Bump teleport to version 16.4.x

Jonny Ervine 2024-10-30 17:45:12 +08:00
parent 3892f5af72
commit 1633d8e3dd
535 changed files with 390 additions and 41541 deletions


@ -1,14 +0,0 @@
apiVersion: v2
appVersion: 15.0.1
dependencies:
- alias: operator
condition: installCRDs,operator.enabled
name: teleport-operator
repository: ""
version: 15.0.1
description: Teleport is an access platform for your infrastructure
icon: https://goteleport.com/images/logos/logo-teleport-square.svg
keywords:
- Teleport
name: teleport-cluster
version: 15.0.1


@ -1,8 +0,0 @@
apiVersion: v2
appVersion: 15.0.1
description: Teleport Operator provides management of select Teleport resources.
icon: https://goteleport.com/images/logos/logo-teleport-square.svg
keywords:
- Teleport
name: teleport-operator
version: 15.0.1


@ -1,77 +0,0 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "teleport-cluster.operator.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
This is a modified version of the default fully qualified app name helper.
We diverge by always honouring "nameOverride" when it's set, as opposed to the
default behaviour of shortening if `nameOverride` is included in chart name.
This is done to avoid naming conflicts when including th chart in `teleport-cluster`
*/}}
{{- define "teleport-cluster.operator.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- if .Values.nameOverride }}
{{- printf "%s-%s" .Release.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- if contains .Chart.Name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name .Chart.Name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create the name of the service account to use
if serviceAccount is not defined or serviceAccount.name is empty, use .Release.Name
*/}}
{{- define "teleport-cluster.operator.serviceAccountName" -}}
{{- coalesce .Values.serviceAccount.name (include "teleport-cluster.operator.fullname" .) -}}
{{- end -}}
{{- define "teleport-cluster.version" -}}
{{- coalesce .Values.teleportVersionOverride .Chart.Version }}
{{- end -}}
{{- define "teleport-cluster.majorVersion" -}}
{{- (semver (include "teleport-cluster.version" .)).Major -}}
{{- end -}}
{{/* Operator selector labels */}}
{{- define "teleport-cluster.operator.selectorLabels" -}}
app.kubernetes.io/name: '{{ include "teleport-cluster.operator.name" . }}'
app.kubernetes.io/instance: '{{ .Release.Name }}'
app.kubernetes.io/component: 'operator'
{{- end -}}
{{/* Operator all labels */}}
{{- define "teleport-cluster.operator.labels" -}}
{{ include "teleport-cluster.operator.selectorLabels" . }}
helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
app.kubernetes.io/managed-by: '{{ .Release.Service }}'
app.kubernetes.io/version: '{{ include "teleport-cluster.version" . }}'
teleport.dev/majorVersion: '{{ include "teleport-cluster.majorVersion" . }}'
{{- end -}}
{{/* Teleport auth or proxy address */}}
{{- define "teleport-cluster.operator.teleportAddress" -}}
{{- $clusterAddr := include "teleport-cluster.auth.serviceFQDN" . -}}
{{- if empty $clusterAddr -}}
{{- required "The `teleportAddress` value is mandatory when deploying a standalone operator." .Values.teleportAddress -}}
{{- if and (eq .Values.joinMethod "kubernetes") (empty .Values.teleportClusterName) (not (hasSuffix ":3025" .Values.teleportAddress)) -}}
{{- fail "When joining using the Kubernetes JWKS join method, you must set the value `teleportClusterName`" -}}
{{- end -}}
{{- else -}}
{{- $clusterAddr | printf "%s:3025" -}}
{{- end -}}
{{- end -}}
{{- /* This template is a placeholder.
If we are imported by the main chart "teleport-cluster" it is overridden*/ -}}
{{- define "teleport-cluster.auth.serviceFQDN" -}}{{- end }}


@ -1,291 +0,0 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
creationTimestamp: null
name: teleportaccesslists.resources.teleport.dev
spec:
group: resources.teleport.dev
names:
kind: TeleportAccessList
listKind: TeleportAccessListList
plural: teleportaccesslists
shortNames:
- accesslist
- accesslists
singular: teleportaccesslist
scope: Namespaced
versions:
- name: v1
schema:
openAPIV3Schema:
description: AccessList is the Schema for the accesslists API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: AccessList resource definition v1 from Teleport
properties:
audit:
description: audit describes the frequency that this access list must
be audited.
nullable: true
properties:
next_audit_date:
description: next_audit_date is when the next audit date should
be done by.
format: date-time
type: string
notifications:
description: notifications is the configuration for notifying
users.
nullable: true
properties:
start:
description: start specifies when to start notifying users
that the next audit date is coming up.
format: duration
type: string
type: object
recurrence:
description: recurrence is the recurrence definition
nullable: true
properties:
day_of_month:
description: day_of_month is the day of month that reviews
will be scheduled on.
x-kubernetes-int-or-string: true
frequency:
description: frequency is the frequency of reviews.
x-kubernetes-int-or-string: true
type: object
type: object
description:
description: description is an optional plaintext description of the
access list.
type: string
grants:
description: grants describes the access granted by membership to
this access list.
nullable: true
properties:
roles:
description: roles are the roles that are granted to users who
are members of the access list.
items:
type: string
nullable: true
type: array
traits:
additionalProperties:
items:
type: string
type: array
description: traits are the traits that are granted to users who
are members of the access list.
type: object
type: object
membership:
description: 'membership defines how list membership is applied. There
are two possible values: `explicit` (default): To be considered
ag member of the access list, a user must both meet the `membership_requires`
conditions AND be explicitly added to the list. `implicit`: Any
user meeting the `membership_requires` conditions will automatically
be cosidered a member of this list.'
type: string
membership_requires:
description: membership_requires describes the requirements for a
user to be a member of the access list. For a membership to an access
list to be effective, the user must meet the requirements of Membership_requires
and must be in the members list.
nullable: true
properties:
roles:
description: roles are the user roles that must be present for
the user to obtain access.
items:
type: string
nullable: true
type: array
traits:
additionalProperties:
items:
type: string
type: array
description: traits are the traits that must be present for the
user to obtain access.
type: object
type: object
owner_grants:
description: owner_grants describes the access granted by owners to
this access list.
nullable: true
properties:
roles:
description: roles are the roles that are granted to users who
are members of the access list.
items:
type: string
nullable: true
type: array
traits:
additionalProperties:
items:
type: string
type: array
description: traits are the traits that are granted to users who
are members of the access list.
type: object
type: object
owners:
description: owners is a list of owners of the access list.
items:
properties:
description:
description: description is the plaintext description of the
owner and why they are an owner.
type: string
ineligible_status:
description: ineligible_status describes if this owner is eligible
or not and if not, describes how they're lacking eligibility.
x-kubernetes-int-or-string: true
name:
description: name is the username of the owner.
type: string
type: object
nullable: true
type: array
ownership:
description: 'ownership defines how list ownership of this list is
determined. There are two possible values: `explicit` (default):
To be considered an owner of the access list, a user must both meet
the `ownership_requires` conditions AND be explicitly added to the
list. `implicit`: Any user meeting the `ownership_requires` conditions
will automatically be considered an owner of this list.'
type: string
ownership_requires:
description: ownership_requires describes the requirements for a user
to be an owner of the access list. For ownership of an access list
to be effective, the user must meet the requirements of ownership_requires
and must be in the owners list.
nullable: true
properties:
roles:
description: roles are the user roles that must be present for
the user to obtain access.
items:
type: string
nullable: true
type: array
traits:
additionalProperties:
items:
type: string
type: array
description: traits are the traits that must be present for the
user to obtain access.
type: object
type: object
title:
description: title is a plaintext short description of the access
list.
type: string
type: object
status:
description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations
of an object's state
items:
description: "Condition contains details for one aspect of the current
state of this API Resource.\n---\nThis struct is intended for
direct use as an array at the field path .status.conditions. For
example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
observations of a foo's current state.\n\t // Known .status.conditions.type
are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
\ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
\ // other fields\n\t}"
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
teleportResourceID:
format: int64
type: integer
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null


@ -1,168 +0,0 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
creationTimestamp: null
name: teleportgithubconnectors.resources.teleport.dev
spec:
group: resources.teleport.dev
names:
kind: TeleportGithubConnector
listKind: TeleportGithubConnectorList
plural: teleportgithubconnectors
shortNames:
- githubconnector
- githubconnectors
singular: teleportgithubconnector
scope: Namespaced
versions:
- name: v3
schema:
openAPIV3Schema:
description: GithubConnector is the Schema for the githubconnectors API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: GithubConnector resource definition v3 from Teleport
properties:
api_endpoint_url:
description: APIEndpointURL is the URL of the API endpoint of the
Github instance this connector is for.
type: string
client_id:
description: ClientID is the Github OAuth app client ID.
type: string
client_secret:
description: ClientSecret is the Github OAuth app client secret.
type: string
display:
description: Display is the connector display name.
type: string
endpoint_url:
description: EndpointURL is the URL of the GitHub instance this connector
is for.
type: string
redirect_url:
description: RedirectURL is the authorization callback URL.
type: string
teams_to_roles:
description: TeamsToRoles maps Github team memberships onto allowed
roles.
items:
properties:
organization:
description: Organization is a Github organization a user belongs
to.
type: string
roles:
description: Roles is a list of allowed logins for this org/team.
items:
type: string
nullable: true
type: array
team:
description: Team is a team within the organization a user belongs
to.
type: string
type: object
type: array
type: object
status:
description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations
of an object's state
items:
description: "Condition contains details for one aspect of the current
state of this API Resource.\n---\nThis struct is intended for
direct use as an array at the field path .status.conditions. For
example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
observations of a foo's current state.\n\t // Known .status.conditions.type
are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
\ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
\ // other fields\n\t}"
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
teleportResourceID:
format: int64
type: integer
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null


@ -1,213 +0,0 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
creationTimestamp: null
name: teleportoidcconnectors.resources.teleport.dev
spec:
group: resources.teleport.dev
names:
kind: TeleportOIDCConnector
listKind: TeleportOIDCConnectorList
plural: teleportoidcconnectors
shortNames:
- oidcconnector
- oidcconnectors
singular: teleportoidcconnector
scope: Namespaced
versions:
- name: v3
schema:
openAPIV3Schema:
description: OIDCConnector is the Schema for the oidcconnectors API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: OIDCConnector resource definition v3 from Teleport
properties:
acr_values:
description: ACR is an Authentication Context Class Reference value.
The meaning of the ACR value is context-specific and varies for
identity providers.
type: string
allow_unverified_email:
description: AllowUnverifiedEmail tells the connector to accept OIDC
users with unverified emails.
type: boolean
claims_to_roles:
description: ClaimsToRoles specifies a dynamic mapping from claims
to roles.
items:
properties:
claim:
description: Claim is a claim name.
type: string
roles:
description: Roles is a list of static teleport roles to match.
items:
type: string
nullable: true
type: array
value:
description: Value is a claim value to match.
type: string
type: object
type: array
client_id:
description: ClientID is the id of the authentication client (Teleport
Auth server).
type: string
client_secret:
description: ClientSecret is used to authenticate the client.
type: string
display:
description: Display is the friendly name for this provider.
type: string
google_admin_email:
description: GoogleAdminEmail is the email of a google admin to impersonate.
type: string
google_service_account:
description: GoogleServiceAccount is a string containing google service
account credentials.
type: string
google_service_account_uri:
description: GoogleServiceAccountURI is a path to a google service
account uri.
type: string
issuer_url:
description: IssuerURL is the endpoint of the provider, e.g. https://accounts.google.com.
type: string
max_age:
description: MaxAge is the amount of time that user logins are valid
for. If a user logs in, but then does not login again within this
time period, they will be forced to re-authenticate.
format: duration
type: string
prompt:
description: Prompt is an optional OIDC prompt. An empty string omits
prompt. If not specified, it defaults to select_account for backwards
compatibility.
type: string
provider:
description: Provider is the external identity provider.
type: string
redirect_url:
description: RedirectURLs is a list of callback URLs which the identity
provider can use to redirect the client back to the Teleport Proxy
to complete authentication. This list should match the URLs on the
provider's side. The URL used for a given auth request will be chosen
to match the requesting Proxy's public address. If there is no match,
the first url in the list will be used.
items:
type: string
type: array
scope:
description: Scope specifies additional scopes set by provider.
items:
type: string
nullable: true
type: array
username_claim:
description: UsernameClaim specifies the name of the claim from the
OIDC connector to be used as the user's username.
type: string
type: object
status:
description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations
of an object's state
items:
description: "Condition contains details for one aspect of the current
state of this API Resource.\n---\nThis struct is intended for
direct use as an array at the field path .status.conditions. For
example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
observations of a foo's current state.\n\t // Known .status.conditions.type
are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
\ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
\ // other fields\n\t}"
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
teleportResourceID:
format: int64
type: integer
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null


@ -1,420 +0,0 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
creationTimestamp: null
name: teleportprovisiontokens.resources.teleport.dev
spec:
group: resources.teleport.dev
names:
kind: TeleportProvisionToken
listKind: TeleportProvisionTokenList
plural: teleportprovisiontokens
shortNames:
- provisiontoken
- provisiontokens
singular: teleportprovisiontoken
scope: Namespaced
versions:
- name: v2
schema:
openAPIV3Schema:
description: ProvisionToken is the Schema for the provisiontokens API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ProvisionToken resource definition v2 from Teleport
properties:
allow:
description: Allow is a list of TokenRules, nodes using this token
must match one allow rule to use this token.
items:
properties:
aws_account:
description: AWSAccount is the AWS account ID.
type: string
aws_arn:
description: AWSARN is used for the IAM join method, the AWS
identity of joining nodes must match this ARN. Supports wildcards
"*" and "?".
type: string
aws_regions:
description: AWSRegions is used for the EC2 join method and
is a list of AWS regions a node is allowed to join from.
items:
type: string
nullable: true
type: array
aws_role:
description: AWSRole is used for the EC2 join method and is
the the ARN of the AWS role that the auth server will assume
in order to call the ec2 API.
type: string
type: object
nullable: true
type: array
aws_iid_ttl:
description: AWSIIDTTL is the TTL to use for AWS EC2 Instance Identity
Documents used to join the cluster with this token.
format: duration
type: string
azure:
description: Azure allows the configuration of options specific to
the "azure" join method.
nullable: true
properties:
allow:
description: Allow is a list of Rules, nodes using this token
must match one allow rule to use this token.
items:
properties:
resource_groups:
items:
type: string
nullable: true
type: array
subscription:
type: string
type: object
nullable: true
type: array
type: object
bot_name:
description: BotName is the name of the bot this token grants access
to, if any
type: string
circleci:
description: CircleCI allows the configuration of options specific
to the "circleci" join method.
nullable: true
properties:
allow:
description: Allow is a list of TokenRules, nodes using this token
must match one allow rule to use this token.
items:
properties:
context_id:
type: string
project_id:
type: string
type: object
nullable: true
type: array
organization_id:
type: string
type: object
gcp:
description: GCP allows the configuration of options specific to the
"gcp" join method.
nullable: true
properties:
allow:
description: Allow is a list of Rules, nodes using this token
must match one allow rule to use this token.
items:
properties:
locations:
items:
type: string
nullable: true
type: array
project_ids:
items:
type: string
nullable: true
type: array
service_accounts:
items:
type: string
nullable: true
type: array
type: object
nullable: true
type: array
type: object
github:
description: GitHub allows the configuration of options specific to
the "github" join method.
nullable: true
properties:
allow:
description: Allow is a list of TokenRules, nodes using this token
must match one allow rule to use this token.
items:
properties:
actor:
type: string
environment:
type: string
ref:
type: string
ref_type:
type: string
repository:
type: string
repository_owner:
type: string
sub:
type: string
workflow:
type: string
type: object
nullable: true
type: array
enterprise_server_host:
description: EnterpriseServerHost allows joining from runners
associated with a GitHub Enterprise Server instance. When unconfigured,
tokens will be validated against github.com, but when configured
to the host of a GHES instance, then the tokens will be validated
against host. This value should be the hostname of the GHES
instance, and should not include the scheme or a path. The instance
must be accessible over HTTPS at this hostname and the certificate
must be trusted by the Auth Server.
type: string
enterprise_slug:
description: EnterpriseSlug allows the slug of a GitHub Enterprise
organisation to be included in the expected issuer of the OIDC
tokens. This is for compatibility with the `include_enterprise_slug`
option in GHE. This field should be set to the slug of your
enterprise if this is enabled. If this is not enabled, then
this field must be left empty. This field cannot be specified
if `enterprise_server_host` is specified. See https://docs.github.com/en/enterprise-cloud@latest/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#customizing-the-issuer-value-for-an-enterprise
for more information about customised issuer values.
type: string
type: object
gitlab:
description: GitLab allows the configuration of options specific to
the "gitlab" join method.
nullable: true
properties:
allow:
description: Allow is a list of TokenRules, nodes using this token
must match one allow rule to use this token.
items:
properties:
ci_config_ref_uri:
type: string
ci_config_sha:
type: string
deployment_tier:
type: string
environment:
type: string
environment_protected:
type: boolean
namespace_path:
type: string
pipeline_source:
type: string
project_path:
type: string
project_visibility:
type: string
ref:
type: string
ref_protected:
type: boolean
ref_type:
type: string
sub:
type: string
user_email:
type: string
user_id:
type: string
user_login:
type: string
type: object
nullable: true
type: array
domain:
description: Domain is the domain of your GitLab instance. This
will default to `gitlab.com` - but can be set to the domain
of your self-hosted GitLab e.g `gitlab.example.com`.
type: string
type: object
join_method:
description: JoinMethod is the joining method required in order to
use this token. Supported joining methods include "token", "ec2",
and "iam".
type: string
kubernetes:
description: Kubernetes allows the configuration of options specific
to the "kubernetes" join method.
nullable: true
properties:
allow:
description: Allow is a list of Rules, nodes using this token
must match one allow rule to use this token.
items:
properties:
service_account:
type: string
type: object
nullable: true
type: array
static_jwks:
description: StaticJWKS is the configuration specific to the `static_jwks`
type.
nullable: true
properties:
jwks:
type: string
type: object
type:
description: 'Type controls which behavior should be used for
validating the Kubernetes Service Account token. Support values:
- `in_cluster` - `static_jwks` If unset, this defaults to `in_cluster`.'
type: string
type: object
roles:
description: Roles is a list of roles associated with the token, that
will be converted to metadata in the SSH and X509 certificates issued
to the user of the token
items:
type: string
nullable: true
type: array
spacelift:
description: Spacelift allows the configuration of options specific
to the "spacelift" join method.
nullable: true
properties:
allow:
description: Allow is a list of Rules, nodes using this token
must match one allow rule to use this token.
items:
properties:
caller_id:
type: string
caller_type:
type: string
scope:
type: string
space_id:
type: string
type: object
nullable: true
type: array
hostname:
description: Hostname is the hostname of the Spacelift tenant
that tokens will originate from. E.g `example.app.spacelift.io`
type: string
type: object
suggested_agent_matcher_labels:
additionalProperties:
x-kubernetes-preserve-unknown-fields: true
description: SuggestedAgentMatcherLabels is a set of labels to be
used by agents to match on resources. When an agent uses this token,
the agent should monitor resources that match those labels. For
databases, this means adding the labels to `db_service.resources.labels`.
Currently, only node-join scripts create a configuration according
to the suggestion.
type: object
suggested_labels:
additionalProperties:
x-kubernetes-preserve-unknown-fields: true
description: SuggestedLabels is a set of labels that resources should
set when using this token to enroll themselves in the cluster. Currently,
only node-join scripts create a configuration according to the suggestion.
type: object
type: object
status:
description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations
of an object's state
items:
description: "Condition contains details for one aspect of the current
state of this API Resource.\n---\nThis struct is intended for
direct use as an array at the field path .status.conditions. For
example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
observations of a foo's current state.\n\t // Known .status.conditions.type
are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
\ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
\ // other fields\n\t}"
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
teleportResourceID:
format: int64
type: integer
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null


@ -1,210 +0,0 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
creationTimestamp: null
name: teleportsamlconnectors.resources.teleport.dev
spec:
group: resources.teleport.dev
names:
kind: TeleportSAMLConnector
listKind: TeleportSAMLConnectorList
plural: teleportsamlconnectors
shortNames:
- samlconnector
- samlconnectors
singular: teleportsamlconnector
scope: Namespaced
versions:
- name: v2
schema:
openAPIV3Schema:
description: SAMLConnector is the Schema for the samlconnectors API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: SAMLConnector resource definition v2 from Teleport
properties:
acs:
description: AssertionConsumerService is a URL for assertion consumer
service on the service provider (Teleport's side).
type: string
allow_idp_initiated:
description: AllowIDPInitiated is a flag that indicates if the connector
can be used for IdP-initiated logins.
type: boolean
assertion_key_pair:
description: EncryptionKeyPair is a key pair used for decrypting SAML
assertions.
nullable: true
properties:
cert:
description: Cert is a PEM-encoded x509 certificate.
type: string
private_key:
description: PrivateKey is a PEM encoded x509 private key.
type: string
type: object
attributes_to_roles:
description: AttributesToRoles is a list of mappings of attribute
statements to roles.
items:
properties:
name:
description: Name is an attribute statement name.
type: string
roles:
description: Roles is a list of static teleport roles to map
to.
items:
type: string
nullable: true
type: array
value:
description: Value is an attribute statement value to match.
type: string
type: object
type: array
audience:
description: Audience uniquely identifies our service provider.
type: string
cert:
description: Cert is the identity provider certificate PEM. IDP signs
<Response> responses using this certificate.
type: string
display:
description: Display controls how this connector is displayed.
type: string
entity_descriptor:
description: EntityDescriptor is XML with descriptor. It can be used
to supply configuration parameters in one XML file rather than supplying
them in the individual elements.
type: string
entity_descriptor_url:
description: EntityDescriptorURL is a URL that supplies a configuration
XML.
type: string
issuer:
description: Issuer is the identity provider issuer.
type: string
provider:
description: Provider is the external identity provider.
type: string
service_provider_issuer:
description: ServiceProviderIssuer is the issuer of the service provider
(Teleport).
type: string
signing_key_pair:
description: SigningKeyPair is an x509 key pair used to sign AuthnRequest.
nullable: true
properties:
cert:
description: Cert is a PEM-encoded x509 certificate.
type: string
private_key:
description: PrivateKey is a PEM encoded x509 private key.
type: string
type: object
sso:
description: SSO is the URL of the identity provider's SSO service.
type: string
type: object
status:
description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations
of an object's state
items:
description: "Condition contains details for one aspect of the current
state of this API Resource.\n---\nThis struct is intended for
direct use as an array at the field path .status.conditions. For
example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
observations of a foo's current state.\n\t // Known .status.conditions.type
are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
\ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
\ // other fields\n\t}"
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
teleportResourceID:
format: int64
type: integer
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null


@ -1,196 +0,0 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
creationTimestamp: null
name: teleportusers.resources.teleport.dev
spec:
group: resources.teleport.dev
names:
kind: TeleportUser
listKind: TeleportUserList
plural: teleportusers
shortNames:
- user
- users
singular: teleportuser
scope: Namespaced
versions:
- name: v2
schema:
openAPIV3Schema:
description: User is the Schema for the users API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: User resource definition v2 from Teleport
properties:
github_identities:
description: GithubIdentities list associated Github OAuth2 identities
that let user log in using externally verified identity
items:
properties:
connector_id:
description: ConnectorID is id of registered OIDC connector,
e.g. 'google-example.com'
type: string
username:
description: Username is username supplied by external identity
provider
type: string
type: object
type: array
oidc_identities:
description: OIDCIdentities lists associated OpenID Connect identities
that let user log in using externally verified identity
items:
properties:
connector_id:
description: ConnectorID is id of registered OIDC connector,
e.g. 'google-example.com'
type: string
username:
description: Username is username supplied by external identity
provider
type: string
type: object
type: array
roles:
description: Roles is a list of roles assigned to user
items:
type: string
nullable: true
type: array
saml_identities:
description: SAMLIdentities lists associated SAML identities that
let user log in using externally verified identity
items:
properties:
connector_id:
description: ConnectorID is id of registered OIDC connector,
e.g. 'google-example.com'
type: string
username:
description: Username is username supplied by external identity
provider
type: string
type: object
type: array
traits:
additionalProperties:
items:
type: string
type: array
description: Traits are key/value pairs received from an identity
provider (through OIDC claims or SAML assertions) or from a system
administrator for local accounts. Traits are used to populate role
variables.
type: object
trusted_device_ids:
description: TrustedDeviceIDs contains the IDs of trusted devices
enrolled by the user. Managed by the Device Trust subsystem, avoid
manual edits.
items:
type: string
nullable: true
type: array
type: object
status:
description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations
of an object's state
items:
description: "Condition contains details for one aspect of the current
state of this API Resource.\n---\nThis struct is intended for
direct use as an array at the field path .status.conditions. For
example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
observations of a foo's current state.\n\t // Known .status.conditions.type
are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
\ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
\ // other fields\n\t}"
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
teleportResourceID:
format: int64
type: integer
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null


@ -1,55 +0,0 @@
{{- if .Values.enabled }}
{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "teleport-cluster.operator.fullname" . }}
namespace: {{ .Release.Namespace }}
rules:
- apiGroups:
- "resources.teleport.dev"
resources:
- teleportroles
- teleportroles/status
- teleportrolesv6
- teleportrolesv6/status
- teleportrolesv7
- teleportrolesv7/status
- teleportusers
- teleportusers/status
- teleportgithubconnectors
- teleportgithubconnectors/status
- teleportoidcconnectors
- teleportoidcconnectors/status
- teleportsamlconnectors
- teleportsamlconnectors/status
- teleportloginrules
- teleportloginrules/status
- teleportprovisiontokens
- teleportprovisiontokens/status
- teleportoktaimportrules
- teleportoktaimportrules/status
- teleportaccesslists
- teleportaccesslists/status
verbs:
- get
- list
- patch
- update
- watch
- apiGroups:
- "coordination.k8s.io"
resources:
- leases
verbs:
- create
- get
- update
- apiGroups:
- ""
resources:
- events
verbs:
- create
{{- end -}}
{{- end -}}


@ -1,201 +0,0 @@
# enabled(bool) -- controls if the operator should be enabled and deployed.
#
# - When `true`, the chart creates both the `CustomResourceDefinition` and operator `Deployment` Kubernetes resources.
# - When `false`, the chart creates the `CustomResourceDefinition` resources without the operator `Deployment`.
enabled: true
# teleportAddress(string) -- is the address of the Teleport cluster whose resources
# are managed by the operator. The address must contain both the domain name and
# the port of the Teleport cluster. It can be either the address of the Auth Service
# or the Proxy Service.
#
# For example:
# - joining a Proxy: `teleport.example.com:443` or `teleport.example.com:3080`
# - joining an Auth: `teleport-auth.example.com:3025`
# - joining a Cloud-hosted Teleport: `example.teleport.sh:443`
teleportAddress: ""
# caPins(list[string]) -- is a list of Teleport CA fingerprints that is used by the operator to
# validate the identity of the Teleport Auth server. This is only used when joining
# an Auth server directly (on port `3025`) and is ignored when joining through a Proxy
# (port `443` or `3080`).
caPins: []
# joinMethod(string) -- describes how the Teleport Kubernetes Operator joins the Teleport cluster.
# The operator does not store its Teleport-issued identity, it must be able to join the
# cluster again on each pod restart. To achieve this, it needs to use a delegated join
# method. `kubernetes` is the most common one.
joinMethod: "kubernetes"
# teleportClusterName(string) -- is the name of the joined Teleport cluster.
# Setting this value is required when joining via the
# [Kubernetes JWKS](../../join-methods.mdx#kubernetes-jwks) join method.
teleportClusterName: ""
# token(string) -- is the name of the token used by the operator to join the Teleport cluster.
token: ""
# teleportVersionOverride(string) -- controls the Teleport Kubernetes Operator
# image version deployed by the chart.
#
# Normally, the version of the Teleport Kubernetes Operator matches the
# version of the chart. If you install chart version 15.0.0, you'll use
# Teleport Kubernetes Operator version 15.0.0. Upgrading the operator is
# done by upgrading the chart.
#
# <Admonition type="warning">
# `teleportVersionOverride` is intended for development and MUST NOT be
# used to control the Teleport version in a typical deployment. This
# chart is designed to run a specific Teleport version. You will face
# compatibility issues trying to run a different Teleport version with it.
#
# If you want to run Teleport version `X.Y.Z`, you should use
# `helm install --version X.Y.Z` instead.
#
# </Admonition>
teleportVersionOverride: ""
nameOverride: ""
fullNameOverride: ""
# image(string) -- sets the container image used for Teleport Kubernetes Operator
# pods run by the chart.
#
# You can override this to use your own Teleport Kubernetes Operator
# image rather than a Teleport-published image.
image: public.ecr.aws/gravitational/teleport-operator
# annotations --
annotations:
# annotations.deployment(object) -- contains the Kubernetes annotations
# put on the `Deployment` resource created by the chart.
deployment: {}
# annotations.pod(object) -- contains the Kubernetes annotations
# put on the `Pod` resources created by the chart.
pod: {}
# annotations.serviceAccount(object) -- contains the Kubernetes annotations
# put on the `Deployment` resource created by the chart.
serviceAccount: {}
# serviceAccount --
serviceAccount:
# serviceAccount.create(bool) -- controls if the chart should create the Kubernetes
# `ServiceAccount` resource for the operator.
#
# - When `true`, the chart creates a `ServiceAccount` resource for the operator.
# - When `false`, the chart does not create the `ServiceAccount` resource.
# The user is responsible for deploying and maintaining it separately.
#
# This value can be set to `false` when deploying in constrained environments
# where the user deploying the operator is not allowed to edit `ServiceAccount`
# resources.
create: true
# serviceAccount.name(string) -- controls the name of the operator Kubernetes `ServiceAccount`.
# The operator pods use by default a `ServiceAccount` named after the Helm chart release.
# This value overrides this behaviour, this is useful when `serviceAccount.create`
# is false and the operator must use an existing `ServiceAccount`.
name: ""
# rbac --
rbac:
# rbac.create(bool) -- controls if the chart should create RBAC Kubernetes resources.
#
# - When `true`, the chart creates both `Role` and `RoleBinding` resources for the operator.
# - When `false`, the chart does not create the `Role` and `RoleBinding` resources.
# The user is responsible for deploying and maintaining them separately.
#
# This value can be set to `false` when deploying in constrained environments
# where the user deploying the operator is not allowed to edit RBAC resources.
create: true
# imagePullPolicy(string) -- sets the pull policy for any pods created by the chart.
# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/containers/images/#updating-images)
# for more details.
imagePullPolicy: IfNotPresent
# resources(object) -- sets the resource requests/limits for any pods created by the chart.
# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/)
# for more details.
resources: {}
# priorityClassName(string) -- sets the priority class used by any pods created by the chart.
# The user is responsible for creating the `PriorityClass` resource before deploying the chart.
# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/)
# for more details.
priorityClassName: ""
# tolerations(list) -- sets the tolerations for any pods created by the chart.
# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/)
# for more details.
tolerations: []
# nodeSelector(object) -- sets the node selector for any pods created by the chart.
# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector)
# for more details.
nodeSelector: {}
# affinity(object) -- sets the affinities for any pods created by the chart.
# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity)
# for more details.
affinity: {}
# imagePullSecrets(list) -- sets the image pull secrets for any pods created by the chart.
# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/containers/images/#referring-to-an-imagepullsecrets-on-a-pod)
# for more details.
imagePullSecrets: []
# highAvailability --
highAvailability:
# highAvailability.replicaCount(int) -- controls the amount of operator pod replicas deployed
# by the chart.
#
# When multiple pods are running, all pods join the Teleport cluster on
# startup but a single pod actively reconciles resources.
#
# The operator replicas elect a replica leader using
# [Kubernetes leases](https://kubernetes.io/docs/concepts/architecture/leases/).
# If the leader fails, its lease will expire and another replica will start
# reconciling resources.
replicaCount: 1
# tls --
tls:
# tls.existingCASecretName(string) -- makes the operator pods trust an additional CA certificate.
# This is used to trust Proxy certificates if they're signed by a private CA. The operator
# trusts by default CAs part of Mozilla's Web PKI (the `ca-certificates` package).
#
# To use this value, you must create a Kubernetes `Secret` containing the CA
# certs in the same namespace as the Teleport Kubernetes Operator using a
# command such as:
#
# ```shell
# $ kubectl create secret generic my-root-ca --from-file=ca.pem=/path/to/root-ca.pem
# ```
existingCASecretName: ""
# podSecurityContext(object) -- sets the pod security context for any pods created by the chart.
# See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
# for more details.
#
# The default value supports running under the `restricted`
# [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/).
podSecurityContext:
seccompProfile:
type: RuntimeDefault
runAsUser: 65532
runAsGroup: 65532
fsGroup: 65532
runAsNonRoot: true
# securityContext(object) -- sets the container security context for any pods created by the chart.
# See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)
# for more details.
#
# The default value supports running under the `restricted`
# [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/).
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true


