UPdate teleport to version 17

teleport-cluster-16.4.6/Chart.yaml

@@ -1,13 +1,13 @@
 apiVersion: v2
-appVersion: 16.0.4
+appVersion: 16.4.6
 dependencies:
 - alias: operator
   name: teleport-operator
   repository: ""
-  version: 16.0.4
+  version: 16.4.6
 description: Teleport is an access platform for your infrastructure
 icon: https://goteleport.com/static/teleport-symbol-bimi.svg
 keywords:
 - Teleport
 name: teleport-cluster
-version: 16.0.4
+version: 16.4.6

teleport-cluster-16.4.6/README.md

@@ -37,15 +37,16 @@ or by installing [cert-manager](https://cert-manager.io/docs/) and setting the `
 
 ### Replicated setup guides
 
-- [Running an HA Teleport cluster in Kubernetes using an AWS EKS Cluster](https://goteleport.com/docs/deploy-a-cluster/helm-deployments/aws/)
+- [Running an HA Teleport cluster in Kubernetes using an AWS EKS Cluster](https://goteleport.com/docs/admin-guides/deploy-a-cluster/helm-deployments/aws/)
-- [Running an HA Teleport cluster in Kubernetes using a Google Cloud GKE cluster](https://goteleport.com/docs/deploy-a-cluster/helm-deployments/gcp/)
+- [Running an HA Teleport cluster in Kubernetes using an Google Cloud GKE cluster](https://goteleport.com/docs/admin-guides/deploy-a-cluster/helm-deployments/gcp/)
-- [Running a Teleport cluster in Kubernetes with a custom Teleport config](https://goteleport.com/docs/deploy-a-cluster/helm-deployments/custom/)
+- [Running an HA Teleport cluster in Kubernetes using an Azure AKS cluster](https://goteleport.com/docs/admin-guides/deploy-a-cluster/helm-deployments/azure/)
+- [Running a Teleport cluster in Kubernetes with a custom Teleport config](https://goteleport.com/docs/admin-guides/deploy-a-cluster/helm-deployments/custom/)
 
 ### Creating first user
 
 The first user can be created by executing a command in one of the auth pods.
 
-```shell
+```code
 kubectl exec it -n teleport-cluster statefulset/teleport-cluster-auth -- tctl users add my-username --roles=editor,auditor,access
 ```
 
@@ -59,7 +60,7 @@ helm uninstall --namespace teleport-cluster teleport-cluster
 
 ## Documentation
 
-See https://goteleport.com/docs/kubernetes-access/helm/guides/ for guides on setting up HA Teleport clusters
+See https://goteleport.com/docs/admin-guides/deploy-a-cluster/helm-deployments/ for guides on setting up HA Teleport clusters
 in EKS or GKE, plus a comprehensive chart reference.
 
 ## Contributing to the chart

teleport-cluster-16.4.6/charts/teleport-operator/Chart.yaml

@@ -1,8 +1,8 @@
 apiVersion: v2
-appVersion: 16.0.4
+appVersion: 16.4.6
 description: Teleport Operator provides management of select Teleport resources.
 icon: https://goteleport.com/static/teleport-symbol-bimi.svg
 keywords:
 - Teleport
 name: teleport-operator
-version: 16.0.4
+version: 16.4.6

teleport-cluster-16.4.6/charts/teleport-operator/README.md

@@ -13,7 +13,7 @@ operator version is deployed, use the `--version` Helm flag.
 
 The chart can be deployed in two ways:
 - in standalone mode by running
-  ```shell
+  ```code
   helm install teleport/teleport-operator teleport-operator --set authAddr=teleport.example.com:443 --set token=my-operator-token
   ```
   See [the standalone guide](https://goteleport.com/docs/management/dynamic-resources/teleport-operator-standalone/) for more details.

teleport-cluster-16.4.6/charts/teleport-operator/operator-crds/resources.teleport.dev_accesslists.yaml

