UPdate teleport to version 17
This commit is contained in:
parent
823120c033
commit
5afa9c2439
@ -1,13 +1,13 @@
|
||||
apiVersion: v2
|
||||
appVersion: 16.0.4
|
||||
appVersion: 16.4.6
|
||||
dependencies:
|
||||
- alias: operator
|
||||
name: teleport-operator
|
||||
repository: ""
|
||||
version: 16.0.4
|
||||
version: 16.4.6
|
||||
description: Teleport is an access platform for your infrastructure
|
||||
icon: https://goteleport.com/static/teleport-symbol-bimi.svg
|
||||
keywords:
|
||||
- Teleport
|
||||
name: teleport-cluster
|
||||
version: 16.0.4
|
||||
version: 16.4.6
|
||||
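Review bot: The commit title announces version 17, but the lines here set appVersion and version to 16.4.6, and the operator chart hunk (`@ -1,8 +1,8 @@`, name: teleport-operator) does the same, so either the title or the bump is wrong and they should agree before merge. If 16.4.6 is the intended target, the title should read `Update teleport to version 16.4.6`. The dependency pin `version: 16.4.6` under `alias: operator` must stay equal to the operator chart's own `version`, which it does in this commit.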
@ -37,15 +37,16 @@ or by installing [cert-manager](https://cert-manager.io/docs/) and setting the `
|
||||
|
||||
### Replicated setup guides
|
||||
|
||||
- [Running an HA Teleport cluster in Kubernetes using an AWS EKS Cluster](https://goteleport.com/docs/deploy-a-cluster/helm-deployments/aws/)
|
||||
- [Running an HA Teleport cluster in Kubernetes using a Google Cloud GKE cluster](https://goteleport.com/docs/deploy-a-cluster/helm-deployments/gcp/)
|
||||
- [Running a Teleport cluster in Kubernetes with a custom Teleport config](https://goteleport.com/docs/deploy-a-cluster/helm-deployments/custom/)
|
||||
- [Running an HA Teleport cluster in Kubernetes using an AWS EKS Cluster](https://goteleport.com/docs/admin-guides/deploy-a-cluster/helm-deployments/aws/)
|
||||
- [Running an HA Teleport cluster in Kubernetes using an Google Cloud GKE cluster](https://goteleport.com/docs/admin-guides/deploy-a-cluster/helm-deployments/gcp/)
|
||||
- [Running an HA Teleport cluster in Kubernetes using an Azure AKS cluster](https://goteleport.com/docs/admin-guides/deploy-a-cluster/helm-deployments/azure/)
|
||||
- [Running a Teleport cluster in Kubernetes with a custom Teleport config](https://goteleport.com/docs/admin-guides/deploy-a-cluster/helm-deployments/custom/)
|
||||
|
||||
### Creating first user
|
||||
|
||||
The first user can be created by executing a command in one of the auth pods.
|
||||
|
||||
```shell
|
||||
```code
|
||||
kubectl exec it -n teleport-cluster statefulset/teleport-cluster-auth -- tctl users add my-username --roles=editor,auditor,access
|
||||
```
|
||||
|
||||
@ -59,7 +60,7 @@ helm uninstall --namespace teleport-cluster teleport-cluster
|
||||
|
||||
## Documentation
|
||||
|
||||
See https://goteleport.com/docs/kubernetes-access/helm/guides/ for guides on setting up HA Teleport clusters
|
||||
See https://goteleport.com/docs/admin-guides/deploy-a-cluster/helm-deployments/ for guides on setting up HA Teleport clusters
|
||||
in EKS or GKE, plus a comprehensive chart reference.
|
||||
|
||||
## Contributing to the chart
|
||||
@ -1,8 +1,8 @@
|
||||
apiVersion: v2
|
||||
appVersion: 16.0.4
|
||||
appVersion: 16.4.6
|
||||
description: Teleport Operator provides management of select Teleport resources.
|
||||
icon: https://goteleport.com/static/teleport-symbol-bimi.svg
|
||||
keywords:
|
||||
- Teleport
|
||||
name: teleport-operator
|
||||
version: 16.0.4
|
||||
version: 16.4.6
|
||||
@ -13,7 +13,7 @@ operator version is deployed, use the `--version` Helm flag.
|
||||
|
||||
The chart can be deployed in two ways:
|
||||
- in standalone mode by running
|
||||
```shell
|
||||
```code
|
||||
helm install teleport/teleport-operator teleport-operator --set authAddr=teleport.example.com:443 --set token=my-operator-token
|
||||
```
|
||||
See [the standalone guide](https://goteleport.com/docs/management/dynamic-resources/teleport-operator-standalone/) for more details.
|
||||
@ -36,7 +36,7 @@ spec:
|
||||
description: AccessList resource definition v1 from Teleport
|
||||
properties:
|
||||
audit:
|
||||
description: audit describes the frequency that this access list must
|
||||
description: audit describes the frequency that this Access List must
|
||||
be audited.
|
||||
nullable: true
|
||||
properties:
|
||||
@ -74,16 +74,16 @@ spec:
|
||||
type: object
|
||||
description:
|
||||
description: description is an optional plaintext description of the
|
||||
access list.
|
||||
Access List.
|
||||
type: string
|
||||
grants:
|
||||
description: grants describes the access granted by membership to
|
||||
this access list.
|
||||
this Access List.
|
||||
nullable: true
|
||||
properties:
|
||||
roles:
|
||||
description: roles are the roles that are granted to users who
|
||||
are members of the access list.
|
||||
are members of the Access List.
|
||||
items:
|
||||
type: string
|
||||
nullable: true
|
||||
@ -94,13 +94,13 @@ spec:
|
||||
type: string
|
||||
type: array
|
||||
description: traits are the traits that are granted to users who
|
||||
are members of the access list.
|
||||
are members of the Access List.
|
||||
type: object
|
||||
type: object
|
||||
membership_requires:
|
||||
description: membership_requires describes the requirements for a
|
||||
user to be a member of the access list. For a membership to an access
|
||||
list to be effective, the user must meet the requirements of Membership_requires
|
||||
user to be a member of the Access List. For a membership to an Access
|
||||
List to be effective, the user must meet the requirements of Membership_requires
|
||||
and must be in the members list.
|
||||
nullable: true
|
||||
properties:
|
||||
@ -122,12 +122,12 @@ spec:
|
||||
type: object
|
||||
owner_grants:
|
||||
description: owner_grants describes the access granted by owners to
|
||||
this access list.
|
||||
this Access List.
|
||||
nullable: true
|
||||
properties:
|
||||
roles:
|
||||
description: roles are the roles that are granted to users who
|
||||
are members of the access list.
|
||||
are members of the Access List.
|
||||
items:
|
||||
type: string
|
||||
nullable: true
|
||||
@ -138,11 +138,11 @@ spec:
|
||||
type: string
|
||||
type: array
|
||||
description: traits are the traits that are granted to users who
|
||||
are members of the access list.
|
||||
are members of the Access List.
|
||||
type: object
|
||||
type: object
|
||||
owners:
|
||||
description: owners is a list of owners of the access list.
|
||||
description: owners is a list of owners of the Access List.
|
||||
items:
|
||||
properties:
|
||||
description:
|
||||
@ -161,7 +161,7 @@ spec:
|
||||
type: array
|
||||
ownership_requires:
|
||||
description: ownership_requires describes the requirements for a user
|
||||
to be an owner of the access list. For ownership of an access list
|
||||
to be an owner of the Access List. For ownership of an Access List
|
||||
to be effective, the user must meet the requirements of ownership_requires
|
||||
and must be in the owners list.
|
||||
nullable: true
|
||||
@ -183,8 +183,8 @@ spec:
|
||||
type: object
|
||||
type: object
|
||||
title:
|
||||
description: title is a plaintext short description of the access
|
||||
list.
|
||||
description: title is a plaintext short description of the Access
|
||||
List.
|
||||
type: string
|
||||
type: object
|
||||
status:
|
||||
@ -55,9 +55,18 @@ spec:
|
||||
type: string
|
||||
nullable: true
|
||||
type: array
|
||||
insecure_allowed_cidr_ranges:
|
||||
description: a list of CIDRs allowed for HTTP or HTTPS client
|
||||
redirect URLs
|
||||
items:
|
||||
type: string
|
||||
nullable: true
|
||||
type: array
|
||||
type: object
|
||||
client_secret:
|
||||
description: ClientSecret is the Github OAuth app client secret.
|
||||
description: ClientSecret is the Github OAuth app client secret. This
|
||||
field supports secret lookup. See the operator documentation for
|
||||
more details.
|
||||
type: string
|
||||
display:
|
||||
description: Display is the connector display name.
|
||||
@ -65,7 +65,7 @@ spec:
|
||||
type: array
|
||||
client_id:
|
||||
description: ClientID is the id of the authentication client (Teleport
|
||||
Auth server).
|
||||
Auth Service).
|
||||
type: string
|
||||
client_redirect_settings:
|
||||
description: ClientRedirectSettings defines which client redirect
|
||||
@ -80,9 +80,18 @@ spec:
|
||||
type: string
|
||||
nullable: true
|
||||
type: array
|
||||
insecure_allowed_cidr_ranges:
|
||||
description: a list of CIDRs allowed for HTTP or HTTPS client
|
||||
redirect URLs
|
||||
items:
|
||||
type: string
|
||||
nullable: true
|
||||
type: array
|
||||
type: object
|
||||
client_secret:
|
||||
description: ClientSecret is used to authenticate the client.
|
||||
description: ClientSecret is used to authenticate the client. This
|
||||
field supports secret lookup. See the operator documentation for
|
||||
more details.
|
||||
type: string
|
||||
display:
|
||||
description: Display is the friendly name for this provider.
|
||||
@ -70,8 +70,8 @@ spec:
|
||||
type: array
|
||||
aws_role:
|
||||
description: AWSRole is used for the EC2 join method and is
|
||||
the ARN of the AWS role that the auth server will assume in
|
||||
order to call the ec2 API.
|
||||
the ARN of the AWS role that the Auth Service will assume
|
||||
in order to call the ec2 API.
|
||||
type: string
|
||||
type: object
|
||||
nullable: true
|
||||
@ -192,7 +192,7 @@ spec:
|
||||
against host. This value should be the hostname of the GHES
|
||||
instance, and should not include the scheme or a path. The instance
|
||||
must be accessible over HTTPS at this hostname and the certificate
|
||||
must be trusted by the Auth Server.
|
||||
must be trusted by the Auth Service.
|
||||
type: string
|
||||
enterprise_slug:
|
||||
description: EnterpriseSlug allows the slug of a GitHub Enterprise
|
||||
@ -257,9 +257,9 @@ spec:
|
||||
type: string
|
||||
type: object
|
||||
join_method:
|
||||
description: JoinMethod is the joining method required in order to
|
||||
use this token. Supported joining methods include "token", "ec2",
|
||||
and "iam".
|
||||
description: 'JoinMethod is the joining method required in order to
|
||||
use this token. Supported joining methods include: azure, circleci,
|
||||
ec2, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm'
|
||||
type: string
|
||||
kubernetes:
|
||||
description: Kubernetes allows the configuration of options specific
|
||||
@ -341,6 +341,51 @@ spec:
|
||||
set when using this token to enroll themselves in the cluster. Currently,
|
||||
only node-join scripts create a configuration according to the suggestion.
|
||||
type: object
|
||||
terraform_cloud:
|
||||
description: TerraformCloud allows the configuration of options specific
|
||||
to the "terraform_cloud" join method.
|
||||
nullable: true
|
||||
properties:
|
||||
allow:
|
||||
description: Allow is a list of Rules, nodes using this token
|
||||
must match one allow rule to use this token.
|
||||
items:
|
||||
properties:
|
||||
organization_id:
|
||||
type: string
|
||||
organization_name:
|
||||
type: string
|
||||
project_id:
|
||||
type: string
|
||||
project_name:
|
||||
type: string
|
||||
run_phase:
|
||||
type: string
|
||||
workspace_id:
|
||||
type: string
|
||||
workspace_name:
|
||||
type: string
|
||||
type: object
|
||||
nullable: true
|
||||
type: array
|
||||
audience:
|
||||
description: Audience is the JWT audience as configured in the
|
||||
TFC_WORKLOAD_IDENTITY_AUDIENCE(_$TAG) variable in Terraform
|
||||
Cloud. If unset, defaults to the Teleport cluster name. For
|
||||
example, if `TFC_WORKLOAD_IDENTITY_AUDIENCE_TELEPORT=foo` is
|
||||
set in Terraform Cloud, this value should be `foo`. If the variable
|
||||
is set to match the cluster name, it does not need to be set
|
||||
here.
|
||||
type: string
|
||||
hostname:
|
||||
description: Hostname is the hostname of the Terraform Enterprise
|
||||
instance expected to issue JWTs allowed by this token. This
|
||||
may be unset for regular Terraform Cloud use, in which case
|
||||
it will be assumed to be `app.terraform.io`. Otherwise, it must
|
||||
both match the `iss` (issuer) field included in JWTs, and provide
|
||||
standard JWKS endpoints.
|
||||
type: string
|
||||
type: object
|
||||
tpm:
|
||||
description: TPM allows the configuration of options specific to the
|
||||
"tpm" join method.
|
||||
@ -298,7 +298,7 @@ spec:
|
||||
type: string
|
||||
type: array
|
||||
description: Annotations is a collection of annotations to
|
||||
be programmatically appended to pending access requests
|
||||
be programmatically appended to pending Access Requests
|
||||
at the time of their creation. These annotations serve as
|
||||
a mechanism to propagate extra information to plugins. Since
|
||||
these annotations support variable interpolation syntax,
|
||||
@ -824,7 +824,7 @@ spec:
|
||||
type: string
|
||||
type: array
|
||||
description: Annotations is a collection of annotations to
|
||||
be programmatically appended to pending access requests
|
||||
be programmatically appended to pending Access Requests
|
||||
at the time of their creation. These annotations serve as
|
||||
a mechanism to propagate extra information to plugins. Since
|
||||
these annotations support variable interpolation syntax,
|
||||
@ -1133,9 +1133,12 @@ spec:
|
||||
created on a Windows desktop
|
||||
type: boolean
|
||||
create_host_user:
|
||||
description: CreateHostUser allows users to be automatically created
|
||||
on a host
|
||||
description: 'Deprecated: use CreateHostUserMode instead.'
|
||||
type: boolean
|
||||
create_host_user_default_shell:
|
||||
description: CreateHostUserDefaultShell is used to configure the
|
||||
default shell for newly provisioned host users.
|
||||
type: string
|
||||
create_host_user_mode:
|
||||
description: CreateHostUserMode allows users to be automatically
|
||||
created on a host when not set to off. 0 is "unspecified"; 1
|
||||
@ -1155,7 +1158,6 @@ spec:
|
||||
device_trust_mode:
|
||||
description: DeviceTrustMode is the device authorization mode
|
||||
used for the resources associated with the role. See DeviceTrust.Mode.
|
||||
Reserved for future use, not yet used by Teleport.
|
||||
type: string
|
||||
disconnect_expired_cert:
|
||||
description: DisconnectExpiredCert sets disconnect clients on
|
||||
@ -1211,6 +1213,16 @@ spec:
|
||||
sessions per connection.
|
||||
format: int64
|
||||
type: integer
|
||||
mfa_verification_interval:
|
||||
description: MFAVerificationInterval optionally defines the maximum
|
||||
duration that can elapse between successive MFA verifications.
|
||||
This variable is used to ensure that users are periodically
|
||||
prompted to verify their identity, enhancing security by preventing
|
||||
prolonged sessions without re-authentication when using tsh
|
||||
proxy * derivatives. It's only effective if the session requires
|
||||
MFA. If not set, defaults to `max_session_ttl`.
|
||||
format: duration
|
||||
type: string
|
||||
permit_x11_forwarding:
|
||||
description: PermitX11Forwarding authorizes use of X11 forwarding.
|
||||
type: boolean
|
||||
@ -1242,8 +1254,8 @@ spec:
|
||||
type: string
|
||||
type: object
|
||||
request_access:
|
||||
description: RequestAccess defines the access request strategy
|
||||
(optional|note|always) where optional is the default.
|
||||
description: RequestAccess defines the request strategy (optional|note|always)
|
||||
where optional is the default.
|
||||
type: string
|
||||
request_prompt:
|
||||
description: RequestPrompt is an optional message which tells
|
||||
@ -1630,7 +1642,7 @@ spec:
|
||||
type: string
|
||||
type: array
|
||||
description: Annotations is a collection of annotations to
|
||||
be programmatically appended to pending access requests
|
||||
be programmatically appended to pending Access Requests
|
||||
at the time of their creation. These annotations serve as
|
||||
a mechanism to propagate extra information to plugins. Since
|
||||
these annotations support variable interpolation syntax,
|
||||
@ -2156,7 +2168,7 @@ spec:
|
||||
type: string
|
||||
type: array
|
||||
description: Annotations is a collection of annotations to
|
||||
be programmatically appended to pending access requests
|
||||
be programmatically appended to pending Access Requests
|
||||
at the time of their creation. These annotations serve as
|
||||
a mechanism to propagate extra information to plugins. Since
|
||||
these annotations support variable interpolation syntax,
|
||||
@ -2465,9 +2477,12 @@ spec:
|
||||
created on a Windows desktop
|
||||
type: boolean
|
||||
create_host_user:
|
||||
description: CreateHostUser allows users to be automatically created
|
||||
on a host
|
||||
description: 'Deprecated: use CreateHostUserMode instead.'
|
||||
type: boolean
|
||||
create_host_user_default_shell:
|
||||
description: CreateHostUserDefaultShell is used to configure the
|
||||
default shell for newly provisioned host users.
|
||||
type: string
|
||||
create_host_user_mode:
|
||||
description: CreateHostUserMode allows users to be automatically
|
||||
created on a host when not set to off. 0 is "unspecified"; 1
|
||||
@ -2487,7 +2502,6 @@ spec:
|
||||
device_trust_mode:
|
||||
description: DeviceTrustMode is the device authorization mode
|
||||
used for the resources associated with the role. See DeviceTrust.Mode.
|
||||
Reserved for future use, not yet used by Teleport.
|
||||
type: string
|
||||
disconnect_expired_cert:
|
||||
description: DisconnectExpiredCert sets disconnect clients on
|
||||
@ -2543,6 +2557,16 @@ spec:
|
||||
sessions per connection.
|
||||
format: int64
|
||||
type: integer
|
||||
mfa_verification_interval:
|
||||
description: MFAVerificationInterval optionally defines the maximum
|
||||
duration that can elapse between successive MFA verifications.
|
||||
This variable is used to ensure that users are periodically
|
||||
prompted to verify their identity, enhancing security by preventing
|
||||
prolonged sessions without re-authentication when using tsh
|
||||
proxy * derivatives. It's only effective if the session requires
|
||||
MFA. If not set, defaults to `max_session_ttl`.
|
||||
format: duration
|
||||
type: string
|
||||
permit_x11_forwarding:
|
||||
description: PermitX11Forwarding authorizes use of X11 forwarding.
|
||||
type: boolean
|
||||
@ -2574,8 +2598,8 @@ spec:
|
||||
type: string
|
||||
type: object
|
||||
request_access:
|
||||
description: RequestAccess defines the access request strategy
|
||||
(optional|note|always) where optional is the default.
|
||||
description: RequestAccess defines the request strategy (optional|note|always)
|
||||
where optional is the default.
|
||||
type: string
|
||||
request_prompt:
|
||||
description: RequestPrompt is an optional message which tells
|
||||
@ -301,7 +301,7 @@ spec:
|
||||
type: string
|
||||
type: array
|
||||
description: Annotations is a collection of annotations to
|
||||
be programmatically appended to pending access requests
|
||||
be programmatically appended to pending Access Requests
|
||||
at the time of their creation. These annotations serve as
|
||||
a mechanism to propagate extra information to plugins. Since
|
||||
these annotations support variable interpolation syntax,
|
||||
@ -827,7 +827,7 @@ spec:
|
||||
type: string
|
||||
type: array
|
||||
description: Annotations is a collection of annotations to
|
||||
be programmatically appended to pending access requests
|
||||
be programmatically appended to pending Access Requests
|
||||
at the time of their creation. These annotations serve as
|
||||
a mechanism to propagate extra information to plugins. Since
|
||||
these annotations support variable interpolation syntax,
|
||||
@ -1136,9 +1136,12 @@ spec:
|
||||
created on a Windows desktop
|
||||
type: boolean
|
||||
create_host_user:
|
||||
description: CreateHostUser allows users to be automatically created
|
||||
on a host
|
||||
description: 'Deprecated: use CreateHostUserMode instead.'
|
||||
type: boolean
|
||||
create_host_user_default_shell:
|
||||
description: CreateHostUserDefaultShell is used to configure the
|
||||
default shell for newly provisioned host users.
|
||||
type: string
|
||||
create_host_user_mode:
|
||||
description: CreateHostUserMode allows users to be automatically
|
||||
created on a host when not set to off. 0 is "unspecified"; 1
|
||||
@ -1158,7 +1161,6 @@ spec:
|
||||
device_trust_mode:
|
||||
description: DeviceTrustMode is the device authorization mode
|
||||
used for the resources associated with the role. See DeviceTrust.Mode.
|
||||
Reserved for future use, not yet used by Teleport.
|
||||
type: string
|
||||
disconnect_expired_cert:
|
||||
description: DisconnectExpiredCert sets disconnect clients on
|
||||
@ -1214,6 +1216,16 @@ spec:
|
||||
sessions per connection.
|
||||
format: int64
|
||||
type: integer
|
||||
mfa_verification_interval:
|
||||
description: MFAVerificationInterval optionally defines the maximum
|
||||
duration that can elapse between successive MFA verifications.
|
||||
This variable is used to ensure that users are periodically
|
||||
prompted to verify their identity, enhancing security by preventing
|
||||
prolonged sessions without re-authentication when using tsh
|
||||
proxy * derivatives. It's only effective if the session requires
|
||||
MFA. If not set, defaults to `max_session_ttl`.
|
||||
format: duration
|
||||
type: string
|
||||
permit_x11_forwarding:
|
||||
description: PermitX11Forwarding authorizes use of X11 forwarding.
|
||||
type: boolean
|
||||
@ -1245,8 +1257,8 @@ spec:
|
||||
type: string
|
||||
type: object
|
||||
request_access:
|
||||
description: RequestAccess defines the access request strategy
|
||||
(optional|note|always) where optional is the default.
|
||||
description: RequestAccess defines the request strategy (optional|note|always)
|
||||
where optional is the default.
|
||||
type: string
|
||||
request_prompt:
|
||||
description: RequestPrompt is an optional message which tells
|
||||
@ -301,7 +301,7 @@ spec:
|
||||
type: string
|
||||
type: array
|
||||
description: Annotations is a collection of annotations to
|
||||
be programmatically appended to pending access requests
|
||||
be programmatically appended to pending Access Requests
|
||||
at the time of their creation. These annotations serve as
|
||||
a mechanism to propagate extra information to plugins. Since
|
||||
these annotations support variable interpolation syntax,
|
||||
@ -827,7 +827,7 @@ spec:
|
||||
type: string
|
||||
type: array
|
||||
description: Annotations is a collection of annotations to
|
||||
be programmatically appended to pending access requests
|
||||
be programmatically appended to pending Access Requests
|
||||
at the time of their creation. These annotations serve as
|
||||
a mechanism to propagate extra information to plugins. Since
|
||||
these annotations support variable interpolation syntax,
|
||||
@ -1136,9 +1136,12 @@ spec:
|
||||
created on a Windows desktop
|
||||
type: boolean
|
||||
create_host_user:
|
||||
description: CreateHostUser allows users to be automatically created
|
||||
on a host
|
||||
description: 'Deprecated: use CreateHostUserMode instead.'
|
||||
type: boolean
|
||||
create_host_user_default_shell:
|
||||
description: CreateHostUserDefaultShell is used to configure the
|
||||
default shell for newly provisioned host users.
|
||||
type: string
|
||||
create_host_user_mode:
|
||||
description: CreateHostUserMode allows users to be automatically
|
||||
created on a host when not set to off. 0 is "unspecified"; 1
|
||||
@ -1158,7 +1161,6 @@ spec:
|
||||
device_trust_mode:
|
||||
description: DeviceTrustMode is the device authorization mode
|
||||
used for the resources associated with the role. See DeviceTrust.Mode.
|
||||
Reserved for future use, not yet used by Teleport.
|
||||
type: string
|
||||
disconnect_expired_cert:
|
||||
description: DisconnectExpiredCert sets disconnect clients on
|
||||
@ -1214,6 +1216,16 @@ spec:
|
||||
sessions per connection.
|
||||
format: int64
|
||||
type: integer
|
||||
mfa_verification_interval:
|
||||
description: MFAVerificationInterval optionally defines the maximum
|
||||
duration that can elapse between successive MFA verifications.
|
||||
This variable is used to ensure that users are periodically
|
||||
prompted to verify their identity, enhancing security by preventing
|
||||
prolonged sessions without re-authentication when using tsh
|
||||
proxy * derivatives. It's only effective if the session requires
|
||||
MFA. If not set, defaults to `max_session_ttl`.
|
||||
format: duration
|
||||
type: string
|
||||
permit_x11_forwarding:
|
||||
description: PermitX11Forwarding authorizes use of X11 forwarding.
|
||||
type: boolean
|
||||
@ -1245,8 +1257,8 @@ spec:
|
||||
type: string
|
||||
type: object
|
||||
request_access:
|
||||
description: RequestAccess defines the access request strategy
|
||||
(optional|note|always) where optional is the default.
|
||||
description: RequestAccess defines the request strategy (optional|note|always)
|
||||
where optional is the default.
|
||||
type: string
|
||||
request_prompt:
|
||||
description: RequestPrompt is an optional message which tells
|
||||
@ -95,6 +95,13 @@ spec:
|
||||
type: string
|
||||
nullable: true
|
||||
type: array
|
||||
insecure_allowed_cidr_ranges:
|
||||
description: a list of CIDRs allowed for HTTP or HTTPS client
|
||||
redirect URLs
|
||||
items:
|
||||
type: string
|
||||
nullable: true
|
||||
type: array
|
||||
type: object
|
||||
display:
|
||||
description: Display controls how this connector is displayed.
|
||||
@ -119,8 +119,12 @@ spec:
|
||||
type: object
|
||||
trusted_device_ids:
|
||||
description: TrustedDeviceIDs contains the IDs of trusted devices
|
||||
enrolled by the user. Managed by the Device Trust subsystem, avoid
|
||||
manual edits.
|
||||
enrolled by the user. Note that SSO users are transient and thus
|
||||
may contain an empty TrustedDeviceIDs field, even though the user->device
|
||||
association exists under the Device Trust subsystem. Do not rely
|
||||
on this field to determine device associations or ownership, it
|
||||
exists for legacy/informative purposes only. Managed by the Device
|
||||
Trust subsystem, avoid manual edits.
|
||||
items:
|
||||
type: string
|
||||
nullable: true
|
||||
@ -2,7 +2,7 @@
|
||||
and creates them if needed. It also adds common labels, like any other
|
||||
Helm-deployed resource.
|
||||
|
||||
We cannot rely on the "crds/" Helm directory as Helm's startegy is "fire and forget".
|
||||
We cannot rely on the "crds/" Helm directory as Helm's strategy is "fire and forget".
|
||||
We have no way to update the CRDs after the initial deployment. As Teleport keeps
|
||||
adding new field to existing CRs, we need a deployment strategy that supports
|
||||
updating CRDs.
|
||||
@ -6,6 +6,7 @@ metadata:
|
||||
name: {{ include "teleport-cluster.operator.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
rules:
|
||||
# Rights to manage the Teleport CRs
|
||||
- apiGroups:
|
||||
- "resources.teleport.dev"
|
||||
resources:
|
||||
@ -41,6 +42,7 @@ rules:
|
||||
- patch
|
||||
- update
|
||||
- watch
|
||||
# Used to perform leader election when running with multiple replicas
|
||||
- apiGroups:
|
||||
- "coordination.k8s.io"
|
||||
resources:
|
||||
@ -49,11 +51,19 @@ rules:
|
||||
- create
|
||||
- get
|
||||
- update
|
||||
# Ability to emit reconciliation events
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- events
|
||||
verbs:
|
||||
- create
|
||||
# Ability to lookup sensitive values from secrets rather than CRs
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- "secrets"
|
||||
verbs:
|
||||
- "get"
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
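Review bot: The new secrets rule (`- "secrets"` / `- "get"`) grants read access to every Secret in the release namespace because it carries no `resourceNames` restriction, so the operator's service account, and anything that obtains its token, can read Secrets unrelated to the connector CRs it reconciles. Presumably `resourceNames` cannot be used here because the secret names are chosen by CR authors at runtime, but the added comment should state the scope explicitly, e.g. `# Ability to lookup sensitive values from secrets rather than CRs (reads any Secret in the release namespace; use a dedicated namespace to limit exposure)`. The quoting is also inconsistent with the rest of the rules list: `- "secrets"` and `- "get"` are quoted while the neighbouring `- events` and `- create` are not, so `- secrets` and `- get` would match the file's style. The template conditionals closed by the two `{{- end -}}` lines begin outside the hunk.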