@ -1,115 +0,0 @@
{{/*
Create the name of the service account to use
if serviceAccount is not defined or serviceAccount.name is empty, use .Release.Name
*/}}
{{- define "teleport-cluster.auth.serviceAccountName" -}}
{{- coalesce .Values.serviceAccount.name .Release.Name -}}
{{- end -}}
{{- define "teleport-cluster.proxy.serviceAccountName" -}}
{{- coalesce .Values.serviceAccount.name .Release.Name -}}-proxy
{{- end -}}
{{- define "teleport-cluster.version" -}}
{{- coalesce .Values.teleportVersionOverride .Chart.Version }}
{{- end -}}
{{- define "teleport-cluster.majorVersion" -}}
{{- (semver (include "teleport-cluster.version" .)).Major -}}
{{- end -}}
{{- define "teleport-cluster.previousMajorVersion" -}}
{{- sub (include "teleport-cluster.majorVersion" . | atoi ) 1 -}}
{{- end -}}
{{/* Proxy selector labels */}}
{{- define "teleport-cluster.proxy.selectorLabels" -}}
app.kubernetes.io/name: '{{ default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}'
app.kubernetes.io/instance: '{{ .Release.Name }}'
app.kubernetes.io/component: 'proxy'
{{- end -}}
{{/* Proxy all labels */}}
{{- define "teleport-cluster.proxy.labels" -}}
{{ include "teleport-cluster.proxy.selectorLabels" . }}
helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
app.kubernetes.io/managed-by: '{{ .Release.Service }}'
app.kubernetes.io/version: '{{ include "teleport-cluster.version" . }}'
teleport.dev/majorVersion: '{{ include "teleport-cluster.majorVersion" . }}'
{{- end -}}
{{/* Auth pods selector labels */}}
{{- define "teleport-cluster.auth.selectorLabels" -}}
app.kubernetes.io/name: '{{ default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}'
app.kubernetes.io/instance: '{{ .Release.Name }}'
app.kubernetes.io/component: 'auth'
{{- end -}}
{{/* All pods all labels */}}
{{- define "teleport-cluster.labels" -}}
{{ include "teleport-cluster.selectorLabels" . }}
helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
app.kubernetes.io/managed-by: '{{ .Release.Service }}'
app.kubernetes.io/version: '{{ include "teleport-cluster.version" . }}'
teleport.dev/majorVersion: '{{ include "teleport-cluster.majorVersion" . }}'
{{- end -}}
{{/* All pods selector labels */}}
{{- define "teleport-cluster.selectorLabels" -}}
app.kubernetes.io/name: '{{ default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}'
app.kubernetes.io/instance: '{{ .Release.Name }}'
{{- end -}}
{{/* Auth pods all labels */}}
{{- define "teleport-cluster.auth.labels" -}}
{{ include "teleport-cluster.auth.selectorLabels" . }}
helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
app.kubernetes.io/managed-by: '{{ .Release.Service }}'
app.kubernetes.io/version: '{{ include "teleport-cluster.version" . }}'
teleport.dev/majorVersion: '{{ include "teleport-cluster.majorVersion" . }}'
{{- end -}}
{{/* ServiceNames are limited to 63 characters, we might have to truncate the ReleaseName
to make sure the auth serviceName won't exceed this limit */}}
{{- define "teleport-cluster.auth.serviceName" -}}
{{- .Release.Name | trunc 58 | trimSuffix "-" -}}-auth
{{- end -}}
{{- define "teleport-cluster.auth.currentVersionServiceName" -}}
{{- .Release.Name | trunc 54 | trimSuffix "-" -}}-auth-v{{ include "teleport-cluster.majorVersion" . }}
{{- end -}}
{{- define "teleport-cluster.auth.previousVersionServiceName" -}}
{{- .Release.Name | trunc 54 | trimSuffix "-" -}}-auth-v{{ include "teleport-cluster.previousMajorVersion" . }}
{{- end -}}
{{/* In most places we want to use the FQDN instead of relying on Kubernetes ndots behaviour
for performance reasons */}}
{{- define "teleport-cluster.auth.serviceFQDN" -}}
{{ include "teleport-cluster.auth.serviceName" . }}.{{ .Release.Namespace }}.svc.cluster.local
{{- end -}}
{{/* Matches the operator template "teleport-cluster.operator.fullname" but can be
evaluated in a "teleport-cluster" context. */}}
{{- define "teleport-cluster.auth.operatorFullName" -}}
{{- if .Values.operator.fullnameOverride }}
{{- .Values.operator.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- if .Values.operator.nameOverride }}
{{- printf "%s-%s" .Release.Name .Values.operator.nameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- if contains "teleport-operator" .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name "teleport-operator" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end -}}
{{- end -}}
{{/* Matches the operator template "teleport-cluster.operator.serviceAccountName"
but can be evaluated in a "teleport-cluster" context. */}}
{{- define "teleport-cluster.auth.operatorServiceAccountName" -}}
{{- coalesce .Values.operator.serviceAccount.name (include "teleport-cluster.auth.operatorFullName" .) -}}
{{- end -}}


@ -1,26 +0,0 @@
{{- define "teleport-cluster.auth.config.aws" -}}
{{ include "teleport-cluster.auth.config.common" . }}
storage:
type: dynamodb
region: {{ required "aws.region is required in chart values" .Values.aws.region }}
table_name: {{ required "aws.backendTable is required in chart values" .Values.aws.backendTable }}
{{- if .Values.aws.auditLogMirrorOnStdout }}
audit_events_uri: ['dynamodb://{{ required "aws.auditLogTable is required in chart values" .Values.aws.auditLogTable }}', 'stdout://']
{{- else }}
audit_events_uri: ['dynamodb://{{ required "aws.auditLogTable is required in chart values" .Values.aws.auditLogTable }}']
{{- end }}
audit_sessions_uri: s3://{{ required "aws.sessionRecordingBucket is required in chart values" .Values.aws.sessionRecordingBucket }}
continuous_backups: {{ required "aws.backups is required in chart values" .Values.aws.backups }}
{{- if .Values.aws.dynamoAutoScaling }}
auto_scaling: true
billing_mode: provisioned
read_min_capacity: {{ required "aws.readMinCapacity is required when aws.dynamoAutoScaling is true" .Values.aws.readMinCapacity }}
read_max_capacity: {{ required "aws.readMaxCapacity is required when aws.dynamoAutoScaling is true" .Values.aws.readMaxCapacity }}
read_target_value: {{ required "aws.readTargetValue is required when aws.dynamoAutoScaling is true" .Values.aws.readTargetValue }}
write_min_capacity: {{ required "aws.writeMinCapacity is required when aws.dynamoAutoScaling is true" .Values.aws.writeMinCapacity }}
write_max_capacity: {{ required "aws.writeMaxCapacity is required when aws.dynamoAutoScaling is true" .Values.aws.writeMaxCapacity }}
write_target_value: {{ required "aws.writeTargetValue is required when aws.dynamoAutoScaling is true" .Values.aws.writeTargetValue }}
{{- else }}
auto_scaling: false
{{- end }}
{{- end -}}


@ -1,65 +0,0 @@
{{- define "teleport-cluster.auth.config.common" -}}
{{- $authentication := mustMergeOverwrite .Values.authentication (default dict .Values.authenticationSecondFactor) -}}
{{- $logLevel := (coalesce .Values.logLevel .Values.log.level "INFO") -}}
version: v3
kubernetes_service:
enabled: true
listen_addr: 0.0.0.0:3026
public_addr: "{{ include "teleport-cluster.auth.serviceFQDN" . }}:3026"
{{- if .Values.kubeClusterName }}
kube_cluster_name: {{ .Values.kubeClusterName }}
{{- else }}
kube_cluster_name: {{ .Values.clusterName }}
{{- end }}
{{- if .Values.labels }}
labels: {{- toYaml .Values.labels | nindent 8 }}
{{- end }}
proxy_service:
enabled: false
ssh_service:
enabled: false
auth_service:
enabled: true
cluster_name: {{ required "clusterName is required in chart values" .Values.clusterName }}
{{- if .Values.enterprise }}
license_file: '/var/lib/license/license.pem'
{{- end }}
authentication:
type: "{{ required "authentication.type is required in chart values" (coalesce .Values.authenticationType $authentication.type) }}"
local_auth: {{ $authentication.localAuth }}
{{- if $authentication.connectorName }}
connector_name: "{{ $authentication.connectorName }}"
{{- end }}
{{- if $authentication.lockingMode }}
locking_mode: "{{ $authentication.lockingMode }}"
{{- end }}
{{- if $authentication.secondFactor }}
second_factor: "{{ $authentication.secondFactor }}"
{{- if not (or (eq $authentication.secondFactor "off") (eq $authentication.secondFactor "otp")) }}
webauthn:
rp_id: {{ required "clusterName is required in chart values" .Values.clusterName }}
{{- if $authentication.webauthn }}
{{- if $authentication.webauthn.attestationAllowedCas }}
attestation_allowed_cas: {{- toYaml $authentication.webauthn.attestationAllowedCas | nindent 12 }}
{{- end }}
{{- if $authentication.webauthn.attestationDeniedCas }}
attestation_denied_cas: {{- toYaml $authentication.webauthn.attestationDeniedCas | nindent 12 }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.sessionRecording }}
session_recording: {{ .Values.sessionRecording }}
{{- end }}
{{- if .Values.proxyListenerMode }}
proxy_listener_mode: {{ .Values.proxyListenerMode }}
{{- end }}
teleport:
auth_server: 127.0.0.1:3025
log:
severity: {{ $logLevel }}
output: {{ .Values.log.output }}
format:
output: {{ .Values.log.format }}
extra_fields: {{ .Values.log.extraFields | toJson }}
{{- end -}}


@ -1,27 +0,0 @@
{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ .Release.Name }}
rules:
- apiGroups:
- ""
resources:
- users
- groups
- serviceaccounts
verbs:
- impersonate
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- apiGroups:
- "authorization.k8s.io"
resources:
- selfsubjectaccessreviews
verbs:
- create
{{- end -}}


@ -1,31 +0,0 @@
{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ .Release.Namespace }}-{{ .Release.Name }}
labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ .Release.Name }}
subjects:
- kind: ServiceAccount
name: {{ include "teleport-cluster.auth.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
---
# This ClusterRoleBinding allows the auth service-account to validate Kubernetes tokens
# This is required for proxies to join using their Kubernetes tokens
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ .Release.Namespace}}-{{ .Release.Name }}-auth
labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: {{ include "teleport-cluster.auth.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end }}


@ -1,139 +0,0 @@
{{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}}
{{- $configTemplate := printf "teleport-cluster.auth.config.%s" $auth.chartMode -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Release.Name }}-auth
namespace: {{ .Release.Namespace }}
labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
{{- if $auth.annotations.config }}
annotations: {{- toYaml $auth.annotations.config | nindent 4 }}
{{- end }}
data:
{{- if or $auth.createProxyToken .Values.operator.enabled }}
apply-on-startup.yaml: |2
{{- if $auth.createProxyToken }}
---
kind: token
version: v2
metadata:
name: {{ .Release.Name }}-proxy
expires: "2050-01-01T00:00:00Z"
spec:
roles: [Proxy]
join_method: kubernetes
kubernetes:
allow:
- service_account: "{{ .Release.Namespace }}:{{ include "teleport-cluster.proxy.serviceAccountName" . }}"
{{- end }}
{{- if .Values.operator.enabled }}
---
kind: role
metadata:
description: Automatically generated role for bot operator
labels:
teleport.internal/bot: operator
name: bot-operator
spec:
allow:
impersonate:
roles:
- operator
rules:
- resources:
- cert_authority
verbs:
- readnosecrets
deny: {}
version: v7
---
kind: user
metadata:
labels:
teleport.internal/bot: operator
name: bot-operator
spec:
roles:
- bot-operator
version: v2
---
kind: role
metadata:
name: operator
spec:
allow:
rules:
- resources:
- role
verbs:
- list
- create
- read
- update
- delete
- resources:
- user
verbs:
- list
- create
- read
- update
- delete
- resources:
- auth_connector
verbs:
- list
- create
- read
- update
- delete
- resources:
- login_rule
verbs:
- list
- create
- read
- update
- delete
- resources:
- token
verbs:
- list
- create
- read
- update
- delete
- resources:
- okta_import_rule
verbs:
- list
- create
- read
- update
- delete
- resources:
- access_list
verbs:
- list
- create
- read
- update
- delete
deny: {}
version: v7
---
kind: token
version: v2
metadata:
name: "{{ .Values.operator.token }}"
spec:
roles: [Bot]
join_method: kubernetes
bot_name: operator
kubernetes:
allow:
- service_account: "{{ .Release.Namespace }}:{{ include "teleport-cluster.auth.operatorServiceAccountName" . }}"
{{- end }}
{{- end }}
teleport.yaml: |2
{{- mustMergeOverwrite (include $configTemplate . | fromYaml) $auth.teleportConfig | toYaml | nindent 4 -}}


@ -1,292 +0,0 @@
{{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}}
{{- $replicated := gt (int $auth.highAvailability.replicaCount) 1 -}}
{{- $projectedServiceAccountToken := semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Release.Name }}-auth
namespace: {{ .Release.Namespace }}
labels:
{{- include "teleport-cluster.auth.labels" . | nindent 4 }}
app: {{ .Release.Name }}
{{- if $auth.annotations.deployment }}
annotations: {{- toYaml $auth.annotations.deployment | nindent 4 }}
{{- end }}
spec:
replicas: {{ $auth.highAvailability.replicaCount }}
{{- if and $replicated $auth.highAvailability.minReadySeconds }}
minReadySeconds: {{ $auth.highAvailability.minReadySeconds }}
{{- end }}
strategy:
{{- if $replicated }}
# some backends support a maximum amount of auth pods (e.g. DynamoDB),
# we don't want to exceed this during a rollout.
type: RollingUpdate
rollingUpdate:
maxSurge: 0
maxUnavailable: 1
{{- else }}
# using a single replica can be because of a non-replicable storage or when applying upgrade migrations.
# In those cases, we don't want a rolling update.
type: Recreate
{{- end }}
selector:
matchLabels: {{- include "teleport-cluster.auth.selectorLabels" . | nindent 6 }}
template:
metadata:
annotations:
# ConfigMap checksum, to recreate the pod on config changes.
checksum/config: {{ include (print $.Template.BasePath "/auth/config.yaml") . | sha256sum }}
{{- if $auth.annotations.pod }}
{{- toYaml $auth.annotations.pod | nindent 8 }}
{{- end }}
labels:
{{- include "teleport-cluster.auth.labels" . | nindent 8 }}
app: {{ .Release.Name }}
{{- if eq $auth.chartMode "azure"}}
azure.workload.identity/use: "true"
{{- end }}
spec:
{{- if $auth.nodeSelector }}
nodeSelector: {{- toYaml $auth.nodeSelector | nindent 8 }}
{{- end }}
affinity:
{{- if $auth.affinity }}
{{- if $auth.highAvailability.requireAntiAffinity }}
{{- fail "Cannot use highAvailability.requireAntiAffinity when affinity is also set in chart values - unset one or the other" }}
{{- end }}
{{- toYaml $auth.affinity | nindent 8 }}
{{- else }}
podAntiAffinity:
{{- if $auth.highAvailability.requireAntiAffinity }}
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app.kubernetes.io/instance
operator: In
values:
- {{ .Release.Name }}
- key: app.kubernetes.io/component
operator: In
values:
- auth
topologyKey: "kubernetes.io/hostname"
{{- else if $replicated }}
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 50
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/instance
operator: In
values:
- {{ .Release.Name }}
- key: app.kubernetes.io/component
operator: In
values:
- auth
topologyKey: "kubernetes.io/hostname"
{{- end }}
{{- end }}
{{- if $auth.tolerations }}
tolerations: {{- toYaml $auth.tolerations | nindent 6 }}
{{- end }}
{{- if $auth.imagePullSecrets }}
imagePullSecrets:
{{- toYaml $auth.imagePullSecrets | nindent 6 }}
{{- end }}
{{- if $auth.initContainers }}
initContainers:
{{- range $initContainer := $auth.initContainers }}
{{- if and (not $initContainer.resources) $auth.resources }}
{{- $_ := set $initContainer "resources" $auth.resources }}
{{- end }}
{{- list $initContainer | toYaml | nindent 8 }}
{{- /* Note: this will break if the user sets volumeMounts to its initContainer */}}
volumeMounts:
{{- if $auth.enterprise }}
- mountPath: /var/lib/license
name: "license"
readOnly: true
{{- end }}
{{- if and ($auth.gcp.credentialSecretName) (eq $auth.chartMode "gcp") }}
- mountPath: /etc/teleport-secrets
name: "gcp-credentials"
readOnly: true
{{- end }}
- mountPath: /etc/teleport
name: "config"
readOnly: true
- mountPath: /var/lib/teleport
name: "data"
{{- if $projectedServiceAccountToken }}
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: auth-serviceaccount-token
readOnly: true
{{- end }}
{{- if $auth.extraVolumeMounts }}
{{- toYaml $auth.extraVolumeMounts | nindent 10 }}
{{- end }}
{{- end }}
{{- end }}
containers:
- name: "teleport"
image: '{{ if $auth.enterprise }}{{ $auth.enterpriseImage }}{{ else }}{{ $auth.image }}{{ end }}:{{ include "teleport-cluster.version" . }}'
imagePullPolicy: {{ $auth.imagePullPolicy }}
{{- if or $auth.extraEnv $auth.tls.existingCASecretName }}
env:
{{- if (gt (len $auth.extraEnv) 0) }}
{{- toYaml $auth.extraEnv | nindent 8 }}
{{- end }}
{{- if $auth.tls.existingCASecretName }}
- name: SSL_CERT_FILE
value: /etc/teleport-tls-ca/ca.pem
{{- end }}
{{- end }}
args:
- "--diag-addr=0.0.0.0:3000"
{{- if $auth.insecureSkipProxyTLSVerify }}
- "--insecure"
{{- end }}
{{- if $auth.createProxyToken }}
- "--apply-on-startup=/etc/teleport/apply-on-startup.yaml"
{{- end }}
{{- if $auth.extraArgs }}
{{- toYaml $auth.extraArgs | nindent 8 }}
{{- end }}
ports:
- name: diag
containerPort: 3000
protocol: TCP
- name: auth
containerPort: 3025
protocol: TCP
- name: kube
containerPort: 3026
protocol: TCP
livenessProbe:
httpGet:
path: /healthz
port: diag
initialDelaySeconds: 5 # wait 5s for agent to start
periodSeconds: 5 # poll health every 5s
failureThreshold: 6 # consider agent unhealthy after 30s (6 * 5s)
timeoutSeconds: {{ .Values.probeTimeoutSeconds }}
readinessProbe:
httpGet:
path: /readyz
port: diag
initialDelaySeconds: 5 # wait 5s for agent to register
periodSeconds: 5 # poll health every 5s
failureThreshold: 12 # consider agent unhealthy after 60s (12 * 5s)
timeoutSeconds: {{ .Values.probeTimeoutSeconds }}
lifecycle:
# waiting during preStop ensures no new request will hit the Terminating pod
# on clusters using kube-proxy (kube-proxy syncs the node iptables rules every 30s)
preStop:
exec:
command:
- teleport
- wait
- duration
- 30s
{{- if $auth.postStart.command }}
postStart:
exec:
command: {{ toYaml $auth.postStart.command | nindent 14 }}
{{- end }}
{{- if $auth.resources }}
resources:
{{- toYaml $auth.resources | nindent 10 }}
{{- end }}
{{- if $auth.securityContext }}
securityContext: {{- toYaml $auth.securityContext | nindent 10 }}
{{- end }}
volumeMounts:
{{- if $auth.enterprise }}
- mountPath: /var/lib/license
name: "license"
readOnly: true
{{- end }}
{{- if and ($auth.gcp.credentialSecretName) (eq $auth.chartMode "gcp") }}
- mountPath: /etc/teleport-secrets
name: "gcp-credentials"
readOnly: true
{{- end }}
{{- if $auth.tls.existingCASecretName }}
- mountPath: /etc/teleport-tls-ca
name: "teleport-tls-ca"
readOnly: true
{{- end }}
- mountPath: /etc/teleport
name: "config"
readOnly: true
- mountPath: /var/lib/teleport
name: "data"
{{- if $projectedServiceAccountToken }}
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: auth-serviceaccount-token
readOnly: true
{{- end }}
{{- if $auth.extraVolumeMounts }}
{{- toYaml $auth.extraVolumeMounts | nindent 8 }}
{{- end }}
{{- if $auth.extraContainers }}
{{- toYaml $auth.extraContainers | nindent 6 }}
{{- end }}
{{- if $projectedServiceAccountToken }}
automountServiceAccountToken: false
{{- end }}
volumes:
{{- if $projectedServiceAccountToken }}
# This projected token volume mimics the `automountServiceAccountToken`
# behaviour but defaults to a 1h TTL instead of 1y.
- name: auth-serviceaccount-token
projected:
sources:
- serviceAccountToken:
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- path: "namespace"
fieldRef:
fieldPath: metadata.namespace
{{- end }}
{{- if $auth.enterprise }}
- name: license
secret:
secretName: "license"
{{- end }}
{{- if and ($auth.gcp.credentialSecretName) (eq $auth.chartMode "gcp") }}
- name: gcp-credentials
secret:
secretName: {{ $auth.gcp.credentialSecretName | quote }}
{{- end }}
{{- if $auth.tls.existingCASecretName }}
- name: teleport-tls-ca
secret:
secretName: {{ $auth.tls.existingCASecretName }}
{{- end }}
- name: "config"
configMap:
name: {{ .Release.Name }}-auth
- name: "data"
{{- if and ($auth.persistence.enabled) ( and (not (eq $auth.chartMode "gcp")) (not (eq $auth.chartMode "aws")) (not (eq $auth.chartMode "azure"))) }}
persistentVolumeClaim:
claimName: {{ if $auth.persistence.existingClaimName }}{{ $auth.persistence.existingClaimName }}{{ else }}{{ .Release.Name }}{{ end }}
{{- else }}
emptyDir: {}
{{- end }}
{{- if $auth.extraVolumes }}
{{- toYaml $auth.extraVolumes | nindent 6 }}
{{- end }}
{{- if $auth.priorityClassName }}
priorityClassName: {{ $auth.priorityClassName }}
{{- end }}
serviceAccountName: {{ include "teleport-cluster.auth.serviceAccountName" . }}
terminationGracePeriodSeconds: {{ $auth.terminationGracePeriodSeconds }}


@ -1,17 +0,0 @@
{{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}}
{{- if $auth.highAvailability.podDisruptionBudget.enabled }}
{{- if .Capabilities.APIVersions.Has "policy/v1" }}
apiVersion: policy/v1
{{- else }}
apiVersion: policy/v1beta1
{{- end }}
kind: PodDisruptionBudget
metadata:
name: {{ .Release.Name }}-auth
namespace: {{ .Release.Namespace }}
labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
spec:
minAvailable: {{ $auth.highAvailability.podDisruptionBudget.minAvailable }}
selector:
matchLabels: {{- include "teleport-cluster.auth.selectorLabels" . | nindent 6 }}
{{- end }}


@ -1,31 +0,0 @@
{{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}}
{{- if $auth.validateConfigOnDeploy }}
{{- $configTemplate := printf "teleport-cluster.auth.config.%s" $auth.chartMode -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Release.Name }}-auth-test
namespace: {{ .Release.Namespace }}
labels: {{- include "teleport-cluster.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "4"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
data:
{{- if $auth.createProxyToken }}
apply-on-startup.yaml: |2
kind: token
version: v2
metadata:
name: {{ .Release.Name }}-proxy
expires: "3000-01-01T00:00:00Z"
spec:
roles: [Proxy]
join_method: kubernetes
kubernetes:
allow:
- service_account: "{{ .Release.Namespace }}:{{ include "teleport-cluster.proxy.serviceAccountName" . }}"
{{- end }}
teleport.yaml: |2
{{- mustMergeOverwrite (include $configTemplate . | fromYaml) $auth.teleportConfig | toYaml | nindent 4 -}}
{{- end }}


@ -1,103 +0,0 @@
{{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}}
{{- if $auth.validateConfigOnDeploy }}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ .Release.Name }}-auth-test
namespace: {{ .Release.Namespace }}
labels: {{- include "teleport-cluster.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "5"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
backoffLimit: 1
template:
spec:
{{- if $auth.affinity }}
affinity: {{- toYaml $auth.affinity | nindent 8 }}
{{- end }}
{{- if $auth.tolerations }}
tolerations: {{- toYaml $auth.tolerations | nindent 6 }}
{{- end }}
{{- if $auth.imagePullSecrets }}
imagePullSecrets:
{{- toYaml $auth.imagePullSecrets | nindent 6 }}
{{- end }}
restartPolicy: Never
containers:
- name: "teleport-config-check"
image: '{{ if $auth.enterprise }}{{ $auth.enterpriseImage }}{{ else }}{{ $auth.image }}{{ end }}:{{ include "teleport-cluster.version" . }}'
imagePullPolicy: {{ $auth.imagePullPolicy }}
{{- if $auth.resources }}
resources:
{{- toYaml $auth.resources | nindent 10 }}
{{- end }}
{{- if or $auth.extraEnv $auth.tls.existingCASecretName }}
env:
{{- if (gt (len $auth.extraEnv) 0) }}
{{- toYaml $auth.extraEnv | nindent 8 }}
{{- end }}
{{- if $auth.tls.existingCASecretName }}
- name: SSL_CERT_FILE
value: /etc/teleport-tls-ca/ca.pem
{{- end }}
{{- end }}
command:
- "teleport"
- "configure"
args:
- "--test"
- "/etc/teleport/teleport.yaml"
{{- if .Values.securityContext }}
securityContext: {{- toYaml .Values.securityContext | nindent 10 }}
{{- end }}
volumeMounts:
{{- if .Values.enterprise }}
- mountPath: /var/lib/license
name: "license"
readOnly: true
{{- end }}
{{- if and (.Values.gcp.credentialSecretName) (eq .Values.chartMode "gcp") }}
- mountPath: /etc/teleport-secrets
name: "gcp-credentials"
readOnly: true
{{- end }}
{{- if .Values.tls.existingCASecretName }}
- mountPath: /etc/teleport-tls-ca
name: "teleport-tls-ca"
readOnly: true
{{- end }}
- mountPath: /etc/teleport
name: "config"
readOnly: true
- mountPath: /var/lib/teleport
name: "data"
{{- if .Values.extraVolumeMounts }}
{{- toYaml .Values.extraVolumeMounts | nindent 8 }}
{{- end }}
volumes:
{{- if .Values.enterprise }}
- name: license
secret:
secretName: "license"
{{- end }}
{{- if and (.Values.gcp.credentialSecretName) (eq .Values.chartMode "gcp") }}
- name: gcp-credentials
secret:
secretName: {{ .Values.gcp.credentialSecretName | quote }}
{{- end }}
{{- if .Values.tls.existingCASecretName }}
- name: teleport-tls-ca
secret:
secretName: {{ .Values.tls.existingCASecretName }}
{{- end }}
- name: "config"
configMap:
name: {{ .Release.Name }}-auth-test
- name: "data"
emptyDir: {}
{{- if .Values.extraVolumes }}
{{- toYaml .Values.extraVolumes | nindent 6 }}
{{- end }}
{{- end }}


@ -1,24 +0,0 @@
{{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}}
{{- if $auth.persistence.enabled }}
{{/* Disable persistence for cloud modes */}}
{{- if and (not (eq $auth.chartMode "aws")) (not (eq $auth.chartMode "gcp")) (not (eq $auth.chartMode "azure")) }}
{{/* No need to create a PVC if we reuse an existing claim */}}
{{- if not $auth.persistence.existingClaimName }}
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
spec:
accessModes:
- ReadWriteOnce
{{- if $auth.persistence.storageClassName }}
storageClassName: {{ $auth.persistence.storageClassName }}
{{- end }}
resources:
requests:
storage: {{ required "persistence.volumeSize is required in chart values" $auth.persistence.volumeSize }}
{{- end }}
{{- end }}
{{- end }}


@ -1,31 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "teleport-cluster.auth.previousVersionServiceName" . }}
namespace: {{ .Release.Namespace }}
labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
spec:
# This is a headless service. Resolving it will return the list of all auth pods running the previous major version
# Proxies should not connect to auth pods from the previous major version
# Proxy rollout should be held until this headLessService does not match pods anymore.
clusterIP: "None"
# Publishing not ready addresses ensures that unhealthy or terminating pods are still accounted for
publishNotReadyAddresses: true
selector:
{{- include "teleport-cluster.auth.selectorLabels" . | nindent 4 }}
teleport.dev/majorVersion: {{ include "teleport-cluster.previousMajorVersion" . | quote }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ include "teleport-cluster.auth.currentVersionServiceName" . }}
namespace: {{ .Release.Namespace }}
labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
spec:
# This is a headless service. Resolving it will return the list of all auth pods running the current major version
clusterIP: "None"
# Publishing not ready addresses ensures that unhealthy or terminating pods are still accounted for
publishNotReadyAddresses: true
selector:
{{- include "teleport-cluster.auth.selectorLabels" . | nindent 4 }}
teleport.dev/majorVersion: {{ include "teleport-cluster.majorVersion" . | quote }}


@ -1,21 +0,0 @@
{{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}}
apiVersion: v1
kind: Service
metadata:
name: {{ include "teleport-cluster.auth.serviceName" . }}
namespace: {{ .Release.Namespace }}
labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
{{- if $auth.annotations.service }}
annotations: {{- toYaml $auth.annotations.service | nindent 4 }}
{{- end }}
spec:
ports:
- name: auth
port: 3025
targetPort: 3025
protocol: TCP
- name: kube
port: 3026
targetPort: 3026
protocol: TCP
selector: {{- include "teleport-cluster.auth.selectorLabels" . | nindent 4 }}


@ -1,17 +0,0 @@
{{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}}
{{- if $auth.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "teleport-cluster.auth.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- if or $auth.annotations.serviceAccount $auth.azure.clientID }}
annotations:
{{- if $auth.annotations.serviceAccount }}
{{- toYaml $auth.annotations.serviceAccount | nindent 4 }}
{{- end }}
{{- if $auth.azure.clientID }}
azure.workload.identity/client-id: "{{ $auth.azure.clientID }}"
{{- end }}
{{- end -}}
{{- end }}