@@ -36,7 +36,7 @@ spec:
             description: AccessList resource definition v1 from Teleport
             properties:
               audit:
-                description: audit describes the frequency that this access list must
+                description: audit describes the frequency that this Access List must
                   be audited.
                 nullable: true
                 properties:
@@ -74,16 +74,16 @@ spec:
                 type: object
               description:
                 description: description is an optional plaintext description of the
-                  access list.
+                  Access List.
                 type: string
               grants:
                 description: grants describes the access granted by membership to
-                  this access list.
+                  this Access List.
                 nullable: true
                 properties:
                   roles:
                     description: roles are the roles that are granted to users who
-                      are members of the access list.
+                      are members of the Access List.
                     items:
                       type: string
                     nullable: true
@@ -94,13 +94,13 @@ spec:
                         type: string
                       type: array
                     description: traits are the traits that are granted to users who
-                      are members of the access list.
+                      are members of the Access List.
                     type: object
                 type: object
               membership_requires:
                 description: membership_requires describes the requirements for a
-                  user to be a member of the access list. For a membership to an access
+                  user to be a member of the Access List. For a membership to an Access
-                  list to be effective, the user must meet the requirements of Membership_requires
+                  List to be effective, the user must meet the requirements of Membership_requires
                   and must be in the members list.
                 nullable: true
                 properties:
@@ -122,12 +122,12 @@ spec:
                 type: object
               owner_grants:
                 description: owner_grants describes the access granted by owners to
-                  this access list.
+                  this Access List.
                 nullable: true
                 properties:
                   roles:
                     description: roles are the roles that are granted to users who
-                      are members of the access list.
+                      are members of the Access List.
                     items:
                       type: string
                     nullable: true
@@ -138,11 +138,11 @@ spec:
                         type: string
                       type: array
                     description: traits are the traits that are granted to users who
-                      are members of the access list.
+                      are members of the Access List.
                     type: object
                 type: object
               owners:
-                description: owners is a list of owners of the access list.
+                description: owners is a list of owners of the Access List.
                 items:
                   properties:
                     description:
@@ -161,7 +161,7 @@ spec:
                 type: array
               ownership_requires:
                 description: ownership_requires describes the requirements for a user
-                  to be an owner of the access list. For ownership of an access list
+                  to be an owner of the Access List. For ownership of an Access List
                   to be effective, the user must meet the requirements of ownership_requires
                   and must be in the owners list.
                 nullable: true
@@ -183,8 +183,8 @@ spec:
                     type: object
                 type: object
               title:
-                description: title is a plaintext short description of the access
+                description: title is a plaintext short description of the Access
-                  list.
+                  List.
                 type: string
             type: object
           status:

teleport-cluster-16.4.6/charts/teleport-operator/operator-crds/resources.teleport.dev_githubconnectors.yaml

@@ -55,9 +55,18 @@ spec:
                       type: string
                     nullable: true
                     type: array
+                  insecure_allowed_cidr_ranges:
+                    description: a list of CIDRs allowed for HTTP or HTTPS client
+                      redirect URLs
+                    items:
+                      type: string
+                    nullable: true
+                    type: array
                 type: object
               client_secret:
-                description: ClientSecret is the Github OAuth app client secret.
+                description: ClientSecret is the Github OAuth app client secret. This
+                  field supports secret lookup. See the operator documentation for
+                  more details.
                 type: string
               display:
                 description: Display is the connector display name.

teleport-cluster-16.4.6/charts/teleport-operator/operator-crds/resources.teleport.dev_oidcconnectors.yaml

@@ -65,7 +65,7 @@ spec:
                 type: array
               client_id:
                 description: ClientID is the id of the authentication client (Teleport
-                  Auth server).
+                  Auth Service).
                 type: string
               client_redirect_settings:
                 description: ClientRedirectSettings defines which client redirect
@@ -80,9 +80,18 @@ spec:
                       type: string
                     nullable: true
                     type: array
+                  insecure_allowed_cidr_ranges:
+                    description: a list of CIDRs allowed for HTTP or HTTPS client
+                      redirect URLs
+                    items:
+                      type: string
+                    nullable: true
+                    type: array
                 type: object
               client_secret:
-                description: ClientSecret is used to authenticate the client.
+                description: ClientSecret is used to authenticate the client. This
+                  field supports secret lookup. See the operator documentation for
+                  more details.
                 type: string
               display:
                 description: Display is the friendly name for this provider.

teleport-cluster-16.4.6/charts/teleport-operator/operator-crds/resources.teleport.dev_provisiontokens.yaml

