diff --git a/teleport-cluster-16.0.4/.lint/acme-off.yaml b/teleport-cluster-16.4.6/.lint/acme-off.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/acme-off.yaml
rename to teleport-cluster-16.4.6/.lint/acme-off.yaml
diff --git a/teleport-cluster-16.0.4/.lint/acme-on.yaml b/teleport-cluster-16.4.6/.lint/acme-on.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/acme-on.yaml
rename to teleport-cluster-16.4.6/.lint/acme-on.yaml
diff --git a/teleport-cluster-16.0.4/.lint/acme-uri-staging.yaml b/teleport-cluster-16.4.6/.lint/acme-uri-staging.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/acme-uri-staging.yaml
rename to teleport-cluster-16.4.6/.lint/acme-uri-staging.yaml
diff --git a/teleport-cluster-16.0.4/.lint/affinity.yaml b/teleport-cluster-16.4.6/.lint/affinity.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/affinity.yaml
rename to teleport-cluster-16.4.6/.lint/affinity.yaml
diff --git a/teleport-cluster-16.0.4/.lint/annotations.yaml b/teleport-cluster-16.4.6/.lint/annotations.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/annotations.yaml
rename to teleport-cluster-16.4.6/.lint/annotations.yaml
diff --git a/teleport-cluster-16.0.4/.lint/auth-connector-name.yaml b/teleport-cluster-16.4.6/.lint/auth-connector-name.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/auth-connector-name.yaml
rename to teleport-cluster-16.4.6/.lint/auth-connector-name.yaml
diff --git a/teleport-cluster-16.0.4/.lint/auth-disable-local.yaml b/teleport-cluster-16.4.6/.lint/auth-disable-local.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/auth-disable-local.yaml
rename to teleport-cluster-16.4.6/.lint/auth-disable-local.yaml
diff --git a/teleport-cluster-16.0.4/.lint/auth-disable-passwordless.yaml b/teleport-cluster-16.4.6/.lint/auth-disable-passwordless.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/auth-disable-passwordless.yaml
rename to teleport-cluster-16.4.6/.lint/auth-disable-passwordless.yaml
diff --git a/teleport-cluster-16.0.4/.lint/auth-locking-mode.yaml b/teleport-cluster-16.4.6/.lint/auth-locking-mode.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/auth-locking-mode.yaml
rename to teleport-cluster-16.4.6/.lint/auth-locking-mode.yaml
diff --git a/teleport-cluster-16.0.4/.lint/auth-passwordless.yaml b/teleport-cluster-16.4.6/.lint/auth-passwordless.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/auth-passwordless.yaml
rename to teleport-cluster-16.4.6/.lint/auth-passwordless.yaml
diff --git a/teleport-cluster-16.0.4/.lint/auth-type-legacy.yaml b/teleport-cluster-16.4.6/.lint/auth-type-legacy.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/auth-type-legacy.yaml
rename to teleport-cluster-16.4.6/.lint/auth-type-legacy.yaml
diff --git a/teleport-cluster-16.0.4/.lint/auth-type.yaml b/teleport-cluster-16.4.6/.lint/auth-type.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/auth-type.yaml
rename to teleport-cluster-16.4.6/.lint/auth-type.yaml
diff --git a/teleport-cluster-16.0.4/.lint/auth-webauthn-legacy.yaml b/teleport-cluster-16.4.6/.lint/auth-webauthn-legacy.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/auth-webauthn-legacy.yaml
rename to teleport-cluster-16.4.6/.lint/auth-webauthn-legacy.yaml
diff --git a/teleport-cluster-16.0.4/.lint/auth-webauthn.yaml b/teleport-cluster-16.4.6/.lint/auth-webauthn.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/auth-webauthn.yaml
rename to teleport-cluster-16.4.6/.lint/auth-webauthn.yaml
diff --git a/teleport-cluster-16.0.4/.lint/aws-access-monitoring.yaml b/teleport-cluster-16.4.6/.lint/aws-access-monitoring.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/aws-access-monitoring.yaml
rename to teleport-cluster-16.4.6/.lint/aws-access-monitoring.yaml
diff --git a/teleport-cluster-16.0.4/.lint/aws-dynamodb-autoscaling.yaml b/teleport-cluster-16.4.6/.lint/aws-dynamodb-autoscaling.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/aws-dynamodb-autoscaling.yaml
rename to teleport-cluster-16.4.6/.lint/aws-dynamodb-autoscaling.yaml
diff --git a/teleport-cluster-16.0.4/.lint/aws-ha-acme.yaml b/teleport-cluster-16.4.6/.lint/aws-ha-acme.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/aws-ha-acme.yaml
rename to teleport-cluster-16.4.6/.lint/aws-ha-acme.yaml
diff --git a/teleport-cluster-16.0.4/.lint/aws-ha-antiaffinity.yaml b/teleport-cluster-16.4.6/.lint/aws-ha-antiaffinity.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/aws-ha-antiaffinity.yaml
rename to teleport-cluster-16.4.6/.lint/aws-ha-antiaffinity.yaml
diff --git a/teleport-cluster-16.0.4/.lint/aws-ha-log.yaml b/teleport-cluster-16.4.6/.lint/aws-ha-log.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/aws-ha-log.yaml
rename to teleport-cluster-16.4.6/.lint/aws-ha-log.yaml
diff --git a/teleport-cluster-16.0.4/.lint/aws-ha.yaml b/teleport-cluster-16.4.6/.lint/aws-ha.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/aws-ha.yaml
rename to teleport-cluster-16.4.6/.lint/aws-ha.yaml
diff --git a/teleport-cluster-16.0.4/.lint/aws.yaml b/teleport-cluster-16.4.6/.lint/aws.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/aws.yaml
rename to teleport-cluster-16.4.6/.lint/aws.yaml
diff --git a/teleport-cluster-16.0.4/.lint/azure.yaml b/teleport-cluster-16.4.6/.lint/azure.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/azure.yaml
rename to teleport-cluster-16.4.6/.lint/azure.yaml
diff --git a/teleport-cluster-16.0.4/.lint/cert-manager.yaml b/teleport-cluster-16.4.6/.lint/cert-manager.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/cert-manager.yaml
rename to teleport-cluster-16.4.6/.lint/cert-manager.yaml
diff --git a/teleport-cluster-16.0.4/.lint/cert-secret.yaml b/teleport-cluster-16.4.6/.lint/cert-secret.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/cert-secret.yaml
rename to teleport-cluster-16.4.6/.lint/cert-secret.yaml
diff --git a/teleport-cluster-16.0.4/.lint/example-minimal-standalone.yaml b/teleport-cluster-16.4.6/.lint/example-minimal-standalone.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/example-minimal-standalone.yaml
rename to teleport-cluster-16.4.6/.lint/example-minimal-standalone.yaml
diff --git a/teleport-cluster-16.0.4/.lint/existing-tls-secret-with-ca.yaml b/teleport-cluster-16.4.6/.lint/existing-tls-secret-with-ca.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/existing-tls-secret-with-ca.yaml
rename to teleport-cluster-16.4.6/.lint/existing-tls-secret-with-ca.yaml
diff --git a/teleport-cluster-16.0.4/.lint/existing-tls-secret.yaml b/teleport-cluster-16.4.6/.lint/existing-tls-secret.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/existing-tls-secret.yaml
rename to teleport-cluster-16.4.6/.lint/existing-tls-secret.yaml
diff --git a/teleport-cluster-16.0.4/.lint/extra-containers.yaml b/teleport-cluster-16.4.6/.lint/extra-containers.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/extra-containers.yaml
rename to teleport-cluster-16.4.6/.lint/extra-containers.yaml
diff --git a/teleport-cluster-16.0.4/.lint/extra-env.yaml b/teleport-cluster-16.4.6/.lint/extra-env.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/extra-env.yaml
rename to teleport-cluster-16.4.6/.lint/extra-env.yaml
diff --git a/teleport-cluster-16.0.4/.lint/gcp-ha-acme.yaml b/teleport-cluster-16.4.6/.lint/gcp-ha-acme.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/gcp-ha-acme.yaml
rename to teleport-cluster-16.4.6/.lint/gcp-ha-acme.yaml
diff --git a/teleport-cluster-16.0.4/.lint/gcp-ha-antiaffinity.yaml b/teleport-cluster-16.4.6/.lint/gcp-ha-antiaffinity.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/gcp-ha-antiaffinity.yaml
rename to teleport-cluster-16.4.6/.lint/gcp-ha-antiaffinity.yaml
diff --git a/teleport-cluster-16.0.4/.lint/gcp-ha-log.yaml b/teleport-cluster-16.4.6/.lint/gcp-ha-log.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/gcp-ha-log.yaml
rename to teleport-cluster-16.4.6/.lint/gcp-ha-log.yaml
diff --git a/teleport-cluster-16.0.4/.lint/gcp-ha-workload.yaml b/teleport-cluster-16.4.6/.lint/gcp-ha-workload.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/gcp-ha-workload.yaml
rename to teleport-cluster-16.4.6/.lint/gcp-ha-workload.yaml
diff --git a/teleport-cluster-16.0.4/.lint/gcp-ha.yaml b/teleport-cluster-16.4.6/.lint/gcp-ha.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/gcp-ha.yaml
rename to teleport-cluster-16.4.6/.lint/gcp-ha.yaml
diff --git a/teleport-cluster-16.0.4/.lint/gcp.yaml b/teleport-cluster-16.4.6/.lint/gcp.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/gcp.yaml
rename to teleport-cluster-16.4.6/.lint/gcp.yaml
diff --git a/teleport-cluster-16.0.4/.lint/imagepullsecrets.yaml b/teleport-cluster-16.4.6/.lint/imagepullsecrets.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/imagepullsecrets.yaml
rename to teleport-cluster-16.4.6/.lint/imagepullsecrets.yaml
diff --git a/teleport-cluster-16.0.4/.lint/ingress-publicaddr.yaml b/teleport-cluster-16.4.6/.lint/ingress-publicaddr.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/ingress-publicaddr.yaml
rename to teleport-cluster-16.4.6/.lint/ingress-publicaddr.yaml
diff --git a/teleport-cluster-16.0.4/.lint/ingress.yaml b/teleport-cluster-16.4.6/.lint/ingress.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/ingress.yaml
rename to teleport-cluster-16.4.6/.lint/ingress.yaml
diff --git a/teleport-cluster-16.0.4/.lint/initcontainers.yaml b/teleport-cluster-16.4.6/.lint/initcontainers.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/initcontainers.yaml
rename to teleport-cluster-16.4.6/.lint/initcontainers.yaml
diff --git a/teleport-cluster-16.0.4/.lint/kube-cluster-name.yaml b/teleport-cluster-16.4.6/.lint/kube-cluster-name.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/kube-cluster-name.yaml
rename to teleport-cluster-16.4.6/.lint/kube-cluster-name.yaml
diff --git a/teleport-cluster-16.0.4/.lint/log-basic.yaml b/teleport-cluster-16.4.6/.lint/log-basic.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/log-basic.yaml
rename to teleport-cluster-16.4.6/.lint/log-basic.yaml
diff --git a/teleport-cluster-16.0.4/.lint/log-extra.yaml b/teleport-cluster-16.4.6/.lint/log-extra.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/log-extra.yaml
rename to teleport-cluster-16.4.6/.lint/log-extra.yaml
diff --git a/teleport-cluster-16.0.4/.lint/log-legacy.yaml b/teleport-cluster-16.4.6/.lint/log-legacy.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/log-legacy.yaml
rename to teleport-cluster-16.4.6/.lint/log-legacy.yaml
diff --git a/teleport-cluster-16.0.4/.lint/node-selector.yaml b/teleport-cluster-16.4.6/.lint/node-selector.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/node-selector.yaml
rename to teleport-cluster-16.4.6/.lint/node-selector.yaml
diff --git a/teleport-cluster-16.0.4/.lint/operator.yaml b/teleport-cluster-16.4.6/.lint/operator.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/operator.yaml
rename to teleport-cluster-16.4.6/.lint/operator.yaml
diff --git a/teleport-cluster-16.0.4/.lint/pdb.yaml b/teleport-cluster-16.4.6/.lint/pdb.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/pdb.yaml
rename to teleport-cluster-16.4.6/.lint/pdb.yaml
diff --git a/teleport-cluster-16.0.4/.lint/persistence-legacy.yaml b/teleport-cluster-16.4.6/.lint/persistence-legacy.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/persistence-legacy.yaml
rename to teleport-cluster-16.4.6/.lint/persistence-legacy.yaml
diff --git a/teleport-cluster-16.0.4/.lint/pod-security-context-empty.yaml b/teleport-cluster-16.4.6/.lint/pod-security-context-empty.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/pod-security-context-empty.yaml
rename to teleport-cluster-16.4.6/.lint/pod-security-context-empty.yaml
diff --git a/teleport-cluster-16.0.4/.lint/pod-security-context.yaml b/teleport-cluster-16.4.6/.lint/pod-security-context.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/pod-security-context.yaml
rename to teleport-cluster-16.4.6/.lint/pod-security-context.yaml
diff --git a/teleport-cluster-16.0.4/.lint/podmonitor.yaml b/teleport-cluster-16.4.6/.lint/podmonitor.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/podmonitor.yaml
rename to teleport-cluster-16.4.6/.lint/podmonitor.yaml
diff --git a/teleport-cluster-16.0.4/.lint/priority-class-name.yaml b/teleport-cluster-16.4.6/.lint/priority-class-name.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/priority-class-name.yaml
rename to teleport-cluster-16.4.6/.lint/priority-class-name.yaml
diff --git a/teleport-cluster-16.0.4/.lint/probe-timeout-seconds.yaml b/teleport-cluster-16.4.6/.lint/probe-timeout-seconds.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/probe-timeout-seconds.yaml
rename to teleport-cluster-16.4.6/.lint/probe-timeout-seconds.yaml
diff --git a/teleport-cluster-16.0.4/.lint/proxy-listener-mode-multiplex.yaml b/teleport-cluster-16.4.6/.lint/proxy-listener-mode-multiplex.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/proxy-listener-mode-multiplex.yaml
rename to teleport-cluster-16.4.6/.lint/proxy-listener-mode-multiplex.yaml
diff --git a/teleport-cluster-16.0.4/.lint/proxy-listener-mode-separate.yaml b/teleport-cluster-16.4.6/.lint/proxy-listener-mode-separate.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/proxy-listener-mode-separate.yaml
rename to teleport-cluster-16.4.6/.lint/proxy-listener-mode-separate.yaml
diff --git a/teleport-cluster-16.0.4/.lint/public-addresses.yaml b/teleport-cluster-16.4.6/.lint/public-addresses.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/public-addresses.yaml
rename to teleport-cluster-16.4.6/.lint/public-addresses.yaml
diff --git a/teleport-cluster-16.0.4/.lint/resources.yaml b/teleport-cluster-16.4.6/.lint/resources.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/resources.yaml
rename to teleport-cluster-16.4.6/.lint/resources.yaml
diff --git a/teleport-cluster-16.0.4/.lint/security-context-empty.yaml b/teleport-cluster-16.4.6/.lint/security-context-empty.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/security-context-empty.yaml
rename to teleport-cluster-16.4.6/.lint/security-context-empty.yaml
diff --git a/teleport-cluster-16.0.4/.lint/security-context.yaml b/teleport-cluster-16.4.6/.lint/security-context.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/security-context.yaml
rename to teleport-cluster-16.4.6/.lint/security-context.yaml
diff --git a/teleport-cluster-16.0.4/.lint/separate-mongo-listener.yaml b/teleport-cluster-16.4.6/.lint/separate-mongo-listener.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/separate-mongo-listener.yaml
rename to teleport-cluster-16.4.6/.lint/separate-mongo-listener.yaml
diff --git a/teleport-cluster-16.0.4/.lint/separate-postgres-listener.yaml b/teleport-cluster-16.4.6/.lint/separate-postgres-listener.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/separate-postgres-listener.yaml
rename to teleport-cluster-16.4.6/.lint/separate-postgres-listener.yaml
diff --git a/teleport-cluster-16.0.4/.lint/service-account.yaml b/teleport-cluster-16.4.6/.lint/service-account.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/service-account.yaml
rename to teleport-cluster-16.4.6/.lint/service-account.yaml
diff --git a/teleport-cluster-16.0.4/.lint/service.yaml b/teleport-cluster-16.4.6/.lint/service.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/service.yaml
rename to teleport-cluster-16.4.6/.lint/service.yaml
diff --git a/teleport-cluster-16.0.4/.lint/session-recording-off.yaml b/teleport-cluster-16.4.6/.lint/session-recording-off.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/session-recording-off.yaml
rename to teleport-cluster-16.4.6/.lint/session-recording-off.yaml
diff --git a/teleport-cluster-16.0.4/.lint/session-recording.yaml b/teleport-cluster-16.4.6/.lint/session-recording.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/session-recording.yaml
rename to teleport-cluster-16.4.6/.lint/session-recording.yaml
diff --git a/teleport-cluster-16.0.4/.lint/standalone-custom-storage-class.yaml b/teleport-cluster-16.4.6/.lint/standalone-custom-storage-class.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/standalone-custom-storage-class.yaml
rename to teleport-cluster-16.4.6/.lint/standalone-custom-storage-class.yaml
diff --git a/teleport-cluster-16.0.4/.lint/standalone-customsize.yaml b/teleport-cluster-16.4.6/.lint/standalone-customsize.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/standalone-customsize.yaml
rename to teleport-cluster-16.4.6/.lint/standalone-customsize.yaml
diff --git a/teleport-cluster-16.0.4/.lint/standalone-existingpvc.yaml b/teleport-cluster-16.4.6/.lint/standalone-existingpvc.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/standalone-existingpvc.yaml
rename to teleport-cluster-16.4.6/.lint/standalone-existingpvc.yaml
diff --git a/teleport-cluster-16.0.4/.lint/tolerations.yaml b/teleport-cluster-16.4.6/.lint/tolerations.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/tolerations.yaml
rename to teleport-cluster-16.4.6/.lint/tolerations.yaml
diff --git a/teleport-cluster-16.0.4/.lint/version-override.yaml b/teleport-cluster-16.4.6/.lint/version-override.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/version-override.yaml
rename to teleport-cluster-16.4.6/.lint/version-override.yaml
diff --git a/teleport-cluster-16.0.4/.lint/volumes.yaml b/teleport-cluster-16.4.6/.lint/volumes.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/.lint/volumes.yaml
rename to teleport-cluster-16.4.6/.lint/volumes.yaml
diff --git a/teleport-cluster-16.0.4/Chart.yaml b/teleport-cluster-16.4.6/Chart.yaml
similarity index 83%
rename from teleport-cluster-16.0.4/Chart.yaml
rename to teleport-cluster-16.4.6/Chart.yaml
index 51b290f..93b012b 100644
--- a/teleport-cluster-16.0.4/Chart.yaml
+++ b/teleport-cluster-16.4.6/Chart.yaml
@@ -1,13 +1,13 @@ apiVersion: v2 -appVersion: 16.0.4 +appVersion: 16.4.6 dependencies: - alias: operator name: teleport-operator repository: "" - version: 16.0.4 + version: 16.4.6 description: Teleport is an access platform for your infrastructure icon: https://goteleport.com/static/teleport-symbol-bimi.svg keywords: - Teleport name: teleport-cluster -version: 16.0.4 +version: 16.4.6 diff --git a/teleport-cluster-16.0.4/README.md b/teleport-cluster-16.4.6/README.md similarity index 78% rename from teleport-cluster-16.0.4/README.md rename to teleport-cluster-16.4.6/README.md index b239357..a198737 100644 --- a/teleport-cluster-16.0.4/README.md +++ b/teleport-cluster-16.4.6/README.md 
@@ -37,15 +37,16 @@ or by installing [cert-manager](https://cert-manager.io/docs/) and setting the ` ### Replicated setup guides -- [Running an HA Teleport cluster in Kubernetes using an AWS EKS Cluster](https://goteleport.com/docs/deploy-a-cluster/helm-deployments/aws/) -- [Running an HA Teleport cluster in Kubernetes using a Google Cloud GKE cluster](https://goteleport.com/docs/deploy-a-cluster/helm-deployments/gcp/) -- [Running a Teleport cluster in Kubernetes with a custom Teleport config](https://goteleport.com/docs/deploy-a-cluster/helm-deployments/custom/) +- [Running an HA Teleport cluster in Kubernetes using an AWS EKS Cluster](https://goteleport.com/docs/admin-guides/deploy-a-cluster/helm-deployments/aws/) +- [Running an HA Teleport cluster in Kubernetes using an Google Cloud GKE cluster](https://goteleport.com/docs/admin-guides/deploy-a-cluster/helm-deployments/gcp/) +- [Running an HA Teleport cluster in Kubernetes using an Azure AKS cluster](https://goteleport.com/docs/admin-guides/deploy-a-cluster/helm-deployments/azure/) +- [Running a Teleport cluster in Kubernetes with a custom Teleport config](https://goteleport.com/docs/admin-guides/deploy-a-cluster/helm-deployments/custom/) ### Creating first user The first user can be created by executing a command in one of the auth pods. -```shell +```code kubectl exec it -n teleport-cluster statefulset/teleport-cluster-auth -- tctl users add my-username --roles=editor,auditor,access ``` @@ -59,7 +60,7 @@ helm uninstall --namespace teleport-cluster teleport-cluster ## Documentation -See https://goteleport.com/docs/kubernetes-access/helm/guides/ for guides on setting up HA Teleport clusters +See https://goteleport.com/docs/admin-guides/deploy-a-cluster/helm-deployments/ for guides on setting up HA Teleport clusters in EKS or GKE, plus a comprehensive chart reference. ## Contributing to the chart 
diff --git a/teleport-cluster-16.0.4/charts/teleport-operator/.lint/annotations.yaml b/teleport-cluster-16.4.6/charts/teleport-operator/.lint/annotations.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/charts/teleport-operator/.lint/annotations.yaml
rename to teleport-cluster-16.4.6/charts/teleport-operator/.lint/annotations.yaml
diff --git a/teleport-cluster-16.0.4/charts/teleport-operator/.lint/cloud-join.yaml b/teleport-cluster-16.4.6/charts/teleport-operator/.lint/cloud-join.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/charts/teleport-operator/.lint/cloud-join.yaml
rename to teleport-cluster-16.4.6/charts/teleport-operator/.lint/cloud-join.yaml
diff --git a/teleport-cluster-16.0.4/charts/teleport-operator/.lint/disabled.yaml b/teleport-cluster-16.4.6/charts/teleport-operator/.lint/disabled.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/charts/teleport-operator/.lint/disabled.yaml
rename to teleport-cluster-16.4.6/charts/teleport-operator/.lint/disabled.yaml
diff --git a/teleport-cluster-16.0.4/charts/teleport-operator/.lint/existing-tls-ca.yaml b/teleport-cluster-16.4.6/charts/teleport-operator/.lint/existing-tls-ca.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/charts/teleport-operator/.lint/existing-tls-ca.yaml
rename to teleport-cluster-16.4.6/charts/teleport-operator/.lint/existing-tls-ca.yaml
diff --git a/teleport-cluster-16.0.4/charts/teleport-operator/.lint/non-kubernetes-joining.yaml b/teleport-cluster-16.4.6/charts/teleport-operator/.lint/non-kubernetes-joining.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/charts/teleport-operator/.lint/non-kubernetes-joining.yaml
rename to teleport-cluster-16.4.6/charts/teleport-operator/.lint/non-kubernetes-joining.yaml
diff --git a/teleport-cluster-16.0.4/charts/teleport-operator/.lint/resources.yaml b/teleport-cluster-16.4.6/charts/teleport-operator/.lint/resources.yaml similarity index 100% rename from teleport-cluster-16.0.4/charts/teleport-operator/.lint/resources.yaml rename to teleport-cluster-16.4.6/charts/teleport-operator/.lint/resources.yaml diff --git a/teleport-cluster-16.0.4/charts/teleport-operator/Chart.yaml b/teleport-cluster-16.4.6/charts/teleport-operator/Chart.yaml similarity index 85% rename from teleport-cluster-16.0.4/charts/teleport-operator/Chart.yaml rename to teleport-cluster-16.4.6/charts/teleport-operator/Chart.yaml index b407a5f..62540f2 100644 --- a/teleport-cluster-16.0.4/charts/teleport-operator/Chart.yaml +++ b/teleport-cluster-16.4.6/charts/teleport-operator/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: 16.0.4 +appVersion: 16.4.6 description: Teleport Operator provides management of select Teleport resources. icon: https://goteleport.com/static/teleport-symbol-bimi.svg keywords: - Teleport name: teleport-operator -version: 16.0.4 +version: 16.4.6 diff --git a/teleport-cluster-16.0.4/charts/teleport-operator/README.md b/teleport-cluster-16.4.6/charts/teleport-operator/README.md similarity index 99% rename from teleport-cluster-16.0.4/charts/teleport-operator/README.md rename to teleport-cluster-16.4.6/charts/teleport-operator/README.md index d0b87ed..8755e8c 100644 --- a/teleport-cluster-16.0.4/charts/teleport-operator/README.md +++ b/teleport-cluster-16.4.6/charts/teleport-operator/README.md @@ -13,7 +13,7 @@ operator version is deployed, use the `--version` Helm flag. The chart can be deployed in two ways: - in standalone mode by running - ```shell + ```code helm install teleport/teleport-operator teleport-operator --set authAddr=teleport.example.com:443 --set token=my-operator-token ``` See [the standalone guide](https://goteleport.com/docs/management/dynamic-resources/teleport-operator-standalone/) for more details. 
diff --git a/teleport-cluster-16.0.4/charts/teleport-operator/operator-crds/resources.teleport.dev_accesslists.yaml b/teleport-cluster-16.4.6/charts/teleport-operator/operator-crds/resources.teleport.dev_accesslists.yaml similarity index 94% rename from teleport-cluster-16.0.4/charts/teleport-operator/operator-crds/resources.teleport.dev_accesslists.yaml rename to teleport-cluster-16.4.6/charts/teleport-operator/operator-crds/resources.teleport.dev_accesslists.yaml index f73fc63..60c0a57 100644 --- a/teleport-cluster-16.0.4/charts/teleport-operator/operator-crds/resources.teleport.dev_accesslists.yaml +++ b/teleport-cluster-16.4.6/charts/teleport-operator/operator-crds/resources.teleport.dev_accesslists.yaml @@ -36,7 +36,7 @@ spec: description: AccessList resource definition v1 from Teleport properties: audit: - description: audit describes the frequency that this access list must + description: audit describes the frequency that this Access List must be audited. nullable: true properties: @@ -74,16 +74,16 @@ spec: type: object description: description: description is an optional plaintext description of the - access list. + Access List. type: string grants: description: grants describes the access granted by membership to - this access list. + this Access List. nullable: true properties: roles: description: roles are the roles that are granted to users who - are members of the access list. + are members of the Access List. items: type: string nullable: true 
@@ -94,13 +94,13 @@ spec: type: string type: array description: traits are the traits that are granted to users who - are members of the access list. + are members of the Access List. type: object type: object membership_requires: description: membership_requires describes the requirements for a - user to be a member of the access list. For a membership to an access - list to be effective, the user must meet the requirements of Membership_requires + user to be a member of the Access List. For a membership to an Access + List to be effective, the user must meet the requirements of Membership_requires and must be in the members list. nullable: true properties: @@ -122,12 +122,12 @@ spec: type: object owner_grants: description: owner_grants describes the access granted by owners to - this access list. + this Access List. nullable: true properties: roles: description: roles are the roles that are granted to users who - are members of the access list. + are members of the Access List. items: type: string nullable: true @@ -138,11 +138,11 @@ spec: type: string type: array description: traits are the traits that are granted to users who - are members of the access list. + are members of the Access List. type: object type: object owners: - description: owners is a list of owners of the access list. + description: owners is a list of owners of the Access List. items: properties: description: @@ -161,7 +161,7 @@ spec: type: array ownership_requires: description: ownership_requires describes the requirements for a user - to be an owner of the access list. For ownership of an access list + to be an owner of the Access List. For ownership of an Access List to be effective, the user must meet the requirements of ownership_requires and must be in the owners list. nullable: true 
@@ -183,8 +183,8 @@ spec: type: object type: object title: - description: title is a plaintext short description of the access - list. + description: title is a plaintext short description of the Access + List. type: string type: object status: diff --git a/teleport-cluster-16.0.4/charts/teleport-operator/operator-crds/resources.teleport.dev_githubconnectors.yaml b/teleport-cluster-16.4.6/charts/teleport-operator/operator-crds/resources.teleport.dev_githubconnectors.yaml similarity index 95% rename from teleport-cluster-16.0.4/charts/teleport-operator/operator-crds/resources.teleport.dev_githubconnectors.yaml rename to teleport-cluster-16.4.6/charts/teleport-operator/operator-crds/resources.teleport.dev_githubconnectors.yaml index 78f55c6..be8404b 100644 --- a/teleport-cluster-16.0.4/charts/teleport-operator/operator-crds/resources.teleport.dev_githubconnectors.yaml +++ b/teleport-cluster-16.4.6/charts/teleport-operator/operator-crds/resources.teleport.dev_githubconnectors.yaml @@ -55,9 +55,18 @@ spec: type: string nullable: true type: array + insecure_allowed_cidr_ranges: + description: a list of CIDRs allowed for HTTP or HTTPS client + redirect URLs + items: + type: string + nullable: true + type: array type: object client_secret: - description: ClientSecret is the Github OAuth app client secret. + description: ClientSecret is the Github OAuth app client secret. This + field supports secret lookup. See the operator documentation for + more details. type: string display: description: Display is the connector display name. 
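Review bot: The new `insecure_allowed_cidr_ranges` field added under the GitHub connector's client redirect settings carries an `insecure_` prefix, but its description gives no hint of the consequence, and the items schema is a bare `type: string`, so a mistyped or over-broad range passes CRD validation and (if the name is accurate) silently widens the set of redirect targets the connector will accept after OAuth login. I would make the risk explicit in the description, e.g. `description: a list of CIDRs allowed for HTTP or HTTPS client redirect URLs. Entries here widen the redirect allow-list beyond the default; keep ranges narrow and review changes to this field.`, and consider a `pattern:` on the items so malformed entries are rejected at admission rather than at reconcile time. The same field with the same description is added in the oidcconnectors CRD hunk further down, so the wording should be fixed in both generated schemas at their source. The expanded `client_secret` description is an improvement; it could additionally note that an inline value stays readable to anyone with read access to the custom resource, which is the practical reason to prefer the secret lookup it now mentions.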
diff --git a/teleport-cluster-16.0.4/charts/teleport-operator/operator-crds/resources.teleport.dev_loginrules.yaml b/teleport-cluster-16.4.6/charts/teleport-operator/operator-crds/resources.teleport.dev_loginrules.yaml similarity index 100% rename from teleport-cluster-16.0.4/charts/teleport-operator/operator-crds/resources.teleport.dev_loginrules.yaml rename to teleport-cluster-16.4.6/charts/teleport-operator/operator-crds/resources.teleport.dev_loginrules.yaml diff --git a/teleport-cluster-16.0.4/charts/teleport-operator/operator-crds/resources.teleport.dev_oidcconnectors.yaml b/teleport-cluster-16.4.6/charts/teleport-operator/operator-crds/resources.teleport.dev_oidcconnectors.yaml similarity index 95% rename from teleport-cluster-16.0.4/charts/teleport-operator/operator-crds/resources.teleport.dev_oidcconnectors.yaml rename to teleport-cluster-16.4.6/charts/teleport-operator/operator-crds/resources.teleport.dev_oidcconnectors.yaml index aa3486d..7175f92 100644 --- a/teleport-cluster-16.0.4/charts/teleport-operator/operator-crds/resources.teleport.dev_oidcconnectors.yaml +++ b/teleport-cluster-16.4.6/charts/teleport-operator/operator-crds/resources.teleport.dev_oidcconnectors.yaml @@ -65,7 +65,7 @@ spec: type: array client_id: description: ClientID is the id of the authentication client (Teleport - Auth server). + Auth Service). type: string client_redirect_settings: description: ClientRedirectSettings defines which client redirect 
@@ -80,9 +80,18 @@ spec: type: string nullable: true type: array + insecure_allowed_cidr_ranges: + description: a list of CIDRs allowed for HTTP or HTTPS client + redirect URLs + items: + type: string + nullable: true + type: array type: object client_secret: - description: ClientSecret is used to authenticate the client. + description: ClientSecret is used to authenticate the client. This + field supports secret lookup. See the operator documentation for + more details. type: string display: description: Display is the friendly name for this provider. diff --git a/teleport-cluster-16.0.4/charts/teleport-operator/operator-crds/resources.teleport.dev_oktaimportrules.yaml b/teleport-cluster-16.4.6/charts/teleport-operator/operator-crds/resources.teleport.dev_oktaimportrules.yaml similarity index 100% rename from teleport-cluster-16.0.4/charts/teleport-operator/operator-crds/resources.teleport.dev_oktaimportrules.yaml rename to teleport-cluster-16.4.6/charts/teleport-operator/operator-crds/resources.teleport.dev_oktaimportrules.yaml diff --git a/teleport-cluster-16.0.4/charts/teleport-operator/operator-crds/resources.teleport.dev_openssheiceserversv2.yaml b/teleport-cluster-16.4.6/charts/teleport-operator/operator-crds/resources.teleport.dev_openssheiceserversv2.yaml similarity index 100% rename from teleport-cluster-16.0.4/charts/teleport-operator/operator-crds/resources.teleport.dev_openssheiceserversv2.yaml rename to teleport-cluster-16.4.6/charts/teleport-operator/operator-crds/resources.teleport.dev_openssheiceserversv2.yaml 
diff --git a/teleport-cluster-16.0.4/charts/teleport-operator/operator-crds/resources.teleport.dev_opensshserversv2.yaml b/teleport-cluster-16.4.6/charts/teleport-operator/operator-crds/resources.teleport.dev_opensshserversv2.yaml similarity index 100% rename from teleport-cluster-16.0.4/charts/teleport-operator/operator-crds/resources.teleport.dev_opensshserversv2.yaml rename to teleport-cluster-16.4.6/charts/teleport-operator/operator-crds/resources.teleport.dev_opensshserversv2.yaml diff --git a/teleport-cluster-16.0.4/charts/teleport-operator/operator-crds/resources.teleport.dev_provisiontokens.yaml b/teleport-cluster-16.4.6/charts/teleport-operator/operator-crds/resources.teleport.dev_provisiontokens.yaml similarity index 88% rename from teleport-cluster-16.0.4/charts/teleport-operator/operator-crds/resources.teleport.dev_provisiontokens.yaml rename to teleport-cluster-16.4.6/charts/teleport-operator/operator-crds/resources.teleport.dev_provisiontokens.yaml index edd501d..e0c410c 100644 --- a/teleport-cluster-16.0.4/charts/teleport-operator/operator-crds/resources.teleport.dev_provisiontokens.yaml +++ b/teleport-cluster-16.4.6/charts/teleport-operator/operator-crds/resources.teleport.dev_provisiontokens.yaml @@ -70,8 +70,8 @@ spec: type: array aws_role: description: AWSRole is used for the EC2 join method and is - the ARN of the AWS role that the auth server will assume in - order to call the ec2 API. + the ARN of the AWS role that the Auth Service will assume + in order to call the ec2 API. type: string type: object nullable: true @@ -192,7 +192,7 @@ spec: against host. This value should be the hostname of the GHES instance, and should not include the scheme or a path. The instance must be accessible over HTTPS at this hostname and the certificate - must be trusted by the Auth Server. + must be trusted by the Auth Service. type: string enterprise_slug: description: EnterpriseSlug allows the slug of a GitHub Enterprise 
@@ -257,9 +257,9 @@ spec: type: string type: object join_method: - description: JoinMethod is the joining method required in order to - use this token. Supported joining methods include "token", "ec2", - and "iam". + description: 'JoinMethod is the joining method required in order to + use this token. Supported joining methods include: azure, circleci, + ec2, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm' type: string kubernetes: description: Kubernetes allows the configuration of options specific 
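Review bot: The rewritten `join_method` description enumerates the supported methods as azure through tpm, but the `terraform_cloud` block added further down in this same file (the `@@ -341` hunk) documents a "terraform_cloud" join method that is missing from that list. Since the field is `type: string` with no `enum`, this description is the only place a CRD user learns the valid values, so it should read `..., spacelift, terraform_cloud, token, tpm` or state that the list is non-exhaustive. If the CRD is generated from upstream comments, the correction belongs in the source comment rather than in this file.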
@@ -341,6 +341,51 @@ spec: set when using this token to enroll themselves in the cluster. Currently, only node-join scripts create a configuration according to the suggestion. type: object + terraform_cloud: + description: TerraformCloud allows the configuration of options specific + to the "terraform_cloud" join method. + nullable: true + properties: + allow: + description: Allow is a list of Rules, nodes using this token + must match one allow rule to use this token. + items: + properties: + organization_id: + type: string + organization_name: + type: string + project_id: + type: string + project_name: + type: string + run_phase: + type: string + workspace_id: + type: string + workspace_name: + type: string + type: object + nullable: true + type: array + audience: + description: Audience is the JWT audience as configured in the + TFC_WORKLOAD_IDENTITY_AUDIENCE(_$TAG) variable in Terraform + Cloud. If unset, defaults to the Teleport cluster name. For + example, if `TFC_WORKLOAD_IDENTITY_AUDIENCE_TELEPORT=foo` is + set in Terraform Cloud, this value should be `foo`. If the variable + is set to match the cluster name, it does not need to be set + here. + type: string + hostname: + description: Hostname is the hostname of the Terraform Enterprise + instance expected to issue JWTs allowed by this token. This + may be unset for regular Terraform Cloud use, in which case + it will be assumed to be `app.terraform.io`. Otherwise, it must + both match the `iss` (issuer) field included in JWTs, and provide + standard JWKS endpoints. + type: string + type: object tpm: description: TPM allows the configuration of options specific to the "tpm" join method. 
diff --git a/teleport-cluster-16.0.4/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml b/teleport-cluster-16.4.6/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml similarity index 98% rename from teleport-cluster-16.0.4/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml rename to teleport-cluster-16.4.6/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml index 02dae56..7ab8f4d 100644 --- a/teleport-cluster-16.0.4/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml +++ b/teleport-cluster-16.4.6/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml @@ -298,7 +298,7 @@ spec: type: string type: array description: Annotations is a collection of annotations to - be programmatically appended to pending access requests + be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, @@ -824,7 +824,7 @@ spec: type: string type: array description: Annotations is a collection of annotations to - be programmatically appended to pending access requests + be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, 
@@ -1133,9 +1133,12 @@ spec: created on a Windows desktop type: boolean create_host_user: - description: CreateHostUser allows users to be automatically created - on a host + description: 'Deprecated: use CreateHostUserMode instead.' type: boolean + create_host_user_default_shell: + description: CreateHostUserDefaultShell is used to configure the + default shell for newly provisioned host users. + type: string create_host_user_mode: description: CreateHostUserMode allows users to be automatically created on a host when not set to off. 0 is "unspecified"; 1 @@ -1155,7 +1158,6 @@ spec: device_trust_mode: description: DeviceTrustMode is the device authorization mode used for the resources associated with the role. See DeviceTrust.Mode. - Reserved for future use, not yet used by Teleport. type: string disconnect_expired_cert: description: DisconnectExpiredCert sets disconnect clients on @@ -1211,6 +1213,16 @@ spec: sessions per connection. format: int64 type: integer + mfa_verification_interval: + description: MFAVerificationInterval optionally defines the maximum + duration that can elapse between successive MFA verifications. + This variable is used to ensure that users are periodically + prompted to verify their identity, enhancing security by preventing + prolonged sessions without re-authentication when using tsh + proxy * derivatives. It's only effective if the session requires + MFA. If not set, defaults to `max_session_ttl`. + format: duration + type: string permit_x11_forwarding: description: PermitX11Forwarding authorizes use of X11 forwarding. type: boolean @@ -1242,8 +1254,8 @@ spec: type: string type: object request_access: - description: RequestAccess defines the access request strategy - (optional|note|always) where optional is the default. + description: RequestAccess defines the request strategy (optional|note|always) + where optional is the default. type: string request_prompt: description: RequestPrompt is an optional message which tells 
@@ -1630,7 +1642,7 @@ spec: type: string type: array description: Annotations is a collection of annotations to - be programmatically appended to pending access requests + be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, @@ -2156,7 +2168,7 @@ spec: type: string type: array description: Annotations is a collection of annotations to - be programmatically appended to pending access requests + be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, @@ -2465,9 +2477,12 @@ spec: created on a Windows desktop type: boolean create_host_user: - description: CreateHostUser allows users to be automatically created - on a host + description: 'Deprecated: use CreateHostUserMode instead.' type: boolean + create_host_user_default_shell: + description: CreateHostUserDefaultShell is used to configure the + default shell for newly provisioned host users. + type: string create_host_user_mode: description: CreateHostUserMode allows users to be automatically created on a host when not set to off. 0 is "unspecified"; 1 @@ -2487,7 +2502,6 @@ spec: device_trust_mode: description: DeviceTrustMode is the device authorization mode used for the resources associated with the role. See DeviceTrust.Mode. - Reserved for future use, not yet used by Teleport. type: string disconnect_expired_cert: description: DisconnectExpiredCert sets disconnect clients on 
@@ -2543,6 +2557,16 @@ spec: sessions per connection. format: int64 type: integer + mfa_verification_interval: + description: MFAVerificationInterval optionally defines the maximum + duration that can elapse between successive MFA verifications. + This variable is used to ensure that users are periodically + prompted to verify their identity, enhancing security by preventing + prolonged sessions without re-authentication when using tsh + proxy * derivatives. It's only effective if the session requires + MFA. If not set, defaults to `max_session_ttl`. + format: duration + type: string permit_x11_forwarding: description: PermitX11Forwarding authorizes use of X11 forwarding. type: boolean @@ -2574,8 +2598,8 @@ spec: type: string type: object request_access: - description: RequestAccess defines the access request strategy - (optional|note|always) where optional is the default. + description: RequestAccess defines the request strategy (optional|note|always) + where optional is the default. type: string request_prompt: description: RequestPrompt is an optional message which tells diff --git a/teleport-cluster-16.0.4/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv6.yaml b/teleport-cluster-16.4.6/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv6.yaml similarity index 98% rename from teleport-cluster-16.0.4/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv6.yaml rename to teleport-cluster-16.4.6/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv6.yaml index 6600f60..a0d50c8 100644 --- a/teleport-cluster-16.0.4/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv6.yaml +++ b/teleport-cluster-16.4.6/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv6.yaml 
@@ -301,7 +301,7 @@ spec: type: string type: array description: Annotations is a collection of annotations to - be programmatically appended to pending access requests + be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, @@ -827,7 +827,7 @@ spec: type: string type: array description: Annotations is a collection of annotations to - be programmatically appended to pending access requests + be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, @@ -1136,9 +1136,12 @@ spec: created on a Windows desktop type: boolean create_host_user: - description: CreateHostUser allows users to be automatically created - on a host + description: 'Deprecated: use CreateHostUserMode instead.' type: boolean + create_host_user_default_shell: + description: CreateHostUserDefaultShell is used to configure the + default shell for newly provisioned host users. + type: string create_host_user_mode: description: CreateHostUserMode allows users to be automatically created on a host when not set to off. 0 is "unspecified"; 1 @@ -1158,7 +1161,6 @@ spec: device_trust_mode: description: DeviceTrustMode is the device authorization mode used for the resources associated with the role. See DeviceTrust.Mode. - Reserved for future use, not yet used by Teleport. type: string disconnect_expired_cert: description: DisconnectExpiredCert sets disconnect clients on 
@@ -1214,6 +1216,16 @@ spec: sessions per connection. format: int64 type: integer + mfa_verification_interval: + description: MFAVerificationInterval optionally defines the maximum + duration that can elapse between successive MFA verifications. + This variable is used to ensure that users are periodically + prompted to verify their identity, enhancing security by preventing + prolonged sessions without re-authentication when using tsh + proxy * derivatives. It's only effective if the session requires + MFA. If not set, defaults to `max_session_ttl`. + format: duration + type: string permit_x11_forwarding: description: PermitX11Forwarding authorizes use of X11 forwarding. type: boolean @@ -1245,8 +1257,8 @@ spec: type: string type: object request_access: - description: RequestAccess defines the access request strategy - (optional|note|always) where optional is the default. + description: RequestAccess defines the request strategy (optional|note|always) + where optional is the default. type: string request_prompt: description: RequestPrompt is an optional message which tells diff --git a/teleport-cluster-16.0.4/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv7.yaml b/teleport-cluster-16.4.6/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv7.yaml similarity index 98% rename from teleport-cluster-16.0.4/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv7.yaml rename to teleport-cluster-16.4.6/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv7.yaml index 525c5fb..ebf0a0a 100644 --- a/teleport-cluster-16.0.4/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv7.yaml +++ b/teleport-cluster-16.4.6/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv7.yaml 
@@ -301,7 +301,7 @@ spec: type: string type: array description: Annotations is a collection of annotations to - be programmatically appended to pending access requests + be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, @@ -827,7 +827,7 @@ spec: type: string type: array description: Annotations is a collection of annotations to - be programmatically appended to pending access requests + be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, @@ -1136,9 +1136,12 @@ spec: created on a Windows desktop type: boolean create_host_user: - description: CreateHostUser allows users to be automatically created - on a host + description: 'Deprecated: use CreateHostUserMode instead.' type: boolean + create_host_user_default_shell: + description: CreateHostUserDefaultShell is used to configure the + default shell for newly provisioned host users. + type: string create_host_user_mode: description: CreateHostUserMode allows users to be automatically created on a host when not set to off. 0 is "unspecified"; 1 @@ -1158,7 +1161,6 @@ spec: device_trust_mode: description: DeviceTrustMode is the device authorization mode used for the resources associated with the role. See DeviceTrust.Mode. - Reserved for future use, not yet used by Teleport. type: string disconnect_expired_cert: description: DisconnectExpiredCert sets disconnect clients on 
@@ -1214,6 +1216,16 @@ spec: sessions per connection. format: int64 type: integer + mfa_verification_interval: + description: MFAVerificationInterval optionally defines the maximum + duration that can elapse between successive MFA verifications. + This variable is used to ensure that users are periodically + prompted to verify their identity, enhancing security by preventing + prolonged sessions without re-authentication when using tsh + proxy * derivatives. It's only effective if the session requires + MFA. If not set, defaults to `max_session_ttl`. + format: duration + type: string permit_x11_forwarding: description: PermitX11Forwarding authorizes use of X11 forwarding. type: boolean @@ -1245,8 +1257,8 @@ spec: type: string type: object request_access: - description: RequestAccess defines the access request strategy - (optional|note|always) where optional is the default. + description: RequestAccess defines the request strategy (optional|note|always) + where optional is the default. type: string request_prompt: description: RequestPrompt is an optional message which tells diff --git a/teleport-cluster-16.0.4/charts/teleport-operator/operator-crds/resources.teleport.dev_samlconnectors.yaml b/teleport-cluster-16.4.6/charts/teleport-operator/operator-crds/resources.teleport.dev_samlconnectors.yaml similarity index 97% rename from teleport-cluster-16.0.4/charts/teleport-operator/operator-crds/resources.teleport.dev_samlconnectors.yaml rename to teleport-cluster-16.4.6/charts/teleport-operator/operator-crds/resources.teleport.dev_samlconnectors.yaml index 4ffda89..a443722 100644 --- a/teleport-cluster-16.0.4/charts/teleport-operator/operator-crds/resources.teleport.dev_samlconnectors.yaml +++ b/teleport-cluster-16.4.6/charts/teleport-operator/operator-crds/resources.teleport.dev_samlconnectors.yaml 
@@ -95,6 +95,13 @@ spec: type: string nullable: true type: array + insecure_allowed_cidr_ranges: + description: a list of CIDRs allowed for HTTP or HTTPS client + redirect URLs + items: + type: string + nullable: true + type: array type: object display: description: Display controls how this connector is displayed. diff --git a/teleport-cluster-16.0.4/charts/teleport-operator/operator-crds/resources.teleport.dev_users.yaml b/teleport-cluster-16.4.6/charts/teleport-operator/operator-crds/resources.teleport.dev_users.yaml similarity index 95% rename from teleport-cluster-16.0.4/charts/teleport-operator/operator-crds/resources.teleport.dev_users.yaml rename to teleport-cluster-16.4.6/charts/teleport-operator/operator-crds/resources.teleport.dev_users.yaml index f8720f7..0c5221f 100644 --- a/teleport-cluster-16.0.4/charts/teleport-operator/operator-crds/resources.teleport.dev_users.yaml +++ b/teleport-cluster-16.4.6/charts/teleport-operator/operator-crds/resources.teleport.dev_users.yaml @@ -119,8 +119,12 @@ spec: type: object trusted_device_ids: description: TrustedDeviceIDs contains the IDs of trusted devices - enrolled by the user. Managed by the Device Trust subsystem, avoid - manual edits. + enrolled by the user. Note that SSO users are transient and thus + may contain an empty TrustedDeviceIDs field, even though the user->device + association exists under the Device Trust subsystem. Do not rely + on this field to determine device associations or ownership, it + exists for legacy/informative purposes only. Managed by the Device + Trust subsystem, avoid manual edits. items: type: string nullable: true diff --git a/teleport-cluster-16.0.4/charts/teleport-operator/templates/_helpers.tpl b/teleport-cluster-16.4.6/charts/teleport-operator/templates/_helpers.tpl similarity index 100% rename from teleport-cluster-16.0.4/charts/teleport-operator/templates/_helpers.tpl rename to teleport-cluster-16.4.6/charts/teleport-operator/templates/_helpers.tpl 
diff --git a/teleport-cluster-16.0.4/charts/teleport-operator/templates/crds.yaml b/teleport-cluster-16.4.6/charts/teleport-operator/templates/crds.yaml similarity index 94% rename from teleport-cluster-16.0.4/charts/teleport-operator/templates/crds.yaml rename to teleport-cluster-16.4.6/charts/teleport-operator/templates/crds.yaml index 5217aaa..feacc38 100644 --- a/teleport-cluster-16.0.4/charts/teleport-operator/templates/crds.yaml +++ b/teleport-cluster-16.4.6/charts/teleport-operator/templates/crds.yaml @@ -2,7 +2,7 @@ and creates them if needed. It also adds common labels, like any other Helm-deployed resource. -We cannot rely on the "crds/" Helm directory as Helm's startegy is "fire and forget". +We cannot rely on the "crds/" Helm directory as Helm's strategy is "fire and forget". We have no way to update the CRDs after the initial deployment. As Teleport keeps adding new field to existing CRs, we need a deployment strategy that supports updating CRDs. diff --git a/teleport-cluster-16.0.4/charts/teleport-operator/templates/deployment.yaml b/teleport-cluster-16.4.6/charts/teleport-operator/templates/deployment.yaml similarity index 100% rename from teleport-cluster-16.0.4/charts/teleport-operator/templates/deployment.yaml rename to teleport-cluster-16.4.6/charts/teleport-operator/templates/deployment.yaml diff --git a/teleport-cluster-16.0.4/charts/teleport-operator/templates/role.yaml b/teleport-cluster-16.4.6/charts/teleport-operator/templates/role.yaml similarity index 82% rename from teleport-cluster-16.0.4/charts/teleport-operator/templates/role.yaml rename to teleport-cluster-16.4.6/charts/teleport-operator/templates/role.yaml index 666c2ae..90bf13b 100644 --- a/teleport-cluster-16.0.4/charts/teleport-operator/templates/role.yaml +++ b/teleport-cluster-16.4.6/charts/teleport-operator/templates/role.yaml 
@@ -6,6 +6,7 @@ metadata: name: {{ include "teleport-cluster.operator.fullname" . }} namespace: {{ .Release.Namespace }} rules: + # Rights to manage the Teleport CRs - apiGroups: - "resources.teleport.dev" resources: @@ -41,6 +42,7 @@ rules: - patch - update - watch + # Used to perform leader election when running with multiple replicas - apiGroups: - "coordination.k8s.io" resources: @@ -49,11 +51,19 @@ rules: - create - get - update + # Ability to emit reconciliation events - apiGroups: - "" resources: - events verbs: - create + # Ability to lookup sensitive values from secrets rather than CRs + - apiGroups: + - "" + resources: + - "secrets" + verbs: + - "get" {{- end -}} {{- end -}} diff --git a/teleport-cluster-16.0.4/charts/teleport-operator/templates/rolebinding.yaml b/teleport-cluster-16.4.6/charts/teleport-operator/templates/rolebinding.yaml similarity index 100% rename from teleport-cluster-16.0.4/charts/teleport-operator/templates/rolebinding.yaml rename to teleport-cluster-16.4.6/charts/teleport-operator/templates/rolebinding.yaml diff --git a/teleport-cluster-16.0.4/charts/teleport-operator/templates/serviceaccount.yaml b/teleport-cluster-16.4.6/charts/teleport-operator/templates/serviceaccount.yaml similarity index 100% rename from teleport-cluster-16.0.4/charts/teleport-operator/templates/serviceaccount.yaml rename to teleport-cluster-16.4.6/charts/teleport-operator/templates/serviceaccount.yaml diff --git a/teleport-cluster-16.0.4/charts/teleport-operator/tests/crds_test.yaml b/teleport-cluster-16.4.6/charts/teleport-operator/tests/crds_test.yaml similarity index 100% rename from teleport-cluster-16.0.4/charts/teleport-operator/tests/crds_test.yaml rename to teleport-cluster-16.4.6/charts/teleport-operator/tests/crds_test.yaml 
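Review bot: The new rule grants `get` on every Secret in the release namespace, not only the ones referenced from CRs, because no `resourceNames` restriction is set; any secret co-located with the operator (TLS material, other charts' credentials) becomes readable by the operator's ServiceAccount. That is broader than the comment "lookup sensitive values from secrets rather than CRs" suggests, and the grant is unconditional even for installs that never use secret lookup. Consider gating the rule behind a chart value, or at least say so in the comment: `# Grants read access to every Secret in the release namespace; scope with resourceNames if the lookup secrets are known`. Minor style point: the new rule quotes `"secrets"` and `"get"` while the neighbouring rules leave `events` and `create` unquoted.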
diff --git a/teleport-cluster-16.0.4/charts/teleport-operator/tests/deployment_test.yaml b/teleport-cluster-16.4.6/charts/teleport-operator/tests/deployment_test.yaml similarity index 100% rename from teleport-cluster-16.0.4/charts/teleport-operator/tests/deployment_test.yaml rename to teleport-cluster-16.4.6/charts/teleport-operator/tests/deployment_test.yaml diff --git a/teleport-cluster-16.0.4/charts/teleport-operator/tests/role_test.yaml b/teleport-cluster-16.4.6/charts/teleport-operator/tests/role_test.yaml similarity index 82% rename from teleport-cluster-16.0.4/charts/teleport-operator/tests/role_test.yaml rename to teleport-cluster-16.4.6/charts/teleport-operator/tests/role_test.yaml index a0dce65..3cbb290 100644 --- a/teleport-cluster-16.0.4/charts/teleport-operator/tests/role_test.yaml +++ b/teleport-cluster-16.4.6/charts/teleport-operator/tests/role_test.yaml @@ -41,3 +41,12 @@ tests: kind: Role apiVersion: rbac.authorization.k8s.io/v1 name: RELEASE-NAME-operator + + - it: grants access to secret in the namespace + asserts: + - contains: + path: rules + content: + apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] \ No newline at end of file diff --git a/teleport-cluster-16.0.4/charts/teleport-operator/tests/rolebinding_test.yaml b/teleport-cluster-16.4.6/charts/teleport-operator/tests/rolebinding_test.yaml similarity index 100% rename from teleport-cluster-16.0.4/charts/teleport-operator/tests/rolebinding_test.yaml rename to teleport-cluster-16.4.6/charts/teleport-operator/tests/rolebinding_test.yaml diff --git a/teleport-cluster-16.0.4/charts/teleport-operator/tests/serviceaccount_test.yaml b/teleport-cluster-16.4.6/charts/teleport-operator/tests/serviceaccount_test.yaml similarity index 100% rename from teleport-cluster-16.0.4/charts/teleport-operator/tests/serviceaccount_test.yaml rename to teleport-cluster-16.4.6/charts/teleport-operator/tests/serviceaccount_test.yaml 
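Review bot: The new test case is appended without a trailing newline (`\ No newline at end of file`), which yamllint flags and which makes the next addition to this file show up as a two-line diff. The case name `grants access to secret in the namespace` should read `secrets`, matching the resource it asserts on.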
diff --git a/teleport-cluster-16.0.4/charts/teleport-operator/values.yaml b/teleport-cluster-16.4.6/charts/teleport-operator/values.yaml similarity index 99% rename from teleport-cluster-16.0.4/charts/teleport-operator/values.yaml rename to teleport-cluster-16.4.6/charts/teleport-operator/values.yaml index c213d58..f576b26 100644 --- a/teleport-cluster-16.0.4/charts/teleport-operator/values.yaml +++ b/teleport-cluster-16.4.6/charts/teleport-operator/values.yaml @@ -41,7 +41,7 @@ joinMethod: "kubernetes" # teleportClusterName(string) -- is the name of the joined Teleport cluster. # Setting this value is required when joining via the -# [Kubernetes JWKS](../../join-methods.mdx#kubernetes-jwks) join method. +# [Kubernetes JWKS](../../reference/join-methods.mdx#kubernetes-jwks) join method. teleportClusterName: "" # token(string) -- is the name of the token used by the operator to join the Teleport cluster. @@ -180,7 +180,7 @@ tls: # certs in the same namespace as the Teleport Kubernetes Operator using a # command such as: # - # ```shell + # ```code # $ kubectl create secret generic my-root-ca --from-file=ca.pem=/path/to/root-ca.pem # ``` existingCASecretName: "" diff --git a/teleport-cluster-16.0.4/templates/NOTES.txt b/teleport-cluster-16.4.6/templates/NOTES.txt similarity index 100% rename from teleport-cluster-16.0.4/templates/NOTES.txt rename to teleport-cluster-16.4.6/templates/NOTES.txt diff --git a/teleport-cluster-16.0.4/templates/_helpers.tpl b/teleport-cluster-16.4.6/templates/_helpers.tpl similarity index 100% rename from teleport-cluster-16.0.4/templates/_helpers.tpl rename to teleport-cluster-16.4.6/templates/_helpers.tpl diff --git a/teleport-cluster-16.0.4/templates/auth/_config.aws.tpl b/teleport-cluster-16.4.6/templates/auth/_config.aws.tpl similarity index 100% rename from teleport-cluster-16.0.4/templates/auth/_config.aws.tpl rename to teleport-cluster-16.4.6/templates/auth/_config.aws.tpl 
diff --git a/teleport-cluster-16.0.4/templates/auth/_config.azure.tpl b/teleport-cluster-16.4.6/templates/auth/_config.azure.tpl
similarity index 100%
rename from teleport-cluster-16.0.4/templates/auth/_config.azure.tpl
rename to teleport-cluster-16.4.6/templates/auth/_config.azure.tpl
diff --git a/teleport-cluster-16.0.4/templates/auth/_config.common.tpl b/teleport-cluster-16.4.6/templates/auth/_config.common.tpl
similarity index 100%
rename from teleport-cluster-16.0.4/templates/auth/_config.common.tpl
rename to teleport-cluster-16.4.6/templates/auth/_config.common.tpl
diff --git a/teleport-cluster-16.0.4/templates/auth/_config.gcp.tpl b/teleport-cluster-16.4.6/templates/auth/_config.gcp.tpl
similarity index 100%
rename from teleport-cluster-16.0.4/templates/auth/_config.gcp.tpl
rename to teleport-cluster-16.4.6/templates/auth/_config.gcp.tpl
diff --git a/teleport-cluster-16.0.4/templates/auth/_config.scratch.tpl b/teleport-cluster-16.4.6/templates/auth/_config.scratch.tpl
similarity index 100%
rename from teleport-cluster-16.0.4/templates/auth/_config.scratch.tpl
rename to teleport-cluster-16.4.6/templates/auth/_config.scratch.tpl
diff --git a/teleport-cluster-16.0.4/templates/auth/_config.standalone.tpl b/teleport-cluster-16.4.6/templates/auth/_config.standalone.tpl
similarity index 100%
rename from teleport-cluster-16.0.4/templates/auth/_config.standalone.tpl
rename to teleport-cluster-16.4.6/templates/auth/_config.standalone.tpl
diff --git a/teleport-cluster-16.0.4/templates/auth/clusterrole.yaml b/teleport-cluster-16.4.6/templates/auth/clusterrole.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/templates/auth/clusterrole.yaml
rename to teleport-cluster-16.4.6/templates/auth/clusterrole.yaml
diff --git a/teleport-cluster-16.0.4/templates/auth/clusterrolebinding.yaml b/teleport-cluster-16.4.6/templates/auth/clusterrolebinding.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/templates/auth/clusterrolebinding.yaml
rename to teleport-cluster-16.4.6/templates/auth/clusterrolebinding.yaml
diff --git a/teleport-cluster-16.0.4/templates/auth/config.yaml b/teleport-cluster-16.4.6/templates/auth/config.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/templates/auth/config.yaml
rename to teleport-cluster-16.4.6/templates/auth/config.yaml
diff --git a/teleport-cluster-16.0.4/templates/auth/deployment.yaml b/teleport-cluster-16.4.6/templates/auth/deployment.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/templates/auth/deployment.yaml
rename to teleport-cluster-16.4.6/templates/auth/deployment.yaml
diff --git a/teleport-cluster-16.0.4/templates/auth/pdb.yaml b/teleport-cluster-16.4.6/templates/auth/pdb.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/templates/auth/pdb.yaml
rename to teleport-cluster-16.4.6/templates/auth/pdb.yaml
diff --git a/teleport-cluster-16.0.4/templates/auth/predeploy_config.yaml b/teleport-cluster-16.4.6/templates/auth/predeploy_config.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/templates/auth/predeploy_config.yaml
rename to teleport-cluster-16.4.6/templates/auth/predeploy_config.yaml
diff --git a/teleport-cluster-16.0.4/templates/auth/predeploy_job.yaml b/teleport-cluster-16.4.6/templates/auth/predeploy_job.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/templates/auth/predeploy_job.yaml
rename to teleport-cluster-16.4.6/templates/auth/predeploy_job.yaml
diff --git a/teleport-cluster-16.0.4/templates/auth/pvc.yaml b/teleport-cluster-16.4.6/templates/auth/pvc.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/templates/auth/pvc.yaml
rename to teleport-cluster-16.4.6/templates/auth/pvc.yaml
diff --git a/teleport-cluster-16.0.4/templates/auth/service-previous-version.yaml b/teleport-cluster-16.4.6/templates/auth/service-previous-version.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/templates/auth/service-previous-version.yaml
rename to teleport-cluster-16.4.6/templates/auth/service-previous-version.yaml
diff --git a/teleport-cluster-16.0.4/templates/auth/service.yaml b/teleport-cluster-16.4.6/templates/auth/service.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/templates/auth/service.yaml
rename to teleport-cluster-16.4.6/templates/auth/service.yaml
diff --git a/teleport-cluster-16.0.4/templates/auth/serviceaccount.yaml b/teleport-cluster-16.4.6/templates/auth/serviceaccount.yaml
similarity index 81%
rename from teleport-cluster-16.0.4/templates/auth/serviceaccount.yaml
rename to teleport-cluster-16.4.6/templates/auth/serviceaccount.yaml
index 0eb96f0..d060ea8 100644
--- a/teleport-cluster-16.0.4/templates/auth/serviceaccount.yaml
+++ b/teleport-cluster-16.4.6/templates/auth/serviceaccount.yaml
@@ -1,4 +1,5 @@
 {{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}}
+{{- $projectedServiceAccountToken := semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
 {{- if $auth.serviceAccount.create -}}
 apiVersion: v1
 kind: ServiceAccount
@@ -19,4 +20,7 @@ metadata:
 azure.workload.identity/client-id: "{{ $auth.azure.clientID }}"
 {{- end }}
 {{- end -}}
+{{- if $projectedServiceAccountToken }}
+automountServiceAccountToken: false
+{{- end }}
 {{- end }}
diff --git a/teleport-cluster-16.0.4/templates/podmonitor.yaml b/teleport-cluster-16.4.6/templates/podmonitor.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/templates/podmonitor.yaml
rename to teleport-cluster-16.4.6/templates/podmonitor.yaml
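Review bot: Disabling automount on the auth ServiceAccount (`automountServiceAccountToken: false` after the annotations block) only hardens things if the auth pod obtains its API credential another way — this is the SA bound through templates/auth/clusterrole.yaml and clusterrolebinding.yaml, and templates/auth/deployment.yaml is unchanged (100% similarity) in this diff, so presumably it already mounts a projected token volume; if it does not, the auth pod silently loses Kubernetes API access on clusters >= 1.20. That coupling deserves a comment at the gate, e.g. `{{- /* K8s >= 1.20: no SA-level automount; auth/deployment.yaml is expected to mount a short-lived projected token instead */ -}}`. Two caveats worth recording next to the comparison: `.Capabilities.KubeVersion.Version` under `helm template` is Helm's compiled-in default unless `--kube-version` is passed, so an offline render can omit the field that `helm install` would emit; and the `-0` suffix in `">=1.20.0-0"` is what lets vendor-suffixed versions (e.g. `1.27.4-gke.900`, which Masterminds semver treats as a pre-release) satisfy the range.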
diff --git a/teleport-cluster-16.0.4/templates/proxy/_config.aws.tpl b/teleport-cluster-16.4.6/templates/proxy/_config.aws.tpl
similarity index 100%
rename from teleport-cluster-16.0.4/templates/proxy/_config.aws.tpl
rename to teleport-cluster-16.4.6/templates/proxy/_config.aws.tpl
diff --git a/teleport-cluster-16.0.4/templates/proxy/_config.azure.tpl b/teleport-cluster-16.4.6/templates/proxy/_config.azure.tpl
similarity index 100%
rename from teleport-cluster-16.0.4/templates/proxy/_config.azure.tpl
rename to teleport-cluster-16.4.6/templates/proxy/_config.azure.tpl
diff --git a/teleport-cluster-16.0.4/templates/proxy/_config.common.tpl b/teleport-cluster-16.4.6/templates/proxy/_config.common.tpl
similarity index 100%
rename from teleport-cluster-16.0.4/templates/proxy/_config.common.tpl
rename to teleport-cluster-16.4.6/templates/proxy/_config.common.tpl
diff --git a/teleport-cluster-16.0.4/templates/proxy/_config.gcp.tpl b/teleport-cluster-16.4.6/templates/proxy/_config.gcp.tpl
similarity index 100%
rename from teleport-cluster-16.0.4/templates/proxy/_config.gcp.tpl
rename to teleport-cluster-16.4.6/templates/proxy/_config.gcp.tpl
diff --git a/teleport-cluster-16.0.4/templates/proxy/_config.scratch.tpl b/teleport-cluster-16.4.6/templates/proxy/_config.scratch.tpl
similarity index 100%
rename from teleport-cluster-16.0.4/templates/proxy/_config.scratch.tpl
rename to teleport-cluster-16.4.6/templates/proxy/_config.scratch.tpl
diff --git a/teleport-cluster-16.0.4/templates/proxy/_config.standalone.tpl b/teleport-cluster-16.4.6/templates/proxy/_config.standalone.tpl
similarity index 100%
rename from teleport-cluster-16.0.4/templates/proxy/_config.standalone.tpl
rename to teleport-cluster-16.4.6/templates/proxy/_config.standalone.tpl
diff --git a/teleport-cluster-16.0.4/templates/proxy/certificate.yaml b/teleport-cluster-16.4.6/templates/proxy/certificate.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/templates/proxy/certificate.yaml
rename to teleport-cluster-16.4.6/templates/proxy/certificate.yaml
diff --git a/teleport-cluster-16.0.4/templates/proxy/config.yaml b/teleport-cluster-16.4.6/templates/proxy/config.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/templates/proxy/config.yaml
rename to teleport-cluster-16.4.6/templates/proxy/config.yaml
diff --git a/teleport-cluster-16.0.4/templates/proxy/deployment.yaml b/teleport-cluster-16.4.6/templates/proxy/deployment.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/templates/proxy/deployment.yaml
rename to teleport-cluster-16.4.6/templates/proxy/deployment.yaml
diff --git a/teleport-cluster-16.0.4/templates/proxy/ingress.yaml b/teleport-cluster-16.4.6/templates/proxy/ingress.yaml
similarity index 61%
rename from teleport-cluster-16.0.4/templates/proxy/ingress.yaml
rename to teleport-cluster-16.4.6/templates/proxy/ingress.yaml
index 82ddea2..3b4900f 100644
--- a/teleport-cluster-16.0.4/templates/proxy/ingress.yaml
+++ b/teleport-cluster-16.4.6/templates/proxy/ingress.yaml
@@ -3,21 +3,22 @@
 {{- if (not (eq .Values.proxyListenerMode "multiplex")) -}}
 {{- fail "Use of an ingress requires TLS multiplexing to be enabled, so you must also set proxyListenerMode=multiplex - see https://goteleport.com/docs/architecture/tls-routing/" -}}
 {{- end -}}
- {{- $publicAddr := coalesce .Values.publicAddr (list .Values.clusterName) -}}
- {{- /* Trim ports from all public addresses if present */ -}}
- {{- range $publicAddr -}}
- {{- $address := . -}}
- {{- if (contains ":" $address) -}}
- {{- $split := split ":" $address -}}
- {{- $address = $split._0 -}}
- {{- $publicAddr = append (mustWithout $publicAddr .) $address -}}
+ {{- if not .Values.ingress.useExisting }}
+ {{- $publicAddr := coalesce .Values.publicAddr (list .Values.clusterName) -}}
+ {{- /* Trim ports from all public addresses if present */ -}}
+ {{- range $publicAddr -}}
+ {{- $address := . -}}
+ {{- if (contains ":" $address) -}}
+ {{- $split := split ":" $address -}}
+ {{- $address = $split._0 -}}
+ {{- $publicAddr = append (mustWithout $publicAddr .) $address -}}
+ {{- end -}}
+ {{- $wildcard := printf "*.%s" $address -}}
+ {{- /* Add wildcard versions of all public addresses to ingress, unless 1) suppressed or 2) wildcard version already exists */ -}}
+ {{- if and (not $.Values.ingress.suppressAutomaticWildcards) (not (hasPrefix "*." $address)) (not (has $wildcard $publicAddr)) -}}
+ {{- $publicAddr = append $publicAddr (printf "*.%s" $address) -}}
+ {{- end -}}
 {{- end -}}
- {{- $wildcard := printf "*.%s" $address -}}
- {{- /* Add wildcard versions of all public addresses to ingress, unless 1) suppressed or 2) wildcard version already exists */ -}}
- {{- if and (not $.Values.ingress.suppressAutomaticWildcards) (not (hasPrefix "*." $address)) (not (has $wildcard $publicAddr)) -}}
- {{- $publicAddr = append $publicAddr (printf "*.%s" $address) -}}
- {{- end -}}
- {{- end -}}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
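Review bot: The new `useExisting` guard sits after the `proxyListenerMode` check, so a user who manages their own ingress is still forced into multiplex mode and still gets the `fail` message — that ordering is correct, but nothing states it and the message text does not mention `useExisting`. Suggest a comment above the new `if`: `{{- /* useExisting: the Ingress is owned by the operator; TLS multiplexing is still mandatory above because the proxy is configured as if it sits behind a TLS-terminating ingress */ -}}`. With `useExisting: true` the chart also stops computing the host list (publicAddr with ports trimmed plus the automatic `*.` wildcards), so whoever owns the external ingress must replicate those hosts and TLS termination themselves — a pointer to that in values.yaml or the `fail` text would save debugging. The conditional wrapping this whole template (presumably on `ingress.enabled`) starts before line 3, outside this hunk.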
@@ -58,4 +59,5 @@ spec:
 port:
 number: 443
 {{- end }}
+ {{- end }}
 {{- end }}
diff --git a/teleport-cluster-16.0.4/templates/proxy/pdb.yaml b/teleport-cluster-16.4.6/templates/proxy/pdb.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/templates/proxy/pdb.yaml
rename to teleport-cluster-16.4.6/templates/proxy/pdb.yaml
diff --git a/teleport-cluster-16.0.4/templates/proxy/predeploy_config.yaml b/teleport-cluster-16.4.6/templates/proxy/predeploy_config.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/templates/proxy/predeploy_config.yaml
rename to teleport-cluster-16.4.6/templates/proxy/predeploy_config.yaml
diff --git a/teleport-cluster-16.0.4/templates/proxy/predeploy_job.yaml b/teleport-cluster-16.4.6/templates/proxy/predeploy_job.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/templates/proxy/predeploy_job.yaml
rename to teleport-cluster-16.4.6/templates/proxy/predeploy_job.yaml
diff --git a/teleport-cluster-16.0.4/templates/proxy/service.yaml b/teleport-cluster-16.4.6/templates/proxy/service.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/templates/proxy/service.yaml
rename to teleport-cluster-16.4.6/templates/proxy/service.yaml
diff --git a/teleport-cluster-16.0.4/templates/proxy/serviceaccount.yaml b/teleport-cluster-16.4.6/templates/proxy/serviceaccount.yaml
similarity index 76%
rename from teleport-cluster-16.0.4/templates/proxy/serviceaccount.yaml
rename to teleport-cluster-16.4.6/templates/proxy/serviceaccount.yaml
index 7f5ecd8..4e26c23 100644
--- a/teleport-cluster-16.0.4/templates/proxy/serviceaccount.yaml
+++ b/teleport-cluster-16.4.6/templates/proxy/serviceaccount.yaml
@@ -1,4 +1,5 @@
 {{- $proxy := mustMergeOverwrite (mustDeepCopy .Values) .Values.proxy -}}
+{{- $projectedServiceAccountToken := semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
 {{- if $proxy.serviceAccount.create -}}
 apiVersion: v1
 kind: ServiceAccount
@@ -13,4 +14,7 @@ metadata:
 {{- if $proxy.annotations.serviceAccount }}
 annotations: {{- toYaml $proxy.annotations.serviceAccount | nindent 4 }}
 {{- end -}}
+{{- if $projectedServiceAccountToken }}
+automountServiceAccountToken: false
+{{- end }}
 {{- end }}
diff --git a/teleport-cluster-16.0.4/templates/psp.yaml b/teleport-cluster-16.4.6/templates/psp.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/templates/psp.yaml
rename to teleport-cluster-16.4.6/templates/psp.yaml
diff --git a/teleport-cluster-16.0.4/tests/README.md b/teleport-cluster-16.4.6/tests/README.md
similarity index 100%
rename from teleport-cluster-16.0.4/tests/README.md
rename to teleport-cluster-16.4.6/tests/README.md
diff --git a/teleport-cluster-16.0.4/tests/__snapshot__/auth_clusterrole_test.yaml.snap b/teleport-cluster-16.4.6/tests/__snapshot__/auth_clusterrole_test.yaml.snap
similarity index 89%
rename from teleport-cluster-16.0.4/tests/__snapshot__/auth_clusterrole_test.yaml.snap
rename to teleport-cluster-16.4.6/tests/__snapshot__/auth_clusterrole_test.yaml.snap
index b5265fb..a1aff5a 100644
--- a/teleport-cluster-16.0.4/tests/__snapshot__/auth_clusterrole_test.yaml.snap
+++ b/teleport-cluster-16.4.6/tests/__snapshot__/auth_clusterrole_test.yaml.snap
@@ -8,8 +8,8 @@ adds operator permissions to ClusterRole:
 app.kubernetes.io/instance: RELEASE-NAME
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: teleport-cluster
- app.kubernetes.io/version: 16.0.4
- helm.sh/chart: teleport-cluster-16.0.4
+ app.kubernetes.io/version: 16.4.6
+ helm.sh/chart: teleport-cluster-16.4.6
 teleport.dev/majorVersion: "16"
 name: RELEASE-NAME
 rules:
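Review bot: For the proxy ServiceAccount this is a clean least-privilege win — no ClusterRole or binding for the proxy appears in this chart's template list (only auth has clusterrole.yaml/clusterrolebinding.yaml), so a compromised proxy pod no longer carries a bearer token for the API server by default. The version gate still deserves an inline rationale, e.g. `{{- /* Only on K8s >= 1.20 (projected service-account tokens available): do not auto-mount a long-lived token; any workload that needs API access mounts a projected token explicitly */ -}}` — the second half is my reading of the `$projectedServiceAccountToken` name rather than something this hunk shows. templates/proxy/deployment.yaml is unchanged in this diff, so confirm it does not depend on the auto-mounted token, otherwise the proxy would break on newer clusters while continuing to work on older ones. The `{{- if $proxy.serviceAccount.create -}}` block this closes is opened in the previous hunk.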
diff --git a/teleport-cluster-16.0.4/tests/__snapshot__/auth_config_test.yaml.snap b/teleport-cluster-16.4.6/tests/__snapshot__/auth_config_test.yaml.snap similarity index 99% rename from teleport-cluster-16.0.4/tests/__snapshot__/auth_config_test.yaml.snap rename to teleport-cluster-16.4.6/tests/__snapshot__/auth_config_test.yaml.snap index a05eb9f..ecf6965 100644 --- a/teleport-cluster-16.0.4/tests/__snapshot__/auth_config_test.yaml.snap +++ b/teleport-cluster-16.4.6/tests/__snapshot__/auth_config_test.yaml.snap @@ -1848,8 +1848,8 @@ sets clusterDomain on Configmap: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: teleport-cluster - app.kubernetes.io/version: 16.0.4 - helm.sh/chart: teleport-cluster-16.0.4 + app.kubernetes.io/version: 16.4.6 + helm.sh/chart: teleport-cluster-16.4.6 teleport.dev/majorVersion: "16" name: RELEASE-NAME-auth namespace: NAMESPACE diff --git a/teleport-cluster-16.0.4/tests/__snapshot__/auth_deployment_test.yaml.snap b/teleport-cluster-16.4.6/tests/__snapshot__/auth_deployment_test.yaml.snap similarity index 99% rename from teleport-cluster-16.0.4/tests/__snapshot__/auth_deployment_test.yaml.snap rename to teleport-cluster-16.4.6/tests/__snapshot__/auth_deployment_test.yaml.snap index 05e8373..9d5cb72 100644 --- a/teleport-cluster-16.0.4/tests/__snapshot__/auth_deployment_test.yaml.snap +++ b/teleport-cluster-16.4.6/tests/__snapshot__/auth_deployment_test.yaml.snap @@ -8,7 +8,7 @@ - args: - --diag-addr=0.0.0.0:3000 - --apply-on-startup=/etc/teleport/apply-on-startup.yaml - image: public.ecr.aws/gravitational/teleport-distroless:16.0.4 + image: public.ecr.aws/gravitational/teleport-distroless:16.4.6 imagePullPolicy: IfNotPresent lifecycle: preStop: 
@@ -141,7 +141,7 @@ should set nodeSelector when set in values: - args: - --diag-addr=0.0.0.0:3000 - --apply-on-startup=/etc/teleport/apply-on-startup.yaml - image: public.ecr.aws/gravitational/teleport-distroless:16.0.4 + image: public.ecr.aws/gravitational/teleport-distroless:16.4.6 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -238,7 +238,7 @@ should set resources when set in values: - args: - --diag-addr=0.0.0.0:3000 - --apply-on-startup=/etc/teleport/apply-on-startup.yaml - image: public.ecr.aws/gravitational/teleport-distroless:16.0.4 + image: public.ecr.aws/gravitational/teleport-distroless:16.4.6 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -324,7 +324,7 @@ should set securityContext when set in values: - args: - --diag-addr=0.0.0.0:3000 - --apply-on-startup=/etc/teleport/apply-on-startup.yaml - image: public.ecr.aws/gravitational/teleport-distroless:16.0.4 + image: public.ecr.aws/gravitational/teleport-distroless:16.4.6 imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/teleport-cluster-16.0.4/tests/__snapshot__/ingress_test.yaml.snap b/teleport-cluster-16.4.6/tests/__snapshot__/ingress_test.yaml.snap similarity index 100% rename from teleport-cluster-16.0.4/tests/__snapshot__/ingress_test.yaml.snap rename to teleport-cluster-16.4.6/tests/__snapshot__/ingress_test.yaml.snap diff --git a/teleport-cluster-16.0.4/tests/__snapshot__/predeploy_test.yaml.snap b/teleport-cluster-16.4.6/tests/__snapshot__/predeploy_test.yaml.snap similarity index 100% rename from teleport-cluster-16.0.4/tests/__snapshot__/predeploy_test.yaml.snap rename to teleport-cluster-16.4.6/tests/__snapshot__/predeploy_test.yaml.snap 
diff --git a/teleport-cluster-16.0.4/tests/__snapshot__/proxy_certificate_test.yaml.snap b/teleport-cluster-16.4.6/tests/__snapshot__/proxy_certificate_test.yaml.snap similarity index 100% rename from teleport-cluster-16.0.4/tests/__snapshot__/proxy_certificate_test.yaml.snap rename to teleport-cluster-16.4.6/tests/__snapshot__/proxy_certificate_test.yaml.snap diff --git a/teleport-cluster-16.0.4/tests/__snapshot__/proxy_config_test.yaml.snap b/teleport-cluster-16.4.6/tests/__snapshot__/proxy_config_test.yaml.snap similarity index 99% rename from teleport-cluster-16.0.4/tests/__snapshot__/proxy_config_test.yaml.snap rename to teleport-cluster-16.4.6/tests/__snapshot__/proxy_config_test.yaml.snap index 6396f7b..792468b 100644 --- a/teleport-cluster-16.0.4/tests/__snapshot__/proxy_config_test.yaml.snap +++ b/teleport-cluster-16.4.6/tests/__snapshot__/proxy_config_test.yaml.snap @@ -567,8 +567,8 @@ sets clusterDomain on Configmap: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: teleport-cluster - app.kubernetes.io/version: 16.0.4 - helm.sh/chart: teleport-cluster-16.0.4 + app.kubernetes.io/version: 16.4.6 + helm.sh/chart: teleport-cluster-16.4.6 teleport.dev/majorVersion: "16" name: RELEASE-NAME-proxy namespace: NAMESPACE diff --git a/teleport-cluster-16.0.4/tests/__snapshot__/proxy_deployment_test.yaml.snap b/teleport-cluster-16.4.6/tests/__snapshot__/proxy_deployment_test.yaml.snap similarity index 98% rename from teleport-cluster-16.0.4/tests/__snapshot__/proxy_deployment_test.yaml.snap rename to teleport-cluster-16.4.6/tests/__snapshot__/proxy_deployment_test.yaml.snap index 50fe124..dfcf643 100644 --- a/teleport-cluster-16.0.4/tests/__snapshot__/proxy_deployment_test.yaml.snap +++ b/teleport-cluster-16.4.6/tests/__snapshot__/proxy_deployment_test.yaml.snap 
@@ -11,8 +11,8 @@ sets clusterDomain on Deployment Pods: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: teleport-cluster - app.kubernetes.io/version: 16.0.4 - helm.sh/chart: teleport-cluster-16.0.4 + app.kubernetes.io/version: 16.4.6 + helm.sh/chart: teleport-cluster-16.4.6 teleport.dev/majorVersion: "16" name: RELEASE-NAME-proxy namespace: NAMESPACE @@ -26,7 +26,7 @@ sets clusterDomain on Deployment Pods: template: metadata: annotations: - checksum/config: d24cb6509f15138dec13a689a62973f156f7d688d5e4d2bd56993a7859402cd1 + checksum/config: 87177e0131f696376c17d797df17be252ebdc247a7f84bb05b7a5680ebcd205c kubernetes.io/pod: test-annotation kubernetes.io/pod-different: 4 labels: @@ -34,8 +34,8 @@ sets clusterDomain on Deployment Pods: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: teleport-cluster - app.kubernetes.io/version: 16.0.4 - helm.sh/chart: teleport-cluster-16.0.4 + app.kubernetes.io/version: 16.4.6 + helm.sh/chart: teleport-cluster-16.4.6 teleport.dev/majorVersion: "16" spec: affinity: @@ -44,7 +44,7 @@ sets clusterDomain on Deployment Pods: containers: - args: - --diag-addr=0.0.0.0:3000 - image: public.ecr.aws/gravitational/teleport-distroless:16.0.4 + image: public.ecr.aws/gravitational/teleport-distroless:16.4.6 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -105,7 +105,7 @@ sets clusterDomain on Deployment Pods: - wait - no-resolve - RELEASE-NAME-auth-v15.NAMESPACE.svc.test.com - image: public.ecr.aws/gravitational/teleport-distroless:16.0.4 + image: public.ecr.aws/gravitational/teleport-distroless:16.4.6 name: wait-auth-update serviceAccountName: RELEASE-NAME-proxy terminationGracePeriodSeconds: 60 
@@ -137,7 +137,7 @@ should provision initContainer correctly when set in values: - wait - no-resolve - RELEASE-NAME-auth-v15.NAMESPACE.svc.cluster.local - image: public.ecr.aws/gravitational/teleport-distroless:16.0.4 + image: public.ecr.aws/gravitational/teleport-distroless:16.4.6 name: wait-auth-update resources: limits: @@ -201,7 +201,7 @@ should set nodeSelector when set in values: containers: - args: - --diag-addr=0.0.0.0:3000 - image: public.ecr.aws/gravitational/teleport-distroless:16.0.4 + image: public.ecr.aws/gravitational/teleport-distroless:16.4.6 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -262,7 +262,7 @@ should set nodeSelector when set in values: - wait - no-resolve - RELEASE-NAME-auth-v15.NAMESPACE.svc.cluster.local - image: public.ecr.aws/gravitational/teleport-distroless:16.0.4 + image: public.ecr.aws/gravitational/teleport-distroless:16.4.6 name: wait-auth-update nodeSelector: environment: security @@ -313,7 +313,7 @@ should set resources for wait-auth-update initContainer when set in values: containers: - args: - --diag-addr=0.0.0.0:3000 - image: public.ecr.aws/gravitational/teleport-distroless:16.0.4 + image: public.ecr.aws/gravitational/teleport-distroless:16.4.6 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -381,7 +381,7 @@ should set resources for wait-auth-update initContainer when set in values: - wait - no-resolve - RELEASE-NAME-auth-v15.NAMESPACE.svc.cluster.local - image: public.ecr.aws/gravitational/teleport-distroless:16.0.4 + image: public.ecr.aws/gravitational/teleport-distroless:16.4.6 name: wait-auth-update resources: limits: @@ -421,7 +421,7 @@ should set resources when set in values: containers: - args: - --diag-addr=0.0.0.0:3000 - image: public.ecr.aws/gravitational/teleport-distroless:16.0.4 + image: public.ecr.aws/gravitational/teleport-distroless:16.4.6 imagePullPolicy: IfNotPresent lifecycle: preStop: 
@@ -489,7 +489,7 @@ should set resources when set in values: - wait - no-resolve - RELEASE-NAME-auth-v15.NAMESPACE.svc.cluster.local - image: public.ecr.aws/gravitational/teleport-distroless:16.0.4 + image: public.ecr.aws/gravitational/teleport-distroless:16.4.6 name: wait-auth-update resources: limits: @@ -529,7 +529,7 @@ should set securityContext for initContainers when set in values: containers: - args: - --diag-addr=0.0.0.0:3000 - image: public.ecr.aws/gravitational/teleport-distroless:16.0.4 + image: public.ecr.aws/gravitational/teleport-distroless:16.4.6 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -597,7 +597,7 @@ should set securityContext for initContainers when set in values: - wait - no-resolve - RELEASE-NAME-auth-v15.NAMESPACE.svc.cluster.local - image: public.ecr.aws/gravitational/teleport-distroless:16.0.4 + image: public.ecr.aws/gravitational/teleport-distroless:16.4.6 name: wait-auth-update securityContext: allowPrivilegeEscalation: false @@ -637,7 +637,7 @@ should set securityContext when set in values: containers: - args: - --diag-addr=0.0.0.0:3000 - image: public.ecr.aws/gravitational/teleport-distroless:16.0.4 + image: public.ecr.aws/gravitational/teleport-distroless:16.4.6 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -705,7 +705,7 @@ should set securityContext when set in values: - wait - no-resolve - RELEASE-NAME-auth-v15.NAMESPACE.svc.cluster.local - image: public.ecr.aws/gravitational/teleport-distroless:16.0.4 + image: public.ecr.aws/gravitational/teleport-distroless:16.4.6 name: wait-auth-update securityContext: allowPrivilegeEscalation: false diff --git a/teleport-cluster-16.0.4/tests/__snapshot__/proxy_service_test.yaml.snap b/teleport-cluster-16.4.6/tests/__snapshot__/proxy_service_test.yaml.snap similarity index 100% rename from teleport-cluster-16.0.4/tests/__snapshot__/proxy_service_test.yaml.snap rename to teleport-cluster-16.4.6/tests/__snapshot__/proxy_service_test.yaml.snap 
diff --git a/teleport-cluster-16.0.4/tests/__snapshot__/psp_test.yaml.snap b/teleport-cluster-16.4.6/tests/__snapshot__/psp_test.yaml.snap
similarity index 100%
rename from teleport-cluster-16.0.4/tests/__snapshot__/psp_test.yaml.snap
rename to teleport-cluster-16.4.6/tests/__snapshot__/psp_test.yaml.snap
diff --git a/teleport-cluster-16.0.4/tests/auth_clusterrole_test.yaml b/teleport-cluster-16.4.6/tests/auth_clusterrole_test.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/tests/auth_clusterrole_test.yaml
rename to teleport-cluster-16.4.6/tests/auth_clusterrole_test.yaml
diff --git a/teleport-cluster-16.0.4/tests/auth_clusterrolebinding_test.yaml b/teleport-cluster-16.4.6/tests/auth_clusterrolebinding_test.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/tests/auth_clusterrolebinding_test.yaml
rename to teleport-cluster-16.4.6/tests/auth_clusterrolebinding_test.yaml
diff --git a/teleport-cluster-16.0.4/tests/auth_config_test.yaml b/teleport-cluster-16.4.6/tests/auth_config_test.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/tests/auth_config_test.yaml
rename to teleport-cluster-16.4.6/tests/auth_config_test.yaml
diff --git a/teleport-cluster-16.0.4/tests/auth_deployment_test.yaml b/teleport-cluster-16.4.6/tests/auth_deployment_test.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/tests/auth_deployment_test.yaml
rename to teleport-cluster-16.4.6/tests/auth_deployment_test.yaml
diff --git a/teleport-cluster-16.0.4/tests/auth_pdb_test.yaml b/teleport-cluster-16.4.6/tests/auth_pdb_test.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/tests/auth_pdb_test.yaml
rename to teleport-cluster-16.4.6/tests/auth_pdb_test.yaml
diff --git a/teleport-cluster-16.0.4/tests/auth_pvc_test.yaml b/teleport-cluster-16.4.6/tests/auth_pvc_test.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/tests/auth_pvc_test.yaml
rename to teleport-cluster-16.4.6/tests/auth_pvc_test.yaml
diff --git a/teleport-cluster-16.0.4/tests/auth_serviceaccount_test.yaml b/teleport-cluster-16.4.6/tests/auth_serviceaccount_test.yaml similarity index 69% rename from teleport-cluster-16.0.4/tests/auth_serviceaccount_test.yaml rename to teleport-cluster-16.4.6/tests/auth_serviceaccount_test.yaml index 49e2799..2165131 100644 --- a/teleport-cluster-16.0.4/tests/auth_serviceaccount_test.yaml +++ b/teleport-cluster-16.4.6/tests/auth_serviceaccount_test.yaml @@ -50,3 +50,25 @@ tests: - equal: path: metadata.labels.baz value: overridden + + - it: does not set automountServiceAccountToken if cluster version is <1.20 + set: + clusterName: helm-lint + capabilities: + majorVersion: 1 + minorVersion: 18 + asserts: + - notEqual: + path: automountServiceAccountToken + value: false + + - it: sets automountServiceAccountToken to false if cluster version is >=1.20 + set: + clusterName: helm-lint + capabilities: + majorVersion: 1 + minorVersion: 20 + asserts: + - equal: + path: automountServiceAccountToken + value: false diff --git a/teleport-cluster-16.0.4/tests/ingress_test.yaml b/teleport-cluster-16.4.6/tests/ingress_test.yaml similarity index 98% rename from teleport-cluster-16.0.4/tests/ingress_test.yaml rename to teleport-cluster-16.4.6/tests/ingress_test.yaml index c0f7756..2486967 100644 --- a/teleport-cluster-16.0.4/tests/ingress_test.yaml +++ b/teleport-cluster-16.4.6/tests/ingress_test.yaml @@ -18,6 +18,16 @@ tests: - isKind: of: Ingress + - it: does not create an Ingress when ingress.enabled=true, proxyListenerMode=multiplex but ingress.useExisting is true + values: + - ../.lint/ingress.yaml + set: + ingress: + useExisting: true + asserts: + - hasDocuments: + count: 0 + - it: fails to deploy an Ingress when ingress.enabled=true and proxyListenerMode is not set values: - ../.lint/ingress.yaml 
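Review bot: `notEqual` with `value: false` on `automountServiceAccountToken` in the "<1.20" case also passes if the field were rendered as `true`, so it does not pin the intended behaviour (field absent); helm-unittest's `isNull` — or `notExists` if the pinned plugin version supports it — would assert absence precisely: `- isNull:` / `path: automountServiceAccountToken`. The ">=1.20" case tests exactly the boundary minor, which is good; a second case with a higher minor (e.g. 28) would also catch a regression that pins the comparison to 1.20 alone. Helm-unittest appears to build `KubeVersion.Version` from `capabilities.majorVersion`/`minorVersion`, so the pre-release path of `>=1.20.0-0` (vendor-suffixed versions) cannot be exercised here; a one-line comment saying so would stop someone from "fixing" the `-0`.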
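Review bot: The new `useExisting` case proves the Ingress document is suppressed but not that the multiplex precondition survives the refactor; since the `fail` now precedes the `useExisting` guard in templates/proxy/ingress.yaml, add a companion case with `ingress.useExisting: true` and `proxyListenerMode` unset that asserts `failedTemplate` with the existing multiplex message, mirroring the "fails to deploy an Ingress when ... proxyListenerMode is not set" case that follows. A further case combining `useExisting: true` with a non-default `publicAddr` would document that host computation (and wildcard generation) is skipped entirely rather than leaking into some other resource. The `tests:` list this sits in continues outside the hunk.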
diff --git a/teleport-cluster-16.0.4/tests/podmonitor_test.yaml b/teleport-cluster-16.4.6/tests/podmonitor_test.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/tests/podmonitor_test.yaml
rename to teleport-cluster-16.4.6/tests/podmonitor_test.yaml
diff --git a/teleport-cluster-16.0.4/tests/predeploy_test.yaml b/teleport-cluster-16.4.6/tests/predeploy_test.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/tests/predeploy_test.yaml
rename to teleport-cluster-16.4.6/tests/predeploy_test.yaml
diff --git a/teleport-cluster-16.0.4/tests/proxy_certificate_test.yaml b/teleport-cluster-16.4.6/tests/proxy_certificate_test.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/tests/proxy_certificate_test.yaml
rename to teleport-cluster-16.4.6/tests/proxy_certificate_test.yaml
diff --git a/teleport-cluster-16.0.4/tests/proxy_config_test.yaml b/teleport-cluster-16.4.6/tests/proxy_config_test.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/tests/proxy_config_test.yaml
rename to teleport-cluster-16.4.6/tests/proxy_config_test.yaml
diff --git a/teleport-cluster-16.0.4/tests/proxy_deployment_test.yaml b/teleport-cluster-16.4.6/tests/proxy_deployment_test.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/tests/proxy_deployment_test.yaml
rename to teleport-cluster-16.4.6/tests/proxy_deployment_test.yaml
diff --git a/teleport-cluster-16.0.4/tests/proxy_pdb_test.yaml b/teleport-cluster-16.4.6/tests/proxy_pdb_test.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/tests/proxy_pdb_test.yaml
rename to teleport-cluster-16.4.6/tests/proxy_pdb_test.yaml
diff --git a/teleport-cluster-16.0.4/tests/proxy_service_test.yaml b/teleport-cluster-16.4.6/tests/proxy_service_test.yaml
similarity index 100%
rename from teleport-cluster-16.0.4/tests/proxy_service_test.yaml
rename to teleport-cluster-16.4.6/tests/proxy_service_test.yaml
diff --git a/teleport-cluster-16.0.4/tests/proxy_serviceaccount_test.yaml b/teleport-cluster-16.4.6/tests/proxy_serviceaccount_test.yaml similarity index 65% rename from teleport-cluster-16.0.4/tests/proxy_serviceaccount_test.yaml rename to teleport-cluster-16.4.6/tests/proxy_serviceaccount_test.yaml index 70198bd..fe3dee4 100644 --- a/teleport-cluster-16.0.4/tests/proxy_serviceaccount_test.yaml +++ b/teleport-cluster-16.4.6/tests/proxy_serviceaccount_test.yaml @@ -40,3 +40,25 @@ tests: - equal: path: metadata.labels.baz value: overridden + + - it: does not set automountServiceAccountToken if cluster version is <1.20 + set: + clusterName: helm-lint + capabilities: + majorVersion: 1 + minorVersion: 18 + asserts: + - notEqual: + path: automountServiceAccountToken + value: false + + - it: sets automountServiceAccountToken to false if cluster version is >=1.20 + set: + clusterName: helm-lint + capabilities: + majorVersion: 1 + minorVersion: 20 + asserts: + - equal: + path: automountServiceAccountToken + value: false diff --git a/teleport-cluster-16.0.4/tests/psp_test.yaml b/teleport-cluster-16.4.6/tests/psp_test.yaml similarity index 100% rename from teleport-cluster-16.0.4/tests/psp_test.yaml rename to teleport-cluster-16.4.6/tests/psp_test.yaml diff --git a/teleport-cluster-16.0.4/values.home.yaml b/teleport-cluster-16.4.6/values.home.yaml similarity index 100% rename from teleport-cluster-16.0.4/values.home.yaml rename to teleport-cluster-16.4.6/values.home.yaml diff --git a/teleport-cluster-16.0.4/values.schema.json b/teleport-cluster-16.4.6/values.schema.json similarity index 100% rename from teleport-cluster-16.0.4/values.schema.json rename to teleport-cluster-16.4.6/values.schema.json diff --git a/teleport-cluster-16.0.4/values.yaml b/teleport-cluster-16.4.6/values.yaml similarity index 98% rename from teleport-cluster-16.0.4/values.yaml rename to teleport-cluster-16.4.6/values.yaml index 79aad77..20e9171 100644 --- a/teleport-cluster-16.0.4/values.yaml 
+++ b/teleport-cluster-16.4.6/values.yaml @@ -49,7 +49,7 @@ teleportVersionOverride: "" # connection, but will accept it if present. This mode is considered insecure # and should only be used for testing purposes. # -# See https://goteleport.com/docs/ver/14.x/management/security/proxy-protocol/ +# See https://goteleport.com/docs/admin-guides/management/security/proxy-protocol/ # for more information. # # proxyProtocol: on @@ -287,7 +287,7 @@ global: clusterDomain: cluster.local # Labels is a map of key-value pairs about this cluster. Those labels are used -# in Teleport to access the Kuebrnetes cluster. They must not be confused with +# in Teleport to access the Kubernetes cluster. They must not be confused with # `extraLabels` which are additional labels to add on Kubernetes resources # created by the Helm chart. labels: {} @@ -700,6 +700,11 @@ service: # See https://goteleport.com/docs/architecture/tls-routing/#working-with-layer-7-load-balancers-or-reverse-proxies-preview for details. ingress: enabled: false + # useExisting indicates to the chart that you are managing your own ingress. + # (or HTTPRoute, or any other LoadBalancing method that terminates TLS). + # The chart will configure Teleport like it's running behind an ingress, but will not create the ingress resource. + # You are responsible for creating and managing the ingress. + useExisting: false # Setting suppressAutomaticWildcards to true will not automatically add *. as a hostname served # by the Ingress. This may be desirable if you don't use Teleport Application Access. suppressAutomaticWildcards: false diff --git a/teleport-cluster/.lint/auth-enterprise-license.yaml b/teleport-cluster/.lint/auth-enterprise-license.yaml new file mode 100644 index 0000000..a86c526 --- /dev/null +++ b/teleport-cluster/.lint/auth-enterprise-license.yaml @@ -0,0 +1,4 @@ +clusterName: helm-lint +enterprise: true +licenseSecretName: enterprise-license + 
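Review bot: The `useExisting` comment should spell out the preconditions the template still enforces or assumes: `proxyListenerMode` must be `multiplex` (templates/proxy/ingress.yaml keeps its `fail` ahead of the new `useExisting` guard) and `ingress.enabled` apparently still has to be true (the only test exercising the flag sets both). I would rewrite the four comment lines to say, in order: that the user creates and manages the Ingress/HTTPRoute/TLS-terminating LB themselves; that `ingress.enabled: true` and `proxyListenerMode: multiplex` remain required because the proxy config is rendered as if it sits behind a TLS-terminating ingress; and that the chart no longer computes the host list, so the external ingress must route `publicAddr` (and the `*.` wildcards if application access is used) to the proxy service — for example `# useExisting: you own the Ingress/HTTPRoute. ingress.enabled and proxyListenerMode=multiplex are still required;` / `# the chart renders the proxy config as if behind a TLS-terminating ingress but emits no Ingress resource.`. The second line of the existing comment is a sentence fragment ("(or HTTPRoute, or any other LoadBalancing method that terminates TLS).") and reads better folded into the first. The enclosing `ingress:` map starts before line 700 and continues past `suppressAutomaticWildcards`, outside this hunk.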
diff --git a/teleport-cluster/Chart.yaml b/teleport-cluster/Chart.yaml index 93b012b..c0622f6 100644 --- a/teleport-cluster/Chart.yaml +++ b/teleport-cluster/Chart.yaml @@ -1,13 +1,13 @@ apiVersion: v2 -appVersion: 16.4.6 +appVersion: 17.2.7 dependencies: - alias: operator name: teleport-operator repository: "" - version: 16.4.6 + version: 17.2.7 description: Teleport is an access platform for your infrastructure icon: https://goteleport.com/static/teleport-symbol-bimi.svg keywords: - Teleport name: teleport-cluster -version: 16.4.6 +version: 17.2.7 diff --git a/teleport-cluster/charts/teleport-operator/.lint/labels.yaml b/teleport-cluster/charts/teleport-operator/.lint/labels.yaml new file mode 100644 index 0000000..15d33de --- /dev/null +++ b/teleport-cluster/charts/teleport-operator/.lint/labels.yaml @@ -0,0 +1,10 @@ +labels: + deployment: + kubernetes.io/deployment: "test-label" + kubernetes.io/deployment-different: 3 + pod: + kubernetes.io/pod: "test-label" + kubernetes.io/pod-different: 4 +teleportAddress: "example.teleport.sh:443" +token: "my-operator-bot" +teleportClusterName: "example.teleport.sh" diff --git a/teleport-cluster/charts/teleport-operator/Chart.yaml b/teleport-cluster/charts/teleport-operator/Chart.yaml index 62540f2..af29aae 100644 --- a/teleport-cluster/charts/teleport-operator/Chart.yaml +++ b/teleport-cluster/charts/teleport-operator/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: 16.4.6 +appVersion: 17.2.7 description: Teleport Operator provides management of select Teleport resources. icon: https://goteleport.com/static/teleport-symbol-bimi.svg keywords: - Teleport name: teleport-operator -version: 16.4.6 +version: 17.2.7 diff --git a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_accesslists.yaml b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_accesslists.yaml index 60c0a57..2c59561 100644 
--- a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_accesslists.yaml +++ b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_accesslists.yaml @@ -153,6 +153,10 @@ spec: description: ineligible_status describes if this owner is eligible or not and if not, describes how they're lacking eligibility. x-kubernetes-int-or-string: true + membership_kind: + description: membership_kind describes the type of membership, + either `MEMBERSHIP_KIND_USER` or `MEMBERSHIP_KIND_LIST`. + x-kubernetes-int-or-string: true name: description: name is the username of the owner. type: string @@ -194,16 +198,8 @@ spec: description: Conditions represent the latest available observations of an object's state items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of the current + state of this API Resource. properties: lastTransitionTime: description: |- 
@@ -244,12 +240,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_githubconnectors.yaml b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_githubconnectors.yaml index be8404b..1832b3d 100644 --- a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_githubconnectors.yaml +++ b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_githubconnectors.yaml 
@@ -107,16 +107,8 @@ spec: description: Conditions represent the latest available observations of an object's state items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of the current + state of this API Resource. properties: lastTransitionTime: description: |- @@ -157,12 +149,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_loginrules.yaml b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_loginrules.yaml index 7b5928c..0f116e8 100644 --- a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_loginrules.yaml 
+++ b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_loginrules.yaml @@ -63,16 +63,8 @@ spec: description: Conditions represent the latest available observations of an object's state items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of the current + state of this API Resource. properties: lastTransitionTime: description: |- @@ -113,12 +105,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_oidcconnectors.yaml b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_oidcconnectors.yaml index 7175f92..29a7b8e 100644 
--- a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_oidcconnectors.yaml +++ b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_oidcconnectors.yaml @@ -116,6 +116,42 @@ spec: time period, they will be forced to re-authenticate. format: duration type: string + mfa: + description: MFASettings contains settings to enable SSO MFA checks + through this auth connector. + nullable: true + properties: + acr_values: + description: AcrValues are Authentication Context Class Reference + values. The meaning of the ACR value is context-specific and + varies for identity providers. Some identity providers support + MFA specific contexts, such Okta with its "phr" (phishing-resistant) + ACR. + type: string + client_id: + description: ClientID is the OIDC OAuth app client ID. + type: string + client_secret: + description: ClientSecret is the OIDC OAuth app client secret. + type: string + enabled: + description: Enabled specified whether this OIDC connector supports + MFA checks. Defaults to false. + type: boolean + max_age: + description: MaxAge is the amount of time in nanoseconds that + an IdP session is valid for. Defaults to 0 to always force re-authentication + for MFA checks. This should only be set to a non-zero value + if the IdP is setup to perform MFA checks on top of active user + sessions. + format: duration + type: string + prompt: + description: Prompt is an optional OIDC prompt. An empty string + omits prompt. If not specified, it defaults to select_account + for backwards compatibility. + type: string + type: object prompt: description: Prompt is an optional OIDC prompt. An empty string omits prompt. If not specified, it defaults to select_account for backwards 
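Review bot: The new `mfa.client_secret` property in the oidcconnectors schema stores an OAuth client secret as a plain string inside the CR spec, where it persists in etcd and is readable by anyone with `get` on this kind, and the description says only that it is "the OIDC OAuth app client secret". Since this file appears to be generated from the operator's Go types, the place to fix that is the source field comment, e.g. appending "Stored in clear text in the resource; restrict read access to this kind accordingly." so the warning propagates into the CRD description. Separately, `max_age` is described as "the amount of time in nanoseconds" while its schema is `format: duration` / `type: string`, so a user following the description would write a bare integer that admission rejects; the description should say it is a duration string.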
@@ -152,16 +188,8 @@ spec: description: Conditions represent the latest available observations of an object's state items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of the current + state of this API Resource. properties: lastTransitionTime: description: |- @@ -202,12 +230,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_oktaimportrules.yaml b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_oktaimportrules.yaml index f6077e4..00c5c08 100644 --- a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_oktaimportrules.yaml 
+++ b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_oktaimportrules.yaml @@ -101,16 +101,8 @@ spec: description: Conditions represent the latest available observations of an object's state items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of the current + state of this API Resource. properties: lastTransitionTime: description: |- @@ -151,12 +143,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_openssheiceserversv2.yaml b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_openssheiceserversv2.yaml index c2d28a5..bad8469 100644 
--- a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_openssheiceserversv2.yaml +++ b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_openssheiceserversv2.yaml @@ -88,6 +88,20 @@ spec: type: string type: object type: object + github: + description: GitHub contains info about GitHub proxies where each + server represents a GitHub organization. + nullable: true + properties: + integration: + description: Integration is the integration that is associated + with this Server. + type: string + organization: + description: Organization specifies the name of the organization + for the GitHub integration. + type: string + type: object hostname: description: Hostname is server hostname type: string @@ -178,16 +192,8 @@ spec: description: Conditions represent the latest available observations of an object's state items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of the current + state of this API Resource. properties: lastTransitionTime: description: |- 
@@ -228,12 +234,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_opensshserversv2.yaml b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_opensshserversv2.yaml index d9aaf70..fe3d76a 100644 --- a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_opensshserversv2.yaml +++ b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_opensshserversv2.yaml @@ -87,6 +87,20 @@ spec: type: string type: object type: object + github: + description: GitHub contains info about GitHub proxies where each + server represents a GitHub organization. + nullable: true + properties: + integration: + description: Integration is the integration that is associated + with this Server. + type: string + organization: + description: Organization specifies the name of the organization + for the GitHub integration. + type: string + type: object hostname: description: Hostname is server hostname type: string 
@@ -177,16 +191,8 @@ spec: description: Conditions represent the latest available observations of an object's state items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of the current + state of this API Resource. properties: lastTransitionTime: description: |- @@ -227,12 +233,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_provisiontokens.yaml b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_provisiontokens.yaml index e0c410c..e42dc48 100644 --- a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_provisiontokens.yaml 
+++ b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_provisiontokens.yaml @@ -102,6 +102,40 @@ spec: nullable: true type: array type: object + bitbucket: + description: Bitbucket allows the configuration of options specific + to the "bitbucket" join method. + nullable: true + properties: + allow: + description: Allow is a list of Rules, nodes using this token + must match one allow rule to use this token. + items: + properties: + branch_name: + type: string + deployment_environment_uuid: + type: string + repository_uuid: + type: string + workspace_uuid: + type: string + type: object + nullable: true + type: array + audience: + description: Audience is a Bitbucket-specified audience value + for this token. It is unique to each Bitbucket repository, and + must be set to the value as written in the Pipelines -> OpenID + Connect section of the repository settings. + type: string + identity_provider_url: + description: IdentityProviderURL is a Bitbucket-specified issuer + URL for incoming OIDC tokens. It is unique to each Bitbucket + repository, and must be set to the value as written in the Pipelines + -> OpenID Connect section of the repository settings. + type: string + type: object bot_name: description: BotName is the name of the bot this token grants access to, if any 
@@ -204,6 +238,12 @@ spec: if `enterprise_server_host` is specified. See https://docs.github.com/en/enterprise-cloud@latest/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#customizing-the-issuer-value-for-an-enterprise for more information about customized issuer values. type: string + static_jwks: + description: StaticJWKS disables fetching of the GHES signing + keys via the JWKS/OIDC endpoints, and allows them to be directly + specified. This allows joining from GitHub Actions in GHES instances + that are not reachable by the Teleport Auth Service. + type: string type: object gitlab: description: GitLab allows the configuration of options specific to @@ -425,16 +465,8 @@ spec: description: Conditions represent the latest available observations of an object's state items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of the current + state of this API Resource. properties: lastTransitionTime: description: |- 
@@ -475,12 +507,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml index 7ab8f4d..9e3a0f4 100644 --- a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml +++ b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml @@ -35,6 +35,17 @@ spec: allow: description: Allow is the set of conditions evaluated to grant access. properties: + account_assignments: + description: AccountAssignments holds the list of account assignments + affected by this condition. + items: + properties: + account: + type: string + permission_set: + type: string + type: object + type: array app_labels: additionalProperties: x-kubernetes-preserve-unknown-fields: true @@ -146,6 +157,18 @@ spec: type: string nullable: true type: array + github_permissions: + description: GitHubPermissions defines GitHub integration related + permissions. + items: + properties: + orgs: + items: + type: string + nullable: true + type: array + type: object + type: array group_labels: additionalProperties: x-kubernetes-preserve-unknown-fields: true 
@@ -249,7 +272,6 @@ spec: properties: kind: description: Kind specifies the Kubernetes Resource type. - At the moment only "pod" is supported. type: string name: description: Name is the resource name. It supports wildcards. @@ -326,12 +348,41 @@ spec: type: string type: object type: array + kubernetes_resources: + description: 'kubernetes_resources can optionally enforce + a requester to request only certain kinds of kube resources. + Eg: Users can make request to either a resource kind "kube_cluster" + or any of its subresources like "namespaces". This field + can be defined such that it prevents a user from requesting + "kube_cluster" and enforce requesting any of its subresources.' + items: + properties: + kind: + description: kind specifies the Kubernetes Resource + type. + type: string + type: object + type: array max_duration: description: MaxDuration is the amount of time the access will be granted for. If this is zero, the default duration is used. format: duration type: string + reason: + description: Reason defines settings for the reason for the + access provided by the user. + nullable: true + properties: + mode: + description: Mode can be either "required" or "optional". + Empty string is treated as "optional". If a role has + the request reason mode set to "required", then reason + is required for all Access Requests requesting roles + or resources allowed by this role. It applies only to + users who have this role assigned. + type: string + type: object roles: description: Roles is the name of roles which will match the request rule. 
@@ -556,11 +607,33 @@ spec: type: string nullable: true type: array + workload_identity_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: WorkloadIdentityLabels controls whether or not specific + WorkloadIdentity resources can be invoked. Further authorization + controls exist on the WorkloadIdentity resource itself. + type: object + workload_identity_labels_expression: + description: WorkloadIdentityLabelsExpression is a predicate expression + used to allow/deny access to issuing a WorkloadIdentity. + type: string type: object deny: description: Deny is the set of conditions evaluated to deny access. Deny takes priority over allow. properties: + account_assignments: + description: AccountAssignments holds the list of account assignments + affected by this condition. + items: + properties: + account: + type: string + permission_set: + type: string + type: object + type: array app_labels: additionalProperties: x-kubernetes-preserve-unknown-fields: true @@ -672,6 +745,18 @@ spec: type: string nullable: true type: array + github_permissions: + description: GitHubPermissions defines GitHub integration related + permissions. + items: + properties: + orgs: + items: + type: string + nullable: true + type: array + type: object + type: array group_labels: additionalProperties: x-kubernetes-preserve-unknown-fields: true @@ -775,7 +860,6 @@ spec: properties: kind: description: Kind specifies the Kubernetes Resource type. - At the moment only "pod" is supported. type: string name: description: Name is the resource name. It supports wildcards. 
@@ -852,12 +936,41 @@ spec: type: string type: object type: array + kubernetes_resources: + description: 'kubernetes_resources can optionally enforce + a requester to request only certain kinds of kube resources. + Eg: Users can make request to either a resource kind "kube_cluster" + or any of its subresources like "namespaces". This field + can be defined such that it prevents a user from requesting + "kube_cluster" and enforce requesting any of its subresources.' + items: + properties: + kind: + description: kind specifies the Kubernetes Resource + type. + type: string + type: object + type: array max_duration: description: MaxDuration is the amount of time the access will be granted for. If this is zero, the default duration is used. format: duration type: string + reason: + description: Reason defines settings for the reason for the + access provided by the user. + nullable: true + properties: + mode: + description: Mode can be either "required" or "optional". + Empty string is treated as "optional". If a role has + the request reason mode set to "required", then reason + is required for all Access Requests requesting roles + or resources allowed by this role. It applies only to + users who have this role assigned. + type: string + type: object roles: description: Roles is the name of roles which will match the request rule. 
@@ -1082,6 +1195,17 @@ spec: type: string nullable: true type: array + workload_identity_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: WorkloadIdentityLabels controls whether or not specific + WorkloadIdentity resources can be invoked. Further authorization + controls exist on the WorkloadIdentity resource itself. + type: object + workload_identity_labels_expression: + description: WorkloadIdentityLabelsExpression is a predicate expression + used to allow/deny access to issuing a WorkloadIdentity. + type: string type: object options: description: Options is for OpenSSH options like agent forwarding. @@ -1231,9 +1355,7 @@ spec: generation and usage type: boolean port_forwarding: - description: PortForwarding defines if the certificate will have - "permit-port-forwarding" in the certificate. PortForwarding - is "yes" if not set, that's why this is a pointer + description: 'Deprecated: Use SSHPortForwarding instead' type: boolean record_session: description: RecordDesktopSession indicates whether desktop access @@ -1271,6 +1393,26 @@ spec: via SCP or SFTP are allowed over an SSH session. It defaults to true unless explicitly set to false. type: boolean + ssh_port_forwarding: + description: SSHPortForwarding configures what types of SSH port + forwarding are allowed by a role. + nullable: true + properties: + local: + description: Allow local port forwarding. + nullable: true + properties: + enabled: + type: boolean + type: object + remote: + description: Allow remote port forwarding. + nullable: true + properties: + enabled: + type: boolean + type: object + type: object type: object type: object status: 
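Review bot: The replacement description for `port_forwarding`, `'Deprecated: Use SSHPortForwarding instead'`, drops the earlier statement that forwarding is allowed when the option is unset, and neither it nor the new `ssh_port_forwarding` description says which setting wins when a role carries both. That precedence decides whether a role that still sets `port_forwarding: false` keeps forwarding disabled after the upgrade, so it deserves a sentence in the schema text, e.g. on `ssh_port_forwarding`: "When set, this takes precedence over the deprecated port_forwarding option." — assuming that is the server's actual behaviour, which nothing in the hunk shows. The same pair of changes appears again for the second role version later in this file; as the file looks generated, the wording belongs in the source comments so both copies pick it up.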
@@ -1280,16 +1422,8 @@ spec: description: Conditions represent the latest available observations of an object's state items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of the current + state of this API Resource. properties: lastTransitionTime: description: |- @@ -1330,12 +1464,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string 
@@ -1379,6 +1508,17 @@ spec: allow: description: Allow is the set of conditions evaluated to grant access. properties: + account_assignments: + description: AccountAssignments holds the list of account assignments + affected by this condition. + items: + properties: + account: + type: string + permission_set: + type: string + type: object + type: array app_labels: additionalProperties: x-kubernetes-preserve-unknown-fields: true @@ -1490,6 +1630,18 @@ spec: type: string nullable: true type: array + github_permissions: + description: GitHubPermissions defines GitHub integration related + permissions. + items: + properties: + orgs: + items: + type: string + nullable: true + type: array + type: object + type: array group_labels: additionalProperties: x-kubernetes-preserve-unknown-fields: true @@ -1593,7 +1745,6 @@ spec: properties: kind: description: Kind specifies the Kubernetes Resource type. - At the moment only "pod" is supported. type: string name: description: Name is the resource name. It supports wildcards. 
@@ -1670,12 +1821,41 @@ spec: type: string type: object type: array + kubernetes_resources: + description: 'kubernetes_resources can optionally enforce + a requester to request only certain kinds of kube resources. + Eg: Users can make request to either a resource kind "kube_cluster" + or any of its subresources like "namespaces". This field + can be defined such that it prevents a user from requesting + "kube_cluster" and enforce requesting any of its subresources.' + items: + properties: + kind: + description: kind specifies the Kubernetes Resource + type. + type: string + type: object + type: array max_duration: description: MaxDuration is the amount of time the access will be granted for. If this is zero, the default duration is used. format: duration type: string + reason: + description: Reason defines settings for the reason for the + access provided by the user. + nullable: true + properties: + mode: + description: Mode can be either "required" or "optional". + Empty string is treated as "optional". If a role has + the request reason mode set to "required", then reason + is required for all Access Requests requesting roles + or resources allowed by this role. It applies only to + users who have this role assigned. + type: string + type: object roles: description: Roles is the name of roles which will match the request rule. 
@@ -1900,11 +2080,33 @@ spec: type: string nullable: true type: array + workload_identity_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: WorkloadIdentityLabels controls whether or not specific + WorkloadIdentity resources can be invoked. Further authorization + controls exist on the WorkloadIdentity resource itself. + type: object + workload_identity_labels_expression: + description: WorkloadIdentityLabelsExpression is a predicate expression + used to allow/deny access to issuing a WorkloadIdentity. + type: string type: object deny: description: Deny is the set of conditions evaluated to deny access. Deny takes priority over allow. properties: + account_assignments: + description: AccountAssignments holds the list of account assignments + affected by this condition. + items: + properties: + account: + type: string + permission_set: + type: string + type: object + type: array app_labels: additionalProperties: x-kubernetes-preserve-unknown-fields: true @@ -2016,6 +2218,18 @@ spec: type: string nullable: true type: array + github_permissions: + description: GitHubPermissions defines GitHub integration related + permissions. + items: + properties: + orgs: + items: + type: string + nullable: true + type: array + type: object + type: array group_labels: additionalProperties: x-kubernetes-preserve-unknown-fields: true @@ -2119,7 +2333,6 @@ spec: properties: kind: description: Kind specifies the Kubernetes Resource type. - At the moment only "pod" is supported. type: string name: description: Name is the resource name. It supports wildcards. 
@@ -2196,12 +2409,41 @@ spec: type: string type: object type: array + kubernetes_resources: + description: 'kubernetes_resources can optionally enforce + a requester to request only certain kinds of kube resources. + Eg: Users can make request to either a resource kind "kube_cluster" + or any of its subresources like "namespaces". This field + can be defined such that it prevents a user from requesting + "kube_cluster" and enforce requesting any of its subresources.' + items: + properties: + kind: + description: kind specifies the Kubernetes Resource + type. + type: string + type: object + type: array max_duration: description: MaxDuration is the amount of time the access will be granted for. If this is zero, the default duration is used. format: duration type: string + reason: + description: Reason defines settings for the reason for the + access provided by the user. + nullable: true + properties: + mode: + description: Mode can be either "required" or "optional". + Empty string is treated as "optional". If a role has + the request reason mode set to "required", then reason + is required for all Access Requests requesting roles + or resources allowed by this role. It applies only to + users who have this role assigned. + type: string + type: object roles: description: Roles is the name of roles which will match the request rule. 
@@ -2426,6 +2668,17 @@ spec: type: string nullable: true type: array + workload_identity_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: WorkloadIdentityLabels controls whether or not specific + WorkloadIdentity resources can be invoked. Further authorization + controls exist on the WorkloadIdentity resource itself. + type: object + workload_identity_labels_expression: + description: WorkloadIdentityLabelsExpression is a predicate expression + used to allow/deny access to issuing a WorkloadIdentity. + type: string type: object options: description: Options is for OpenSSH options like agent forwarding. @@ -2575,9 +2828,7 @@ spec: generation and usage type: boolean port_forwarding: - description: PortForwarding defines if the certificate will have - "permit-port-forwarding" in the certificate. PortForwarding - is "yes" if not set, that's why this is a pointer + description: 'Deprecated: Use SSHPortForwarding instead' type: boolean record_session: description: RecordDesktopSession indicates whether desktop access @@ -2615,6 +2866,26 @@ spec: via SCP or SFTP are allowed over an SSH session. It defaults to true unless explicitly set to false. type: boolean + ssh_port_forwarding: + description: SSHPortForwarding configures what types of SSH port + forwarding are allowed by a role. + nullable: true + properties: + local: + description: Allow local port forwarding. + nullable: true + properties: + enabled: + type: boolean + type: object + remote: + description: Allow remote port forwarding. + nullable: true + properties: + enabled: + type: boolean + type: object + type: object type: object type: object status: 
@@ -2624,16 +2895,8 @@ spec: description: Conditions represent the latest available observations of an object's state items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of the current + state of this API Resource. properties: lastTransitionTime: description: |- @@ -2674,12 +2937,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv6.yaml b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv6.yaml index a0d50c8..5e1ff2a 100644 --- a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv6.yaml 
+++ b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv6.yaml @@ -38,6 +38,17 @@ spec: allow: description: Allow is the set of conditions evaluated to grant access. properties: + account_assignments: + description: AccountAssignments holds the list of account assignments + affected by this condition. + items: + properties: + account: + type: string + permission_set: + type: string + type: object + type: array app_labels: additionalProperties: x-kubernetes-preserve-unknown-fields: true @@ -149,6 +160,18 @@ spec: type: string nullable: true type: array + github_permissions: + description: GitHubPermissions defines GitHub integration related + permissions. + items: + properties: + orgs: + items: + type: string + nullable: true + type: array + type: object + type: array group_labels: additionalProperties: x-kubernetes-preserve-unknown-fields: true @@ -252,7 +275,6 @@ spec: properties: kind: description: Kind specifies the Kubernetes Resource type. - At the moment only "pod" is supported. type: string name: description: Name is the resource name. It supports wildcards. 
@@ -329,12 +351,41 @@ spec: type: string type: object type: array + kubernetes_resources: + description: 'kubernetes_resources can optionally enforce + a requester to request only certain kinds of kube resources. + Eg: Users can make request to either a resource kind "kube_cluster" + or any of its subresources like "namespaces". This field + can be defined such that it prevents a user from requesting + "kube_cluster" and enforce requesting any of its subresources.' + items: + properties: + kind: + description: kind specifies the Kubernetes Resource + type. + type: string + type: object + type: array max_duration: description: MaxDuration is the amount of time the access will be granted for. If this is zero, the default duration is used. format: duration type: string + reason: + description: Reason defines settings for the reason for the + access provided by the user. + nullable: true + properties: + mode: + description: Mode can be either "required" or "optional". + Empty string is treated as "optional". If a role has + the request reason mode set to "required", then reason + is required for all Access Requests requesting roles + or resources allowed by this role. It applies only to + users who have this role assigned. + type: string + type: object roles: description: Roles is the name of roles which will match the request rule. 
@@ -559,11 +610,33 @@ spec: type: string nullable: true type: array + workload_identity_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: WorkloadIdentityLabels controls whether or not specific + WorkloadIdentity resources can be invoked. Further authorization + controls exist on the WorkloadIdentity resource itself. + type: object + workload_identity_labels_expression: + description: WorkloadIdentityLabelsExpression is a predicate expression + used to allow/deny access to issuing a WorkloadIdentity. + type: string type: object deny: description: Deny is the set of conditions evaluated to deny access. Deny takes priority over allow. properties: + account_assignments: + description: AccountAssignments holds the list of account assignments + affected by this condition. + items: + properties: + account: + type: string + permission_set: + type: string + type: object + type: array app_labels: additionalProperties: x-kubernetes-preserve-unknown-fields: true @@ -675,6 +748,18 @@ spec: type: string nullable: true type: array + github_permissions: + description: GitHubPermissions defines GitHub integration related + permissions. + items: + properties: + orgs: + items: + type: string + nullable: true + type: array + type: object + type: array group_labels: additionalProperties: x-kubernetes-preserve-unknown-fields: true @@ -778,7 +863,6 @@ spec: properties: kind: description: Kind specifies the Kubernetes Resource type. - At the moment only "pod" is supported. type: string name: description: Name is the resource name. It supports wildcards. 
@@ -855,12 +939,41 @@ spec: type: string type: object type: array + kubernetes_resources: + description: 'kubernetes_resources can optionally enforce + a requester to request only certain kinds of kube resources. + Eg: Users can make request to either a resource kind "kube_cluster" + or any of its subresources like "namespaces". This field + can be defined such that it prevents a user from requesting + "kube_cluster" and enforce requesting any of its subresources.' + items: + properties: + kind: + description: kind specifies the Kubernetes Resource + type. + type: string + type: object + type: array max_duration: description: MaxDuration is the amount of time the access will be granted for. If this is zero, the default duration is used. format: duration type: string + reason: + description: Reason defines settings for the reason for the + access provided by the user. + nullable: true + properties: + mode: + description: Mode can be either "required" or "optional". + Empty string is treated as "optional". If a role has + the request reason mode set to "required", then reason + is required for all Access Requests requesting roles + or resources allowed by this role. It applies only to + users who have this role assigned. + type: string + type: object roles: description: Roles is the name of roles which will match the request rule. 
@@ -1085,6 +1198,17 @@ spec: type: string nullable: true type: array + workload_identity_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: WorkloadIdentityLabels controls whether or not specific + WorkloadIdentity resources can be invoked. Further authorization + controls exist on the WorkloadIdentity resource itself. + type: object + workload_identity_labels_expression: + description: WorkloadIdentityLabelsExpression is a predicate expression + used to allow/deny access to issuing a WorkloadIdentity. + type: string type: object options: description: Options is for OpenSSH options like agent forwarding. @@ -1234,9 +1358,7 @@ spec: generation and usage type: boolean port_forwarding: - description: PortForwarding defines if the certificate will have - "permit-port-forwarding" in the certificate. PortForwarding - is "yes" if not set, that's why this is a pointer + description: 'Deprecated: Use SSHPortForwarding instead' type: boolean record_session: description: RecordDesktopSession indicates whether desktop access @@ -1274,6 +1396,26 @@ spec: via SCP or SFTP are allowed over an SSH session. It defaults to true unless explicitly set to false. type: boolean + ssh_port_forwarding: + description: SSHPortForwarding configures what types of SSH port + forwarding are allowed by a role. + nullable: true + properties: + local: + description: Allow local port forwarding. + nullable: true + properties: + enabled: + type: boolean + type: object + remote: + description: Allow remote port forwarding. + nullable: true + properties: + enabled: + type: boolean + type: object + type: object type: object type: object status: 
@@ -1283,16 +1425,8 @@ spec: description: Conditions represent the latest available observations of an object's state items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of the current + state of this API Resource. properties: lastTransitionTime: description: |- @@ -1333,12 +1467,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv7.yaml b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv7.yaml index ebf0a0a..fb68240 100644 --- a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv7.yaml 
+++ b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv7.yaml @@ -38,6 +38,17 @@ spec: allow: description: Allow is the set of conditions evaluated to grant access. properties: + account_assignments: + description: AccountAssignments holds the list of account assignments + affected by this condition. + items: + properties: + account: + type: string + permission_set: + type: string + type: object + type: array app_labels: additionalProperties: x-kubernetes-preserve-unknown-fields: true @@ -149,6 +160,18 @@ spec: type: string nullable: true type: array + github_permissions: + description: GitHubPermissions defines GitHub integration related + permissions. + items: + properties: + orgs: + items: + type: string + nullable: true + type: array + type: object + type: array group_labels: additionalProperties: x-kubernetes-preserve-unknown-fields: true @@ -252,7 +275,6 @@ spec: properties: kind: description: Kind specifies the Kubernetes Resource type. - At the moment only "pod" is supported. type: string name: description: Name is the resource name. It supports wildcards. 
@@ -329,12 +351,41 @@ spec: type: string type: object type: array + kubernetes_resources: + description: 'kubernetes_resources can optionally enforce + a requester to request only certain kinds of kube resources. + Eg: Users can make request to either a resource kind "kube_cluster" + or any of its subresources like "namespaces". This field + can be defined such that it prevents a user from requesting + "kube_cluster" and enforce requesting any of its subresources.' + items: + properties: + kind: + description: kind specifies the Kubernetes Resource + type. + type: string + type: object + type: array max_duration: description: MaxDuration is the amount of time the access will be granted for. If this is zero, the default duration is used. format: duration type: string + reason: + description: Reason defines settings for the reason for the + access provided by the user. + nullable: true + properties: + mode: + description: Mode can be either "required" or "optional". + Empty string is treated as "optional". If a role has + the request reason mode set to "required", then reason + is required for all Access Requests requesting roles + or resources allowed by this role. It applies only to + users who have this role assigned. + type: string + type: object roles: description: Roles is the name of roles which will match the request rule. 
@@ -559,11 +610,33 @@ spec: type: string nullable: true type: array + workload_identity_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: WorkloadIdentityLabels controls whether or not specific + WorkloadIdentity resources can be invoked. Further authorization + controls exist on the WorkloadIdentity resource itself. + type: object + workload_identity_labels_expression: + description: WorkloadIdentityLabelsExpression is a predicate expression + used to allow/deny access to issuing a WorkloadIdentity. + type: string type: object deny: description: Deny is the set of conditions evaluated to deny access. Deny takes priority over allow. properties: + account_assignments: + description: AccountAssignments holds the list of account assignments + affected by this condition. + items: + properties: + account: + type: string + permission_set: + type: string + type: object + type: array app_labels: additionalProperties: x-kubernetes-preserve-unknown-fields: true @@ -675,6 +748,18 @@ spec: type: string nullable: true type: array + github_permissions: + description: GitHubPermissions defines GitHub integration related + permissions. + items: + properties: + orgs: + items: + type: string + nullable: true + type: array + type: object + type: array group_labels: additionalProperties: x-kubernetes-preserve-unknown-fields: true @@ -778,7 +863,6 @@ spec: properties: kind: description: Kind specifies the Kubernetes Resource type. - At the moment only "pod" is supported. type: string name: description: Name is the resource name. It supports wildcards. 
@@ -855,12 +939,41 @@ spec: type: string type: object type: array + kubernetes_resources: + description: 'kubernetes_resources can optionally enforce + a requester to request only certain kinds of kube resources. + Eg: Users can make request to either a resource kind "kube_cluster" + or any of its subresources like "namespaces". This field + can be defined such that it prevents a user from requesting + "kube_cluster" and enforce requesting any of its subresources.' + items: + properties: + kind: + description: kind specifies the Kubernetes Resource + type. + type: string + type: object + type: array max_duration: description: MaxDuration is the amount of time the access will be granted for. If this is zero, the default duration is used. format: duration type: string + reason: + description: Reason defines settings for the reason for the + access provided by the user. + nullable: true + properties: + mode: + description: Mode can be either "required" or "optional". + Empty string is treated as "optional". If a role has + the request reason mode set to "required", then reason + is required for all Access Requests requesting roles + or resources allowed by this role. It applies only to + users who have this role assigned. + type: string + type: object roles: description: Roles is the name of roles which will match the request rule. 
@@ -1085,6 +1198,17 @@ spec: type: string nullable: true type: array + workload_identity_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: WorkloadIdentityLabels controls whether or not specific + WorkloadIdentity resources can be invoked. Further authorization + controls exist on the WorkloadIdentity resource itself. + type: object + workload_identity_labels_expression: + description: WorkloadIdentityLabelsExpression is a predicate expression + used to allow/deny access to issuing a WorkloadIdentity. + type: string type: object options: description: Options is for OpenSSH options like agent forwarding. @@ -1234,9 +1358,7 @@ spec: generation and usage type: boolean port_forwarding: - description: PortForwarding defines if the certificate will have - "permit-port-forwarding" in the certificate. PortForwarding - is "yes" if not set, that's why this is a pointer + description: 'Deprecated: Use SSHPortForwarding instead' type: boolean record_session: description: RecordDesktopSession indicates whether desktop access @@ -1274,6 +1396,26 @@ spec: via SCP or SFTP are allowed over an SSH session. It defaults to true unless explicitly set to false. type: boolean + ssh_port_forwarding: + description: SSHPortForwarding configures what types of SSH port + forwarding are allowed by a role. + nullable: true + properties: + local: + description: Allow local port forwarding. + nullable: true + properties: + enabled: + type: boolean + type: object + remote: + description: Allow remote port forwarding. + nullable: true + properties: + enabled: + type: boolean + type: object + type: object type: object type: object status: 
@@ -1283,16 +1425,8 @@ spec: description: Conditions represent the latest available observations of an object's state items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of the current + state of this API Resource. properties: lastTransitionTime: description: |- @@ -1333,12 +1467,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_samlconnectors.yaml b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_samlconnectors.yaml index a443722..c681433 100644 --- a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_samlconnectors.yaml 
+++ b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_samlconnectors.yaml @@ -115,9 +115,52 @@ spec: description: EntityDescriptorURL is a URL that supplies a configuration XML. type: string + force_authn: + description: ForceAuthn specified whether re-authentication should + be forced on login. UNSPECIFIED is treated as NO. + x-kubernetes-int-or-string: true issuer: description: Issuer is the identity provider issuer. type: string + mfa: + description: MFASettings contains settings to enable SSO MFA checks + through this auth connector. + nullable: true + properties: + cert: + description: Cert is the identity provider certificate PEM. IDP + signs `` responses using this certificate. + type: string + enabled: + description: Enabled specified whether this SAML connector supports + MFA checks. Defaults to false. + type: boolean + entity_descriptor: + description: EntityDescriptor is XML with descriptor. It can be + used to supply configuration parameters in one XML file rather + than supplying them in the individual elements. Usually set + from EntityDescriptorUrl. + type: string + entity_descriptor_url: + description: EntityDescriptorUrl is a URL that supplies a configuration + XML. + type: string + force_authn: + description: ForceAuthn specified whether re-authentication should + be forced for MFA checks. UNSPECIFIED is treated as YES to always + re-authentication for MFA checks. This should only be set to + NO if the IdP is setup to perform MFA checks on top of active + user sessions. + x-kubernetes-int-or-string: true + issuer: + description: Issuer is the identity provider issuer. Usually set + from EntityDescriptor. + type: string + sso: + description: SSO is the URL of the identity provider's SSO service. + Usually set from EntityDescriptor. + type: string + type: object provider: description: Provider is the external identity provider. type: string 
@@ -151,16 +194,8 @@ spec: description: Conditions represent the latest available observations of an object's state items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of the current + state of this API Resource. properties: lastTransitionTime: description: |- @@ -201,12 +236,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_trustedclustersv2.yaml b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_trustedclustersv2.yaml new file mode 100644 index 0000000..4cf1410 --- /dev/null +++ b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_trustedclustersv2.yaml 
@@ -0,0 +1,149 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: teleporttrustedclustersv2.resources.teleport.dev +spec: + group: resources.teleport.dev + names: + kind: TeleportTrustedClusterV2 + listKind: TeleportTrustedClusterV2List + plural: teleporttrustedclustersv2 + shortNames: + - trustedclusterv2 + - trustedclustersv2 + singular: teleporttrustedclusterv2 + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: TrustedClusterV2 is the Schema for the trustedclustersv2 API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TrustedCluster resource definition v2 from Teleport + properties: + enabled: + description: Enabled is a bool that indicates if the TrustedCluster + is enabled or disabled. Setting Enabled to false has a side effect + of deleting the user and host certificate authority (CA). + type: boolean + role_map: + description: RoleMap specifies role mappings to remote roles. 
+ items: + properties: + local: + description: Local specifies local roles to map to + items: + type: string + nullable: true + type: array + remote: + description: Remote specifies remote role name to map from + type: string + type: object + type: array + token: + description: Token is the authorization token provided by another + cluster needed by this cluster to join. This field supports secret + lookup. See the operator documentation for more details. + type: string + tunnel_addr: + description: ReverseTunnelAddress is the address of the SSH proxy + server of the cluster to join. If not set, it is derived from `:`. + type: string + web_proxy_addr: + description: ProxyAddress is the address of the web proxy server of + the cluster to join. If not set, it is derived from `:`. + type: string + type: object + status: + description: Status defines the observed state of the Teleport resource + properties: + conditions: + description: Conditions represent the latest available observations + of an object's state + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. 
+ format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + teleportResourceID: + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_users.yaml b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_users.yaml index 0c5221f..0c68b6d 100644 --- a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_users.yaml +++ b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_users.yaml 
@@ -57,6 +57,10 @@ spec: description: SAMLSingleLogoutURL is the SAML Single log-out URL to initiate SAML SLO (single log-out), if applicable. type: string + user_id: + description: UserID is the ID of the identity. Some connectors + like GitHub have an unique ID apart from the username. + type: string username: description: Username is username supplied by external identity provider @@ -76,6 +80,10 @@ spec: description: SAMLSingleLogoutURL is the SAML Single log-out URL to initiate SAML SLO (single log-out), if applicable. type: string + user_id: + description: UserID is the ID of the identity. Some connectors + like GitHub have an unique ID apart from the username. + type: string username: description: Username is username supplied by external identity provider @@ -101,6 +109,10 @@ spec: description: SAMLSingleLogoutURL is the SAML Single log-out URL to initiate SAML SLO (single log-out), if applicable. type: string + user_id: + description: UserID is the ID of the identity. Some connectors + like GitHub have an unique ID apart from the username. + type: string username: description: Username is username supplied by external identity provider 
@@ -137,16 +149,8 @@ spec: description: Conditions represent the latest available observations of an object's state items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of the current + state of this API Resource. properties: lastTransitionTime: description: |- @@ -187,12 +191,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/teleport-cluster/charts/teleport-operator/templates/deployment.yaml b/teleport-cluster/charts/teleport-operator/templates/deployment.yaml index cd6d676..ae0395a 100644 --- a/teleport-cluster/charts/teleport-operator/templates/deployment.yaml +++ b/teleport-cluster/charts/teleport-operator/templates/deployment.yaml 
@@ -4,7 +4,11 @@ kind: Deployment metadata: name: {{ include "teleport-cluster.operator.fullname" . }} namespace: {{ .Release.Namespace }} - labels: {{- include "teleport-cluster.operator.labels" . | nindent 4 }} + labels: + {{- include "teleport-cluster.operator.labels" . | nindent 4 }} + {{- if .Values.labels.deployment }} + {{- toYaml .Values.labels.deployment | nindent 4 }} + {{- end }} {{- if .Values.annotations.deployment }} annotations: {{- toYaml .Values.annotations.deployment | nindent 4 }} {{- end }} @@ -22,7 +26,11 @@ spec: {{- if .Values.annotations.pod }} annotations: {{- toYaml .Values.annotations.pod | nindent 8 }} {{- end }} - labels: {{- include "teleport-cluster.operator.labels" . | nindent 8 }} + labels: + {{- include "teleport-cluster.operator.labels" . | nindent 8 }} + {{- if .Values.labels.pod }} + {{- toYaml .Values.labels.pod | nindent 8 }} + {{- end }} spec: {{- if .Values.nodeSelector }} nodeSelector: {{- toYaml .Values.nodeSelector | nindent 8 }} diff --git a/teleport-cluster/charts/teleport-operator/templates/role.yaml b/teleport-cluster/charts/teleport-operator/templates/role.yaml index 90bf13b..1b7c219 100644 --- a/teleport-cluster/charts/teleport-operator/templates/role.yaml +++ b/teleport-cluster/charts/teleport-operator/templates/role.yaml @@ -36,6 +36,8 @@ rules: - teleportopensshserversv2/status - teleportopenssheiceserversv2 - teleportopenssheiceserversv2/status + - teleporttrustedclustersv2 + - teleporttrustedclustersv2/status verbs: - get - list @@ -65,5 +67,7 @@ rules: - "secrets" verbs: - "get" + - "list" + - "watch" {{- end -}} {{- end -}} diff --git a/teleport-cluster/charts/teleport-operator/tests/deployment_test.yaml b/teleport-cluster/charts/teleport-operator/tests/deployment_test.yaml index 56f8f51..ca261d8 100644 --- a/teleport-cluster/charts/teleport-operator/tests/deployment_test.yaml +++ b/teleport-cluster/charts/teleport-operator/tests/deployment_test.yaml 
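Review bot: The pod-label block in the second deployment.yaml hunk emits `.Values.labels.pod` after the chart's own labels into the same mapping with no conflict handling, so a user-supplied key such as `app.kubernetes.io/name` produces a duplicate YAML key whose winner depends on the consumer's parser. If the Deployment's `spec.selector.matchLabels` is built from the chart labels (outside this hunk), an overriding pod label could make the template stop matching the selector, which the API server rejects. Merging the user map under the chart labels so chart-managed keys win, e.g. `{{- toYaml (merge (include "teleport-cluster.operator.labels" . | fromYaml) .Values.labels.pod) | nindent 8 }}`, or documenting in values.yaml that chart-managed keys must not be overridden, would make the precedence explicit. The same pattern applies to the `labels.deployment` block in the first hunk.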
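Review bot: The second role.yaml hunk widens the operator's namespace-scoped access on `secrets` from `get` to `get`, `list` and `watch`, which lets the service account enumerate and cache every Secret in the release namespace rather than only the ones named in a resource spec. If this is needed for the new trusted-cluster token lookup (the CRD description in this diff says the `token` field supports secret lookup), a comment above the rule stating that, e.g. `# list/watch are needed for secret-backed fields such as the TeleportTrustedClusterV2 token`, would let future reviewers judge whether the grant is still required. Where the operator uses a cached client, restricting its Secret informer to a label selector would keep the RBAC grant from becoming a namespace-wide read of unrelated secrets.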
@@ -59,6 +59,25 @@ tests: path: metadata.annotations.kubernetes\.io/deployment-different value: 3 + - it: sets labels when specified + values: + - ../.lint/labels.yaml + asserts: + # Pod labels + - equal: + path: spec.template.metadata.labels.kubernetes\.io/pod + value: test-label + - equal: + path: spec.template.metadata.labels.kubernetes\.io/pod-different + value: 4 + # Deployment labels + - equal: + path: metadata.labels.kubernetes\.io/deployment + value: test-label + - equal: + path: metadata.labels.kubernetes\.io/deployment-different + value: 3 + - it: should mount tls.existingCASecretName and set environment when set in values values: - ../.lint/existing-tls-ca.yaml diff --git a/teleport-cluster/charts/teleport-operator/tests/role_test.yaml b/teleport-cluster/charts/teleport-operator/tests/role_test.yaml index 3cbb290..4ae5d4b 100644 --- a/teleport-cluster/charts/teleport-operator/tests/role_test.yaml +++ b/teleport-cluster/charts/teleport-operator/tests/role_test.yaml @@ -49,4 +49,4 @@ tests: content: apiGroups: [""] resources: ["secrets"] - verbs: ["get"] \ No newline at end of file + verbs: ["get", "list", "watch"] \ No newline at end of file diff --git a/teleport-cluster/charts/teleport-operator/values.yaml b/teleport-cluster/charts/teleport-operator/values.yaml index f576b26..f96b8ec 100644 --- a/teleport-cluster/charts/teleport-operator/values.yaml +++ b/teleport-cluster/charts/teleport-operator/values.yaml @@ -28,8 +28,8 @@ installCRDs: "dynamic" teleportAddress: "" # caPins(list[string]) -- is a list of Teleport CA fingerprints that is used by the operator to -# validate the identity of the Teleport Auth server. This is only used when joining -# an Auth server directly (on port `3025`) and is ignored when joining through a Proxy +# validate the identity of the Teleport Auth Service. This is only used when joining +# an Auth Service directly (on port `3025`) and is ignored when joining through a Proxy # (port `443` or `3080`). caPins: [] 
@@ -89,6 +89,15 @@ annotations: # put on the `Deployment` resource created by the chart. serviceAccount: {} +# annotations -- +labels: + # labels.deployment(object) -- contains the Kubernetes labels + # put on the `Deployment` resource created by the chart. + deployment: {} + # labels.pod(object) -- contains the Kubernetes labels + # put on the `Pod` resources created by the chart. + pod: {} + # serviceAccount -- serviceAccount: # serviceAccount.create(bool) -- controls if the chart should create the Kubernetes diff --git a/teleport-cluster/templates/_helpers.tpl b/teleport-cluster/templates/_helpers.tpl index 92b8fc0..7e2f4de 100644 --- a/teleport-cluster/templates/_helpers.tpl +++ b/teleport-cluster/templates/_helpers.tpl 
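Review bot: The helm-docs header added above the new `labels:` key reads `# annotations --`, which looks copied from the preceding `annotations` block and will document the wrong key in generated docs; it should read `# labels --`. A short description would also match the other top-level keys, e.g. `# labels -- contains additional Kubernetes labels to put on resources created by the chart.`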
@@ -6,10 +6,48 @@ if serviceAccount is not defined or serviceAccount.name is empty, use .Release.N {{- coalesce .Values.serviceAccount.name .Release.Name -}} {{- end -}} +{{/* +Create the name of the service account to use in the auth config check hook. + +If the chart is creating service accounts, we know we can create new arbitrary service accounts. +We cannot reuse the same name as the deployment SA because the non-hook service account might +not exist yet. We tried being smart with hooks but ArgoCD doesn't differentiate between install +and upgrade, causing various issues on update and eventually forcing us to use a separate SA. + +If the chart is not creating service accounts, for backward compatibility we don't want +to force new service account names to existing chart users. We know the SA should already exist, +so we can use the same SA for deployments and hooks. +*/}} +{{- define "teleport-cluster.auth.hookServiceAccountName" -}} +{{- include "teleport-cluster.auth.serviceAccountName" . -}} +{{- if .Values.serviceAccount.create -}} +-hook +{{- end -}} +{{- end -}} + {{- define "teleport-cluster.proxy.serviceAccountName" -}} {{- coalesce .Values.serviceAccount.name .Release.Name -}}-proxy {{- end -}} +{{/* +Create the name of the service account to use in the proxy config check hook. + +If the chart is creating service accounts, we know we can create new arbitrary service accounts. +We cannot reuse the same name as the deployment SA because the non-hook service account might +not exist yet. We tried being smart with hooks but ArgoCD doesn't differentiate between install +and upgrade, causing various issues on update and eventually forcing us to use a separate SA. + +If the chart is not creating service accounts, for backward compatibility we don't want +to force new service account names to existing chart users. We know the SA should already exist, +so we can use the same SA for deployments and hooks. 
+*/}} +{{- define "teleport-cluster.proxy.hookServiceAccountName" -}} +{{- include "teleport-cluster.proxy.serviceAccountName" . -}} +{{- if .Values.serviceAccount.create -}} +-hook +{{- end -}} +{{- end -}} + {{- define "teleport-cluster.version" -}} {{- coalesce .Values.teleportVersionOverride .Chart.Version }} {{- end -}} diff --git a/teleport-cluster/templates/auth/config.yaml b/teleport-cluster/templates/auth/config.yaml index 99fe59e..d1c4bff 100644 --- a/teleport-cluster/templates/auth/config.yaml +++ b/teleport-cluster/templates/auth/config.yaml @@ -131,6 +131,14 @@ data: - read - update - delete + - resources: + - trusted_cluster + verbs: + - list + - create + - read + - update + - delete deny: {} version: v7 --- diff --git a/teleport-cluster/templates/auth/deployment.yaml b/teleport-cluster/templates/auth/deployment.yaml index 7dc0901..aee44b6 100644 --- a/teleport-cluster/templates/auth/deployment.yaml +++ b/teleport-cluster/templates/auth/deployment.yaml @@ -266,7 +266,7 @@ spec: {{- if $auth.enterprise }} - name: license secret: - secretName: "license" + secretName: {{ $auth.licenseSecretName | quote }} {{- end }} {{- if and ($auth.gcp.credentialSecretName) (eq $auth.chartMode "gcp") }} - name: gcp-credentials diff --git a/teleport-cluster/templates/auth/predeploy_job.yaml b/teleport-cluster/templates/auth/predeploy_job.yaml index a8edf70..c557c71 100644 --- a/teleport-cluster/templates/auth/predeploy_job.yaml +++ b/teleport-cluster/templates/auth/predeploy_job.yaml @@ -17,6 +17,12 @@ metadata: spec: backoffLimit: 1 template: + metadata: + labels: + {{- include "teleport-cluster.auth.labels" . | nindent 8 }} + {{- if $auth.extraLabels.jobPod }} + {{- toYaml $auth.extraLabels.jobPod | nindent 8 }} + {{- end }} spec: {{- if $auth.affinity }} affinity: {{- toYaml $auth.affinity | nindent 8 }} 
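Review bot: `teleport-cluster.auth.hookServiceAccountName` decides whether to append `-hook` from `.Values.serviceAccount.create`, while the new auth/predeploy_serviceaccount.yaml template creates the hook ServiceAccount only when `$auth.serviceAccount.create` is true, where `$auth` is `.Values` merged with `.Values.auth`. If the chart honors a per-component override such as `auth.serviceAccount.create: false` with the top-level value left at `true`, the job would reference `<name>-hook` and no ServiceAccount of that name would be created, so the hook pod could not start. Reading the same merged value in both places, or documenting that only the top-level `serviceAccount.create` is consulted, would remove the mismatch; `teleport-cluster.proxy.hookServiceAccountName` has the same asymmetry with proxy/predeploy_serviceaccount.yaml. The explanatory comment above each helper is duplicated verbatim and could be written once with the second helper referring to it.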
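Review bot: The new `trusted_cluster` rule in auth/config.yaml gives the operator's Teleport role create, update and delete on trusted clusters, which means a compromised operator identity could join this cluster to an external root cluster and accept its role mappings; that is a materially larger blast radius than the other resources in this allow list. Since the rule is rendered unconditionally here, a comment naming why it exists, `# required to reconcile TeleportTrustedClusterV2 resources`, and a note in the chart docs that enabling the operator now implies this grant would make the privilege visible to anyone reviewing the rendered role. Whether the grant can be gated on a value is a design question for the chart maintainers; the enclosing role definition starts outside the hunk.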
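Review bot: The auth pre-deploy Job pod now carries the full `teleport-cluster.auth.labels` set, which is presumably the same set the auth Service and Deployment select on (those templates are outside this diff). If so, a running pre-deploy pod would be added as a Service endpoint and counted by any PodDisruptionBudget or NetworkPolicy that selects on those labels, even though it never serves traffic. Confirm that those selectors use a narrower label set than the one included here, or emit only the non-selector labels on the job pod; the matching hunk in proxy/predeploy_job.yaml has the same concern.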
@@ -36,7 +42,7 @@ spec: {{- if $auth.resources }} resources: {{- toYaml $auth.resources | nindent 10 }} -{{- end }} +{{- end }} {{- if or $auth.extraEnv $auth.tls.existingCASecretName }} env: {{- if (gt (len $auth.extraEnv) 0) }} @@ -84,7 +90,7 @@ spec: {{- if .Values.enterprise }} - name: license secret: - secretName: "license" + secretName: {{ .Values.licenseSecretName | quote }} {{- end }} {{- if and (.Values.gcp.credentialSecretName) (eq .Values.chartMode "gcp") }} - name: gcp-credentials @@ -104,4 +110,5 @@ spec: {{- if .Values.extraVolumes }} {{- toYaml .Values.extraVolumes | nindent 6 }} {{- end }} + serviceAccountName: {{ include "teleport-cluster.auth.hookServiceAccountName" . }} {{- end }} diff --git a/teleport-cluster/templates/auth/predeploy_serviceaccount.yaml b/teleport-cluster/templates/auth/predeploy_serviceaccount.yaml new file mode 100644 index 0000000..893078f --- /dev/null +++ b/teleport-cluster/templates/auth/predeploy_serviceaccount.yaml 
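Review bot: The license volume in the second hunk reads `.Values.licenseSecretName`, whereas the auth Deployment hunk in auth/deployment.yaml reads `$auth.licenseSecretName`, which is `.Values` merged with `.Values.auth`. A user who sets `auth.licenseSecretName` would get the custom secret mounted in the Deployment but the default `license` secret in the pre-deploy job, and the job would fail on a missing secret. Using `secretName: {{ $auth.licenseSecretName | quote }}` here keeps the two in step; the enclosing `{{- if .Values.enterprise }}` condition likely deserves the same treatment, though it starts outside the hunk.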
@@ -0,0 +1,34 @@ +# this is a carbon copy of the regular serviceAccount object which is only used to run pre-deploy jobs +# upon first install of the chart. it will be deleted by Helm after the pre-deploy hooks run, then the +# regular serviceAccount is created with the same name and exists for the lifetime of the release. +{{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}} +{{- if $auth.validateConfigOnDeploy }} +{{- $projectedServiceAccountToken := semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} +{{- if $auth.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "teleport-cluster.auth.hookServiceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "teleport-cluster.auth.labels" . | nindent 4 }} + {{- if $auth.extraLabels.serviceAccount }} + {{- toYaml $auth.extraLabels.serviceAccount | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "3" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + {{- if or $auth.annotations.serviceAccount $auth.azure.clientID }} + {{- if $auth.annotations.serviceAccount }} + {{- toYaml $auth.annotations.serviceAccount | nindent 4 }} + {{- end }} + {{- if $auth.azure.clientID }} + azure.workload.identity/client-id: "{{ $auth.azure.clientID }}" + {{- end }} + {{- end -}} +{{- if $projectedServiceAccountToken }} +automountServiceAccountToken: false +{{- end }} +{{- end }} +{{- end }} diff --git a/teleport-cluster/templates/proxy/predeploy_job.yaml b/teleport-cluster/templates/proxy/predeploy_job.yaml index a0d8547..4484d9c 100644 --- a/teleport-cluster/templates/proxy/predeploy_job.yaml +++ b/teleport-cluster/templates/proxy/predeploy_job.yaml 
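Review bot: The header comment says the hook ServiceAccount is a copy of the regular one that is deleted before the regular one "is created with the same name", but the template names it via `teleport-cluster.auth.hookServiceAccountName`, which appends `-hook` precisely so the two names differ; the comment should be updated, e.g. `# ServiceAccount used only by the pre-deploy config-check Job; it is named <sa>-hook so it can coexist with the regular ServiceAccount and is removed once the hook succeeds.` The same stale comment is in proxy/predeploy_serviceaccount.yaml. No RoleBinding for the hook ServiceAccount appears in this diff, so if the pre-deploy Job needs API access beyond mounted ConfigMaps and Secrets, confirm a binding exists for it. `automountServiceAccountToken: false` is a sound default here; check that the Job pod does not rely on an auto-mounted token.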
@@ -17,6 +17,12 @@ metadata: spec: backoffLimit: 1 template: + metadata: + labels: + {{- include "teleport-cluster.proxy.labels" . | nindent 8 }} + {{- if $proxy.extraLabels.jobPod }} + {{- toYaml $proxy.extraLabels.jobPod | nindent 8 }} + {{- end }} spec: {{- if $proxy.affinity }} affinity: {{- toYaml $proxy.affinity | nindent 8 }} @@ -100,4 +106,5 @@ spec: {{- if $proxy.extraVolumes }} {{- toYaml $proxy.extraVolumes | nindent 6 }} {{- end }} + serviceAccountName: {{ include "teleport-cluster.proxy.hookServiceAccountName" . }} {{- end }} diff --git a/teleport-cluster/templates/proxy/predeploy_serviceaccount.yaml b/teleport-cluster/templates/proxy/predeploy_serviceaccount.yaml new file mode 100644 index 0000000..6c5b9a4 --- /dev/null +++ b/teleport-cluster/templates/proxy/predeploy_serviceaccount.yaml 
@@ -0,0 +1,29 @@ +# this is a carbon copy of the regular serviceAccount object which is only used to run pre-deploy jobs +# upon first install of the chart. it will be deleted by Helm after the pre-deploy hooks run, then the +# regular serviceAccount is created with the same name and exists for the lifetime of the release. +{{- $proxy := mustMergeOverwrite (mustDeepCopy .Values) .Values.proxy -}} +{{- $projectedServiceAccountToken := semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} +{{- if $proxy.validateConfigOnDeploy }} +{{- if $proxy.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "teleport-cluster.proxy.hookServiceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "teleport-cluster.proxy.labels" . | nindent 4 }} + {{- if $proxy.extraLabels.serviceAccount }} + {{- toYaml $proxy.extraLabels.serviceAccount | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "3" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +{{- if $proxy.annotations.serviceAccount }} + {{- toYaml $proxy.annotations.serviceAccount | nindent 4 }} +{{- end -}} +{{- if $projectedServiceAccountToken }} +automountServiceAccountToken: false +{{- end }} +{{- end }} +{{- end }} diff --git a/teleport-cluster/tests/__snapshot__/auth_clusterrole_test.yaml.snap b/teleport-cluster/tests/__snapshot__/auth_clusterrole_test.yaml.snap index a1aff5a..e9c9f47 100644 --- a/teleport-cluster/tests/__snapshot__/auth_clusterrole_test.yaml.snap +++ b/teleport-cluster/tests/__snapshot__/auth_clusterrole_test.yaml.snap 
@@ -8,9 +8,9 @@ adds operator permissions to ClusterRole: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: teleport-cluster - app.kubernetes.io/version: 16.4.6 - helm.sh/chart: teleport-cluster-16.4.6 - teleport.dev/majorVersion: "16" + app.kubernetes.io/version: 17.2.7 + helm.sh/chart: teleport-cluster-17.2.7 + teleport.dev/majorVersion: "17" name: RELEASE-NAME rules: - apiGroups: diff --git a/teleport-cluster/tests/__snapshot__/auth_config_test.yaml.snap b/teleport-cluster/tests/__snapshot__/auth_config_test.yaml.snap index ecf6965..2c775df 100644 --- a/teleport-cluster/tests/__snapshot__/auth_config_test.yaml.snap +++ b/teleport-cluster/tests/__snapshot__/auth_config_test.yaml.snap @@ -1848,9 +1848,9 @@ sets clusterDomain on Configmap: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: teleport-cluster - app.kubernetes.io/version: 16.4.6 - helm.sh/chart: teleport-cluster-16.4.6 - teleport.dev/majorVersion: "16" + app.kubernetes.io/version: 17.2.7 + helm.sh/chart: teleport-cluster-17.2.7 + teleport.dev/majorVersion: "17" name: RELEASE-NAME-auth namespace: NAMESPACE uses athena as primary backend when configured: diff --git a/teleport-cluster/tests/__snapshot__/auth_deployment_test.yaml.snap b/teleport-cluster/tests/__snapshot__/auth_deployment_test.yaml.snap index 9d5cb72..8cd89fa 100644 --- a/teleport-cluster/tests/__snapshot__/auth_deployment_test.yaml.snap +++ b/teleport-cluster/tests/__snapshot__/auth_deployment_test.yaml.snap @@ -8,7 +8,7 @@ - args: - --diag-addr=0.0.0.0:3000 - --apply-on-startup=/etc/teleport/apply-on-startup.yaml - image: public.ecr.aws/gravitational/teleport-distroless:16.4.6 + image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 imagePullPolicy: IfNotPresent lifecycle: preStop: 
@@ -141,7 +141,7 @@ should set nodeSelector when set in values: - args: - --diag-addr=0.0.0.0:3000 - --apply-on-startup=/etc/teleport/apply-on-startup.yaml - image: public.ecr.aws/gravitational/teleport-distroless:16.4.6 + image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -238,7 +238,7 @@ should set resources when set in values: - args: - --diag-addr=0.0.0.0:3000 - --apply-on-startup=/etc/teleport/apply-on-startup.yaml - image: public.ecr.aws/gravitational/teleport-distroless:16.4.6 + image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -324,7 +324,7 @@ should set securityContext when set in values: - args: - --diag-addr=0.0.0.0:3000 - --apply-on-startup=/etc/teleport/apply-on-startup.yaml - image: public.ecr.aws/gravitational/teleport-distroless:16.4.6 + image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/teleport-cluster/tests/__snapshot__/proxy_config_test.yaml.snap b/teleport-cluster/tests/__snapshot__/proxy_config_test.yaml.snap index 792468b..0e62a2a 100644 --- a/teleport-cluster/tests/__snapshot__/proxy_config_test.yaml.snap +++ b/teleport-cluster/tests/__snapshot__/proxy_config_test.yaml.snap @@ -567,8 +567,8 @@ sets clusterDomain on Configmap: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: teleport-cluster - app.kubernetes.io/version: 16.4.6 - helm.sh/chart: teleport-cluster-16.4.6 - teleport.dev/majorVersion: "16" + app.kubernetes.io/version: 17.2.7 + helm.sh/chart: teleport-cluster-17.2.7 + teleport.dev/majorVersion: "17" name: RELEASE-NAME-proxy namespace: NAMESPACE diff --git a/teleport-cluster/tests/__snapshot__/proxy_deployment_test.yaml.snap b/teleport-cluster/tests/__snapshot__/proxy_deployment_test.yaml.snap index dfcf643..845b369 100644 
--- a/teleport-cluster/tests/__snapshot__/proxy_deployment_test.yaml.snap +++ b/teleport-cluster/tests/__snapshot__/proxy_deployment_test.yaml.snap @@ -11,9 +11,9 @@ sets clusterDomain on Deployment Pods: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: teleport-cluster - app.kubernetes.io/version: 16.4.6 - helm.sh/chart: teleport-cluster-16.4.6 - teleport.dev/majorVersion: "16" + app.kubernetes.io/version: 17.2.7 + helm.sh/chart: teleport-cluster-17.2.7 + teleport.dev/majorVersion: "17" name: RELEASE-NAME-proxy namespace: NAMESPACE spec: @@ -26,7 +26,7 @@ sets clusterDomain on Deployment Pods: template: metadata: annotations: - checksum/config: 87177e0131f696376c17d797df17be252ebdc247a7f84bb05b7a5680ebcd205c + checksum/config: 788cc751f0c48b48415714a674bdb771ba9a079091aa0bbe737447df2f94ec58 kubernetes.io/pod: test-annotation kubernetes.io/pod-different: 4 labels: @@ -34,9 +34,9 @@ sets clusterDomain on Deployment Pods: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: teleport-cluster - app.kubernetes.io/version: 16.4.6 - helm.sh/chart: teleport-cluster-16.4.6 - teleport.dev/majorVersion: "16" + app.kubernetes.io/version: 17.2.7 + helm.sh/chart: teleport-cluster-17.2.7 + teleport.dev/majorVersion: "17" spec: affinity: podAntiAffinity: null @@ -44,7 +44,7 @@ sets clusterDomain on Deployment Pods: containers: - args: - --diag-addr=0.0.0.0:3000 - image: public.ecr.aws/gravitational/teleport-distroless:16.4.6 + image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 imagePullPolicy: IfNotPresent lifecycle: preStop: 
@@ -104,8 +104,8 @@ sets clusterDomain on Deployment Pods: - teleport - wait - no-resolve - - RELEASE-NAME-auth-v15.NAMESPACE.svc.test.com - image: public.ecr.aws/gravitational/teleport-distroless:16.4.6 + - RELEASE-NAME-auth-v16.NAMESPACE.svc.test.com + image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 name: wait-auth-update serviceAccountName: RELEASE-NAME-proxy terminationGracePeriodSeconds: 60 @@ -136,8 +136,8 @@ should provision initContainer correctly when set in values: - teleport - wait - no-resolve - - RELEASE-NAME-auth-v15.NAMESPACE.svc.cluster.local - image: public.ecr.aws/gravitational/teleport-distroless:16.4.6 + - RELEASE-NAME-auth-v16.NAMESPACE.svc.cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 name: wait-auth-update resources: limits: @@ -201,7 +201,7 @@ should set nodeSelector when set in values: containers: - args: - --diag-addr=0.0.0.0:3000 - image: public.ecr.aws/gravitational/teleport-distroless:16.4.6 + image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -261,8 +261,8 @@ should set nodeSelector when set in values: - teleport - wait - no-resolve - - RELEASE-NAME-auth-v15.NAMESPACE.svc.cluster.local - image: public.ecr.aws/gravitational/teleport-distroless:16.4.6 + - RELEASE-NAME-auth-v16.NAMESPACE.svc.cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 name: wait-auth-update nodeSelector: environment: security @@ -313,7 +313,7 @@ should set resources for wait-auth-update initContainer when set in values: containers: - args: - --diag-addr=0.0.0.0:3000 - image: public.ecr.aws/gravitational/teleport-distroless:16.4.6 + image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 imagePullPolicy: IfNotPresent lifecycle: preStop: 
@@ -380,8 +380,8 @@ should set resources for wait-auth-update initContainer when set in values: - teleport - wait - no-resolve - - RELEASE-NAME-auth-v15.NAMESPACE.svc.cluster.local - image: public.ecr.aws/gravitational/teleport-distroless:16.4.6 + - RELEASE-NAME-auth-v16.NAMESPACE.svc.cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 name: wait-auth-update resources: limits: @@ -421,7 +421,7 @@ should set resources when set in values: containers: - args: - --diag-addr=0.0.0.0:3000 - image: public.ecr.aws/gravitational/teleport-distroless:16.4.6 + image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -488,8 +488,8 @@ should set resources when set in values: - teleport - wait - no-resolve - - RELEASE-NAME-auth-v15.NAMESPACE.svc.cluster.local - image: public.ecr.aws/gravitational/teleport-distroless:16.4.6 + - RELEASE-NAME-auth-v16.NAMESPACE.svc.cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 name: wait-auth-update resources: limits: @@ -529,7 +529,7 @@ should set securityContext for initContainers when set in values: containers: - args: - --diag-addr=0.0.0.0:3000 - image: public.ecr.aws/gravitational/teleport-distroless:16.4.6 + image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -596,8 +596,8 @@ should set securityContext for initContainers when set in values: - teleport - wait - no-resolve - - RELEASE-NAME-auth-v15.NAMESPACE.svc.cluster.local - image: public.ecr.aws/gravitational/teleport-distroless:16.4.6 + - RELEASE-NAME-auth-v16.NAMESPACE.svc.cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 name: wait-auth-update securityContext: allowPrivilegeEscalation: false 
@@ -637,7 +637,7 @@ should set securityContext when set in values: containers: - args: - --diag-addr=0.0.0.0:3000 - image: public.ecr.aws/gravitational/teleport-distroless:16.4.6 + image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -704,8 +704,8 @@ should set securityContext when set in values: - teleport - wait - no-resolve - - RELEASE-NAME-auth-v15.NAMESPACE.svc.cluster.local - image: public.ecr.aws/gravitational/teleport-distroless:16.4.6 + - RELEASE-NAME-auth-v16.NAMESPACE.svc.cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 name: wait-auth-update securityContext: allowPrivilegeEscalation: false diff --git a/teleport-cluster/tests/auth_deployment_test.yaml b/teleport-cluster/tests/auth_deployment_test.yaml index 6f15854..49946a9 100644 --- a/teleport-cluster/tests/auth_deployment_test.yaml +++ b/teleport-cluster/tests/auth_deployment_test.yaml @@ -215,6 +215,30 @@ tests: secret: secretName: license + - it: should use enterprise image and mount license with custom secret name when enterprise is set in values + template: auth/deployment.yaml + set: + clusterName: helm-lint.example.com + enterprise: true + licenseSecretName: enterprise-license + teleportVersionOverride: 12.2.1 + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: public.ecr.aws/gravitational/teleport-ent-distroless:12.2.1 + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /var/lib/license + name: "license" + readOnly: true + - contains: + path: spec.template.spec.volumes + content: + name: license + secret: + secretName: enterprise-license + - it: should use OSS image and not mount license when enterprise is not set in values template: auth/deployment.yaml set: diff --git a/teleport-cluster/tests/predeploy_test.yaml b/teleport-cluster/tests/predeploy_test.yaml index 50a1bdb..7481cae 100644 --- a/teleport-cluster/tests/predeploy_test.yaml 
+++ b/teleport-cluster/tests/predeploy_test.yaml @@ -2,8 +2,10 @@ suite: Pre-Deploy Config Test Hooks templates: - auth/predeploy_job.yaml - auth/predeploy_config.yaml + - auth/predeploy_serviceaccount.yaml - proxy/predeploy_job.yaml - proxy/predeploy_config.yaml + - proxy/predeploy_serviceaccount.yaml tests: - it: Deploys the auth-test config template: auth/predeploy_config.yaml @@ -53,6 +55,7 @@ tests: asserts: - hasDocuments: count: 0 + - it: should set resources on auth predeploy job when set in values template: auth/predeploy_job.yaml values: @@ -130,6 +133,26 @@ tests: path: metadata.labels.baz value: overridden + - it: should set extraLabels.jobPod on auth predeploy job when set in values + template: auth/predeploy_job.yaml + set: + clusterName: helm-lint + extraLabels: + jobPod: + foo: bar + baz: override-me + auth: + extraLabels: + jobPod: + baz: overridden + asserts: + - equal: + path: spec.template.metadata.labels.foo + value: bar + - equal: + path: spec.template.metadata.labels.baz + value: overridden + - it: should set extraLabels on auth predeploy config when set in values template: auth/predeploy_config.yaml set: @@ -149,6 +172,7 @@ tests: - equal: path: metadata.labels.baz value: overridden + - it: should set extraLabels on proxy predeploy job when set in values template: proxy/predeploy_job.yaml set: @@ -169,6 +193,26 @@ tests: path: metadata.labels.baz value: overridden + - it: should set extraLabels.jobPod on proxy predeploy job when set in values + template: proxy/predeploy_job.yaml + set: + clusterName: helm-lint + extraLabels: + jobPod: + foo: bar + baz: override-me + proxy: + extraLabels: + jobPod: + baz: overridden + asserts: + - equal: + path: spec.template.metadata.labels.foo + value: bar + - equal: + path: spec.template.metadata.labels.baz + value: overridden + - it: should set extraLabels on proxy predeploy config when set in values template: proxy/predeploy_config.yaml set: 
@@ -188,3 +232,67 @@ tests: - equal: path: metadata.labels.baz value: overridden + + - it: should use default serviceAccount name suffixed with -hook for auth predeploy job SA when not set in values and we're creating SAs + template: auth/predeploy_job.yaml + set: + clusterName: helm-lint + asserts: + - equal: + path: spec.template.spec.serviceAccountName + value: RELEASE-NAME-hook + + - it: should use serviceAccount.name suffixed with -hook for auth predeploy job SA when set in values and we're creating SAs + template: auth/predeploy_job.yaml + set: + clusterName: helm-lint + serviceAccount: + name: helm-test-sa + asserts: + - equal: + path: spec.template.spec.serviceAccountName + value: helm-test-sa-hook + + - it: should use serviceAccount.name for auth predeploy job SA when set in values and we're not creating SAs + template: auth/predeploy_job.yaml + set: + clusterName: helm-lint + serviceAccount: + name: helm-test-sa + create: false + asserts: + - equal: + path: spec.template.spec.serviceAccountName + value: helm-test-sa + + - it: should use default serviceAccount name suffixed with -hook for proxy predeploy job SA when not set in values and we're creating SAs + template: proxy/predeploy_job.yaml + set: + clusterName: helm-lint + asserts: + - equal: + path: spec.template.spec.serviceAccountName + value: RELEASE-NAME-proxy-hook + + - it: should use serviceAccount.name suffixed with -hook for proxy predeploy job SA when set in values and we're creating SAs + template: proxy/predeploy_job.yaml + set: + clusterName: helm-lint + serviceAccount: + name: helm-test-sa + asserts: + - equal: + path: spec.template.spec.serviceAccountName + value: helm-test-sa-proxy-hook + + - it: should use serviceAccount.name for proxy predeploy job SA when set in values and we're not creating SAs + template: proxy/predeploy_job.yaml + set: + clusterName: helm-lint + serviceAccount: + name: helm-test-sa + create: false + asserts: + - equal: + path: spec.template.spec.serviceAccountName 
+ value: helm-test-sa-proxy diff --git a/teleport-cluster/values.home.yaml b/teleport-cluster/values.home.yaml index c94313d..602b946 100644 --- a/teleport-cluster/values.home.yaml +++ b/teleport-cluster/values.home.yaml 
@@ -1,21 +1,70 @@ +################################################## +# Values that must always be provided by the user. +################################################## + clusterName: "teleport.ervine.cloud" kubeClusterName: "homeK8s" + +################################################## +# Values that you may need to change. +################################################## + proxyListenerMode: "multiplex" operator: enabled: true + image: public.ecr.aws/gravitational/teleport-operator + resources: {} + # requests: + # cpu: "0.5" + # memory: "1Gi" + # limits: + # memory: "1Gi" + joinMethod: "kubernetes" + token: "teleport-operator" + # This is needed to have a sensible name and predictable service account name. + nameOverride: operator + podSecurityPolicy: enabled: false podMonitor: enabled: true additionalLabels: prometheus: k8s + +###################################################################### +# Persistence settings (only used in "standalone" and "scratch" modes) +# NOTE: Changes in Kubernetes 1.23+ mean that persistent volumes will not automatically be provisioned in AWS EKS clusters +# without additional configuration. See https://docs.aws.amazon.com/eks/latest/userguide/ebs-csi.html for more details. +# This driver addon must be configured to use persistent volumes in EKS clusters after Kubernetes 1.23. +###################################################################### +persistence: + # Enable persistence using a PersistentVolumeClaim + enabled: true + # Leave blank to automatically create a PersistentVolumeClaim for Teleport storage. + # If you would like to use a pre-existing PersistentVolumeClaim, put its name here. + existingClaimName: "" + # Size of persistent volume to request when created by Teleport. + # Ignored if existingClaimName is provided. 
+ volumeSize: 10Gi + highAvailability: + replicaCount: 2 + requireAntiAffinity: true + # If enabled will create a Pod Disruption Budget + podDisruptionBudget: + enabled: false + minAvailable: 1 certManager: enabled: true addCommonName: false addPublicAddrs: false issuerName: "letsencrypt-prod" issuerKind: ClusterIssuer + +################################## +# Extra Kubernetes configuration # +################################## + annotations: ingress: kubernetes.io/ingress.class: nginx diff --git a/teleport-cluster/values.schema.json b/teleport-cluster/values.schema.json index 2c4a6da..6e3796c 100644 --- a/teleport-cluster/values.schema.json +++ b/teleport-cluster/values.schema.json @@ -286,6 +286,11 @@ "type": "boolean", "default": false }, + "licenseSecretName": { + "$id": "#/properties/licenseSecretName", + "type": "string", + "default": "license" + }, "installCRDs": { "$id": "#/properties/installCRDs", "type": "boolean" diff --git a/teleport-cluster/values.yaml b/teleport-cluster/values.yaml index 20e9171..071801a 100644 --- a/teleport-cluster/values.yaml +++ b/teleport-cluster/values.yaml @@ -61,7 +61,8 @@ teleportVersionOverride: "" # For example: # # auth: -# postStart: ["curl", "http://hook"] +# postStart: +# command: ["curl", "http://hook"] # imagePullPolicy: Always auth: # auth.teleportConfig contains YAML teleport configuration for auth pods @@ -84,7 +85,8 @@ auth: # This is merged with chart-scoped values and takes precedence in case of conflict. # For example: # proxy: -# postStart: ["curl", "http://hook"] +# postStart: +# command: ["curl", "http://hook"] # imagePullPolicy: Always # annotations: # service: 
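Review bot: The new `operator:` block in values.home.yaml restates chart defaults rather than overriding them: `joinMethod: "kubernetes"`, `token: "teleport-operator"`, `nameOverride: operator` and its comment match the context lines of the `@@ -266,7 +269,7 @@` hunk in values.yaml further down, and `image`/`resources` look like copies of the same stanza. Duplicating defaults in a user values file means a later chart change (a new operator image repository, a renamed join token) is silently masked by this file, and the block's `token` value now has to be kept in sync by hand. Keeping only `enabled: true` under `operator:` — plus any value that genuinely differs from the chart — would make the actual overrides auditable at a glance.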
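Review bot: The new `licenseSecretName` schema entry constrains only the type, so an empty string passes `helm lint` and presumably reaches the templates as a Secret reference with no name; adding `"minLength": 1` beside `"type": "string"` turns that misconfiguration into a lint error. The `"default": "license"` here also repeats the literal written as `licenseSecretName: "license"` in the `@@ -245,7 +247,8 @@` values.yaml hunk; when one side is edited the schema default is the one that goes stale unnoticed, so a comment in values.yaml naming the schema entry as the other copy would help the next editor.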
@@ -179,7 +181,7 @@ authentication: proxyListenerMode: "separate" # Optional setting for configuring session recording. -# See `session_recording` under https://goteleport.com/docs/setup/reference/config/#teleportyaml +# See `session_recording` under https://goteleport.com/docs/reference/config/#auth-service sessionRecording: "" # By default, Teleport will multiplex Postgres and MongoDB database connections on the same port as the proxy's web listener (443) @@ -245,7 +247,8 @@ acmeURI: "" # You will need to download your Enterprise license from the Teleport dashboard and create a secret to use this: # kubectl -n ${TELEPORT_NAMESPACE?} create secret generic license --from-file=/path/to/downloaded/license.pem enterprise: false - +# Override default Enterprise license name +licenseSecretName: "license" # CRDs are installed by default when the operator is enabled. This manual override allows to disable CRD installation # when deploying multiple releases in the same cluster. # installCRDs: @@ -266,7 +269,7 @@ operator: # memory: "1Gi" joinMethod: "kubernetes" token: "teleport-operator" - # This is needed to have a sensible name and predictible service account name. + # This is needed to have a sensible name and predictable service account name. nameOverride: operator # If true, create & use Pod Security Policy resources 
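Review bot: The added `licenseSecretName: "license"` line takes the place of the blank line that separated the license settings from the CRD settings, so `# Override default Enterprise license name` and `# CRDs are installed by default ...` now read as one unbroken stanza; restoring a blank line after `licenseSecretName` keeps the two blocks apart. The `kubectl ... create secret generic license --from-file=...` example just above still hard-codes the name `license`, and nothing tells the reader the two must agree; a comment such as `# Name of the Kubernetes Secret holding the Enterprise license. Must match the name used in the kubectl command above.` would make the coupling explicit.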
@@ -565,17 +568,13 @@ tls: # Values that you shouldn't need to change. ################################################## -# Container image for the cluster. -# Since version 13, hardened distroless images are used by default. -# You can use the deprecated debian-based images by setting the value to -# `public.ecr.aws/gravitational/teleport`. Those images will be -# removed with teleport 14. +# Container image for the cluster. By default, the image contains only the +# Teleport application and its runtime dependencies, and does not contain a +# shell. image: public.ecr.aws/gravitational/teleport-distroless -# Enterprise version of the image -# Since version 13, hardened distroless images are used by default. -# You can use the deprecated debian-based images by setting the value to -# `public.ecr.aws/gravitational/teleport-ent`. Those images will be -# removed with teleport 14. +# Enterprise version of the image. By default, the image contains only the +# Teleport application and its runtime dependencies, and does not contain a +# shell. enterpriseImage: public.ecr.aws/gravitational/teleport-ent-distroless # Optional array of imagePullSecrets, to use when pulling from a private registry imagePullSecrets: [] @@ -653,6 +652,9 @@ extraLabels: ingress: {} # extraLabels.job(object) -- are labels to set on the Job run by the Helm hook. job: {} + # extraLabels.jobPod(object) -- are labels to set on the Pods created by the + # Job run by the Helm hook. + jobPod: {} # extraLabels.persistentVolumeClaim(object) -- are labels to set on the PersistentVolumeClaim. persistentVolumeClaim: {} # extraLabels.pod(object) -- are labels to set on the Pods created by the
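Review bot: Nothing in this diff adds `jobPod` to values.schema.json alongside the new `extraLabels.jobPod: {}` default in the `@@ -653,6 +652,9 @@` hunk — the only schema change visible is `licenseSecretName`. If the schema's `extraLabels` object enumerates its keys with `additionalProperties: false` (not visible here), `helm lint` will reject the chart's own default until `jobPod` is declared there too, so this is worth confirming against the schema file. The comment `# extraLabels.jobPod(object) -- are labels to set on the Pods created by the Job run by the Helm hook.` would also be more useful if it stated whether those pods additionally receive `extraLabels.job`, since the two keys now sit side by side with overlapping descriptions.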