@ -1,43 +0,0 @@
{{- $proxy := mustMergeOverwrite (mustDeepCopy .Values) .Values.proxy -}}
{{- if $proxy.highAvailability.certManager.enabled -}}
{{- /* Append clusterName and wildcard version to list of dnsNames on certificate request (original functionality) */ -}}
{{- $domainList := list (required "clusterName is required in chartValues when certManager is enabled" $proxy.clusterName) -}}
{{- $domainList := append $domainList (printf "*.%s" (required "clusterName is required in chartValues when certManager is enabled" $proxy.clusterName)) -}}
{{- /* If the config option is enabled and at least one publicAddr is set, append all public addresses to the list of dnsNames */ -}}
{{- if and $proxy.highAvailability.certManager.addPublicAddrs (gt (len .Values.publicAddr) 0) -}}
{{- /* Trim ports from all public addresses if present */ -}}
{{- range .Values.publicAddr -}}
{{- $address := . -}}
{{- if (contains ":" $address) -}}
{{- $split := split ":" $address -}}
{{- $address = $split._0 -}}
{{- end -}}
{{- $domainList = append (mustWithout $domainList .) $address -}}
{{- end -}}
{{- end -}}
{{- /* Finally, remove any duplicate entries from the list of domains */ -}}
{{- $domainList := mustUniq $domainList -}}
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
labels: {{- include "teleport-cluster.proxy.labels" . | nindent 4 }}
spec:
secretName: teleport-tls
{{- if $proxy.highAvailability.certManager.addCommonName }}
commonName: {{ quote $proxy.clusterName }}
{{- end }}
dnsNames:
{{- range $domainList }}
- {{ quote . }}
{{- end }}
issuerRef:
name: {{ required "highAvailability.certManager.issuerName is required in chart values" $proxy.highAvailability.certManager.issuerName }}
kind: {{ required "highAvailability.certManager.issuerKind is required in chart values" $proxy.highAvailability.certManager.issuerKind }}
group: {{ required "highAvailability.certManager.issuerGroup is required in chart values" $proxy.highAvailability.certManager.issuerGroup }}
{{- with $proxy.annotations.certSecret }}
secretTemplate:
annotations: {{- toYaml . | nindent 6 }}
{{- end }}
{{- end }}


@ -1,16 +0,0 @@
{{- $proxy := mustMergeOverwrite (mustDeepCopy .Values) .Values.proxy -}}
{{- $configTemplate := printf "teleport-cluster.proxy.config.%s" $proxy.chartMode -}}
{{- if (contains ":" $proxy.clusterName) -}}
{{- fail "clusterName must not contain a colon, you can override the cluster's public address with publicAddr" -}}
{{- end -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Release.Name }}-proxy
namespace: {{ .Release.Namespace }}
{{- if $proxy.annotations.config }}
annotations: {{- toYaml $proxy.annotations.config | nindent 4 }}
{{- end }}
data:
teleport.yaml: |2
{{- mustMergeOverwrite (include $configTemplate . | fromYaml) $proxy.teleportConfig | toYaml | nindent 4 -}}


@ -1,310 +0,0 @@
{{- $proxy := mustMergeOverwrite (mustDeepCopy .Values) .Values.proxy -}}
{{- $replicable := or $proxy.highAvailability.certManager.enabled $proxy.tls.existingSecretName $proxy.ingress.enabled -}}
{{- $projectedServiceAccountToken := semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
# Deployment is {{ if not $replicable }}not {{end}}replicable
{{- if and $proxy.highAvailability.certManager.enabled $proxy.tls.existingSecretName }}
{{- fail "Cannot set both highAvailability.certManager.enabled and tls.existingSecretName, choose one or the other" }}
{{- end }}
{{- if and $proxy.acme $proxy.tls.existingSecretName }}
{{- fail "Cannot set both acme.enabled and tls.existingSecretName, choose one or the other" }}
{{- end }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Release.Name }}-proxy
namespace: {{ .Release.Namespace }}
labels: {{- include "teleport-cluster.proxy.labels" . | nindent 4 }}
{{- if $proxy.annotations.deployment }}
annotations: {{- toYaml $proxy.annotations.deployment | nindent 4 }}
{{- end }}
spec:
{{- /*
If proxies cannot be replicated we use a single replica.
By default we want to upgrade all users to at least 2 replicas, if they had a higher replica count we take it.
If a user wants to force a single proxy, they can use the `proxy` specific override.
$proxySpecificHA is a hack to avoid .Values.proxy.highAvailability to be nil, which would cause a fail when
accessing .Values.proxy.highAvailability.replicaCount.
*/}}
{{- if $replicable }}
{{- $proxySpecificHA := default (dict) .Values.proxy.highAvailability }}
{{- if $proxySpecificHA.replicaCount }}
replicas: {{ $proxySpecificHA.replicaCount }}
{{- else }}
replicas: {{ max .Values.highAvailability.replicaCount 2 }}
{{- end }}
{{- if $proxy.highAvailability.minReadySeconds }}
minReadySeconds: {{ $proxy.highAvailability.minReadySeconds }}
{{- end }}
{{- else }}
replicas: 1
{{- end }}
selector:
matchLabels: {{- include "teleport-cluster.proxy.selectorLabels" . | nindent 6 }}
template:
metadata:
annotations:
# ConfigMap checksum, to recreate the pod on config changes.
checksum/config: {{ include (print $.Template.BasePath "/proxy/config.yaml") . | sha256sum }}
{{- if $proxy.annotations.pod }}
{{- toYaml $proxy.annotations.pod | nindent 8 }}
{{- end }}
labels: {{- include "teleport-cluster.proxy.labels" . | nindent 8 }}
spec:
{{- if $proxy.nodeSelector }}
nodeSelector: {{- toYaml $proxy.nodeSelector | nindent 8 }}
{{- end }}
affinity:
{{- if $proxy.affinity }}
{{- if $proxy.highAvailability.requireAntiAffinity }}
{{- fail "Cannot use highAvailability.requireAntiAffinity when affinity is also set in chart values - unset one or the other" }}
{{- end }}
{{- toYaml $proxy.affinity | nindent 8 }}
{{- else }}
podAntiAffinity:
{{- if $proxy.highAvailability.requireAntiAffinity }}
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app.kubernetes.io/instance
operator: In
values:
- {{ .Release.Name }}
- key: app.kubernetes.io/component
operator: In
values:
- proxy
topologyKey: "kubernetes.io/hostname"
{{- else if gt (int $proxy.highAvailability.replicaCount) 1 }}
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 50
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/instance
operator: In
values:
- {{ .Release.Name }}
- key: app.kubernetes.io/component
operator: In
values:
- proxy
topologyKey: "kubernetes.io/hostname"
{{- end }}
{{- end }}
{{- if $proxy.tolerations }}
tolerations: {{- toYaml $proxy.tolerations | nindent 6 }}
{{- end }}
{{- if $proxy.imagePullSecrets }}
imagePullSecrets:
{{- toYaml $proxy.imagePullSecrets | nindent 6 }}
{{- end }}
initContainers:
# wait-auth-update is responsible for holding off the proxy rollout until all auths are running the
# next major version in case of major upgrade.
- name: wait-auth-update
image: '{{ if $proxy.enterprise }}{{ $proxy.enterpriseImage }}{{ else }}{{ $proxy.image }}{{ end }}:{{ include "teleport-cluster.version" . }}'
command:
- teleport
- wait
- no-resolve
- '{{ include "teleport-cluster.auth.previousVersionServiceName" . }}.{{ .Release.Namespace }}.svc.cluster.local'
{{- if $proxy.securityContext }}
securityContext: {{- toYaml $proxy.securityContext | nindent 12 }}
{{- end }}
{{- if $proxy.initContainers }}
{{- range $initContainer := $proxy.initContainers }}
{{- if and (not $initContainer.resources) $proxy.resources }}
{{- $_ := set $initContainer "resources" $proxy.resources }}
{{- end }}
{{- list $initContainer | toYaml | nindent 8 }}
{{- /* Note: this will break if the user sets volumeMounts to its initContainer */}}
volumeMounts:
{{- if or $proxy.highAvailability.certManager.enabled $proxy.tls.existingSecretName }}
- mountPath: /etc/teleport-tls
name: "teleport-tls"
readOnly: true
{{- end }}
- mountPath: /etc/teleport
name: "config"
readOnly: true
- mountPath: /var/lib/teleport
name: "data"
{{- if $proxy.extraVolumeMounts }}
{{- toYaml $proxy.extraVolumeMounts | nindent 10 }}
{{- end }}
{{- end }}
{{- end }}
containers:
- name: "teleport"
image: '{{ if $proxy.enterprise }}{{ $proxy.enterpriseImage }}{{ else }}{{ $proxy.image }}{{ end }}:{{ include "teleport-cluster.version" . }}'
imagePullPolicy: {{ $proxy.imagePullPolicy }}
{{- if or $proxy.extraEnv $proxy.tls.existingCASecretName }}
env:
{{- if (gt (len $proxy.extraEnv) 0) }}
{{- toYaml $proxy.extraEnv | nindent 8 }}
{{- end }}
{{- if $proxy.tls.existingCASecretName }}
- name: SSL_CERT_FILE
value: /etc/teleport-tls-ca/ca.pem
{{- end }}
{{- end }}
args:
- "--diag-addr=0.0.0.0:3000"
{{- if $proxy.insecureSkipProxyTLSVerify }}
- "--insecure"
{{- end }}
{{- if $proxy.extraArgs }}
{{- toYaml $proxy.extraArgs | nindent 8 }}
{{- end }}
ports:
- name: tls
containerPort: 3080
protocol: TCP
{{- if $proxy.enterprise }}
- name: proxypeering
containerPort: 3021
protocol: TCP
{{- end }}
{{- if ne $proxy.proxyListenerMode "multiplex" }}
- name: sshproxy
containerPort: 3023
protocol: TCP
- name: sshtun
containerPort: 3024
protocol: TCP
- name: kube
containerPort: 3026
protocol: TCP
- name: mysql
containerPort: 3036
protocol: TCP
{{- if $proxy.separatePostgresListener }}
- name: postgres
containerPort: 5432
protocol: TCP
{{- end }}
{{- if $proxy.separateMongoListener }}
- name: mongo
containerPort: 27017
protocol: TCP
{{- end }}
{{- end }}
- name: diag
containerPort: 3000
protocol: TCP
livenessProbe:
httpGet:
path: /healthz
port: diag
initialDelaySeconds: 5 # wait 5s for agent to start
periodSeconds: 5 # poll health every 5s
failureThreshold: 6 # consider agent unhealthy after 30s (6 * 5s)
timeoutSeconds: {{ $proxy.probeTimeoutSeconds }}
readinessProbe:
httpGet:
path: /readyz
port: diag
initialDelaySeconds: 5 # wait 5s for agent to register
periodSeconds: 5 # poll health every 5s
failureThreshold: 12 # consider agent unhealthy after 60s (12 * 5s)
timeoutSeconds: {{ $proxy.probeTimeoutSeconds }}
lifecycle:
# waiting during preStop ensures no new request will hit the Terminating pod
# on clusters using kube-proxy (kube-proxy syncs the node iptables rules every 30s)
preStop:
exec:
command:
- teleport
- wait
- duration
- 30s
{{- if $proxy.postStart.command }}
postStart:
exec:
command: {{ toYaml $proxy.postStart.command | nindent 14 }}
{{- end }}
{{- if $proxy.resources }}
resources:
{{- toYaml $proxy.resources | nindent 10 }}
{{- end }}
{{- if $proxy.securityContext }}
securityContext: {{- toYaml $proxy.securityContext | nindent 10 }}
{{- end }}
volumeMounts:
{{- if or $proxy.highAvailability.certManager.enabled $proxy.tls.existingSecretName }}
- mountPath: /etc/teleport-tls
name: "teleport-tls"
readOnly: true
{{- end }}
{{- if $proxy.tls.existingCASecretName }}
- mountPath: /etc/teleport-tls-ca
name: "teleport-tls-ca"
readOnly: true
{{- end }}
- mountPath: /etc/teleport
name: "config"
readOnly: true
- mountPath: /var/lib/teleport
name: "data"
{{- if $projectedServiceAccountToken }}
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: proxy-serviceaccount-token
readOnly: true
{{- end }}
{{- if $proxy.extraVolumeMounts }}
{{- toYaml $proxy.extraVolumeMounts | nindent 8 }}
{{- end }}
{{- if $proxy.extraContainers }}
{{- toYaml $proxy.extraContainers | nindent 6 }}
{{- end }}
{{- if $projectedServiceAccountToken }}
automountServiceAccountToken: false
{{- end }}
volumes:
{{- if $projectedServiceAccountToken }}
# This projected token volume mimics the `automountServiceAccountToken`
# behaviour but defaults to a 1h TTL instead of 1y.
- name: proxy-serviceaccount-token
projected:
sources:
- serviceAccountToken:
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- path: "namespace"
fieldRef:
fieldPath: metadata.namespace
{{- end }}
{{- if $proxy.highAvailability.certManager.enabled }}
- name: teleport-tls
secret:
secretName: teleport-tls
{{- else if $proxy.tls.existingSecretName }}
- name: teleport-tls
secret:
secretName: {{ $proxy.tls.existingSecretName }}
{{- end }}
{{- if $proxy.tls.existingCASecretName }}
- name: teleport-tls-ca
secret:
secretName: {{ $proxy.tls.existingCASecretName }}
{{- end }}
- name: "config"
configMap:
name: {{ .Release.Name }}-proxy
- name: "data"
emptyDir: {}
{{- if $proxy.extraVolumes }}
{{- toYaml $proxy.extraVolumes | nindent 6 }}
{{- end }}
{{- if $proxy.priorityClassName }}
priorityClassName: {{ $proxy.priorityClassName }}
{{- end }}
serviceAccountName: {{ include "teleport-cluster.proxy.serviceAccountName" . }}
terminationGracePeriodSeconds: {{ $proxy.terminationGracePeriodSeconds }}


@ -1,57 +0,0 @@
{{- $proxy := mustMergeOverwrite (mustDeepCopy .Values) .Values.proxy -}}
{{- if .Values.ingress.enabled -}}
{{- if (not (eq .Values.proxyListenerMode "multiplex")) -}}
{{- fail "Use of an ingress requires TLS multiplexing to be enabled, so you must also set proxyListenerMode=multiplex - see https://goteleport.com/docs/architecture/tls-routing/" -}}
{{- end -}}
{{- $publicAddr := coalesce .Values.publicAddr (list .Values.clusterName) -}}
{{- /* Trim ports from all public addresses if present */ -}}
{{- range $publicAddr -}}
{{- $address := . -}}
{{- if (contains ":" $address) -}}
{{- $split := split ":" $address -}}
{{- $address = $split._0 -}}
{{- $publicAddr = append (mustWithout $publicAddr .) $address -}}
{{- end -}}
{{- $wildcard := printf "*.%s" $address -}}
{{- /* Add wildcard versions of all public addresses to ingress, unless 1) suppressed or 2) wildcard version already exists */ -}}
{{- if and (not $.Values.ingress.suppressAutomaticWildcards) (not (hasPrefix "*." $address)) (not (has $wildcard $publicAddr)) -}}
{{- $publicAddr = append $publicAddr (printf "*.%s" $address) -}}
{{- end -}}
{{- end -}}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ .Release.Name }}-proxy
namespace: {{ .Release.Namespace }}
labels: {{- include "teleport-cluster.proxy.labels" . | nindent 4 }}
{{- if $proxy.annotations.ingress }}
annotations: {{- toYaml $proxy.annotations.ingress | nindent 4 }}
{{- end }}
spec:
{{- with $proxy.ingress.spec }}
{{- toYaml . | nindent 2 }}
{{- end }}
tls:
- hosts:
{{- range $publicAddr }}
- {{ quote . }}
{{- end }}
{{- if $proxy.highAvailability.certManager.enabled }}
secretName: teleport-tls
{{- else if $proxy.tls.existingSecretName }}
secretName: {{ $proxy.tls.existingSecretName }}
{{- end }}
rules:
{{- range $publicAddr }}
- host: {{ quote . }}
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: {{ $.Release.Name }}
port:
number: 443
{{- end }}
{{- end }}


@ -1,17 +0,0 @@
{{- $proxy := mustMergeOverwrite (mustDeepCopy .Values) .Values.proxy -}}
{{- if $proxy.highAvailability.podDisruptionBudget.enabled }}
{{- if .Capabilities.APIVersions.Has "policy/v1" }}
apiVersion: policy/v1
{{- else }}
apiVersion: policy/v1beta1
{{- end }}
kind: PodDisruptionBudget
metadata:
name: {{ .Release.Name }}-proxy
namespace: {{ .Release.Namespace }}
labels: {{- include "teleport-cluster.proxy.labels" . | nindent 4 }}
spec:
minAvailable: {{ $proxy.highAvailability.podDisruptionBudget.minAvailable }}
selector:
matchLabels: {{- include "teleport-cluster.proxy.selectorLabels" . | nindent 6 }}
{{- end }}


@ -1,16 +0,0 @@
{{- $proxy := mustMergeOverwrite (mustDeepCopy .Values) .Values.proxy -}}
{{- if $proxy.validateConfigOnDeploy }}
{{- $configTemplate := printf "teleport-cluster.proxy.config.%s" $proxy.chartMode -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Release.Name }}-proxy-test
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "4"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
data:
teleport.yaml: |2
{{- mustMergeOverwrite (include $configTemplate . | fromYaml) $proxy.teleportConfig | toYaml | nindent 4 -}}
{{- end }}


@ -1,99 +0,0 @@
{{- $proxy := mustMergeOverwrite (mustDeepCopy .Values) .Values.proxy -}}
{{- if $proxy.validateConfigOnDeploy }}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ .Release.Name }}-proxy-test
namespace: {{ .Release.Namespace }}
labels: {{- include "teleport-cluster.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "5"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
backoffLimit: 1
template:
spec:
{{- if $proxy.affinity }}
affinity: {{- toYaml $proxy.affinity | nindent 8 }}
{{- end }}
{{- if $proxy.tolerations }}
tolerations: {{- toYaml $proxy.tolerations | nindent 6 }}
{{- end }}
{{- if $proxy.imagePullSecrets }}
imagePullSecrets:
{{- toYaml $proxy.imagePullSecrets | nindent 6 }}
{{- end }}
restartPolicy: Never
containers:
- name: "teleport"
image: '{{ if $proxy.enterprise }}{{ $proxy.enterpriseImage }}{{ else }}{{ $proxy.image }}{{ end }}:{{ include "teleport-cluster.version" . }}'
imagePullPolicy: {{ $proxy.imagePullPolicy }}
{{- if $proxy.resources }}
resources:
{{- toYaml $proxy.resources | nindent 10 }}
{{- end }}
{{- if or $proxy.extraEnv $proxy.tls.existingCASecretName }}
env:
{{- if (gt (len $proxy.extraEnv) 0) }}
{{- toYaml $proxy.extraEnv | nindent 8 }}
{{- end }}
{{- if $proxy.tls.existingCASecretName }}
- name: SSL_CERT_FILE
value: /etc/teleport-tls-ca/ca.pem
{{- end }}
{{- end }}
command:
- "teleport"
- "configure"
args:
- "--test"
- "/etc/teleport/teleport.yaml"
{{- if $proxy.securityContext }}
securityContext: {{- toYaml $proxy.securityContext | nindent 10 }}
{{- end }}
volumeMounts:
{{- if or $proxy.highAvailability.certManager.enabled $proxy.tls.existingSecretName }}
- mountPath: /etc/teleport-tls
name: "teleport-tls"
readOnly: true
{{- end }}
{{- if $proxy.tls.existingCASecretName }}
- mountPath: /etc/teleport-tls-ca
name: "teleport-tls-ca"
readOnly: true
{{- end }}
- mountPath: /etc/teleport
name: "config"
readOnly: true
- mountPath: /var/lib/teleport
name: "data"
{{- if $proxy.extraVolumeMounts }}
{{- toYaml $proxy.extraVolumeMounts | nindent 8 }}
{{- end }}
volumes:
{{- if $proxy.highAvailability.certManager.enabled }}
- name: teleport-tls
secret:
secretName: teleport-tls
# this avoids deadlock during initial setup
optional: true
{{- else if $proxy.tls.existingSecretName }}
- name: teleport-tls
secret:
secretName: {{ $proxy.tls.existingSecretName }}
{{- end }}
{{- if $proxy.tls.existingCASecretName }}
- name: teleport-tls-ca
secret:
secretName: {{ $proxy.tls.existingCASecretName }}
{{- end }}
- name: "config"
configMap:
name: {{ .Release.Name }}-proxy-test
- name: "data"
emptyDir: {}
{{- if $proxy.extraVolumes }}
{{- toYaml $proxy.extraVolumes | nindent 6 }}
{{- end }}
{{- end }}


@ -1,66 +0,0 @@
{{- $proxy := mustMergeOverwrite (mustDeepCopy .Values) .Values.proxy -}}
{{- $backendProtocol := ternary "ssl" "tcp" (hasKey $proxy.annotations.service "service.beta.kubernetes.io/aws-load-balancer-ssl-cert") -}}
apiVersion: v1
kind: Service
metadata:
name: {{ .Release.Name }}-lb
namespace: {{ .Release.Namespace }}
labels: {{- include "teleport-cluster.proxy.labels" . | nindent 4 }}
{{- if (or ($proxy.annotations.service) (eq $proxy.chartMode "aws")) }}
annotations:
{{- if and (eq $proxy.chartMode "aws") (not $proxy.ingress.enabled) }}
{{- if not (hasKey $proxy.annotations.service "service.beta.kubernetes.io/aws-load-balancer-backend-protocol")}}
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: {{ $backendProtocol }}
{{- end }}
{{- if not (or (hasKey $proxy.annotations.service "service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled") (hasKey $proxy.annotations.service "service.beta.kubernetes.io/aws-load-balancer-attributes"))}}
service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
{{- end }}
{{- if not (hasKey $proxy.annotations.service "service.beta.kubernetes.io/aws-load-balancer-type")}}
service.beta.kubernetes.io/aws-load-balancer-type: nlb
{{- end }}
{{- end }}
{{- if $proxy.annotations.service }}
{{- toYaml $proxy.annotations.service | nindent 4 }}
{{- end }}
{{- end }}
spec:
type: "LoadBalancer"
{{- with $proxy.service.spec }}
{{- toYaml . | nindent 2 }}
{{- end }}
ports:
- name: tls
port: 443
targetPort: 3080
protocol: TCP
{{- if ne $proxy.proxyListenerMode "multiplex" }}
- name: sshproxy
port: 3023
targetPort: 3023
protocol: TCP
- name: k8s
port: 3026
targetPort: 3026
protocol: TCP
- name: sshtun
port: 3024
targetPort: 3024
protocol: TCP
- name: mysql
port: 3036
targetPort: 3036
protocol: TCP
{{- if $proxy.separatePostgresListener }}
- name: postgres
port: 5432
targetPort: 5432
protocol: TCP
{{- end }}
{{- if $proxy.separateMongoListener }}
- name: mongo
port: 27017
targetPort: 27017
protocol: TCP
{{- end }}
{{- end }}
selector: {{- include "teleport-cluster.proxy.selectorLabels" . | nindent 4 }}


@ -1,70 +0,0 @@
{{- $proxy := mustMergeOverwrite (mustDeepCopy .Values) .Values.proxy -}}
{{- $backendProtocol := ternary "ssl" "tcp" (hasKey $proxy.annotations.service "service.beta.kubernetes.io/aws-load-balancer-ssl-cert") -}}
{{- /* Fail early if proxy service type is set to LoadBalancer when ingress.enabled=true */ -}}
{{- if and $proxy.ingress.enabled (eq $proxy.service.type "LoadBalancer") -}}
{{- fail "proxy.service.type must not be LoadBalancer when using an ingress - any load balancer should be provisioned by your ingress controller. Set proxy.service.type=ClusterIP instead" -}}
{{- end -}}
apiVersion: v1
kind: Service
metadata:
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
labels: {{- include "teleport-cluster.proxy.labels" . | nindent 4 }}
{{- if (or ($proxy.annotations.service) (eq $proxy.chartMode "aws")) }}
annotations:
{{- if and (eq $proxy.chartMode "aws") (not $proxy.ingress.enabled) }}
{{- if not (hasKey $proxy.annotations.service "service.beta.kubernetes.io/aws-load-balancer-backend-protocol")}}
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: {{ $backendProtocol }}
{{- end }}
{{- if not (or (hasKey $proxy.annotations.service "service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled") (hasKey $proxy.annotations.service "service.beta.kubernetes.io/aws-load-balancer-attributes"))}}
service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
{{- end }}
{{- if not (hasKey $proxy.annotations.service "service.beta.kubernetes.io/aws-load-balancer-type")}}
service.beta.kubernetes.io/aws-load-balancer-type: nlb
{{- end }}
{{- end }}
{{- if $proxy.annotations.service }}
{{- toYaml $proxy.annotations.service | nindent 4 }}
{{- end }}
{{- end }}
spec:
type: {{ default "LoadBalancer" $proxy.service.type }}
{{- with $proxy.service.spec }}
{{- toYaml . | nindent 2 }}
{{- end }}
ports:
- name: tls
port: 443
targetPort: 3080
protocol: TCP
{{- if ne $proxy.proxyListenerMode "multiplex" }}
- name: sshproxy
port: 3023
targetPort: 3023
protocol: TCP
- name: k8s
port: 3026
targetPort: 3026
protocol: TCP
- name: sshtun
port: 3024
targetPort: 3024
protocol: TCP
- name: mysql
port: 3036
targetPort: 3036
protocol: TCP
{{- if $proxy.separatePostgresListener }}
- name: postgres
port: 5432
targetPort: 5432
protocol: TCP
{{- end }}
{{- if $proxy.separateMongoListener }}
- name: mongo
port: 27017
targetPort: 27017
protocol: TCP
{{- end }}
{{- end }}
selector: {{- include "teleport-cluster.proxy.selectorLabels" . | nindent 4 }}


@ -1,11 +0,0 @@
{{- $proxy := mustMergeOverwrite (mustDeepCopy .Values) .Values.proxy -}}
{{- if $proxy.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "teleport-cluster.proxy.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- if $proxy.annotations.serviceAccount }}
annotations: {{- toYaml $proxy.annotations.serviceAccount | nindent 4 }}
{{- end -}}
{{- end }}


@ -1,27 +0,0 @@
adds operator permissions to ClusterRole:
1: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: RELEASE-NAME
rules:
- apiGroups:
- ""
resources:
- users
- groups
- serviceaccounts
verbs:
- impersonate
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- apiGroups:
- authorization.k8s.io
resources:
- selfsubjectaccessreviews
verbs:
- create


@ -1,492 +0,0 @@
? should not add named PersistentVolumeClaim as volume when in scratch mode, persistence.existingClaimName
is set and persistence.enabled is false
: 1: |
affinity:
podAntiAffinity: null
automountServiceAccountToken: false
containers:
- args:
- --diag-addr=0.0.0.0:3000
- --apply-on-startup=/etc/teleport/apply-on-startup.yaml
image: public.ecr.aws/gravitational/teleport-distroless:15.0.1
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- teleport
- wait
- duration
- 30s
livenessProbe:
failureThreshold: 6
httpGet:
path: /healthz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
name: teleport
ports:
- containerPort: 3000
name: diag
protocol: TCP
- containerPort: 3025
name: auth
protocol: TCP
- containerPort: 3026
name: kube
protocol: TCP
readinessProbe:
failureThreshold: 12
httpGet:
path: /readyz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
volumeMounts:
- mountPath: /etc/teleport
name: config
readOnly: true
- mountPath: /var/lib/teleport
name: data
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: auth-serviceaccount-token
readOnly: true
serviceAccountName: RELEASE-NAME
terminationGracePeriodSeconds: 60
volumes:
- name: auth-serviceaccount-token
projected:
sources:
- serviceAccountToken:
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
fieldPath: metadata.namespace
path: namespace
- configMap:
name: RELEASE-NAME-auth
name: config
- emptyDir: {}
name: data
should provision initContainer correctly when set in values:
1: |
- args:
- echo test
image: alpine
name: teleport-init
resources:
limits:
cpu: 2
memory: 4Gi
requests:
cpu: 1
memory: 2Gi
volumeMounts:
- mountPath: /etc/teleport
name: config
readOnly: true
- mountPath: /var/lib/teleport
name: data
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: auth-serviceaccount-token
readOnly: true
- args:
- echo test2
image: alpine
name: teleport-init2
resources:
limits:
cpu: 2
memory: 4Gi
requests:
cpu: 1
memory: 2Gi
volumeMounts:
- mountPath: /etc/teleport
name: config
readOnly: true
- mountPath: /var/lib/teleport
name: data
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: auth-serviceaccount-token
readOnly: true
should set affinity when set in values:
1: |
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: gravitational.io/dedicated
operator: In
values:
- teleport
should set imagePullSecrets when set in values:
1: |
- name: myRegistryKeySecretName
should set nodeSelector when set in values:
1: |
affinity:
podAntiAffinity: null
automountServiceAccountToken: false
containers:
- args:
- --diag-addr=0.0.0.0:3000
- --apply-on-startup=/etc/teleport/apply-on-startup.yaml
image: public.ecr.aws/gravitational/teleport-distroless:15.0.1
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- teleport
- wait
- duration
- 30s
livenessProbe:
failureThreshold: 6
httpGet:
path: /healthz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
name: teleport
ports:
- containerPort: 3000
name: diag
protocol: TCP
- containerPort: 3025
name: auth
protocol: TCP
- containerPort: 3026
name: kube
protocol: TCP
readinessProbe:
failureThreshold: 12
httpGet:
path: /readyz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
volumeMounts:
- mountPath: /etc/teleport
name: config
readOnly: true
- mountPath: /var/lib/teleport
name: data
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: auth-serviceaccount-token
readOnly: true
nodeSelector:
environment: security
role: bastion
serviceAccountName: RELEASE-NAME
terminationGracePeriodSeconds: 60
volumes:
- name: auth-serviceaccount-token
projected:
sources:
- serviceAccountToken:
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
fieldPath: metadata.namespace
path: namespace
- configMap:
name: RELEASE-NAME-auth
name: config
- name: data
persistentVolumeClaim:
claimName: RELEASE-NAME
should set required affinity when highAvailability.requireAntiAffinity is set:
1: |
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app.kubernetes.io/instance
operator: In
values:
- RELEASE-NAME
- key: app.kubernetes.io/component
operator: In
values:
- auth
topologyKey: kubernetes.io/hostname
should set resources when set in values:
1: |
affinity:
podAntiAffinity: null
automountServiceAccountToken: false
containers:
- args:
- --diag-addr=0.0.0.0:3000
- --apply-on-startup=/etc/teleport/apply-on-startup.yaml
image: public.ecr.aws/gravitational/teleport-distroless:15.0.1
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- teleport
- wait
- duration
- 30s
livenessProbe:
failureThreshold: 6
httpGet:
path: /healthz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
name: teleport
ports:
- containerPort: 3000
name: diag
protocol: TCP
- containerPort: 3025
name: auth
protocol: TCP
- containerPort: 3026
name: kube
protocol: TCP
readinessProbe:
failureThreshold: 12
httpGet:
path: /readyz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
resources:
limits:
cpu: 2
memory: 4Gi
requests:
cpu: 1
memory: 2Gi
volumeMounts:
- mountPath: /etc/teleport
name: config
readOnly: true
- mountPath: /var/lib/teleport
name: data
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: auth-serviceaccount-token
readOnly: true
serviceAccountName: RELEASE-NAME
terminationGracePeriodSeconds: 60
volumes:
- name: auth-serviceaccount-token
projected:
sources:
- serviceAccountToken:
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
fieldPath: metadata.namespace
path: namespace
- configMap:
name: RELEASE-NAME-auth
name: config
- name: data
persistentVolumeClaim:
claimName: RELEASE-NAME
should set securityContext when set in values:
1: |
affinity:
podAntiAffinity: null
automountServiceAccountToken: false
containers:
- args:
- --diag-addr=0.0.0.0:3000
- --apply-on-startup=/etc/teleport/apply-on-startup.yaml
image: public.ecr.aws/gravitational/teleport-distroless:15.0.1
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- teleport
- wait
- duration
- 30s
livenessProbe:
failureThreshold: 6
httpGet:
path: /healthz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
name: teleport
ports:
- containerPort: 3000
name: diag
protocol: TCP
- containerPort: 3025
name: auth
protocol: TCP
- containerPort: 3026
name: kube
protocol: TCP
readinessProbe:
failureThreshold: 12
httpGet:
path: /readyz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
securityContext:
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: false
runAsGroup: 99
runAsNonRoot: true
runAsUser: 99
volumeMounts:
- mountPath: /etc/teleport
name: config
readOnly: true
- mountPath: /var/lib/teleport
name: data
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: auth-serviceaccount-token
readOnly: true
serviceAccountName: RELEASE-NAME
terminationGracePeriodSeconds: 60
volumes:
- name: auth-serviceaccount-token
projected:
sources:
- serviceAccountToken:
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
fieldPath: metadata.namespace
path: namespace
- configMap:
name: RELEASE-NAME-auth
name: config
- name: data
persistentVolumeClaim:
claimName: RELEASE-NAME
should set tolerations when set in values:
1: |
- effect: NoExecute
key: dedicated
operator: Equal
value: teleport
- effect: NoSchedule
key: dedicated
operator: Equal
value: teleport
should use OSS image and not mount license when enterprise is not set in values:
1: |
affinity:
podAntiAffinity: null
automountServiceAccountToken: false
containers:
- args:
- --diag-addr=0.0.0.0:3000
- --apply-on-startup=/etc/teleport/apply-on-startup.yaml
image: public.ecr.aws/gravitational/teleport-distroless:12.2.1
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- teleport
- wait
- duration
- 30s
livenessProbe:
failureThreshold: 6
httpGet:
path: /healthz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
name: teleport
ports:
- containerPort: 3000
name: diag
protocol: TCP
- containerPort: 3025
name: auth
protocol: TCP
- containerPort: 3026
name: kube
protocol: TCP
readinessProbe:
failureThreshold: 12
httpGet:
path: /readyz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
volumeMounts:
- mountPath: /etc/teleport
name: config
readOnly: true
- mountPath: /var/lib/teleport
name: data
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: auth-serviceaccount-token
readOnly: true
serviceAccountName: RELEASE-NAME
terminationGracePeriodSeconds: 60
volumes:
- name: auth-serviceaccount-token
projected:
sources:
- serviceAccountToken:
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
fieldPath: metadata.namespace
path: namespace
- configMap:
name: RELEASE-NAME-auth
name: config
- name: data
persistentVolumeClaim:
claimName: RELEASE-NAME