@@ -70,8 +70,8 @@ spec:
                       type: array
                     aws_role:
                       description: AWSRole is used for the EC2 join method and is
-                        the ARN of the AWS role that the auth server will assume in
+                        the ARN of the AWS role that the Auth Service will assume
-                        order to call the ec2 API.
+                        in order to call the ec2 API.
                       type: string
                   type: object
                 nullable: true
@@ -192,7 +192,7 @@ spec:
                       against host.  This value should be the hostname of the GHES
                       instance, and should not include the scheme or a path. The instance
                       must be accessible over HTTPS at this hostname and the certificate
-                      must be trusted by the Auth Server.
+                      must be trusted by the Auth Service.
                     type: string
                   enterprise_slug:
                     description: EnterpriseSlug allows the slug of a GitHub Enterprise
@@ -257,9 +257,9 @@ spec:
                     type: string
                 type: object
               join_method:
-                description: JoinMethod is the joining method required in order to
+                description: 'JoinMethod is the joining method required in order to
-                  use this token. Supported joining methods include "token", "ec2",
+                  use this token. Supported joining methods include: azure, circleci,
-                  and "iam".
+                  ec2, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm'
                 type: string
               kubernetes:
                 description: Kubernetes allows the configuration of options specific
@@ -341,6 +341,51 @@ spec:
                   set when using this token to enroll themselves in the cluster. Currently,
                   only node-join scripts create a configuration according to the suggestion.
                 type: object
+              terraform_cloud:
+                description: TerraformCloud allows the configuration of options specific
+                  to the "terraform_cloud" join method.
+                nullable: true
+                properties:
+                  allow:
+                    description: Allow is a list of Rules, nodes using this token
+                      must match one allow rule to use this token.
+                    items:
+                      properties:
+                        organization_id:
+                          type: string
+                        organization_name:
+                          type: string
+                        project_id:
+                          type: string
+                        project_name:
+                          type: string
+                        run_phase:
+                          type: string
+                        workspace_id:
+                          type: string
+                        workspace_name:
+                          type: string
+                      type: object
+                    nullable: true
+                    type: array
+                  audience:
+                    description: Audience is the JWT audience as configured in the
+                      TFC_WORKLOAD_IDENTITY_AUDIENCE(_$TAG) variable in Terraform
+                      Cloud. If unset, defaults to the Teleport cluster name. For
+                      example, if `TFC_WORKLOAD_IDENTITY_AUDIENCE_TELEPORT=foo` is
+                      set in Terraform Cloud, this value should be `foo`. If the variable
+                      is set to match the cluster name, it does not need to be set
+                      here.
+                    type: string
+                  hostname:
+                    description: Hostname is the hostname of the Terraform Enterprise
+                      instance expected to issue JWTs allowed by this token. This
+                      may be unset for regular Terraform Cloud use, in which case
+                      it will be assumed to be `app.terraform.io`. Otherwise, it must
+                      both match the `iss` (issuer) field included in JWTs, and provide
+                      standard JWKS endpoints.
+                    type: string
+                type: object
               tpm:
                 description: TPM allows the configuration of options specific to the
                   "tpm" join method.

