/templates/auth/deployment.yaml b/examples/chart/teleport-cluster/templates/auth/deployment.yaml
index 8b86131d31..088cb4648d 100644
--- a/examples/chart/teleport-cluster/templates/auth/deployment.yaml
+++ b/examples/chart/teleport-cluster/templates/auth/deployment.yaml
@@ -9,6 +9,9 @@ metadata:
labels:
{{- include "teleport-cluster.auth.labels" . | nindent 4 }}
app: {{ .Release.Name }}
+ {{- if $auth.extraLabels.deployment }}
+ {{- toYaml $auth.extraLabels.deployment | nindent 4 }}
+ {{- end }}
{{- if $auth.annotations.deployment }}
annotations: {{- toYaml $auth.annotations.deployment | nindent 4 }}
{{- end }}
@@ -43,6 +46,9 @@ spec:
labels:
{{- include "teleport-cluster.auth.labels" . | nindent 8 }}
app: {{ .Release.Name }}
+ {{- if $auth.extraLabels.pod }}
+ {{- toYaml $auth.extraLabels.pod | nindent 8 }}
+ {{- end }}
{{- if eq $auth.chartMode "azure"}}
azure.workload.identity/use: "true"
{{- end }}
@@ -270,6 +276,9 @@ spec:
readOnly: true
{{- end }}
{{ end }}
+{{- if $auth.extraContainers }}
+ {{- toYaml $auth.extraContainers | nindent 6 }}
+{{- end }}
{{- if $projectedServiceAccountToken }}
automountServiceAccountToken: false
{{- end }}
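Review bot: The `extraContainers` entries are spliced into the pod's containers list by `toYaml` verbatim, so whatever securityContext the chart sets on its own container (outside the hunk) does not apply to them, and the accompanying lint fixture shows a `privileged: true` sidecar passing through unchanged. That is a reasonable escape hatch, but it should be stated where operators read it; a template comment here, `{{/* extraContainers are rendered as given; the chart applies no securityContext defaults to them */}}`, plus the same wording on the `values.yaml` key (not in this diff), would make it explicit. The proxy Deployment's `extraContainers` block has the same gap.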
@@ -323,6 +332,9 @@ spec:
{{- end }}
{{- if $auth.priorityClassName }}
priorityClassName: {{ $auth.priorityClassName }}
+{{- end }}
+{{- if $auth.podSecurityContext }}
+ securityContext: {{- toYaml $auth.podSecurityContext | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "teleport-cluster.auth.serviceAccountName" . }}
terminationGracePeriodSeconds: {{ $auth.terminationGracePeriodSeconds }}
diff --git a/examples/chart/teleport-cluster/templates/auth/pdb.yaml b/examples/chart/teleport-cluster/templates/auth/pdb.yaml
index 01095895aa..02983f7f2f 100644
--- a/examples/chart/teleport-cluster/templates/auth/pdb.yaml
+++ b/examples/chart/teleport-cluster/templates/auth/pdb.yaml
@@ -9,7 +9,11 @@ kind: PodDisruptionBudget
metadata:
name: {{ .Release.Name }}-auth
namespace: {{ .Release.Namespace }}
- labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
+ labels:
+ {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
+ {{- if $auth.extraLabels.podDisruptionBudget }}
+ {{- toYaml $auth.extraLabels.podDisruptionBudget | nindent 4 }}
+ {{- end }}
spec:
minAvailable: {{ $auth.highAvailability.podDisruptionBudget.minAvailable }}
selector:
diff --git a/examples/chart/teleport-cluster/templates/auth/predeploy_config.yaml b/examples/chart/teleport-cluster/templates/auth/predeploy_config.yaml
index 14194400dd..e866df467c 100644
--- a/examples/chart/teleport-cluster/templates/auth/predeploy_config.yaml
+++ b/examples/chart/teleport-cluster/templates/auth/predeploy_config.yaml
@@ -6,7 +6,11 @@ kind: ConfigMap
metadata:
name: {{ .Release.Name }}-auth-test
namespace: {{ .Release.Namespace }}
- labels: {{- include "teleport-cluster.labels" . | nindent 4 }}
+ labels:
+ {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
+ {{- if $auth.extraLabels.config }}
+ {{- toYaml $auth.extraLabels.config | nindent 4 }}
+ {{- end }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "4"
diff --git a/examples/chart/teleport-cluster/templates/auth/predeploy_job.yaml b/examples/chart/teleport-cluster/templates/auth/predeploy_job.yaml
index a03225d240..a8edf708e0 100644
--- a/examples/chart/teleport-cluster/templates/auth/predeploy_job.yaml
+++ b/examples/chart/teleport-cluster/templates/auth/predeploy_job.yaml
@@ -5,7 +5,11 @@ kind: Job
metadata:
name: {{ .Release.Name }}-auth-test
namespace: {{ .Release.Namespace }}
- labels: {{- include "teleport-cluster.labels" . | nindent 4 }}
+ labels:
+ {{- include "teleport-cluster.labels" . | nindent 4 }}
+ {{- if $auth.extraLabels.job }}
+ {{- toYaml $auth.extraLabels.job | nindent 4 }}
+ {{- end }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "5"
diff --git a/examples/chart/teleport-cluster/templates/auth/pvc.yaml b/examples/chart/teleport-cluster/templates/auth/pvc.yaml
index 640e3ebfe0..8d2c07c4b7 100644
--- a/examples/chart/teleport-cluster/templates/auth/pvc.yaml
+++ b/examples/chart/teleport-cluster/templates/auth/pvc.yaml
@@ -9,7 +9,11 @@ kind: PersistentVolumeClaim
metadata:
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
- labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
+ labels:
+ {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
+ {{- if $auth.extraLabels.persistentVolumeClaim }}
+ {{- toYaml $auth.extraLabels.persistentVolumeClaim | nindent 4 }}
+ {{- end }}
spec:
accessModes:
- ReadWriteOnce
diff --git a/examples/chart/teleport-cluster/templates/auth/service-previous-version.yaml b/examples/chart/teleport-cluster/templates/auth/service-previous-version.yaml
index 75b4b06262..9f17d2793c 100644
--- a/examples/chart/teleport-cluster/templates/auth/service-previous-version.yaml
+++ b/examples/chart/teleport-cluster/templates/auth/service-previous-version.yaml
@@ -1,9 +1,14 @@
+{{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}}
apiVersion: v1
kind: Service
metadata:
name: {{ include "teleport-cluster.auth.previousVersionServiceName" . }}
namespace: {{ .Release.Namespace }}
- labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
+ labels:
+ {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
+ {{- if $auth.extraLabels.service }}
+ {{- toYaml $auth.extraLabels.service | nindent 4 }}
+ {{- end }}
spec:
# This is a headless service. Resolving it will return the list of all auth pods running the previous major version
# Proxies should not connect to auth pods from the previous major version
@@ -20,7 +25,11 @@ kind: Service
metadata:
name: {{ include "teleport-cluster.auth.currentVersionServiceName" . }}
namespace: {{ .Release.Namespace }}
- labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
+ labels:
+ {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
+ {{- if $auth.extraLabels.service }}
+ {{- toYaml $auth.extraLabels.service | nindent 4 }}
+ {{- end }}
spec:
# This is a headless service. Resolving it will return the list of all auth pods running the current major version
clusterIP: "None"
diff --git a/examples/chart/teleport-cluster/templates/auth/service.yaml b/examples/chart/teleport-cluster/templates/auth/service.yaml
index e5175fbb7f..6e45b4802e 100644
--- a/examples/chart/teleport-cluster/templates/auth/service.yaml
+++ b/examples/chart/teleport-cluster/templates/auth/service.yaml
@@ -4,7 +4,11 @@ kind: Service
metadata:
name: {{ include "teleport-cluster.auth.serviceName" . }}
namespace: {{ .Release.Namespace }}
- labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
+ labels:
+ {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
+ {{- if $auth.extraLabels.service }}
+ {{- toYaml $auth.extraLabels.service | nindent 4 }}
+ {{- end }}
{{- if $auth.annotations.service }}
annotations: {{- toYaml $auth.annotations.service | nindent 4 }}
{{- end }}
diff --git a/examples/chart/teleport-cluster/templates/auth/serviceaccount.yaml b/examples/chart/teleport-cluster/templates/auth/serviceaccount.yaml
index 2ee2e1ad6a..0eb96f032e 100644
--- a/examples/chart/teleport-cluster/templates/auth/serviceaccount.yaml
+++ b/examples/chart/teleport-cluster/templates/auth/serviceaccount.yaml
@@ -5,6 +5,11 @@ kind: ServiceAccount
metadata:
name: {{ template "teleport-cluster.auth.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
+ {{- if $auth.extraLabels.serviceAccount }}
+ {{- toYaml $auth.extraLabels.serviceAccount | nindent 4 }}
+ {{- end }}
{{- if or $auth.annotations.serviceAccount $auth.azure.clientID }}
annotations:
{{- if $auth.annotations.serviceAccount }}
diff --git a/examples/chart/teleport-cluster/templates/proxy/certificate.yaml b/examples/chart/teleport-cluster/templates/proxy/certificate.yaml
index d2a4dbdf02..7693722c30 100644
--- a/examples/chart/teleport-cluster/templates/proxy/certificate.yaml
+++ b/examples/chart/teleport-cluster/templates/proxy/certificate.yaml
@@ -22,7 +22,8 @@ kind: Certificate
metadata:
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
- labels: {{- include "teleport-cluster.proxy.labels" . | nindent 4 }}
+ labels:
+ {{- include "teleport-cluster.proxy.labels" . | nindent 4 }}
spec:
secretName: teleport-tls
{{- if $proxy.highAvailability.certManager.addCommonName }}
@@ -36,8 +37,13 @@ spec:
name: {{ required "highAvailability.certManager.issuerName is required in chart values" $proxy.highAvailability.certManager.issuerName }}
kind: {{ required "highAvailability.certManager.issuerKind is required in chart values" $proxy.highAvailability.certManager.issuerKind }}
group: {{ required "highAvailability.certManager.issuerGroup is required in chart values" $proxy.highAvailability.certManager.issuerGroup }}
- {{- with $proxy.annotations.certSecret }}
+ {{- if or $proxy.annotations.certSecret $proxy.extraLabels.certSecret }}
secretTemplate:
+ {{- with $proxy.annotations.certSecret }}
annotations: {{- toYaml . | nindent 6 }}
+ {{- end }}
+ {{- with $proxy.extraLabels.certSecret }}
+ labels: {{- toYaml . | nindent 6 }}
+ {{- end }}
{{- end }}
{{- end }}
diff --git a/examples/chart/teleport-cluster/templates/proxy/config.yaml b/examples/chart/teleport-cluster/templates/proxy/config.yaml
index 8cd7788ad0..9154ef056b 100644
--- a/examples/chart/teleport-cluster/templates/proxy/config.yaml
+++ b/examples/chart/teleport-cluster/templates/proxy/config.yaml
@@ -8,6 +8,11 @@ kind: ConfigMap
metadata:
name: {{ .Release.Name }}-proxy
namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "teleport-cluster.proxy.labels" . | nindent 4 }}
+ {{- if $proxy.extraLabels.config }}
+ {{- toYaml $proxy.extraLabels.config | nindent 4 }}
+ {{- end }}
{{- if $proxy.annotations.config }}
annotations: {{- toYaml $proxy.annotations.config | nindent 4 }}
{{- end }}
diff --git a/examples/chart/teleport-cluster/templates/proxy/deployment.yaml b/examples/chart/teleport-cluster/templates/proxy/deployment.yaml
index a77c339b30..7a8a85b10e 100644
--- a/examples/chart/teleport-cluster/templates/proxy/deployment.yaml
+++ b/examples/chart/teleport-cluster/templates/proxy/deployment.yaml
@@ -1,5 +1,5 @@
{{- $proxy := mustMergeOverwrite (mustDeepCopy .Values) .Values.proxy -}}
-{{- $replicable := or $proxy.highAvailability.certManager.enabled $proxy.tls.existingSecretName -}}
+{{- $replicable := or $proxy.highAvailability.certManager.enabled $proxy.tls.existingSecretName $proxy.ingress.enabled -}}
{{- $projectedServiceAccountToken := semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
# Deployment is {{ if not $replicable }}not {{end}}replicable
{{- if and $proxy.highAvailability.certManager.enabled $proxy.tls.existingSecretName }}
@@ -13,7 +13,11 @@ kind: Deployment
metadata:
name: {{ .Release.Name }}-proxy
namespace: {{ .Release.Namespace }}
- labels: {{- include "teleport-cluster.proxy.labels" . | nindent 4 }}
+ labels:
+ {{- include "teleport-cluster.proxy.labels" . | nindent 4 }}
+ {{- if $proxy.extraLabels.deployment }}
+ {{- toYaml $proxy.extraLabels.deployment | nindent 4 }}
+ {{- end }}
{{- if $proxy.annotations.deployment }}
annotations: {{- toYaml $proxy.annotations.deployment | nindent 4 }}
{{- end }}
@@ -49,7 +53,11 @@ spec:
{{- if $proxy.annotations.pod }}
{{- toYaml $proxy.annotations.pod | nindent 8 }}
{{- end }}
- labels: {{- include "teleport-cluster.proxy.labels" . | nindent 8 }}
+ labels:
+ {{- include "teleport-cluster.proxy.labels" . | nindent 8 }}
+ {{- if $proxy.extraLabels.pod }}
+ {{- toYaml $proxy.extraLabels.pod | nindent 8 }}
+ {{- end }}
spec:
{{- if $proxy.nodeSelector }}
nodeSelector: {{- toYaml $proxy.nodeSelector | nindent 8 }}
@@ -255,6 +263,9 @@ spec:
{{- if $proxy.extraVolumeMounts }}
{{- toYaml $proxy.extraVolumeMounts | nindent 8 }}
{{- end }}
+{{- if $proxy.extraContainers }}
+ {{- toYaml $proxy.extraContainers | nindent 6 }}
+{{- end }}
{{- if $projectedServiceAccountToken }}
automountServiceAccountToken: false
{{- end }}
@@ -302,6 +313,9 @@ spec:
{{- end }}
{{- if $proxy.priorityClassName }}
priorityClassName: {{ $proxy.priorityClassName }}
+{{- end }}
+{{- if $proxy.podSecurityContext }}
+ securityContext: {{- toYaml $proxy.podSecurityContext | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "teleport-cluster.proxy.serviceAccountName" . }}
terminationGracePeriodSeconds: {{ $proxy.terminationGracePeriodSeconds }}
diff --git a/examples/chart/teleport-cluster/templates/proxy/ingress.yaml b/examples/chart/teleport-cluster/templates/proxy/ingress.yaml
index e0a2e38fdd..82ddea2e97 100644
--- a/examples/chart/teleport-cluster/templates/proxy/ingress.yaml
+++ b/examples/chart/teleport-cluster/templates/proxy/ingress.yaml
@@ -23,7 +23,11 @@ kind: Ingress
metadata:
name: {{ .Release.Name }}-proxy
namespace: {{ .Release.Namespace }}
- labels: {{- include "teleport-cluster.proxy.labels" . | nindent 4 }}
+ labels:
+ {{- include "teleport-cluster.proxy.labels" . | nindent 4 }}
+ {{- if $proxy.extraLabels.ingress }}
+ {{- toYaml $proxy.extraLabels.ingress | nindent 4 }}
+ {{- end }}
{{- if $proxy.annotations.ingress }}
annotations: {{- toYaml $proxy.annotations.ingress | nindent 4 }}
{{- end }}
diff --git a/examples/chart/teleport-cluster/templates/proxy/pdb.yaml b/examples/chart/teleport-cluster/templates/proxy/pdb.yaml
index f22003183b..2d198439a7 100644
--- a/examples/chart/teleport-cluster/templates/proxy/pdb.yaml
+++ b/examples/chart/teleport-cluster/templates/proxy/pdb.yaml
@@ -9,7 +9,11 @@ kind: PodDisruptionBudget
metadata:
name: {{ .Release.Name }}-proxy
namespace: {{ .Release.Namespace }}
- labels: {{- include "teleport-cluster.proxy.labels" . | nindent 4 }}
+ labels:
+ {{- include "teleport-cluster.proxy.labels" . | nindent 4 }}
+ {{- if $proxy.extraLabels.podDisruptionBudget }}
+ {{- toYaml $proxy.extraLabels.podDisruptionBudget | nindent 4 }}
+ {{- end }}
spec:
minAvailable: {{ $proxy.highAvailability.podDisruptionBudget.minAvailable }}
selector:
diff --git a/examples/chart/teleport-cluster/templates/proxy/predeploy_config.yaml b/examples/chart/teleport-cluster/templates/proxy/predeploy_config.yaml
index 6e2d374bec..4ef166ae9c 100644
--- a/examples/chart/teleport-cluster/templates/proxy/predeploy_config.yaml
+++ b/examples/chart/teleport-cluster/templates/proxy/predeploy_config.yaml
@@ -6,6 +6,11 @@ kind: ConfigMap
metadata:
name: {{ .Release.Name }}-proxy-test
namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "teleport-cluster.proxy.labels" . | nindent 4 }}
+ {{- if $proxy.extraLabels.config }}
+ {{- toYaml $proxy.extraLabels.config | nindent 4 }}
+ {{- end }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "4"
diff --git a/examples/chart/teleport-cluster/templates/proxy/predeploy_job.yaml b/examples/chart/teleport-cluster/templates/proxy/predeploy_job.yaml
index e0fb551e3c..a0d8547d15 100644
--- a/examples/chart/teleport-cluster/templates/proxy/predeploy_job.yaml
+++ b/examples/chart/teleport-cluster/templates/proxy/predeploy_job.yaml
@@ -5,7 +5,11 @@ kind: Job
metadata:
name: {{ .Release.Name }}-proxy-test
namespace: {{ .Release.Namespace }}
- labels: {{- include "teleport-cluster.labels" . | nindent 4 }}
+ labels:
+ {{- include "teleport-cluster.proxy.labels" . | nindent 4 }}
+ {{- if $proxy.extraLabels.job }}
+ {{- toYaml $proxy.extraLabels.job | nindent 4 }}
+ {{- end }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "5"
diff --git a/examples/chart/teleport-cluster/templates/proxy/service.yaml b/examples/chart/teleport-cluster/templates/proxy/service.yaml
index b7e9c27ed0..4b453e52e9 100644
--- a/examples/chart/teleport-cluster/templates/proxy/service.yaml
+++ b/examples/chart/teleport-cluster/templates/proxy/service.yaml
@@ -9,7 +9,11 @@ kind: Service
metadata:
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
- labels: {{- include "teleport-cluster.proxy.labels" . | nindent 4 }}
+ labels:
+ {{- include "teleport-cluster.proxy.labels" . | nindent 4 }}
+ {{- if $proxy.extraLabels.service }}
+ {{- toYaml $proxy.extraLabels.service | nindent 4 }}
+ {{- end }}
{{- if (or ($proxy.annotations.service) (eq $proxy.chartMode "aws")) }}
annotations:
{{- if and (eq $proxy.chartMode "aws") (not $proxy.ingress.enabled) }}
diff --git a/examples/chart/teleport-cluster/templates/proxy/serviceaccount.yaml b/examples/chart/teleport-cluster/templates/proxy/serviceaccount.yaml
index 66a9c4bc97..7f5ecd8c2d 100644
--- a/examples/chart/teleport-cluster/templates/proxy/serviceaccount.yaml
+++ b/examples/chart/teleport-cluster/templates/proxy/serviceaccount.yaml
@@ -5,6 +5,11 @@ kind: ServiceAccount
metadata:
name: {{ include "teleport-cluster.proxy.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "teleport-cluster.proxy.labels" . | nindent 4 }}
+ {{- if $proxy.extraLabels.serviceAccount }}
+ {{- toYaml $proxy.extraLabels.serviceAccount | nindent 4 }}
+ {{- end }}
{{- if $proxy.annotations.serviceAccount }}
annotations: {{- toYaml $proxy.annotations.serviceAccount | nindent 4 }}
{{- end -}}
diff --git a/examples/chart/teleport-cluster/tests/__snapshot__/auth_clusterrole_test.yaml.snap b/examples/chart/teleport-cluster/tests/__snapshot__/auth_clusterrole_test.yaml.snap
index 75650c0cdb..71d8204777 100644
--- a/examples/chart/teleport-cluster/tests/__snapshot__/auth_clusterrole_test.yaml.snap
+++ b/examples/chart/teleport-cluster/tests/__snapshot__/auth_clusterrole_test.yaml.snap
@@ -3,6 +3,14 @@ adds operator permissions to ClusterRole:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
+ labels:
+ app.kubernetes.io/component: auth
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: teleport-cluster
+ app.kubernetes.io/version: 14.3.18
+ helm.sh/chart: teleport-cluster-14.3.18
+ teleport.dev/majorVersion: "14"
name: RELEASE-NAME
rules:
- apiGroups:
diff --git a/examples/chart/teleport-cluster/tests/__snapshot__/auth_config_test.yaml.snap b/examples/chart/teleport-cluster/tests/__snapshot__/auth_config_test.yaml.snap
index ed8eb560a4..9c83f57790 100644
--- a/examples/chart/teleport-cluster/tests/__snapshot__/auth_config_test.yaml.snap
+++ b/examples/chart/teleport-cluster/tests/__snapshot__/auth_config_test.yaml.snap
@@ -12,6 +12,75 @@ adds a proxy token by default:
kubernetes:
allow:
- service_account: "NAMESPACE:RELEASE-NAME-proxy"
+keeps the second factor type even when it's "off":
+ 1: |
+ |-
+ auth_service:
+ authentication:
+ local_auth: true
+ second_factor: "off"
+ type: local
+ cluster_name: helm-lint
+ enabled: true
+ proxy_listener_mode: separate
+ kubernetes_service:
+ enabled: true
+ kube_cluster_name: helm-lint
+ listen_addr: 0.0.0.0:3026
+ public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026
+ proxy_service:
+ enabled: false
+ ssh_service:
+ enabled: false
+ teleport:
+ auth_server: 127.0.0.1:3025
+ log:
+ format:
+ extra_fields:
+ - timestamp
+ - level
+ - component
+ - caller
+ output: text
+ output: stderr
+ severity: INFO
+ version: v3
+keeps the session_recording type even when it's "off":
+ 1: |
+ |-
+ auth_service:
+ authentication:
+ local_auth: true
+ second_factor: "on"
+ type: local
+ webauthn:
+ rp_id: helm-lint
+ cluster_name: helm-lint
+ enabled: true
+ proxy_listener_mode: separate
+ session_recording: "off"
+ kubernetes_service:
+ enabled: true
+ kube_cluster_name: helm-lint
+ listen_addr: 0.0.0.0:3026
+ public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026
+ proxy_service:
+ enabled: false
+ ssh_service:
+ enabled: false
+ teleport:
+ auth_server: 127.0.0.1:3025
+ log:
+ format:
+ extra_fields:
+ - timestamp
+ - level
+ - component
+ - caller
+ output: text
+ output: stderr
+ severity: INFO
+ version: v3
matches snapshot for acme-off.yaml:
1: |
|-
@@ -1672,3 +1741,139 @@ matches snapshot for volumes.yaml:
output: stderr
severity: INFO
version: v3
+uses athena as primary backend when configured:
+ 1: |
+ |-
+ auth_service:
+ authentication:
+ local_auth: true
+ second_factor: "on"
+ type: local
+ webauthn:
+ rp_id: teleport.example.com
+ cluster_name: teleport.example.com
+ enabled: true
+ proxy_listener_mode: separate
+ kubernetes_service:
+ enabled: true
+ kube_cluster_name: teleport.example.com
+ listen_addr: 0.0.0.0:3026
+ public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026
+ proxy_service:
+ enabled: false
+ ssh_service:
+ enabled: false
+ teleport:
+ auth_server: 127.0.0.1:3025
+ log:
+ format:
+ extra_fields:
+ - timestamp
+ - level
+ - component
+ - caller
+ output: text
+ output: stderr
+ severity: INFO
+ storage:
+ audit_events_uri:
+ - athena://db.table?topicArn=arn:aws:sns:region:account_id:topic_name
+ - dynamodb://my-dynamodb-table
+ audit_sessions_uri: s3://asd
+ auto_scaling: false
+ continuous_backups: false
+ region: asd
+ table_name: asd
+ type: dynamodb
+ version: v3
+uses athena, dynamo, and stdout when everything is on:
+ 1: |
+ |-
+ auth_service:
+ authentication:
+ local_auth: true
+ second_factor: "on"
+ type: local
+ webauthn:
+ rp_id: teleport.example.com
+ cluster_name: teleport.example.com
+ enabled: true
+ proxy_listener_mode: separate
+ kubernetes_service:
+ enabled: true
+ kube_cluster_name: teleport.example.com
+ listen_addr: 0.0.0.0:3026
+ public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026
+ proxy_service:
+ enabled: false
+ ssh_service:
+ enabled: false
+ teleport:
+ auth_server: 127.0.0.1:3025
+ log:
+ format:
+ extra_fields:
+ - timestamp
+ - level
+ - component
+ - caller
+ output: text
+ output: stderr
+ severity: INFO
+ storage:
+ audit_events_uri:
+ - athena://db.table?topicArn=arn:aws:sns:region:account_id:topic_name
+ - dynamodb://my-dynamodb-table
+ - stdout://
+ audit_sessions_uri: s3://asd
+ auto_scaling: false
+ continuous_backups: false
+ region: asd
+ table_name: asd
+ type: dynamodb
+ version: v3
+uses dynamo as primary backend when configured:
+ 1: |
+ |-
+ auth_service:
+ authentication:
+ local_auth: true
+ second_factor: "on"
+ type: local
+ webauthn:
+ rp_id: teleport.example.com
+ cluster_name: teleport.example.com
+ enabled: true
+ proxy_listener_mode: separate
+ kubernetes_service:
+ enabled: true
+ kube_cluster_name: teleport.example.com
+ listen_addr: 0.0.0.0:3026
+ public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026
+ proxy_service:
+ enabled: false
+ ssh_service:
+ enabled: false
+ teleport:
+ auth_server: 127.0.0.1:3025
+ log:
+ format:
+ extra_fields:
+ - timestamp
+ - level
+ - component
+ - caller
+ output: text
+ output: stderr
+ severity: INFO
+ storage:
+ audit_events_uri:
+ - dynamodb://my-dynamodb-table
+ - athena://db.table?topicArn=arn:aws:sns:region:account_id:topic_name
+ audit_sessions_uri: s3://asd
+ auto_scaling: false
+ continuous_backups: false
+ region: asd
+ table_name: asd
+ type: dynamodb
+ version: v3
diff --git a/examples/chart/teleport-cluster/tests/__snapshot__/auth_deployment_test.yaml.snap b/examples/chart/teleport-cluster/tests/__snapshot__/auth_deployment_test.yaml.snap
index cfc3b88b19..081cbe9425 100644
--- a/examples/chart/teleport-cluster/tests/__snapshot__/auth_deployment_test.yaml.snap
+++ b/examples/chart/teleport-cluster/tests/__snapshot__/auth_deployment_test.yaml.snap
@@ -1,6 +1,6 @@
should add an operator side-car when operator is enabled:
1: |
- image: public.ecr.aws/gravitational/teleport-operator:14.0.1
+ image: public.ecr.aws/gravitational/teleport-operator:14.3.18
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
@@ -41,7 +41,7 @@ should add an operator side-car when operator is enabled:
- args:
- --diag-addr=0.0.0.0:3000
- --apply-on-startup=/etc/teleport/apply-on-startup.yaml
- image: public.ecr.aws/gravitational/teleport-distroless:14.0.1
+ image: public.ecr.aws/gravitational/teleport-distroless:14.3.18
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
@@ -174,7 +174,7 @@ should set nodeSelector when set in values:
- args:
- --diag-addr=0.0.0.0:3000
- --apply-on-startup=/etc/teleport/apply-on-startup.yaml
- image: public.ecr.aws/gravitational/teleport-distroless:14.0.1
+ image: public.ecr.aws/gravitational/teleport-distroless:14.3.18
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
@@ -271,7 +271,7 @@ should set resources when set in values:
- args:
- --diag-addr=0.0.0.0:3000
- --apply-on-startup=/etc/teleport/apply-on-startup.yaml
- image: public.ecr.aws/gravitational/teleport-distroless:14.0.1
+ image: public.ecr.aws/gravitational/teleport-distroless:14.3.18
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
@@ -357,7 +357,7 @@ should set securityContext when set in values:
- args:
- --diag-addr=0.0.0.0:3000
- --apply-on-startup=/etc/teleport/apply-on-startup.yaml
- image: public.ecr.aws/gravitational/teleport-distroless:14.0.1
+ image: public.ecr.aws/gravitational/teleport-distroless:14.3.18
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
diff --git a/examples/chart/teleport-cluster/tests/__snapshot__/proxy_deployment_test.yaml.snap b/examples/chart/teleport-cluster/tests/__snapshot__/proxy_deployment_test.yaml.snap
index 3ecdcf1608..956d171ca8 100644
--- a/examples/chart/teleport-cluster/tests/__snapshot__/proxy_deployment_test.yaml.snap
+++ b/examples/chart/teleport-cluster/tests/__snapshot__/proxy_deployment_test.yaml.snap
@@ -5,7 +5,7 @@ should provision initContainer correctly when set in values:
- wait
- no-resolve
- RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
- image: public.ecr.aws/gravitational/teleport-distroless:14.0.1
+ image: public.ecr.aws/gravitational/teleport-distroless:14.3.18
name: wait-auth-update
- args:
- echo test
@@ -62,7 +62,7 @@ should set nodeSelector when set in values:
containers:
- args:
- --diag-addr=0.0.0.0:3000
- image: public.ecr.aws/gravitational/teleport-distroless:14.0.1
+ image: public.ecr.aws/gravitational/teleport-distroless:14.3.18
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
@@ -123,7 +123,7 @@ should set nodeSelector when set in values:
- wait
- no-resolve
- RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
- image: public.ecr.aws/gravitational/teleport-distroless:14.0.1
+ image: public.ecr.aws/gravitational/teleport-distroless:14.3.18
name: wait-auth-update
nodeSelector:
environment: security
@@ -174,7 +174,7 @@ should set resources when set in values:
containers:
- args:
- --diag-addr=0.0.0.0:3000
- image: public.ecr.aws/gravitational/teleport-distroless:14.0.1
+ image: public.ecr.aws/gravitational/teleport-distroless:14.3.18
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
@@ -242,7 +242,7 @@ should set resources when set in values:
- wait
- no-resolve
- RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
- image: public.ecr.aws/gravitational/teleport-distroless:14.0.1
+ image: public.ecr.aws/gravitational/teleport-distroless:14.3.18
name: wait-auth-update
serviceAccountName: RELEASE-NAME-proxy
terminationGracePeriodSeconds: 60
@@ -275,7 +275,7 @@ should set securityContext for initContainers when set in values:
containers:
- args:
- --diag-addr=0.0.0.0:3000
- image: public.ecr.aws/gravitational/teleport-distroless:14.0.1
+ image: public.ecr.aws/gravitational/teleport-distroless:14.3.18
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
@@ -343,7 +343,7 @@ should set securityContext for initContainers when set in values:
- wait
- no-resolve
- RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
- image: public.ecr.aws/gravitational/teleport-distroless:14.0.1
+ image: public.ecr.aws/gravitational/teleport-distroless:14.3.18
name: wait-auth-update
securityContext:
allowPrivilegeEscalation: false
@@ -383,7 +383,7 @@ should set securityContext when set in values:
containers:
- args:
- --diag-addr=0.0.0.0:3000
- image: public.ecr.aws/gravitational/teleport-distroless:14.0.1
+ image: public.ecr.aws/gravitational/teleport-distroless:14.3.18
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
@@ -451,7 +451,7 @@ should set securityContext when set in values:
- wait
- no-resolve
- RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
- image: public.ecr.aws/gravitational/teleport-distroless:14.0.1
+ image: public.ecr.aws/gravitational/teleport-distroless:14.3.18
name: wait-auth-update
securityContext:
allowPrivilegeEscalation: false
diff --git a/examples/chart/teleport-cluster/tests/auth_clusterrole_test.yaml b/examples/chart/teleport-cluster/tests/auth_clusterrole_test.yaml
index 6e26d74d71..a3ab5d80f2 100644
--- a/examples/chart/teleport-cluster/tests/auth_clusterrole_test.yaml
+++ b/examples/chart/teleport-cluster/tests/auth_clusterrole_test.yaml
@@ -17,3 +17,20 @@ tests:
- isKind:
of: ClusterRole
- matchSnapshot: {}
+ - it: sets extraLabels on ClusterRole
+ set:
+ extraLabels:
+ clusterRole:
+ foo: bar
+ baz: override-me
+ auth:
+ extraLabels:
+ clusterRole:
+ baz: overridden
+ asserts:
+ - equal:
+ path: metadata.labels.foo
+ value: bar
+ - equal:
+ path: metadata.labels.baz
+ value: overridden
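Review bot: This case checks that `auth.extraLabels` overrides chart-scoped `extraLabels`, but nothing asserts that the chart's own labels survive the merge, so a template that let user labels clobber `app.kubernetes.io/name` or `helm.sh/chart` would still pass. One more assert pins that, using a value the snapshot already shows: `- equal:` / `path: metadata.labels.app\.kubernetes\.io/name` / `value: teleport-cluster`. The same gap exists in every other extraLabels test added in this diff (ClusterRoleBinding, ConfigMap, Deployment and its pods, PDB, PVC, ServiceAccount, Ingress, Certificate, Service, and the predeploy jobs/configs).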
diff --git a/examples/chart/teleport-cluster/tests/auth_clusterrolebinding_test.yaml b/examples/chart/teleport-cluster/tests/auth_clusterrolebinding_test.yaml
index 45117b15a6..2ac15aa667 100644
--- a/examples/chart/teleport-cluster/tests/auth_clusterrolebinding_test.yaml
+++ b/examples/chart/teleport-cluster/tests/auth_clusterrolebinding_test.yaml
@@ -18,3 +18,21 @@ tests:
content:
kind: ServiceAccount
name: "helm-lint"
+
+ - it: sets extraLabels on ClusterRoleBindings
+ set:
+ extraLabels:
+ clusterRoleBinding:
+ foo: bar
+ baz: override-me
+ auth:
+ extraLabels:
+ clusterRoleBinding:
+ baz: overridden
+ asserts:
+ - equal:
+ path: metadata.labels.foo
+ value: bar
+ - equal:
+ path: metadata.labels.baz
+ value: overridden
diff --git a/examples/chart/teleport-cluster/tests/auth_config_test.yaml b/examples/chart/teleport-cluster/tests/auth_config_test.yaml
index ea2ed147cc..dfa1710835 100644
--- a/examples/chart/teleport-cluster/tests/auth_config_test.yaml
+++ b/examples/chart/teleport-cluster/tests/auth_config_test.yaml
@@ -510,3 +510,158 @@ tests:
- matchRegex:
path: data.teleport\.yaml
pattern: 'billing_mode: provisioned'
+
+ - it: fails when no audit backend is configured
+ set:
+ chartMode: aws
+ clusterName: "teleport.example.com"
+ aws:
+ region: asd
+ backendTable: asd
+ sessionRecordingBucket: asd
+ asserts:
+ - failedTemplate:
+ errorMessage: "You need an audit backend. In AWS mode, you must set at least one of `aws.auditLogTable` (Dynamo) and `aws.athenaURL` (Athena)."
+
+ - it: configures dynamo when dynamo is set
+ set:
+ chartMode: aws
+ clusterName: "teleport.example.com"
+ aws:
+ region: asd
+ backendTable: asd
+ sessionRecordingBucket: asd
+ auditLogTable: my-dynamodb-table
+ asserts:
+ - matchRegex:
+ path: data.teleport\.yaml
+ pattern: '- dynamodb://my-dynamodb-table'
+
+ - it: configures athena when athenaURL is set
+ set:
+ chartMode: aws
+ clusterName: "teleport.example.com"
+ aws:
+ region: asd
+ backendTable: asd
+ sessionRecordingBucket: asd
+ athenaURL: 'athena://db.table?topicArn=arn:aws:sns:region:account_id:topic_name'
+ asserts:
+ - matchRegex:
+ path: data.teleport\.yaml
+ pattern: '- athena://db.table'
+
+ - it: configures dynamo and stdout when dynamo is set and mirroring is on
+ set:
+ chartMode: aws
+ clusterName: "teleport.example.com"
+ aws:
+ region: asd
+ backendTable: asd
+ sessionRecordingBucket: asd
+ auditLogTable: my-dynamodb-table
+ auditLogMirrorOnStdout: true
+ asserts:
+ - matchRegex:
+ path: data.teleport\.yaml
+ pattern: '- dynamodb://my-dynamodb-table'
+ - matchRegex:
+ path: data.teleport\.yaml
+ pattern: '- stdout://'
+
+ - it: fails when both athena and dynamo are set but no order is specified
+ set:
+ chartMode: aws
+ clusterName: "teleport.example.com"
+ aws:
+ region: asd
+ backendTable: asd
+ sessionRecordingBucket: asd
+ auditLogTable: my-dynamodb-table
+ athenaURL: 'athena://db.table?topicArn=arn:aws:sns:region:account_id:topic_name'
+ asserts:
+ - failedTemplate:
+ errorMessage: "Both Dynamo and Athena audit backends are enabled. You must specify the primary backend by setting `aws.auditLogPrimaryBackend` to either 'dynamo' or 'athena'."
+
+ - it: uses athena as primary backend when configured
+ set:
+ chartMode: aws
+ clusterName: "teleport.example.com"
+ aws:
+ region: asd
+ backendTable: asd
+ sessionRecordingBucket: asd
+ auditLogTable: my-dynamodb-table
+ athenaURL: 'athena://db.table?topicArn=arn:aws:sns:region:account_id:topic_name'
+ auditLogPrimaryBackend: "athena"
+ asserts:
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: uses dynamo as primary backend when configured
+ set:
+ chartMode: aws
+ clusterName: "teleport.example.com"
+ aws:
+ region: asd
+ backendTable: asd
+ sessionRecordingBucket: asd
+ auditLogTable: my-dynamodb-table
+ athenaURL: 'athena://db.table?topicArn=arn:aws:sns:region:account_id:topic_name'
+ auditLogPrimaryBackend: "dynamo"
+ asserts:
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: uses athena, dynamo, and stdout when everything is on
+ set:
+ chartMode: aws
+ clusterName: "teleport.example.com"
+ aws:
+ region: asd
+ backendTable: asd
+ sessionRecordingBucket: asd
+ auditLogTable: my-dynamodb-table
+ athenaURL: 'athena://db.table?topicArn=arn:aws:sns:region:account_id:topic_name'
+ auditLogPrimaryBackend: "athena"
+ auditLogMirrorOnStdout: true
+ asserts:
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: keeps the session_recording type even when it's "off"
+ set:
+ clusterName: helm-lint
+ sessionRecording: 'off'
+ asserts:
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: keeps the second factor type even when it's "off"
+ set:
+ clusterName: helm-lint
+ authentication:
+ secondFactor: 'off'
+ asserts:
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: sets extraLabels on Configmap
+ values:
+ - ../.lint/annotations.yaml
+ set:
+ extraLabels:
+ config:
+ foo: bar
+ baz: override-me
+ auth:
+ extraLabels:
+ config:
+ baz: overridden
+ asserts:
+ - equal:
+ path: metadata.labels.foo
+ value: bar
+ - equal:
+ path: metadata.labels.baz
+ value: overridden
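Review bot: The two regression tests for `sessionRecording: 'off'` and `secondFactor: 'off'` rely solely on `matchSnapshot`, so the quoting they protect (`session_recording: "off"` rather than a bare `off` that a YAML 1.1 loader reads as `false`) would be silently re-baked the next time snapshots are updated. Add an explicit `matchRegex` with `pattern: 'session_recording: "off"'` (and `pattern: 'second_factor: "off"'` for the other case) so the intent fails loudly instead of being absorbed into a snapshot refresh. Minor: in `pattern: '- athena://db.table'` and the dynamo equivalents the `.` is an unescaped regex metacharacter; `db\.table` is what the test means.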
diff --git a/examples/chart/teleport-cluster/tests/auth_deployment_test.yaml b/examples/chart/teleport-cluster/tests/auth_deployment_test.yaml
index cc8cb581cc..bb26ae7df0 100644
--- a/examples/chart/teleport-cluster/tests/auth_deployment_test.yaml
+++ b/examples/chart/teleport-cluster/tests/auth_deployment_test.yaml
@@ -3,7 +3,7 @@ templates:
- auth/deployment.yaml
- auth/config.yaml
tests:
- - it: sets Statefulset annotations when specified
+ - it: sets Deployment annotations when specified
template: auth/deployment.yaml
values:
- ../.lint/annotations.yaml
@@ -126,6 +126,35 @@ tests:
- matchSnapshot:
path: spec.template.spec
+ - it: should set podSecurityContext when set in values
+ template: auth/deployment.yaml
+ values:
+ - ../.lint/pod-security-context.yaml
+ asserts:
+ - equal:
+ path: spec.template.spec.securityContext.fsGroup
+ value: 99
+ - equal:
+ path: spec.template.spec.securityContext.fsGroupChangePolicy
+ value: OnRootMismatch
+ - equal:
+ path: spec.template.spec.securityContext.runAsGroup
+ value: 99
+ - equal:
+ path: spec.template.spec.securityContext.runAsNonRoot
+ value: true
+ - equal:
+ path: spec.template.spec.securityContext.runAsUser
+ value: 99
+
+ - it: should not set podSecurityContext when is empty object (default value)
+ template: auth/deployment.yaml
+ values:
+ - ../.lint/pod-security-context-empty.yaml
+ asserts:
+ - isNull:
+ path: spec.template.spec.securityContext
+
- it: should set securityContext when set in values
template: auth/deployment.yaml
values:
@@ -304,6 +333,7 @@ tests:
name: my-mount
secret:
secretName: mySecret
+
- it: should set imagePullPolicy when set in values
template: auth/deployment.yaml
set:
@@ -314,6 +344,36 @@ tests:
path: spec.template.spec.containers[0].imagePullPolicy
value: Always
+ - it: should have only one container when no `extraContainers` is set in values
+ template: auth/deployment.yaml
+ set:
+ extraContainers: []
+ clusterName: helm-lint.example.com
+ asserts:
+ - isNotNull:
+ path: spec.template.spec.containers[0]
+ - isNull:
+ path: spec.template.spec.containers[1]
+
+ - it: should add one more container when `extraContainers` is set in values
+ template: auth/deployment.yaml
+ values:
+ - ../.lint/extra-containers.yaml
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[1]
+ value:
+ name: nscenter
+ command:
+ - /bin/bash
+ - -c
+ - sleep infinity & wait
+ image: praqma/network-multitool
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ privileged: true
+ runAsNonRoot: false
+
- it: should set environment when extraEnv set in values
template: auth/deployment.yaml
values:
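Review bot: The `extraContainers` case asserts that the fixture's container, including `privileged: true` and `runAsNonRoot: false`, is rendered byte-for-byte, which also documents that the chart applies none of its own `securityContext`/`podSecurityContext` handling to extra containers (the template is outside this hunk, so I am inferring that from the assertion). That is a reasonable contract, but it should be stated next to `extraContainers` in values.yaml, e.g. `# Extra containers are rendered as given; the chart does not apply its securityContext defaults to them, so set one per container.` The proxy deployment test adds the identical case further down and the same note covers it.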
@@ -824,3 +884,45 @@ tests:
- equal:
path: spec.template.metadata.labels.azure\.workload\.identity/use
value: "true"
+
+ - it: sets extraLabels on Deployment
+ template: auth/deployment.yaml
+ values:
+ - ../.lint/annotations.yaml
+ set:
+ extraLabels:
+ deployment:
+ foo: bar
+ baz: override-me
+ auth:
+ extraLabels:
+ deployment:
+ baz: overridden
+ asserts:
+ - equal:
+ path: metadata.labels.foo
+ value: bar
+ - equal:
+ path: metadata.labels.baz
+ value: overridden
+
+ - it: sets extraLabels on Deployment Pods
+ template: auth/deployment.yaml
+ values:
+ - ../.lint/annotations.yaml
+ set:
+ extraLabels:
+ pod:
+ foo: bar
+ baz: override-me
+ auth:
+ extraLabels:
+ pod:
+ baz: overridden
+ asserts:
+ - equal:
+ path: spec.template.metadata.labels.foo
+ value: bar
+ - equal:
+ path: spec.template.metadata.labels.baz
+ value: overridden
diff --git a/examples/chart/teleport-cluster/tests/auth_pdb_test.yaml b/examples/chart/teleport-cluster/tests/auth_pdb_test.yaml
index 0ef9aad75e..a424eeb082 100644
--- a/examples/chart/teleport-cluster/tests/auth_pdb_test.yaml
+++ b/examples/chart/teleport-cluster/tests/auth_pdb_test.yaml
@@ -21,3 +21,23 @@ tests:
- equal:
path: spec.minAvailable
value: 2
+
+ - it: sets extraLabels on PodDisruptionBudget
+ values:
+ - ../.lint/pdb.yaml
+ set:
+ extraLabels:
+ podDisruptionBudget:
+ foo: bar
+ baz: override-me
+ auth:
+ extraLabels:
+ podDisruptionBudget:
+ baz: overridden
+ asserts:
+ - equal:
+ path: metadata.labels.foo
+ value: bar
+ - equal:
+ path: metadata.labels.baz
+ value: overridden
diff --git a/examples/chart/teleport-cluster/tests/auth_pvc_test.yaml b/examples/chart/teleport-cluster/tests/auth_pvc_test.yaml
index 3fbd87c064..2742f22b45 100644
--- a/examples/chart/teleport-cluster/tests/auth_pvc_test.yaml
+++ b/examples/chart/teleport-cluster/tests/auth_pvc_test.yaml
@@ -85,3 +85,22 @@ tests:
asserts:
- hasDocuments:
count: 0
+
+ - it: sets extraLabels on PersistentVolumeClaim
+ set:
+ chartMode: standalone
+ extraLabels:
+ persistentVolumeClaim:
+ foo: bar
+ baz: override-me
+ auth:
+ extraLabels:
+ persistentVolumeClaim:
+ baz: overridden
+ asserts:
+ - equal:
+ path: metadata.labels.foo
+ value: bar
+ - equal:
+ path: metadata.labels.baz
+ value: overridden
diff --git a/examples/chart/teleport-cluster/tests/auth_serviceaccount_test.yaml b/examples/chart/teleport-cluster/tests/auth_serviceaccount_test.yaml
index 532407f5ce..49e279933a 100644
--- a/examples/chart/teleport-cluster/tests/auth_serviceaccount_test.yaml
+++ b/examples/chart/teleport-cluster/tests/auth_serviceaccount_test.yaml
@@ -30,3 +30,23 @@ tests:
- equal:
path: metadata.annotations.azure\.workload\.identity/client-id
value: "1234"
+
+ - it: sets extraLabels on ServiceAccount
+ values:
+ - ../.lint/annotations.yaml
+ set:
+ extraLabels:
+ serviceAccount:
+ foo: bar
+ baz: override-me
+ auth:
+ extraLabels:
+ serviceAccount:
+ baz: overridden
+ asserts:
+ - equal:
+ path: metadata.labels.foo
+ value: bar
+ - equal:
+ path: metadata.labels.baz
+ value: overridden
diff --git a/examples/chart/teleport-cluster/tests/ingress_test.yaml b/examples/chart/teleport-cluster/tests/ingress_test.yaml
index b750167c83..c0f7756bf8 100644
--- a/examples/chart/teleport-cluster/tests/ingress_test.yaml
+++ b/examples/chart/teleport-cluster/tests/ingress_test.yaml
@@ -536,3 +536,23 @@ tests:
value: helm-lint-tls-secret
- matchSnapshot:
path: spec.tls
+
+ - it: sets extraLabels on Ingress
+ values:
+ - ../.lint/ingress.yaml
+ set:
+ extraLabels:
+ ingress:
+ foo: bar
+ baz: override-me
+ proxy:
+ extraLabels:
+ ingress:
+ baz: overridden
+ asserts:
+ - equal:
+ path: metadata.labels.foo
+ value: bar
+ - equal:
+ path: metadata.labels.baz
+ value: overridden
diff --git a/examples/chart/teleport-cluster/tests/predeploy_test.yaml b/examples/chart/teleport-cluster/tests/predeploy_test.yaml
index fb32cfac79..50a1bdb5f6 100644
--- a/examples/chart/teleport-cluster/tests/predeploy_test.yaml
+++ b/examples/chart/teleport-cluster/tests/predeploy_test.yaml
@@ -109,3 +109,82 @@ tests:
value: myRegistryKeySecretName
- matchSnapshot:
path: spec.template.spec.imagePullSecrets
+
+ - it: should set extraLabels on auth predeploy job when set in values
+ template: auth/predeploy_job.yaml
+ set:
+ clusterName: helm-lint
+ extraLabels:
+ job:
+ foo: bar
+ baz: override-me
+ auth:
+ extraLabels:
+ job:
+ baz: overridden
+ asserts:
+ - equal:
+ path: metadata.labels.foo
+ value: bar
+ - equal:
+ path: metadata.labels.baz
+ value: overridden
+
+ - it: should set extraLabels on auth predeploy config when set in values
+ template: auth/predeploy_config.yaml
+ set:
+ clusterName: helm-lint
+ extraLabels:
+ config:
+ foo: bar
+ baz: override-me
+ auth:
+ extraLabels:
+ config:
+ baz: overridden
+ asserts:
+ - equal:
+ path: metadata.labels.foo
+ value: bar
+ - equal:
+ path: metadata.labels.baz
+ value: overridden
+ - it: should set extraLabels on proxy predeploy job when set in values
+ template: proxy/predeploy_job.yaml
+ set:
+ clusterName: helm-lint
+ extraLabels:
+ job:
+ foo: bar
+ baz: override-me
+ proxy:
+ extraLabels:
+ job:
+ baz: overridden
+ asserts:
+ - equal:
+ path: metadata.labels.foo
+ value: bar
+ - equal:
+ path: metadata.labels.baz
+ value: overridden
+
+ - it: should set extraLabels on proxy predeploy config when set in values
+ template: proxy/predeploy_config.yaml
+ set:
+ clusterName: helm-lint
+ extraLabels:
+ config:
+ foo: bar
+ baz: override-me
+ proxy:
+ extraLabels:
+ config:
+ baz: overridden
+ asserts:
+ - equal:
+ path: metadata.labels.foo
+ value: bar
+ - equal:
+ path: metadata.labels.baz
+ value: overridden
diff --git a/examples/chart/teleport-cluster/tests/proxy_certificate_test.yaml b/examples/chart/teleport-cluster/tests/proxy_certificate_test.yaml
index 3d504765d1..0d54f2fc03 100644
--- a/examples/chart/teleport-cluster/tests/proxy_certificate_test.yaml
+++ b/examples/chart/teleport-cluster/tests/proxy_certificate_test.yaml
@@ -192,3 +192,23 @@ tests:
- notEqual:
path: spec.dnsNames[4]
value: "teleport.test.com"
+
+ - it: sets extraLabels on Certificate Secret
+ values:
+ - ../.lint/cert-manager.yaml
+ set:
+ extraLabels:
+ certSecret:
+ foo: bar
+ baz: override-me
+ proxy:
+ extraLabels:
+ certSecret:
+ baz: overridden
+ asserts:
+ - equal:
+ path: spec.secretTemplate.labels.foo
+ value: bar
+ - equal:
+ path: spec.secretTemplate.labels.baz
+ value: overridden
diff --git a/examples/chart/teleport-cluster/tests/proxy_config_test.yaml b/examples/chart/teleport-cluster/tests/proxy_config_test.yaml
index 02bc186730..eda766023c 100644
--- a/examples/chart/teleport-cluster/tests/proxy_config_test.yaml
+++ b/examples/chart/teleport-cluster/tests/proxy_config_test.yaml
@@ -256,3 +256,23 @@ tests:
- notMatchRegex:
path: data.teleport\.yaml
pattern: 'proxy_protocol:'
+
+ - it: sets extraLabels on Configmap
+ values:
+ - ../.lint/annotations.yaml
+ set:
+ extraLabels:
+ config:
+ foo: bar
+ baz: override-me
+ proxy:
+ extraLabels:
+ config:
+ baz: overridden
+ asserts:
+ - equal:
+ path: metadata.labels.foo
+ value: bar
+ - equal:
+ path: metadata.labels.baz
+ value: overridden
diff --git a/examples/chart/teleport-cluster/tests/proxy_deployment_test.yaml b/examples/chart/teleport-cluster/tests/proxy_deployment_test.yaml
index 4c4ddf4a9c..671f678f13 100644
--- a/examples/chart/teleport-cluster/tests/proxy_deployment_test.yaml
+++ b/examples/chart/teleport-cluster/tests/proxy_deployment_test.yaml
@@ -87,6 +87,18 @@ tests:
path: spec.replicas
value: 1
+ - it: should have multiple replicas by default when an ingress is terminating TLS
+ template: proxy/deployment.yaml
+ set:
+ clusterName: helm-lint.example.com
+ proxyListenerMode: multiplex
+ ingress:
+ enabled: true
+ asserts:
+ - equal:
+ path: spec.replicas
+ value: 2
+
- it: should set affinity when set in values
template: proxy/deployment.yaml
set:
@@ -152,6 +164,35 @@ tests:
- matchSnapshot:
path: spec.template.spec
+ - it: should set podSecurityContext when set in values
+ template: proxy/deployment.yaml
+ values:
+ - ../.lint/pod-security-context.yaml
+ asserts:
+ - equal:
+ path: spec.template.spec.securityContext.fsGroup
+ value: 99
+ - equal:
+ path: spec.template.spec.securityContext.fsGroupChangePolicy
+ value: OnRootMismatch
+ - equal:
+ path: spec.template.spec.securityContext.runAsGroup
+ value: 99
+ - equal:
+ path: spec.template.spec.securityContext.runAsNonRoot
+ value: true
+ - equal:
+ path: spec.template.spec.securityContext.runAsUser
+ value: 99
+
+ - it: should not set podSecurityContext when is empty object (default value)
+ template: proxy/deployment.yaml
+ values:
+ - ../.lint/pod-security-context-empty.yaml
+ asserts:
+ - isNull:
+ path: spec.template.spec.securityContext
+
- it: should set securityContext when set in values
template: proxy/deployment.yaml
values:
@@ -332,6 +373,36 @@ tests:
path: spec.template.spec.containers[0].imagePullPolicy
value: Always
+ - it: should have only one container when no `extraContainers` is set in values
+ template: proxy/deployment.yaml
+ set:
+ extraContainers: []
+ clusterName: helm-lint.example.com
+ asserts:
+ - isNotNull:
+ path: spec.template.spec.containers[0]
+ - isNull:
+ path: spec.template.spec.containers[1]
+
+ - it: should add one more container when `extraContainers` is set in values
+ template: proxy/deployment.yaml
+ values:
+ - ../.lint/extra-containers.yaml
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[1]
+ value:
+ name: nscenter
+ command:
+ - /bin/bash
+ - -c
+ - sleep infinity & wait
+ image: praqma/network-multitool
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ privileged: true
+ runAsNonRoot: false
+
- it: should set environment when extraEnv set in values
template: proxy/deployment.yaml
values:
@@ -897,3 +968,45 @@ tests:
mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: proxy-serviceaccount-token
readOnly: true
+
+ - it: sets extraLabels on Deployment
+ template: proxy/deployment.yaml
+ values:
+ - ../.lint/annotations.yaml
+ set:
+ extraLabels:
+ deployment:
+ foo: bar
+ baz: override-me
+ proxy:
+ extraLabels:
+ deployment:
+ baz: overridden
+ asserts:
+ - equal:
+ path: metadata.labels.foo
+ value: bar
+ - equal:
+ path: metadata.labels.baz
+ value: overridden
+
+ - it: sets extraLabels on Deployment Pods
+ template: proxy/deployment.yaml
+ values:
+ - ../.lint/annotations.yaml
+ set:
+ extraLabels:
+ pod:
+ foo: bar
+ baz: override-me
+ proxy:
+ extraLabels:
+ pod:
+ baz: overridden
+ asserts:
+ - equal:
+ path: spec.template.metadata.labels.foo
+ value: bar
+ - equal:
+ path: spec.template.metadata.labels.baz
+ value: overridden
diff --git a/examples/chart/teleport-cluster/tests/proxy_pdb_test.yaml b/examples/chart/teleport-cluster/tests/proxy_pdb_test.yaml
index 851a0a7511..e324504e09 100644
--- a/examples/chart/teleport-cluster/tests/proxy_pdb_test.yaml
+++ b/examples/chart/teleport-cluster/tests/proxy_pdb_test.yaml
@@ -21,3 +21,23 @@ tests:
- equal:
path: spec.minAvailable
value: 2
+
+ - it: sets extraLabels on PodDisruptionBudget
+ values:
+ - ../.lint/pdb.yaml
+ set:
+ extraLabels:
+ podDisruptionBudget:
+ foo: bar
+ baz: override-me
+ proxy:
+ extraLabels:
+ podDisruptionBudget:
+ baz: overridden
+ asserts:
+ - equal:
+ path: metadata.labels.foo
+ value: bar
+ - equal:
+ path: metadata.labels.baz
+ value: overridden
diff --git a/examples/chart/teleport-cluster/tests/proxy_service_test.yaml b/examples/chart/teleport-cluster/tests/proxy_service_test.yaml
index 29ed54755e..2ef67c7c4e 100644
--- a/examples/chart/teleport-cluster/tests/proxy_service_test.yaml
+++ b/examples/chart/teleport-cluster/tests/proxy_service_test.yaml
@@ -379,3 +379,23 @@ tests:
asserts:
- matchSnapshot:
path: spec.ports
+
+ - it: sets extraLabels on Service
+ values:
+ - ../.lint/annotations.yaml
+ set:
+ extraLabels:
+ service:
+ foo: bar
+ baz: override-me
+ proxy:
+ extraLabels:
+ service:
+ baz: overridden
+ asserts:
+ - equal:
+ path: metadata.labels.foo
+ value: bar
+ - equal:
+ path: metadata.labels.baz
+ value: overridden
diff --git a/examples/chart/teleport-cluster/tests/proxy_serviceaccount_test.yaml b/examples/chart/teleport-cluster/tests/proxy_serviceaccount_test.yaml
index 14ec87f31e..70198bd939 100644
--- a/examples/chart/teleport-cluster/tests/proxy_serviceaccount_test.yaml
+++ b/examples/chart/teleport-cluster/tests/proxy_serviceaccount_test.yaml
@@ -20,3 +20,23 @@ tests:
- equal:
path: metadata.name
value: "helm-lint-proxy"
+
+ - it: sets extraLabels on ServiceAccount
+ values:
+ - ../.lint/annotations.yaml
+ set:
+ extraLabels:
+ serviceAccount:
+ foo: bar
+ baz: override-me
+ proxy:
+ extraLabels:
+ serviceAccount:
+ baz: overridden
+ asserts:
+ - equal:
+ path: metadata.labels.foo
+ value: bar
+ - equal:
+ path: metadata.labels.baz
+ value: overridden
diff --git a/examples/chart/teleport-cluster/values.schema.json b/examples/chart/teleport-cluster/values.schema.json
index 8317874974..657ae941d5 100644
--- a/examples/chart/teleport-cluster/values.schema.json
+++ b/examples/chart/teleport-cluster/values.schema.json
@@ -19,6 +19,7 @@
"affinity",
"nodeSelector",
"annotations",
+ "extraContainers",
"extraVolumes",
"extraVolumeMounts",
"imagePullPolicy",
@@ -888,6 +889,11 @@
"type": "array",
"default": []
},
+ "extraContainers": {
+ "$id": "#/properties/extraContainers",
+ "type": "array",
+ "default": []
+ },
"extraVolumes": {
"$id": "#/properties/extraVolumes",
"type": "array",
@@ -937,6 +943,11 @@
"type": "object",
"default": {}
},
+ "podSecurityContext": {
+ "$id": "#/properties/podSecurityContext",
+ "type": "object",
+ "default": {}
+ },
"securityContext": {
"$id": "#/properties/securityContext",
"type": "object",
diff --git a/examples/chart/teleport-cluster/values.yaml b/examples/chart/teleport-cluster/values.yaml
index d52430669e..ca1264eaf8 100644
--- a/examples/chart/teleport-cluster/values.yaml
+++ b/examples/chart/teleport-cluster/values.yaml
@@ -55,9 +55,10 @@ teleportVersionOverride: ""
# proxyProtocol: on
# The `teleport-cluster` charts deploys two sets of pods: auth and proxy.
-# `auth` contains values specific for the auth pods. You can use it to
-# set specific values for auth pods, taking precedence over chart-scoped values.
-# For example, to override the [`postStart`](#postStart) value only for auth pods:
+#
+# `auth` allows you to set chart values only for Kubernetes resources related to the Teleport Auth Service.
+# This is merged with chart-scoped values and takes precedence in case of conflict.
+# For example:
#
# auth:
# postStart: ["curl", "http://hook"]
@@ -79,11 +80,15 @@ auth:
# client_idle_timeout_message: "Connection closed after 2hours without activity"
teleportConfig: {}
-# proxy contains values specific for the proxy pods
-# You can override chart-scoped values, for example
+# `proxy` allows you to set chart values only for Kubernetes resources related to the Teleport Proxy Service.
+# This is merged with chart-scoped values and takes precedence in case of conflict.
+# For example:
# proxy:
# postStart: ["curl", "http://hook"]
# imagePullPolicy: Always
+# annotations:
+# service:
+# external-dns.alpha.kubernetes.io/hostname: "teleport.example.com"
proxy:
# proxy.teleportConfig contains YAML teleport configuration for proxy pods
# The configuration will be merged with the chart-generated configuration
@@ -267,7 +272,10 @@ operator:
podSecurityPolicy:
enabled: true
-# Labels is a map of key-value pairs about this cluster
+# Labels is a map of key-value pairs about this cluster. Those labels are used
+# in Teleport to access the Kuebrnetes cluster. They must not be confused with
+# `extraLabels` which are additional labels to add on Kubernetes resources
+# created by the Helm chart.
labels: {}
# Mode to deploy the chart in. The default is "standalone". Options:
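Review bot: The new `labels` comment has a typo on its second line, "Kuebrnetes", which should read `# in Teleport to access the Kubernetes cluster. They must not be confused with`. Since this comment now exists specifically to disambiguate `labels` from `extraLabels`, it may also help to say that `labels` values end up in the Teleport cluster configuration rather than on any Kubernetes object, if that is how the chart uses them.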
@@ -339,9 +347,34 @@ aws:
# The DynamoDB table name to use for audit log storage. Teleport will attempt to create this table automatically if it does not exist.
# The container will need an appropriately-provisioned IAM role with permissions to create DynamoDB tables.
# This MUST NOT be the same table name as used for 'backendTable' as the schemas are different.
+ #
+ # If you are using the Athena backend, you don't need to set this value.
+ # If you set this value, audit logs will be sent both to the Athena and DynamoDB
+ # backends, this is useful when migrating backends.
+ # If both `aws.athenaURL` and `aws.auditLogTable` (DynamoDB) are set, the
+ # `aws.auditLogPrimaryBackend` value configures which backend is used for querying.
+ # Teleport queries the audit backend to display the audit log in the web UI, export events
+ # using the audit log collector, or perform any action that needs to inspect past audit events.
auditLogTable: ""
# Whether to mirror audit log entries to stdout in JSON format (useful for external log collectors)
auditLogMirrorOnStdout: false
+ # auditLogPrimaryBackend controls which backend is used for queries when multiple
+ # audit backends are enabled. This setting has no effect when a single audit
+ # log backend is enabled.This setting is used when migrating from DynamoDB to
+ # Athena.
+ #
+ # Possible values are `dynamo` and `athena`.
+ auditLogPrimaryBackend: ""
+ # athenaURL contains the Athena audit log backend configuration
+ # When this value is set, Teleport will export events to the Athena audit backend.
+ #
+ # To use the Athena audit backend, you must set up the required infrastructure
+ # (S3 buckets, SQS queue, AthenaDB, IAM roles and permissions, ...).
+ # The requirements are described in the documentation: https://goteleport.com/docs/reference/backends/#athena
+ #
+ # If both `aws.athenaURL` and `aws.auditLogTable` (DynamoDB) are set, the
+ # `aws.auditLogPrimaryBackend` value configures which backend is used for querying.
+ athenaURL: ""
# The S3 bucket name to use for recorded session storage. Teleport will attempt to create this bucket automatically if it does not exist.
# The container will need an appropriately-provisioned IAM role with permissions to create S3 buckets.
sessionRecordingBucket: ""
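Review bot: The `auditLogPrimaryBackend` comment is missing a space after the period on its third line; it should read `# log backend is enabled. This setting is used when migrating from DynamoDB to`. The comment lists `dynamo` and `athena` as the only possible values but the default is `""`, and the note on `auditLogTable` says that when both backends are set this value decides which one is queried; it would help operators to state what happens when both `aws.athenaURL` and `aws.auditLogTable` are set and this stays empty (an error, or a fallback to one backend), since that is the state a migration starts in. The sentence "audit logs will be sent both to the Athena and DynamoDB backends, this is useful when migrating backends" would also read better split into two sentences.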
@@ -349,6 +382,10 @@ aws:
backups: false
# Whether Teleport should configure DynamoDB's autoscaling.
+ #
+ # WARNING: DynamoDB autoscaling is no longer recommended. Teleport now
+ # defaults to "on demand" DynamoDB billing, which has more reliable performance.
+ #
# Requires additional statements in the IAM Teleport Policy to be allowed to configure the autoscaling.
# See https://goteleport.com/docs/setup/reference/backends/#dynamodb-autoscaling
dynamoAutoScaling: false
@@ -437,7 +474,8 @@ azure:
# is not supported with multiple replicas.
# For proxy pods:
# Proxy pods need to be provided a certificate to be replicated (either via
-# `tls.existingSecretName` or via `highAvailability.certManager`).
+# `tls.existingSecretName` or via `highAvailability.certManager`) or be exposed
+# via an ingress (`ingress.enabled`).
# If proxy pods are replicable, they will default to 2 replicas,
# even if `highAvailability.replicaCount` is 1. To force a single proxy replica,
# set `proxy.highAvailability.replicaCount: 1`.
@@ -563,6 +601,44 @@ annotations:
# Annotations for the Ingress object
ingress: {}
+# extraLabels -- contains additional Kubernetes labels to apply on the resources
+# created by the chart.
+# See [the Kubernetes label documentation
+# ](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
+# for more information.
+#
+# Note: for PodMonitor labels, see `podMonitor.additionalLabels` instead.
+extraLabels:
+ # extraLabels.certSecret(object) -- are labels to set on the certificate secret
+ # generated by cert-manager v1.5+ when `highAvailability.certManager.enabled`
+ # is true.
+ certSecret: {}
+ # extraLabels.clusterRole(object) -- are labels to set on the ClusterRole.
+ clusterRole: {}
+ # extraLabels.clusterRoleBinding(object) -- are labels to set on the ClusterRoleBinding.
+ clusterRoleBinding: {}
+ # extraLabels.role(object) -- are labels to set on the Role.
+ config: {}
+ # extraLabels.deployment(object) -- are labels to set on the Deployment.
+ deployment: {}
+ # extraLabels.ingress(object) -- are labels to set on the Ingress.
+ ingress: {}
+ # extraLabels.job(object) -- are labels to set on the Job run by the Helm hook.
+ job: {}
+ # extraLabels.persistentVolumeClaim(object) -- are labels to set on the PersistentVolumeClaim.
+ persistentVolumeClaim: {}
+ # extraLabels.pod(object) -- are labels to set on the Pods created by the
+ # Deployment.
+ pod: {}
+ # extraLabels.podDisruptionBudget(object) -- are labels to set on the podDisruptionBudget.
+ podDisruptionBudget: {}
+ # extraLabels.secret(object) -- are labels to set on the Secret.
+ secret: {}
+ # extraLabels.service(object) -- are labels to set on the Service.
+ service: {}
+ # extraLabels.serviceAccount(object) -- are labels to set on the ServiceAccount.
+ serviceAccount: {}
+
# Kubernetes service account to create/use.
serviceAccount:
# Specifies whether a ServiceAccount should be created
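Review bot: The doc comment above the `config: {}` entry describes a different key — it reads `# extraLabels.role(object) -- are labels to set on the Role.` while the key is `config`, and no `role` key exists in the block. Presumably `config` targets the chart's ConfigMap, so the line should be `# extraLabels.config(object) -- are labels to set on the ConfigMap.`; the rest of the block documents each key in that same form, so the mismatch is easy to spot in a rendered README. The `extraLabels` section on the `extraVolumes` side of this hunk is otherwise consistent with the schema additions in `values.schema.json`.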
@@ -609,6 +685,19 @@ extraArgs: []
# Extra environment to be configured on the Teleport pod
extraEnv: []
+# Extra containers to be added to the Teleport pod
+extraContainers: []
+# - name: nscenter
+# command:
+# - /bin/bash
+# - -c
+# - sleep infinity & wait
+# image: praqma/network-multitool
+# imagePullPolicy: IfNotPresent
+# securityContext:
+# privileged: true
+# runAsNonRoot: false
+
# Extra volumes to mount into the Teleport pods
# https://kubernetes.io/docs/concepts/storage/volumes/
extraVolumes: []
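Review bot: The illustrative `extraContainers` example ends with `privileged: true` and `runAsNonRoot: false`, and examples in `values.yaml` tend to be copied verbatim into production values. Since the sidecar is injected into the same pod as the Teleport container, a privileged, root-running sidecar shares the pod's namespaces and weakens whatever the new `podSecurityContext` value establishes; a short comment above the example such as `# This example runs a privileged root sidecar for network debugging; do not use it as-is in production.` would make the intent clear, or the example could drop the `securityContext` block entirely. The same example is duplicated in the new `.lint/extra-containers.yaml` fixture, which is fine for linting but is where the comment cannot live.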
@@ -638,10 +727,24 @@ postStart:
# Resources to request for the teleport container
# https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+#
+# DANGER: Setting CPU limits is an anti-pattern and harmful in most cases.
+# Unless you enabled [the Static CPU management policy](https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#static-policy),
+# a multithreaded workload with CPU limits will very likely not behave the way
+# you expect when approaching its CPU limit.
+#
+# Teleport will become unstable once throttling starts. We recommend not to set CPU limits.
+# See [the GitHub PR](https://github.com/gravitational/teleport/pull/36251) for technical details.
resources: {}
# requests:
# cpu: "1"
# memory: "2Gi"
+# limits:
+# memory: "2Gi"
+
+# Pod security context for any pods created by the chart
+podSecurityContext: {}
+ # fsGroup: 65532
# Security context to add to the container
securityContext: {}
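Review bot: The new `podSecurityContext` comment does not say how it interacts with the container-level `securityContext` directly below it, which is the question a reader will have when both are offered. Where a field exists at both levels (`runAsUser`, `runAsGroup`, `runAsNonRoot`, `seccompProfile`), the container-level value takes precedence, while pod-only fields such as `fsGroup` apply to volume ownership; a comment like `# Container-level securityContext fields override the pod-level ones where both are set.` would prevent surprises for users who set `runAsNonRoot` here and expect it to apply to every container. The hunk's trailing context may be cut off by the page footer, so if the original had further text after `securityContext: {}` this note applies to the visible part only.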