@ -1,530 +0,0 @@
generates a config WITHOUT proxy_service.trust_x_forwarded_for=true when version < 14.0.0 and ingress.enabled is not set:
1: |
|-
auth_service:
enabled: false
proxy_service:
enabled: true
kube_listen_addr: 0.0.0.0:3026
listen_addr: 0.0.0.0:3023
mysql_listen_addr: 0.0.0.0:3036
public_addr: helm-test.example.com:443
tunnel_listen_addr: 0.0.0.0:3024
ssh_service:
enabled: false
teleport:
auth_server: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3025
join_params:
method: kubernetes
token_name: RELEASE-NAME-proxy
log:
format:
extra_fields:
- timestamp
- level
- component
- caller
output: text
output: stderr
severity: INFO
version: v3
generates a config WITHOUT proxy_service.trust_x_forwarded_for=true when version < 14.0.0 and ingress.enabled=true:
1: |
|-
auth_service:
enabled: false
proxy_service:
enabled: true
public_addr: helm-test.example.com:443
ssh_service:
enabled: false
teleport:
auth_server: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3025
join_params:
method: kubernetes
token_name: RELEASE-NAME-proxy
log:
format:
extra_fields:
- timestamp
- level
- component
- caller
output: text
output: stderr
severity: INFO
version: v3
generates a config WITHOUT proxy_service.trust_x_forwarded_for=true when version >=14.0.0 and ingress.enabled is not set:
1: |
|-
auth_service:
enabled: false
proxy_service:
enabled: true
kube_listen_addr: 0.0.0.0:3026
listen_addr: 0.0.0.0:3023
mysql_listen_addr: 0.0.0.0:3036
public_addr: helm-test.example.com:443
tunnel_listen_addr: 0.0.0.0:3024
ssh_service:
enabled: false
teleport:
auth_server: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3025
join_params:
method: kubernetes
token_name: RELEASE-NAME-proxy
log:
format:
extra_fields:
- timestamp
- level
- component
- caller
output: text
output: stderr
severity: INFO
version: v3
generates a config with a clusterName containing a regular string:
1: |
|-
auth_service:
enabled: false
proxy_service:
enabled: true
kube_listen_addr: 0.0.0.0:3026
listen_addr: 0.0.0.0:3023
mysql_listen_addr: 0.0.0.0:3036
public_addr: helm-test.example.com:443
tunnel_listen_addr: 0.0.0.0:3024
ssh_service:
enabled: false
teleport:
auth_server: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3025
join_params:
method: kubernetes
token_name: RELEASE-NAME-proxy
log:
format:
extra_fields:
- timestamp
- level
- component
- caller
output: text
output: stderr
severity: INFO
version: v3
generates a config with proxy_service.trust_x_forwarded_for=true when version = 14.0.0-rc.1 and ingress.enabled=true:
1: |
|-
auth_service:
enabled: false
proxy_service:
enabled: true
public_addr: helm-test.example.com:443
trust_x_forwarded_for: true
ssh_service:
enabled: false
teleport:
auth_server: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3025
join_params:
method: kubernetes
token_name: RELEASE-NAME-proxy
log:
format:
extra_fields:
- timestamp
- level
- component
- caller
output: text
output: stderr
severity: INFO
version: v3
generates a config with proxy_service.trust_x_forwarded_for=true when version >=14.0.0 and ingress.enabled=true:
1: |
|-
auth_service:
enabled: false
proxy_service:
enabled: true
public_addr: helm-test.example.com:443
trust_x_forwarded_for: true
ssh_service:
enabled: false
teleport:
auth_server: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3025
join_params:
method: kubernetes
token_name: RELEASE-NAME-proxy
log:
format:
extra_fields:
- timestamp
- level
- component
- caller
output: text
output: stderr
severity: INFO
version: v3
matches snapshot for acme-on.yaml:
1: |
|-
auth_service:
enabled: false
proxy_service:
acme:
email: test@email.com
enabled: true
enabled: true
kube_listen_addr: 0.0.0.0:3026
listen_addr: 0.0.0.0:3023
mysql_listen_addr: 0.0.0.0:3036
public_addr: test-acme-cluster:443
tunnel_listen_addr: 0.0.0.0:3024
ssh_service:
enabled: false
teleport:
auth_server: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3025
join_params:
method: kubernetes
token_name: RELEASE-NAME-proxy
log:
format:
extra_fields:
- timestamp
- level
- component
- caller
output: text
output: stderr
severity: INFO
version: v3
matches snapshot for acme-uri-staging.yaml:
1: |
|-
auth_service:
enabled: false
proxy_service:
acme:
email: test@email.com
enabled: true
uri: https://acme-staging-v02.api.letsencrypt.org/directory
enabled: true
kube_listen_addr: 0.0.0.0:3026
listen_addr: 0.0.0.0:3023
mysql_listen_addr: 0.0.0.0:3036
public_addr: test-acme-cluster:443
tunnel_listen_addr: 0.0.0.0:3024
ssh_service:
enabled: false
teleport:
auth_server: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3025
join_params:
method: kubernetes
token_name: RELEASE-NAME-proxy
log:
format:
extra_fields:
- timestamp
- level
- component
- caller
output: text
output: stderr
severity: INFO
version: v3
matches snapshot for aws-ha-acme.yaml:
1: |
|-
auth_service:
enabled: false
proxy_service:
enabled: true
https_keypairs:
- cert_file: /etc/teleport-tls/tls.crt
key_file: /etc/teleport-tls/tls.key
https_keypairs_reload_interval: 12h
kube_listen_addr: 0.0.0.0:3026
listen_addr: 0.0.0.0:3023
mysql_listen_addr: 0.0.0.0:3036
public_addr: test-aws-cluster:443
tunnel_listen_addr: 0.0.0.0:3024
ssh_service:
enabled: false
teleport:
auth_server: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3025
join_params:
method: kubernetes
token_name: RELEASE-NAME-proxy
log:
format:
extra_fields:
- timestamp
- level
- component
- caller
output: text
output: stderr
severity: INFO
version: v3
matches snapshot for existing-tls-secret.yaml:
1: |
|-
auth_service:
enabled: false
proxy_service:
enabled: true
https_keypairs:
- cert_file: /etc/teleport-tls/tls.crt
key_file: /etc/teleport-tls/tls.key
https_keypairs_reload_interval: 12h
kube_listen_addr: 0.0.0.0:3026
listen_addr: 0.0.0.0:3023
mysql_listen_addr: 0.0.0.0:3036
public_addr: test-cluster-name:443
tunnel_listen_addr: 0.0.0.0:3024
ssh_service:
enabled: false
teleport:
auth_server: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3025
join_params:
method: kubernetes
token_name: RELEASE-NAME-proxy
log:
format:
extra_fields:
- timestamp
- level
- component
- caller
output: text
output: stderr
severity: INFO
version: v3
matches snapshot for log-basic.yaml:
1: |
|-
auth_service:
enabled: false
proxy_service:
enabled: true
kube_listen_addr: 0.0.0.0:3026
listen_addr: 0.0.0.0:3023
mysql_listen_addr: 0.0.0.0:3036
public_addr: test-log-cluster:443
tunnel_listen_addr: 0.0.0.0:3024
ssh_service:
enabled: false
teleport:
auth_server: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3025
join_params:
method: kubernetes
token_name: RELEASE-NAME-proxy
log:
format:
extra_fields:
- timestamp
- level
- component
- caller
output: json
output: stderr
severity: INFO
version: v3
matches snapshot for log-extra.yaml:
1: |
|-
auth_service:
enabled: false
proxy_service:
enabled: true
kube_listen_addr: 0.0.0.0:3026
listen_addr: 0.0.0.0:3023
mysql_listen_addr: 0.0.0.0:3036
public_addr: test-log-cluster:443
tunnel_listen_addr: 0.0.0.0:3024
ssh_service:
enabled: false
teleport:
auth_server: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3025
join_params:
method: kubernetes
token_name: RELEASE-NAME-proxy
log:
format:
extra_fields:
- level
- timestamp
- component
- caller
output: json
output: /var/lib/teleport/test.log
severity: DEBUG
version: v3
matches snapshot for proxy-listener-mode-multiplex.yaml:
1: |
|-
auth_service:
enabled: false
proxy_service:
enabled: true
public_addr: test-proxy-listener-mode:443
ssh_service:
enabled: false
teleport:
auth_server: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3025
join_params:
method: kubernetes
token_name: RELEASE-NAME-proxy
log:
format:
extra_fields:
- timestamp
- level
- component
- caller
output: text
output: stderr
severity: INFO
version: v3
matches snapshot for proxy-listener-mode-separate.yaml:
1: |
|-
auth_service:
enabled: false
proxy_service:
enabled: true
kube_listen_addr: 0.0.0.0:3026
listen_addr: 0.0.0.0:3023
mysql_listen_addr: 0.0.0.0:3036
public_addr: test-proxy-listener-mode:443
tunnel_listen_addr: 0.0.0.0:3024
ssh_service:
enabled: false
teleport:
auth_server: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3025
join_params:
method: kubernetes
token_name: RELEASE-NAME-proxy
log:
format:
extra_fields:
- timestamp
- level
- component
- caller
output: text
output: stderr
severity: INFO
version: v3
matches snapshot for public-addresses.yaml:
1: |
|-
auth_service:
enabled: false
proxy_service:
enabled: true
kube_listen_addr: 0.0.0.0:3026
kube_public_addr:
- loadbalancer.example.com:3026
listen_addr: 0.0.0.0:3023
mongo_listen_addr: 0.0.0.0:27017
mongo_public_addr:
- loadbalancer.example.com:27017
mysql_listen_addr: 0.0.0.0:3036
mysql_public_addr:
- loadbalancer.example.com:3036
postgres_listen_addr: 0.0.0.0:5432
postgres_public_addr:
- loadbalancer.example.com:5432
public_addr:
- loadbalancer.example.com:443
ssh_public_addr:
- loadbalancer.example.com:3023
tunnel_listen_addr: 0.0.0.0:3024
tunnel_public_addr:
- loadbalancer.example.com:3024
ssh_service:
enabled: false
teleport:
auth_server: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3025
join_params:
method: kubernetes
token_name: RELEASE-NAME-proxy
log:
format:
extra_fields:
- timestamp
- level
- component
- caller
output: text
output: stderr
severity: INFO
version: v3
matches snapshot for separate-mongo-listener.yaml:
1: |
|-
auth_service:
enabled: false
proxy_service:
enabled: true
kube_listen_addr: 0.0.0.0:3026
listen_addr: 0.0.0.0:3023
mongo_listen_addr: 0.0.0.0:27017
mongo_public_addr: helm-lint:27017
mysql_listen_addr: 0.0.0.0:3036
public_addr: helm-lint:443
tunnel_listen_addr: 0.0.0.0:3024
ssh_service:
enabled: false
teleport:
auth_server: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3025
join_params:
method: kubernetes
token_name: RELEASE-NAME-proxy
log:
format:
extra_fields:
- timestamp
- level
- component
- caller
output: text
output: stderr
severity: INFO
version: v3
matches snapshot for separate-postgres-listener.yaml:
1: |
|-
auth_service:
enabled: false
proxy_service:
enabled: true
kube_listen_addr: 0.0.0.0:3026
listen_addr: 0.0.0.0:3023
mysql_listen_addr: 0.0.0.0:3036
postgres_listen_addr: 0.0.0.0:5432
postgres_public_addr: helm-lint:5432
public_addr: helm-lint:443
tunnel_listen_addr: 0.0.0.0:3024
ssh_service:
enabled: false
teleport:
auth_server: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3025
join_params:
method: kubernetes
token_name: RELEASE-NAME-proxy
log:
format:
extra_fields:
- timestamp
- level
- component
- caller
output: text
output: stderr
severity: INFO
version: v3

@ -1,495 +0,0 @@
should provision initContainer correctly when set in values:
1: |
- command:
- teleport
- wait
- no-resolve
- RELEASE-NAME-auth-v14.NAMESPACE.svc.cluster.local
image: public.ecr.aws/gravitational/teleport-distroless:15.0.1
name: wait-auth-update
- args:
- echo test
image: alpine
name: teleport-init
resources:
limits:
cpu: 2
memory: 4Gi
requests:
cpu: 1
memory: 2Gi
volumeMounts:
- mountPath: /etc/teleport
name: config
readOnly: true
- mountPath: /var/lib/teleport
name: data
- args:
- echo test2
image: alpine
name: teleport-init2
resources:
limits:
cpu: 2
memory: 4Gi
requests:
cpu: 1
memory: 2Gi
volumeMounts:
- mountPath: /etc/teleport
name: config
readOnly: true
- mountPath: /var/lib/teleport
name: data
should set affinity when set in values:
1: |
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: gravitational.io/dedicated
operator: In
values:
- teleport
should set imagePullSecrets when set in values:
1: |
- name: myRegistryKeySecretName
should set nodeSelector when set in values:
1: |
affinity:
podAntiAffinity: null
automountServiceAccountToken: false
containers:
- args:
- --diag-addr=0.0.0.0:3000
image: public.ecr.aws/gravitational/teleport-distroless:15.0.1
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- teleport
- wait
- duration
- 30s
livenessProbe:
failureThreshold: 6
httpGet:
path: /healthz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
name: teleport
ports:
- containerPort: 3080
name: tls
protocol: TCP
- containerPort: 3023
name: sshproxy
protocol: TCP
- containerPort: 3024
name: sshtun
protocol: TCP
- containerPort: 3026
name: kube
protocol: TCP
- containerPort: 3036
name: mysql
protocol: TCP
- containerPort: 3000
name: diag
protocol: TCP
readinessProbe:
failureThreshold: 12
httpGet:
path: /readyz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
volumeMounts:
- mountPath: /etc/teleport
name: config
readOnly: true
- mountPath: /var/lib/teleport
name: data
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: proxy-serviceaccount-token
readOnly: true
initContainers:
- command:
- teleport
- wait
- no-resolve
- RELEASE-NAME-auth-v14.NAMESPACE.svc.cluster.local
image: public.ecr.aws/gravitational/teleport-distroless:15.0.1
name: wait-auth-update
nodeSelector:
environment: security
role: bastion
serviceAccountName: RELEASE-NAME-proxy
terminationGracePeriodSeconds: 60
volumes:
- name: proxy-serviceaccount-token
projected:
sources:
- serviceAccountToken:
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
fieldPath: metadata.namespace
path: namespace
- configMap:
name: RELEASE-NAME-proxy
name: config
- emptyDir: {}
name: data
should set required affinity when highAvailability.requireAntiAffinity is set:
1: |
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app.kubernetes.io/instance
operator: In
values:
- RELEASE-NAME
- key: app.kubernetes.io/component
operator: In
values:
- proxy
topologyKey: kubernetes.io/hostname
should set resources when set in values:
1: |
affinity:
podAntiAffinity: null
automountServiceAccountToken: false
containers:
- args:
- --diag-addr=0.0.0.0:3000
image: public.ecr.aws/gravitational/teleport-distroless:15.0.1
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- teleport
- wait
- duration
- 30s
livenessProbe:
failureThreshold: 6
httpGet:
path: /healthz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
name: teleport
ports:
- containerPort: 3080
name: tls
protocol: TCP
- containerPort: 3023
name: sshproxy
protocol: TCP
- containerPort: 3024
name: sshtun
protocol: TCP
- containerPort: 3026
name: kube
protocol: TCP
- containerPort: 3036
name: mysql
protocol: TCP
- containerPort: 3000
name: diag
protocol: TCP
readinessProbe:
failureThreshold: 12
httpGet:
path: /readyz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
resources:
limits:
cpu: 2
memory: 4Gi
requests:
cpu: 1
memory: 2Gi
volumeMounts:
- mountPath: /etc/teleport
name: config
readOnly: true
- mountPath: /var/lib/teleport
name: data
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: proxy-serviceaccount-token
readOnly: true
initContainers:
- command:
- teleport
- wait
- no-resolve
- RELEASE-NAME-auth-v14.NAMESPACE.svc.cluster.local
image: public.ecr.aws/gravitational/teleport-distroless:15.0.1
name: wait-auth-update
serviceAccountName: RELEASE-NAME-proxy
terminationGracePeriodSeconds: 60
volumes:
- name: proxy-serviceaccount-token
projected:
sources:
- serviceAccountToken:
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
fieldPath: metadata.namespace
path: namespace
- configMap:
name: RELEASE-NAME-proxy
name: config
- emptyDir: {}
name: data
should set securityContext for initContainers when set in values:
1: |
affinity:
podAntiAffinity: null
automountServiceAccountToken: false
containers:
- args:
- --diag-addr=0.0.0.0:3000
image: public.ecr.aws/gravitational/teleport-distroless:15.0.1
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- teleport
- wait
- duration
- 30s
livenessProbe:
failureThreshold: 6
httpGet:
path: /healthz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
name: teleport
ports:
- containerPort: 3080
name: tls
protocol: TCP
- containerPort: 3023
name: sshproxy
protocol: TCP
- containerPort: 3024
name: sshtun
protocol: TCP
- containerPort: 3026
name: kube
protocol: TCP
- containerPort: 3036
name: mysql
protocol: TCP
- containerPort: 3000
name: diag
protocol: TCP
readinessProbe:
failureThreshold: 12
httpGet:
path: /readyz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
securityContext:
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: false
runAsGroup: 99
runAsNonRoot: true
runAsUser: 99
volumeMounts:
- mountPath: /etc/teleport
name: config
readOnly: true
- mountPath: /var/lib/teleport
name: data
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: proxy-serviceaccount-token
readOnly: true
initContainers:
- command:
- teleport
- wait
- no-resolve
- RELEASE-NAME-auth-v14.NAMESPACE.svc.cluster.local
image: public.ecr.aws/gravitational/teleport-distroless:15.0.1
name: wait-auth-update
securityContext:
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: false
runAsGroup: 99
runAsNonRoot: true
runAsUser: 99
serviceAccountName: RELEASE-NAME-proxy
terminationGracePeriodSeconds: 60
volumes:
- name: proxy-serviceaccount-token
projected:
sources:
- serviceAccountToken:
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
fieldPath: metadata.namespace
path: namespace
- configMap:
name: RELEASE-NAME-proxy
name: config
- emptyDir: {}
name: data
should set securityContext when set in values:
1: |
affinity:
podAntiAffinity: null
automountServiceAccountToken: false
containers:
- args:
- --diag-addr=0.0.0.0:3000
image: public.ecr.aws/gravitational/teleport-distroless:15.0.1
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- teleport
- wait
- duration
- 30s
livenessProbe:
failureThreshold: 6
httpGet:
path: /healthz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
name: teleport
ports:
- containerPort: 3080
name: tls
protocol: TCP
- containerPort: 3023
name: sshproxy
protocol: TCP
- containerPort: 3024
name: sshtun
protocol: TCP
- containerPort: 3026
name: kube
protocol: TCP
- containerPort: 3036
name: mysql
protocol: TCP
- containerPort: 3000
name: diag
protocol: TCP
readinessProbe:
failureThreshold: 12
httpGet:
path: /readyz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
securityContext:
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: false
runAsGroup: 99
runAsNonRoot: true
runAsUser: 99
volumeMounts:
- mountPath: /etc/teleport
name: config
readOnly: true
- mountPath: /var/lib/teleport
name: data
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: proxy-serviceaccount-token
readOnly: true
initContainers:
- command:
- teleport
- wait
- no-resolve
- RELEASE-NAME-auth-v14.NAMESPACE.svc.cluster.local
image: public.ecr.aws/gravitational/teleport-distroless:15.0.1
name: wait-auth-update
securityContext:
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: false
runAsGroup: 99
runAsNonRoot: true
runAsUser: 99
serviceAccountName: RELEASE-NAME-proxy
terminationGracePeriodSeconds: 60
volumes:
- name: proxy-serviceaccount-token
projected:
sources:
- serviceAccountToken:
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
fieldPath: metadata.namespace
path: namespace
- configMap:
name: RELEASE-NAME-proxy
name: config
- emptyDir: {}
name: data
should set tolerations when set in values:
1: |
- effect: NoExecute
key: dedicated
operator: Equal
value: teleport
- effect: NoSchedule
key: dedicated
operator: Equal
value: teleport

@ -1,19 +0,0 @@
suite: Auth ClusterRole
templates:
- auth/clusterrole.yaml
tests:
- it: creates a ClusterRole
asserts:
- hasDocuments:
count: 1
- isKind:
of: ClusterRole
- it: adds operator permissions to ClusterRole
values:
- ../.lint/operator.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ClusterRole
- matchSnapshot: {}

@ -1,20 +0,0 @@
suite: Auth ClusterRoleBinding
templates:
- auth/clusterrolebinding.yaml
tests:
- it: creates a ClusterRoleBinding
asserts:
- hasDocuments:
count: 2
- isKind:
of: ClusterRoleBinding
- it: uses the provided serviceAccount name
values:
- ../.lint/service-account.yaml
asserts:
- contains:
path: subjects
any: true
content:
kind: ServiceAccount
name: "helm-lint"

@ -1,512 +0,0 @@
suite: ConfigMap
templates:
- auth/config.yaml
tests:
- it: matches snapshot for acme-off.yaml
values:
- ../.lint/acme-off.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for acme-on.yaml
values:
- ../.lint/acme-on.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for acme-uri-staging.yaml
values:
- ../.lint/acme-on.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: wears annotations (annotations.yaml)
values:
- ../.lint/annotations.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- equal:
path: metadata.annotations.kubernetes\.io/config
value: test-annotation
- equal:
path: metadata.annotations.kubernetes\.io/config-different
value: 2
- it: matches snapshot for auth-connector-name.yaml
values:
- ../.lint/auth-connector-name.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for auth-disable-local.yaml
values:
- ../.lint/auth-disable-local.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for auth-locking-mode.yaml
values:
- ../.lint/auth-locking-mode.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for auth-passwordless.yaml
values:
- ../.lint/auth-passwordless.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for auth-type.yaml
values:
- ../.lint/auth-type.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for auth-type-legacy.yaml
values:
- ../.lint/auth-type-legacy.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for auth-webauthn.yaml
values:
- ../.lint/auth-webauthn.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for auth-webauthn-legacy.yaml
values:
- ../.lint/auth-webauthn-legacy.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for aws.yaml
values:
- ../.lint/aws.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for aws-dynamodb-autoscaling.yaml
values:
- ../.lint/aws-dynamodb-autoscaling.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for aws-ha.yaml
values:
- ../.lint/aws-ha.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for aws-ha-acme.yaml
values:
- ../.lint/aws-ha-acme.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for aws-ha-antiaffinity.yaml
values:
- ../.lint/aws-ha-antiaffinity.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for aws-ha-log.yaml
values:
- ../.lint/aws-ha-log.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for existing-tls-secret.yaml
values:
- ../.lint/existing-tls-secret.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for existing-tls-secret-with-ca.yaml
values:
- ../.lint/existing-tls-secret-with-ca.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for gcp-ha-acme.yaml
values:
- ../.lint/gcp-ha-acme.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for gcp-ha-antiaffinity.yaml
values:
- ../.lint/gcp-ha-antiaffinity.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for gcp-ha-log.yaml
values:
- ../.lint/gcp-ha-log.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for gcp.yaml
values:
- ../.lint/gcp.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for initcontainers.yaml
values:
- ../.lint/initcontainers.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for kube-cluster-name.yaml
values:
- ../.lint/kube-cluster-name.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for log-basic.yaml
values:
- ../.lint/log-basic.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for log-extra.yaml
values:
- ../.lint/log-extra.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for log-legacy.yaml
values:
- ../.lint/log-legacy.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for priority-class-name.yaml
values:
- ../.lint/priority-class-name.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for proxy-listener-mode-multiplex.yaml
values:
- ../.lint/proxy-listener-mode-multiplex.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for proxy-listener-mode-separate.yaml
values:
- ../.lint/proxy-listener-mode-separate.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for service.yaml
values:
- ../.lint/service.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for separate-mongo-listener.yaml
values:
- ../.lint/separate-mongo-listener.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for separate-postgres-listener.yaml
values:
- ../.lint/separate-postgres-listener.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for public-addresses.yaml
values:
- ../.lint/public-addresses.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for session-recording.yaml
values:
- ../.lint/session-recording.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for standalone-customsize.yaml
values:
- ../.lint/standalone-customsize.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for standalone-existingpvc.yaml
values:
- ../.lint/standalone-existingpvc.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for tolerations.yaml
values:
- ../.lint/tolerations.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for version-override.yaml
values:
- ../.lint/version-override.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for volumes.yaml
values:
- ../.lint/volumes.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: adds a proxy token by default
set:
clusterName: teleport.example.com
asserts:
- notEqual:
path: data.apply-on-startup\.yaml
value: null
- matchSnapshot:
path: data.apply-on-startup\.yaml
- it: matches snapshot for azure.yaml
values:
- ../.lint/azure.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for azure.yaml without pool_max_conn
values:
- ../.lint/azure.yaml
set:
azure:
databasePoolMaxConnections: 0
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: sets "provisioned" billing mode when autoscaling is enabled
values:
- ../.lint/aws-dynamodb-autoscaling.yaml
asserts:
- matchRegex:
path: data.teleport\.yaml
pattern: 'billing_mode: provisioned'