teleport-cluster-16.4.6/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml

@@ -298,7 +298,7 @@ spec:
                             type: string
                           type: array
                         description: Annotations is a collection of annotations to
-                          be programmatically appended to pending access requests
+                          be programmatically appended to pending Access Requests
                           at the time of their creation. These annotations serve as
                           a mechanism to propagate extra information to plugins.  Since
                           these annotations support variable interpolation syntax,
@@ -824,7 +824,7 @@ spec:
                             type: string
                           type: array
                         description: Annotations is a collection of annotations to
-                          be programmatically appended to pending access requests
+                          be programmatically appended to pending Access Requests
                           at the time of their creation. These annotations serve as
                           a mechanism to propagate extra information to plugins.  Since
                           these annotations support variable interpolation syntax,
@@ -1133,9 +1133,12 @@ spec:
                       created on a Windows desktop
                     type: boolean
                   create_host_user:
-                    description: CreateHostUser allows users to be automatically created
+                    description: 'Deprecated: use CreateHostUserMode instead.'
-                      on a host
                     type: boolean
+                  create_host_user_default_shell:
+                    description: CreateHostUserDefaultShell is used to configure the
+                      default shell for newly provisioned host users.
+                    type: string
                   create_host_user_mode:
                     description: CreateHostUserMode allows users to be automatically
                       created on a host when not set to off. 0 is "unspecified"; 1
@@ -1155,7 +1158,6 @@ spec:
                   device_trust_mode:
                     description: DeviceTrustMode is the device authorization mode
                       used for the resources associated with the role. See DeviceTrust.Mode.
-                      Reserved for future use, not yet used by Teleport.
                     type: string
                   disconnect_expired_cert:
                     description: DisconnectExpiredCert sets disconnect clients on
@@ -1211,6 +1213,16 @@ spec:
                       sessions per connection.
                     format: int64
                     type: integer
+                  mfa_verification_interval:
+                    description: MFAVerificationInterval optionally defines the maximum
+                      duration that can elapse between successive MFA verifications.
+                      This variable is used to ensure that users are periodically
+                      prompted to verify their identity, enhancing security by preventing
+                      prolonged sessions without re-authentication when using tsh
+                      proxy * derivatives. It's only effective if the session requires
+                      MFA. If not set, defaults to `max_session_ttl`.
+                    format: duration
+                    type: string
                   permit_x11_forwarding:
                     description: PermitX11Forwarding authorizes use of X11 forwarding.
                     type: boolean
@@ -1242,8 +1254,8 @@ spec:
                         type: string
                     type: object
                   request_access:
-                    description: RequestAccess defines the access request strategy
+                    description: RequestAccess defines the request strategy (optional|note|always)
-                      (optional|note|always) where optional is the default.
+                      where optional is the default.
                     type: string
                   request_prompt:
                     description: RequestPrompt is an optional message which tells
@@ -1630,7 +1642,7 @@ spec:
                             type: string
                           type: array
                         description: Annotations is a collection of annotations to
-                          be programmatically appended to pending access requests
+                          be programmatically appended to pending Access Requests
                           at the time of their creation. These annotations serve as
                           a mechanism to propagate extra information to plugins.  Since
                           these annotations support variable interpolation syntax,
@@ -2156,7 +2168,7 @@ spec:
                             type: string
                           type: array
                         description: Annotations is a collection of annotations to
-                          be programmatically appended to pending access requests
+                          be programmatically appended to pending Access Requests
                           at the time of their creation. These annotations serve as
                           a mechanism to propagate extra information to plugins.  Since
                           these annotations support variable interpolation syntax,
@@ -2465,9 +2477,12 @@ spec:
                       created on a Windows desktop
                     type: boolean
                   create_host_user:
-                    description: CreateHostUser allows users to be automatically created
+                    description: 'Deprecated: use CreateHostUserMode instead.'
-                      on a host
                     type: boolean
+                  create_host_user_default_shell:
+                    description: CreateHostUserDefaultShell is used to configure the
+                      default shell for newly provisioned host users.
+                    type: string
                   create_host_user_mode:
                     description: CreateHostUserMode allows users to be automatically
                       created on a host when not set to off. 0 is "unspecified"; 1
@@ -2487,7 +2502,6 @@ spec:
                   device_trust_mode:
                     description: DeviceTrustMode is the device authorization mode
                       used for the resources associated with the role. See DeviceTrust.Mode.
-                      Reserved for future use, not yet used by Teleport.
                     type: string
                   disconnect_expired_cert:
                     description: DisconnectExpiredCert sets disconnect clients on
@@ -2543,6 +2557,16 @@ spec:
                       sessions per connection.
                     format: int64
                     type: integer
+                  mfa_verification_interval:
+                    description: MFAVerificationInterval optionally defines the maximum
+                      duration that can elapse between successive MFA verifications.
+                      This variable is used to ensure that users are periodically
+                      prompted to verify their identity, enhancing security by preventing
+                      prolonged sessions without re-authentication when using tsh
+                      proxy * derivatives. It's only effective if the session requires
+                      MFA. If not set, defaults to `max_session_ttl`.
+                    format: duration
+                    type: string
                   permit_x11_forwarding:
                     description: PermitX11Forwarding authorizes use of X11 forwarding.
                     type: boolean
@@ -2574,8 +2598,8 @@ spec:
                         type: string
                     type: object
                   request_access:
-                    description: RequestAccess defines the access request strategy
+                    description: RequestAccess defines the request strategy (optional|note|always)
-                      (optional|note|always) where optional is the default.
+                      where optional is the default.
                     type: string
                   request_prompt:
                     description: RequestPrompt is an optional message which tells

teleport-cluster-16.4.6/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv6.yaml

