From 1174b68d0f1150c431360746e40b77b29f5e4572 Mon Sep 17 00:00:00 2001 
From: Jonny Ervine
Date: Wed, 10 Jan 2024 23:32:07 +0800
Subject: [PATCH] Update helm chart for teleport
---
.../.lint/acme-off.yaml | 0 .../.lint/acme-on.yaml | 0 .../.lint/acme-uri-staging.yaml | 0 .../.lint/affinity.yaml | 0 .../.lint/annotations.yaml | 0 .../.lint/auth-connector-name.yaml | 0 .../.lint/auth-disable-local.yaml | 0 .../.lint/auth-locking-mode.yaml | 0 .../.lint/auth-passwordless.yaml | 0 .../.lint/auth-type-legacy.yaml | 0 .../.lint/auth-type.yaml | 0 .../.lint/auth-webauthn-legacy.yaml | 0 .../.lint/auth-webauthn.yaml | 0 .../.lint/aws-dynamodb-autoscaling.yaml | 0 .../.lint/aws-ha-acme.yaml | 0 .../.lint/aws-ha-antiaffinity.yaml | 0 .../.lint/aws-ha-log.yaml | 0 .../.lint/aws-ha.yaml | 0 .../.lint/aws.yaml | 0 .../.lint/azure.yaml | 0 .../.lint/cert-manager.yaml | 0 .../.lint/cert-secret.yaml | 0 .../.lint/example-minimal-standalone.yaml | 0 .../.lint/existing-tls-secret-with-ca.yaml | 0 .../.lint/existing-tls-secret.yaml | 0 .../.lint/extra-containers.yaml | 0 .../.lint/extra-env.yaml | 0 .../.lint/gcp-ha-acme.yaml | 0 .../.lint/gcp-ha-antiaffinity.yaml | 0 .../.lint/gcp-ha-log.yaml | 0 .../.lint/gcp-ha-workload.yaml | 0 .../.lint/gcp-ha.yaml | 0 .../.lint/gcp.yaml | 0 .../.lint/imagepullsecrets.yaml | 0 .../.lint/ingress-publicaddr.yaml | 0 .../.lint/ingress.yaml | 0 .../.lint/initcontainers.yaml | 0 .../.lint/kube-cluster-name.yaml | 0 .../.lint/log-basic.yaml | 0 .../.lint/log-extra.yaml | 0 .../.lint/log-legacy.yaml | 0 .../.lint/node-selector.yaml | 0 .../.lint/operator.yaml | 0 .../.lint/pdb.yaml | 0 .../.lint/persistence-legacy.yaml | 0 .../.lint/podmonitor.yaml | 0 .../.lint/priority-class-name.yaml | 0 .../.lint/probe-timeout-seconds.yaml | 0 .../.lint/proxy-listener-mode-multiplex.yaml | 0 .../.lint/proxy-listener-mode-separate.yaml | 0 .../.lint/public-addresses.yaml | 0 .../.lint/resources.yaml | 0 .../.lint/security-context-empty.yaml | 0 .../.lint/security-context.yaml | 0 .../.lint/separate-mongo-listener.yaml | 0
.../.lint/separate-postgres-listener.yaml | 0 .../.lint/service-account.yaml | 0 .../.lint/service.yaml | 0 .../.lint/session-recording.yaml | 0 .../standalone-custom-storage-class.yaml | 0 .../.lint/standalone-customsize.yaml | 0 .../.lint/standalone-existingpvc.yaml | 0 .../.lint/tolerations.yaml | 0 .../.lint/version-override.yaml | 0 .../.lint/volumes.yaml | 0 .../Chart.yaml | 6 +- .../README.md | 0 .../charts/teleport-operator/Chart.yaml | 4 +- ...sources.teleport.dev_githubconnectors.yaml | 0 .../resources.teleport.dev_loginrules.yaml | 0 ...resources.teleport.dev_oidcconnectors.yaml | 0 ...esources.teleport.dev_oktaimportrules.yaml | 0 ...esources.teleport.dev_provisiontokens.yaml | 26 + .../resources.teleport.dev_roles.yaml | 0 ...resources.teleport.dev_samlconnectors.yaml | 0 .../resources.teleport.dev_users.yaml | 0 .../templates/NOTES.txt | 0 .../templates/_helpers.tpl | 0 .../templates/auth/_config.aws.tpl | 0 .../templates/auth/_config.azure.tpl | 0 .../templates/auth/_config.common.tpl | 0 .../templates/auth/_config.gcp.tpl | 0 .../templates/auth/_config.scratch.tpl | 0 .../templates/auth/_config.standalone.tpl | 0 .../templates/auth/clusterrole.yaml | 0 .../templates/auth/clusterrolebinding.yaml | 0 .../templates/auth/config.yaml | 0 .../templates/auth/deployment.yaml | 0 .../templates/auth/pdb.yaml | 0 .../templates/auth/predeploy_config.yaml | 0 .../templates/auth/predeploy_job.yaml | 0 .../templates/auth/pvc.yaml | 0 .../auth/service-previous-version.yaml | 0 .../templates/auth/service.yaml | 0 .../templates/auth/serviceaccount.yaml | 0 .../templates/podmonitor.yaml | 0 .../templates/proxy/_config.aws.tpl | 0 .../templates/proxy/_config.azure.tpl | 0 .../templates/proxy/_config.common.tpl | 0 .../templates/proxy/_config.gcp.tpl | 0 .../templates/proxy/_config.scratch.tpl | 0 .../templates/proxy/_config.standalone.tpl | 0 .../templates/proxy/certificate.yaml | 0 .../templates/proxy/config.yaml | 0 .../templates/proxy/deployment.yaml | 0 
.../templates/proxy/ingress.yaml | 0 .../templates/proxy/pdb.yaml | 0 .../templates/proxy/predeploy_config.yaml | 0 .../templates/proxy/predeploy_job.yaml | 0 .../templates/proxy/service.yaml | 0 .../templates/proxy/serviceaccount.yaml | 0 .../templates/psp.yaml | 0 .../tests/README.md | 0 .../auth_clusterrole_test.yaml.snap | 0 .../__snapshot__/auth_config_test.yaml.snap | 0 .../auth_deployment_test.yaml.snap | 10 +- .../tests/__snapshot__/ingress_test.yaml.snap | 0 .../__snapshot__/predeploy_test.yaml.snap | 0 .../proxy_certificate_test.yaml.snap | 0 .../__snapshot__/proxy_config_test.yaml.snap | 0 .../proxy_deployment_test.yaml.snap | 18 +- .../__snapshot__/proxy_service_test.yaml.snap | 0 .../tests/__snapshot__/psp_test.yaml.snap | 0 .../tests/auth_clusterrole_test.yaml | 0 .../tests/auth_clusterrolebinding_test.yaml | 0 .../tests/auth_config_test.yaml | 0 .../tests/auth_deployment_test.yaml | 0 .../tests/auth_pdb_test.yaml | 0 .../tests/auth_pvc_test.yaml | 0 .../tests/auth_serviceaccount_test.yaml | 0 .../tests/ingress_test.yaml | 0 .../tests/podmonitor_test.yaml | 0 .../tests/predeploy_test.yaml | 0 .../tests/proxy_certificate_test.yaml | 0 .../tests/proxy_config_test.yaml | 0 .../tests/proxy_deployment_test.yaml | 0 .../tests/proxy_pdb_test.yaml | 0 .../tests/proxy_service_test.yaml | 0 .../tests/proxy_serviceaccount_test.yaml | 0 .../tests/psp_test.yaml | 0 .../values.home.yaml | 0 .../values.schema.json | 0 .../values.yaml | 0 teleport-cluster/Chart.yaml | 6 +- .../charts/teleport-operator/Chart.yaml | 4 +- ...esources.teleport.dev_provisiontokens.yaml | 10 + .../auth_deployment_test.yaml.snap | 10 +- .../proxy_deployment_test.yaml.snap | 18 +- teleport-cluster/values.home.yaml | 654 ----------------- teleport-cluster/values.home.yaml.old | 686 ++++++++++++++++++ teleport-cluster/values.yaml | 15 +- 151 files changed, 770 insertions(+), 697 deletions(-) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/acme-off.yaml (100%) rename 
{teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/acme-on.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/acme-uri-staging.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/affinity.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/annotations.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/auth-connector-name.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/auth-disable-local.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/auth-locking-mode.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/auth-passwordless.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/auth-type-legacy.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/auth-type.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/auth-webauthn-legacy.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/auth-webauthn.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/aws-dynamodb-autoscaling.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/aws-ha-acme.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/aws-ha-antiaffinity.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/aws-ha-log.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/aws-ha.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/aws.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/azure.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/cert-manager.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/cert-secret.yaml (100%) rename {teleport-cluster-14.1.5 => 
teleport-cluster-14.2.0}/.lint/example-minimal-standalone.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/existing-tls-secret-with-ca.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/existing-tls-secret.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/extra-containers.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/extra-env.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/gcp-ha-acme.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/gcp-ha-antiaffinity.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/gcp-ha-log.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/gcp-ha-workload.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/gcp-ha.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/gcp.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/imagepullsecrets.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/ingress-publicaddr.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/ingress.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/initcontainers.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/kube-cluster-name.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/log-basic.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/log-extra.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/log-legacy.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/node-selector.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/operator.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/pdb.yaml (100%) rename 
{teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/persistence-legacy.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/podmonitor.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/priority-class-name.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/probe-timeout-seconds.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/proxy-listener-mode-multiplex.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/proxy-listener-mode-separate.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/public-addresses.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/resources.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/security-context-empty.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/security-context.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/separate-mongo-listener.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/separate-postgres-listener.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/service-account.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/service.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/session-recording.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/standalone-custom-storage-class.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/standalone-customsize.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/standalone-existingpvc.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/tolerations.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/.lint/version-override.yaml (100%) rename {teleport-cluster-14.1.5 => 
teleport-cluster-14.2.0}/.lint/volumes.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/Chart.yaml (84%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/README.md (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/charts/teleport-operator/Chart.yaml (85%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/charts/teleport-operator/templates/resources.teleport.dev_githubconnectors.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/charts/teleport-operator/templates/resources.teleport.dev_loginrules.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/charts/teleport-operator/templates/resources.teleport.dev_oidcconnectors.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/charts/teleport-operator/templates/resources.teleport.dev_oktaimportrules.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/charts/teleport-operator/templates/resources.teleport.dev_provisiontokens.yaml (94%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/charts/teleport-operator/templates/resources.teleport.dev_roles.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/charts/teleport-operator/templates/resources.teleport.dev_samlconnectors.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/charts/teleport-operator/templates/resources.teleport.dev_users.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/templates/NOTES.txt (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/templates/_helpers.tpl (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/templates/auth/_config.aws.tpl (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/templates/auth/_config.azure.tpl (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/templates/auth/_config.common.tpl (100%) rename {teleport-cluster-14.1.5 => 
teleport-cluster-14.2.0}/templates/auth/_config.gcp.tpl (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/templates/auth/_config.scratch.tpl (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/templates/auth/_config.standalone.tpl (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/templates/auth/clusterrole.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/templates/auth/clusterrolebinding.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/templates/auth/config.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/templates/auth/deployment.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/templates/auth/pdb.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/templates/auth/predeploy_config.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/templates/auth/predeploy_job.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/templates/auth/pvc.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/templates/auth/service-previous-version.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/templates/auth/service.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/templates/auth/serviceaccount.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/templates/podmonitor.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/templates/proxy/_config.aws.tpl (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/templates/proxy/_config.azure.tpl (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/templates/proxy/_config.common.tpl (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/templates/proxy/_config.gcp.tpl (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/templates/proxy/_config.scratch.tpl (100%) rename {teleport-cluster-14.1.5 => 
teleport-cluster-14.2.0}/templates/proxy/_config.standalone.tpl (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/templates/proxy/certificate.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/templates/proxy/config.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/templates/proxy/deployment.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/templates/proxy/ingress.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/templates/proxy/pdb.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/templates/proxy/predeploy_config.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/templates/proxy/predeploy_job.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/templates/proxy/service.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/templates/proxy/serviceaccount.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/templates/psp.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/tests/README.md (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/tests/__snapshot__/auth_clusterrole_test.yaml.snap (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/tests/__snapshot__/auth_config_test.yaml.snap (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/tests/__snapshot__/auth_deployment_test.yaml.snap (99%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/tests/__snapshot__/ingress_test.yaml.snap (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/tests/__snapshot__/predeploy_test.yaml.snap (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/tests/__snapshot__/proxy_certificate_test.yaml.snap (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/tests/__snapshot__/proxy_config_test.yaml.snap (100%) rename {teleport-cluster-14.1.5 => 
teleport-cluster-14.2.0}/tests/__snapshot__/proxy_deployment_test.yaml.snap (99%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/tests/__snapshot__/proxy_service_test.yaml.snap (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/tests/__snapshot__/psp_test.yaml.snap (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/tests/auth_clusterrole_test.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/tests/auth_clusterrolebinding_test.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/tests/auth_config_test.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/tests/auth_deployment_test.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/tests/auth_pdb_test.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/tests/auth_pvc_test.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/tests/auth_serviceaccount_test.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/tests/ingress_test.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/tests/podmonitor_test.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/tests/predeploy_test.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/tests/proxy_certificate_test.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/tests/proxy_config_test.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/tests/proxy_deployment_test.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/tests/proxy_pdb_test.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/tests/proxy_service_test.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/tests/proxy_serviceaccount_test.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/tests/psp_test.yaml (100%) rename {teleport-cluster-14.1.5 => 
teleport-cluster-14.2.0}/values.home.yaml (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/values.schema.json (100%) rename {teleport-cluster-14.1.5 => teleport-cluster-14.2.0}/values.yaml (100%) create mode 100644 teleport-cluster/values.home.yaml.old
diff --git a/teleport-cluster-14.1.5/.lint/acme-off.yaml b/teleport-cluster-14.2.0/.lint/acme-off.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/acme-off.yaml
rename to teleport-cluster-14.2.0/.lint/acme-off.yaml
diff --git a/teleport-cluster-14.1.5/.lint/acme-on.yaml b/teleport-cluster-14.2.0/.lint/acme-on.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/acme-on.yaml
rename to teleport-cluster-14.2.0/.lint/acme-on.yaml
diff --git a/teleport-cluster-14.1.5/.lint/acme-uri-staging.yaml b/teleport-cluster-14.2.0/.lint/acme-uri-staging.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/acme-uri-staging.yaml
rename to teleport-cluster-14.2.0/.lint/acme-uri-staging.yaml
diff --git a/teleport-cluster-14.1.5/.lint/affinity.yaml b/teleport-cluster-14.2.0/.lint/affinity.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/affinity.yaml
rename to teleport-cluster-14.2.0/.lint/affinity.yaml
diff --git a/teleport-cluster-14.1.5/.lint/annotations.yaml b/teleport-cluster-14.2.0/.lint/annotations.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/annotations.yaml
rename to teleport-cluster-14.2.0/.lint/annotations.yaml
diff --git a/teleport-cluster-14.1.5/.lint/auth-connector-name.yaml b/teleport-cluster-14.2.0/.lint/auth-connector-name.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/auth-connector-name.yaml
rename to teleport-cluster-14.2.0/.lint/auth-connector-name.yaml
diff --git a/teleport-cluster-14.1.5/.lint/auth-disable-local.yaml b/teleport-cluster-14.2.0/.lint/auth-disable-local.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/auth-disable-local.yaml
rename to teleport-cluster-14.2.0/.lint/auth-disable-local.yaml
diff --git a/teleport-cluster-14.1.5/.lint/auth-locking-mode.yaml b/teleport-cluster-14.2.0/.lint/auth-locking-mode.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/auth-locking-mode.yaml
rename to teleport-cluster-14.2.0/.lint/auth-locking-mode.yaml
diff --git a/teleport-cluster-14.1.5/.lint/auth-passwordless.yaml b/teleport-cluster-14.2.0/.lint/auth-passwordless.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/auth-passwordless.yaml
rename to teleport-cluster-14.2.0/.lint/auth-passwordless.yaml
diff --git a/teleport-cluster-14.1.5/.lint/auth-type-legacy.yaml b/teleport-cluster-14.2.0/.lint/auth-type-legacy.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/auth-type-legacy.yaml
rename to teleport-cluster-14.2.0/.lint/auth-type-legacy.yaml
diff --git a/teleport-cluster-14.1.5/.lint/auth-type.yaml b/teleport-cluster-14.2.0/.lint/auth-type.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/auth-type.yaml
rename to teleport-cluster-14.2.0/.lint/auth-type.yaml
diff --git a/teleport-cluster-14.1.5/.lint/auth-webauthn-legacy.yaml b/teleport-cluster-14.2.0/.lint/auth-webauthn-legacy.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/auth-webauthn-legacy.yaml
rename to teleport-cluster-14.2.0/.lint/auth-webauthn-legacy.yaml
diff --git a/teleport-cluster-14.1.5/.lint/auth-webauthn.yaml b/teleport-cluster-14.2.0/.lint/auth-webauthn.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/auth-webauthn.yaml
rename to teleport-cluster-14.2.0/.lint/auth-webauthn.yaml
diff --git a/teleport-cluster-14.1.5/.lint/aws-dynamodb-autoscaling.yaml b/teleport-cluster-14.2.0/.lint/aws-dynamodb-autoscaling.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/aws-dynamodb-autoscaling.yaml
rename to teleport-cluster-14.2.0/.lint/aws-dynamodb-autoscaling.yaml
diff --git a/teleport-cluster-14.1.5/.lint/aws-ha-acme.yaml b/teleport-cluster-14.2.0/.lint/aws-ha-acme.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/aws-ha-acme.yaml
rename to teleport-cluster-14.2.0/.lint/aws-ha-acme.yaml
diff --git a/teleport-cluster-14.1.5/.lint/aws-ha-antiaffinity.yaml b/teleport-cluster-14.2.0/.lint/aws-ha-antiaffinity.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/aws-ha-antiaffinity.yaml
rename to teleport-cluster-14.2.0/.lint/aws-ha-antiaffinity.yaml
diff --git a/teleport-cluster-14.1.5/.lint/aws-ha-log.yaml b/teleport-cluster-14.2.0/.lint/aws-ha-log.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/aws-ha-log.yaml
rename to teleport-cluster-14.2.0/.lint/aws-ha-log.yaml
diff --git a/teleport-cluster-14.1.5/.lint/aws-ha.yaml b/teleport-cluster-14.2.0/.lint/aws-ha.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/aws-ha.yaml
rename to teleport-cluster-14.2.0/.lint/aws-ha.yaml
diff --git a/teleport-cluster-14.1.5/.lint/aws.yaml b/teleport-cluster-14.2.0/.lint/aws.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/aws.yaml
rename to teleport-cluster-14.2.0/.lint/aws.yaml
diff --git a/teleport-cluster-14.1.5/.lint/azure.yaml b/teleport-cluster-14.2.0/.lint/azure.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/azure.yaml
rename to teleport-cluster-14.2.0/.lint/azure.yaml
diff --git a/teleport-cluster-14.1.5/.lint/cert-manager.yaml b/teleport-cluster-14.2.0/.lint/cert-manager.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/cert-manager.yaml
rename to teleport-cluster-14.2.0/.lint/cert-manager.yaml
diff --git a/teleport-cluster-14.1.5/.lint/cert-secret.yaml b/teleport-cluster-14.2.0/.lint/cert-secret.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/cert-secret.yaml
rename to teleport-cluster-14.2.0/.lint/cert-secret.yaml
diff --git a/teleport-cluster-14.1.5/.lint/example-minimal-standalone.yaml b/teleport-cluster-14.2.0/.lint/example-minimal-standalone.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/example-minimal-standalone.yaml
rename to teleport-cluster-14.2.0/.lint/example-minimal-standalone.yaml
diff --git a/teleport-cluster-14.1.5/.lint/existing-tls-secret-with-ca.yaml b/teleport-cluster-14.2.0/.lint/existing-tls-secret-with-ca.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/existing-tls-secret-with-ca.yaml
rename to teleport-cluster-14.2.0/.lint/existing-tls-secret-with-ca.yaml
diff --git a/teleport-cluster-14.1.5/.lint/existing-tls-secret.yaml b/teleport-cluster-14.2.0/.lint/existing-tls-secret.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/existing-tls-secret.yaml
rename to teleport-cluster-14.2.0/.lint/existing-tls-secret.yaml
diff --git a/teleport-cluster-14.1.5/.lint/extra-containers.yaml b/teleport-cluster-14.2.0/.lint/extra-containers.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/extra-containers.yaml
rename to teleport-cluster-14.2.0/.lint/extra-containers.yaml
diff --git a/teleport-cluster-14.1.5/.lint/extra-env.yaml b/teleport-cluster-14.2.0/.lint/extra-env.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/extra-env.yaml
rename to teleport-cluster-14.2.0/.lint/extra-env.yaml
diff --git a/teleport-cluster-14.1.5/.lint/gcp-ha-acme.yaml b/teleport-cluster-14.2.0/.lint/gcp-ha-acme.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/gcp-ha-acme.yaml
rename to teleport-cluster-14.2.0/.lint/gcp-ha-acme.yaml
diff --git a/teleport-cluster-14.1.5/.lint/gcp-ha-antiaffinity.yaml b/teleport-cluster-14.2.0/.lint/gcp-ha-antiaffinity.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/gcp-ha-antiaffinity.yaml
rename to teleport-cluster-14.2.0/.lint/gcp-ha-antiaffinity.yaml
diff --git a/teleport-cluster-14.1.5/.lint/gcp-ha-log.yaml b/teleport-cluster-14.2.0/.lint/gcp-ha-log.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/gcp-ha-log.yaml
rename to teleport-cluster-14.2.0/.lint/gcp-ha-log.yaml
diff --git a/teleport-cluster-14.1.5/.lint/gcp-ha-workload.yaml b/teleport-cluster-14.2.0/.lint/gcp-ha-workload.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/gcp-ha-workload.yaml
rename to teleport-cluster-14.2.0/.lint/gcp-ha-workload.yaml
diff --git a/teleport-cluster-14.1.5/.lint/gcp-ha.yaml b/teleport-cluster-14.2.0/.lint/gcp-ha.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/gcp-ha.yaml
rename to teleport-cluster-14.2.0/.lint/gcp-ha.yaml
diff --git a/teleport-cluster-14.1.5/.lint/gcp.yaml b/teleport-cluster-14.2.0/.lint/gcp.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/gcp.yaml
rename to teleport-cluster-14.2.0/.lint/gcp.yaml
diff --git a/teleport-cluster-14.1.5/.lint/imagepullsecrets.yaml b/teleport-cluster-14.2.0/.lint/imagepullsecrets.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/imagepullsecrets.yaml
rename to teleport-cluster-14.2.0/.lint/imagepullsecrets.yaml
diff --git a/teleport-cluster-14.1.5/.lint/ingress-publicaddr.yaml b/teleport-cluster-14.2.0/.lint/ingress-publicaddr.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/ingress-publicaddr.yaml
rename to teleport-cluster-14.2.0/.lint/ingress-publicaddr.yaml
diff --git a/teleport-cluster-14.1.5/.lint/ingress.yaml b/teleport-cluster-14.2.0/.lint/ingress.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/ingress.yaml
rename to teleport-cluster-14.2.0/.lint/ingress.yaml
diff --git a/teleport-cluster-14.1.5/.lint/initcontainers.yaml b/teleport-cluster-14.2.0/.lint/initcontainers.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/initcontainers.yaml
rename to teleport-cluster-14.2.0/.lint/initcontainers.yaml
diff --git a/teleport-cluster-14.1.5/.lint/kube-cluster-name.yaml b/teleport-cluster-14.2.0/.lint/kube-cluster-name.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/kube-cluster-name.yaml
rename to teleport-cluster-14.2.0/.lint/kube-cluster-name.yaml
diff --git a/teleport-cluster-14.1.5/.lint/log-basic.yaml b/teleport-cluster-14.2.0/.lint/log-basic.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/log-basic.yaml
rename to teleport-cluster-14.2.0/.lint/log-basic.yaml
diff --git a/teleport-cluster-14.1.5/.lint/log-extra.yaml b/teleport-cluster-14.2.0/.lint/log-extra.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/log-extra.yaml
rename to teleport-cluster-14.2.0/.lint/log-extra.yaml
diff --git a/teleport-cluster-14.1.5/.lint/log-legacy.yaml b/teleport-cluster-14.2.0/.lint/log-legacy.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/log-legacy.yaml
rename to teleport-cluster-14.2.0/.lint/log-legacy.yaml
diff --git a/teleport-cluster-14.1.5/.lint/node-selector.yaml b/teleport-cluster-14.2.0/.lint/node-selector.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/node-selector.yaml
rename to teleport-cluster-14.2.0/.lint/node-selector.yaml
diff --git a/teleport-cluster-14.1.5/.lint/operator.yaml b/teleport-cluster-14.2.0/.lint/operator.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/operator.yaml
rename to teleport-cluster-14.2.0/.lint/operator.yaml
diff --git a/teleport-cluster-14.1.5/.lint/pdb.yaml b/teleport-cluster-14.2.0/.lint/pdb.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/pdb.yaml
rename to teleport-cluster-14.2.0/.lint/pdb.yaml
diff --git a/teleport-cluster-14.1.5/.lint/persistence-legacy.yaml b/teleport-cluster-14.2.0/.lint/persistence-legacy.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/persistence-legacy.yaml
rename to teleport-cluster-14.2.0/.lint/persistence-legacy.yaml
diff --git a/teleport-cluster-14.1.5/.lint/podmonitor.yaml b/teleport-cluster-14.2.0/.lint/podmonitor.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/podmonitor.yaml
rename to teleport-cluster-14.2.0/.lint/podmonitor.yaml
diff --git a/teleport-cluster-14.1.5/.lint/priority-class-name.yaml b/teleport-cluster-14.2.0/.lint/priority-class-name.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/priority-class-name.yaml
rename to teleport-cluster-14.2.0/.lint/priority-class-name.yaml
diff --git a/teleport-cluster-14.1.5/.lint/probe-timeout-seconds.yaml b/teleport-cluster-14.2.0/.lint/probe-timeout-seconds.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/probe-timeout-seconds.yaml
rename to teleport-cluster-14.2.0/.lint/probe-timeout-seconds.yaml
diff --git a/teleport-cluster-14.1.5/.lint/proxy-listener-mode-multiplex.yaml b/teleport-cluster-14.2.0/.lint/proxy-listener-mode-multiplex.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/proxy-listener-mode-multiplex.yaml
rename to teleport-cluster-14.2.0/.lint/proxy-listener-mode-multiplex.yaml
diff --git a/teleport-cluster-14.1.5/.lint/proxy-listener-mode-separate.yaml b/teleport-cluster-14.2.0/.lint/proxy-listener-mode-separate.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/proxy-listener-mode-separate.yaml
rename to teleport-cluster-14.2.0/.lint/proxy-listener-mode-separate.yaml
diff --git a/teleport-cluster-14.1.5/.lint/public-addresses.yaml b/teleport-cluster-14.2.0/.lint/public-addresses.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/public-addresses.yaml
rename to teleport-cluster-14.2.0/.lint/public-addresses.yaml
diff --git a/teleport-cluster-14.1.5/.lint/resources.yaml b/teleport-cluster-14.2.0/.lint/resources.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/resources.yaml
rename to teleport-cluster-14.2.0/.lint/resources.yaml
diff --git a/teleport-cluster-14.1.5/.lint/security-context-empty.yaml b/teleport-cluster-14.2.0/.lint/security-context-empty.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/security-context-empty.yaml
rename to teleport-cluster-14.2.0/.lint/security-context-empty.yaml
diff --git a/teleport-cluster-14.1.5/.lint/security-context.yaml b/teleport-cluster-14.2.0/.lint/security-context.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/security-context.yaml
rename to teleport-cluster-14.2.0/.lint/security-context.yaml
diff --git a/teleport-cluster-14.1.5/.lint/separate-mongo-listener.yaml b/teleport-cluster-14.2.0/.lint/separate-mongo-listener.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/separate-mongo-listener.yaml
rename to teleport-cluster-14.2.0/.lint/separate-mongo-listener.yaml
diff --git a/teleport-cluster-14.1.5/.lint/separate-postgres-listener.yaml b/teleport-cluster-14.2.0/.lint/separate-postgres-listener.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/separate-postgres-listener.yaml
rename to teleport-cluster-14.2.0/.lint/separate-postgres-listener.yaml
diff --git a/teleport-cluster-14.1.5/.lint/service-account.yaml b/teleport-cluster-14.2.0/.lint/service-account.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/service-account.yaml
rename to teleport-cluster-14.2.0/.lint/service-account.yaml
diff --git a/teleport-cluster-14.1.5/.lint/service.yaml b/teleport-cluster-14.2.0/.lint/service.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/service.yaml
rename to teleport-cluster-14.2.0/.lint/service.yaml
diff --git a/teleport-cluster-14.1.5/.lint/session-recording.yaml b/teleport-cluster-14.2.0/.lint/session-recording.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/session-recording.yaml
rename to teleport-cluster-14.2.0/.lint/session-recording.yaml
diff --git a/teleport-cluster-14.1.5/.lint/standalone-custom-storage-class.yaml b/teleport-cluster-14.2.0/.lint/standalone-custom-storage-class.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/standalone-custom-storage-class.yaml
rename to teleport-cluster-14.2.0/.lint/standalone-custom-storage-class.yaml
diff --git a/teleport-cluster-14.1.5/.lint/standalone-customsize.yaml b/teleport-cluster-14.2.0/.lint/standalone-customsize.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/standalone-customsize.yaml
rename to teleport-cluster-14.2.0/.lint/standalone-customsize.yaml
diff --git a/teleport-cluster-14.1.5/.lint/standalone-existingpvc.yaml b/teleport-cluster-14.2.0/.lint/standalone-existingpvc.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/standalone-existingpvc.yaml
rename to teleport-cluster-14.2.0/.lint/standalone-existingpvc.yaml
diff --git a/teleport-cluster-14.1.5/.lint/tolerations.yaml b/teleport-cluster-14.2.0/.lint/tolerations.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/tolerations.yaml
rename to teleport-cluster-14.2.0/.lint/tolerations.yaml
diff --git a/teleport-cluster-14.1.5/.lint/version-override.yaml b/teleport-cluster-14.2.0/.lint/version-override.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/version-override.yaml
rename to teleport-cluster-14.2.0/.lint/version-override.yaml
diff --git a/teleport-cluster-14.1.5/.lint/volumes.yaml b/teleport-cluster-14.2.0/.lint/volumes.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/.lint/volumes.yaml
rename to teleport-cluster-14.2.0/.lint/volumes.yaml
diff --git a/teleport-cluster-14.1.5/Chart.yaml b/teleport-cluster-14.2.0/Chart.yaml similarity index 84% rename from teleport-cluster-14.1.5/Chart.yaml rename to teleport-cluster-14.2.0/Chart.yaml index 84293b5..d8ce69d 100644 --- a/teleport-cluster-14.1.5/Chart.yaml +++ b/teleport-cluster-14.2.0/Chart.yaml @@ -1,13 +1,13 @@ apiVersion: v2 -appVersion: 14.1.5 +appVersion: 14.2.0 dependencies: - condition: installCRDs,operator.enabled name: teleport-operator repository: "" - version: 14.1.5 + version: 14.2.0 description: Teleport is an access platform for your infrastructure icon: https://goteleport.com/images/logos/logo-teleport-square.svg keywords: - Teleport name: teleport-cluster -version: 14.1.5 +version: 14.2.0 diff --git a/teleport-cluster-14.1.5/README.md b/teleport-cluster-14.2.0/README.md similarity index 100% rename from teleport-cluster-14.1.5/README.md rename to teleport-cluster-14.2.0/README.md diff --git a/teleport-cluster-14.1.5/charts/teleport-operator/Chart.yaml b/teleport-cluster-14.2.0/charts/teleport-operator/Chart.yaml similarity index 85% rename from teleport-cluster-14.1.5/charts/teleport-operator/Chart.yaml rename to teleport-cluster-14.2.0/charts/teleport-operator/Chart.yaml index 31ae5ca..2d264d9 100644 --- a/teleport-cluster-14.1.5/charts/teleport-operator/Chart.yaml +++ b/teleport-cluster-14.2.0/charts/teleport-operator/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: 14.1.5 +appVersion: 14.2.0 description: Teleport Operator provides management of select Teleport resources. icon: https://goteleport.com/images/logos/logo-teleport-square.svg keywords: - Teleport name: teleport-operator -version: 14.1.5 +version: 14.2.0 
diff --git a/teleport-cluster-14.1.5/charts/teleport-operator/templates/resources.teleport.dev_githubconnectors.yaml b/teleport-cluster-14.2.0/charts/teleport-operator/templates/resources.teleport.dev_githubconnectors.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/charts/teleport-operator/templates/resources.teleport.dev_githubconnectors.yaml
rename to teleport-cluster-14.2.0/charts/teleport-operator/templates/resources.teleport.dev_githubconnectors.yaml
diff --git a/teleport-cluster-14.1.5/charts/teleport-operator/templates/resources.teleport.dev_loginrules.yaml b/teleport-cluster-14.2.0/charts/teleport-operator/templates/resources.teleport.dev_loginrules.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/charts/teleport-operator/templates/resources.teleport.dev_loginrules.yaml
rename to teleport-cluster-14.2.0/charts/teleport-operator/templates/resources.teleport.dev_loginrules.yaml
diff --git a/teleport-cluster-14.1.5/charts/teleport-operator/templates/resources.teleport.dev_oidcconnectors.yaml b/teleport-cluster-14.2.0/charts/teleport-operator/templates/resources.teleport.dev_oidcconnectors.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/charts/teleport-operator/templates/resources.teleport.dev_oidcconnectors.yaml
rename to teleport-cluster-14.2.0/charts/teleport-operator/templates/resources.teleport.dev_oidcconnectors.yaml
diff --git a/teleport-cluster-14.1.5/charts/teleport-operator/templates/resources.teleport.dev_oktaimportrules.yaml b/teleport-cluster-14.2.0/charts/teleport-operator/templates/resources.teleport.dev_oktaimportrules.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/charts/teleport-operator/templates/resources.teleport.dev_oktaimportrules.yaml
rename to teleport-cluster-14.2.0/charts/teleport-operator/templates/resources.teleport.dev_oktaimportrules.yaml
diff --git a/teleport-cluster-14.1.5/charts/teleport-operator/templates/resources.teleport.dev_provisiontokens.yaml b/teleport-cluster-14.2.0/charts/teleport-operator/templates/resources.teleport.dev_provisiontokens.yaml similarity index 94% rename from teleport-cluster-14.1.5/charts/teleport-operator/templates/resources.teleport.dev_provisiontokens.yaml rename to teleport-cluster-14.2.0/charts/teleport-operator/templates/resources.teleport.dev_provisiontokens.yaml index 6727759..af6aa9c 100644 --- a/teleport-cluster-14.1.5/charts/teleport-operator/templates/resources.teleport.dev_provisiontokens.yaml +++ b/teleport-cluster-14.2.0/charts/teleport-operator/templates/resources.teleport.dev_provisiontokens.yaml @@ -275,6 +275,32 @@ spec: type: string nullable: true type: array + spacelift: + description: Spacelift allows the configuration of options specific + to the "spacelift" join method. + nullable: true + properties: + allow: + description: Allow is a list of Rules, nodes using this token + must match one allow rule to use this token. + items: + properties: + caller_id: + type: string + caller_type: + type: string + scope: + type: string + space_id: + type: string + type: object + nullable: true + type: array + hostname: + description: Hostname is the hostname of the Spacelift tenant + that tokens will originate from. E.g `example.app.spacelift.io` + type: string + type: object suggested_agent_matcher_labels: additionalProperties: x-kubernetes-preserve-unknown-fields: true diff --git a/teleport-cluster-14.1.5/charts/teleport-operator/templates/resources.teleport.dev_roles.yaml b/teleport-cluster-14.2.0/charts/teleport-operator/templates/resources.teleport.dev_roles.yaml similarity index 100% rename from teleport-cluster-14.1.5/charts/teleport-operator/templates/resources.teleport.dev_roles.yaml rename to teleport-cluster-14.2.0/charts/teleport-operator/templates/resources.teleport.dev_roles.yaml 
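Review bot: The new `spacelift.allow` rule schema declares `caller_id`, `caller_type`, `scope` and `space_id` as bare `type: string` with no `minLength`, and `allow` itself is `nullable: true`, so a ProvisionToken whose `spacelift` block carries an empty rule (`- {}`) passes CRD validation; whether the auth server rejects such a token when the operator applies it is not visible here and should be confirmed before relying on this join method. This template appears to be a copy of the upstream operator CRD, so the practical fix is not a local edit but a `description` on `allow` (e.g. "at least one field must be set; an all-empty rule is rejected server-side") carried upstream, plus an operator test that applies a token with an empty rule. The same `hostname` field has no `format`/`pattern`, so a value with a scheme or path is also accepted by the schema. The enclosing `properties:` block of the token spec starts and ends outside the hunk.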
diff --git a/teleport-cluster-14.1.5/charts/teleport-operator/templates/resources.teleport.dev_samlconnectors.yaml b/teleport-cluster-14.2.0/charts/teleport-operator/templates/resources.teleport.dev_samlconnectors.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/charts/teleport-operator/templates/resources.teleport.dev_samlconnectors.yaml
rename to teleport-cluster-14.2.0/charts/teleport-operator/templates/resources.teleport.dev_samlconnectors.yaml
diff --git a/teleport-cluster-14.1.5/charts/teleport-operator/templates/resources.teleport.dev_users.yaml b/teleport-cluster-14.2.0/charts/teleport-operator/templates/resources.teleport.dev_users.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/charts/teleport-operator/templates/resources.teleport.dev_users.yaml
rename to teleport-cluster-14.2.0/charts/teleport-operator/templates/resources.teleport.dev_users.yaml
diff --git a/teleport-cluster-14.1.5/templates/NOTES.txt b/teleport-cluster-14.2.0/templates/NOTES.txt
similarity index 100%
rename from teleport-cluster-14.1.5/templates/NOTES.txt
rename to teleport-cluster-14.2.0/templates/NOTES.txt
diff --git a/teleport-cluster-14.1.5/templates/_helpers.tpl b/teleport-cluster-14.2.0/templates/_helpers.tpl
similarity index 100%
rename from teleport-cluster-14.1.5/templates/_helpers.tpl
rename to teleport-cluster-14.2.0/templates/_helpers.tpl
diff --git a/teleport-cluster-14.1.5/templates/auth/_config.aws.tpl b/teleport-cluster-14.2.0/templates/auth/_config.aws.tpl
similarity index 100%
rename from teleport-cluster-14.1.5/templates/auth/_config.aws.tpl
rename to teleport-cluster-14.2.0/templates/auth/_config.aws.tpl
diff --git a/teleport-cluster-14.1.5/templates/auth/_config.azure.tpl b/teleport-cluster-14.2.0/templates/auth/_config.azure.tpl
similarity index 100%
rename from teleport-cluster-14.1.5/templates/auth/_config.azure.tpl
rename to teleport-cluster-14.2.0/templates/auth/_config.azure.tpl
diff --git a/teleport-cluster-14.1.5/templates/auth/_config.common.tpl b/teleport-cluster-14.2.0/templates/auth/_config.common.tpl
similarity index 100%
rename from teleport-cluster-14.1.5/templates/auth/_config.common.tpl
rename to teleport-cluster-14.2.0/templates/auth/_config.common.tpl
diff --git a/teleport-cluster-14.1.5/templates/auth/_config.gcp.tpl b/teleport-cluster-14.2.0/templates/auth/_config.gcp.tpl
similarity index 100%
rename from teleport-cluster-14.1.5/templates/auth/_config.gcp.tpl
rename to teleport-cluster-14.2.0/templates/auth/_config.gcp.tpl
diff --git a/teleport-cluster-14.1.5/templates/auth/_config.scratch.tpl b/teleport-cluster-14.2.0/templates/auth/_config.scratch.tpl
similarity index 100%
rename from teleport-cluster-14.1.5/templates/auth/_config.scratch.tpl
rename to teleport-cluster-14.2.0/templates/auth/_config.scratch.tpl
diff --git a/teleport-cluster-14.1.5/templates/auth/_config.standalone.tpl b/teleport-cluster-14.2.0/templates/auth/_config.standalone.tpl
similarity index 100%
rename from teleport-cluster-14.1.5/templates/auth/_config.standalone.tpl
rename to teleport-cluster-14.2.0/templates/auth/_config.standalone.tpl
diff --git a/teleport-cluster-14.1.5/templates/auth/clusterrole.yaml b/teleport-cluster-14.2.0/templates/auth/clusterrole.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/templates/auth/clusterrole.yaml
rename to teleport-cluster-14.2.0/templates/auth/clusterrole.yaml
diff --git a/teleport-cluster-14.1.5/templates/auth/clusterrolebinding.yaml b/teleport-cluster-14.2.0/templates/auth/clusterrolebinding.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/templates/auth/clusterrolebinding.yaml
rename to teleport-cluster-14.2.0/templates/auth/clusterrolebinding.yaml
diff --git a/teleport-cluster-14.1.5/templates/auth/config.yaml b/teleport-cluster-14.2.0/templates/auth/config.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/templates/auth/config.yaml
rename to teleport-cluster-14.2.0/templates/auth/config.yaml
diff --git a/teleport-cluster-14.1.5/templates/auth/deployment.yaml b/teleport-cluster-14.2.0/templates/auth/deployment.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/templates/auth/deployment.yaml
rename to teleport-cluster-14.2.0/templates/auth/deployment.yaml
diff --git a/teleport-cluster-14.1.5/templates/auth/pdb.yaml b/teleport-cluster-14.2.0/templates/auth/pdb.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/templates/auth/pdb.yaml
rename to teleport-cluster-14.2.0/templates/auth/pdb.yaml
diff --git a/teleport-cluster-14.1.5/templates/auth/predeploy_config.yaml b/teleport-cluster-14.2.0/templates/auth/predeploy_config.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/templates/auth/predeploy_config.yaml
rename to teleport-cluster-14.2.0/templates/auth/predeploy_config.yaml
diff --git a/teleport-cluster-14.1.5/templates/auth/predeploy_job.yaml b/teleport-cluster-14.2.0/templates/auth/predeploy_job.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/templates/auth/predeploy_job.yaml
rename to teleport-cluster-14.2.0/templates/auth/predeploy_job.yaml
diff --git a/teleport-cluster-14.1.5/templates/auth/pvc.yaml b/teleport-cluster-14.2.0/templates/auth/pvc.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/templates/auth/pvc.yaml
rename to teleport-cluster-14.2.0/templates/auth/pvc.yaml
diff --git a/teleport-cluster-14.1.5/templates/auth/service-previous-version.yaml b/teleport-cluster-14.2.0/templates/auth/service-previous-version.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/templates/auth/service-previous-version.yaml
rename to teleport-cluster-14.2.0/templates/auth/service-previous-version.yaml
diff --git a/teleport-cluster-14.1.5/templates/auth/service.yaml b/teleport-cluster-14.2.0/templates/auth/service.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/templates/auth/service.yaml
rename to teleport-cluster-14.2.0/templates/auth/service.yaml
diff --git a/teleport-cluster-14.1.5/templates/auth/serviceaccount.yaml b/teleport-cluster-14.2.0/templates/auth/serviceaccount.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/templates/auth/serviceaccount.yaml
rename to teleport-cluster-14.2.0/templates/auth/serviceaccount.yaml
diff --git a/teleport-cluster-14.1.5/templates/podmonitor.yaml b/teleport-cluster-14.2.0/templates/podmonitor.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/templates/podmonitor.yaml
rename to teleport-cluster-14.2.0/templates/podmonitor.yaml
diff --git a/teleport-cluster-14.1.5/templates/proxy/_config.aws.tpl b/teleport-cluster-14.2.0/templates/proxy/_config.aws.tpl
similarity index 100%
rename from teleport-cluster-14.1.5/templates/proxy/_config.aws.tpl
rename to teleport-cluster-14.2.0/templates/proxy/_config.aws.tpl
diff --git a/teleport-cluster-14.1.5/templates/proxy/_config.azure.tpl b/teleport-cluster-14.2.0/templates/proxy/_config.azure.tpl
similarity index 100%
rename from teleport-cluster-14.1.5/templates/proxy/_config.azure.tpl
rename to teleport-cluster-14.2.0/templates/proxy/_config.azure.tpl
diff --git a/teleport-cluster-14.1.5/templates/proxy/_config.common.tpl b/teleport-cluster-14.2.0/templates/proxy/_config.common.tpl
similarity index 100%
rename from teleport-cluster-14.1.5/templates/proxy/_config.common.tpl
rename to teleport-cluster-14.2.0/templates/proxy/_config.common.tpl
diff --git a/teleport-cluster-14.1.5/templates/proxy/_config.gcp.tpl b/teleport-cluster-14.2.0/templates/proxy/_config.gcp.tpl
similarity index 100%
rename from teleport-cluster-14.1.5/templates/proxy/_config.gcp.tpl
rename to teleport-cluster-14.2.0/templates/proxy/_config.gcp.tpl
diff --git a/teleport-cluster-14.1.5/templates/proxy/_config.scratch.tpl b/teleport-cluster-14.2.0/templates/proxy/_config.scratch.tpl
similarity index 100%
rename from teleport-cluster-14.1.5/templates/proxy/_config.scratch.tpl
rename to teleport-cluster-14.2.0/templates/proxy/_config.scratch.tpl
diff --git a/teleport-cluster-14.1.5/templates/proxy/_config.standalone.tpl b/teleport-cluster-14.2.0/templates/proxy/_config.standalone.tpl
similarity index 100%
rename from teleport-cluster-14.1.5/templates/proxy/_config.standalone.tpl
rename to teleport-cluster-14.2.0/templates/proxy/_config.standalone.tpl
diff --git a/teleport-cluster-14.1.5/templates/proxy/certificate.yaml b/teleport-cluster-14.2.0/templates/proxy/certificate.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/templates/proxy/certificate.yaml
rename to teleport-cluster-14.2.0/templates/proxy/certificate.yaml
diff --git a/teleport-cluster-14.1.5/templates/proxy/config.yaml b/teleport-cluster-14.2.0/templates/proxy/config.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/templates/proxy/config.yaml
rename to teleport-cluster-14.2.0/templates/proxy/config.yaml
diff --git a/teleport-cluster-14.1.5/templates/proxy/deployment.yaml b/teleport-cluster-14.2.0/templates/proxy/deployment.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/templates/proxy/deployment.yaml
rename to teleport-cluster-14.2.0/templates/proxy/deployment.yaml
diff --git a/teleport-cluster-14.1.5/templates/proxy/ingress.yaml b/teleport-cluster-14.2.0/templates/proxy/ingress.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/templates/proxy/ingress.yaml
rename to teleport-cluster-14.2.0/templates/proxy/ingress.yaml
diff --git a/teleport-cluster-14.1.5/templates/proxy/pdb.yaml b/teleport-cluster-14.2.0/templates/proxy/pdb.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/templates/proxy/pdb.yaml
rename to teleport-cluster-14.2.0/templates/proxy/pdb.yaml
diff --git a/teleport-cluster-14.1.5/templates/proxy/predeploy_config.yaml b/teleport-cluster-14.2.0/templates/proxy/predeploy_config.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/templates/proxy/predeploy_config.yaml
rename to teleport-cluster-14.2.0/templates/proxy/predeploy_config.yaml
diff --git a/teleport-cluster-14.1.5/templates/proxy/predeploy_job.yaml b/teleport-cluster-14.2.0/templates/proxy/predeploy_job.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/templates/proxy/predeploy_job.yaml
rename to teleport-cluster-14.2.0/templates/proxy/predeploy_job.yaml
diff --git a/teleport-cluster-14.1.5/templates/proxy/service.yaml b/teleport-cluster-14.2.0/templates/proxy/service.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/templates/proxy/service.yaml
rename to teleport-cluster-14.2.0/templates/proxy/service.yaml
diff --git a/teleport-cluster-14.1.5/templates/proxy/serviceaccount.yaml b/teleport-cluster-14.2.0/templates/proxy/serviceaccount.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/templates/proxy/serviceaccount.yaml
rename to teleport-cluster-14.2.0/templates/proxy/serviceaccount.yaml
diff --git a/teleport-cluster-14.1.5/templates/psp.yaml b/teleport-cluster-14.2.0/templates/psp.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/templates/psp.yaml
rename to teleport-cluster-14.2.0/templates/psp.yaml
diff --git a/teleport-cluster-14.1.5/tests/README.md b/teleport-cluster-14.2.0/tests/README.md
similarity index 100%
rename from teleport-cluster-14.1.5/tests/README.md
rename to teleport-cluster-14.2.0/tests/README.md
diff --git a/teleport-cluster-14.1.5/tests/__snapshot__/auth_clusterrole_test.yaml.snap b/teleport-cluster-14.2.0/tests/__snapshot__/auth_clusterrole_test.yaml.snap
similarity index 100%
rename from teleport-cluster-14.1.5/tests/__snapshot__/auth_clusterrole_test.yaml.snap
rename to teleport-cluster-14.2.0/tests/__snapshot__/auth_clusterrole_test.yaml.snap
diff --git a/teleport-cluster-14.1.5/tests/__snapshot__/auth_config_test.yaml.snap b/teleport-cluster-14.2.0/tests/__snapshot__/auth_config_test.yaml.snap similarity index 100% rename from teleport-cluster-14.1.5/tests/__snapshot__/auth_config_test.yaml.snap rename to teleport-cluster-14.2.0/tests/__snapshot__/auth_config_test.yaml.snap diff --git a/teleport-cluster-14.1.5/tests/__snapshot__/auth_deployment_test.yaml.snap b/teleport-cluster-14.2.0/tests/__snapshot__/auth_deployment_test.yaml.snap similarity index 99% rename from teleport-cluster-14.1.5/tests/__snapshot__/auth_deployment_test.yaml.snap rename to teleport-cluster-14.2.0/tests/__snapshot__/auth_deployment_test.yaml.snap index 4f85c86..14d5a57 100644 --- a/teleport-cluster-14.1.5/tests/__snapshot__/auth_deployment_test.yaml.snap +++ b/teleport-cluster-14.2.0/tests/__snapshot__/auth_deployment_test.yaml.snap @@ -1,6 +1,6 @@ should add an operator side-car when operator is enabled: 1: | - image: public.ecr.aws/gravitational/teleport-operator:14.1.5 + image: public.ecr.aws/gravitational/teleport-operator:14.2.0 imagePullPolicy: IfNotPresent livenessProbe: httpGet: @@ -41,7 +41,7 @@ should add an operator side-car when operator is enabled: - args: - --diag-addr=0.0.0.0:3000 - --apply-on-startup=/etc/teleport/apply-on-startup.yaml - image: public.ecr.aws/gravitational/teleport-distroless:14.1.5 + image: public.ecr.aws/gravitational/teleport-distroless:14.2.0 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -174,7 +174,7 @@ should set nodeSelector when set in values: - args: - --diag-addr=0.0.0.0:3000 - --apply-on-startup=/etc/teleport/apply-on-startup.yaml - image: public.ecr.aws/gravitational/teleport-distroless:14.1.5 + image: public.ecr.aws/gravitational/teleport-distroless:14.2.0 imagePullPolicy: IfNotPresent lifecycle: preStop: 
@@ -271,7 +271,7 @@ should set resources when set in values: - args: - --diag-addr=0.0.0.0:3000 - --apply-on-startup=/etc/teleport/apply-on-startup.yaml - image: public.ecr.aws/gravitational/teleport-distroless:14.1.5 + image: public.ecr.aws/gravitational/teleport-distroless:14.2.0 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -357,7 +357,7 @@ should set securityContext when set in values: - args: - --diag-addr=0.0.0.0:3000 - --apply-on-startup=/etc/teleport/apply-on-startup.yaml - image: public.ecr.aws/gravitational/teleport-distroless:14.1.5 + image: public.ecr.aws/gravitational/teleport-distroless:14.2.0 imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/teleport-cluster-14.1.5/tests/__snapshot__/ingress_test.yaml.snap b/teleport-cluster-14.2.0/tests/__snapshot__/ingress_test.yaml.snap similarity index 100% rename from teleport-cluster-14.1.5/tests/__snapshot__/ingress_test.yaml.snap rename to teleport-cluster-14.2.0/tests/__snapshot__/ingress_test.yaml.snap diff --git a/teleport-cluster-14.1.5/tests/__snapshot__/predeploy_test.yaml.snap b/teleport-cluster-14.2.0/tests/__snapshot__/predeploy_test.yaml.snap similarity index 100% rename from teleport-cluster-14.1.5/tests/__snapshot__/predeploy_test.yaml.snap rename to teleport-cluster-14.2.0/tests/__snapshot__/predeploy_test.yaml.snap diff --git a/teleport-cluster-14.1.5/tests/__snapshot__/proxy_certificate_test.yaml.snap b/teleport-cluster-14.2.0/tests/__snapshot__/proxy_certificate_test.yaml.snap similarity index 100% rename from teleport-cluster-14.1.5/tests/__snapshot__/proxy_certificate_test.yaml.snap rename to teleport-cluster-14.2.0/tests/__snapshot__/proxy_certificate_test.yaml.snap 
diff --git a/teleport-cluster-14.1.5/tests/__snapshot__/proxy_config_test.yaml.snap b/teleport-cluster-14.2.0/tests/__snapshot__/proxy_config_test.yaml.snap similarity index 100% rename from teleport-cluster-14.1.5/tests/__snapshot__/proxy_config_test.yaml.snap rename to teleport-cluster-14.2.0/tests/__snapshot__/proxy_config_test.yaml.snap diff --git a/teleport-cluster-14.1.5/tests/__snapshot__/proxy_deployment_test.yaml.snap b/teleport-cluster-14.2.0/tests/__snapshot__/proxy_deployment_test.yaml.snap similarity index 99% rename from teleport-cluster-14.1.5/tests/__snapshot__/proxy_deployment_test.yaml.snap rename to teleport-cluster-14.2.0/tests/__snapshot__/proxy_deployment_test.yaml.snap index 8a7d6d4..e8362a0 100644 --- a/teleport-cluster-14.1.5/tests/__snapshot__/proxy_deployment_test.yaml.snap +++ b/teleport-cluster-14.2.0/tests/__snapshot__/proxy_deployment_test.yaml.snap @@ -5,7 +5,7 @@ should provision initContainer correctly when set in values: - wait - no-resolve - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local - image: public.ecr.aws/gravitational/teleport-distroless:14.1.5 + image: public.ecr.aws/gravitational/teleport-distroless:14.2.0 name: wait-auth-update - args: - echo test @@ -62,7 +62,7 @@ should set nodeSelector when set in values: containers: - args: - --diag-addr=0.0.0.0:3000 - image: public.ecr.aws/gravitational/teleport-distroless:14.1.5 + image: public.ecr.aws/gravitational/teleport-distroless:14.2.0 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -123,7 +123,7 @@ should set nodeSelector when set in values: - wait - no-resolve - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local - image: public.ecr.aws/gravitational/teleport-distroless:14.1.5 + image: public.ecr.aws/gravitational/teleport-distroless:14.2.0 name: wait-auth-update nodeSelector: environment: security 
@@ -174,7 +174,7 @@ should set resources when set in values: containers: - args: - --diag-addr=0.0.0.0:3000 - image: public.ecr.aws/gravitational/teleport-distroless:14.1.5 + image: public.ecr.aws/gravitational/teleport-distroless:14.2.0 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -242,7 +242,7 @@ should set resources when set in values: - wait - no-resolve - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local - image: public.ecr.aws/gravitational/teleport-distroless:14.1.5 + image: public.ecr.aws/gravitational/teleport-distroless:14.2.0 name: wait-auth-update serviceAccountName: RELEASE-NAME-proxy terminationGracePeriodSeconds: 60 @@ -275,7 +275,7 @@ should set securityContext for initContainers when set in values: containers: - args: - --diag-addr=0.0.0.0:3000 - image: public.ecr.aws/gravitational/teleport-distroless:14.1.5 + image: public.ecr.aws/gravitational/teleport-distroless:14.2.0 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -343,7 +343,7 @@ should set securityContext for initContainers when set in values: - wait - no-resolve - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local - image: public.ecr.aws/gravitational/teleport-distroless:14.1.5 + image: public.ecr.aws/gravitational/teleport-distroless:14.2.0 name: wait-auth-update securityContext: allowPrivilegeEscalation: false @@ -383,7 +383,7 @@ should set securityContext when set in values: containers: - args: - --diag-addr=0.0.0.0:3000 - image: public.ecr.aws/gravitational/teleport-distroless:14.1.5 + image: public.ecr.aws/gravitational/teleport-distroless:14.2.0 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -451,7 +451,7 @@ should set securityContext when set in values: - wait - no-resolve - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local - image: public.ecr.aws/gravitational/teleport-distroless:14.1.5 + image: public.ecr.aws/gravitational/teleport-distroless:14.2.0 name: wait-auth-update securityContext: allowPrivilegeEscalation: false 
diff --git a/teleport-cluster-14.1.5/tests/__snapshot__/proxy_service_test.yaml.snap b/teleport-cluster-14.2.0/tests/__snapshot__/proxy_service_test.yaml.snap
similarity index 100%
rename from teleport-cluster-14.1.5/tests/__snapshot__/proxy_service_test.yaml.snap
rename to teleport-cluster-14.2.0/tests/__snapshot__/proxy_service_test.yaml.snap
diff --git a/teleport-cluster-14.1.5/tests/__snapshot__/psp_test.yaml.snap b/teleport-cluster-14.2.0/tests/__snapshot__/psp_test.yaml.snap
similarity index 100%
rename from teleport-cluster-14.1.5/tests/__snapshot__/psp_test.yaml.snap
rename to teleport-cluster-14.2.0/tests/__snapshot__/psp_test.yaml.snap
diff --git a/teleport-cluster-14.1.5/tests/auth_clusterrole_test.yaml b/teleport-cluster-14.2.0/tests/auth_clusterrole_test.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/tests/auth_clusterrole_test.yaml
rename to teleport-cluster-14.2.0/tests/auth_clusterrole_test.yaml
diff --git a/teleport-cluster-14.1.5/tests/auth_clusterrolebinding_test.yaml b/teleport-cluster-14.2.0/tests/auth_clusterrolebinding_test.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/tests/auth_clusterrolebinding_test.yaml
rename to teleport-cluster-14.2.0/tests/auth_clusterrolebinding_test.yaml
diff --git a/teleport-cluster-14.1.5/tests/auth_config_test.yaml b/teleport-cluster-14.2.0/tests/auth_config_test.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/tests/auth_config_test.yaml
rename to teleport-cluster-14.2.0/tests/auth_config_test.yaml
diff --git a/teleport-cluster-14.1.5/tests/auth_deployment_test.yaml b/teleport-cluster-14.2.0/tests/auth_deployment_test.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/tests/auth_deployment_test.yaml
rename to teleport-cluster-14.2.0/tests/auth_deployment_test.yaml
diff --git a/teleport-cluster-14.1.5/tests/auth_pdb_test.yaml b/teleport-cluster-14.2.0/tests/auth_pdb_test.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/tests/auth_pdb_test.yaml
rename to teleport-cluster-14.2.0/tests/auth_pdb_test.yaml
diff --git a/teleport-cluster-14.1.5/tests/auth_pvc_test.yaml b/teleport-cluster-14.2.0/tests/auth_pvc_test.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/tests/auth_pvc_test.yaml
rename to teleport-cluster-14.2.0/tests/auth_pvc_test.yaml
diff --git a/teleport-cluster-14.1.5/tests/auth_serviceaccount_test.yaml b/teleport-cluster-14.2.0/tests/auth_serviceaccount_test.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/tests/auth_serviceaccount_test.yaml
rename to teleport-cluster-14.2.0/tests/auth_serviceaccount_test.yaml
diff --git a/teleport-cluster-14.1.5/tests/ingress_test.yaml b/teleport-cluster-14.2.0/tests/ingress_test.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/tests/ingress_test.yaml
rename to teleport-cluster-14.2.0/tests/ingress_test.yaml
diff --git a/teleport-cluster-14.1.5/tests/podmonitor_test.yaml b/teleport-cluster-14.2.0/tests/podmonitor_test.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/tests/podmonitor_test.yaml
rename to teleport-cluster-14.2.0/tests/podmonitor_test.yaml
diff --git a/teleport-cluster-14.1.5/tests/predeploy_test.yaml b/teleport-cluster-14.2.0/tests/predeploy_test.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/tests/predeploy_test.yaml
rename to teleport-cluster-14.2.0/tests/predeploy_test.yaml
diff --git a/teleport-cluster-14.1.5/tests/proxy_certificate_test.yaml b/teleport-cluster-14.2.0/tests/proxy_certificate_test.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/tests/proxy_certificate_test.yaml
rename to teleport-cluster-14.2.0/tests/proxy_certificate_test.yaml
diff --git a/teleport-cluster-14.1.5/tests/proxy_config_test.yaml b/teleport-cluster-14.2.0/tests/proxy_config_test.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/tests/proxy_config_test.yaml
rename to teleport-cluster-14.2.0/tests/proxy_config_test.yaml
diff --git a/teleport-cluster-14.1.5/tests/proxy_deployment_test.yaml b/teleport-cluster-14.2.0/tests/proxy_deployment_test.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/tests/proxy_deployment_test.yaml
rename to teleport-cluster-14.2.0/tests/proxy_deployment_test.yaml
diff --git a/teleport-cluster-14.1.5/tests/proxy_pdb_test.yaml b/teleport-cluster-14.2.0/tests/proxy_pdb_test.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/tests/proxy_pdb_test.yaml
rename to teleport-cluster-14.2.0/tests/proxy_pdb_test.yaml
diff --git a/teleport-cluster-14.1.5/tests/proxy_service_test.yaml b/teleport-cluster-14.2.0/tests/proxy_service_test.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/tests/proxy_service_test.yaml
rename to teleport-cluster-14.2.0/tests/proxy_service_test.yaml
diff --git a/teleport-cluster-14.1.5/tests/proxy_serviceaccount_test.yaml b/teleport-cluster-14.2.0/tests/proxy_serviceaccount_test.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/tests/proxy_serviceaccount_test.yaml
rename to teleport-cluster-14.2.0/tests/proxy_serviceaccount_test.yaml
diff --git a/teleport-cluster-14.1.5/tests/psp_test.yaml b/teleport-cluster-14.2.0/tests/psp_test.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/tests/psp_test.yaml
rename to teleport-cluster-14.2.0/tests/psp_test.yaml
diff --git a/teleport-cluster-14.1.5/values.home.yaml b/teleport-cluster-14.2.0/values.home.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/values.home.yaml
rename to teleport-cluster-14.2.0/values.home.yaml
diff --git a/teleport-cluster-14.1.5/values.schema.json b/teleport-cluster-14.2.0/values.schema.json
similarity index 100%
rename from teleport-cluster-14.1.5/values.schema.json
rename to teleport-cluster-14.2.0/values.schema.json
diff --git a/teleport-cluster-14.1.5/values.yaml b/teleport-cluster-14.2.0/values.yaml
similarity index 100%
rename from teleport-cluster-14.1.5/values.yaml
rename to teleport-cluster-14.2.0/values.yaml
diff --git a/teleport-cluster/Chart.yaml b/teleport-cluster/Chart.yaml
index d8ce69d..d215736 100644
--- a/teleport-cluster/Chart.yaml
+++ b/teleport-cluster/Chart.yaml
@@ -1,13 +1,13 @@
 apiVersion: v2
-appVersion: 14.2.0
+appVersion: 14.3.0
 dependencies:
 - condition: installCRDs,operator.enabled
   name: teleport-operator
   repository: ""
-  version: 14.2.0
+  version: 14.3.0
 description: Teleport is an access platform for your infrastructure
 icon: https://goteleport.com/images/logos/logo-teleport-square.svg
 keywords:
 - Teleport
 name: teleport-cluster
-version: 14.2.0
+version: 14.3.0
diff --git a/teleport-cluster/charts/teleport-operator/Chart.yaml b/teleport-cluster/charts/teleport-operator/Chart.yaml
index 2d264d9..08584e1 100644
--- a/teleport-cluster/charts/teleport-operator/Chart.yaml
+++ b/teleport-cluster/charts/teleport-operator/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v2
-appVersion: 14.2.0
+appVersion: 14.3.0
 description: Teleport Operator provides management of select Teleport resources.
 icon: https://goteleport.com/images/logos/logo-teleport-square.svg
 keywords:
 - Teleport
 name: teleport-operator
-version: 14.2.0
+version: 14.3.0
diff --git a/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_provisiontokens.yaml b/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_provisiontokens.yaml
index af6aa9c..dda4dd5 100644
--- a/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_provisiontokens.yaml
+++ b/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_provisiontokens.yaml
@@ -181,6 +181,16 @@ spec:
                 must be accessible over HTTPS at this hostname and the certificate
                 must be trusted by the Auth Server.
               type: string
+            enterprise_slug:
+              description: EnterpriseSlug allows the slug of a GitHub Enterprise
+                organisation to be included in the expected issuer of the OIDC
+                tokens. This is for compatibility with the `include_enterprise_slug`
+                option in GHE. This field should be set to the slug of your
+                enterprise if this is enabled. If this is not enabled, then
+                this field must be left empty. This field cannot be specified
+                if `enterprise_server_host` is specified. See https://docs.github.com/en/enterprise-cloud@latest/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#customizing-the-issuer-value-for-an-enterprise
+                for more information about customised issuer values.
+              type: string
           type: object
         gitlab:
           description: GitLab allows the configuration of options specific to
diff --git a/teleport-cluster/tests/__snapshot__/auth_deployment_test.yaml.snap b/teleport-cluster/tests/__snapshot__/auth_deployment_test.yaml.snap
index 14d5a57..d7b1104 100644
--- a/teleport-cluster/tests/__snapshot__/auth_deployment_test.yaml.snap
+++ b/teleport-cluster/tests/__snapshot__/auth_deployment_test.yaml.snap
@@ -1,6 +1,6 @@
 should add an operator side-car when operator is enabled:
   1: |
-    image: public.ecr.aws/gravitational/teleport-operator:14.2.0
+    image: public.ecr.aws/gravitational/teleport-operator:14.3.0
     imagePullPolicy: IfNotPresent
     livenessProbe:
       httpGet:
@@ -41,7 +41,7 @@ should add an operator side-car when operator is enabled:
     - args:
       - --diag-addr=0.0.0.0:3000
       - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
-      image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.0
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -174,7 +174,7 @@ should set nodeSelector when set in values:
     - args:
       - --diag-addr=0.0.0.0:3000
       - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
-      image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.0
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -271,7 +271,7 @@ should set resources when set in values:
     - args:
       - --diag-addr=0.0.0.0:3000
       - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
-      image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.0
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -357,7 +357,7 @@ should set securityContext when set in values:
     - args:
       - --diag-addr=0.0.0.0:3000
       - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
-      image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.0
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
diff --git a/teleport-cluster/tests/__snapshot__/proxy_deployment_test.yaml.snap b/teleport-cluster/tests/__snapshot__/proxy_deployment_test.yaml.snap
index e8362a0..26489d6 100644
--- a/teleport-cluster/tests/__snapshot__/proxy_deployment_test.yaml.snap
+++ b/teleport-cluster/tests/__snapshot__/proxy_deployment_test.yaml.snap
@@ -5,7 +5,7 @@ should provision initContainer correctly when set in values:
       - wait
       - no-resolve
       - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.0
       name: wait-auth-update
     - args:
       - echo test
@@ -62,7 +62,7 @@ should set nodeSelector when set in values:
     containers:
     - args:
       - --diag-addr=0.0.0.0:3000
-      image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.0
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -123,7 +123,7 @@ should set nodeSelector when set in values:
       - wait
       - no-resolve
       - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.0
       name: wait-auth-update
     nodeSelector:
       environment: security
@@ -174,7 +174,7 @@ should set resources when set in values:
     containers:
     - args:
       - --diag-addr=0.0.0.0:3000
-      image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.0
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -242,7 +242,7 @@ should set resources when set in values:
       - wait
       - no-resolve
       - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.0
       name: wait-auth-update
     serviceAccountName: RELEASE-NAME-proxy
     terminationGracePeriodSeconds: 60
@@ -275,7 +275,7 @@ should set securityContext for initContainers when set in values:
     containers:
     - args:
       - --diag-addr=0.0.0.0:3000
-      image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.0
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -343,7 +343,7 @@ should set securityContext for initContainers when set in values:
       - wait
       - no-resolve
       - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.0
       name: wait-auth-update
       securityContext:
         allowPrivilegeEscalation: false
@@ -383,7 +383,7 @@ should set securityContext when set in values:
     containers:
     - args:
       - --diag-addr=0.0.0.0:3000
-      image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.0
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -451,7 +451,7 @@ should set securityContext when set in values:
       - wait
       - no-resolve
       - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.0
       name: wait-auth-update
       securityContext:
         allowPrivilegeEscalation: false
diff --git a/teleport-cluster/values.home.yaml b/teleport-cluster/values.home.yaml
index 32e3a02..c94313d 100644
--- a/teleport-cluster/values.home.yaml
+++ b/teleport-cluster/values.home.yaml
@@ -1,566 +1,22 @@ -################################################## -# Values that must always be provided by the user. -################################################## - -# `clusterName` controls the name used to refer to the Teleport cluster, along with -# the externally-facing public address to use to access it. In most setups this must -# be a fully-qualified domain name (e.g. `teleport.example.com`) as this value is -# used as the cluster's public address by default. -# -# Note: When using a fully qualified domain name as your `clusterName`, you will also -# need to configure the DNS provider for this domain to point to the external -# load balancer address of your Teleport cluster. -# -# Warning: The clusterName cannot be changed during a Teleport cluster's lifespan. -# If you need to change it, you must redeploy a completely new cluster. clusterName: "teleport.ervine.cloud" - -# Name for this kubernetes cluster to be used by teleport users. kubeClusterName: "homeK8s" - -################################################## -# Values that you may need to change. -################################################## - -# Version of teleport image, if different from chart version in Chart.yaml. -# DANGER: `teleportVersionOverride` MUST NOT be used to control the Teleport version. -# This chart is designed to run a specific teleport version (see Chart.yaml). -# You will face compatibility issues trying to run a different Teleport version with it. -# -# If you want to run Teleport version X, you should use `helm --version X` instead. -teleportVersionOverride: "" - -# The `proxyProtocol` value controls whether the Proxy pods will -# accept PROXY lines with the client's IP address when they are -# behind a L4 load balancer (e.g. AWS ELB, GCP L4 LB, etc) with PROXY protocol -# enabled. Since L4 LBs do not preserve the client's IP address, PROXY protocol is -# required to ensure that Teleport can properly audit the client's IP address. 
-# -# When Teleport pods are not behind a L4 LB with PROXY protocol enabled, this -# value should be set to "off" to prevent Teleport from accepting PROXY headers -# from untrusted sources. -# Possible values are "on" and "off". -# - "on" will enable the PROXY protocol for all connections and will require the -# L4 LB to send a PROXY header. -# - "off" will disable the PROXY protocol for all connections and denies all -# connections prefixed with a PROXY header. -# -# If proxyProtocol is unspecified, Teleport does not require PROXY header for the -# connection, but will accept it if present. This mode is considered insecure -# and should only be used for testing purposes. -# -# See https://goteleport.com/docs/ver/14.x/management/security/proxy-protocol/ -# for more information. -# -# proxyProtocol: on - -# The `teleport-cluster` charts deploys two sets of pods: auth and proxy. -# `auth` contains values specific for the auth pods. You can use it to -# set specific values for auth pods, taking precedence over chart-scoped values. -# For example, to override the [`postStart`](#postStart) value only for auth pods: -# -# auth: -# postStart: ["curl", "http://hook"] -# imagePullPolicy: Always -auth: - # auth.teleportConfig contains YAML teleport configuration for auth pods - # The configuration will be merged with the chart-generated configuration - # and will take precedence in case of conflict. 
- # - # See the Teleport Configuration Reference for the list of supported fields: - # https://goteleport.com/docs/reference/config/ - # - # teleportConfig: - # teleport: - # cache: - # enabled: false - # auth_service: - # client_idle_timeout: 2h - # client_idle_timeout_message: "Connection closed after 2hours without activity" - teleportConfig: {} - -# proxy contains values specific for the proxy pods -# You can override chart-scoped values, for example -# proxy: -# postStart: ["curl", "http://hook"] -# imagePullPolicy: Always -proxy: - # proxy.teleportConfig contains YAML teleport configuration for proxy pods - # The configuration will be merged with the chart-generated configuration - # and will take precedence in case of conflict - # - # See the Teleport Configuration Reference for the list of supported fields: - # https://goteleport.com/docs/reference/config/ - # - # teleportConfig: - # teleport: - # cache: - # enabled: false - # proxy_service: - # https_keypairs: - # - key_file: /my-custom-mount/key.pem - # cert_file: /my-custom-mount/cert.pem - teleportConfig: {} - -authentication: - # Default authentication type. Possible values are 'local' and 'github' for OSS, plus 'oidc' and 'saml' for Enterprise. - type: local - - # Sets the authenticator connector for SSO or the default connector for "local" authentication. - # See SSO for Enterprise (https://goteleport.com/docs/enterprise/sso/). - # See Passwordless for local - # (http://goteleport.com/docs/access-controls/guides/passwordless/#optional-enable-passwordless-by-default). - # Defaults to "local". - connectorName: "" - - # Enable/disable local authentication by setting `authentication.local_auth` in `teleport.yaml`. - # Disabling local auth is required for FedRAMP / FIPS; see https://gravitational.com/teleport/docs/enterprise/ssh-kubernetes-fedramp/. - localAuth: true - - # Controls the locking mode: in case of network split should Teleport guarantee availability or integrity ? 
- # Possible values are "best_effort" and "strict". When not defined, Teleport defaults to "best_effort". - # See https://goteleport.com/docs/access-controls/guides/locking/#next-steps-locking-modes. - lockingMode: "" - - # Second factor requirements for users of the Teleport cluster. - # Controls the `auth_config.authentication.second_factor` field in `teleport.yaml`. - # Possible values are 'off', 'on', 'otp', 'optional' and 'webauthn'. - # - # WARNING: - # If you set `publicAddr` for users to access the cluster under a domain different - # to clusterName you must manually set the webauthn Relying - # Party Identifier (RP ID) - https://www.w3.org/TR/webauthn-2/#relying-party-identifier - # If you don't, RP ID will default to `clusterName` and users will fail - # to register second factors. - # - # You can do this by setting the value - # `auth.teleportConfig.auth_service.authentication.webauthn.rp_id`. - # - # RP ID must be both a valid domain, and part of the full domain users are connecting to. - # For example, if users are accessing the cluster with the domain - # "teleport.example.com", RP ID can be "teleport.example.com" or "example.com". - # - # Changing the RP ID will invalidate all already registered webauthn second factors. - secondFactor: "on" - - # (Optional) When using webauthn this allows to restrict which vendor and key models can be used. - # webauthn: - # attestationAllowedCas: - # - /path/to/allowed_ca.pem - # - | - # -----BEGIN CERTIFICATE----- - # ... - # -----END CERTIFICATE----- - # attestationDeniedCas: - # - /path/to/denied_ca.pem - # - | - # -----BEGIN CERTIFICATE----- - # ... - # -----END CERTIFICATE----- - -# Deprecated way to set the authentication type, `authentication.type` should be preferred. -# authenticationType: local - -# Deprecated way to set the authentication second factor, `authentication.secondFactor` should be preferred. -# authenticationSecondFactor: -# secondFactor: "otp" - -# Teleport supports TLS routing. 
In this mode, all client connections are wrapped in TLS and multiplexed on one Teleport proxy port. -# Default mode will not utilize TLS routing and operate in backwards-compatibility mode. -# -# To use an ingress, set proxyListenerMode=multiplex, ingress.enabled=true and service.type=ClusterIP -# -# Possible values are 'separate' and 'multiplex' proxyListenerMode: "multiplex" - -# Optional setting for configuring session recording. -# See `session_recording` under https://goteleport.com/docs/setup/reference/config/#teleportyaml -sessionRecording: "" - -# By default, Teleport will multiplex Postgres and MongoDB database connections on the same port as the proxy's web listener (443) -# Setting either of these values to true will separate the listeners out onto a separate port (5432 for Postgres, 27017 for MongoDB) -# This is useful when terminating TLS at a load balancer in front of Teleport (such as when using AWS ACM) -# These settings will not apply if proxyListenerMode is set to "multiplex". -separatePostgresListener: false -separateMongoListener: false - -# Do not set any of these values unless you explicitly need to. Teleport always uses the cluster name by default. -# -# WARNING: -# If you set `publicAddr` for users to access the cluster under a domain different -# to clusterName, you must manually set the webauthn Relying -# Party Identifier (RP ID) - https://www.w3.org/TR/webauthn-2/#relying-party-identifier -# If you don't, RP ID will default to `clusterName` and users will fail -# to register second factors. -# -# You can do this by setting the value -# `auth.teleportConfig.auth_service.authentication.webauthn.rp_id`. -# -# RP ID must be both a valid domain, and part of the full domain users are connecting to. -# For example, if users are accessing the cluster with the domain -# "teleport.example.com", RP ID can be "teleport.example.com" or "example.com". -# -# Changing the RP ID will invalidate all already registered webauthn second factors. 
-# -# Public cluster addresses, including port (e.g. teleport.example.com:443) -# Defaults to `clusterName` on port 443. -publicAddr: [] -# Public cluster kube addresses, including port. Defaults to `publicAddr` on port 3026. -# Only used when `proxyListenerMode` is not 'multiplex'. -kubePublicAddr: [] -# Public cluster mongo listener addresses, including port. Defaults to `publicAddr` on port 27017. -# Only used when `proxyListenerMode` is not 'multiplex' and `separateMongoListener` is true. -mongoPublicAddr: [] -# Public cluster MySQL addresses, including port. Defaults to `publicAddr` on port 3036. -# Only used when `proxyListenerMode` is not 'multiplex'. -mysqlPublicAddr: [] -# Public cluster postgres listener addresses, including port. Defaults to `publicAddr` on port 5432. -# Only used when `proxyListenerMode` is not 'multiplex' and `separatePostgresListener` is true. -postgresPublicAddr: [] -# Public cluster SSH addresses, including port. Defaults to `publicAddr` on port 3023. -# Only used when `proxyListenerMode` is not 'multiplex'. -sshPublicAddr: [] -# Public cluster tunnel SSH addresses, including port. Defaults to `publicAddr` on port 3024. -# Only used when `proxyListenerMode` is not 'multiplex'. -tunnelPublicAddr: [] - -# ACME is a protocol for getting Web X.509 certificates -# Note: ACME can only be used for single-instance clusters. It is not suitable for use in HA configurations. -# For HA configurations, see either the "highAvailability.certManager" or "tls" values. -# Setting acme to 'true' enables the ACME protocol and will attempt to get a free TLS certificate from Let's Encrypt. -# Setting acme to 'false' (the default) will cause Teleport to generate and use self-signed certificates for its web UI. -# This section is mutually exclusive with the "tls" value below. 
-acme: false -# acmeEmail is the email address to provide during certificate registration (this is a Let's Encrypt requirement) -acmeEmail: "" -# acmeURI is the ACME server to use for getting certificates. The default is to use Let's Encrypt's production server. -acmeURI: "" - -# Set enterprise to true to use enterprise image -# You will need to download your Enterprise license from the Teleport dashboard and create a secret to use this: -# kubectl -n ${TELEPORT_NAMESPACE?} create secret generic license --from-file=/path/to/downloaded/license.pem -enterprise: false - -# CRDs are installed by default when the operator is enabled. This manual override allows to disable CRD installation -# when deploying multiple releases in the same cluster. -# installCRDs: - -# Configuration of the optional Teleport operator operator: - # Set enabled to true to add the Kubernetes Teleport Operator enabled: true - # Kubernetes Teleport Operator image - image: public.ecr.aws/gravitational/teleport-operator - # Resources to request for the operator container - # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - resources: {} - # requests: - # cpu: "0.5" - # memory: "1Gi" - # limits: - # memory: "1Gi" - -# If true, create & use Pod Security Policy resources -# https://kubernetes.io/docs/concepts/policy/pod-security-policy/ -# WARNING: the PSP won't be deployed for Kubernetes 1.23 and higher. -# Please read https://goteleport.com/docs/deploy-a-cluster/helm-deployments/migration-kubernetes-1-25-psp/ podSecurityPolicy: enabled: false - -# Labels is a map of key-value pairs about this cluster -labels: {} - -# Mode to deploy the chart in. The default is "standalone". Options: -# - "standalone": will deploy a Teleport container running auth and proxy services with a PersistentVolumeClaim for storage. -# - "aws": will deploy Teleport using DynamoDB for backend/audit log storage and S3 for session recordings. 
(1) -# - "gcp": will deploy Teleport using Firestore for backend/audit log storage and Google Cloud storage for session recordings. (2) -# - "azure": will deploy Teleport using Azure Database for PostgreSQL for backend/audit and Azure Blob Storage for session recordings. (3) -# - "scratch": will deploy Teleport containers but will not provide default configuration file. You must pass your own configuration. (4) -# (1) To use "aws" mode, you must also configure the "aws" section below. -# (2) To use "gcp" mode, you must also configure the "gcp" section below. -# (3) To use "azure" mode, you must also configure the "azure" section below. -# (4) When set to "scratch", you must write the teleport configuration in auth.teleportConfig and proxy.teleportConfig. -# `scratch` usage is strongly discouraged, this is a last resort option and -# everything should be doable with `standalone` mode + overrides through -# `auth.teleportConfig` and `proxy.teleportConfig`. -chartMode: standalone - -# validateConfigOnDeploy enables a Kubernetes job before install and upgrade that will verify -# if the teleport.yaml configuration is valid and will block the deployment if it is not -validateConfigOnDeploy: true - -# Whether the chart should create a Teleport ProvisionToken for the proxies to join the Teleport cluster. -# Disabling this flag will cause the proxies not to be able to join the auth pods. In this case, the -# Helm chart user is responsible for configuring working join_params on the proxy. -createProxyToken: true - -# podMonitor controls the PodMonitor CR (from monitoring.coreos.com/v1) -# This CRD is managed by the prometheus-operator and allows workload to -# get monitored. To use this value, you need to run a `prometheus-operator` -# in the cluster for this value to take effect. -# See https://prometheus-operator.dev/docs/prologue/introduction/ podMonitor: - # Whether the chart should deploy a PodMonitor. 
- # Disabled by default as it requires the PodMonitor CRD to be installed. enabled: true - # additionalLabels to put on the PodMonitor. - # This is used to be selected by a specific prometheus instance. - # Defaults to {prometheus: default} which seems to be the common default prometheus selector additionalLabels: prometheus: k8s - # interval is the interval between two metrics scrapes. Defaults to 30s - interval: 30s - -###################################################################### -# Persistence settings (only used in "standalone" and "scratch" modes) -# NOTE: Changes in Kubernetes 1.23+ mean that persistent volumes will not automatically be provisioned in AWS EKS clusters -# without additional configuration. See https://docs.aws.amazon.com/eks/latest/userguide/ebs-csi.html for more details. -# This driver addon must be configured to use persistent volumes in EKS clusters after Kubernetes 1.23. -###################################################################### -persistence: - # Enable persistence using a PersistentVolumeClaim - enabled: true - # Leave blank to automatically create a PersistentVolumeClaim for Teleport storage. - # If you would like to use a pre-existing PersistentVolumeClaim, put its name here. - existingClaimName: "" - # Size of persistent volume to request when created by Teleport. - # Ignored if existingClaimName is provided. - volumeSize: 10Gi - -################################################## -# AWS-specific settings (only used in "aws" mode) -################################################## -aws: - # The AWS region where the DynamoDB tables are located. - region: "" - # The DynamoDB table name to use for backend storage. Teleport will attempt to create this table automatically if it does not exist. - # The container will need an appropriately-provisioned IAM role with permissions to create DynamoDB tables. - backendTable: "" - # The DynamoDB table name to use for audit log storage. 
Teleport will attempt to create this table automatically if it does not exist. - # The container will need an appropriately-provisioned IAM role with permissions to create DynamoDB tables. - # This MUST NOT be the same table name as used for 'backendTable' as the schemas are different. - auditLogTable: "" - # Whether to mirror audit log entries to stdout in JSON format (useful for external log collectors) - auditLogMirrorOnStdout: false - # The S3 bucket name to use for recorded session storage. Teleport will attempt to create this bucket automatically if it does not exist. - # The container will need an appropriately-provisioned IAM role with permissions to create S3 buckets. - sessionRecordingBucket: "" - # Whether or not to turn on DynamoDB backups - backups: false - - # Whether Teleport should configure DynamoDB's autoscaling. - # Requires additional statements in the IAM Teleport Policy to be allowed to configure the autoscaling. - # See https://goteleport.com/docs/setup/reference/backends/#dynamodb-autoscaling - dynamoAutoScaling: false - - # DynamoDB autoscaling settings. Required if `dynamoAutoScaling` is `true`. - # See https://goteleport.com/docs/setup/reference/backends/#dynamodb-autoscaling - readMinCapacity: null # Integer - readMaxCapacity: null # Integer - readTargetValue: null # Float - writeMinCapacity: null # Integer - writeMaxCapacity: null # Integer - writeTargetValue: null # Float - -################################################## -# GCP-specific settings (only used in "gcp" mode) -################################################## -gcp: - # The project name being used for the GCP account where Teleport is running. - # See https://support.google.com/googleapi/answer/7014113?hl=en - projectId: "" - # The Firestore collection to use for backend storage. Teleport will attempt to create this collection automatically if it does not exist. 
- # Either of the following must be true: - # - The container will need an appropriately-provisioned IAM role/service account with permissions to create Firestore collections - # - The service account credentials provided via 'credentialSecretName' will need permissions to create Firestore collections. - backendTable: "" - # The Firestore collection to use for audit log storage. Teleport will attempt to create this collection automatically if it does not exist. - # Either of the following must be true: - # - The container will need an appropriately-provisioned IAM role/service account with permissions to create Firestore collections - # - The service account credentials provided via 'credentialSecretName' will need permissions to create Firestore collections. - # This MUST NOT be the same collection name as used for 'backendTable' as the schemas are different. - auditLogTable: "" - # Whether to mirror audit log entries to stdout in JSON format (useful for external log collectors) - auditLogMirrorOnStdout: false - # The Google storage bucket name to use for recorded session storage. This bucket must already exist in the Google account being used. - sessionRecordingBucket: "" - # The name of the Kubernetes secret used to store the Google credentials. - # You will need to create this secret manually. It must contain a JSON file from Google with the credentials that Teleport will use. - # You can override this to a blank value if the worker node running Teleport already has a service account which grants access. - credentialSecretName: teleport-gcp-credentials - -##################################################### -# Azure-specific settings (only used in "azure" mode) -##################################################### -azure: - # The fully qualified hostname of the Postgres database cluster hosted in Azure. - # It should follow the format ".postgres.database.azure.com". 
- databaseHost: "" - # The Postgres user Teleport must use to connect to the backend and audit - # databases. - databaseUser: "" - # The Postgres database to use for backend storage. - backendDatabase: "teleport_backend" - # The Postgres database to use for audit log storage. - # This MUST NOT be the same database as used for 'backendDatabase'. - auditLogDatabase: "teleport_audit" - # Whether to mirror audit log entries to stdout in JSON format (useful for external log collectors) - auditLogMirrorOnStdout: false - # The fully qualified domain name of the Azure Blob Storage account to use for - # recorded session storage. This account must already exist. - # It should follow the format ".blob.core.windows.net" - sessionRecordingStorageAccount: "" - # Azure client ID is used by the Kubernetes Service Account to know which - # Application it should impersonate. This can be unset only if the clientID is - # passed through other means (e.g. environment variable) - clientID: "" - # Controls the `pool_max_conns` setting passed to PostgreSQL. This is the - # max amount of connections Teleport can open to the database. This can affect - # performance on large clusters and depends on various factors like the - # database size, the number of CPU cores available for Teleport, GOMAXPROCS - # and the database latency. - # This only applies to the core backend connections, not the audit log ones. - # 0 means the parameter is not set and the client's default is used (recommended) - databasePoolMaxConnections: 0 - -# `highAvailability` contains settings controlling how Teleport pods are -# replicated and scheduled. This allows Teleport to run in a highly-available -# fashion: Teleport should sustain the crash/loss of a machine without interrupting -# the service. -# -# For auth pods: -# When using "standalone" or "scratch" mode, you must use highly-available storage -# (etcd, DynamoDB or Firestore) for multiple replicas to be supported. 
-# Manually configuring NFS-based storage or ReadWriteMany volume claims -# is NOT supported and will result in errors. Using Teleport's built-in -# ACME client (as opposed to using cert-manager or passing certs through a secret) -# is not supported with multiple replicas. -# For proxy pods: -# Proxy pods need to be provided a certificate to be replicated (either via -# `tls.existingSecretName` or via `highAvailability.certManager`). -# If proxy pods are replicable, they will default to 2 replicas, -# even if `highAvailability.replicaCount` is 1. To force a single proxy replica, -# set `proxy.highAvailability.replicaCount: 1`. highAvailability: - # Controls the amount of pod replicas. The `highAvailability` comment describes - # the replication requirements. - # - # WARNING: You **must** meet the replication criteria, - # else the deployment will result in errors and inconsistent data. - replicaCount: 1 - # Setting 'requireAntiAffinity' to true will use 'requiredDuringSchedulingIgnoredDuringExecution' to require that multiple Teleport pods must not be scheduled on the - # same physical host. This will result in Teleport pods failing to be scheduled in very small clusters or during node downtime, so should be used with caution. - # Setting 'requireAntiAffinity' to false (the default) uses 'preferredDuringSchedulingIgnoredDuringExecution' to make this a soft requirement. - # This setting only has any effect when replicaCount is greater than 1. - requireAntiAffinity: false - # If enabled will create a Pod Disruption Budget - # https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ - podDisruptionBudget: - enabled: false - minAvailable: 1 - # Settings for cert-manager (can be used for provisioning TLS certs in HA mode) - # These settings are mutually exclusive with the "tls" value below. 
certManager: - # If set to true, use cert-manager to get certificates for Teleport to use for TLS termination enabled: true - # If set to true, a common name matching the cluster name will be set in the certificate signing request. This is mandatory for some CAs. addCommonName: false - # If set to true, any additional public addresses configured under the `publicAddr` chart value will be added to the certificate signing request. - # This setting is not enabled by default to preserve backward compatibility. addPublicAddrs: false - # Name of the Issuer/ClusterIssuer to use for certs - # NOTE: You will always need to create this yourself when certManager.enabled is true. issuerName: "letsencrypt-prod" - # Kind of Issuer that cert-manager should look for. - # This defaults to 'Issuer' to keep everything contained within the teleport namespace. issuerKind: ClusterIssuer - # Group of Issuer that cert-manager should look for. - # This defaults to 'cert-manager.io' which is the default Issuer group. - issuerGroup: cert-manager.io - # Injects delay when performing pod rollouts to mitigate the loss of all agent tunnels at the same time - # See https://github.com/gravitational/teleport/issues/13129 - minReadySeconds: 15 - -# Settings for mounting your own TLS keypair to secure Teleport's web UI. -# These settings are mutually exclusive with the "highAvailability.certManager" and "acme" values above. -tls: - # Name of an existing secret to use which contains a TLS keypair. Will automatically set the https_keypairs section in teleport.yaml. - # Create the secret in the same namespace as Teleport using `kubectl create secret tls my-tls-secret --cert=/path/to/cert/file --key=/path/to/key/file` - # See https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets for more information. - existingSecretName: "" - # (optional) Name of an existing secret to use which contains a CA or trust bundle in x509 PEM format. 
- # Useful for building trust when using intermediate certificate authorities.
- # This will automatically set the SSL_CERT_FILE environment variable to trust the CA.
- # Create the secret with `kubectl create secret generic --from-file=ca.pem=/path/to/root-ca.pem
- # The filename inside the secret is important - it _must_ be ca.pem
- existingCASecretName: ""
-
-##################################################
-# Values that you shouldn't need to change.
-##################################################
-
-# Container image for the cluster.
-# Since version 13, hardened distroless images are used by default.
-# You can use the deprecated debian-based images by setting the value to
-# `public.ecr.aws/gravitational/teleport`. Those images will be
-# removed with teleport 14.
-image: public.ecr.aws/gravitational/teleport-distroless
-# Enterprise version of the image
-# Since version 13, hardened distroless images are used by default.
-# You can use the deprecated debian-based images by setting the value to
-# `public.ecr.aws/gravitational/teleport-ent`. Those images will be
-# removed with teleport 14.
-enterpriseImage: public.ecr.aws/gravitational/teleport-ent-distroless
-# Optional array of imagePullSecrets, to use when pulling from a private registry
-imagePullSecrets: []
-# Teleport logging configuration
-log:
- # Log level for the Teleport process.
- # Available log levels are: DEBUG, INFO, WARNING, ERROR.
- # The default is INFO, which is recommended in production.
- # DEBUG is useful during first-time setup or to see more detailed logs for debugging.
- level: INFO
- # Log output
- # Use a file path to log to disk: e.g. '/var/lib/teleport/teleport.log'
- # Other supported values: 'stdout', 'stderr' and 'syslog'
- output: stderr
- # Log format configuration
- # Possible output values are 'json' and 'text' (default).
- format: text
- # Possible extra_fields values include: timestamp, component, caller, and level.
- # All extra fields are included by default.
- extraFields: ["timestamp", "level", "component", "caller"] - -################################## -# Extra Kubernetes configuration # -################################## - -# nodeSelector to apply for pod assignment -# https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector -nodeSelector: {} - -# Affinity for pod assignment -# https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity -# NOTE: If affinity is set here, highAvailability.requireAntiAffinity cannot also be used - you can only set one or the other. -affinity: {} - -# Kubernetes annotations to apply -# https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ annotations: - # Annotations for the ConfigMap - config: {} - # Annotations for the Deployment - deployment: {} - # Annotations for each Pod in the Deployment - pod: {} - # Annotations for the Service object - service: {} - # Annotations for the ServiceAccount object - serviceAccount: {} - # Annotations for the certificate secret generated by cert-manager v1.5+ when - # highAvailability.certManager.enabled is true - certSecret: {} - # Annotations for the Ingress object ingress: kubernetes.io/ingress.class: nginx nginx.ingress.kubernetes.io/backend-protocol: HTTPS 
@@ -570,117 +26,7 @@ annotations: nginx.ingress.kubernetes.io/session-cookie-name: "http-cookie" nginx.ingress.kubernetes.io/session-cookie-expires: "172800" nginx.ingress.kubernetes.io/session-cookie-max-age: "172800" - -# Kubernetes service account to create/use. -serviceAccount: - # Specifies whether a ServiceAccount should be created - create: true - # The name of the ServiceAccount to use. - # If not set and serviceAccount.create is true, the name is generated using the release name. - # If create is false, the name will be used to reference an existing service account. - name: "" - # To set annotations on the service account, use the annotations.serviceAccount value. - -# Set to true (default) to create Kubernetes ClusterRole and ClusterRoleBinding. -rbac: - # Specifies whether a ClusterRole and ClusterRoleBinding should be created. - # Set to false if your cluster level resources are managed separately. - create: true - -# Options for the Teleport proxy service -# This setting only applies to the proxy service. The teleport auth service is internal-only and always uses a ClusterIP. -# You can override the proxy's backend service to any service type (other than "LoadBalancer") here if really needed. -# To use an Ingress, set service.type=ClusterIP and ingress.enabled=true service: type: ClusterIP - # Additional entries here will be added to the service spec. - spec: {} - # loadBalancerIP: "1.2.3.4" - -# Options for ingress -# If you set ingress.enabled to true, service.type MUST also be set to something other than "LoadBalancer" to prevent -# additional unnecessary load balancers from being created. Ingress controllers should provision their own load balancer. -# Using an Ingress also requires that you use the `tsh` client to connect to Kubernetes clusters and databases behind Teleport. -# See https://goteleport.com/docs/architecture/tls-routing/#working-with-layer-7-load-balancers-or-reverse-proxies-preview for details. 
ingress: enabled: true - # Setting suppressAutomaticWildcards to true will not automatically add *. as a hostname served - # by the Ingress. This may be desirable if you don't use Teleport Application Access. - suppressAutomaticWildcards: false - # Additional entries here will be added to the ingress spec. - spec: {} - # ingressClassName: nginx - -# Extra arguments to pass to 'teleport start' for the main Teleport pod -extraArgs: [] - -# Extra environment to be configured on the Teleport pod -extraEnv: [] - -# Extra containers to be added to the Teleport pod -extraContainers: [] -# - name: nscenter -# command: -# - /bin/bash -# - -c -# - sleep infinity & wait -# image: praqma/network-multitool -# imagePullPolicy: IfNotPresent -# securityContext: -# privileged: true -# runAsNonRoot: false - -# Extra volumes to mount into the Teleport pods -# https://kubernetes.io/docs/concepts/storage/volumes/ -extraVolumes: [] -# - name: myvolume -# secret: -# secretName: testSecret - -# Extra volume mounts corresponding to the volumes mounted above -extraVolumeMounts: [] -# - name: myvolume -# mountPath: /path/on/host - -# Allow the imagePullPolicy to be overridden -imagePullPolicy: IfNotPresent - -# A list of initContainers to run before each Teleport pod starts -# https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ -initContainers: [] -# - name: "teleport-init" -# image: "alpine" -# args: ["echo test"] - -# If set, will run the command as a postStart handler -# https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/ -postStart: - command: [] - -# Resources to request for the teleport container -# https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ -resources: {} -# requests: -# cpu: "1" -# memory: "2Gi" - -# Security context to add to the container -securityContext: {} - # runAsUser: 99 - -# Priority class name to add to the deployment -priorityClassName: "" - -# Tolerations for pod assignment -# 
https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
-tolerations: []
-
-# Timeouts for the readiness and liveness probes
-# https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
-probeTimeoutSeconds: 1
-
-# Kubernetes termination grace period
-# https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution
-#
-# This should be greater than 30 seconds as pods are waiting 30 seconds in a preStop hook.
-terminationGracePeriodSeconds: 60
diff --git a/teleport-cluster/values.home.yaml.old b/teleport-cluster/values.home.yaml.old
new file mode 100644
index 0000000..32e3a02
--- /dev/null
+++ b/teleport-cluster/values.home.yaml.old
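Review bot: The retained `service: type: ClusterIP` and `ingress: enabled: true` lines depend on constraints that this hunk strips from the file together with the chart boilerplate: an Ingress needs `proxyListenerMode` set to `multiplex` and a `service.type` other than LoadBalancer, and an L7 reverse proxy changes how `tsh` reaches Kubernetes clusters and databases behind Teleport. Whether the trimmed file still sets `proxyListenerMode` is outside this hunk, so that should be confirmed before relying on the Ingress path. I would keep a one-line pointer above `ingress:` so the dependency survives the cleanup, e.g. `# needs proxyListenerMode: multiplex and service.type != LoadBalancer; see Teleport's TLS-routing docs for L7 proxy caveats`. The `nginx.ingress.kubernetes.io/session-cookie-*` annotations kept as context presumably rely on cookie affinity being enabled elsewhere in the annotation block; if it is not, they have no effect.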
@@ -0,0 +1,686 @@
+##################################################
+# Values that must always be provided by the user.
+##################################################
+
+# `clusterName` controls the name used to refer to the Teleport cluster, along with
+# the externally-facing public address to use to access it. In most setups this must
+# be a fully-qualified domain name (e.g. `teleport.example.com`) as this value is
+# used as the cluster's public address by default.
+#
+# Note: When using a fully qualified domain name as your `clusterName`, you will also
+# need to configure the DNS provider for this domain to point to the external
+# load balancer address of your Teleport cluster.
+#
+# Warning: The clusterName cannot be changed during a Teleport cluster's lifespan.
+# If you need to change it, you must redeploy a completely new cluster.
+clusterName: "teleport.ervine.cloud"
+
+# Name for this kubernetes cluster to be used by teleport users.
+kubeClusterName: "homeK8s"
+
+##################################################
+# Values that you may need to change.
+##################################################
+
+# Version of teleport image, if different from chart version in Chart.yaml.
+# DANGER: `teleportVersionOverride` MUST NOT be used to control the Teleport version.
+# This chart is designed to run a specific teleport version (see Chart.yaml).
+# You will face compatibility issues trying to run a different Teleport version with it.
+#
+# If you want to run Teleport version X, you should use `helm --version X` instead.
+teleportVersionOverride: ""
+
+# The `proxyProtocol` value controls whether the Proxy pods will
+# accept PROXY lines with the client's IP address when they are
+# behind a L4 load balancer (e.g. AWS ELB, GCP L4 LB, etc) with PROXY protocol
+# enabled. Since L4 LBs do not preserve the client's IP address, PROXY protocol is
+# required to ensure that Teleport can properly audit the client's IP address.
+#
+# When Teleport pods are not behind a L4 LB with PROXY protocol enabled, this
+# value should be set to "off" to prevent Teleport from accepting PROXY headers
+# from untrusted sources.
+# Possible values are "on" and "off".
+# - "on" will enable the PROXY protocol for all connections and will require the
+# L4 LB to send a PROXY header.
+# - "off" will disable the PROXY protocol for all connections and denies all
+# connections prefixed with a PROXY header.
+#
+# If proxyProtocol is unspecified, Teleport does not require PROXY header for the
+# connection, but will accept it if present. This mode is considered insecure
+# and should only be used for testing purposes.
+#
+# See https://goteleport.com/docs/ver/14.x/management/security/proxy-protocol/
+# for more information.
+#
+# proxyProtocol: on
+
+# The `teleport-cluster` charts deploys two sets of pods: auth and proxy.
+# `auth` contains values specific for the auth pods. You can use it to
+# set specific values for auth pods, taking precedence over chart-scoped values.
+# For example, to override the [`postStart`](#postStart) value only for auth pods:
+#
+# auth:
+# postStart: ["curl", "http://hook"]
+# imagePullPolicy: Always
+auth:
+ # auth.teleportConfig contains YAML teleport configuration for auth pods
+ # The configuration will be merged with the chart-generated configuration
+ # and will take precedence in case of conflict.
+ #
+ # See the Teleport Configuration Reference for the list of supported fields:
+ # https://goteleport.com/docs/reference/config/
+ #
+ # teleportConfig:
+ # teleport:
+ # cache:
+ # enabled: false
+ # auth_service:
+ # client_idle_timeout: 2h
+ # client_idle_timeout_message: "Connection closed after 2hours without activity"
+ teleportConfig: {}
+
+# proxy contains values specific for the proxy pods
+# You can override chart-scoped values, for example
+# proxy:
+# postStart: ["curl", "http://hook"]
+# imagePullPolicy: Always
+proxy:
+ # proxy.teleportConfig contains YAML teleport configuration for proxy pods
+ # The configuration will be merged with the chart-generated configuration
+ # and will take precedence in case of conflict
+ #
+ # See the Teleport Configuration Reference for the list of supported fields:
+ # https://goteleport.com/docs/reference/config/
+ #
+ # teleportConfig:
+ # teleport:
+ # cache:
+ # enabled: false
+ # proxy_service:
+ # https_keypairs:
+ # - key_file: /my-custom-mount/key.pem
+ # cert_file: /my-custom-mount/cert.pem
+ teleportConfig: {}
+
+authentication:
+ # Default authentication type. Possible values are 'local' and 'github' for OSS, plus 'oidc' and 'saml' for Enterprise.
+ type: local
+
+ # Sets the authenticator connector for SSO or the default connector for "local" authentication.
+ # See SSO for Enterprise (https://goteleport.com/docs/enterprise/sso/).
+ # See Passwordless for local
+ # (http://goteleport.com/docs/access-controls/guides/passwordless/#optional-enable-passwordless-by-default).
+ # Defaults to "local".
+ connectorName: ""
+
+ # Enable/disable local authentication by setting `authentication.local_auth` in `teleport.yaml`.
+ # Disabling local auth is required for FedRAMP / FIPS; see https://gravitational.com/teleport/docs/enterprise/ssh-kubernetes-fedramp/.
+ localAuth: true
+
+ # Controls the locking mode: in case of network split should Teleport guarantee availability or integrity ?
+ # Possible values are "best_effort" and "strict". When not defined, Teleport defaults to "best_effort".
+ # See https://goteleport.com/docs/access-controls/guides/locking/#next-steps-locking-modes.
+ lockingMode: ""
+
+ # Second factor requirements for users of the Teleport cluster.
+ # Controls the `auth_config.authentication.second_factor` field in `teleport.yaml`.
+ # Possible values are 'off', 'on', 'otp', 'optional' and 'webauthn'.
+ #
+ # WARNING:
+ # If you set `publicAddr` for users to access the cluster under a domain different
+ # to clusterName you must manually set the webauthn Relying
+ # Party Identifier (RP ID) - https://www.w3.org/TR/webauthn-2/#relying-party-identifier
+ # If you don't, RP ID will default to `clusterName` and users will fail
+ # to register second factors.
+ #
+ # You can do this by setting the value
+ # `auth.teleportConfig.auth_service.authentication.webauthn.rp_id`.
+ #
+ # RP ID must be both a valid domain, and part of the full domain users are connecting to.
+ # For example, if users are accessing the cluster with the domain
+ # "teleport.example.com", RP ID can be "teleport.example.com" or "example.com".
+ #
+ # Changing the RP ID will invalidate all already registered webauthn second factors.
+ secondFactor: "on"
+
+ # (Optional) When using webauthn this allows to restrict which vendor and key models can be used.
+ # webauthn:
+ # attestationAllowedCas:
+ # - /path/to/allowed_ca.pem
+ # - |
+ # -----BEGIN CERTIFICATE-----
+ # ...
+ # -----END CERTIFICATE-----
+ # attestationDeniedCas:
+ # - /path/to/denied_ca.pem
+ # - |
+ # -----BEGIN CERTIFICATE-----
+ # ...
+ # -----END CERTIFICATE-----
+
+# Deprecated way to set the authentication type, `authentication.type` should be preferred.
+# authenticationType: local
+
+# Deprecated way to set the authentication second factor, `authentication.secondFactor` should be preferred.
+# authenticationSecondFactor:
+# secondFactor: "otp"
+
+# Teleport supports TLS routing.
In this mode, all client connections are wrapped in TLS and multiplexed on one Teleport proxy port.
+# Default mode will not utilize TLS routing and operate in backwards-compatibility mode.
+#
+# To use an ingress, set proxyListenerMode=multiplex, ingress.enabled=true and service.type=ClusterIP
+#
+# Possible values are 'separate' and 'multiplex'
+proxyListenerMode: "multiplex"
+
+# Optional setting for configuring session recording.
+# See `session_recording` under https://goteleport.com/docs/setup/reference/config/#teleportyaml
+sessionRecording: ""
+
+# By default, Teleport will multiplex Postgres and MongoDB database connections on the same port as the proxy's web listener (443)
+# Setting either of these values to true will separate the listeners out onto a separate port (5432 for Postgres, 27017 for MongoDB)
+# This is useful when terminating TLS at a load balancer in front of Teleport (such as when using AWS ACM)
+# These settings will not apply if proxyListenerMode is set to "multiplex".
+separatePostgresListener: false
+separateMongoListener: false
+
+# Do not set any of these values unless you explicitly need to. Teleport always uses the cluster name by default.
+#
+# WARNING:
+# If you set `publicAddr` for users to access the cluster under a domain different
+# to clusterName, you must manually set the webauthn Relying
+# Party Identifier (RP ID) - https://www.w3.org/TR/webauthn-2/#relying-party-identifier
+# If you don't, RP ID will default to `clusterName` and users will fail
+# to register second factors.
+#
+# You can do this by setting the value
+# `auth.teleportConfig.auth_service.authentication.webauthn.rp_id`.
+#
+# RP ID must be both a valid domain, and part of the full domain users are connecting to.
+# For example, if users are accessing the cluster with the domain
+# "teleport.example.com", RP ID can be "teleport.example.com" or "example.com".
+#
+# Changing the RP ID will invalidate all already registered webauthn second factors.
+#
+# Public cluster addresses, including port (e.g. teleport.example.com:443)
+# Defaults to `clusterName` on port 443.
+publicAddr: []
+# Public cluster kube addresses, including port. Defaults to `publicAddr` on port 3026.
+# Only used when `proxyListenerMode` is not 'multiplex'.
+kubePublicAddr: []
+# Public cluster mongo listener addresses, including port. Defaults to `publicAddr` on port 27017.
+# Only used when `proxyListenerMode` is not 'multiplex' and `separateMongoListener` is true.
+mongoPublicAddr: []
+# Public cluster MySQL addresses, including port. Defaults to `publicAddr` on port 3036.
+# Only used when `proxyListenerMode` is not 'multiplex'.
+mysqlPublicAddr: []
+# Public cluster postgres listener addresses, including port. Defaults to `publicAddr` on port 5432.
+# Only used when `proxyListenerMode` is not 'multiplex' and `separatePostgresListener` is true.
+postgresPublicAddr: []
+# Public cluster SSH addresses, including port. Defaults to `publicAddr` on port 3023.
+# Only used when `proxyListenerMode` is not 'multiplex'.
+sshPublicAddr: []
+# Public cluster tunnel SSH addresses, including port. Defaults to `publicAddr` on port 3024.
+# Only used when `proxyListenerMode` is not 'multiplex'.
+tunnelPublicAddr: []
+
+# ACME is a protocol for getting Web X.509 certificates
+# Note: ACME can only be used for single-instance clusters. It is not suitable for use in HA configurations.
+# For HA configurations, see either the "highAvailability.certManager" or "tls" values.
+# Setting acme to 'true' enables the ACME protocol and will attempt to get a free TLS certificate from Let's Encrypt.
+# Setting acme to 'false' (the default) will cause Teleport to generate and use self-signed certificates for its web UI.
+# This section is mutually exclusive with the "tls" value below.
+acme: false
+# acmeEmail is the email address to provide during certificate registration (this is a Let's Encrypt requirement)
+acmeEmail: ""
+# acmeURI is the ACME server to use for getting certificates. The default is to use Let's Encrypt's production server.
+acmeURI: ""
+
+# Set enterprise to true to use enterprise image
+# You will need to download your Enterprise license from the Teleport dashboard and create a secret to use this:
+# kubectl -n ${TELEPORT_NAMESPACE?} create secret generic license --from-file=/path/to/downloaded/license.pem
+enterprise: false
+
+# CRDs are installed by default when the operator is enabled. This manual override allows to disable CRD installation
+# when deploying multiple releases in the same cluster.
+# installCRDs:
+
+# Configuration of the optional Teleport operator
+operator:
+ # Set enabled to true to add the Kubernetes Teleport Operator
+ enabled: true
+ # Kubernetes Teleport Operator image
+ image: public.ecr.aws/gravitational/teleport-operator
+ # Resources to request for the operator container
+ # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ resources: {}
+ # requests:
+ # cpu: "0.5"
+ # memory: "1Gi"
+ # limits:
+ # memory: "1Gi"
+
+# If true, create & use Pod Security Policy resources
+# https://kubernetes.io/docs/concepts/policy/pod-security-policy/
+# WARNING: the PSP won't be deployed for Kubernetes 1.23 and higher.
+# Please read https://goteleport.com/docs/deploy-a-cluster/helm-deployments/migration-kubernetes-1-25-psp/
+podSecurityPolicy:
+ enabled: false
+
+# Labels is a map of key-value pairs about this cluster
+labels: {}
+
+# Mode to deploy the chart in. The default is "standalone". Options:
+# - "standalone": will deploy a Teleport container running auth and proxy services with a PersistentVolumeClaim for storage.
+# - "aws": will deploy Teleport using DynamoDB for backend/audit log storage and S3 for session recordings.
(1)
+# - "gcp": will deploy Teleport using Firestore for backend/audit log storage and Google Cloud storage for session recordings. (2)
+# - "azure": will deploy Teleport using Azure Database for PostgreSQL for backend/audit and Azure Blob Storage for session recordings. (3)
+# - "scratch": will deploy Teleport containers but will not provide default configuration file. You must pass your own configuration. (4)
+# (1) To use "aws" mode, you must also configure the "aws" section below.
+# (2) To use "gcp" mode, you must also configure the "gcp" section below.
+# (3) To use "azure" mode, you must also configure the "azure" section below.
+# (4) When set to "scratch", you must write the teleport configuration in auth.teleportConfig and proxy.teleportConfig.
+# `scratch` usage is strongly discouraged, this is a last resort option and
+# everything should be doable with `standalone` mode + overrides through
+# `auth.teleportConfig` and `proxy.teleportConfig`.
+chartMode: standalone
+
+# validateConfigOnDeploy enables a Kubernetes job before install and upgrade that will verify
+# if the teleport.yaml configuration is valid and will block the deployment if it is not
+validateConfigOnDeploy: true
+
+# Whether the chart should create a Teleport ProvisionToken for the proxies to join the Teleport cluster.
+# Disabling this flag will cause the proxies not to be able to join the auth pods. In this case, the
+# Helm chart user is responsible for configuring working join_params on the proxy.
+createProxyToken: true
+
+# podMonitor controls the PodMonitor CR (from monitoring.coreos.com/v1)
+# This CRD is managed by the prometheus-operator and allows workload to
+# get monitored. To use this value, you need to run a `prometheus-operator`
+# in the cluster for this value to take effect.
+# See https://prometheus-operator.dev/docs/prologue/introduction/
+podMonitor:
+ # Whether the chart should deploy a PodMonitor.
+ # Disabled by default as it requires the PodMonitor CRD to be installed.
+ enabled: true
+ # additionalLabels to put on the PodMonitor.
+ # This is used to be selected by a specific prometheus instance.
+ # Defaults to {prometheus: default} which seems to be the common default prometheus selector
+ additionalLabels:
+ prometheus: k8s
+ # interval is the interval between two metrics scrapes. Defaults to 30s
+ interval: 30s
+
+######################################################################
+# Persistence settings (only used in "standalone" and "scratch" modes)
+# NOTE: Changes in Kubernetes 1.23+ mean that persistent volumes will not automatically be provisioned in AWS EKS clusters
+# without additional configuration. See https://docs.aws.amazon.com/eks/latest/userguide/ebs-csi.html for more details.
+# This driver addon must be configured to use persistent volumes in EKS clusters after Kubernetes 1.23.
+######################################################################
+persistence:
+ # Enable persistence using a PersistentVolumeClaim
+ enabled: true
+ # Leave blank to automatically create a PersistentVolumeClaim for Teleport storage.
+ # If you would like to use a pre-existing PersistentVolumeClaim, put its name here.
+ existingClaimName: ""
+ # Size of persistent volume to request when created by Teleport.
+ # Ignored if existingClaimName is provided.
+ volumeSize: 10Gi
+
+##################################################
+# AWS-specific settings (only used in "aws" mode)
+##################################################
+aws:
+ # The AWS region where the DynamoDB tables are located.
+ region: ""
+ # The DynamoDB table name to use for backend storage. Teleport will attempt to create this table automatically if it does not exist.
+ # The container will need an appropriately-provisioned IAM role with permissions to create DynamoDB tables.
+ backendTable: ""
+ # The DynamoDB table name to use for audit log storage.
Teleport will attempt to create this table automatically if it does not exist.
+ # The container will need an appropriately-provisioned IAM role with permissions to create DynamoDB tables.
+ # This MUST NOT be the same table name as used for 'backendTable' as the schemas are different.
+ auditLogTable: ""
+ # Whether to mirror audit log entries to stdout in JSON format (useful for external log collectors)
+ auditLogMirrorOnStdout: false
+ # The S3 bucket name to use for recorded session storage. Teleport will attempt to create this bucket automatically if it does not exist.
+ # The container will need an appropriately-provisioned IAM role with permissions to create S3 buckets.
+ sessionRecordingBucket: ""
+ # Whether or not to turn on DynamoDB backups
+ backups: false
+
+ # Whether Teleport should configure DynamoDB's autoscaling.
+ # Requires additional statements in the IAM Teleport Policy to be allowed to configure the autoscaling.
+ # See https://goteleport.com/docs/setup/reference/backends/#dynamodb-autoscaling
+ dynamoAutoScaling: false
+
+ # DynamoDB autoscaling settings. Required if `dynamoAutoScaling` is `true`.
+ # See https://goteleport.com/docs/setup/reference/backends/#dynamodb-autoscaling
+ readMinCapacity: null # Integer
+ readMaxCapacity: null # Integer
+ readTargetValue: null # Float
+ writeMinCapacity: null # Integer
+ writeMaxCapacity: null # Integer
+ writeTargetValue: null # Float
+
+##################################################
+# GCP-specific settings (only used in "gcp" mode)
+##################################################
+gcp:
+ # The project name being used for the GCP account where Teleport is running.
+ # See https://support.google.com/googleapi/answer/7014113?hl=en
+ projectId: ""
+ # The Firestore collection to use for backend storage. Teleport will attempt to create this collection automatically if it does not exist.
+ # Either of the following must be true:
+ # - The container will need an appropriately-provisioned IAM role/service account with permissions to create Firestore collections
+ # - The service account credentials provided via 'credentialSecretName' will need permissions to create Firestore collections.
+ backendTable: ""
+ # The Firestore collection to use for audit log storage. Teleport will attempt to create this collection automatically if it does not exist.
+ # Either of the following must be true:
+ # - The container will need an appropriately-provisioned IAM role/service account with permissions to create Firestore collections
+ # - The service account credentials provided via 'credentialSecretName' will need permissions to create Firestore collections.
+ # This MUST NOT be the same collection name as used for 'backendTable' as the schemas are different.
+ auditLogTable: ""
+ # Whether to mirror audit log entries to stdout in JSON format (useful for external log collectors)
+ auditLogMirrorOnStdout: false
+ # The Google storage bucket name to use for recorded session storage. This bucket must already exist in the Google account being used.
+ sessionRecordingBucket: ""
+ # The name of the Kubernetes secret used to store the Google credentials.
+ # You will need to create this secret manually. It must contain a JSON file from Google with the credentials that Teleport will use.
+ # You can override this to a blank value if the worker node running Teleport already has a service account which grants access.
+ credentialSecretName: teleport-gcp-credentials
+
+#####################################################
+# Azure-specific settings (only used in "azure" mode)
+#####################################################
+azure:
+ # The fully qualified hostname of the Postgres database cluster hosted in Azure.
+ # It should follow the format ".postgres.database.azure.com".
+ databaseHost: ""
+ # The Postgres user Teleport must use to connect to the backend and audit
+ # databases.
+ databaseUser: ""
+ # The Postgres database to use for backend storage.
+ backendDatabase: "teleport_backend"
+ # The Postgres database to use for audit log storage.
+ # This MUST NOT be the same database as used for 'backendDatabase'.
+ auditLogDatabase: "teleport_audit"
+ # Whether to mirror audit log entries to stdout in JSON format (useful for external log collectors)
+ auditLogMirrorOnStdout: false
+ # The fully qualified domain name of the Azure Blob Storage account to use for
+ # recorded session storage. This account must already exist.
+ # It should follow the format ".blob.core.windows.net"
+ sessionRecordingStorageAccount: ""
+ # Azure client ID is used by the Kubernetes Service Account to know which
+ # Application it should impersonate. This can be unset only if the clientID is
+ # passed through other means (e.g. environment variable)
+ clientID: ""
+ # Controls the `pool_max_conns` setting passed to PostgreSQL. This is the
+ # max amount of connections Teleport can open to the database. This can affect
+ # performance on large clusters and depends on various factors like the
+ # database size, the number of CPU cores available for Teleport, GOMAXPROCS
+ # and the database latency.
+ # This only applies to the core backend connections, not the audit log ones.
+ # 0 means the parameter is not set and the client's default is used (recommended)
+ databasePoolMaxConnections: 0
+
+# `highAvailability` contains settings controlling how Teleport pods are
+# replicated and scheduled. This allows Teleport to run in a highly-available
+# fashion: Teleport should sustain the crash/loss of a machine without interrupting
+# the service.
+#
+# For auth pods:
+# When using "standalone" or "scratch" mode, you must use highly-available storage
+# (etcd, DynamoDB or Firestore) for multiple replicas to be supported.
+# Manually configuring NFS-based storage or ReadWriteMany volume claims +# is NOT supported and will result in errors. Using Teleport's built-in +# ACME client (as opposed to using cert-manager or passing certs through a secret) +# is not supported with multiple replicas. +# For proxy pods: +# Proxy pods need to be provided a certificate to be replicated (either via +# `tls.existingSecretName` or via `highAvailability.certManager`). +# If proxy pods are replicable, they will default to 2 replicas, +# even if `highAvailability.replicaCount` is 1. To force a single proxy replica, +# set `proxy.highAvailability.replicaCount: 1`. +highAvailability: + # Controls the amount of pod replicas. The `highAvailability` comment describes + # the replication requirements. + # + # WARNING: You **must** meet the replication criteria, + # else the deployment will result in errors and inconsistent data. + replicaCount: 1 + # Setting 'requireAntiAffinity' to true will use 'requiredDuringSchedulingIgnoredDuringExecution' to require that multiple Teleport pods must not be scheduled on the + # same physical host. This will result in Teleport pods failing to be scheduled in very small clusters or during node downtime, so should be used with caution. + # Setting 'requireAntiAffinity' to false (the default) uses 'preferredDuringSchedulingIgnoredDuringExecution' to make this a soft requirement. + # This setting only has any effect when replicaCount is greater than 1. + requireAntiAffinity: false + # If enabled will create a Pod Disruption Budget + # https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + podDisruptionBudget: + enabled: false + minAvailable: 1 + # Settings for cert-manager (can be used for provisioning TLS certs in HA mode) + # These settings are mutually exclusive with the "tls" value below. 
+ certManager: + # If set to true, use cert-manager to get certificates for Teleport to use for TLS termination + enabled: true + # If set to true, a common name matching the cluster name will be set in the certificate signing request. This is mandatory for some CAs. + addCommonName: false + # If set to true, any additional public addresses configured under the `publicAddr` chart value will be added to the certificate signing request. + # This setting is not enabled by default to preserve backward compatibility. + addPublicAddrs: false + # Name of the Issuer/ClusterIssuer to use for certs + # NOTE: You will always need to create this yourself when certManager.enabled is true. + issuerName: "letsencrypt-prod" + # Kind of Issuer that cert-manager should look for. + # This defaults to 'Issuer' to keep everything contained within the teleport namespace. + issuerKind: ClusterIssuer + # Group of Issuer that cert-manager should look for. + # This defaults to 'cert-manager.io' which is the default Issuer group. + issuerGroup: cert-manager.io + # Injects delay when performing pod rollouts to mitigate the loss of all agent tunnels at the same time + # See https://github.com/gravitational/teleport/issues/13129 + minReadySeconds: 15 + +# Settings for mounting your own TLS keypair to secure Teleport's web UI. +# These settings are mutually exclusive with the "highAvailability.certManager" and "acme" values above. +tls: + # Name of an existing secret to use which contains a TLS keypair. Will automatically set the https_keypairs section in teleport.yaml. + # Create the secret in the same namespace as Teleport using `kubectl create secret tls my-tls-secret --cert=/path/to/cert/file --key=/path/to/key/file` + # See https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets for more information. + existingSecretName: "" + # (optional) Name of an existing secret to use which contains a CA or trust bundle in x509 PEM format. 
+ # Useful for building trust when using intermediate certificate authorities. + # This will automatically set the SSL_CERT_FILE environment variable to trust the CA. + # Create the secret with `kubectl create secret generic --from-file=ca.pem=/path/to/root-ca.pem + # The filename inside the secret is important - it _must_ be ca.pem + existingCASecretName: "" + +################################################## +# Values that you shouldn't need to change. +################################################## + +# Container image for the cluster. +# Since version 13, hardened distroless images are used by default. +# You can use the deprecated debian-based images by setting the value to +# `public.ecr.aws/gravitational/teleport`. Those images will be +# removed with teleport 14. +image: public.ecr.aws/gravitational/teleport-distroless +# Enterprise version of the image +# Since version 13, hardened distroless images are used by default. +# You can use the deprecated debian-based images by setting the value to +# `public.ecr.aws/gravitational/teleport-ent`. Those images will be +# removed with teleport 14. +enterpriseImage: public.ecr.aws/gravitational/teleport-ent-distroless +# Optional array of imagePullSecrets, to use when pulling from a private registry +imagePullSecrets: [] +# Teleport logging configuration +log: + # Log level for the Teleport process. + # Available log levels are: DEBUG, INFO, WARNING, ERROR. + # The default is INFO, which is recommended in production. + # DEBUG is useful during first-time setup or to see more detailed logs for debugging. + level: INFO + # Log output + # Use a file path to log to disk: e.g. '/var/lib/teleport/teleport.log' + # Other supported values: 'stdout', 'stderr' and 'syslog' + output: stderr + # Log format configuration + # Possible output values are 'json' and 'text' (default). + format: text + # Possible extra_fields values include: timestamp, component, caller, and level. + # All extra fields are included by default. 
+ extraFields: ["timestamp", "level", "component", "caller"] + +################################## +# Extra Kubernetes configuration # +################################## + +# nodeSelector to apply for pod assignment +# https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector +nodeSelector: {} + +# Affinity for pod assignment +# https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +# NOTE: If affinity is set here, highAvailability.requireAntiAffinity cannot also be used - you can only set one or the other. +affinity: {} + +# Kubernetes annotations to apply +# https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ +annotations: + # Annotations for the ConfigMap + config: {} + # Annotations for the Deployment + deployment: {} + # Annotations for each Pod in the Deployment + pod: {} + # Annotations for the Service object + service: {} + # Annotations for the ServiceAccount object + serviceAccount: {} + # Annotations for the certificate secret generated by cert-manager v1.5+ when + # highAvailability.certManager.enabled is true + certSecret: {} + # Annotations for the Ingress object + ingress: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/backend-protocol: HTTPS + nginx.ingress.kubernetes.io/proxy-read-timeout: "3600" + nginx.ingress.kubernetes.io/proxy-send-timeout: "3600" + nginx.ingress.kubernetes.io/affinity: "cookie" + nginx.ingress.kubernetes.io/session-cookie-name: "http-cookie" + nginx.ingress.kubernetes.io/session-cookie-expires: "172800" + nginx.ingress.kubernetes.io/session-cookie-max-age: "172800" + +# Kubernetes service account to create/use. +serviceAccount: + # Specifies whether a ServiceAccount should be created + create: true + # The name of the ServiceAccount to use. + # If not set and serviceAccount.create is true, the name is generated using the release name. 
+ # If create is false, the name will be used to reference an existing service account. + name: "" + # To set annotations on the service account, use the annotations.serviceAccount value. + +# Set to true (default) to create Kubernetes ClusterRole and ClusterRoleBinding. +rbac: + # Specifies whether a ClusterRole and ClusterRoleBinding should be created. + # Set to false if your cluster level resources are managed separately. + create: true + +# Options for the Teleport proxy service +# This setting only applies to the proxy service. The teleport auth service is internal-only and always uses a ClusterIP. +# You can override the proxy's backend service to any service type (other than "LoadBalancer") here if really needed. +# To use an Ingress, set service.type=ClusterIP and ingress.enabled=true +service: + type: ClusterIP + # Additional entries here will be added to the service spec. + spec: {} + # loadBalancerIP: "1.2.3.4" + +# Options for ingress +# If you set ingress.enabled to true, service.type MUST also be set to something other than "LoadBalancer" to prevent +# additional unnecessary load balancers from being created. Ingress controllers should provision their own load balancer. +# Using an Ingress also requires that you use the `tsh` client to connect to Kubernetes clusters and databases behind Teleport. +# See https://goteleport.com/docs/architecture/tls-routing/#working-with-layer-7-load-balancers-or-reverse-proxies-preview for details. +ingress: + enabled: true + # Setting suppressAutomaticWildcards to true will not automatically add *. as a hostname served + # by the Ingress. This may be desirable if you don't use Teleport Application Access. + suppressAutomaticWildcards: false + # Additional entries here will be added to the ingress spec. 
+ spec: {} + # ingressClassName: nginx + +# Extra arguments to pass to 'teleport start' for the main Teleport pod +extraArgs: [] + +# Extra environment to be configured on the Teleport pod +extraEnv: [] + +# Extra containers to be added to the Teleport pod +extraContainers: [] +# - name: nscenter +# command: +# - /bin/bash +# - -c +# - sleep infinity & wait +# image: praqma/network-multitool +# imagePullPolicy: IfNotPresent +# securityContext: +# privileged: true +# runAsNonRoot: false + +# Extra volumes to mount into the Teleport pods +# https://kubernetes.io/docs/concepts/storage/volumes/ +extraVolumes: [] +# - name: myvolume +# secret: +# secretName: testSecret + +# Extra volume mounts corresponding to the volumes mounted above +extraVolumeMounts: [] +# - name: myvolume +# mountPath: /path/on/host + +# Allow the imagePullPolicy to be overridden +imagePullPolicy: IfNotPresent + +# A list of initContainers to run before each Teleport pod starts +# https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ +initContainers: [] +# - name: "teleport-init" +# image: "alpine" +# args: ["echo test"] + +# If set, will run the command as a postStart handler +# https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/ +postStart: + command: [] + +# Resources to request for the teleport container +# https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +resources: {} +# requests: +# cpu: "1" +# memory: "2Gi" + +# Security context to add to the container +securityContext: {} + # runAsUser: 99 + +# Priority class name to add to the deployment +priorityClassName: "" + +# Tolerations for pod assignment +# https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +tolerations: [] + +# Timeouts for the readiness and liveness probes +# https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ +probeTimeoutSeconds: 1 + +# Kubernetes termination grace period +# 
https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution +# +# This should be greater than 30 seconds as pods are waiting 30 seconds in a preStop hook. +terminationGracePeriodSeconds: 60 diff --git a/teleport-cluster/values.yaml b/teleport-cluster/values.yaml index 1a11af3..045802f 100644 --- a/teleport-cluster/values.yaml +++ b/teleport-cluster/values.yaml @@ -55,9 +55,10 @@ teleportVersionOverride: "" # proxyProtocol: on # The `teleport-cluster` charts deploys two sets of pods: auth and proxy. -# `auth` contains values specific for the auth pods. You can use it to -# set specific values for auth pods, taking precedence over chart-scoped values. -# For example, to override the [`postStart`](#postStart) value only for auth pods: +# +# `auth` allows you to set chart values only for Kubernetes resources related to the Teleport Auth Service. +# This is merged with chart-scoped values and takes precedence in case of conflict. +# For example: # # auth: # postStart: ["curl", "http://hook"] @@ -79,11 +80,15 @@ auth: # client_idle_timeout_message: "Connection closed after 2hours without activity" teleportConfig: {} -# proxy contains values specific for the proxy pods -# You can override chart-scoped values, for example +# `proxy` allows you to set chart values only for Kubernetes resources related to the Teleport Proxy Service. +# This is merged with chart-scoped values and takes precedence in case of conflict. +# For example: # proxy: # postStart: ["curl", "http://hook"] # imagePullPolicy: Always +# annotations: +# service: +# external-dns.alpha.kubernetes.io/hostname: "teleport.example.com" proxy: # proxy.teleportConfig contains YAML teleport configuration for proxy pods # The configuration will be merged with the chart-generated configuration
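Review bot: The new sentence `# This is merged with chart-scoped values and takes precedence in case of conflict.` in the `auth` comment does not say whether the merge is per key (deep) or whether a key set under `auth:` replaces the whole chart-scoped value, and that distinction matters for hardening-related values: a partial `auth.securityContext` or `auth.annotations` override could either keep or silently drop what was set chart-wide, and list values such as `extraArgs` or `extraEnv` could be concatenated or replaced. I would state it explicitly, e.g. `# Nested maps are merged key by key; a key set under auth overrides only that key of the chart-scoped value (lists are replaced, not concatenated).`, or the reverse if that is what the chart's helper does. The merge helper is not visible in this diff, so the wording should be checked against the template code before committing to it.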
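Review bot: The added `external-dns.alpha.kubernetes.io/hostname: "teleport.example.com"` example under the `proxy` comment publishes a DNS name for the proxy Service without saying that the name has to be one the proxy's TLS certificate actually covers; a record that resolves but is absent from the certificate gives clients a TLS name mismatch rather than a working endpoint. Judging by the certificate options in the values file added earlier in this patch (cluster name as common name, `publicAddr` entries added only when `addPublicAddrs` is set), the safe guidance is a one-line caveat next to the example, e.g. `#     # must be the cluster name or one of the publicAddr entries covered by the proxy certificate`. This is inferred from the chart's certificate settings rather than from this hunk, so please confirm against the proxy templates. The example annotation also presumably sits under `proxy:` at the same nesting as `postStart`; the rendered comment should make that indentation unambiguous.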