@ -1,830 +0,0 @@
suite: Auth Deployment
templates:
- auth/deployment.yaml
- auth/config.yaml
tests:
- it: sets Statefulset annotations when specified
template: auth/deployment.yaml
values:
- ../.lint/annotations.yaml
asserts:
- equal:
path: metadata.annotations.kubernetes\.io/deployment
value: test-annotation
- equal:
path: metadata.annotations.kubernetes\.io/deployment-different
value: 3
- it: sets Pod annotations when specified
template: auth/deployment.yaml
values:
- ../.lint/annotations.yaml
asserts:
- equal:
path: spec.template.metadata.annotations.kubernetes\.io/pod
value: test-annotation
- equal:
path: spec.template.metadata.annotations.kubernetes\.io/pod-different
value: 4
- it: should not have more than one replica in standalone mode
template: auth/deployment.yaml
set:
chartMode: standalone
clusterName: helm-lint.example.com
asserts:
- equal:
path: spec.replicas
value: 1
- it: should have multiple replicas when replicaCount is set
template: auth/deployment.yaml
set:
chartMode: scratch
clusterName: helm-lint.example.com
highAvailability:
replicaCount: 3
asserts:
- equal:
path: spec.replicas
value: 3
- it: should set affinity when set in values
template: auth/deployment.yaml
set:
clusterName: helm-lint.example.com
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: gravitational.io/dedicated
operator: In
values:
- teleport
asserts:
- isNotNull:
path: spec.template.spec.affinity
- matchSnapshot:
path: spec.template.spec.affinity
- it: should set nodeSelector when set in values
template: auth/deployment.yaml
set:
chartMode: scratch
clusterName: helm-lint.example.com
nodeSelector:
role: bastion
environment: security
asserts:
- isNotNull:
path: spec.template.spec.nodeSelector
- matchSnapshot:
path: spec.template.spec
- it: should set required affinity when highAvailability.requireAntiAffinity is set
template: auth/deployment.yaml
values:
- ../.lint/aws-ha-antiaffinity.yaml
asserts:
- isNotNull:
path: spec.template.spec.affinity
- isNotNull:
path: spec.template.spec.affinity.podAntiAffinity
- isNotNull:
path: spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution
- matchSnapshot:
path: spec.template.spec.affinity
- it: should set tolerations when set in values
template: auth/deployment.yaml
values:
- ../.lint/tolerations.yaml
asserts:
- isNotNull:
path: spec.template.spec.tolerations
- matchSnapshot:
path: spec.template.spec.tolerations
- it: should set resources when set in values
template: auth/deployment.yaml
values:
- ../.lint/resources.yaml
asserts:
- equal:
path: spec.template.spec.containers[0].resources.limits.cpu
value: 2
- equal:
path: spec.template.spec.containers[0].resources.limits.memory
value: 4Gi
- equal:
path: spec.template.spec.containers[0].resources.requests.cpu
value: 1
- equal:
path: spec.template.spec.containers[0].resources.requests.memory
value: 2Gi
- matchSnapshot:
path: spec.template.spec
- it: should set securityContext when set in values
template: auth/deployment.yaml
values:
- ../.lint/security-context.yaml
asserts:
- equal:
path: spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation
value: false
- equal:
path: spec.template.spec.containers[0].securityContext.privileged
value: false
- equal:
path: spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem
value: false
- equal:
path: spec.template.spec.containers[0].securityContext.runAsGroup
value: 99
- equal:
path: spec.template.spec.containers[0].securityContext.runAsNonRoot
value: true
- equal:
path: spec.template.spec.containers[0].securityContext.runAsUser
value: 99
- matchSnapshot:
path: spec.template.spec
- it: should not set securityContext when is empty object (default value)
template: auth/deployment.yaml
values:
- ../.lint/security-context-empty.yaml
asserts:
- isNull:
path: spec.template.spec.containers[0].securityContext
# we can't use the dynamic chart version or appVersion as a variable in the tests,
# so we override it manually and check that gets set instead
# this saves us having to update the test every time we cut a new release
- it: should use enterprise image and mount license when enterprise is set in values
template: auth/deployment.yaml
set:
clusterName: helm-lint.example.com
enterprise: true
teleportVersionOverride: 12.2.1
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: public.ecr.aws/gravitational/teleport-ent-distroless:12.2.1
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /var/lib/license
name: "license"
readOnly: true
- contains:
path: spec.template.spec.volumes
content:
name: license
secret:
secretName: license
- it: should use OSS image and not mount license when enterprise is not set in values
template: auth/deployment.yaml
set:
clusterName: helm-lint
teleportVersionOverride: 12.2.1
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: public.ecr.aws/gravitational/teleport-distroless:12.2.1
- notContains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /var/lib/license
name: "license"
readOnly: true
- notContains:
path: spec.template.spec.volumes
content:
name: license
secret:
secretName: license
- matchSnapshot:
path: spec.template.spec
- it: should mount GCP credentials in GCP mode
template: auth/deployment.yaml
values:
- ../.lint/gcp-ha.yaml
asserts:
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /etc/teleport-secrets
name: "gcp-credentials"
readOnly: true
- contains:
path: spec.template.spec.volumes
content:
name: gcp-credentials
secret:
secretName: teleport-gcp-credentials
- it: should not mount secret when credentialSecretName is blank in values
template: auth/deployment.yaml
values:
- ../.lint/gcp-ha-workload.yaml
asserts:
- notContains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /etc/teleport-secrets
name: "gcp-credentials"
readOnly: true
- notContains:
path: spec.template.spec.volumes
content:
name: gcp-credentials
secret:
secretName: teleport-gcp-credentials
- it: should mount GCP credentials for initContainer in GCP mode
template: auth/deployment.yaml
values:
- ../.lint/gcp-ha.yaml
- ../.lint/initcontainers.yaml
asserts:
- contains:
path: spec.template.spec.initContainers[0].volumeMounts
content:
mountPath: /etc/teleport-secrets
name: "gcp-credentials"
readOnly: true
- it: should mount ConfigMap containing Teleport config
template: auth/deployment.yaml
set:
clusterName: helm-lint.example.com
asserts:
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /etc/teleport
name: "config"
readOnly: true
- contains:
path: spec.template.spec.volumes
content:
name: config
configMap:
name: RELEASE-NAME-auth
- it: should mount extraVolumes and extraVolumeMounts on container and initContainers
template: auth/deployment.yaml
values:
- ../.lint/volumes.yaml
- ../.lint/initcontainers.yaml
asserts:
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /path/to/mount
name: my-mount
- contains:
path: spec.template.spec.initContainers[0].volumeMounts
content:
mountPath: /path/to/mount
name: my-mount
- contains:
path: spec.template.spec.initContainers[1].volumeMounts
content:
mountPath: /path/to/mount
name: my-mount
- contains:
path: spec.template.spec.volumes
content:
name: my-mount
secret:
secretName: mySecret
- it: should set imagePullPolicy when set in values
template: auth/deployment.yaml
set:
clusterName: helm-lint.example.com
imagePullPolicy: Always
asserts:
- equal:
path: spec.template.spec.containers[0].imagePullPolicy
value: Always
- it: should have only one container when no `extraContainers` is set in values
template: auth/deployment.yaml
set:
extraContainers: []
clusterName: helm-lint.example.com
asserts:
- isNotNull:
path: spec.template.spec.containers[0]
- isNull:
path: spec.template.spec.containers[1]
- it: should add one more container when `extraContainers` is set in values
template: auth/deployment.yaml
values:
- ../.lint/extra-containers.yaml
asserts:
- equal:
path: spec.template.spec.containers[1]
value:
name: nscenter
command:
- /bin/bash
- -c
- sleep infinity & wait
image: praqma/network-multitool
imagePullPolicy: IfNotPresent
securityContext:
privileged: true
runAsNonRoot: false
- it: should set environment when extraEnv set in values
template: auth/deployment.yaml
values:
- ../.lint/extra-env.yaml
asserts:
- contains:
path: spec.template.spec.containers[0].env
content:
name: SOME_ENVIRONMENT_VARIABLE
value: "some-value"
- it: should set imagePullSecrets when set in values
template: auth/deployment.yaml
values:
- ../.lint/imagepullsecrets.yaml
asserts:
- equal:
path: spec.template.spec.imagePullSecrets[0].name
value: myRegistryKeySecretName
- matchSnapshot:
path: spec.template.spec.imagePullSecrets
- it: should provision initContainer correctly when set in values
template: auth/deployment.yaml
values:
- ../.lint/initcontainers.yaml
- ../.lint/resources.yaml
- ../.lint/extra-env.yaml
asserts:
- contains:
path: spec.template.spec.initContainers[0].args
content: "echo test"
- equal:
path: spec.template.spec.initContainers[0].name
value: "teleport-init"
- equal:
path: spec.template.spec.initContainers[0].image
value: "alpine"
- equal:
path: spec.template.spec.initContainers[0].resources.limits.cpu
value: 2
- equal:
path: spec.template.spec.initContainers[0].resources.limits.memory
value: 4Gi
- equal:
path: spec.template.spec.initContainers[0].resources.requests.cpu
value: 1
- equal:
path: spec.template.spec.initContainers[0].resources.requests.memory
value: 2Gi
- contains:
path: spec.template.spec.initContainers[1].args
content: "echo test2"
- equal:
path: spec.template.spec.initContainers[1].name
value: "teleport-init2"
- equal:
path: spec.template.spec.initContainers[1].image
value: "alpine"
- equal:
path: spec.template.spec.initContainers[1].resources.limits.cpu
value: 2
- equal:
path: spec.template.spec.initContainers[1].resources.limits.memory
value: 4Gi
- equal:
path: spec.template.spec.initContainers[1].resources.requests.cpu
value: 1
- equal:
path: spec.template.spec.initContainers[1].resources.requests.memory
value: 2Gi
- matchSnapshot:
path: spec.template.spec.initContainers
- it: should add insecureSkipProxyTLSVerify to args when set in values
template: auth/deployment.yaml
set:
clusterName: helm-lint.example.com
insecureSkipProxyTLSVerify: true
asserts:
- contains:
path: spec.template.spec.containers[0].args
content: "--insecure"
- it: should expose diag port
template: auth/deployment.yaml
set:
clusterName: helm-lint.example.com
asserts:
- contains:
path: spec.template.spec.containers[0].ports
content:
name: diag
containerPort: 3000
protocol: TCP
- it: should expose auth port
template: auth/deployment.yaml
set:
clusterName: helm-lint.example.com
asserts:
- contains:
path: spec.template.spec.containers[0].ports
content:
name: auth
containerPort: 3025
protocol: TCP
- it: should expose kube port
template: auth/deployment.yaml
set:
clusterName: helm-lint.example.com
asserts:
- contains:
path: spec.template.spec.containers[0].ports
content:
name: kube
containerPort: 3026
protocol: TCP
- it: should set postStart command if set in values
template: auth/deployment.yaml
set:
clusterName: helm-lint.example.com
postStart:
command: ["/bin/echo", "test"]
asserts:
- equal:
path: spec.template.spec.containers[0].lifecycle.postStart.exec.command
value: ["/bin/echo", "test"]
- it: should add PersistentVolumeClaim as volume when in standalone mode and persistence.enabled is true
template: auth/deployment.yaml
set:
chartMode: standalone
clusterName: helm-lint.example.com
persistence:
enabled: true
asserts:
- contains:
path: spec.template.spec.volumes
content:
name: data
persistentVolumeClaim:
claimName: RELEASE-NAME
- it: should not add PersistentVolumeClaim as volume when in standalone mode and persistence.enabled is false
template: auth/deployment.yaml
set:
chartMode: standalone
clusterName: helm-lint.example.com
persistence:
enabled: false
asserts:
- notContains:
path: spec.template.spec.volumes
content:
name: data
persistentVolumeClaim:
claimName: RELEASE-NAME
- it: should add PersistentVolumeClaim as volume when in scratch mode and persistence.enabled is true
template: auth/deployment.yaml
set:
chartMode: scratch
clusterName: helm-lint.example.com
persistence:
enabled: true
asserts:
- contains:
path: spec.template.spec.volumes
content:
name: data
persistentVolumeClaim:
claimName: RELEASE-NAME
- it: should not add PersistentVolumeClaim as volume when in scratch mode and persistence.enabled is false
template: auth/deployment.yaml
set:
chartMode: scratch
clusterName: helm-lint.example.com
persistence:
enabled: false
asserts:
- notContains:
path: spec.template.spec.volumes
content:
name: data
persistentVolumeClaim:
claimName: RELEASE-NAME
- it: should add named PersistentVolumeClaim as volume when in standalone mode, persistence.existingClaimName is set and persistence.enabled is true
template: auth/deployment.yaml
values:
- ../.lint/standalone-existingpvc.yaml
asserts:
- contains:
path: spec.template.spec.volumes
content:
name: data
persistentVolumeClaim:
claimName: teleport-storage
- it: should not add named PersistentVolumeClaim as volume when in standalone mode, persistence.existingClaimName is set but persistence.enabled is false
template: auth/deployment.yaml
values:
- ../.lint/standalone-existingpvc.yaml
set:
persistence:
enabled: false
asserts:
- notContains:
path: spec.template.spec.volumes
content:
name: data
persistentVolumeClaim:
claimName: teleport-storage
- it: should add named PersistentVolumeClaim as volume when in scratch mode and persistence.existingClaimName is set
template: auth/deployment.yaml
values:
- ../.lint/standalone-existingpvc.yaml
asserts:
- contains:
path: spec.template.spec.volumes
content:
name: data
persistentVolumeClaim:
claimName: teleport-storage
- it: should not add named PersistentVolumeClaim as volume when in scratch mode, persistence.existingClaimName is set and persistence.enabled is false
template: auth/deployment.yaml
values:
- ../.lint/standalone-existingpvc.yaml
set:
persistence:
enabled: false
asserts:
- notContains:
path: spec.template.spec.volumes
content:
name: data
persistentVolumeClaim:
claimName: teleport-storage
- matchSnapshot:
path: spec.template.spec
- it: should add emptyDir for data in AWS mode
template: auth/deployment.yaml
values:
- ../.lint/aws-ha.yaml
asserts:
- contains:
path: spec.template.spec.volumes
content:
name: data
emptyDir: {}
- it: should add emptyDir for data in GCP mode
template: auth/deployment.yaml
values:
- ../.lint/gcp-ha.yaml
asserts:
- contains:
path: spec.template.spec.volumes
content:
name: data
emptyDir: {}
- it: should set priorityClassName when set in values
template: auth/deployment.yaml
values:
- ../.lint/priority-class-name.yaml
asserts:
- equal:
path: spec.template.spec.priorityClassName
value: system-cluster-critical
- it: should set probeTimeoutSeconds when set in values
template: auth/deployment.yaml
values:
- ../.lint/probe-timeout-seconds.yaml
asserts:
- equal:
path: spec.template.spec.containers[0].livenessProbe.timeoutSeconds
value: 5
- equal:
path: spec.template.spec.containers[0].readinessProbe.timeoutSeconds
value: 5
- it: should mount tls.existingCASecretName and set environment when set in values
template: auth/deployment.yaml
values:
- ../.lint/existing-tls-secret-with-ca.yaml
asserts:
- contains:
path: spec.template.spec.volumes
content:
name: teleport-tls-ca
secret:
secretName: helm-lint-existing-tls-secret-ca
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /etc/teleport-tls-ca
name: teleport-tls-ca
readOnly: true
- contains:
path: spec.template.spec.containers[0].env
content:
name: SSL_CERT_FILE
value: /etc/teleport-tls-ca/ca.pem
- it: should mount tls.existingCASecretName and set extra environment when set in values
template: auth/deployment.yaml
values:
- ../.lint/existing-tls-secret-with-ca.yaml
- ../.lint/extra-env.yaml
asserts:
- contains:
path: spec.template.spec.volumes
content:
name: teleport-tls-ca
secret:
secretName: helm-lint-existing-tls-secret-ca
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /etc/teleport-tls-ca
name: teleport-tls-ca
readOnly: true
- contains:
path: spec.template.spec.containers[0].env
content:
name: SSL_CERT_FILE
value: /etc/teleport-tls-ca/ca.pem
- contains:
path: spec.template.spec.containers[0].env
content:
name: SOME_ENVIRONMENT_VARIABLE
value: some-value
- it: should set minReadySeconds when replicaCount > 1
template: auth/deployment.yaml
set:
chartMode: scratch
highAvailability:
minReadySeconds: 60
replicaCount: 3
asserts:
- equal:
path: spec.minReadySeconds
value: 60
- it: should not set minReadySeconds when replicaCount = 1
template: auth/deployment.yaml
set:
chartMode: scratch
highAvailability:
minReadySeconds: 60
replicaCount: 1
asserts:
- equal:
path: spec.minReadySeconds
value: null
- it: should use Recreate strategy when replicaCount = 1
template: auth/deployment.yaml
set:
chartMode: scratch
highAvailability:
replicaCount: 1
asserts:
- equal:
path: spec.strategy.type
value: Recreate
- it: should not set strategy when replicaCount > 1
template: auth/deployment.yaml
set:
chartMode: scratch
highAvailability:
replicaCount: 2
asserts:
- equal:
path: spec.strategy.type
value: RollingUpdate
- it: should not perform surge rolling updates when replicaCount > 1
template: auth/deployment.yaml
set:
chartMode: scratch
highAvailability:
replicaCount: 2
asserts:
- equal:
path: spec.strategy.rollingUpdate.maxSurge
value: 0
- equal:
path: spec.strategy.rollingUpdate.maxUnavailable
value: 1
- it: mounts regular tokens on older Kubernetes versions
template: auth/deployment.yaml
set:
clusterName: helm-lint
capabilities:
majorVersion: 1
minorVersion: 18
asserts:
- notEqual:
path: spec.template.spec.automountServiceAccountToken
value: false
- notContains:
path: spec.template.spec.volumes
content:
name: auth-serviceaccount-token
projected:
sources:
- serviceAccountToken:
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- path: "namespace"
fieldRef:
fieldPath: metadata.namespace
- notContains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: auth-serviceaccount-token
readOnly: true
- it: mounts tokens through projected volumes on newer Kubernetes versions
template: auth/deployment.yaml
set:
clusterName: helm-lint
capabilities:
majorVersion: 1
minorVersion: 21
asserts:
- equal:
path: spec.template.spec.automountServiceAccountToken
value: false
- contains:
path: spec.template.spec.volumes
content:
name: auth-serviceaccount-token
projected:
sources:
- serviceAccountToken:
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- path: "namespace"
fieldRef:
fieldPath: metadata.namespace
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: auth-serviceaccount-token
readOnly: true
- it: should add the azure workload identity label to auth pods in azure mode
template: auth/deployment.yaml
set:
chartMode: azure
clusterName: teleport.example.com
asserts:
- equal:
path: spec.template.metadata.labels.azure\.workload\.identity/use
value: "true"


@ -1,23 +0,0 @@
suite: Auth PodDisruptionBudget
templates:
- auth/pdb.yaml
tests:
- it: not should create a PDB when disabled in values
set:
highAvailability:
podDisruptionBudget:
enabled: false
asserts:
- hasDocuments:
count: 0
- it: should create a PDB when enabled in values (pdb.yaml)
values:
- ../.lint/pdb.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: PodDisruptionBudget
- equal:
path: spec.minAvailable
value: 2


@ -1,87 +0,0 @@
suite: Auth PersistentVolumeClaim
templates:
- auth/pvc.yaml
tests:
- it: creates a PersistentVolumeClaim when chartMode=standalone with default size
set:
chartMode: standalone
asserts:
- hasDocuments:
count: 1
- isKind:
of: PersistentVolumeClaim
- equal:
path: spec.resources.requests.storage
value: "10Gi"
- it: creates a PersistentVolumeClaim when chartMode=scratch
set:
chartMode: scratch
asserts:
- hasDocuments:
count: 1
- isKind:
of: PersistentVolumeClaim
- it: uses a custom size when set
values:
- ../.lint/standalone-customsize.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: PersistentVolumeClaim
- equal:
path: spec.resources.requests.storage
value: 50Gi
- it: uses a custom storage class when set
values:
- ../.lint/standalone-custom-storage-class.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: PersistentVolumeClaim
- equal:
path: spec.storageClassName
value: ebs-ssd
- it: does not create a PersistentVolumeClaim when chartMode=standalone and existingClaimName is not blank
set:
chartMode: standalone
persistence:
existingClaimName: test-claim
asserts:
- hasDocuments:
count: 0
- it: does not create a PersistentVolumeClaim when chartMode=scratch and existingClaimName is not blank
set:
chartMode: scratch
persistence:
existingClaimName: test-claim
asserts:
- hasDocuments:
count: 0
- it: does not create a PersistentVolumeClaim when chartMode=aws
set:
chartMode: aws
asserts:
- hasDocuments:
count: 0
- it: does not create a PersistentVolumeClaim when chartMode=gcp
set:
chartMode: gcp
asserts:
- hasDocuments:
count: 0
- it: does not create a PersistentVolumeClaim when chartMode=azure
set:
chartMode: azure
asserts:
- hasDocuments:
count: 0


@ -1,32 +0,0 @@
suite: Auth ServiceAccount
templates:
- auth/serviceaccount.yaml
tests:
- it: sets ServiceAccount annotations when specified
values:
- ../.lint/annotations.yaml
asserts:
- equal:
path: metadata.annotations.kubernetes\.io/serviceaccount
value: test-annotation
- equal:
path: metadata.annotations.kubernetes\.io/serviceaccount-different
value: 6
- it: changes ServiceAccount name when specified
values:
- ../.lint/service-account.yaml
asserts:
- equal:
path: metadata.name
value: "helm-lint"
- it: sets Azure client ID when set
set:
chartMode: azure
azure:
clientID: "1234"
asserts:
- equal:
path: metadata.annotations.azure\.workload\.identity/client-id
value: "1234"


@ -1,538 +0,0 @@
suite: Proxy Ingress
templates:
- proxy/ingress.yaml
tests:
- it: does not create an Ingress by default
set:
clusterName: teleport.example.com
asserts:
- hasDocuments:
count: 0
- it: creates an Ingress when ingress.enabled=true and proxyListenerMode=multiplex
values:
- ../.lint/ingress.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: Ingress
- it: fails to deploy an Ingress when ingress.enabled=true and proxyListenerMode is not set
values:
- ../.lint/ingress.yaml
set:
proxyListenerMode: ""
asserts:
- failedTemplate:
errorMessage: "Use of an ingress requires TLS multiplexing to be enabled, so you must also set proxyListenerMode=multiplex - see https://goteleport.com/docs/architecture/tls-routing/"
- it: fails to deploy an Ingress when ingress.enabled=true and proxyListenerMode=separate
values:
- ../.lint/ingress.yaml
set:
proxyListenerMode: separate
asserts:
- failedTemplate:
errorMessage: "Use of an ingress requires TLS multiplexing to be enabled, so you must also set proxyListenerMode=multiplex - see https://goteleport.com/docs/architecture/tls-routing/"
- it: wears annotations when set
values:
- ../.lint/ingress.yaml
set:
annotations:
ingress:
test-annotation: test-annotation-value
another-annotation: some-other-value
asserts:
- hasDocuments:
count: 1
- isKind:
of: Ingress
- equal:
path: metadata.annotations.test-annotation
value: test-annotation-value
- equal:
path: metadata.annotations.another-annotation
value: some-other-value
- it: sets the clusterName and wildcard of clusterName as hostnames when Ingress is enabled
values:
- ../.lint/ingress.yaml
asserts:
- equal:
path: spec.tls[0].hosts[0]
value: "teleport.example.com"
- contains:
path: spec.tls
content:
hosts:
- "teleport.example.com"
- "*.teleport.example.com"
- equal:
path: spec.rules[0].host
value: "teleport.example.com"
- contains:
path: spec.rules
content:
host: "teleport.example.com"
http:
paths:
- backend:
service:
name: RELEASE-NAME
port:
number: 443
path: /
pathType: Prefix
- equal:
path: spec.rules[1].host
value: "*.teleport.example.com"
- contains:
path: spec.rules
content:
host: "*.teleport.example.com"
http:
paths:
- backend:
service:
name: RELEASE-NAME
port:
number: 443
path: /
pathType: Prefix
- matchSnapshot:
path: spec.tls
- it: does not set a wildcard of clusterName as a hostname when Ingress is enabled and ingress.suppressAutomaticWildcards is true
values:
- ../.lint/ingress.yaml
set:
ingress:
suppressAutomaticWildcards: true
asserts:
- equal:
path: spec.tls[0].hosts[0]
value: "teleport.example.com"
- contains:
path: spec.tls
content:
hosts:
- "teleport.example.com"
- equal:
path: spec.rules[0].host
value: "teleport.example.com"
- contains:
path: spec.rules
content:
host: "teleport.example.com"
http:
paths:
- backend:
service:
name: RELEASE-NAME
port:
number: 443
path: /
pathType: Prefix
- notContains:
path: spec.rules
content:
host: "*.teleport.example.com"
http:
paths:
- backend:
service:
name: RELEASE-NAME
port:
number: 443
path: /
pathType: Prefix
- matchSnapshot:
path: spec.tls
- it: sets the publicAddr and wildcard of publicAddr as hostnames when Ingress is enabled and publicAddr is set
values:
- ../.lint/ingress.yaml
set:
publicAddr: ["helm-lint.example.com"]
asserts:
- equal:
path: spec.tls[0].hosts[0]
value: "helm-lint.example.com"
- contains:
path: spec.tls
content:
hosts:
- "helm-lint.example.com"
- "*.helm-lint.example.com"
- equal:
path: spec.rules[0].host
value: helm-lint.example.com
- contains:
path: spec.rules
content:
host: "helm-lint.example.com"
http:
paths:
- backend:
service:
name: RELEASE-NAME
port:
number: 443
path: /
pathType: Prefix
- equal:
path: spec.rules[1].host
value: "*.helm-lint.example.com"
- contains:
path: spec.rules
content:
host: "*.helm-lint.example.com"
http:
paths:
- backend:
service:
name: RELEASE-NAME
port:
number: 443
path: /
pathType: Prefix
- matchSnapshot:
path: spec.tls
- it: does not set a wildcard of publicAddr as a hostname when Ingress is enabled, publicAddr is set and ingress.suppressAutomaticWildcards is true
values:
- ../.lint/ingress.yaml
set:
publicAddr: ["helm-lint.example.com"]
ingress:
suppressAutomaticWildcards: true
asserts:
- equal:
path: spec.tls[0].hosts[0]
value: "helm-lint.example.com"
- contains:
path: spec.tls
content:
hosts:
- "helm-lint.example.com"
- equal:
path: spec.rules[0].host
value: helm-lint.example.com
- contains:
path: spec.rules
content:
host: "helm-lint.example.com"
http:
paths:
- backend:
service:
name: RELEASE-NAME
port:
number: 443
path: /
pathType: Prefix
- notContains:
path: spec.rules
content:
host: "*.helm-lint.example.com"
http:
paths:
- backend:
service:
name: RELEASE-NAME
port:
number: 443
path: /
pathType: Prefix
- matchSnapshot:
path: spec.tls
- it: trims ports from publicAddr and uses it as the hostname when Ingress is enabled and publicAddr is set
values:
- ../.lint/ingress.yaml
set:
publicAddr: ["helm-lint.example.com:443"]
asserts:
- equal:
path: spec.tls[0].hosts[0]
value: "helm-lint.example.com"
- contains:
path: spec.tls
content:
hosts:
- "helm-lint.example.com"
- "*.helm-lint.example.com"
- equal:
path: spec.rules[0].host
value: "helm-lint.example.com"
- contains:
path: spec.rules
content:
host: helm-lint.example.com
http:
paths:
- backend:
service:
name: RELEASE-NAME
port:
number: 443
path: /
pathType: Prefix
- equal:
path: spec.rules[1].host
value: "*.helm-lint.example.com"
- contains:
path: spec.rules
content:
host: "*.helm-lint.example.com"
http:
paths:
- backend:
service:
name: RELEASE-NAME
port:
number: 443
path: /
pathType: Prefix
- matchSnapshot:
path: spec.tls
- it: exposes all publicAddrs and wildcard publicAddrs as hostnames when Ingress is enabled and multiple publicAddrs are set
values:
- ../.lint/ingress.yaml
set:
publicAddr: ["helm-lint.example.com", "helm-lint-second-domain.example.com"]
asserts:
- equal:
path: spec.tls[0].hosts[0]
value: "helm-lint.example.com"
- equal:
path: spec.tls[0].hosts[1]
value: "helm-lint-second-domain.example.com"
- contains:
path: spec.tls
content:
hosts:
- "helm-lint.example.com"
- "helm-lint-second-domain.example.com"
- "*.helm-lint.example.com"
- "*.helm-lint-second-domain.example.com"
- equal:
path: spec.rules[0].host
value: "helm-lint.example.com"
- equal:
path: spec.rules[1].host
value: "helm-lint-second-domain.example.com"
- equal:
path: spec.rules[2].host
value: "*.helm-lint.example.com"
- equal:
path: spec.rules[3].host
value: "*.helm-lint-second-domain.example.com"
- contains:
path: spec.rules
content:
host: "helm-lint.example.com"
http:
paths:
- backend:
service:
name: RELEASE-NAME
port:
number: 443
path: /
pathType: Prefix
- contains:
path: spec.rules
content:
host: "helm-lint-second-domain.example.com"
http:
paths:
- backend:
service:
name: RELEASE-NAME
port:
number: 443
path: /
pathType: Prefix
- contains:
path: spec.rules
content:
host: "*.helm-lint.example.com"
http:
paths:
- backend:
service:
name: RELEASE-NAME
port:
number: 443
path: /
pathType: Prefix
- contains:
path: spec.rules
content:
host: "*.helm-lint-second-domain.example.com"
http:
paths:
- backend:
service:
name: RELEASE-NAME
port:
number: 443
path: /
pathType: Prefix
- matchSnapshot:
path: spec.tls
# this is a very contrived example which wouldn't even work in reality
# it's just to test the logic in the hostname generation code
- it: does not add additional wildcard publicAddrs when Ingress is enabled and a publicAddr already contains a wildcard
values:
- ../.lint/ingress.yaml
set:
publicAddr: ["helm-lint.example.com", "*.helm-lint.example.com", "helm-lint-second-domain.example.com:443"]
asserts:
- equal:
path: spec.tls[0].hosts[0]
value: "helm-lint.example.com"
- equal:
path: spec.tls[0].hosts[1]
value: "*.helm-lint.example.com"
- equal:
path: spec.tls[0].hosts[2]
value: "helm-lint-second-domain.example.com"
- equal:
path: spec.tls[0].hosts[3]
value: "*.helm-lint-second-domain.example.com"
- contains:
path: spec.tls
content:
hosts:
- "helm-lint.example.com"
- "*.helm-lint.example.com"
- "helm-lint-second-domain.example.com"
- "*.helm-lint-second-domain.example.com"
- equal:
path: spec.rules[0].host
value: "helm-lint.example.com"
- equal:
path: spec.rules[1].host
value: "*.helm-lint.example.com"
- equal:
path: spec.rules[2].host
value: "helm-lint-second-domain.example.com"
- equal:
path: spec.rules[3].host
value: "*.helm-lint-second-domain.example.com"
- contains:
path: spec.rules
content:
host: "helm-lint.example.com"
http:
paths:
- backend:
service:
name: RELEASE-NAME
port:
number: 443
path: /
pathType: Prefix
- contains:
path: spec.rules
content:
host: "*.helm-lint.example.com"
http:
paths:
- backend:
service:
name: RELEASE-NAME
port:
number: 443
path: /
pathType: Prefix
- contains:
path: spec.rules
content:
host: "helm-lint-second-domain.example.com"
http:
paths:
- backend:
service:
name: RELEASE-NAME
port:
number: 443
path: /
pathType: Prefix
- contains:
path: spec.rules
content:
host: "*.helm-lint-second-domain.example.com"
http:
paths:
- backend:
service:
name: RELEASE-NAME
port:
number: 443
path: /
pathType: Prefix
- matchSnapshot:
path: spec.tls
- it: sets spec when passed
values:
- ../.lint/ingress.yaml
set:
ingress:
spec:
ingressClassName: nginx
otherSpecStuff: lint
asserts:
- hasDocuments:
count: 1
- isKind:
of: Ingress
- equal:
path: spec.ingressClassName
value: nginx
- equal:
path: spec.otherSpecStuff
value: lint
- it: does not set tls.secretName by default
values:
- ../.lint/ingress.yaml
asserts:
- isEmpty:
path: spec.tls[0].secretName
- matchSnapshot:
path: spec.tls
- it: sets tls.secretName when cert-manager is enabled
values:
- ../.lint/ingress.yaml
set:
highAvailability:
certManager:
enabled: true
asserts:
- equal:
path: spec.tls[0].secretName
value: teleport-tls
- matchSnapshot:
path: spec.tls
- it: sets tls.secretName the value of tls.existingSecretName when set
values:
- ../.lint/ingress.yaml
set:
tls:
existingSecretName: helm-lint-tls-secret
asserts:
- equal:
path: spec.tls[0].secretName
value: helm-lint-tls-secret
- matchSnapshot:
path: spec.tls


@ -1,111 +0,0 @@
suite: Pre-Deploy Config Test Hooks
templates:
- auth/predeploy_job.yaml
- auth/predeploy_config.yaml
- proxy/predeploy_job.yaml
- proxy/predeploy_config.yaml
tests:
- it: Deploys the auth-test config
template: auth/predeploy_config.yaml
set:
clusterName: helm-lint
asserts:
- containsDocument:
kind: ConfigMap
apiVersion: v1
name: RELEASE-NAME-auth-test
namespace: NAMESPACE
- it: Deploys the proxy-test config
template: proxy/predeploy_config.yaml
set:
clusterName: helm-lint
asserts:
- containsDocument:
kind: ConfigMap
apiVersion: v1
name: RELEASE-NAME-proxy-test
namespace: NAMESPACE
- it: Deploys the auth-test job
template: auth/predeploy_job.yaml
set:
clusterName: helm-lint
asserts:
- containsDocument:
kind: Job
apiVersion: batch/v1
name: RELEASE-NAME-auth-test
namespace: NAMESPACE
- it: Is executed as a pre-install and pre-upgrade hook
set:
clusterName: helm-lint
asserts:
- equal:
path: metadata.annotations.helm\.sh/hook
value: pre-install,pre-upgrade
- it: Does not render hooks when config validation is disabled
set:
clusterName: helm-lint
validateConfigOnDeploy: false
asserts:
- hasDocuments:
count: 0
- it: should set resources on auth predeploy job when set in values
template: auth/predeploy_job.yaml
values:
- ../.lint/resources.yaml
asserts:
- equal:
path: spec.template.spec.containers[0].resources.limits.cpu
value: 2
- equal:
path: spec.template.spec.containers[0].resources.limits.memory
value: 4Gi
- equal:
path: spec.template.spec.containers[0].resources.requests.cpu
value: 1
- equal:
path: spec.template.spec.containers[0].resources.requests.memory
value: 2Gi
- it: should set resources on proxy predeploy job when set in values
template: proxy/predeploy_job.yaml
values:
- ../.lint/resources.yaml
asserts:
- equal:
path: spec.template.spec.containers[0].resources.limits.cpu
value: 2
- equal:
path: spec.template.spec.containers[0].resources.limits.memory
value: 4Gi
- equal:
path: spec.template.spec.containers[0].resources.requests.cpu
value: 1
- equal:
path: spec.template.spec.containers[0].resources.requests.memory
value: 2Gi
- it: should set imagePullSecrets on proxy predeploy job when set in values
template: proxy/predeploy_job.yaml
values:
- ../.lint/imagepullsecrets.yaml
asserts:
- equal:
path: spec.template.spec.imagePullSecrets[0].name
value: myRegistryKeySecretName
- matchSnapshot:
path: spec.template.spec.imagePullSecrets
- it: should set imagePullSecrets on auth predeploy job when set in values
template: auth/predeploy_job.yaml
values:
- ../.lint/imagepullsecrets.yaml
asserts:
- equal:
path: spec.template.spec.imagePullSecrets[0].name
value: myRegistryKeySecretName
- matchSnapshot:
path: spec.template.spec.imagePullSecrets