@@ -301,7 +301,7 @@ spec:
                             type: string
                           type: array
                         description: Annotations is a collection of annotations to
-                          be programmatically appended to pending access requests
+                          be programmatically appended to pending Access Requests
                           at the time of their creation. These annotations serve as
                           a mechanism to propagate extra information to plugins.  Since
                           these annotations support variable interpolation syntax,
@@ -827,7 +827,7 @@ spec:
                             type: string
                           type: array
                         description: Annotations is a collection of annotations to
-                          be programmatically appended to pending access requests
+                          be programmatically appended to pending Access Requests
                           at the time of their creation. These annotations serve as
                           a mechanism to propagate extra information to plugins.  Since
                           these annotations support variable interpolation syntax,
@@ -1136,9 +1136,12 @@ spec:
                       created on a Windows desktop
                     type: boolean
                   create_host_user:
-                    description: CreateHostUser allows users to be automatically created
+                    description: 'Deprecated: use CreateHostUserMode instead.'
-                      on a host
                     type: boolean
+                  create_host_user_default_shell:
+                    description: CreateHostUserDefaultShell is used to configure the
+                      default shell for newly provisioned host users.
+                    type: string
                   create_host_user_mode:
                     description: CreateHostUserMode allows users to be automatically
                       created on a host when not set to off. 0 is "unspecified"; 1
@@ -1158,7 +1161,6 @@ spec:
                   device_trust_mode:
                     description: DeviceTrustMode is the device authorization mode
                       used for the resources associated with the role. See DeviceTrust.Mode.
-                      Reserved for future use, not yet used by Teleport.
                     type: string
                   disconnect_expired_cert:
                     description: DisconnectExpiredCert sets disconnect clients on
@@ -1214,6 +1216,16 @@ spec:
                       sessions per connection.
                     format: int64
                     type: integer
+                  mfa_verification_interval:
+                    description: MFAVerificationInterval optionally defines the maximum
+                      duration that can elapse between successive MFA verifications.
+                      This variable is used to ensure that users are periodically
+                      prompted to verify their identity, enhancing security by preventing
+                      prolonged sessions without re-authentication when using tsh
+                      proxy * derivatives. It's only effective if the session requires
+                      MFA. If not set, defaults to `max_session_ttl`.
+                    format: duration
+                    type: string
                   permit_x11_forwarding:
                     description: PermitX11Forwarding authorizes use of X11 forwarding.
                     type: boolean
@@ -1245,8 +1257,8 @@ spec:
                         type: string
                     type: object
                   request_access:
-                    description: RequestAccess defines the access request strategy
+                    description: RequestAccess defines the request strategy (optional|note|always)
-                      (optional|note|always) where optional is the default.
+                      where optional is the default.
                     type: string
                   request_prompt:
                     description: RequestPrompt is an optional message which tells

teleport-cluster-16.4.6/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv7.yaml