@ -1,194 +0,0 @@
suite: Proxy Certificate
templates:
- proxy/certificate.yaml
tests:
- it: should request a certificate for cluster name when cert-manager is enabled (cert-manager.yaml)
values:
- ../.lint/cert-manager.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: Certificate
- matchSnapshot:
path: spec.dnsNames
- matchSnapshot:
path: spec.issuerRef
- equal:
path: spec.commonName
value: test-cluster
- it: should request a certificate for cluster name when cert-manager is enabled (cert-secret.yaml)
values:
- ../.lint/cert-secret.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: Certificate
- matchSnapshot:
path: spec.dnsNames
- matchSnapshot:
path: spec.issuerRef
- it: should request a certificate for cluster name and publicAddrs when cert-manager is enabled and proxy.highAvailability.certManager.addPublicAddrs is set (cert-manager.yaml)
values:
- ../.lint/cert-manager.yaml
set:
publicAddr: ['teleport.test.com:443', 'teleport.shared-services.old-domain.com:443']
highAvailability:
certManager:
addPublicAddrs: true
asserts:
- hasDocuments:
count: 1
- isKind:
of: Certificate
- matchSnapshot:
path: spec.dnsNames
- matchSnapshot:
path: spec.issuerRef
- equal:
path: spec.commonName
value: test-cluster
- equal:
path: spec.dnsNames[0]
value: "test-cluster"
- equal:
path: spec.dnsNames[1]
value: "*.test-cluster"
- equal:
path: spec.dnsNames[2]
value: "teleport.test.com"
- equal:
path: spec.dnsNames[3]
value: "teleport.shared-services.old-domain.com"
- it: should not request a certificate for cluster name and publicAddrs when cert-manager is enabled and proxy.highAvailability.certManager.addPublicAddrs is not set (cert-manager.yaml)
values:
- ../.lint/cert-manager.yaml
set:
publicAddr: ['teleport.test.com:443', 'teleport.shared-services.old-domain.com:443']
highAvailability:
certManager:
addPublicAddrs: false
asserts:
- hasDocuments:
count: 1
- isKind:
of: Certificate
- matchSnapshot:
path: spec.dnsNames
- matchSnapshot:
path: spec.issuerRef
- equal:
path: spec.commonName
value: test-cluster
- equal:
path: spec.dnsNames[0]
value: "test-cluster"
- equal:
path: spec.dnsNames[1]
value: "*.test-cluster"
- notEqual:
path: spec.dnsNames[2]
value: "teleport.test.com"
- notEqual:
path: spec.dnsNames[3]
value: "teleport.shared-services.old-domain.com"
- it: should request a certificate for cluster name and publicAddrs when cert-manager is enabled and proxy.highAvailability.certManager.addPublicAddrs is set (cert-secret.yaml)
values:
- ../.lint/cert-secret.yaml
set:
publicAddr: ['teleport.test.com:443', 'teleport.shared-services.old-domain.com:443']
highAvailability:
certManager:
addPublicAddrs: true
asserts:
- hasDocuments:
count: 1
- isKind:
of: Certificate
- matchSnapshot:
path: spec.dnsNames
- matchSnapshot:
path: spec.issuerRef
- equal:
path: spec.dnsNames[0]
value: "test-cluster"
- equal:
path: spec.dnsNames[1]
value: "*.test-cluster"
- equal:
path: spec.dnsNames[2]
value: "teleport.test.com"
- equal:
path: spec.dnsNames[3]
value: "teleport.shared-services.old-domain.com"
- it: should not request a certificate for cluster name and publicAddrs when cert-manager is enabled and proxy.highAvailability.certManager.addPublicAddrs is not set (cert-secret.yaml)
values:
- ../.lint/cert-secret.yaml
set:
publicAddr: ['teleport.test.com:443', 'teleport.shared-services.old-domain.com:443']
asserts:
- hasDocuments:
count: 1
- isKind:
of: Certificate
- matchSnapshot:
path: spec.dnsNames
- matchSnapshot:
path: spec.issuerRef
- notEqual:
path: spec.commonName
value: test-cluster
- equal:
path: spec.dnsNames[0]
value: "test-cluster"
- equal:
path: spec.dnsNames[1]
value: "*.test-cluster"
- notEqual:
path: spec.dnsNames[2]
value: "teleport.test.com"
- notEqual:
path: spec.dnsNames[3]
value: "teleport.shared-services.old-domain.com"
- it: should request a certificate for cluster name and publicAddrs when cert-manager is enabled and proxy.highAvailability.certManager.addPublicAddrs is set, removing duplicates
values:
- ../.lint/cert-manager.yaml
set:
publicAddr: ['test-cluster:443', 'teleport.test.com:443', 'teleport.shared-services.old-domain.com:443', 'teleport.test.com:443']
highAvailability:
certManager:
addPublicAddrs: true
asserts:
- hasDocuments:
count: 1
- isKind:
of: Certificate
- matchSnapshot:
path: spec.dnsNames
- matchSnapshot:
path: spec.issuerRef
- equal:
path: spec.dnsNames[0]
value: "test-cluster"
- equal:
path: spec.dnsNames[1]
value: "*.test-cluster"
- notEqual:
path: spec.dnsNames[2]
value: "test-cluster"
- equal:
path: spec.dnsNames[2]
value: "teleport.test.com"
- equal:
path: spec.dnsNames[3]
value: "teleport.shared-services.old-domain.com"
- notEqual:
path: spec.dnsNames[4]
value: "teleport.test.com"


@ -1,258 +0,0 @@
suite: ConfigMap
templates:
- proxy/config.yaml
tests:
- it: matches snapshot for log-basic.yaml
values:
- ../.lint/log-basic.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for log-extra.yaml
values:
- ../.lint/log-extra.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for public-addresses.yaml
values:
- ../.lint/public-addresses.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: wears annotations (annotations.yaml)
values:
- ../.lint/annotations.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- equal:
path: metadata.annotations.kubernetes\.io/config
value: test-annotation
- equal:
path: metadata.annotations.kubernetes\.io/config-different
value: 2
- it: matches snapshot for proxy-listener-mode-multiplex.yaml
values:
- ../.lint/proxy-listener-mode-multiplex.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for proxy-listener-mode-separate.yaml
values:
- ../.lint/proxy-listener-mode-separate.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for separate-mongo-listener.yaml
values:
- ../.lint/separate-mongo-listener.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for separate-postgres-listener.yaml
values:
- ../.lint/separate-postgres-listener.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for aws-ha-acme.yaml
values:
- ../.lint/aws-ha-acme.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for existing-tls-secret.yaml
values:
- ../.lint/existing-tls-secret.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for acme-on.yaml
values:
- ../.lint/acme-on.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for acme-uri-staging.yaml
values:
- ../.lint/acme-uri-staging.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: generates a config with a clusterName containing a regular string
set:
clusterName: "helm-test.example.com"
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: fails when clusterName contains a regular string and a colon
set:
clusterName: "helm-test:cluster-1"
asserts:
- failedTemplate:
errorMessage: "clusterName must not contain a colon, you can override the cluster's public address with publicAddr"
- it: fails when clusterName contains a port
set:
clusterName: "helm-test.example.com:443"
asserts:
- failedTemplate:
errorMessage: "clusterName must not contain a colon, you can override the cluster's public address with publicAddr"
- it: generates a config with proxy_service.trust_x_forwarded_for=true when version >=14.0.0 and ingress.enabled=true
chart:
version: 14.0.0
values:
- ../.lint/ingress.yaml
set:
clusterName: "helm-test.example.com"
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: generates a config with proxy_service.trust_x_forwarded_for=true when version = 14.0.0-rc.1 and ingress.enabled=true
chart:
version: "14.0.0-rc.1"
values:
- ../.lint/ingress.yaml
set:
clusterName: "helm-test.example.com"
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: generates a config WITHOUT proxy_service.trust_x_forwarded_for=true when version >=14.0.0 and ingress.enabled is not set
chart:
version: 14.0.0
set:
clusterName: "helm-test.example.com"
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: generates a config WITHOUT proxy_service.trust_x_forwarded_for=true when version < 14.0.0 and ingress.enabled=true
chart:
version: 13.1.5
values:
- ../.lint/ingress.yaml
set:
clusterName: "helm-test.example.com"
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: generates a config WITHOUT proxy_service.trust_x_forwarded_for=true when version < 14.0.0 and ingress.enabled is not set
chart:
version: 14.0.0
set:
clusterName: "helm-test.example.com"
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: sets "proxy_protocol" to "on"
set:
proxyProtocol: "on"
clusterName: teleport.example.com
asserts:
- matchRegex:
path: data.teleport\.yaml
pattern: 'proxy_protocol: "on"'
- it: sets "proxy_protocol" to "off"
set:
proxyProtocol: "off"
clusterName: teleport.example.com
asserts:
- matchRegex:
path: data.teleport\.yaml
pattern: 'proxy_protocol: "off"'
- it: does not set "proxy_protocol"
set:
clusterName: teleport.example.com
asserts:
- notMatchRegex:
path: data.teleport\.yaml
pattern: 'proxy_protocol:'


@ -1,941 +0,0 @@
suite: Proxy Deployment
templates:
- proxy/deployment.yaml
- proxy/config.yaml
tests:
- it: sets Deployment annotations when specified
template: proxy/deployment.yaml
values:
- ../.lint/annotations.yaml
asserts:
- equal:
path: metadata.annotations.kubernetes\.io/deployment
value: test-annotation
- equal:
path: metadata.annotations.kubernetes\.io/deployment-different
value: 3
- it: sets Pod annotations when specified
template: proxy/deployment.yaml
values:
- ../.lint/annotations.yaml
asserts:
- equal:
path: spec.template.metadata.annotations.kubernetes\.io/pod
value: test-annotation
- equal:
path: spec.template.metadata.annotations.kubernetes\.io/pod-different
value: 4
- it: should not have more than one replica if no certificate is passed
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
asserts:
- equal:
path: spec.replicas
value: 1
- it: should have multiple replicas by default when a certificate is passed through a secret
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
tls:
existingSecretName: my-certs
asserts:
- equal:
path: spec.replicas
value: 2
- it: should have multiple replicas by default when certManager is configured
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
highAvailability:
certManager:
enabled: true
asserts:
- equal:
path: spec.replicas
value: 2
- it: should have multiple replicas when global replicaCount is set and a certificate is passed
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
highAvailability:
replicaCount: 3
certManager:
enabled: true
asserts:
- equal:
path: spec.replicas
value: 3
- it: should have a single replica when proxy-specific replicaCount is set to 1 and a cert is passed
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
highAvailability:
certManager:
enabled: true
proxy:
highAvailability:
replicaCount: 1
asserts:
- equal:
path: spec.replicas
value: 1
- it: should have multiple replicas by default when an ingress is terminating TLS
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
proxyListenerMode: multiplex
ingress:
enabled: true
asserts:
- equal:
path: spec.replicas
value: 2
- it: should set affinity when set in values
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
highAvailability:
replicaCount: 3
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: gravitational.io/dedicated
operator: In
values:
- teleport
asserts:
- isNotNull:
path: spec.template.spec.affinity
- matchSnapshot:
path: spec.template.spec.affinity
- it: should set required affinity when highAvailability.requireAntiAffinity is set
template: proxy/deployment.yaml
values:
- ../.lint/aws-ha-antiaffinity.yaml
asserts:
- isNotNull:
path: spec.template.spec.affinity
- isNotNull:
path: spec.template.spec.affinity.podAntiAffinity
- isNotNull:
path: spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution
- matchSnapshot:
path: spec.template.spec.affinity
- it: should set tolerations when set in values
template: proxy/deployment.yaml
values:
- ../.lint/tolerations.yaml
asserts:
- isNotNull:
path: spec.template.spec.tolerations
- matchSnapshot:
path: spec.template.spec.tolerations
- it: should set resources when set in values
template: proxy/deployment.yaml
values:
- ../.lint/resources.yaml
asserts:
- equal:
path: spec.template.spec.containers[0].resources.limits.cpu
value: 2
- equal:
path: spec.template.spec.containers[0].resources.limits.memory
value: 4Gi
- equal:
path: spec.template.spec.containers[0].resources.requests.cpu
value: 1
- equal:
path: spec.template.spec.containers[0].resources.requests.memory
value: 2Gi
- matchSnapshot:
path: spec.template.spec
- it: should set securityContext when set in values
template: proxy/deployment.yaml
values:
- ../.lint/security-context.yaml
asserts:
- equal:
path: spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation
value: false
- equal:
path: spec.template.spec.containers[0].securityContext.privileged
value: false
- equal:
path: spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem
value: false
- equal:
path: spec.template.spec.containers[0].securityContext.runAsGroup
value: 99
- equal:
path: spec.template.spec.containers[0].securityContext.runAsNonRoot
value: true
- equal:
path: spec.template.spec.containers[0].securityContext.runAsUser
value: 99
- matchSnapshot:
path: spec.template.spec
- it: should not set securityContext when is empty object (default value)
template: proxy/deployment.yaml
values:
- ../.lint/security-context-empty.yaml
asserts:
- isNull:
path: spec.template.spec.containers[0].securityContext
- it: should set securityContext for initContainers when set in values
template: proxy/deployment.yaml
values:
- ../.lint/security-context.yaml
asserts:
- equal:
path: spec.template.spec.initContainers[0].securityContext.allowPrivilegeEscalation
value: false
- equal:
path: spec.template.spec.initContainers[0].securityContext.privileged
value: false
- equal:
path: spec.template.spec.initContainers[0].securityContext.readOnlyRootFilesystem
value: false
- equal:
path: spec.template.spec.initContainers[0].securityContext.runAsGroup
value: 99
- equal:
path: spec.template.spec.initContainers[0].securityContext.runAsNonRoot
value: true
- equal:
path: spec.template.spec.initContainers[0].securityContext.runAsUser
value: 99
- matchSnapshot:
path: spec.template.spec
- it: should not set securityContext for initContainers when is empty object (default value)
template: proxy/deployment.yaml
values:
- ../.lint/security-context-empty.yaml
asserts:
- isNull:
path: spec.template.spec.initContainers[0].securityContext
# we can't use the dynamic chart version or appVersion as a variable in the tests,
# so we override it manually and check that gets set instead
# this saves us having to update the test every time we cut a new release
- it: should use enterprise image when enterprise is set in values
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
enterprise: true
teleportVersionOverride: 12.2.1
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: public.ecr.aws/gravitational/teleport-ent-distroless:12.2.1
- it: should use OSS image when enterprise is not set in values
template: proxy/deployment.yaml
set:
clusterName: helm-lint
teleportVersionOverride: 12.2.1
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: public.ecr.aws/gravitational/teleport-distroless:12.2.1
- it: should mount TLS certs when cert-manager is enabled
template: proxy/deployment.yaml
values:
- ../.lint/gcp-ha-acme.yaml
- ../.lint/initcontainers.yaml
asserts:
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /etc/teleport-tls
name: "teleport-tls"
readOnly: true
- contains:
path: spec.template.spec.volumes
content:
name: teleport-tls
secret:
secretName: teleport-tls
- contains:
path: spec.template.spec.initContainers[1].volumeMounts
content:
mountPath: /etc/teleport-tls
name: "teleport-tls"
readOnly: true
- contains:
path: spec.template.spec.initContainers[2].volumeMounts
content:
mountPath: /etc/teleport-tls
name: "teleport-tls"
readOnly: true
- it: should mount ConfigMap containing Teleport config
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
asserts:
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /etc/teleport
name: "config"
readOnly: true
- contains:
path: spec.template.spec.volumes
content:
name: config
configMap:
name: RELEASE-NAME-proxy
- it: should mount extraVolumes and extraVolumeMounts on container and initContainers
template: proxy/deployment.yaml
values:
- ../.lint/volumes.yaml
- ../.lint/initcontainers.yaml
asserts:
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /path/to/mount
name: my-mount
- contains:
path: spec.template.spec.initContainers[1].volumeMounts
content:
mountPath: /path/to/mount
name: my-mount
- contains:
path: spec.template.spec.initContainers[2].volumeMounts
content:
mountPath: /path/to/mount
name: my-mount
- contains:
path: spec.template.spec.volumes
content:
name: my-mount
secret:
secretName: mySecret
- it: should set imagePullPolicy when set in values
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
imagePullPolicy: Always
asserts:
- equal:
path: spec.template.spec.containers[0].imagePullPolicy
value: Always
- it: should have only one container when no `extraContainers` is set in values
template: proxy/deployment.yaml
set:
extraContainers: []
clusterName: helm-lint.example.com
asserts:
- isNotNull:
path: spec.template.spec.containers[0]
- isNull:
path: spec.template.spec.containers[1]
- it: should add one more container when `extraContainers` is set in values
template: proxy/deployment.yaml
values:
- ../.lint/extra-containers.yaml
asserts:
- equal:
path: spec.template.spec.containers[1]
value:
name: nscenter
command:
- /bin/bash
- -c
- sleep infinity & wait
image: praqma/network-multitool
imagePullPolicy: IfNotPresent
securityContext:
privileged: true
runAsNonRoot: false
- it: should set environment when extraEnv set in values
template: proxy/deployment.yaml
values:
- ../.lint/extra-env.yaml
asserts:
- contains:
path: spec.template.spec.containers[0].env
content:
name: SOME_ENVIRONMENT_VARIABLE
value: "some-value"
- it: should set imagePullSecrets when set in values
template: proxy/deployment.yaml
values:
- ../.lint/imagepullsecrets.yaml
asserts:
- equal:
path: spec.template.spec.imagePullSecrets[0].name
value: myRegistryKeySecretName
- matchSnapshot:
path: spec.template.spec.imagePullSecrets
- it: should provision initContainer correctly when set in values
template: proxy/deployment.yaml
values:
- ../.lint/initcontainers.yaml
- ../.lint/resources.yaml
- ../.lint/extra-env.yaml
asserts:
- contains:
path: spec.template.spec.initContainers[1].args
content: "echo test"
- equal:
path: spec.template.spec.initContainers[1].name
value: "teleport-init"
- equal:
path: spec.template.spec.initContainers[1].image
value: "alpine"
- equal:
path: spec.template.spec.initContainers[1].resources.limits.cpu
value: 2
- equal:
path: spec.template.spec.initContainers[1].resources.limits.memory
value: 4Gi
- equal:
path: spec.template.spec.initContainers[1].resources.requests.cpu
value: 1
- equal:
path: spec.template.spec.initContainers[1].resources.requests.memory
value: 2Gi
- contains:
path: spec.template.spec.initContainers[2].args
content: "echo test2"
- equal:
path: spec.template.spec.initContainers[2].name
value: "teleport-init2"
- equal:
path: spec.template.spec.initContainers[2].image
value: "alpine"
- equal:
path: spec.template.spec.initContainers[2].resources.limits.cpu
value: 2
- equal:
path: spec.template.spec.initContainers[2].resources.limits.memory
value: 4Gi
- equal:
path: spec.template.spec.initContainers[2].resources.requests.cpu
value: 1
- equal:
path: spec.template.spec.initContainers[2].resources.requests.memory
value: 2Gi
- matchSnapshot:
path: spec.template.spec.initContainers
- it: should add insecureSkipProxyTLSVerify to args when set in values
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
insecureSkipProxyTLSVerify: true
asserts:
- contains:
path: spec.template.spec.containers[0].args
content: "--insecure"
- it: should expose diag port
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
asserts:
- contains:
path: spec.template.spec.containers[0].ports
content:
name: diag
containerPort: 3000
protocol: TCP
- it: should expose tls port
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
asserts:
- contains:
path: spec.template.spec.containers[0].ports
content:
name: tls
containerPort: 3080
protocol: TCP
- it: should expose tls port when proxyListenerMode is multiplex
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
proxyListenerMode: multiplex
asserts:
- contains:
path: spec.template.spec.containers[0].ports
content:
name: tls
containerPort: 3080
protocol: TCP
- it: should not expose proxy peering port by default
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
asserts:
- notContains:
path: spec.template.spec.containers[0].ports
content:
name: proxypeering
containerPort: 3021
protocol: TCP
- it: should expose proxy peering port when enterprise is true
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
enterprise: true
asserts:
- contains:
path: spec.template.spec.containers[0].ports
content:
name: proxypeering
containerPort: 3021
protocol: TCP
- it: should expose sshproxy port by default
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
asserts:
- contains:
path: spec.template.spec.containers[0].ports
content:
name: sshproxy
containerPort: 3023
protocol: TCP
- it: should not expose sshproxy port when proxyListenerMode is multiplex
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
proxyListenerMode: multiplex
asserts:
- notContains:
path: spec.template.spec.containers[0].ports
content:
name: sshproxy
containerPort: 3023
protocol: TCP
- it: should expose sshtun port by default
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
asserts:
- contains:
path: spec.template.spec.containers[0].ports
content:
name: sshtun
containerPort: 3024
protocol: TCP
- it: should not expose sshtun port when proxyListenerMode is multiplex
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
proxyListenerMode: multiplex
asserts:
- notContains:
path: spec.template.spec.containers[0].ports
content:
name: sshtun
containerPort: 3024
protocol: TCP
- it: should expose k8s port by default
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
asserts:
- contains:
path: spec.template.spec.containers[0].ports
content:
name: kube
containerPort: 3026
protocol: TCP
- it: should not expose k8s port when proxyListenerMode is multiplex
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
proxyListenerMode: multiplex
asserts:
- notContains:
path: spec.template.spec.containers[0].ports
content:
name: kube
containerPort: 3026
protocol: TCP
- it: should expose mysql port by default
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
asserts:
- contains:
path: spec.template.spec.containers[0].ports
content:
name: mysql
containerPort: 3036
protocol: TCP
- it: should not expose mysql port when proxyListenerMode is multiplex
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
proxyListenerMode: multiplex
asserts:
- notContains:
path: spec.template.spec.containers[0].ports
content:
name: mysql
containerPort: 3036
protocol: TCP
- it: should expose postgres port when separate postgres listener is enabled
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
separatePostgresListener: true
asserts:
- contains:
path: spec.template.spec.containers[0].ports
content:
name: postgres
containerPort: 5432
protocol: TCP
- it: should not expose postgres port when proxyListenerMode is multiplex and separate postgres listener is enabled
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
proxyListenerMode: multiplex
separatePostgresListener: true
asserts:
- notContains:
path: spec.template.spec.containers[0].ports
content:
name: postgres
containerPort: 5432
protocol: TCP
- it: should expose mongo port when separate mongo listener is enabled
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
separateMongoListener: true
asserts:
- contains:
path: spec.template.spec.containers[0].ports
content:
name: mongo
containerPort: 27017
protocol: TCP
- it: should not expose mongo port when when proxyListenerMode is multiplex and separate mongo listener is enabled
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
proxyListenerMode: multiplex
separateMongoListener: true
asserts:
- notContains:
path: spec.template.spec.containers[0].ports
content:
name: mongo
containerPort: 27017
protocol: TCP
- it: should set postStart command if set in values
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
postStart:
command: ["/bin/echo", "test"]
asserts:
- equal:
path: spec.template.spec.containers[0].lifecycle.postStart.exec.command
value: ["/bin/echo", "test"]
- it: should add and mount emptyDir for data
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
asserts:
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /var/lib/teleport
name: data
- contains:
path: spec.template.spec.volumes
content:
name: data
emptyDir: {}
- it: should set priorityClassName when set in values
template: proxy/deployment.yaml
values:
- ../.lint/priority-class-name.yaml
asserts:
- equal:
path: spec.template.spec.priorityClassName
value: system-cluster-critical
- it: should set probeTimeoutSeconds when set in values
template: proxy/deployment.yaml
values:
- ../.lint/probe-timeout-seconds.yaml
asserts:
- equal:
path: spec.template.spec.containers[0].livenessProbe.timeoutSeconds
value: 5
- equal:
path: spec.template.spec.containers[0].readinessProbe.timeoutSeconds
value: 5
- it: should not mount TLS secrets when when highAvailability.certManager.enabled is false and tls.existingSecretName is not set
template: proxy/deployment.yaml
set:
clusterName: helm-lint-test-cluster
asserts:
- notContains:
path: spec.template.spec.volumes
content:
name: teleport-tls
secret:
secretName: teleport-tls
- notContains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /etc/teleport-tls
name: teleport-tls
readOnly: true
- it: should mount cert-manager TLS secret when highAvailability.certManager.enabled is true
template: proxy/deployment.yaml
values:
- ../.lint/cert-manager.yaml
asserts:
- contains:
path: spec.template.spec.volumes
content:
name: teleport-tls
secret:
secretName: teleport-tls
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /etc/teleport-tls
name: teleport-tls
readOnly: true
- it: should mount tls.existingSecretName when set in values
template: proxy/deployment.yaml
values:
- ../.lint/existing-tls-secret.yaml
asserts:
- contains:
path: spec.template.spec.volumes
content:
name: teleport-tls
secret:
secretName: helm-lint-existing-tls-secret
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /etc/teleport-tls
name: teleport-tls
readOnly: true
- it: should mount tls.existingCASecretName and set environment when set in values
template: proxy/deployment.yaml
values:
- ../.lint/existing-tls-secret-with-ca.yaml
asserts:
- contains:
path: spec.template.spec.volumes
content:
name: teleport-tls-ca
secret:
secretName: helm-lint-existing-tls-secret-ca
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /etc/teleport-tls-ca
name: teleport-tls-ca
readOnly: true
- contains:
path: spec.template.spec.containers[0].env
content:
name: SSL_CERT_FILE
value: /etc/teleport-tls-ca/ca.pem
- it: should mount tls.existingCASecretName and set extra environment when set in values
template: proxy/deployment.yaml
values:
- ../.lint/existing-tls-secret-with-ca.yaml
- ../.lint/extra-env.yaml
asserts:
- contains:
path: spec.template.spec.volumes
content:
name: teleport-tls-ca
secret:
secretName: helm-lint-existing-tls-secret-ca
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /etc/teleport-tls-ca
name: teleport-tls-ca
readOnly: true
- contains:
path: spec.template.spec.containers[0].env
content:
name: SSL_CERT_FILE
value: /etc/teleport-tls-ca/ca.pem
- contains:
path: spec.template.spec.containers[0].env
content:
name: SOME_ENVIRONMENT_VARIABLE
value: some-value
- it: should set minReadySeconds when replicaCount > 1
template: proxy/deployment.yaml
set:
clusterName: helm-lint
highAvailability:
certManager:
enabled: true
replicaCount: 3
minReadySeconds: 60
asserts:
- equal:
path: spec.minReadySeconds
value: 60
- it: should not set minReadySeconds when replicaCount = 1
template: proxy/deployment.yaml
set:
chartMode: scratch
highAvailability:
minReadySeconds: 60
replicaCount: 1
asserts:
- equal:
path: spec.minReadySeconds
value: null
- it: should set nodeSelector when set in values
template: proxy/deployment.yaml
set:
chartMode: scratch
clusterName: helm-lint.example.com
nodeSelector:
role: bastion
environment: security
asserts:
- isNotNull:
path: spec.template.spec.nodeSelector
- matchSnapshot:
path: spec.template.spec
- it: mounts regular tokens on older Kubernetes versions
template: proxy/deployment.yaml
set:
clusterName: helm-lint
capabilities:
majorVersion: 1
minorVersion: 18
asserts:
- notEqual:
path: spec.template.spec.automountServiceAccountToken
value: false
- notContains:
path: spec.template.spec.volumes
content:
name: proxy-serviceaccount-token
projected:
sources:
- serviceAccountToken:
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- path: "namespace"
fieldRef:
fieldPath: metadata.namespace
- notContains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: proxy-serviceaccount-token
readOnly: true
- it: mounts tokens through projected volumes on newer Kubernetes versions
template: proxy/deployment.yaml
set:
clusterName: helm-lint
capabilities:
majorVersion: 1
minorVersion: 21
asserts:
- equal:
path: spec.template.spec.automountServiceAccountToken
value: false
- contains:
path: spec.template.spec.volumes
content:
name: proxy-serviceaccount-token
projected:
sources:
- serviceAccountToken:
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- path: "namespace"
fieldRef:
fieldPath: metadata.namespace
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: proxy-serviceaccount-token
readOnly: true


@ -1,23 +0,0 @@
suite: Proxy PodDisruptionBudget
templates:
- proxy/pdb.yaml
tests:
- it: not should create a PDB when disabled in values
set:
highAvailability:
podDisruptionBudget:
enabled: false
asserts:
- hasDocuments:
count: 0
- it: should create a PDB when enabled in values (pdb.yaml)
values:
- ../.lint/pdb.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: PodDisruptionBudget
- equal:
path: spec.minAvailable
value: 2


@ -1,381 +0,0 @@
suite: Proxy Service
templates:
- proxy/service.yaml
tests:
- it: uses a LoadBalancer by default
set:
clusterName: teleport.example.com
asserts:
- hasDocuments:
count: 1
- isKind:
of: Service
- equal:
path: spec.type
value: LoadBalancer
- it: uses a ClusterIP when service.type=ClusterIP
set:
clusterName: teleport.example.com
service:
type: ClusterIP
asserts:
- hasDocuments:
count: 1
- isKind:
of: Service
- equal:
path: spec.type
value: ClusterIP
- it: uses a ClusterIP when proxy.service.type=ClusterIP
set:
clusterName: teleport.example.com
service:
type: NodePort
proxy:
service:
type: ClusterIP
asserts:
- hasDocuments:
count: 1
- isKind:
of: Service
- equal:
path: spec.type
value: ClusterIP
- it: fails to deploy when ingress.enabled=true and proxy.service.type is set to LoadBalancer (default)
set:
clusterName: teleport.example.com
ingress:
enabled: true
asserts:
- failedTemplate:
errorMessage: "proxy.service.type must not be LoadBalancer when using an ingress - any load balancer should be provisioned by your ingress controller. Set proxy.service.type=ClusterIP instead"
- it: uses a ClusterIP when ingress.enabled=true and service.type=ClusterIP
set:
clusterName: teleport.example.com
ingress:
enabled: true
service:
type: ClusterIP
asserts:
- hasDocuments:
count: 1
- isKind:
of: Service
- equal:
path: spec.type
value: ClusterIP
- it: uses a ClusterIP when ingress.enabled=true and proxy.service.type=ClusterIP
set:
clusterName: teleport.example.com
ingress:
enabled: true
proxy:
service:
type: ClusterIP
asserts:
- hasDocuments:
count: 1
- isKind:
of: Service
- equal:
path: spec.type
value: ClusterIP
- it: uses a NodePort when ingress.enabled=true and proxy.service.type=NodePort
set:
clusterName: teleport.example.com
ingress:
enabled: true
proxy:
service:
type: NodePort
asserts:
- hasDocuments:
count: 1
- isKind:
of: Service
- equal:
path: spec.type
value: NodePort
- it: uses a NodePort when ingress.enabled=true and service.type=NodePort
set:
clusterName: teleport.example.com
ingress:
enabled: true
service:
type: NodePort
asserts:
- hasDocuments:
count: 1
- isKind:
of: Service
- equal:
path: spec.type
value: NodePort
- it: uses a NodePort when ingress.enabled=true and proxy.service.type is overridden
set:
clusterName: teleport.example.com
ingress:
enabled: true
proxy:
service:
type: NodePort
asserts:
- hasDocuments:
count: 1
- isKind:
of: Service
- equal:
path: spec.type
value: NodePort
- it: sets AWS annotations when chartMode=aws
set:
clusterName: teleport.example.com
chartMode: aws
asserts:
- hasDocuments:
count: 1
- isKind:
of: Service
- equal:
path: spec.type
value: LoadBalancer
- equal:
path: metadata.annotations.service\.beta\.kubernetes\.io/aws-load-balancer-type
value: nlb
- equal:
path: metadata.annotations.service\.beta\.kubernetes\.io/aws-load-balancer-backend-protocol
value: tcp
- equal:
path: metadata.annotations.service\.beta\.kubernetes\.io/aws-load-balancer-cross-zone-load-balancing-enabled
value: "true"
- it: sets service annotations when specified
values:
- ../.lint/annotations.yaml
asserts:
- equal:
path: metadata.annotations.kubernetes\.io/service
value: test-annotation
- equal:
path: metadata.annotations.kubernetes\.io/service-different
value: 5
- it: adds a separate Postgres listener port when separatePostgresListener is true
values:
- ../.lint/separate-postgres-listener.yaml
asserts:
- contains:
path: spec.ports
content:
name: postgres
port: 5432
targetPort: 5432
protocol: TCP
- it: does not add a separate Postgres listener port when separatePostgresListener is true and ingress.enabled=true
values:
- ../.lint/separate-postgres-listener.yaml
set:
ingress:
enabled: true
proxyListenerMode: multiplex
service:
type: ClusterIP
asserts:
- notContains:
path: spec.ports
content:
name: postgres
port: 5432
targetPort: 5432
protocol: TCP
- it: adds a separate Mongo listener port when separateMongoListener is true
values:
- ../.lint/separate-mongo-listener.yaml
asserts:
- contains:
path: spec.ports
content:
name: mongo
port: 27017
targetPort: 27017
protocol: TCP
- it: does not add a separate Mongo listener port when separateMongoListener is true and ingress.enabled=true
values:
- ../.lint/separate-mongo-listener.yaml
set:
ingress:
enabled: true
proxyListenerMode: multiplex
service:
type: ClusterIP
asserts:
- notContains:
path: spec.ports
content:
name: mongo
port: 27017
targetPort: 27017
protocol: TCP
- it: sets AWS backend protocol annotation to ssl when in AWS mode and ACM annotation is set
values:
- ../.lint/aws-ha.yaml
set:
annotations:
service:
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-1:1234567890:certificate/a857a76c-51d0-4d3d-8000-465bb3e9829b
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: 443
asserts:
- equal:
path: metadata.annotations.service\.beta\.kubernetes\.io/aws-load-balancer-backend-protocol
value: ssl
- it: does not add AWS backend protocol annotation when in AWS mode, ACM annotation is set and ingress is enabled
values:
- ../.lint/aws-ha.yaml
set:
ingress:
enabled: true
service:
type: ClusterIP
annotations:
service:
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-1:1234567890:certificate/a857a76c-51d0-4d3d-8000-465bb3e9829b
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: 443
asserts:
- isNull:
path: metadata.annotations.service\.beta\.kubernetes\.io/aws-load-balancer-backend-protocol
- it: sets AWS backend protocol annotation to tcp when in AWS mode and ACM annotation is not set
values:
- ../.lint/aws-ha.yaml
asserts:
- equal:
path: metadata.annotations.service\.beta\.kubernetes\.io/aws-load-balancer-backend-protocol
value: tcp
- it: does not set AWS backend protocol annotation when in AWS mode, ACM annotation is not set and ingress is enabled
values:
- ../.lint/aws-ha.yaml
set:
ingress:
enabled: true
service:
type: ClusterIP
annotations:
service:
# required so at least one service annotation exists, to avoid non map type error
service.beta.kubernetes.io/random-annotation: helm-lint
asserts:
- isNull:
path: metadata.annotations.service\.beta\.kubernetes\.io/aws-load-balancer-backend-protocol
- it: exposes separate listener ports by default
values:
- ../.lint/example-minimal-standalone.yaml
asserts:
- matchSnapshot:
path: spec.ports
- it: does not expose separate listener ports by default when ingress.enabled=true
values:
- ../.lint/example-minimal-standalone.yaml
set:
ingress:
enabled: true
proxyListenerMode: multiplex
service:
type: ClusterIP
asserts:
- notContains:
path: spec.ports
content:
- name: sshproxy
port: 3023
targetPort: 3023
protocol: TCP
- name: k8s
port: 3026
targetPort: 3026
protocol: TCP
- name: sshtun
port: 3024
targetPort: 3024
protocol: TCP
- name: mysql
port: 3036
targetPort: 3036
protocol: TCP
- matchSnapshot:
path: spec.ports
- it: exposes separate listener ports when running in separate mode
values:
- ../.lint/proxy-listener-mode-separate.yaml
asserts:
- matchSnapshot:
path: spec.ports
- it: does not expose separate listener ports when running in separate mode and ingress.enabled=true
values:
- ../.lint/proxy-listener-mode-separate.yaml
set:
ingress:
enabled: true
proxyListenerMode: multiplex
service:
type: ClusterIP
asserts:
- notContains:
path: spec.ports
content:
- name: sshproxy
port: 3023
targetPort: 3023
protocol: TCP
- name: k8s
port: 3026
targetPort: 3026
protocol: TCP
- name: sshtun
port: 3024
targetPort: 3024
protocol: TCP
- name: mysql
port: 3036
targetPort: 3036
protocol: TCP
- matchSnapshot:
path: spec.ports
- it: exposes a single port when running in multiplex mode
values:
- ../.lint/proxy-listener-mode-multiplex.yaml
asserts:
- matchSnapshot:
path: spec.ports
- it: exposes a single port when running in multiplex mode and ingress.enabled=true
values:
- ../.lint/proxy-listener-mode-multiplex.yaml
set:
ingress:
enabled: true
service:
type: ClusterIP
asserts:
- matchSnapshot:
path: spec.ports


@ -1,22 +0,0 @@
suite: Proxy ServiceAccount
templates:
- proxy/serviceaccount.yaml
tests:
- it: sets ServiceAccount annotations when specified
values:
- ../.lint/annotations.yaml
asserts:
- equal:
path: metadata.annotations.kubernetes\.io/serviceaccount
value: test-annotation
- equal:
path: metadata.annotations.kubernetes\.io/serviceaccount-different
value: 6
- it: changes ServiceAccount name when specified and appends "-proxy"
values:
- ../.lint/service-account.yaml
asserts:
- equal:
path: metadata.name
value: "helm-lint-proxy"


@ -1,972 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema",
"type": "object",
"required": [
"clusterName",
"authentication",
"enterprise",
"operator",
"podSecurityPolicy",
"labels",
"chartMode",
"validateConfigOnDeploy",
"highAvailability",
"podMonitor",
"tls",
"image",
"enterpriseImage",
"log",
"affinity",
"nodeSelector",
"annotations",
"extraContainers",
"extraVolumes",
"extraVolumeMounts",
"imagePullPolicy",
"initContainers",
"resources",
"tolerations",
"probeTimeoutSeconds"
],
"properties": {
"clusterName": {
"$id": "#/properties/clusterName",
"type": "string",
"default": ""
},
"proxyProtocol": {
"$id": "#/properties/proxyProtocol",
"type": "string",
"default": "",
"enum": [
"off",
"on"
]
},
"auth": {
"$id": "#/properties/auth",
"type": "object"
},
"proxy": {
"$id": "#/properties/proxy",
"type": "object"
},
"createProxyToken": {
"$id": "#/properties/createProxyToken",
"type": "boolean",
"default": true
},
"podMonitor": {
"$id": "#/properties/podMonitor",
"type": "object",
"required": [
"enabled"
],
"properties": {
"enabled": {
"$id": "#/properties/podMonitor/enabled",
"type": "boolean",
"default": false
},
"additionalLabels": {
"$id": "#/properties/podMonitor/additionalLabels",
"type": "object",
"default": {
"prometheus": "default"
},
"additionalProperties": {
"type": "string"
}
},
"interval": {
"$id": "#/properties/podMonitor/interval",
"type": "string",
"default": "30s"
}
}
},
"authentication": {
"$id": "#/properties/authentication",
"type": "object",
"required": [
"type",
"localAuth"
],
"properties": {
"type": {
"$id": "#/properties/authentication/properties/type",
"type": "string",
"default": "local"
},
"connectorName": {
"$id": "#/properties/authentication/properties/connectorName",
"type": "string",
"default": ""
},
"localAuth": {
"$id": "#/properties/authentication/properties/localAuth",
"type": "boolean",
"default": true
},
"lockingMode": {
"$id": "#/properties/authentication/properties/lockingMode",
"type": "string",
"default": ""
},
"secondFactor": {
"$id": "#/properties/authentication/properties/secondFactor",
"type": "string",
"enum": [
"off",
"on",
"otp",
"optional",
"webauthn"
],
"default": "otp"
},
"webauthn": {
"$id": "#/properties/authentication/properties/webauthn",
"type": "object",
"required": [],
"properties": {
"attestationAllowedCas": {
"$id": "#/properties/authentication/properties/webauthn/properties/attestationAllowedCas",
"type": "array",
"default": []
},
"attestationDeniedCas": {
"$id": "#/properties/authentication/properties/webauthn/properties/attestationDeniedCas",
"type": "array",
"default": []
}
}
}
}
},
"authenticationType": {
"$id": "#/properties/authenticationType",
"type": "string"
},
"authenticationSecondFactor": {
"$id": "#/properties/authenticationSecondFactor",
"type": "object",
"required": [],
"properties": {
"secondFactor": {
"$id": "#/properties/authenticationSecondFactor/properties/secondFactor",
"type": "string",
"enum": [
"off",
"on",
"otp",
"optional",
"webauthn"
],
"default": "otp"
},
"webauthn": {
"$id": "#/properties/authenticationSecondFactor/properties/webauthn",
"type": "object",
"required": [],
"properties": {
"attestationAllowedCas": {
"$id": "#/properties/authenticationSecondFactor/properties/webauthn/properties/attestationAllowedCas",
"type": "array",
"default": []
},
"attestationDeniedCas": {
"$id": "#/properties/authenticationSecondFactor/properties/webauthn/properties/attestationDeniedCas",
"type": "array",
"default": []
}
}
}
}
},
"proxyListenerMode": {
"$id": "#/properties/proxyListenerMode",
"type": "string",
"default": ""
},
"sessionRecording": {
"$id": "#/properties/sessionRecording",
"type": "string",
"default": ""
},
"separatePostgresListener": {
"$id": "#/properties/separatePostgresListener",
"type": "boolean",
"default": false
},
"separateMongoListener": {
"$id": "#/properties/separateMongoListener",
"type": "boolean",
"default": false
},
"publicAddr": {
"$id": "#/properties/publicAddr",
"type": "array",
"items": {
"type": "string"
},
"default": []
},
"kubePublicAddr": {
"$id": "#/properties/kubePublicAddr",
"type": "array",
"items": {
"type": "string"
},
"default": []
},
"mongoPublicAddr": {
"$id": "#/properties/mongoPublicAddr",
"type": "array",
"items": {
"type": "string"
},
"default": []
},
"mysqlPublicAddr": {
"$id": "#/properties/mysqlPublicAddr",
"type": "array",
"items": {
"type": "string"
},
"default": []
},
"postgresPublicAddr": {
"$id": "#/properties/postgresPublicAddr",
"type": "array",
"items": {
"type": "string"
},
"default": []
},
"sshPublicAddr": {
"$id": "#/properties/sshPublicAddr",
"type": "array",
"items": {
"type": "string"
},
"default": []
},
"tunnelPublicAddr": {
"$id": "#/properties/tunnelPublicAddr",
"type": "array",
"items": {
"type": "string"
},
"default": []
},
"teleportVersionOverride": {
"$id": "#/properties/teleportVersionOverride",
"type": "string",
"default": ""
},
"acme": {
"$id": "#/properties/acme",
"type": "boolean",
"default": false
},
"acmeEmail": {
"$id": "#/properties/acmeEmail",
"type": "string",
"default": ""
},
"acmeURI": {
"$id": "#/properties/acmeURI",
"type": "string",
"default": ""
},
"enterprise": {
"$id": "#/properties/enterprise",
"type": "boolean",
"default": false
},
"installCRDs": {
"$id": "#/properties/installCRDs",
"type": "boolean"
},
"operator": {
"$id": "#/properties/operator",
"type": "object",
"required": [
"enabled"
],
"properties": {
"enabled": {
"$id": "#/properties/operator/properties/enabled",
"type": "boolean",
"default": false
},
"image": {
"$id": "#/properties/operator/properties/image",
"type": "string",
"default": "public.ecr.aws/gravitational/teleport-operator"
},
"resources": {
"$id": "#/properties/operator/properties/resources",
"type": "object",
"default": {}
}
}
},
"podSecurityPolicy": {
"$id": "#/properties/podSecurityPolicy",
"type": "object",
"required": [
"enabled"
],
"properties": {
"enabled": {
"$id": "#/properties/podSecurityPolicy/properties/enabled",
"type": "boolean",
"default": true
}
}
},
"labels": {
"$id": "#/properties/labels",
"type": "object",
"default": {}
},
"chartMode": {
"$id": "#/properties/chartMode",
"type": "string",
"enum": [
"standalone",
"aws",
"azure",
"gcp",
"scratch"
],
"default": "standalone"
},
"validateConfigOnDeploy": {
"$id": "#/properties/validateConfigOnDeploy",
"type": "boolean",
"default": true
},
"standalone": {
"$id": "#/properties/standalone",
"type": "object",
"required": [
"volumeSize"
],
"properties": {
"existingClaimName": {
"$id": "#/properties/standalone/properties/existingClaimName",
"type": "string",
"default": ""
},
"volumeSize": {
"$id": "#/properties/standalone/properties/volumeSize",
"type": "string",
"default": ""
}
}
},
"persistence": {
"$id": "#/properties/persistence",
"type": "object",
"required": [
"enabled",
"volumeSize"
],
"properties": {
"enabled": {
"$id": "#/properties/persistence/properties/enabled",
"type": "boolean",
"default": "true"
},
"existingClaimName": {
"$id": "#/properties/persistence/properties/existingClaimName",
"type": "string",
"default": ""
},
"storageClassName": {
"$id": "#/properties/persistence/properties/storageClassName",
"type": "string",
"default": ""
},
"volumeSize": {
"$id": "#/properties/persistence/properties/volumeSize",
"type": "string",
"default": ""
}
}
},
"aws": {
"$id": "#/properties/aws",
"type": "object",
"properties": {
"region": {
"$id": "#/properties/aws/properties/region",
"type": "string",
"default": ""
},
"backendTable": {
"$id": "#/properties/aws/properties/backendTable",
"type": "string",
"default": ""
},
"auditLogTable": {
"$id": "#/properties/aws/properties/auditLogTable",
"type": "string",
"default": ""
},
"auditLogMirrorOnStdout": {
"$id": "#/properties/aws/properties/auditLogMirrorOnStdout",
"type": "boolean",
"default": "false"
},
"sessionRecordingBucket": {
"$id": "#/properties/aws/properties/sessionRecordingBucket",
"type": "string",
"default": ""
},
"backups": {
"$id": "#/properties/aws/properties/backups",
"type": "boolean",
"default": false
},
"dynamoAutoScaling": {
"$id": "#/properties/aws/properties/dynamoAutoScaling",
"type": "boolean",
"default": false
}
},
"if": {
"properties": {
"dynamoAutoScaling": {
"const": true
}
}
},
"then": {
"properties": {
"readMinCapacity": {
"$id": "#/properties/aws/properties/readMinCapacity",
"type": "integer"
},
"readMaxCapacity": {
"$id": "#/properties/aws/properties/readMaxCapacity",
"type": "integer"
},
"readTargetValue": {
"$id": "#/properties/aws/properties/readTargetValue",
"type": "number"
},
"writeMinCapacity": {
"$id": "#/properties/aws/properties/writeMinCapacity",
"type": "integer"
},
"writeMaxCapacity": {
"$id": "#/properties/aws/properties/writeMaxCapacity",
"type": "integer"
},
"writeTargetValue": {
"$id": "#/properties/aws/properties/writeTargetValue",
"type": "number"
}
}
},
"else": {
"properties": {
"readMinCapacity": {
"$id": "#/properties/aws/properties/readMinCapacity",
"type": "null"
},
"readMaxCapacity": {
"$id": "#/properties/aws/properties/readMaxCapacity",
"type": "null"
},
"readTargetValue": {
"$id": "#/properties/aws/properties/readTargetValue",
"type": "null"
},
"writeMinCapacity": {
"$id": "#/properties/aws/properties/writeMinCapacity",
"type": "null"
},
"writeMaxCapacity": {
"$id": "#/properties/aws/properties/writeMaxCapacity",
"type": "null"
},
"writeTargetValue": {
"$id": "#/properties/aws/properties/writeTargetValue",
"type": "null"
}
}
}
},
"azure": {
"$id": "#/properties/azure",
"type": "object",
"properties": {
"databaseHost": {
"$id": "#/properties/azure/properties/databaseHost",
"type": "string",
"default": ""
},
"databaseUser": {
"$id": "#/properties/azure/properties/databaseUser",
"type": "string",
"default": ""
},
"backendDatabase": {
"$id": "#/properties/azure/properties/backendDatabase",
"type": "string",
"default": "teleport_backend"
},
"auditLogDatabase": {
"$id": "#/properties/azure/properties/auditLogDatabase",
"type": "string",
"default": "teleport_audit"
},
"auditLogMirrorOnStdout": {
"$id": "#/properties/azure/properties/auditLogMirrorOnStdout",
"type": "boolean",
"default": false
},
"sessionRecordingStorageAccount": {
"$id": "#/properties/azure/properties/sessionRecordingStorageAccount",
"type": "string",
"default": ""
},
"clientID": {
"$id": "#/properties/azure/properties/clientID",
"type": "string",
"default": ""
},
"databasePoolMaxConnections": {
"$id": "#/properties/azure/properties/databasePoolMaxConnections",
"type": "integer",
"default": 0
}
}
},
"gcp": {
"$id": "#/properties/gcp",
"type": "object",
"properties": {
"projectId": {
"$id": "#/properties/gcp/properties/projectId",
"type": "string",
"default": ""
},
"backendTable": {
"$id": "#/properties/gcp/properties/backendTable",
"type": "string",
"default": ""
},
"auditLogTable": {
"$id": "#/properties/gcp/properties/auditLogTable",
"type": "string",
"default": ""
},
"auditLogMirrorOnStdout": {
"$id": "#/properties/aws/properties/auditLogMirrorOnStdout",
"type": "boolean",
"default": "false"
},
"sessionRecordingBucket": {
"$id": "#/properties/gcp/properties/sessionRecordingBucket",
"type": "string",
"default": ""
},
"credentialSecretName": {
"$id": "#/properties/gcp/properties/credentialSecretName",
"type": "string",
"default": "teleport-gcp-credentials"
}
}
},
"highAvailability": {
"$id": "#/properties/highAvailability",
"type": "object",
"required": [
"replicaCount",
"requireAntiAffinity",
"certManager",
"minReadySeconds",
"podDisruptionBudget"
],
"properties": {
"replicaCount": {
"$id": "#/properties/highAvailability/properties/replicaCount",
"type": "integer",
"default": 1
},
"requireAntiAffinity": {
"$id": "#/properties/highAvailability/properties/requireAntiAffinity",
"type": "boolean",
"default": false
},
"certManager": {
"$id": "#/properties/highAvailability/properties/certManager",
"type": "object",
"required": [
"enabled",
"issuerName",
"issuerKind",
"issuerGroup"
],
"properties": {
"addCommonName": {
"$id": "#/properties/highAvailability/properties/certManager/properties/addCommonName",
"type": "boolean",
"default": "false"
},
"addPublicAddrs": {
"$id": "#/properties/highAvailability/properties/certManager/properties/addPublicAddrs",
"type": "boolean",
"default": "false"
},
"enabled": {
"$id": "#/properties/highAvailability/properties/certManager/properties/enabled",
"type": "boolean",
"default": "false"
},
"issuerName": {
"$id": "#/properties/highAvailability/properties/certManager/properties/issuerName",
"type": "string",
"default": ""
},
"issuerKind": {
"$id": "#/properties/highAvailability/properties/certManager/properties/issuerKind",
"type": "string",
"default": "Issuer"
},
"issuerGroup": {
"$id": "#/properties/highAvailability/properties/certManager/properties/issuerGroup",
"type": "string",
"default": "cert-manager.io"
}
}
},
"minReadySeconds": {
"$id": "#/properties/highAvailability/properties/minReadySeconds",
"type": "integer",
"default": 15
},
"podDisruptionBudget": {
"$id": "#/properties/highAvailability/properties/podDisruptionBudget",
"type": "object",
"required": [
"enabled",
"minAvailable"
],
"properties": {
"enabled": {
"$id": "#/properties/highAvailability/properties/podDisruptionBudget/properties/enabled",
"type": "boolean",
"default": false
},
"minAvailable": {
"$id": "#/properties/highAvailability/properties/podDisruptionBudget/properties/minAvailable",
"type": "integer",
"default": 1
}
}
}
}
},
"tls": {
"$id": "#/properties/tls",
"type": "object",
"required": [
"existingSecretName",
"existingCASecretName"
],
"properties": {
"existingSecretName": {
"$id": "#/properties/tls/properties/existingSecretName",
"type": "string",
"default": ""
},
"existingCASecretName": {
"$id": "#/properties/tls/properties/existingCASecretName",
"type": "string",
"default": ""
}
}
},
"image": {
"$id": "#/properties/image",
"type": "string",
"default": "public.ecr.aws/gravitational/teleport-distroless"
},
"enterpriseImage": {
"$id": "#/properties/enterpriseImage",
"type": "string",
"default": "public.ecr.aws/gravitational/teleport-ent-distroless"
},
"imagePullSecrets": {
"$id": "#/properties/imagePullSecrets",
"type": "array",
"default": []
},
"logLevel": {
"$id": "#/properties/logLevel",
"type": "string",
"enum": [
"DEBUG",
"INFO",
"WARN",
"WARNING",
"ERROR"
],
"default": "INFO"
},
"log": {
"$id": "#/properties/log",
"type": "object",
"required": [
"output",
"format",
"extraFields"
],
"properties": {
"level": {
"$id": "#/properties/log/properties/level",
"type": "string",
"enum": [
"DEBUG",
"INFO",
"WARN",
"WARNING",
"ERROR"
],
"default": "INFO"
},
"deployment": {
"$id": "#/properties/log/properties/output",
"type": "string",
"default": {}
},
"pod": {
"$id": "#/properties/log/properties/format",
"type": "string",
"default": {}
},
"service": {
"$id": "#/properties/log/properties/extraFields",
"type": "array",
"default": {}
}
}
},
"affinity": {
"$id": "#/properties/affinity",
"type": "object",
"default": {}
},
"nodeSelector": {
"$id": "#/properties/nodeSelector",
"type": "object",
"default": {}
},
"annotations": {
"$id": "#/properties/annotations",
"type": "object",
"required": [
"config",
"deployment",
"pod",
"service",
"serviceAccount",
"certSecret",
"ingress"
],
"properties": {
"config": {
"$id": "#/properties/annotations/properties/config",
"type": "object",
"default": {}
},
"deployment": {
"$id": "#/properties/annotations/properties/deployment",
"type": "object",
"default": {}
},
"pod": {
"$id": "#/properties/annotations/properties/pod",
"type": "object",
"default": {}
},
"service": {
"$id": "#/properties/annotations/properties/service",
"type": "object",
"default": {}
},
"serviceAccount": {
"$id": "#/properties/annotations/properties/serviceAccount",
"type": "object",
"default": {}
},
"certSecret": {
"$id": "#/properties/annotations/properties/certSecret",
"type": "object",
"default": {}
}
}
},
"service": {
"$id": "#/properties/service",
"type": "object",
"required": [
"type"
],
"properties": {
"type": {
"$id": "#properties/service/type",
"type": "string",
"default": "LoadBalancer"
},
"spec": {
"$id": "#/properties/service/spec",
"type": "object",
"default": {}
}
}
},
"ingress": {
"enabled": {
"$id": "#/properties/ingress/enabled",
"type": "boolean",
"default": false
},
"suppressAutomaticWildcards": {
"$id": "#/properties/ingress/suppressAutomaticWildcards",
"type": "boolean",
"default": false
},
"spec": {
"$id": "#/properties/ingress/spec",
"type": "object",
"default": {}
}
},
"serviceAccount": {
"$id": "#/properties/serviceAccount",
"type": "object",
"required": [],
"properties": {
"name": {
"$id": "#properties/service/name",
"type": "string",
"default": ""
},
"create": {
"$id": "#properties/service/create",
"type": "boolean",
"default": true
}
}
},
"rbac": {
"$id": "#/properties/rbac",
"type": "object",
"required": [],
"properties": {
"create": {
"$id": "#properties/rbac/create",
"type": "boolean",
"default": true
}
}
},
"extraArgs": {
"$id": "#/properties/extraArgs",
"type": "array",
"default": []
},
"extraEnv": {
"$id": "#/properties/extraEnv",
"type": "array",
"default": []
},
"extraContainers": {
"$id": "#/properties/extraContainers",
"type": "array",
"default": []
},
"extraVolumes": {
"$id": "#/properties/extraVolumes",
"type": "array",
"default": []
},
"extraVolumeMounts": {
"$id": "#/properties/extraVolumeMounts",
"type": "array",
"default": []
},
"imagePullPolicy": {
"$id": "#/properties/imagePullPolicy",
"type": "string",
"enum": [
"Never",
"IfNotPresent",
"Always"
],
"default": "IfNotPresent"
},
"initContainers": {
"$id": "#/properties/initContainers",
"type": "array",
"default": []
},
"postStart": {
"$id": "#/properties/postStart",
"type": "object",
"required": [
"command"
],
"properties": {
"command": {
"$id": "#properties/postStart/command",
"type": "array",
"default": []
}
}
},
"kubeClusterName": {
"$id": "#/properties/kubeClusterName",
"type": "string",
"default": ""
},
"resources": {
"$id": "#/properties/resources",
"type": "object",
"default": {}
},
"securityContext": {
"$id": "#/properties/securityContext",
"type": "object",
"default": {}
},
"tolerations": {
"$id": "#/properties/tolerations",
"type": "array",
"default": []
},
"priorityClassName": {
"$id": "#/properties/priorityClassName",
"type": "string",
"default": ""
},
"probeTimeoutSeconds": {
"$id": "#/properties/probeTimeoutSeconds",
"type": "integer",
"default": 1
},
"terminationGracePeriodSeconds": {
"$id": "#/properties/terminationGracePeriodSeconds",
"type": "integer",
"default": 60
}
}
}