@@ -301,7 +301,7 @@ spec:
                             type: string
                           type: array
                         description: Annotations is a collection of annotations to
-                          be programmatically appended to pending access requests
+                          be programmatically appended to pending Access Requests
                           at the time of their creation. These annotations serve as
                           a mechanism to propagate extra information to plugins.  Since
                           these annotations support variable interpolation syntax,
@@ -827,7 +827,7 @@ spec:
                             type: string
                           type: array
                         description: Annotations is a collection of annotations to
-                          be programmatically appended to pending access requests
+                          be programmatically appended to pending Access Requests
                           at the time of their creation. These annotations serve as
                           a mechanism to propagate extra information to plugins.  Since
                           these annotations support variable interpolation syntax,
@@ -1136,9 +1136,12 @@ spec:
                       created on a Windows desktop
                     type: boolean
                   create_host_user:
-                    description: CreateHostUser allows users to be automatically created
+                    description: 'Deprecated: use CreateHostUserMode instead.'
-                      on a host
                     type: boolean
+                  create_host_user_default_shell:
+                    description: CreateHostUserDefaultShell is used to configure the
+                      default shell for newly provisioned host users.
+                    type: string
                   create_host_user_mode:
                     description: CreateHostUserMode allows users to be automatically
                       created on a host when not set to off. 0 is "unspecified"; 1
@@ -1158,7 +1161,6 @@ spec:
                   device_trust_mode:
                     description: DeviceTrustMode is the device authorization mode
                       used for the resources associated with the role. See DeviceTrust.Mode.
-                      Reserved for future use, not yet used by Teleport.
                     type: string
                   disconnect_expired_cert:
                     description: DisconnectExpiredCert sets disconnect clients on
@@ -1214,6 +1216,16 @@ spec:
                       sessions per connection.
                     format: int64
                     type: integer
+                  mfa_verification_interval:
+                    description: MFAVerificationInterval optionally defines the maximum
+                      duration that can elapse between successive MFA verifications.
+                      This variable is used to ensure that users are periodically
+                      prompted to verify their identity, enhancing security by preventing
+                      prolonged sessions without re-authentication when using tsh
+                      proxy * derivatives. It's only effective if the session requires
+                      MFA. If not set, defaults to `max_session_ttl`.
+                    format: duration
+                    type: string
                   permit_x11_forwarding:
                     description: PermitX11Forwarding authorizes use of X11 forwarding.
                     type: boolean
@@ -1245,8 +1257,8 @@ spec:
                         type: string
                     type: object
                   request_access:
-                    description: RequestAccess defines the access request strategy
+                    description: RequestAccess defines the request strategy (optional|note|always)
-                      (optional|note|always) where optional is the default.
+                      where optional is the default.
                     type: string
                   request_prompt:
                     description: RequestPrompt is an optional message which tells

teleport-cluster-16.4.6/charts/teleport-operator/operator-crds/resources.teleport.dev_samlconnectors.yaml

@@ -95,6 +95,13 @@ spec:
                       type: string
                     nullable: true
                     type: array
+                  insecure_allowed_cidr_ranges:
+                    description: a list of CIDRs allowed for HTTP or HTTPS client
+                      redirect URLs
+                    items:
+                      type: string
+                    nullable: true
+                    type: array
                 type: object
               display:
                 description: Display controls how this connector is displayed.

teleport-cluster-16.4.6/charts/teleport-operator/operator-crds/resources.teleport.dev_users.yaml

@@ -119,8 +119,12 @@ spec:
                 type: object
               trusted_device_ids:
                 description: TrustedDeviceIDs contains the IDs of trusted devices
-                  enrolled by the user. Managed by the Device Trust subsystem, avoid
+                  enrolled by the user.  Note that SSO users are transient and thus
-                  manual edits.
+                  may contain an empty TrustedDeviceIDs field, even though the user->device
+                  association exists under the Device Trust subsystem. Do not rely
+                  on this field to determine device associations or ownership, it
+                  exists for legacy/informative purposes only.  Managed by the Device
+                  Trust subsystem, avoid manual edits.
                 items:
                   type: string
                 nullable: true

teleport-cluster-16.4.6/charts/teleport-operator/templates/crds.yaml

@@ -2,7 +2,7 @@
 and creates them if needed. It also adds common labels, like any other
 Helm-deployed resource.
 
-We cannot rely on the "crds/" Helm directory as Helm's startegy is "fire and forget".
+We cannot rely on the "crds/" Helm directory as Helm's strategy is "fire and forget".
 We have no way to update the CRDs after the initial deployment. As Teleport keeps
 adding new field to existing CRs, we need a deployment strategy that supports
 updating CRDs.

teleport-cluster-16.4.6/charts/teleport-operator/templates/role.yaml

@@ -6,6 +6,7 @@ metadata:
   name: {{ include "teleport-cluster.operator.fullname" . }}
   namespace: {{ .Release.Namespace }}
 rules:
+  # Rights to manage the Teleport CRs
   - apiGroups:
       - "resources.teleport.dev"
     resources:
@@ -41,6 +42,7 @@ rules:
       - patch
       - update
       - watch
+  # Used to perform leader election when running with multiple replicas
   - apiGroups:
       - "coordination.k8s.io"
     resources:
@@ -49,11 +51,19 @@ rules:
       - create
       - get
       - update
+  # Ability to emit reconciliation events
   - apiGroups:
       - ""
     resources:
       - events
     verbs:
       - create
+  # Ability to lookup sensitive values from secrets rather than CRs
+  - apiGroups:
+      - ""
+    resources:
+      - "secrets"
+    verbs:
+      - "get"
 {{- end -}}
 {{- end -}}