@ -1,698 +0,0 @@
##################################################
# Values that must always be provided by the user.
##################################################
# `clusterName` controls the name used to refer to the Teleport cluster, along with
# the externally-facing public address to use to access it. In most setups this must
# be a fully-qualified domain name (e.g. `teleport.example.com`) as this value is
# used as the cluster's public address by default.
#
# Note: When using a fully qualified domain name as your `clusterName`, you will also
# need to configure the DNS provider for this domain to point to the external
# load balancer address of your Teleport cluster.
#
# Warning: The clusterName cannot be changed during a Teleport cluster's lifespan.
# If you need to change it, you must redeploy a completely new cluster.
clusterName: ""
# Name for this kubernetes cluster to be used by teleport users.
kubeClusterName: ""
##################################################
# Values that you may need to change.
##################################################
# Version of teleport image, if different from chart version in Chart.yaml.
# DANGER: `teleportVersionOverride` MUST NOT be used to control the Teleport version.
# This chart is designed to run a specific teleport version (see Chart.yaml).
# You will face compatibility issues trying to run a different Teleport version with it.
#
# If you want to run Teleport version X, you should use `helm --version X` instead.
teleportVersionOverride: ""
# The `proxyProtocol` value controls whether the Proxy pods will
# accept PROXY lines with the client's IP address when they are
# behind a L4 load balancer (e.g. AWS ELB, GCP L4 LB, etc) with PROXY protocol
# enabled. Since L4 LBs do not preserve the client's IP address, PROXY protocol is
# required to ensure that Teleport can properly audit the client's IP address.
#
# When Teleport pods are not behind a L4 LB with PROXY protocol enabled, this
# value should be set to "off" to prevent Teleport from accepting PROXY headers
# from untrusted sources.
# Possible values are "on" and "off".
# - "on" will enable the PROXY protocol for all connections and will require the
# L4 LB to send a PROXY header.
# - "off" will disable the PROXY protocol for all connections and denies all
# connections prefixed with a PROXY header.
#
# If proxyProtocol is unspecified, Teleport does not require PROXY header for the
# connection, but will accept it if present. This mode is considered insecure
# and should only be used for testing purposes.
#
# See https://goteleport.com/docs/ver/14.x/management/security/proxy-protocol/
# for more information.
#
# proxyProtocol: on
# The `teleport-cluster` charts deploys two sets of pods: auth and proxy.
#
# `auth` allows you to set chart values only for Kubernetes resources related to the Teleport Auth Service.
# This is merged with chart-scoped values and takes precedence in case of conflict.
# For example:
#
# auth:
# postStart: ["curl", "http://hook"]
# imagePullPolicy: Always
auth:
# auth.teleportConfig contains YAML teleport configuration for auth pods
# The configuration will be merged with the chart-generated configuration
# and will take precedence in case of conflict.
#
# See the Teleport Configuration Reference for the list of supported fields:
# https://goteleport.com/docs/reference/config/
#
# teleportConfig:
# teleport:
# cache:
# enabled: false
# auth_service:
# client_idle_timeout: 2h
# client_idle_timeout_message: "Connection closed after 2hours without activity"
teleportConfig: {}
# `proxy` allows you to set chart values only for Kubernetes resources related to the Teleport Proxy Service.
# This is merged with chart-scoped values and takes precedence in case of conflict.
# For example:
# proxy:
# postStart: ["curl", "http://hook"]
# imagePullPolicy: Always
# annotations:
# service:
# external-dns.alpha.kubernetes.io/hostname: "teleport.example.com"
proxy:
# proxy.teleportConfig contains YAML teleport configuration for proxy pods
# The configuration will be merged with the chart-generated configuration
# and will take precedence in case of conflict
#
# See the Teleport Configuration Reference for the list of supported fields:
# https://goteleport.com/docs/reference/config/
#
# teleportConfig:
# teleport:
# cache:
# enabled: false
# proxy_service:
# https_keypairs:
# - key_file: /my-custom-mount/key.pem
# cert_file: /my-custom-mount/cert.pem
teleportConfig: {}
authentication:
# Default authentication type. Possible values are 'local' and 'github' for OSS, plus 'oidc' and 'saml' for Enterprise.
type: local
# Sets the authenticator connector for SSO or the default connector for "local" authentication.
# See SSO for Enterprise (https://goteleport.com/docs/enterprise/sso/).
# See Passwordless for local
# (http://goteleport.com/docs/access-controls/guides/passwordless/#optional-enable-passwordless-by-default).
# Defaults to "local".
connectorName: ""
# Enable/disable local authentication by setting `authentication.local_auth` in `teleport.yaml`.
# Disabling local auth is required for FedRAMP / FIPS; see https://gravitational.com/teleport/docs/enterprise/ssh-kubernetes-fedramp/.
localAuth: true
# Controls the locking mode: in case of network split should Teleport guarantee availability or integrity ?
# Possible values are "best_effort" and "strict". When not defined, Teleport defaults to "best_effort".
# See https://goteleport.com/docs/access-controls/guides/locking/#next-steps-locking-modes.
lockingMode: ""
# Second factor requirements for users of the Teleport cluster.
# Controls the `auth_config.authentication.second_factor` field in `teleport.yaml`.
# Possible values are 'off', 'on', 'otp', 'optional' and 'webauthn'.
#
# WARNING:
# If you set `publicAddr` for users to access the cluster under a domain different
# to clusterName you must manually set the webauthn Relying
# Party Identifier (RP ID) - https://www.w3.org/TR/webauthn-2/#relying-party-identifier
# If you don't, RP ID will default to `clusterName` and users will fail
# to register second factors.
#
# You can do this by setting the value
# `auth.teleportConfig.auth_service.authentication.webauthn.rp_id`.
#
# RP ID must be both a valid domain, and part of the full domain users are connecting to.
# For example, if users are accessing the cluster with the domain
# "teleport.example.com", RP ID can be "teleport.example.com" or "example.com".
#
# Changing the RP ID will invalidate all already registered webauthn second factors.
secondFactor: "on"
# (Optional) When using webauthn this allows to restrict which vendor and key models can be used.
# webauthn:
# attestationAllowedCas:
# - /path/to/allowed_ca.pem
# - |
# -----BEGIN CERTIFICATE-----
# ...
# -----END CERTIFICATE-----
# attestationDeniedCas:
# - /path/to/denied_ca.pem
# - |
# -----BEGIN CERTIFICATE-----
# ...
# -----END CERTIFICATE-----
# Deprecated way to set the authentication type, `authentication.type` should be preferred.
# authenticationType: local
# Deprecated way to set the authentication second factor, `authentication.secondFactor` should be preferred.
# authenticationSecondFactor:
# secondFactor: "otp"
# Teleport supports TLS routing. In this mode, all client connections are wrapped in TLS and multiplexed on one Teleport proxy port.
# Default mode will not utilize TLS routing and operate in backwards-compatibility mode.
#
# To use an ingress, set proxyListenerMode=multiplex, ingress.enabled=true and service.type=ClusterIP
#
# Possible values are 'separate' and 'multiplex'
proxyListenerMode: "separate"
# Optional setting for configuring session recording.
# See `session_recording` under https://goteleport.com/docs/setup/reference/config/#teleportyaml
sessionRecording: ""
# By default, Teleport will multiplex Postgres and MongoDB database connections on the same port as the proxy's web listener (443)
# Setting either of these values to true will separate the listeners out onto a separate port (5432 for Postgres, 27017 for MongoDB)
# This is useful when terminating TLS at a load balancer in front of Teleport (such as when using AWS ACM)
# These settings will not apply if proxyListenerMode is set to "multiplex".
separatePostgresListener: false
separateMongoListener: false
# Do not set any of these values unless you explicitly need to. Teleport always uses the cluster name by default.
#
# WARNING:
# If you set `publicAddr` for users to access the cluster under a domain different
# to clusterName, you must manually set the webauthn Relying
# Party Identifier (RP ID) - https://www.w3.org/TR/webauthn-2/#relying-party-identifier
# If you don't, RP ID will default to `clusterName` and users will fail
# to register second factors.
#
# You can do this by setting the value
# `auth.teleportConfig.auth_service.authentication.webauthn.rp_id`.
#
# RP ID must be both a valid domain, and part of the full domain users are connecting to.
# For example, if users are accessing the cluster with the domain
# "teleport.example.com", RP ID can be "teleport.example.com" or "example.com".
#
# Changing the RP ID will invalidate all already registered webauthn second factors.
#
# Public cluster addresses, including port (e.g. teleport.example.com:443)
# Defaults to `clusterName` on port 443.
publicAddr: []
# Public cluster kube addresses, including port. Defaults to `publicAddr` on port 3026.
# Only used when `proxyListenerMode` is not 'multiplex'.
kubePublicAddr: []
# Public cluster mongo listener addresses, including port. Defaults to `publicAddr` on port 27017.
# Only used when `proxyListenerMode` is not 'multiplex' and `separateMongoListener` is true.
mongoPublicAddr: []
# Public cluster MySQL addresses, including port. Defaults to `publicAddr` on port 3036.
# Only used when `proxyListenerMode` is not 'multiplex'.
mysqlPublicAddr: []
# Public cluster postgres listener addresses, including port. Defaults to `publicAddr` on port 5432.
# Only used when `proxyListenerMode` is not 'multiplex' and `separatePostgresListener` is true.
postgresPublicAddr: []
# Public cluster SSH addresses, including port. Defaults to `publicAddr` on port 3023.
# Only used when `proxyListenerMode` is not 'multiplex'.
sshPublicAddr: []
# Public cluster tunnel SSH addresses, including port. Defaults to `publicAddr` on port 3024.
# Only used when `proxyListenerMode` is not 'multiplex'.
tunnelPublicAddr: []
# ACME is a protocol for getting Web X.509 certificates
# Note: ACME can only be used for single-instance clusters. It is not suitable for use in HA configurations.
# For HA configurations, see either the "highAvailability.certManager" or "tls" values.
# Setting acme to 'true' enables the ACME protocol and will attempt to get a free TLS certificate from Let's Encrypt.
# Setting acme to 'false' (the default) will cause Teleport to generate and use self-signed certificates for its web UI.
# This section is mutually exclusive with the "tls" value below.
acme: false
# acmeEmail is the email address to provide during certificate registration (this is a Let's Encrypt requirement)
acmeEmail: ""
# acmeURI is the ACME server to use for getting certificates. The default is to use Let's Encrypt's production server.
acmeURI: ""
# Set enterprise to true to use enterprise image
# You will need to download your Enterprise license from the Teleport dashboard and create a secret to use this:
# kubectl -n ${TELEPORT_NAMESPACE?} create secret generic license --from-file=/path/to/downloaded/license.pem
enterprise: false
# CRDs are installed by default when the operator is enabled. This manual override allows to disable CRD installation
# when deploying multiple releases in the same cluster.
# installCRDs:
# Configuration of the optional Teleport operator
operator:
# Set enabled to true to add the Kubernetes Teleport Operator
enabled: false
# Kubernetes Teleport Operator image
image: public.ecr.aws/gravitational/teleport-operator
# Resources to request for the operator container
# https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
resources: {}
# requests:
# cpu: "0.5"
# memory: "1Gi"
# limits:
# memory: "1Gi"
joinMethod: "kubernetes"
token: "teleport-operator"
# This is needed to have a sensible name and predictible service account name.
nameOverride: operator
# If true, create & use Pod Security Policy resources
# https://kubernetes.io/docs/concepts/policy/pod-security-policy/
# WARNING: the PSP won't be deployed for Kubernetes 1.23 and higher.
# Please read https://goteleport.com/docs/deploy-a-cluster/helm-deployments/migration-kubernetes-1-25-psp/
podSecurityPolicy:
enabled: true
# Labels is a map of key-value pairs about this cluster
labels: {}
# Mode to deploy the chart in. The default is "standalone". Options:
# - "standalone": will deploy a Teleport container running auth and proxy services with a PersistentVolumeClaim for storage.
# - "aws": will deploy Teleport using DynamoDB for backend/audit log storage and S3 for session recordings. (1)
# - "gcp": will deploy Teleport using Firestore for backend/audit log storage and Google Cloud storage for session recordings. (2)
# - "azure": will deploy Teleport using Azure Database for PostgreSQL for backend/audit and Azure Blob Storage for session recordings. (3)
# - "scratch": will deploy Teleport containers but will not provide default configuration file. You must pass your own configuration. (4)
# (1) To use "aws" mode, you must also configure the "aws" section below.
# (2) To use "gcp" mode, you must also configure the "gcp" section below.
# (3) To use "azure" mode, you must also configure the "azure" section below.
# (4) When set to "scratch", you must write the teleport configuration in auth.teleportConfig and proxy.teleportConfig.
# `scratch` usage is strongly discouraged, this is a last resort option and
# everything should be doable with `standalone` mode + overrides through
# `auth.teleportConfig` and `proxy.teleportConfig`.
chartMode: standalone
# validateConfigOnDeploy enables a Kubernetes job before install and upgrade that will verify
# if the teleport.yaml configuration is valid and will block the deployment if it is not
validateConfigOnDeploy: true
# Whether the chart should create a Teleport ProvisionToken for the proxies to join the Teleport cluster.
# Disabling this flag will cause the proxies not to be able to join the auth pods. In this case, the
# Helm chart user is responsible for configuring working join_params on the proxy.
createProxyToken: true
# podMonitor controls the PodMonitor CR (from monitoring.coreos.com/v1)
# This CRD is managed by the prometheus-operator and allows workload to
# get monitored. To use this value, you need to run a `prometheus-operator`
# in the cluster for this value to take effect.
# See https://prometheus-operator.dev/docs/prologue/introduction/
podMonitor:
# Whether the chart should deploy a PodMonitor.
# Disabled by default as it requires the PodMonitor CRD to be installed.
enabled: false
# additionalLabels to put on the PodMonitor.
# This is used to be selected by a specific prometheus instance.
# Defaults to {prometheus: default} which seems to be the common default prometheus selector
additionalLabels:
prometheus: default
# interval is the interval between two metrics scrapes. Defaults to 30s
interval: 30s
######################################################################
# Persistence settings (only used in "standalone" and "scratch" modes)
# NOTE: Changes in Kubernetes 1.23+ mean that persistent volumes will not automatically be provisioned in AWS EKS clusters
# without additional configuration. See https://docs.aws.amazon.com/eks/latest/userguide/ebs-csi.html for more details.
# This driver addon must be configured to use persistent volumes in EKS clusters after Kubernetes 1.23.
######################################################################
persistence:
# Enable persistence using a PersistentVolumeClaim
enabled: true
# Leave blank to automatically create a PersistentVolumeClaim for Teleport storage.
# If you would like to use a pre-existing PersistentVolumeClaim, put its name here.
existingClaimName: ""
# Size of persistent volume to request when created by Teleport.
# Ignored if existingClaimName is provided.
volumeSize: 10Gi
##################################################
# AWS-specific settings (only used in "aws" mode)
##################################################
aws:
# The AWS region where the DynamoDB tables are located.
region: ""
# The DynamoDB table name to use for backend storage. Teleport will attempt to create this table automatically if it does not exist.
# The container will need an appropriately-provisioned IAM role with permissions to create DynamoDB tables.
backendTable: ""
# The DynamoDB table name to use for audit log storage. Teleport will attempt to create this table automatically if it does not exist.
# The container will need an appropriately-provisioned IAM role with permissions to create DynamoDB tables.
# This MUST NOT be the same table name as used for 'backendTable' as the schemas are different.
auditLogTable: ""
# Whether to mirror audit log entries to stdout in JSON format (useful for external log collectors)
auditLogMirrorOnStdout: false
# The S3 bucket name to use for recorded session storage. Teleport will attempt to create this bucket automatically if it does not exist.
# The container will need an appropriately-provisioned IAM role with permissions to create S3 buckets.
sessionRecordingBucket: ""
# Whether or not to turn on DynamoDB backups
backups: false
# Whether Teleport should configure DynamoDB's autoscaling.
# Requires additional statements in the IAM Teleport Policy to be allowed to configure the autoscaling.
# See https://goteleport.com/docs/setup/reference/backends/#dynamodb-autoscaling
dynamoAutoScaling: false
# DynamoDB autoscaling settings. Required if `dynamoAutoScaling` is `true`.
# See https://goteleport.com/docs/setup/reference/backends/#dynamodb-autoscaling
readMinCapacity: null # Integer
readMaxCapacity: null # Integer
readTargetValue: null # Float
writeMinCapacity: null # Integer
writeMaxCapacity: null # Integer
writeTargetValue: null # Float
##################################################
# GCP-specific settings (only used in "gcp" mode)
##################################################
gcp:
# The project name being used for the GCP account where Teleport is running.
# See https://support.google.com/googleapi/answer/7014113?hl=en
projectId: ""
# The Firestore collection to use for backend storage. Teleport will attempt to create this collection automatically if it does not exist.
# Either of the following must be true:
# - The container will need an appropriately-provisioned IAM role/service account with permissions to create Firestore collections
# - The service account credentials provided via 'credentialSecretName' will need permissions to create Firestore collections.
backendTable: ""
# The Firestore collection to use for audit log storage. Teleport will attempt to create this collection automatically if it does not exist.
# Either of the following must be true:
# - The container will need an appropriately-provisioned IAM role/service account with permissions to create Firestore collections
# - The service account credentials provided via 'credentialSecretName' will need permissions to create Firestore collections.
# This MUST NOT be the same collection name as used for 'backendTable' as the schemas are different.
auditLogTable: ""
# Whether to mirror audit log entries to stdout in JSON format (useful for external log collectors)
auditLogMirrorOnStdout: false
# The Google storage bucket name to use for recorded session storage. This bucket must already exist in the Google account being used.
sessionRecordingBucket: ""
# The name of the Kubernetes secret used to store the Google credentials.
# You will need to create this secret manually. It must contain a JSON file from Google with the credentials that Teleport will use.
# You can override this to a blank value if the worker node running Teleport already has a service account which grants access.
credentialSecretName: teleport-gcp-credentials
#####################################################
# Azure-specific settings (only used in "azure" mode)
#####################################################
azure:
# The fully qualified hostname of the Postgres database cluster hosted in Azure.
# It should follow the format "<database name>.postgres.database.azure.com".
databaseHost: ""
# The Postgres user Teleport must use to connect to the backend and audit
# databases.
databaseUser: ""
# The Postgres database to use for backend storage.
backendDatabase: "teleport_backend"
# The Postgres database to use for audit log storage.
# This MUST NOT be the same database as used for 'backendDatabase'.
auditLogDatabase: "teleport_audit"
# Whether to mirror audit log entries to stdout in JSON format (useful for external log collectors)
auditLogMirrorOnStdout: false
# The fully qualified domain name of the Azure Blob Storage account to use for
# recorded session storage. This account must already exist.
# It should follow the format "<storage account>.blob.core.windows.net"
sessionRecordingStorageAccount: ""
# Azure client ID is used by the Kubernetes Service Account to know which
# Application it should impersonate. This can be unset only if the clientID is
# passed through other means (e.g. environment variable)
clientID: ""
# Controls the `pool_max_conns` setting passed to PostgreSQL. This is the
# max amount of connections Teleport can open to the database. This can affect
# performance on large clusters and depends on various factors like the
# database size, the number of CPU cores available for Teleport, GOMAXPROCS
# and the database latency.
# This only applies to the core backend connections, not the audit log ones.
# 0 means the parameter is not set and the client's default is used (recommended)
databasePoolMaxConnections: 0
# `highAvailability` contains settings controlling how Teleport pods are
# replicated and scheduled. This allows Teleport to run in a highly-available
# fashion: Teleport should sustain the crash/loss of a machine without interrupting
# the service.
#
# For auth pods:
# When using "standalone" or "scratch" mode, you must use highly-available storage
# (etcd, DynamoDB or Firestore) for multiple replicas to be supported.
# Manually configuring NFS-based storage or ReadWriteMany volume claims
# is NOT supported and will result in errors. Using Teleport's built-in
# ACME client (as opposed to using cert-manager or passing certs through a secret)
# is not supported with multiple replicas.
# For proxy pods:
# Proxy pods need to be provided a certificate to be replicated (either via
# `tls.existingSecretName` or via `highAvailability.certManager`) or be exposed
# via an ingress (`ingress.enabled`).
# If proxy pods are replicable, they will default to 2 replicas,
# even if `highAvailability.replicaCount` is 1. To force a single proxy replica,
# set `proxy.highAvailability.replicaCount: 1`.
highAvailability:
# Controls the amount of pod replicas. The `highAvailability` comment describes
# the replication requirements.
#
# WARNING: You **must** meet the replication criteria,
# else the deployment will result in errors and inconsistent data.
replicaCount: 1
# Setting 'requireAntiAffinity' to true will use 'requiredDuringSchedulingIgnoredDuringExecution' to require that multiple Teleport pods must not be scheduled on the
# same physical host. This will result in Teleport pods failing to be scheduled in very small clusters or during node downtime, so should be used with caution.
# Setting 'requireAntiAffinity' to false (the default) uses 'preferredDuringSchedulingIgnoredDuringExecution' to make this a soft requirement.
# This setting only has any effect when replicaCount is greater than 1.
requireAntiAffinity: false
# If enabled will create a Pod Disruption Budget
# https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
podDisruptionBudget:
enabled: false
minAvailable: 1
# Settings for cert-manager (can be used for provisioning TLS certs in HA mode)
# These settings are mutually exclusive with the "tls" value below.
certManager:
# If set to true, use cert-manager to get certificates for Teleport to use for TLS termination
enabled: false
# If set to true, a common name matching the cluster name will be set in the certificate signing request. This is mandatory for some CAs.
addCommonName: false
# If set to true, any additional public addresses configured under the `publicAddr` chart value will be added to the certificate signing request.
# This setting is not enabled by default to preserve backward compatibility.
addPublicAddrs: false
# Name of the Issuer/ClusterIssuer to use for certs
# NOTE: You will always need to create this yourself when certManager.enabled is true.
issuerName: ""
# Kind of Issuer that cert-manager should look for.
# This defaults to 'Issuer' to keep everything contained within the teleport namespace.
issuerKind: Issuer
# Group of Issuer that cert-manager should look for.
# This defaults to 'cert-manager.io' which is the default Issuer group.
issuerGroup: cert-manager.io
# Injects delay when performing pod rollouts to mitigate the loss of all agent tunnels at the same time
# See https://github.com/gravitational/teleport/issues/13129
minReadySeconds: 15
# Settings for mounting your own TLS keypair to secure Teleport's web UI.
# These settings are mutually exclusive with the "highAvailability.certManager" and "acme" values above.
tls:
# Name of an existing secret to use which contains a TLS keypair. Will automatically set the https_keypairs section in teleport.yaml.
# Create the secret in the same namespace as Teleport using `kubectl create secret tls my-tls-secret --cert=/path/to/cert/file --key=/path/to/key/file`
# See https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets for more information.
existingSecretName: ""
# (optional) Name of an existing secret to use which contains a CA or trust bundle in x509 PEM format.
# Useful for building trust when using intermediate certificate authorities.
# This will automatically set the SSL_CERT_FILE environment variable to trust the CA.
# Create the secret with `kubectl create secret generic --from-file=ca.pem=/path/to/root-ca.pem
# The filename inside the secret is important - it _must_ be ca.pem
existingCASecretName: ""
##################################################
# Values that you shouldn't need to change.
##################################################
# Container image for the cluster.
# Since version 13, hardened distroless images are used by default.
# You can use the deprecated debian-based images by setting the value to
# `public.ecr.aws/gravitational/teleport`. Those images will be
# removed with teleport 14.
image: public.ecr.aws/gravitational/teleport-distroless
# Enterprise version of the image
# Since version 13, hardened distroless images are used by default.
# You can use the deprecated debian-based images by setting the value to
# `public.ecr.aws/gravitational/teleport-ent`. Those images will be
# removed with teleport 14.
enterpriseImage: public.ecr.aws/gravitational/teleport-ent-distroless
# Optional array of imagePullSecrets, to use when pulling from a private registry
imagePullSecrets: []
# Teleport logging configuration
log:
# Log level for the Teleport process.
# Available log levels are: DEBUG, INFO, WARNING, ERROR.
# The default is INFO, which is recommended in production.
# DEBUG is useful during first-time setup or to see more detailed logs for debugging.
level: INFO
# Log output
# Use a file path to log to disk: e.g. '/var/lib/teleport/teleport.log'
# Other supported values: 'stdout', 'stderr' and 'syslog'
output: stderr
# Log format configuration
# Possible output values are 'json' and 'text' (default).
format: text
# Possible extra_fields values include: timestamp, component, caller, and level.
# All extra fields are included by default.
extraFields: ["timestamp", "level", "component", "caller"]
##################################
# Extra Kubernetes configuration #
##################################
# nodeSelector to apply for pod assignment
# https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
nodeSelector: {}
# Affinity for pod assignment
# https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
# NOTE: If affinity is set here, highAvailability.requireAntiAffinity cannot also be used - you can only set one or the other.
affinity: {}
# Kubernetes annotations to apply
# https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
annotations:
# Annotations for the ConfigMap
config: {}
# Annotations for the Deployment
deployment: {}
# Annotations for each Pod in the Deployment
pod: {}
# Annotations for the Service object
service: {}
# Annotations for the ServiceAccount object
serviceAccount: {}
# Annotations for the certificate secret generated by cert-manager v1.5+ when
# highAvailability.certManager.enabled is true
certSecret: {}
# Annotations for the Ingress object
ingress: {}
# Kubernetes service account to create/use.
serviceAccount:
# Specifies whether a ServiceAccount should be created
create: true
# The name of the ServiceAccount to use.
# If not set and serviceAccount.create is true, the name is generated using the release name.
# If create is false, the name will be used to reference an existing service account.
name: ""
# To set annotations on the service account, use the annotations.serviceAccount value.
# Set to true (default) to create Kubernetes ClusterRole and ClusterRoleBinding.
rbac:
# Specifies whether a ClusterRole and ClusterRoleBinding should be created.
# Set to false if your cluster level resources are managed separately.
create: true
# Options for the Teleport proxy service
# This setting only applies to the proxy service. The teleport auth service is internal-only and always uses a ClusterIP.
# You can override the proxy's backend service to any service type (other than "LoadBalancer") here if really needed.
# To use an Ingress, set service.type=ClusterIP and ingress.enabled=true
service:
type: LoadBalancer
# Additional entries here will be added to the service spec.
spec: {}
# loadBalancerIP: "1.2.3.4"
# Options for ingress
# If you set ingress.enabled to true, service.type MUST also be set to something other than "LoadBalancer" to prevent
# additional unnecessary load balancers from being created. Ingress controllers should provision their own load balancer.
# Using an Ingress also requires that you use the `tsh` client to connect to Kubernetes clusters and databases behind Teleport.
# See https://goteleport.com/docs/architecture/tls-routing/#working-with-layer-7-load-balancers-or-reverse-proxies-preview for details.
ingress:
enabled: false
# Setting suppressAutomaticWildcards to true will not automatically add *.<clusterName> as a hostname served
# by the Ingress. This may be desirable if you don't use Teleport Application Access.
suppressAutomaticWildcards: false
# Additional entries here will be added to the ingress spec.
spec: {}
# ingressClassName: nginx
# Extra arguments to pass to 'teleport start' for the main Teleport pod
extraArgs: []
# Extra environment to be configured on the Teleport pod
extraEnv: []
# Extra containers to be added to the Teleport pod
extraContainers: []
# - name: nscenter
# command:
# - /bin/bash
# - -c
# - sleep infinity & wait
# image: praqma/network-multitool
# imagePullPolicy: IfNotPresent
# securityContext:
# privileged: true
# runAsNonRoot: false
# Extra volumes to mount into the Teleport pods
# https://kubernetes.io/docs/concepts/storage/volumes/
extraVolumes: []
# - name: myvolume
# secret:
# secretName: testSecret
# Extra volume mounts corresponding to the volumes mounted above
extraVolumeMounts: []
# - name: myvolume
# mountPath: /path/on/host
# Allow the imagePullPolicy to be overridden
imagePullPolicy: IfNotPresent
# A list of initContainers to run before each Teleport pod starts
# https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
initContainers: []
# - name: "teleport-init"
# image: "alpine"
# args: ["echo test"]
# If set, will run the command as a postStart handler
# https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/
postStart:
command: []
# Resources to request for the teleport container
# https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
#
# DANGER: Setting CPU limits is an anti-pattern and harmful in most cases.
# Unless you enabled [the Static CPU management policy](https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#static-policy),
# a multithreaded workload with CPU limits will very likely not behave the way
# you expect when approaching its CPU limit.
#
# Teleport will become unstable once throttling starts. We recommend not to set CPU limits.
# See [the GitHub PR](https://github.com/gravitational/teleport/pull/36251) for technical details.
resources: {}
# requests:
# cpu: "1"
# memory: "2Gi"
# limits:
# memory: "2Gi"
# Security context to add to the container
securityContext: {}
# runAsUser: 99
# Priority class name to add to the deployment
priorityClassName: ""
# Tolerations for pod assignment
# https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tolerations: []
# Timeouts for the readiness and liveness probes
# https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
probeTimeoutSeconds: 1
# Kubernetes termination grace period
# https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution
#
# This should be greater than 30 seconds as pods are waiting 30 seconds in a preStop hook.
terminationGracePeriodSeconds: 60


@ -1,3 +0,0 @@
clusterName: test-cluster-name
extraArgs:
- "--insecure"


@ -1,3 +0,0 @@
clusterName: test-acme-cluster
acme: true
acmeEmail: test@email.com


@ -1,4 +0,0 @@
clusterName: test-acme-cluster
acme: true
acmeEmail: test@email.com
acmeURI: https://acme-staging-v02.api.letsencrypt.org/directory


@ -1,29 +0,0 @@
clusterName: test-gcp-cluster
chartMode: gcp
gcp:
projectId: gcpproj-123456
backendTable: test-teleport-firestore-storage-collection
auditLogTable: test-teleport-firestore-auditlog-collection
sessionRecordingBucket: test-gcp-session-storage-bucket
highAvailability:
replicaCount: 2
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: gravitational.io/dedicated
operator: In
values:
- teleport
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: app
operator: In
values:
- teleport
topologyKey: kubernetes.io/hostname
weight: 1


@ -1,17 +0,0 @@
clusterName: helm-lint
annotations:
config:
kubernetes.io/config: "test-annotation"
kubernetes.io/config-different: 2
deployment:
kubernetes.io/deployment: "test-annotation"
kubernetes.io/deployment-different: 3
pod:
kubernetes.io/pod: "test-annotation"
kubernetes.io/pod-different: 4
service:
kubernetes.io/service: "test-annotation"
kubernetes.io/service-different: 5
serviceAccount:
kubernetes.io/serviceaccount: "test-annotation"
kubernetes.io/serviceaccount-different: 6


@ -1,3 +0,0 @@
clusterName: helm-lint
authentication:
connectorName: "okta"


@ -1,3 +0,0 @@
clusterName: helm-lint
authentication:
lockingMode: "strict"


@ -1,4 +0,0 @@
clusterName: helm-lint
authentication:
connectorName: passwordless
secondFactor: webauthn


@ -1,4 +0,0 @@
clusterName: helm-lint
authentication:
type: "this-should-be-ignored"
authenticationType: "github"


@ -1,3 +0,0 @@
clusterName: helm-lint
authentication:
type: "github"


@ -1,10 +0,0 @@
clusterName: helm-lint
authentication:
secondFactor: "off" # this should be overridden
authenticationSecondFactor:
secondFactor: "on"
webauthn:
attestationAllowedCas:
- "/etc/ssl/certs/ca-certificates.crt"
attestationDeniedCas:
- "/etc/ssl/certs/ca-certificates.crt"


@ -1,8 +0,0 @@
clusterName: helm-lint
authentication:
secondFactor: "on"
webauthn:
attestationAllowedCas:
- "/etc/ssl/certs/ca-certificates.crt"
attestationDeniedCas:
- "/etc/ssl/certs/ca-certificates.crt"


@ -1,14 +0,0 @@
clusterName: test-aws-cluster
chartMode: aws
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
auditLogTable: test-dynamodb-auditlog-table
sessionRecordingBucket: test-s3-session-storage-bucket
dynamoAutoScaling: true
readMinCapacity: 5
readMaxCapacity: 100
readTargetValue: 50.0
writeMinCapacity: 5
writeMaxCapacity: 100
writeTargetValue: 50.0


@ -1,14 +0,0 @@
clusterName: test-aws-cluster
chartMode: aws
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
auditLogTable: test-dynamodb-auditlog-table
sessionRecordingBucket: test-s3-session-storage-bucket
highAvailability:
replicaCount: 3
certManager:
enabled: true
issuerName: letsencrypt-production
labels:
env: aws


@ -1,12 +0,0 @@
clusterName: test-aws-cluster
chartMode: aws
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
auditLogTable: test-dynamodb-auditlog-table
sessionRecordingBucket: test-s3-session-storage-bucket
highAvailability:
replicaCount: 3
requireAntiAffinity: true
labels:
env: aws


@ -1,17 +0,0 @@
clusterName: test-aws-cluster
chartMode: aws
log:
level: DEBUG
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
auditLogTable: test-dynamodb-auditlog-table
auditLogMirrorOnStdout: true
sessionRecordingBucket: test-s3-session-storage-bucket
highAvailability:
replicaCount: 2
certManager:
enabled: true
issuerName: letsencrypt-production
labels:
env: aws


@ -1,11 +0,0 @@
clusterName: test-aws-cluster
chartMode: aws
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
auditLogTable: test-dynamodb-auditlog-table
sessionRecordingBucket: test-s3-session-storage-bucket
highAvailability:
replicaCount: 3
labels:
env: aws


@ -1,11 +0,0 @@
clusterName: test-aws-cluster
chartMode: aws
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
auditLogTable: test-dynamodb-auditlog-table
sessionRecordingBucket: test-s3-session-storage-bucket
acme: true
acmeEmail: test@email.com
labels:
env: aws


@ -1,11 +0,0 @@
clusterName: test-azure-cluster
chartMode: azure
azure:
databaseHost: "mypostgresinstance.postgres.database.azure.com"
databaseUser: "teleport"
backendDatabase: "teleport_backend"
auditLogDatabase: "teleport_audit"
auditLogMirrorOnStdout: true
sessionRecordingStorageAccount: "mystorageaccount.blob.core.windows.net"
clientID: "1234"
databasePoolMaxConnections: 100


@ -1,15 +0,0 @@
clusterName: test-cluster
chartMode: aws
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
auditLogTable: test-dynamodb-auditlog-table
sessionRecordingBucket: test-s3-session-storage-bucket
highAvailability:
replicaCount: 3
certManager:
addCommonName: true
enabled: true
issuerGroup: custom.cert-manager.io
issuerName: custom
issuerKind: CustomClusterIssuer


@ -1,15 +0,0 @@
clusterName: test-cluster
chartMode: aws
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
auditLogTable: test-dynamodb-auditlog-table
sessionRecordingBucket: test-s3-session-storage-bucket
annotations:
certSecret:
kubernetes.io/cert-secret: value
highAvailability:
replicaCount: 3
certManager:
enabled: true
issuerName: letsencrypt


@ -1,7 +0,0 @@
# This setup is not safe for production because the proxy will self-sign its certificate.
# Use those values for testing only
# The chart should deploy and work only with a clusterName.
# This setup can also cause redirection issues if the proxy is contacted with a hostName instead of an IP address
# as it is not aware of its external hostname and will attempt to perform a redirection.
clusterName: helm-lint


@ -1,4 +0,0 @@
clusterName: test-cluster-name
tls:
existingSecretName: helm-lint-existing-tls-secret
existingCASecretName: helm-lint-existing-tls-secret-ca


@ -1,3 +0,0 @@
clusterName: test-cluster-name
tls:
existingSecretName: helm-lint-existing-tls-secret


@ -1,12 +0,0 @@
clusterName: helm-lint.example.com
extraContainers:
- name: nscenter
command:
- /bin/bash
- -c
- sleep infinity & wait
image: praqma/network-multitool
imagePullPolicy: IfNotPresent
securityContext:
privileged: true
runAsNonRoot: false


@ -1,4 +0,0 @@
clusterName: helm-lint.example.com
extraEnv:
- name: SOME_ENVIRONMENT_VARIABLE
value: "some-value"


@ -1,14 +0,0 @@
clusterName: test-gcp-cluster
chartMode: gcp
gcp:
projectId: gcpproj-123456
backendTable: test-teleport-firestore-storage-collection
auditLogTable: test-teleport-firestore-auditlog-collection
sessionRecordingBucket: test-gcp-session-storage-bucket
highAvailability:
replicaCount: 3
certManager:
enabled: true
issuerName: letsencrypt-production
labels:
env: gcp


@ -1,12 +0,0 @@
clusterName: test-gcp-cluster
chartMode: gcp
gcp:
projectId: gcpproj-123456
backendTable: test-teleport-firestore-storage-collection
auditLogTable: test-teleport-firestore-auditlog-collection
sessionRecordingBucket: test-gcp-session-storage-bucket
highAvailability:
replicaCount: 3
requireAntiAffinity: true
labels:
env: gcp


@ -1,17 +0,0 @@
clusterName: test-gcp-cluster
chartMode: gcp
log:
level: DEBUG
gcp:
projectId: gcpproj-123456
backendTable: test-teleport-firestore-storage-collection
auditLogTable: test-teleport-firestore-auditlog-collection
auditLogMirrorOnStdout: true
sessionRecordingBucket: test-gcp-session-storage-bucket
highAvailability:
replicaCount: 3
certManager:
enabled: true
issuerName: letsencrypt-production
labels:
env: gcp


@ -1,12 +0,0 @@
clusterName: test-gcp-cluster
chartMode: gcp
gcp:
projectId: gcpproj-123456
backendTable: test-teleport-firestore-storage-collection
auditLogTable: test-teleport-firestore-auditlog-collection
sessionRecordingBucket: test-gcp-session-storage-bucket
credentialSecretName: ""
highAvailability:
replicaCount: 3
labels:
env: gcp


@ -1,11 +0,0 @@
clusterName: test-gcp-cluster
chartMode: gcp
gcp:
projectId: gcpproj-123456
backendTable: test-teleport-firestore-storage-collection
auditLogTable: test-teleport-firestore-auditlog-collection
sessionRecordingBucket: test-gcp-session-storage-bucket
highAvailability:
replicaCount: 3
labels:
env: gcp


@ -1,11 +0,0 @@
clusterName: test-gcp-cluster
chartMode: gcp
gcp:
projectId: gcpproj-123456
backendTable: test-teleport-firestore-storage-collection
auditLogTable: test-teleport-firestore-auditlog-collection
sessionRecordingBucket: test-gcp-session-storage-bucket
acme: true
acmeEmail: test@email.com
labels:
env: gcp


@ -1,4 +0,0 @@
clusterName: test-standalone-cluster
chartMode: standalone
imagePullSecrets:
- name: myRegistryKeySecretName


@ -1,8 +0,0 @@
clusterName: teleport.example.com
publicAddr: ["my-teleport-ingress.example.com:443"]
ingress:
enabled: true
suppressAutomaticWildcards: true
proxyListenerMode: multiplex
service:
type: ClusterIP


@ -1,6 +0,0 @@
clusterName: teleport.example.com
ingress:
enabled: true
proxyListenerMode: multiplex
service:
type: ClusterIP


@ -1,8 +0,0 @@
clusterName: helm-lint
initContainers:
- name: "teleport-init"
image: "alpine"
args: ["echo test"]
- name: "teleport-init2"
image: "alpine"
args: ["echo test2"]


@ -1,2 +0,0 @@
clusterName: test-aws-cluster
kubeClusterName: test-kube-cluster


@ -1,4 +0,0 @@
clusterName: test-log-cluster
log:
format: json
level: INFO


@ -1,6 +0,0 @@
clusterName: test-log-cluster
log:
format: json
level: DEBUG
output: /var/lib/teleport/test.log
extraFields: ["level", "timestamp", "component", "caller"]


@ -1,2 +0,0 @@
clusterName: test-log-cluster
logLevel: DEBUG
