diff --git a/teleport-cluster-14.2.0/values.home.yaml b/teleport-cluster-14.2.0/values.home.yaml
deleted file mode 100644
index 32e3a02..0000000
--- a/teleport-cluster-14.2.0/values.home.yaml
+++ /dev/null
@@ -1,686 +0,0 @@
-##################################################
-# Values that must always be provided by the user.
-##################################################
-
-# `clusterName` controls the name used to refer to the Teleport cluster, along with
-# the externally-facing public address to use to access it. In most setups this must
-# be a fully-qualified domain name (e.g. `teleport.example.com`) as this value is
-# used as the cluster's public address by default.
-#
-# Note: When using a fully qualified domain name as your `clusterName`, you will also
-# need to configure the DNS provider for this domain to point to the external
-# load balancer address of your Teleport cluster.
-#
-# Warning: The clusterName cannot be changed during a Teleport cluster's lifespan.
-# If you need to change it, you must redeploy a completely new cluster.
-clusterName: "teleport.ervine.cloud"
-
-# Name for this kubernetes cluster to be used by teleport users.
-kubeClusterName: "homeK8s"
-
-##################################################
-# Values that you may need to change.
-##################################################
-
-# Version of teleport image, if different from chart version in Chart.yaml.
-# DANGER: `teleportVersionOverride` MUST NOT be used to control the Teleport version.
-# This chart is designed to run a specific teleport version (see Chart.yaml).
-# You will face compatibility issues trying to run a different Teleport version with it.
-#
-# If you want to run Teleport version X, you should use `helm --version X` instead.
-teleportVersionOverride: ""
-
-# The `proxyProtocol` value controls whether the Proxy pods will
-# accept PROXY lines with the client's IP address when they are
-# behind a L4 load balancer (e.g. AWS ELB, GCP L4 LB, etc) with PROXY protocol
-# enabled. Since L4 LBs do not preserve the client's IP address, PROXY protocol is
-# required to ensure that Teleport can properly audit the client's IP address.
-#
-# When Teleport pods are not behind a L4 LB with PROXY protocol enabled, this
-# value should be set to "off" to prevent Teleport from accepting PROXY headers
-# from untrusted sources.
-# Possible values are "on" and "off".
-# - "on" will enable the PROXY protocol for all connections and will require the
-# L4 LB to send a PROXY header.
-# - "off" will disable the PROXY protocol for all connections and denies all
-# connections prefixed with a PROXY header.
-#
-# If proxyProtocol is unspecified, Teleport does not require PROXY header for the
-# connection, but will accept it if present. This mode is considered insecure
-# and should only be used for testing purposes.
-#
-# See https://goteleport.com/docs/ver/14.x/management/security/proxy-protocol/
-# for more information.
-#
-# proxyProtocol: on
-
-# The `teleport-cluster` charts deploys two sets of pods: auth and proxy.
-# `auth` contains values specific for the auth pods. You can use it to
-# set specific values for auth pods, taking precedence over chart-scoped values.
-# For example, to override the [`postStart`](#postStart) value only for auth pods:
-#
-# auth:
-# postStart: ["curl", "http://hook"]
-# imagePullPolicy: Always
-auth:
- # auth.teleportConfig contains YAML teleport configuration for auth pods
- # The configuration will be merged with the chart-generated configuration
- # and will take precedence in case of conflict.
- #
- # See the Teleport Configuration Reference for the list of supported fields:
- # https://goteleport.com/docs/reference/config/
- #
- # teleportConfig:
- # teleport:
- # cache:
- # enabled: false
- # auth_service:
- # client_idle_timeout: 2h
- # client_idle_timeout_message: "Connection closed after 2hours without activity"
- teleportConfig: {}
-
-# proxy contains values specific for the proxy pods
-# You can override chart-scoped values, for example
-# proxy:
-# postStart: ["curl", "http://hook"]
-# imagePullPolicy: Always
-proxy:
- # proxy.teleportConfig contains YAML teleport configuration for proxy pods
- # The configuration will be merged with the chart-generated configuration
- # and will take precedence in case of conflict
- #
- # See the Teleport Configuration Reference for the list of supported fields:
- # https://goteleport.com/docs/reference/config/
- #
- # teleportConfig:
- # teleport:
- # cache:
- # enabled: false
- # proxy_service:
- # https_keypairs:
- # - key_file: /my-custom-mount/key.pem
- # cert_file: /my-custom-mount/cert.pem
- teleportConfig: {}
-
-authentication:
- # Default authentication type. Possible values are 'local' and 'github' for OSS, plus 'oidc' and 'saml' for Enterprise.
- type: local
-
- # Sets the authenticator connector for SSO or the default connector for "local" authentication.
- # See SSO for Enterprise (https://goteleport.com/docs/enterprise/sso/).
- # See Passwordless for local
- # (http://goteleport.com/docs/access-controls/guides/passwordless/#optional-enable-passwordless-by-default).
- # Defaults to "local".
- connectorName: ""
-
- # Enable/disable local authentication by setting `authentication.local_auth` in `teleport.yaml`.
- # Disabling local auth is required for FedRAMP / FIPS; see https://gravitational.com/teleport/docs/enterprise/ssh-kubernetes-fedramp/.
- localAuth: true
-
- # Controls the locking mode: in case of network split should Teleport guarantee availability or integrity ?
- # Possible values are "best_effort" and "strict". When not defined, Teleport defaults to "best_effort".
- # See https://goteleport.com/docs/access-controls/guides/locking/#next-steps-locking-modes.
- lockingMode: ""
-
- # Second factor requirements for users of the Teleport cluster.
- # Controls the `auth_config.authentication.second_factor` field in `teleport.yaml`.
- # Possible values are 'off', 'on', 'otp', 'optional' and 'webauthn'.
- #
- # WARNING:
- # If you set `publicAddr` for users to access the cluster under a domain different
- # to clusterName you must manually set the webauthn Relying
- # Party Identifier (RP ID) - https://www.w3.org/TR/webauthn-2/#relying-party-identifier
- # If you don't, RP ID will default to `clusterName` and users will fail
- # to register second factors.
- #
- # You can do this by setting the value
- # `auth.teleportConfig.auth_service.authentication.webauthn.rp_id`.
- #
- # RP ID must be both a valid domain, and part of the full domain users are connecting to.
- # For example, if users are accessing the cluster with the domain
- # "teleport.example.com", RP ID can be "teleport.example.com" or "example.com".
- #
- # Changing the RP ID will invalidate all already registered webauthn second factors.
- secondFactor: "on"
-
- # (Optional) When using webauthn this allows to restrict which vendor and key models can be used.
- # webauthn:
- # attestationAllowedCas:
- # - /path/to/allowed_ca.pem
- # - |
- # -----BEGIN CERTIFICATE-----
- # ...
- # -----END CERTIFICATE-----
- # attestationDeniedCas:
- # - /path/to/denied_ca.pem
- # - |
- # -----BEGIN CERTIFICATE-----
- # ...
- # -----END CERTIFICATE-----
-
-# Deprecated way to set the authentication type, `authentication.type` should be preferred.
-# authenticationType: local
-
-# Deprecated way to set the authentication second factor, `authentication.secondFactor` should be preferred.
-# authenticationSecondFactor:
-# secondFactor: "otp"
-
-# Teleport supports TLS routing. In this mode, all client connections are wrapped in TLS and multiplexed on one Teleport proxy port.
-# Default mode will not utilize TLS routing and operate in backwards-compatibility mode.
-#
-# To use an ingress, set proxyListenerMode=multiplex, ingress.enabled=true and service.type=ClusterIP
-#
-# Possible values are 'separate' and 'multiplex'
-proxyListenerMode: "multiplex"
-
-# Optional setting for configuring session recording.
-# See `session_recording` under https://goteleport.com/docs/setup/reference/config/#teleportyaml
-sessionRecording: ""
-
-# By default, Teleport will multiplex Postgres and MongoDB database connections on the same port as the proxy's web listener (443)
-# Setting either of these values to true will separate the listeners out onto a separate port (5432 for Postgres, 27017 for MongoDB)
-# This is useful when terminating TLS at a load balancer in front of Teleport (such as when using AWS ACM)
-# These settings will not apply if proxyListenerMode is set to "multiplex".
-separatePostgresListener: false
-separateMongoListener: false
-
-# Do not set any of these values unless you explicitly need to. Teleport always uses the cluster name by default.
-#
-# WARNING:
-# If you set `publicAddr` for users to access the cluster under a domain different
-# to clusterName, you must manually set the webauthn Relying
-# Party Identifier (RP ID) - https://www.w3.org/TR/webauthn-2/#relying-party-identifier
-# If you don't, RP ID will default to `clusterName` and users will fail
-# to register second factors.
-#
-# You can do this by setting the value
-# `auth.teleportConfig.auth_service.authentication.webauthn.rp_id`.
-#
-# RP ID must be both a valid domain, and part of the full domain users are connecting to.
-# For example, if users are accessing the cluster with the domain
-# "teleport.example.com", RP ID can be "teleport.example.com" or "example.com".
-#
-# Changing the RP ID will invalidate all already registered webauthn second factors.
-#
-# Public cluster addresses, including port (e.g. teleport.example.com:443)
-# Defaults to `clusterName` on port 443.
-publicAddr: []
-# Public cluster kube addresses, including port. Defaults to `publicAddr` on port 3026.
-# Only used when `proxyListenerMode` is not 'multiplex'.
-kubePublicAddr: []
-# Public cluster mongo listener addresses, including port. Defaults to `publicAddr` on port 27017.
-# Only used when `proxyListenerMode` is not 'multiplex' and `separateMongoListener` is true.
-mongoPublicAddr: []
-# Public cluster MySQL addresses, including port. Defaults to `publicAddr` on port 3036.
-# Only used when `proxyListenerMode` is not 'multiplex'.
-mysqlPublicAddr: []
-# Public cluster postgres listener addresses, including port. Defaults to `publicAddr` on port 5432.
-# Only used when `proxyListenerMode` is not 'multiplex' and `separatePostgresListener` is true.
-postgresPublicAddr: []
-# Public cluster SSH addresses, including port. Defaults to `publicAddr` on port 3023.
-# Only used when `proxyListenerMode` is not 'multiplex'.
-sshPublicAddr: []
-# Public cluster tunnel SSH addresses, including port. Defaults to `publicAddr` on port 3024.
-# Only used when `proxyListenerMode` is not 'multiplex'.
-tunnelPublicAddr: []
-
-# ACME is a protocol for getting Web X.509 certificates
-# Note: ACME can only be used for single-instance clusters. It is not suitable for use in HA configurations.
-# For HA configurations, see either the "highAvailability.certManager" or "tls" values.
-# Setting acme to 'true' enables the ACME protocol and will attempt to get a free TLS certificate from Let's Encrypt.
-# Setting acme to 'false' (the default) will cause Teleport to generate and use self-signed certificates for its web UI.
-# This section is mutually exclusive with the "tls" value below.
-acme: false
-# acmeEmail is the email address to provide during certificate registration (this is a Let's Encrypt requirement)
-acmeEmail: ""
-# acmeURI is the ACME server to use for getting certificates. The default is to use Let's Encrypt's production server.
-acmeURI: ""
-
-# Set enterprise to true to use enterprise image
-# You will need to download your Enterprise license from the Teleport dashboard and create a secret to use this:
-# kubectl -n ${TELEPORT_NAMESPACE?} create secret generic license --from-file=/path/to/downloaded/license.pem
-enterprise: false
-
-# CRDs are installed by default when the operator is enabled. This manual override allows to disable CRD installation
-# when deploying multiple releases in the same cluster.
-# installCRDs:
-
-# Configuration of the optional Teleport operator
-operator:
- # Set enabled to true to add the Kubernetes Teleport Operator
- enabled: true
- # Kubernetes Teleport Operator image
- image: public.ecr.aws/gravitational/teleport-operator
- # Resources to request for the operator container
- # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
- resources: {}
- # requests:
- # cpu: "0.5"
- # memory: "1Gi"
- # limits:
- # memory: "1Gi"
-
-# If true, create & use Pod Security Policy resources
-# https://kubernetes.io/docs/concepts/policy/pod-security-policy/
-# WARNING: the PSP won't be deployed for Kubernetes 1.23 and higher.
-# Please read https://goteleport.com/docs/deploy-a-cluster/helm-deployments/migration-kubernetes-1-25-psp/
-podSecurityPolicy:
- enabled: false
-
-# Labels is a map of key-value pairs about this cluster
-labels: {}
-
-# Mode to deploy the chart in. The default is "standalone". Options:
-# - "standalone": will deploy a Teleport container running auth and proxy services with a PersistentVolumeClaim for storage.
-# - "aws": will deploy Teleport using DynamoDB for backend/audit log storage and S3 for session recordings. (1)
-# - "gcp": will deploy Teleport using Firestore for backend/audit log storage and Google Cloud storage for session recordings. (2)
-# - "azure": will deploy Teleport using Azure Database for PostgreSQL for backend/audit and Azure Blob Storage for session recordings. (3)
-# - "scratch": will deploy Teleport containers but will not provide default configuration file. You must pass your own configuration. (4)
-# (1) To use "aws" mode, you must also configure the "aws" section below.
-# (2) To use "gcp" mode, you must also configure the "gcp" section below.
-# (3) To use "azure" mode, you must also configure the "azure" section below.
-# (4) When set to "scratch", you must write the teleport configuration in auth.teleportConfig and proxy.teleportConfig.
-# `scratch` usage is strongly discouraged, this is a last resort option and
-# everything should be doable with `standalone` mode + overrides through
-# `auth.teleportConfig` and `proxy.teleportConfig`.
-chartMode: standalone
-
-# validateConfigOnDeploy enables a Kubernetes job before install and upgrade that will verify
-# if the teleport.yaml configuration is valid and will block the deployment if it is not
-validateConfigOnDeploy: true
-
-# Whether the chart should create a Teleport ProvisionToken for the proxies to join the Teleport cluster.
-# Disabling this flag will cause the proxies not to be able to join the auth pods. In this case, the
-# Helm chart user is responsible for configuring working join_params on the proxy.
-createProxyToken: true
-
-# podMonitor controls the PodMonitor CR (from monitoring.coreos.com/v1)
-# This CRD is managed by the prometheus-operator and allows workload to
-# get monitored. To use this value, you need to run a `prometheus-operator`
-# in the cluster for this value to take effect.
-# See https://prometheus-operator.dev/docs/prologue/introduction/
-podMonitor:
- # Whether the chart should deploy a PodMonitor.
- # Disabled by default as it requires the PodMonitor CRD to be installed.
- enabled: true
- # additionalLabels to put on the PodMonitor.
- # This is used to be selected by a specific prometheus instance.
- # Defaults to {prometheus: default} which seems to be the common default prometheus selector
- additionalLabels:
- prometheus: k8s
- # interval is the interval between two metrics scrapes. Defaults to 30s
- interval: 30s
-
-######################################################################
-# Persistence settings (only used in "standalone" and "scratch" modes)
-# NOTE: Changes in Kubernetes 1.23+ mean that persistent volumes will not automatically be provisioned in AWS EKS clusters
-# without additional configuration. See https://docs.aws.amazon.com/eks/latest/userguide/ebs-csi.html for more details.
-# This driver addon must be configured to use persistent volumes in EKS clusters after Kubernetes 1.23.
-######################################################################
-persistence:
- # Enable persistence using a PersistentVolumeClaim
- enabled: true
- # Leave blank to automatically create a PersistentVolumeClaim for Teleport storage.
- # If you would like to use a pre-existing PersistentVolumeClaim, put its name here.
- existingClaimName: ""
- # Size of persistent volume to request when created by Teleport.
- # Ignored if existingClaimName is provided.
- volumeSize: 10Gi
-
-##################################################
-# AWS-specific settings (only used in "aws" mode)
-##################################################
-aws:
- # The AWS region where the DynamoDB tables are located.
- region: ""
- # The DynamoDB table name to use for backend storage. Teleport will attempt to create this table automatically if it does not exist.
- # The container will need an appropriately-provisioned IAM role with permissions to create DynamoDB tables.
- backendTable: ""
- # The DynamoDB table name to use for audit log storage. Teleport will attempt to create this table automatically if it does not exist.
- # The container will need an appropriately-provisioned IAM role with permissions to create DynamoDB tables.
- # This MUST NOT be the same table name as used for 'backendTable' as the schemas are different.
- auditLogTable: ""
- # Whether to mirror audit log entries to stdout in JSON format (useful for external log collectors)
- auditLogMirrorOnStdout: false
- # The S3 bucket name to use for recorded session storage. Teleport will attempt to create this bucket automatically if it does not exist.
- # The container will need an appropriately-provisioned IAM role with permissions to create S3 buckets.
- sessionRecordingBucket: ""
- # Whether or not to turn on DynamoDB backups
- backups: false
-
- # Whether Teleport should configure DynamoDB's autoscaling.
- # Requires additional statements in the IAM Teleport Policy to be allowed to configure the autoscaling.
- # See https://goteleport.com/docs/setup/reference/backends/#dynamodb-autoscaling
- dynamoAutoScaling: false
-
- # DynamoDB autoscaling settings. Required if `dynamoAutoScaling` is `true`.
- # See https://goteleport.com/docs/setup/reference/backends/#dynamodb-autoscaling
- readMinCapacity: null # Integer
- readMaxCapacity: null # Integer
- readTargetValue: null # Float
- writeMinCapacity: null # Integer
- writeMaxCapacity: null # Integer
- writeTargetValue: null # Float
-
-##################################################
-# GCP-specific settings (only used in "gcp" mode)
-##################################################
-gcp:
- # The project name being used for the GCP account where Teleport is running.
- # See https://support.google.com/googleapi/answer/7014113?hl=en
- projectId: ""
- # The Firestore collection to use for backend storage. Teleport will attempt to create this collection automatically if it does not exist.
- # Either of the following must be true:
- # - The container will need an appropriately-provisioned IAM role/service account with permissions to create Firestore collections
- # - The service account credentials provided via 'credentialSecretName' will need permissions to create Firestore collections.
- backendTable: ""
- # The Firestore collection to use for audit log storage. Teleport will attempt to create this collection automatically if it does not exist.
- # Either of the following must be true:
- # - The container will need an appropriately-provisioned IAM role/service account with permissions to create Firestore collections
- # - The service account credentials provided via 'credentialSecretName' will need permissions to create Firestore collections.
- # This MUST NOT be the same collection name as used for 'backendTable' as the schemas are different.
- auditLogTable: ""
- # Whether to mirror audit log entries to stdout in JSON format (useful for external log collectors)
- auditLogMirrorOnStdout: false
- # The Google storage bucket name to use for recorded session storage. This bucket must already exist in the Google account being used.
- sessionRecordingBucket: ""
- # The name of the Kubernetes secret used to store the Google credentials.
- # You will need to create this secret manually. It must contain a JSON file from Google with the credentials that Teleport will use.
- # You can override this to a blank value if the worker node running Teleport already has a service account which grants access.
- credentialSecretName: teleport-gcp-credentials
-
-#####################################################
-# Azure-specific settings (only used in "azure" mode)
-#####################################################
-azure:
- # The fully qualified hostname of the Postgres database cluster hosted in Azure.
- # It should follow the format ".postgres.database.azure.com".
- databaseHost: ""
- # The Postgres user Teleport must use to connect to the backend and audit
- # databases.
- databaseUser: ""
- # The Postgres database to use for backend storage.
- backendDatabase: "teleport_backend"
- # The Postgres database to use for audit log storage.
- # This MUST NOT be the same database as used for 'backendDatabase'.
- auditLogDatabase: "teleport_audit"
- # Whether to mirror audit log entries to stdout in JSON format (useful for external log collectors)
- auditLogMirrorOnStdout: false
- # The fully qualified domain name of the Azure Blob Storage account to use for
- # recorded session storage. This account must already exist.
- # It should follow the format ".blob.core.windows.net"
- sessionRecordingStorageAccount: ""
- # Azure client ID is used by the Kubernetes Service Account to know which
- # Application it should impersonate. This can be unset only if the clientID is
- # passed through other means (e.g. environment variable)
- clientID: ""
- # Controls the `pool_max_conns` setting passed to PostgreSQL. This is the
- # max amount of connections Teleport can open to the database. This can affect
- # performance on large clusters and depends on various factors like the
- # database size, the number of CPU cores available for Teleport, GOMAXPROCS
- # and the database latency.
- # This only applies to the core backend connections, not the audit log ones.
- # 0 means the parameter is not set and the client's default is used (recommended)
- databasePoolMaxConnections: 0
-
-# `highAvailability` contains settings controlling how Teleport pods are
-# replicated and scheduled. This allows Teleport to run in a highly-available
-# fashion: Teleport should sustain the crash/loss of a machine without interrupting
-# the service.
-#
-# For auth pods:
-# When using "standalone" or "scratch" mode, you must use highly-available storage
-# (etcd, DynamoDB or Firestore) for multiple replicas to be supported.
-# Manually configuring NFS-based storage or ReadWriteMany volume claims
-# is NOT supported and will result in errors. Using Teleport's built-in
-# ACME client (as opposed to using cert-manager or passing certs through a secret)
-# is not supported with multiple replicas.
-# For proxy pods:
-# Proxy pods need to be provided a certificate to be replicated (either via
-# `tls.existingSecretName` or via `highAvailability.certManager`).
-# If proxy pods are replicable, they will default to 2 replicas,
-# even if `highAvailability.replicaCount` is 1. To force a single proxy replica,
-# set `proxy.highAvailability.replicaCount: 1`.
-highAvailability:
- # Controls the amount of pod replicas. The `highAvailability` comment describes
- # the replication requirements.
- #
- # WARNING: You **must** meet the replication criteria,
- # else the deployment will result in errors and inconsistent data.
- replicaCount: 1
- # Setting 'requireAntiAffinity' to true will use 'requiredDuringSchedulingIgnoredDuringExecution' to require that multiple Teleport pods must not be scheduled on the
- # same physical host. This will result in Teleport pods failing to be scheduled in very small clusters or during node downtime, so should be used with caution.
- # Setting 'requireAntiAffinity' to false (the default) uses 'preferredDuringSchedulingIgnoredDuringExecution' to make this a soft requirement.
- # This setting only has any effect when replicaCount is greater than 1.
- requireAntiAffinity: false
- # If enabled will create a Pod Disruption Budget
- # https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
- podDisruptionBudget:
- enabled: false
- minAvailable: 1
- # Settings for cert-manager (can be used for provisioning TLS certs in HA mode)
- # These settings are mutually exclusive with the "tls" value below.
- certManager:
- # If set to true, use cert-manager to get certificates for Teleport to use for TLS termination
- enabled: true
- # If set to true, a common name matching the cluster name will be set in the certificate signing request. This is mandatory for some CAs.
- addCommonName: false
- # If set to true, any additional public addresses configured under the `publicAddr` chart value will be added to the certificate signing request.
- # This setting is not enabled by default to preserve backward compatibility.
- addPublicAddrs: false
- # Name of the Issuer/ClusterIssuer to use for certs
- # NOTE: You will always need to create this yourself when certManager.enabled is true.
- issuerName: "letsencrypt-prod"
- # Kind of Issuer that cert-manager should look for.
- # This defaults to 'Issuer' to keep everything contained within the teleport namespace.
- issuerKind: ClusterIssuer
- # Group of Issuer that cert-manager should look for.
- # This defaults to 'cert-manager.io' which is the default Issuer group.
- issuerGroup: cert-manager.io
- # Injects delay when performing pod rollouts to mitigate the loss of all agent tunnels at the same time
- # See https://github.com/gravitational/teleport/issues/13129
- minReadySeconds: 15
-
-# Settings for mounting your own TLS keypair to secure Teleport's web UI.
-# These settings are mutually exclusive with the "highAvailability.certManager" and "acme" values above.
-tls:
- # Name of an existing secret to use which contains a TLS keypair. Will automatically set the https_keypairs section in teleport.yaml.
- # Create the secret in the same namespace as Teleport using `kubectl create secret tls my-tls-secret --cert=/path/to/cert/file --key=/path/to/key/file`
- # See https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets for more information.
- existingSecretName: ""
- # (optional) Name of an existing secret to use which contains a CA or trust bundle in x509 PEM format.
- # Useful for building trust when using intermediate certificate authorities.
- # This will automatically set the SSL_CERT_FILE environment variable to trust the CA.
- # Create the secret with `kubectl create secret generic --from-file=ca.pem=/path/to/root-ca.pem
- # The filename inside the secret is important - it _must_ be ca.pem
- existingCASecretName: ""
-
-##################################################
-# Values that you shouldn't need to change.
-##################################################
-
-# Container image for the cluster.
-# Since version 13, hardened distroless images are used by default.
-# You can use the deprecated debian-based images by setting the value to
-# `public.ecr.aws/gravitational/teleport`. Those images will be
-# removed with teleport 14.
-image: public.ecr.aws/gravitational/teleport-distroless
-# Enterprise version of the image
-# Since version 13, hardened distroless images are used by default.
-# You can use the deprecated debian-based images by setting the value to
-# `public.ecr.aws/gravitational/teleport-ent`. Those images will be
-# removed with teleport 14.
-enterpriseImage: public.ecr.aws/gravitational/teleport-ent-distroless
-# Optional array of imagePullSecrets, to use when pulling from a private registry
-imagePullSecrets: []
-# Teleport logging configuration
-log:
- # Log level for the Teleport process.
- # Available log levels are: DEBUG, INFO, WARNING, ERROR.
- # The default is INFO, which is recommended in production.
- # DEBUG is useful during first-time setup or to see more detailed logs for debugging.
- level: INFO
- # Log output
- # Use a file path to log to disk: e.g. '/var/lib/teleport/teleport.log'
- # Other supported values: 'stdout', 'stderr' and 'syslog'
- output: stderr
- # Log format configuration
- # Possible output values are 'json' and 'text' (default).
- format: text
- # Possible extra_fields values include: timestamp, component, caller, and level.
- # All extra fields are included by default.
- extraFields: ["timestamp", "level", "component", "caller"]
-
-##################################
-# Extra Kubernetes configuration #
-##################################
-
-# nodeSelector to apply for pod assignment
-# https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
-nodeSelector: {}
-
-# Affinity for pod assignment
-# https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
-# NOTE: If affinity is set here, highAvailability.requireAntiAffinity cannot also be used - you can only set one or the other.
-affinity: {}
-
-# Kubernetes annotations to apply
-# https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
-annotations:
- # Annotations for the ConfigMap
- config: {}
- # Annotations for the Deployment
- deployment: {}
- # Annotations for each Pod in the Deployment
- pod: {}
- # Annotations for the Service object
- service: {}
- # Annotations for the ServiceAccount object
- serviceAccount: {}
- # Annotations for the certificate secret generated by cert-manager v1.5+ when
- # highAvailability.certManager.enabled is true
- certSecret: {}
- # Annotations for the Ingress object
- ingress:
- kubernetes.io/ingress.class: nginx
- nginx.ingress.kubernetes.io/backend-protocol: HTTPS
- nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
- nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
- nginx.ingress.kubernetes.io/affinity: "cookie"
- nginx.ingress.kubernetes.io/session-cookie-name: "http-cookie"
- nginx.ingress.kubernetes.io/session-cookie-expires: "172800"
- nginx.ingress.kubernetes.io/session-cookie-max-age: "172800"
-
-# Kubernetes service account to create/use.
-serviceAccount:
- # Specifies whether a ServiceAccount should be created
- create: true
- # The name of the ServiceAccount to use.
- # If not set and serviceAccount.create is true, the name is generated using the release name.
- # If create is false, the name will be used to reference an existing service account.
- name: ""
- # To set annotations on the service account, use the annotations.serviceAccount value.
-
-# Set to true (default) to create Kubernetes ClusterRole and ClusterRoleBinding.
-rbac:
- # Specifies whether a ClusterRole and ClusterRoleBinding should be created.
- # Set to false if your cluster level resources are managed separately.
- create: true
-
-# Options for the Teleport proxy service
-# This setting only applies to the proxy service. The teleport auth service is internal-only and always uses a ClusterIP.
-# You can override the proxy's backend service to any service type (other than "LoadBalancer") here if really needed.
-# To use an Ingress, set service.type=ClusterIP and ingress.enabled=true
-service:
- type: ClusterIP
- # Additional entries here will be added to the service spec.
- spec: {}
- # loadBalancerIP: "1.2.3.4"
-
-# Options for ingress
-# If you set ingress.enabled to true, service.type MUST also be set to something other than "LoadBalancer" to prevent
-# additional unnecessary load balancers from being created. Ingress controllers should provision their own load balancer.
-# Using an Ingress also requires that you use the `tsh` client to connect to Kubernetes clusters and databases behind Teleport.
-# See https://goteleport.com/docs/architecture/tls-routing/#working-with-layer-7-load-balancers-or-reverse-proxies-preview for details.
-ingress:
- enabled: true
- # Setting suppressAutomaticWildcards to true will not automatically add *. as a hostname served
- # by the Ingress. This may be desirable if you don't use Teleport Application Access.
- suppressAutomaticWildcards: false
- # Additional entries here will be added to the ingress spec.
- spec: {}
- # ingressClassName: nginx
-
-# Extra arguments to pass to 'teleport start' for the main Teleport pod
-extraArgs: []
-
-# Extra environment to be configured on the Teleport pod
-extraEnv: []
-
-# Extra containers to be added to the Teleport pod
-extraContainers: []
-# - name: nscenter
-# command:
-# - /bin/bash
-# - -c
-# - sleep infinity & wait
-# image: praqma/network-multitool
-# imagePullPolicy: IfNotPresent
-# securityContext:
-# privileged: true
-# runAsNonRoot: false
-
-# Extra volumes to mount into the Teleport pods
-# https://kubernetes.io/docs/concepts/storage/volumes/
-extraVolumes: []
-# - name: myvolume
-# secret:
-# secretName: testSecret
-
-# Extra volume mounts corresponding to the volumes mounted above
-extraVolumeMounts: []
-# - name: myvolume
-# mountPath: /path/on/host
-
-# Allow the imagePullPolicy to be overridden
-imagePullPolicy: IfNotPresent
-
-# A list of initContainers to run before each Teleport pod starts
-# https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
-initContainers: []
-# - name: "teleport-init"
-# image: "alpine"
-# args: ["echo test"]
-
-# If set, will run the command as a postStart handler
-# https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/
-postStart:
- command: []
-
-# Resources to request for the teleport container
-# https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
-resources: {}
-# requests:
-# cpu: "1"
-# memory: "2Gi"
-
-# Security context to add to the container
-securityContext: {}
- # runAsUser: 99
-
-# Priority class name to add to the deployment
-priorityClassName: ""
-
-# Tolerations for pod assignment
-# https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
-tolerations: []
-
-# Timeouts for the readiness and liveness probes
-# https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
-probeTimeoutSeconds: 1
-
-# Kubernetes termination grace period
-#
https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution
-#
-# This should be greater than 30 seconds as pods are waiting 30 seconds in a preStop hook.
-terminationGracePeriodSeconds: 60
diff --git a/teleport-cluster-14.2.0/.lint/acme-off.yaml b/teleport-cluster-14.3.0/.lint/acme-off.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/acme-off.yaml
rename to teleport-cluster-14.3.0/.lint/acme-off.yaml
diff --git a/teleport-cluster-14.2.0/.lint/acme-on.yaml b/teleport-cluster-14.3.0/.lint/acme-on.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/acme-on.yaml
rename to teleport-cluster-14.3.0/.lint/acme-on.yaml
diff --git a/teleport-cluster-14.2.0/.lint/acme-uri-staging.yaml b/teleport-cluster-14.3.0/.lint/acme-uri-staging.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/acme-uri-staging.yaml
rename to teleport-cluster-14.3.0/.lint/acme-uri-staging.yaml
diff --git a/teleport-cluster-14.2.0/.lint/affinity.yaml b/teleport-cluster-14.3.0/.lint/affinity.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/affinity.yaml
rename to teleport-cluster-14.3.0/.lint/affinity.yaml
diff --git a/teleport-cluster-14.2.0/.lint/annotations.yaml b/teleport-cluster-14.3.0/.lint/annotations.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/annotations.yaml
rename to teleport-cluster-14.3.0/.lint/annotations.yaml
diff --git a/teleport-cluster-14.2.0/.lint/auth-connector-name.yaml b/teleport-cluster-14.3.0/.lint/auth-connector-name.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/auth-connector-name.yaml
rename to teleport-cluster-14.3.0/.lint/auth-connector-name.yaml
diff --git a/teleport-cluster-14.2.0/.lint/auth-disable-local.yaml b/teleport-cluster-14.3.0/.lint/auth-disable-local.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/auth-disable-local.yaml
rename to teleport-cluster-14.3.0/.lint/auth-disable-local.yaml
diff --git a/teleport-cluster-14.2.0/.lint/auth-locking-mode.yaml b/teleport-cluster-14.3.0/.lint/auth-locking-mode.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/auth-locking-mode.yaml
rename to teleport-cluster-14.3.0/.lint/auth-locking-mode.yaml
diff --git a/teleport-cluster-14.2.0/.lint/auth-passwordless.yaml b/teleport-cluster-14.3.0/.lint/auth-passwordless.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/auth-passwordless.yaml
rename to teleport-cluster-14.3.0/.lint/auth-passwordless.yaml
diff --git a/teleport-cluster-14.2.0/.lint/auth-type-legacy.yaml b/teleport-cluster-14.3.0/.lint/auth-type-legacy.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/auth-type-legacy.yaml
rename to teleport-cluster-14.3.0/.lint/auth-type-legacy.yaml
diff --git a/teleport-cluster-14.2.0/.lint/auth-type.yaml b/teleport-cluster-14.3.0/.lint/auth-type.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/auth-type.yaml
rename to teleport-cluster-14.3.0/.lint/auth-type.yaml
diff --git a/teleport-cluster-14.2.0/.lint/auth-webauthn-legacy.yaml b/teleport-cluster-14.3.0/.lint/auth-webauthn-legacy.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/auth-webauthn-legacy.yaml
rename to teleport-cluster-14.3.0/.lint/auth-webauthn-legacy.yaml
diff --git a/teleport-cluster-14.2.0/.lint/auth-webauthn.yaml b/teleport-cluster-14.3.0/.lint/auth-webauthn.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/auth-webauthn.yaml
rename to teleport-cluster-14.3.0/.lint/auth-webauthn.yaml
diff --git a/teleport-cluster-14.2.0/.lint/aws-dynamodb-autoscaling.yaml b/teleport-cluster-14.3.0/.lint/aws-dynamodb-autoscaling.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/aws-dynamodb-autoscaling.yaml
rename to teleport-cluster-14.3.0/.lint/aws-dynamodb-autoscaling.yaml
diff --git a/teleport-cluster-14.2.0/.lint/aws-ha-acme.yaml b/teleport-cluster-14.3.0/.lint/aws-ha-acme.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/aws-ha-acme.yaml
rename to teleport-cluster-14.3.0/.lint/aws-ha-acme.yaml
diff --git a/teleport-cluster-14.2.0/.lint/aws-ha-antiaffinity.yaml b/teleport-cluster-14.3.0/.lint/aws-ha-antiaffinity.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/aws-ha-antiaffinity.yaml
rename to teleport-cluster-14.3.0/.lint/aws-ha-antiaffinity.yaml
diff --git a/teleport-cluster-14.2.0/.lint/aws-ha-log.yaml b/teleport-cluster-14.3.0/.lint/aws-ha-log.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/aws-ha-log.yaml
rename to teleport-cluster-14.3.0/.lint/aws-ha-log.yaml
diff --git a/teleport-cluster-14.2.0/.lint/aws-ha.yaml b/teleport-cluster-14.3.0/.lint/aws-ha.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/aws-ha.yaml
rename to teleport-cluster-14.3.0/.lint/aws-ha.yaml
diff --git a/teleport-cluster-14.2.0/.lint/aws.yaml b/teleport-cluster-14.3.0/.lint/aws.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/aws.yaml
rename to teleport-cluster-14.3.0/.lint/aws.yaml
diff --git a/teleport-cluster-14.2.0/.lint/azure.yaml b/teleport-cluster-14.3.0/.lint/azure.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/azure.yaml
rename to teleport-cluster-14.3.0/.lint/azure.yaml
diff --git a/teleport-cluster-14.2.0/.lint/cert-manager.yaml b/teleport-cluster-14.3.0/.lint/cert-manager.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/cert-manager.yaml
rename to teleport-cluster-14.3.0/.lint/cert-manager.yaml
diff --git a/teleport-cluster-14.2.0/.lint/cert-secret.yaml b/teleport-cluster-14.3.0/.lint/cert-secret.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/cert-secret.yaml
rename to teleport-cluster-14.3.0/.lint/cert-secret.yaml
diff --git a/teleport-cluster-14.2.0/.lint/example-minimal-standalone.yaml b/teleport-cluster-14.3.0/.lint/example-minimal-standalone.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/example-minimal-standalone.yaml
rename to teleport-cluster-14.3.0/.lint/example-minimal-standalone.yaml
diff --git a/teleport-cluster-14.2.0/.lint/existing-tls-secret-with-ca.yaml b/teleport-cluster-14.3.0/.lint/existing-tls-secret-with-ca.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/existing-tls-secret-with-ca.yaml
rename to teleport-cluster-14.3.0/.lint/existing-tls-secret-with-ca.yaml
diff --git a/teleport-cluster-14.2.0/.lint/existing-tls-secret.yaml b/teleport-cluster-14.3.0/.lint/existing-tls-secret.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/existing-tls-secret.yaml
rename to teleport-cluster-14.3.0/.lint/existing-tls-secret.yaml
diff --git a/teleport-cluster-14.2.0/.lint/extra-containers.yaml b/teleport-cluster-14.3.0/.lint/extra-containers.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/extra-containers.yaml
rename to teleport-cluster-14.3.0/.lint/extra-containers.yaml
diff --git a/teleport-cluster-14.2.0/.lint/extra-env.yaml b/teleport-cluster-14.3.0/.lint/extra-env.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/extra-env.yaml
rename to teleport-cluster-14.3.0/.lint/extra-env.yaml
diff --git a/teleport-cluster-14.2.0/.lint/gcp-ha-acme.yaml b/teleport-cluster-14.3.0/.lint/gcp-ha-acme.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/gcp-ha-acme.yaml
rename to teleport-cluster-14.3.0/.lint/gcp-ha-acme.yaml
diff --git a/teleport-cluster-14.2.0/.lint/gcp-ha-antiaffinity.yaml b/teleport-cluster-14.3.0/.lint/gcp-ha-antiaffinity.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/gcp-ha-antiaffinity.yaml
rename to teleport-cluster-14.3.0/.lint/gcp-ha-antiaffinity.yaml
diff --git a/teleport-cluster-14.2.0/.lint/gcp-ha-log.yaml b/teleport-cluster-14.3.0/.lint/gcp-ha-log.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/gcp-ha-log.yaml
rename to teleport-cluster-14.3.0/.lint/gcp-ha-log.yaml
diff --git a/teleport-cluster-14.2.0/.lint/gcp-ha-workload.yaml b/teleport-cluster-14.3.0/.lint/gcp-ha-workload.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/gcp-ha-workload.yaml
rename to teleport-cluster-14.3.0/.lint/gcp-ha-workload.yaml
diff --git a/teleport-cluster-14.2.0/.lint/gcp-ha.yaml b/teleport-cluster-14.3.0/.lint/gcp-ha.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/gcp-ha.yaml
rename to teleport-cluster-14.3.0/.lint/gcp-ha.yaml
diff --git a/teleport-cluster-14.2.0/.lint/gcp.yaml b/teleport-cluster-14.3.0/.lint/gcp.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/gcp.yaml
rename to teleport-cluster-14.3.0/.lint/gcp.yaml
diff --git a/teleport-cluster-14.2.0/.lint/imagepullsecrets.yaml b/teleport-cluster-14.3.0/.lint/imagepullsecrets.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/imagepullsecrets.yaml
rename to teleport-cluster-14.3.0/.lint/imagepullsecrets.yaml
diff --git a/teleport-cluster-14.2.0/.lint/ingress-publicaddr.yaml b/teleport-cluster-14.3.0/.lint/ingress-publicaddr.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/ingress-publicaddr.yaml
rename to teleport-cluster-14.3.0/.lint/ingress-publicaddr.yaml
diff --git a/teleport-cluster-14.2.0/.lint/ingress.yaml b/teleport-cluster-14.3.0/.lint/ingress.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/ingress.yaml
rename to teleport-cluster-14.3.0/.lint/ingress.yaml
diff --git a/teleport-cluster-14.2.0/.lint/initcontainers.yaml b/teleport-cluster-14.3.0/.lint/initcontainers.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/initcontainers.yaml
rename to teleport-cluster-14.3.0/.lint/initcontainers.yaml
diff --git a/teleport-cluster-14.2.0/.lint/kube-cluster-name.yaml b/teleport-cluster-14.3.0/.lint/kube-cluster-name.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/kube-cluster-name.yaml
rename to teleport-cluster-14.3.0/.lint/kube-cluster-name.yaml
diff --git a/teleport-cluster-14.2.0/.lint/log-basic.yaml b/teleport-cluster-14.3.0/.lint/log-basic.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/log-basic.yaml
rename to teleport-cluster-14.3.0/.lint/log-basic.yaml
diff --git a/teleport-cluster-14.2.0/.lint/log-extra.yaml b/teleport-cluster-14.3.0/.lint/log-extra.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/log-extra.yaml
rename to teleport-cluster-14.3.0/.lint/log-extra.yaml
diff --git a/teleport-cluster-14.2.0/.lint/log-legacy.yaml b/teleport-cluster-14.3.0/.lint/log-legacy.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/log-legacy.yaml
rename to teleport-cluster-14.3.0/.lint/log-legacy.yaml
diff --git a/teleport-cluster-14.2.0/.lint/node-selector.yaml b/teleport-cluster-14.3.0/.lint/node-selector.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/node-selector.yaml
rename to teleport-cluster-14.3.0/.lint/node-selector.yaml
diff --git a/teleport-cluster-14.2.0/.lint/operator.yaml b/teleport-cluster-14.3.0/.lint/operator.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/operator.yaml
rename to teleport-cluster-14.3.0/.lint/operator.yaml
diff --git a/teleport-cluster-14.2.0/.lint/pdb.yaml b/teleport-cluster-14.3.0/.lint/pdb.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/pdb.yaml
rename to teleport-cluster-14.3.0/.lint/pdb.yaml
diff --git a/teleport-cluster-14.2.0/.lint/persistence-legacy.yaml b/teleport-cluster-14.3.0/.lint/persistence-legacy.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/persistence-legacy.yaml
rename to teleport-cluster-14.3.0/.lint/persistence-legacy.yaml
diff --git a/teleport-cluster-14.2.0/.lint/podmonitor.yaml b/teleport-cluster-14.3.0/.lint/podmonitor.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/podmonitor.yaml
rename to teleport-cluster-14.3.0/.lint/podmonitor.yaml
diff --git a/teleport-cluster-14.2.0/.lint/priority-class-name.yaml b/teleport-cluster-14.3.0/.lint/priority-class-name.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/priority-class-name.yaml
rename to teleport-cluster-14.3.0/.lint/priority-class-name.yaml
diff --git a/teleport-cluster-14.2.0/.lint/probe-timeout-seconds.yaml b/teleport-cluster-14.3.0/.lint/probe-timeout-seconds.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/probe-timeout-seconds.yaml
rename to teleport-cluster-14.3.0/.lint/probe-timeout-seconds.yaml
diff --git a/teleport-cluster-14.2.0/.lint/proxy-listener-mode-multiplex.yaml b/teleport-cluster-14.3.0/.lint/proxy-listener-mode-multiplex.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/proxy-listener-mode-multiplex.yaml
rename to teleport-cluster-14.3.0/.lint/proxy-listener-mode-multiplex.yaml
diff --git a/teleport-cluster-14.2.0/.lint/proxy-listener-mode-separate.yaml b/teleport-cluster-14.3.0/.lint/proxy-listener-mode-separate.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/proxy-listener-mode-separate.yaml
rename to teleport-cluster-14.3.0/.lint/proxy-listener-mode-separate.yaml
diff --git a/teleport-cluster-14.2.0/.lint/public-addresses.yaml b/teleport-cluster-14.3.0/.lint/public-addresses.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/public-addresses.yaml
rename to teleport-cluster-14.3.0/.lint/public-addresses.yaml
diff --git a/teleport-cluster-14.2.0/.lint/resources.yaml b/teleport-cluster-14.3.0/.lint/resources.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/resources.yaml
rename to teleport-cluster-14.3.0/.lint/resources.yaml
diff --git a/teleport-cluster-14.2.0/.lint/security-context-empty.yaml b/teleport-cluster-14.3.0/.lint/security-context-empty.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/security-context-empty.yaml
rename to teleport-cluster-14.3.0/.lint/security-context-empty.yaml
diff --git a/teleport-cluster-14.2.0/.lint/security-context.yaml b/teleport-cluster-14.3.0/.lint/security-context.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/security-context.yaml
rename to teleport-cluster-14.3.0/.lint/security-context.yaml
diff --git a/teleport-cluster-14.2.0/.lint/separate-mongo-listener.yaml b/teleport-cluster-14.3.0/.lint/separate-mongo-listener.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/separate-mongo-listener.yaml
rename to teleport-cluster-14.3.0/.lint/separate-mongo-listener.yaml
diff --git a/teleport-cluster-14.2.0/.lint/separate-postgres-listener.yaml b/teleport-cluster-14.3.0/.lint/separate-postgres-listener.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/separate-postgres-listener.yaml
rename to teleport-cluster-14.3.0/.lint/separate-postgres-listener.yaml
diff --git a/teleport-cluster-14.2.0/.lint/service-account.yaml b/teleport-cluster-14.3.0/.lint/service-account.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/service-account.yaml
rename to teleport-cluster-14.3.0/.lint/service-account.yaml
diff --git a/teleport-cluster-14.2.0/.lint/service.yaml b/teleport-cluster-14.3.0/.lint/service.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/service.yaml
rename to teleport-cluster-14.3.0/.lint/service.yaml
diff --git a/teleport-cluster-14.2.0/.lint/session-recording.yaml b/teleport-cluster-14.3.0/.lint/session-recording.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/session-recording.yaml
rename to teleport-cluster-14.3.0/.lint/session-recording.yaml
diff --git a/teleport-cluster-14.2.0/.lint/standalone-custom-storage-class.yaml b/teleport-cluster-14.3.0/.lint/standalone-custom-storage-class.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/standalone-custom-storage-class.yaml
rename to teleport-cluster-14.3.0/.lint/standalone-custom-storage-class.yaml
diff --git a/teleport-cluster-14.2.0/.lint/standalone-customsize.yaml b/teleport-cluster-14.3.0/.lint/standalone-customsize.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/standalone-customsize.yaml
rename to teleport-cluster-14.3.0/.lint/standalone-customsize.yaml
diff --git a/teleport-cluster-14.2.0/.lint/standalone-existingpvc.yaml b/teleport-cluster-14.3.0/.lint/standalone-existingpvc.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/standalone-existingpvc.yaml
rename to teleport-cluster-14.3.0/.lint/standalone-existingpvc.yaml
diff --git a/teleport-cluster-14.2.0/.lint/tolerations.yaml b/teleport-cluster-14.3.0/.lint/tolerations.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/tolerations.yaml
rename to teleport-cluster-14.3.0/.lint/tolerations.yaml
diff --git a/teleport-cluster-14.2.0/.lint/version-override.yaml b/teleport-cluster-14.3.0/.lint/version-override.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/version-override.yaml
rename to teleport-cluster-14.3.0/.lint/version-override.yaml
diff --git a/teleport-cluster-14.2.0/.lint/volumes.yaml b/teleport-cluster-14.3.0/.lint/volumes.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/.lint/volumes.yaml
rename to teleport-cluster-14.3.0/.lint/volumes.yaml
diff --git a/teleport-cluster-14.2.0/Chart.yaml b/teleport-cluster-14.3.0/Chart.yaml
similarity index 84%
rename from teleport-cluster-14.2.0/Chart.yaml
rename to teleport-cluster-14.3.0/Chart.yaml
index d8ce69d..d215736 100644
--- a/teleport-cluster-14.2.0/Chart.yaml
+++ b/teleport-cluster-14.3.0/Chart.yaml
@@ -1,13 +1,13 @@
apiVersion: v2
-appVersion: 14.2.0
+appVersion: 14.3.0
dependencies:
- condition: installCRDs,operator.enabled
name: teleport-operator
repository: ""
- version: 14.2.0
+ version: 14.3.0
description: Teleport is an access platform for your infrastructure
icon: https://goteleport.com/images/logos/logo-teleport-square.svg
keywords:
- Teleport
name: teleport-cluster
-version: 14.2.0
+version: 14.3.0
diff --git a/teleport-cluster-14.2.0/README.md b/teleport-cluster-14.3.0/README.md
similarity index 100%
rename from teleport-cluster-14.2.0/README.md
rename to teleport-cluster-14.3.0/README.md
diff --git a/teleport-cluster-14.2.0/charts/teleport-operator/Chart.yaml b/teleport-cluster-14.3.0/charts/teleport-operator/Chart.yaml
similarity index 85%
rename from teleport-cluster-14.2.0/charts/teleport-operator/Chart.yaml
rename to teleport-cluster-14.3.0/charts/teleport-operator/Chart.yaml
index 2d264d9..08584e1 100644
--- a/teleport-cluster-14.2.0/charts/teleport-operator/Chart.yaml
+++ b/teleport-cluster-14.3.0/charts/teleport-operator/Chart.yaml
@@ -1,8 +1,8 @@
apiVersion: v2
-appVersion: 14.2.0
+appVersion: 14.3.0
description: Teleport Operator provides management of select Teleport resources.
icon: https://goteleport.com/images/logos/logo-teleport-square.svg
keywords:
- Teleport
name: teleport-operator
-version: 14.2.0
+version: 14.3.0
diff --git a/teleport-cluster-14.2.0/charts/teleport-operator/templates/resources.teleport.dev_githubconnectors.yaml b/teleport-cluster-14.3.0/charts/teleport-operator/templates/resources.teleport.dev_githubconnectors.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/charts/teleport-operator/templates/resources.teleport.dev_githubconnectors.yaml
rename to teleport-cluster-14.3.0/charts/teleport-operator/templates/resources.teleport.dev_githubconnectors.yaml
diff --git a/teleport-cluster-14.2.0/charts/teleport-operator/templates/resources.teleport.dev_loginrules.yaml b/teleport-cluster-14.3.0/charts/teleport-operator/templates/resources.teleport.dev_loginrules.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/charts/teleport-operator/templates/resources.teleport.dev_loginrules.yaml
rename to teleport-cluster-14.3.0/charts/teleport-operator/templates/resources.teleport.dev_loginrules.yaml
diff --git a/teleport-cluster-14.2.0/charts/teleport-operator/templates/resources.teleport.dev_oidcconnectors.yaml b/teleport-cluster-14.3.0/charts/teleport-operator/templates/resources.teleport.dev_oidcconnectors.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/charts/teleport-operator/templates/resources.teleport.dev_oidcconnectors.yaml
rename to teleport-cluster-14.3.0/charts/teleport-operator/templates/resources.teleport.dev_oidcconnectors.yaml
diff --git a/teleport-cluster-14.2.0/charts/teleport-operator/templates/resources.teleport.dev_oktaimportrules.yaml b/teleport-cluster-14.3.0/charts/teleport-operator/templates/resources.teleport.dev_oktaimportrules.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/charts/teleport-operator/templates/resources.teleport.dev_oktaimportrules.yaml
rename to teleport-cluster-14.3.0/charts/teleport-operator/templates/resources.teleport.dev_oktaimportrules.yaml
diff --git a/teleport-cluster-14.2.0/charts/teleport-operator/templates/resources.teleport.dev_provisiontokens.yaml b/teleport-cluster-14.3.0/charts/teleport-operator/templates/resources.teleport.dev_provisiontokens.yaml
similarity index 95%
rename from teleport-cluster-14.2.0/charts/teleport-operator/templates/resources.teleport.dev_provisiontokens.yaml
rename to teleport-cluster-14.3.0/charts/teleport-operator/templates/resources.teleport.dev_provisiontokens.yaml
index af6aa9c..dda4dd5 100644
--- a/teleport-cluster-14.2.0/charts/teleport-operator/templates/resources.teleport.dev_provisiontokens.yaml
+++ b/teleport-cluster-14.3.0/charts/teleport-operator/templates/resources.teleport.dev_provisiontokens.yaml
@@ -181,6 +181,16 @@ spec:
must be accessible over HTTPS at this hostname and the certificate must be trusted by the Auth Server.
type: string
+ enterprise_slug:
+ description: EnterpriseSlug allows the slug of a GitHub Enterprise
+ organisation to be included in the expected issuer of the OIDC
+ tokens. This is for compatibility with the `include_enterprise_slug`
+ option in GHE. This field should be set to the slug of your
+ enterprise if this is enabled. If this is not enabled, then
+ this field must be left empty. This field cannot be specified
+ if `enterprise_server_host` is specified. See https://docs.github.com/en/enterprise-cloud@latest/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#customizing-the-issuer-value-for-an-enterprise
+ for more information about customised issuer values.
+ type: string
type: object
gitlab:
description: GitLab allows the configuration of options specific to
diff --git a/teleport-cluster-14.2.0/charts/teleport-operator/templates/resources.teleport.dev_roles.yaml b/teleport-cluster-14.3.0/charts/teleport-operator/templates/resources.teleport.dev_roles.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/charts/teleport-operator/templates/resources.teleport.dev_roles.yaml
rename to teleport-cluster-14.3.0/charts/teleport-operator/templates/resources.teleport.dev_roles.yaml
diff --git a/teleport-cluster-14.2.0/charts/teleport-operator/templates/resources.teleport.dev_samlconnectors.yaml b/teleport-cluster-14.3.0/charts/teleport-operator/templates/resources.teleport.dev_samlconnectors.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/charts/teleport-operator/templates/resources.teleport.dev_samlconnectors.yaml
rename to teleport-cluster-14.3.0/charts/teleport-operator/templates/resources.teleport.dev_samlconnectors.yaml
diff --git a/teleport-cluster-14.2.0/charts/teleport-operator/templates/resources.teleport.dev_users.yaml b/teleport-cluster-14.3.0/charts/teleport-operator/templates/resources.teleport.dev_users.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/charts/teleport-operator/templates/resources.teleport.dev_users.yaml
rename to teleport-cluster-14.3.0/charts/teleport-operator/templates/resources.teleport.dev_users.yaml
diff --git a/teleport-cluster-14.2.0/templates/NOTES.txt b/teleport-cluster-14.3.0/templates/NOTES.txt
similarity index 100%
rename from teleport-cluster-14.2.0/templates/NOTES.txt
rename to teleport-cluster-14.3.0/templates/NOTES.txt
diff --git a/teleport-cluster-14.2.0/templates/_helpers.tpl b/teleport-cluster-14.3.0/templates/_helpers.tpl
similarity index 100%
rename from teleport-cluster-14.2.0/templates/_helpers.tpl
rename to teleport-cluster-14.3.0/templates/_helpers.tpl
diff --git a/teleport-cluster-14.2.0/templates/auth/_config.aws.tpl b/teleport-cluster-14.3.0/templates/auth/_config.aws.tpl
similarity index 100%
rename from teleport-cluster-14.2.0/templates/auth/_config.aws.tpl
rename to teleport-cluster-14.3.0/templates/auth/_config.aws.tpl
diff --git a/teleport-cluster-14.2.0/templates/auth/_config.azure.tpl b/teleport-cluster-14.3.0/templates/auth/_config.azure.tpl
similarity index 100%
rename from teleport-cluster-14.2.0/templates/auth/_config.azure.tpl
rename to teleport-cluster-14.3.0/templates/auth/_config.azure.tpl
diff --git a/teleport-cluster-14.2.0/templates/auth/_config.common.tpl b/teleport-cluster-14.3.0/templates/auth/_config.common.tpl
similarity index 100%
rename from teleport-cluster-14.2.0/templates/auth/_config.common.tpl
rename to teleport-cluster-14.3.0/templates/auth/_config.common.tpl
diff --git a/teleport-cluster-14.2.0/templates/auth/_config.gcp.tpl b/teleport-cluster-14.3.0/templates/auth/_config.gcp.tpl
similarity index 100%
rename from teleport-cluster-14.2.0/templates/auth/_config.gcp.tpl
rename to teleport-cluster-14.3.0/templates/auth/_config.gcp.tpl
diff --git a/teleport-cluster-14.2.0/templates/auth/_config.scratch.tpl b/teleport-cluster-14.3.0/templates/auth/_config.scratch.tpl
similarity index 100%
rename from teleport-cluster-14.2.0/templates/auth/_config.scratch.tpl
rename to teleport-cluster-14.3.0/templates/auth/_config.scratch.tpl
diff --git a/teleport-cluster-14.2.0/templates/auth/_config.standalone.tpl b/teleport-cluster-14.3.0/templates/auth/_config.standalone.tpl
similarity index 100%
rename from teleport-cluster-14.2.0/templates/auth/_config.standalone.tpl
rename to teleport-cluster-14.3.0/templates/auth/_config.standalone.tpl
diff --git a/teleport-cluster-14.2.0/templates/auth/clusterrole.yaml b/teleport-cluster-14.3.0/templates/auth/clusterrole.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/templates/auth/clusterrole.yaml
rename to teleport-cluster-14.3.0/templates/auth/clusterrole.yaml
diff --git a/teleport-cluster-14.2.0/templates/auth/clusterrolebinding.yaml b/teleport-cluster-14.3.0/templates/auth/clusterrolebinding.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/templates/auth/clusterrolebinding.yaml
rename to teleport-cluster-14.3.0/templates/auth/clusterrolebinding.yaml
diff --git a/teleport-cluster-14.2.0/templates/auth/config.yaml b/teleport-cluster-14.3.0/templates/auth/config.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/templates/auth/config.yaml
rename to teleport-cluster-14.3.0/templates/auth/config.yaml
diff --git a/teleport-cluster-14.2.0/templates/auth/deployment.yaml b/teleport-cluster-14.3.0/templates/auth/deployment.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/templates/auth/deployment.yaml
rename to teleport-cluster-14.3.0/templates/auth/deployment.yaml
diff --git a/teleport-cluster-14.2.0/templates/auth/pdb.yaml b/teleport-cluster-14.3.0/templates/auth/pdb.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/templates/auth/pdb.yaml
rename to teleport-cluster-14.3.0/templates/auth/pdb.yaml
diff --git a/teleport-cluster-14.2.0/templates/auth/predeploy_config.yaml b/teleport-cluster-14.3.0/templates/auth/predeploy_config.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/templates/auth/predeploy_config.yaml
rename to teleport-cluster-14.3.0/templates/auth/predeploy_config.yaml
diff --git a/teleport-cluster-14.2.0/templates/auth/predeploy_job.yaml b/teleport-cluster-14.3.0/templates/auth/predeploy_job.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/templates/auth/predeploy_job.yaml
rename to teleport-cluster-14.3.0/templates/auth/predeploy_job.yaml
diff --git a/teleport-cluster-14.2.0/templates/auth/pvc.yaml b/teleport-cluster-14.3.0/templates/auth/pvc.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/templates/auth/pvc.yaml
rename to teleport-cluster-14.3.0/templates/auth/pvc.yaml
diff --git a/teleport-cluster-14.2.0/templates/auth/service-previous-version.yaml b/teleport-cluster-14.3.0/templates/auth/service-previous-version.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/templates/auth/service-previous-version.yaml
rename to teleport-cluster-14.3.0/templates/auth/service-previous-version.yaml
diff --git a/teleport-cluster-14.2.0/templates/auth/service.yaml b/teleport-cluster-14.3.0/templates/auth/service.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/templates/auth/service.yaml
rename to teleport-cluster-14.3.0/templates/auth/service.yaml
diff --git a/teleport-cluster-14.2.0/templates/auth/serviceaccount.yaml b/teleport-cluster-14.3.0/templates/auth/serviceaccount.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/templates/auth/serviceaccount.yaml
rename to teleport-cluster-14.3.0/templates/auth/serviceaccount.yaml
diff --git a/teleport-cluster-14.2.0/templates/podmonitor.yaml b/teleport-cluster-14.3.0/templates/podmonitor.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/templates/podmonitor.yaml
rename to teleport-cluster-14.3.0/templates/podmonitor.yaml
diff --git a/teleport-cluster-14.2.0/templates/proxy/_config.aws.tpl b/teleport-cluster-14.3.0/templates/proxy/_config.aws.tpl
similarity index 100%
rename from teleport-cluster-14.2.0/templates/proxy/_config.aws.tpl
rename to teleport-cluster-14.3.0/templates/proxy/_config.aws.tpl
diff --git a/teleport-cluster-14.2.0/templates/proxy/_config.azure.tpl b/teleport-cluster-14.3.0/templates/proxy/_config.azure.tpl
similarity index 100%
rename from teleport-cluster-14.2.0/templates/proxy/_config.azure.tpl
rename to teleport-cluster-14.3.0/templates/proxy/_config.azure.tpl
diff --git a/teleport-cluster-14.2.0/templates/proxy/_config.common.tpl b/teleport-cluster-14.3.0/templates/proxy/_config.common.tpl
similarity index 100%
rename from teleport-cluster-14.2.0/templates/proxy/_config.common.tpl
rename to teleport-cluster-14.3.0/templates/proxy/_config.common.tpl
diff --git a/teleport-cluster-14.2.0/templates/proxy/_config.gcp.tpl b/teleport-cluster-14.3.0/templates/proxy/_config.gcp.tpl
similarity index 100%
rename from teleport-cluster-14.2.0/templates/proxy/_config.gcp.tpl
rename to teleport-cluster-14.3.0/templates/proxy/_config.gcp.tpl
diff --git a/teleport-cluster-14.2.0/templates/proxy/_config.scratch.tpl b/teleport-cluster-14.3.0/templates/proxy/_config.scratch.tpl
similarity index 100%
rename from teleport-cluster-14.2.0/templates/proxy/_config.scratch.tpl
rename to teleport-cluster-14.3.0/templates/proxy/_config.scratch.tpl
diff --git a/teleport-cluster-14.2.0/templates/proxy/_config.standalone.tpl b/teleport-cluster-14.3.0/templates/proxy/_config.standalone.tpl
similarity index 100%
rename from teleport-cluster-14.2.0/templates/proxy/_config.standalone.tpl
rename to teleport-cluster-14.3.0/templates/proxy/_config.standalone.tpl
diff --git a/teleport-cluster-14.2.0/templates/proxy/certificate.yaml b/teleport-cluster-14.3.0/templates/proxy/certificate.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/templates/proxy/certificate.yaml
rename to teleport-cluster-14.3.0/templates/proxy/certificate.yaml
diff --git a/teleport-cluster-14.2.0/templates/proxy/config.yaml b/teleport-cluster-14.3.0/templates/proxy/config.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/templates/proxy/config.yaml
rename to teleport-cluster-14.3.0/templates/proxy/config.yaml
diff --git a/teleport-cluster-14.2.0/templates/proxy/deployment.yaml b/teleport-cluster-14.3.0/templates/proxy/deployment.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/templates/proxy/deployment.yaml
rename to teleport-cluster-14.3.0/templates/proxy/deployment.yaml
diff --git a/teleport-cluster-14.2.0/templates/proxy/ingress.yaml b/teleport-cluster-14.3.0/templates/proxy/ingress.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/templates/proxy/ingress.yaml
rename to teleport-cluster-14.3.0/templates/proxy/ingress.yaml
diff --git a/teleport-cluster-14.2.0/templates/proxy/pdb.yaml b/teleport-cluster-14.3.0/templates/proxy/pdb.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/templates/proxy/pdb.yaml
rename to teleport-cluster-14.3.0/templates/proxy/pdb.yaml
diff --git a/teleport-cluster-14.2.0/templates/proxy/predeploy_config.yaml b/teleport-cluster-14.3.0/templates/proxy/predeploy_config.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/templates/proxy/predeploy_config.yaml
rename to teleport-cluster-14.3.0/templates/proxy/predeploy_config.yaml
diff --git a/teleport-cluster-14.2.0/templates/proxy/predeploy_job.yaml b/teleport-cluster-14.3.0/templates/proxy/predeploy_job.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/templates/proxy/predeploy_job.yaml
rename to teleport-cluster-14.3.0/templates/proxy/predeploy_job.yaml
diff --git a/teleport-cluster-14.2.0/templates/proxy/service.yaml b/teleport-cluster-14.3.0/templates/proxy/service.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/templates/proxy/service.yaml
rename to teleport-cluster-14.3.0/templates/proxy/service.yaml
diff --git a/teleport-cluster-14.2.0/templates/proxy/serviceaccount.yaml b/teleport-cluster-14.3.0/templates/proxy/serviceaccount.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/templates/proxy/serviceaccount.yaml
rename to teleport-cluster-14.3.0/templates/proxy/serviceaccount.yaml
diff --git a/teleport-cluster-14.2.0/templates/psp.yaml b/teleport-cluster-14.3.0/templates/psp.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/templates/psp.yaml
rename to teleport-cluster-14.3.0/templates/psp.yaml
diff --git a/teleport-cluster-14.2.0/tests/README.md b/teleport-cluster-14.3.0/tests/README.md
similarity index 100%
rename from teleport-cluster-14.2.0/tests/README.md
rename to teleport-cluster-14.3.0/tests/README.md
diff --git a/teleport-cluster-14.2.0/tests/__snapshot__/auth_clusterrole_test.yaml.snap b/teleport-cluster-14.3.0/tests/__snapshot__/auth_clusterrole_test.yaml.snap
similarity index 100%
rename from teleport-cluster-14.2.0/tests/__snapshot__/auth_clusterrole_test.yaml.snap
rename to teleport-cluster-14.3.0/tests/__snapshot__/auth_clusterrole_test.yaml.snap
diff --git a/teleport-cluster-14.2.0/tests/__snapshot__/auth_config_test.yaml.snap b/teleport-cluster-14.3.0/tests/__snapshot__/auth_config_test.yaml.snap similarity index 100% rename from teleport-cluster-14.2.0/tests/__snapshot__/auth_config_test.yaml.snap rename to teleport-cluster-14.3.0/tests/__snapshot__/auth_config_test.yaml.snap diff --git a/teleport-cluster-14.2.0/tests/__snapshot__/auth_deployment_test.yaml.snap b/teleport-cluster-14.3.0/tests/__snapshot__/auth_deployment_test.yaml.snap similarity index 99% rename from teleport-cluster-14.2.0/tests/__snapshot__/auth_deployment_test.yaml.snap rename to teleport-cluster-14.3.0/tests/__snapshot__/auth_deployment_test.yaml.snap index 14d5a57..d7b1104 100644 --- a/teleport-cluster-14.2.0/tests/__snapshot__/auth_deployment_test.yaml.snap +++ b/teleport-cluster-14.3.0/tests/__snapshot__/auth_deployment_test.yaml.snap @@ -1,6 +1,6 @@ should add an operator side-car when operator is enabled: 1: | - image: public.ecr.aws/gravitational/teleport-operator:14.2.0 + image: public.ecr.aws/gravitational/teleport-operator:14.3.0 imagePullPolicy: IfNotPresent livenessProbe: httpGet: @@ -41,7 +41,7 @@ should add an operator side-car when operator is enabled: - args: - --diag-addr=0.0.0.0:3000 - --apply-on-startup=/etc/teleport/apply-on-startup.yaml - image: public.ecr.aws/gravitational/teleport-distroless:14.2.0 + image: public.ecr.aws/gravitational/teleport-distroless:14.3.0 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -174,7 +174,7 @@ should set nodeSelector when set in values: - args: - --diag-addr=0.0.0.0:3000 - --apply-on-startup=/etc/teleport/apply-on-startup.yaml - image: public.ecr.aws/gravitational/teleport-distroless:14.2.0 + image: public.ecr.aws/gravitational/teleport-distroless:14.3.0 imagePullPolicy: IfNotPresent lifecycle: preStop: 
@@ -271,7 +271,7 @@ should set resources when set in values: - args: - --diag-addr=0.0.0.0:3000 - --apply-on-startup=/etc/teleport/apply-on-startup.yaml - image: public.ecr.aws/gravitational/teleport-distroless:14.2.0 + image: public.ecr.aws/gravitational/teleport-distroless:14.3.0 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -357,7 +357,7 @@ should set securityContext when set in values: - args: - --diag-addr=0.0.0.0:3000 - --apply-on-startup=/etc/teleport/apply-on-startup.yaml - image: public.ecr.aws/gravitational/teleport-distroless:14.2.0 + image: public.ecr.aws/gravitational/teleport-distroless:14.3.0 imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/teleport-cluster-14.2.0/tests/__snapshot__/ingress_test.yaml.snap b/teleport-cluster-14.3.0/tests/__snapshot__/ingress_test.yaml.snap similarity index 100% rename from teleport-cluster-14.2.0/tests/__snapshot__/ingress_test.yaml.snap rename to teleport-cluster-14.3.0/tests/__snapshot__/ingress_test.yaml.snap diff --git a/teleport-cluster-14.2.0/tests/__snapshot__/predeploy_test.yaml.snap b/teleport-cluster-14.3.0/tests/__snapshot__/predeploy_test.yaml.snap similarity index 100% rename from teleport-cluster-14.2.0/tests/__snapshot__/predeploy_test.yaml.snap rename to teleport-cluster-14.3.0/tests/__snapshot__/predeploy_test.yaml.snap diff --git a/teleport-cluster-14.2.0/tests/__snapshot__/proxy_certificate_test.yaml.snap b/teleport-cluster-14.3.0/tests/__snapshot__/proxy_certificate_test.yaml.snap similarity index 100% rename from teleport-cluster-14.2.0/tests/__snapshot__/proxy_certificate_test.yaml.snap rename to teleport-cluster-14.3.0/tests/__snapshot__/proxy_certificate_test.yaml.snap 
diff --git a/teleport-cluster-14.2.0/tests/__snapshot__/proxy_config_test.yaml.snap b/teleport-cluster-14.3.0/tests/__snapshot__/proxy_config_test.yaml.snap similarity index 100% rename from teleport-cluster-14.2.0/tests/__snapshot__/proxy_config_test.yaml.snap rename to teleport-cluster-14.3.0/tests/__snapshot__/proxy_config_test.yaml.snap diff --git a/teleport-cluster-14.2.0/tests/__snapshot__/proxy_deployment_test.yaml.snap b/teleport-cluster-14.3.0/tests/__snapshot__/proxy_deployment_test.yaml.snap similarity index 99% rename from teleport-cluster-14.2.0/tests/__snapshot__/proxy_deployment_test.yaml.snap rename to teleport-cluster-14.3.0/tests/__snapshot__/proxy_deployment_test.yaml.snap index e8362a0..26489d6 100644 --- a/teleport-cluster-14.2.0/tests/__snapshot__/proxy_deployment_test.yaml.snap +++ b/teleport-cluster-14.3.0/tests/__snapshot__/proxy_deployment_test.yaml.snap @@ -5,7 +5,7 @@ should provision initContainer correctly when set in values: - wait - no-resolve - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local - image: public.ecr.aws/gravitational/teleport-distroless:14.2.0 + image: public.ecr.aws/gravitational/teleport-distroless:14.3.0 name: wait-auth-update - args: - echo test @@ -62,7 +62,7 @@ should set nodeSelector when set in values: containers: - args: - --diag-addr=0.0.0.0:3000 - image: public.ecr.aws/gravitational/teleport-distroless:14.2.0 + image: public.ecr.aws/gravitational/teleport-distroless:14.3.0 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -123,7 +123,7 @@ should set nodeSelector when set in values: - wait - no-resolve - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local - image: public.ecr.aws/gravitational/teleport-distroless:14.2.0 + image: public.ecr.aws/gravitational/teleport-distroless:14.3.0 name: wait-auth-update nodeSelector: environment: security 
@@ -174,7 +174,7 @@ should set resources when set in values: containers: - args: - --diag-addr=0.0.0.0:3000 - image: public.ecr.aws/gravitational/teleport-distroless:14.2.0 + image: public.ecr.aws/gravitational/teleport-distroless:14.3.0 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -242,7 +242,7 @@ should set resources when set in values: - wait - no-resolve - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local - image: public.ecr.aws/gravitational/teleport-distroless:14.2.0 + image: public.ecr.aws/gravitational/teleport-distroless:14.3.0 name: wait-auth-update serviceAccountName: RELEASE-NAME-proxy terminationGracePeriodSeconds: 60 @@ -275,7 +275,7 @@ should set securityContext for initContainers when set in values: containers: - args: - --diag-addr=0.0.0.0:3000 - image: public.ecr.aws/gravitational/teleport-distroless:14.2.0 + image: public.ecr.aws/gravitational/teleport-distroless:14.3.0 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -343,7 +343,7 @@ should set securityContext for initContainers when set in values: - wait - no-resolve - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local - image: public.ecr.aws/gravitational/teleport-distroless:14.2.0 + image: public.ecr.aws/gravitational/teleport-distroless:14.3.0 name: wait-auth-update securityContext: allowPrivilegeEscalation: false @@ -383,7 +383,7 @@ should set securityContext when set in values: containers: - args: - --diag-addr=0.0.0.0:3000 - image: public.ecr.aws/gravitational/teleport-distroless:14.2.0 + image: public.ecr.aws/gravitational/teleport-distroless:14.3.0 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -451,7 +451,7 @@ should set securityContext when set in values: - wait - no-resolve - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local - image: public.ecr.aws/gravitational/teleport-distroless:14.2.0 + image: public.ecr.aws/gravitational/teleport-distroless:14.3.0 name: wait-auth-update securityContext: allowPrivilegeEscalation: false 
diff --git a/teleport-cluster-14.2.0/tests/__snapshot__/proxy_service_test.yaml.snap b/teleport-cluster-14.3.0/tests/__snapshot__/proxy_service_test.yaml.snap
similarity index 100%
rename from teleport-cluster-14.2.0/tests/__snapshot__/proxy_service_test.yaml.snap
rename to teleport-cluster-14.3.0/tests/__snapshot__/proxy_service_test.yaml.snap
diff --git a/teleport-cluster-14.2.0/tests/__snapshot__/psp_test.yaml.snap b/teleport-cluster-14.3.0/tests/__snapshot__/psp_test.yaml.snap
similarity index 100%
rename from teleport-cluster-14.2.0/tests/__snapshot__/psp_test.yaml.snap
rename to teleport-cluster-14.3.0/tests/__snapshot__/psp_test.yaml.snap
diff --git a/teleport-cluster-14.2.0/tests/auth_clusterrole_test.yaml b/teleport-cluster-14.3.0/tests/auth_clusterrole_test.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/tests/auth_clusterrole_test.yaml
rename to teleport-cluster-14.3.0/tests/auth_clusterrole_test.yaml
diff --git a/teleport-cluster-14.2.0/tests/auth_clusterrolebinding_test.yaml b/teleport-cluster-14.3.0/tests/auth_clusterrolebinding_test.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/tests/auth_clusterrolebinding_test.yaml
rename to teleport-cluster-14.3.0/tests/auth_clusterrolebinding_test.yaml
diff --git a/teleport-cluster-14.2.0/tests/auth_config_test.yaml b/teleport-cluster-14.3.0/tests/auth_config_test.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/tests/auth_config_test.yaml
rename to teleport-cluster-14.3.0/tests/auth_config_test.yaml
diff --git a/teleport-cluster-14.2.0/tests/auth_deployment_test.yaml b/teleport-cluster-14.3.0/tests/auth_deployment_test.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/tests/auth_deployment_test.yaml
rename to teleport-cluster-14.3.0/tests/auth_deployment_test.yaml
diff --git a/teleport-cluster-14.2.0/tests/auth_pdb_test.yaml b/teleport-cluster-14.3.0/tests/auth_pdb_test.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/tests/auth_pdb_test.yaml
rename to teleport-cluster-14.3.0/tests/auth_pdb_test.yaml
diff --git a/teleport-cluster-14.2.0/tests/auth_pvc_test.yaml b/teleport-cluster-14.3.0/tests/auth_pvc_test.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/tests/auth_pvc_test.yaml
rename to teleport-cluster-14.3.0/tests/auth_pvc_test.yaml
diff --git a/teleport-cluster-14.2.0/tests/auth_serviceaccount_test.yaml b/teleport-cluster-14.3.0/tests/auth_serviceaccount_test.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/tests/auth_serviceaccount_test.yaml
rename to teleport-cluster-14.3.0/tests/auth_serviceaccount_test.yaml
diff --git a/teleport-cluster-14.2.0/tests/ingress_test.yaml b/teleport-cluster-14.3.0/tests/ingress_test.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/tests/ingress_test.yaml
rename to teleport-cluster-14.3.0/tests/ingress_test.yaml
diff --git a/teleport-cluster-14.2.0/tests/podmonitor_test.yaml b/teleport-cluster-14.3.0/tests/podmonitor_test.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/tests/podmonitor_test.yaml
rename to teleport-cluster-14.3.0/tests/podmonitor_test.yaml
diff --git a/teleport-cluster-14.2.0/tests/predeploy_test.yaml b/teleport-cluster-14.3.0/tests/predeploy_test.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/tests/predeploy_test.yaml
rename to teleport-cluster-14.3.0/tests/predeploy_test.yaml
diff --git a/teleport-cluster-14.2.0/tests/proxy_certificate_test.yaml b/teleport-cluster-14.3.0/tests/proxy_certificate_test.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/tests/proxy_certificate_test.yaml
rename to teleport-cluster-14.3.0/tests/proxy_certificate_test.yaml
diff --git a/teleport-cluster-14.2.0/tests/proxy_config_test.yaml b/teleport-cluster-14.3.0/tests/proxy_config_test.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/tests/proxy_config_test.yaml
rename to teleport-cluster-14.3.0/tests/proxy_config_test.yaml
diff --git a/teleport-cluster-14.2.0/tests/proxy_deployment_test.yaml b/teleport-cluster-14.3.0/tests/proxy_deployment_test.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/tests/proxy_deployment_test.yaml
rename to teleport-cluster-14.3.0/tests/proxy_deployment_test.yaml
diff --git a/teleport-cluster-14.2.0/tests/proxy_pdb_test.yaml b/teleport-cluster-14.3.0/tests/proxy_pdb_test.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/tests/proxy_pdb_test.yaml
rename to teleport-cluster-14.3.0/tests/proxy_pdb_test.yaml
diff --git a/teleport-cluster-14.2.0/tests/proxy_service_test.yaml b/teleport-cluster-14.3.0/tests/proxy_service_test.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/tests/proxy_service_test.yaml
rename to teleport-cluster-14.3.0/tests/proxy_service_test.yaml
diff --git a/teleport-cluster-14.2.0/tests/proxy_serviceaccount_test.yaml b/teleport-cluster-14.3.0/tests/proxy_serviceaccount_test.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/tests/proxy_serviceaccount_test.yaml
rename to teleport-cluster-14.3.0/tests/proxy_serviceaccount_test.yaml
diff --git a/teleport-cluster-14.2.0/tests/psp_test.yaml b/teleport-cluster-14.3.0/tests/psp_test.yaml
similarity index 100%
rename from teleport-cluster-14.2.0/tests/psp_test.yaml
rename to teleport-cluster-14.3.0/tests/psp_test.yaml
diff --git a/teleport-cluster-14.3.0/values.home.yaml b/teleport-cluster-14.3.0/values.home.yaml
new file mode 100644
index 0000000..c94313d
--- /dev/null
+++ b/teleport-cluster-14.3.0/values.home.yaml
@@ -0,0 +1,32 @@
+clusterName: "teleport.ervine.cloud"
+kubeClusterName: "homeK8s"
+proxyListenerMode: "multiplex"
+operator:
+ enabled: true
+podSecurityPolicy:
+ enabled: false
+podMonitor:
+ enabled: true
+ additionalLabels:
+ prometheus: k8s
+highAvailability:
+ certManager:
+ enabled: true
+ addCommonName: false
+ addPublicAddrs: false
+ issuerName: "letsencrypt-prod"
+ issuerKind: ClusterIssuer
+annotations:
+ ingress:
+ kubernetes.io/ingress.class: nginx
+ nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+ nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
+ nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
+ nginx.ingress.kubernetes.io/affinity: "cookie"
+ nginx.ingress.kubernetes.io/session-cookie-name: "http-cookie"
+ nginx.ingress.kubernetes.io/session-cookie-expires: "172800"
+ nginx.ingress.kubernetes.io/session-cookie-max-age: "172800"
+service:
+ type: ClusterIP
+ingress:
+ enabled: true
diff --git a/teleport-cluster/values.home.yaml.old b/teleport-cluster-14.3.0/values.home.yaml.old
similarity index 100%
rename from teleport-cluster/values.home.yaml.old
rename to teleport-cluster-14.3.0/values.home.yaml.old
diff --git a/teleport-cluster-14.2.0/values.schema.json b/teleport-cluster-14.3.0/values.schema.json
similarity index 100%
rename from teleport-cluster-14.2.0/values.schema.json
rename to teleport-cluster-14.3.0/values.schema.json
diff --git a/teleport-cluster-14.2.0/values.yaml b/teleport-cluster-14.3.0/values.yaml
similarity index 98%
rename from teleport-cluster-14.2.0/values.yaml
rename to teleport-cluster-14.3.0/values.yaml
index 1a11af3..045802f 100644
--- a/teleport-cluster-14.2.0/values.yaml
+++ b/teleport-cluster-14.3.0/values.yaml
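Review bot: The `kubernetes.io/ingress.class: nginx` entry under `annotations.ingress` is the deprecated way to pick an ingress class; if this chart exposes an `ingress.spec` value, `ingressClassName: nginx` there is the supported replacement and avoids the Ingress being ignored once the controller stops honouring the annotation. With `nginx.ingress.kubernetes.io/backend-protocol: HTTPS` the controller terminates the client TLS session and opens a new one to the proxy, so the client-certificate paths that `proxyListenerMode: "multiplex"` is meant to serve are likely to work only if the controller passes the client handshake through; the README change later in this commit points at the ALPN requirement for L7 load balancers, and the controller configuration is not visible here. A comment on this block such as `# nginx terminates TLS: confirm ALPN/mTLS client access (tsh) works through this Ingress before relying on it alone` would record what this exposure is expected to cover.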
@@ -55,9 +55,10 @@ teleportVersionOverride: "" # proxyProtocol: on # The `teleport-cluster` charts deploys two sets of pods: auth and proxy. -# `auth` contains values specific for the auth pods. You can use it to -# set specific values for auth pods, taking precedence over chart-scoped values. -# For example, to override the [`postStart`](#postStart) value only for auth pods: +# +# `auth` allows you to set chart values only for Kubernetes resources related to the Teleport Auth Service. +# This is merged with chart-scoped values and takes precedence in case of conflict. +# For example: # # auth: # postStart: ["curl", "http://hook"] @@ -79,11 +80,15 @@ auth: # client_idle_timeout_message: "Connection closed after 2hours without activity" teleportConfig: {} -# proxy contains values specific for the proxy pods -# You can override chart-scoped values, for example +# `proxy` allows you to set chart values only for Kubernetes resources related to the Teleport Proxy Service. +# This is merged with chart-scoped values and takes precedence in case of conflict. +# For example: # proxy: # postStart: ["curl", "http://hook"] # imagePullPolicy: Always +# annotations: +# service: +# external-dns.alpha.kubernetes.io/hostname: "teleport.example.com" proxy: # proxy.teleportConfig contains YAML teleport configuration for proxy pods # The configuration will be merged with the chart-generated configuration diff --git a/teleport-cluster/Chart.yaml b/teleport-cluster/Chart.yaml index d215736..8f4176c 100644 --- a/teleport-cluster/Chart.yaml +++ b/teleport-cluster/Chart.yaml 
@@ -1,13 +1,14 @@ apiVersion: v2 -appVersion: 14.3.0 +appVersion: 15.0.1 dependencies: -- condition: installCRDs,operator.enabled +- alias: operator + condition: installCRDs,operator.enabled name: teleport-operator repository: "" - version: 14.3.0 + version: 15.0.1 description: Teleport is an access platform for your infrastructure icon: https://goteleport.com/images/logos/logo-teleport-square.svg keywords: - Teleport name: teleport-cluster -version: 14.3.0 +version: 15.0.1 diff --git a/teleport-cluster/README.md b/teleport-cluster/README.md index 27e6235..b239357 100644 --- a/teleport-cluster/README.md +++ b/teleport-cluster/README.md @@ -1,13 +1,16 @@ # Teleport Cluster -This chart sets up a single node Teleport cluster. -It uses a persistent volume claim for storage. -Great for getting started with Teleport. +This chart sets up a Teleport cluster composed of at least 1 Proxy instance +and 1 Auth instance. When applicable, the chart will default to 2 pods to +provide high-availability. ## Important Notices - The chart version follows the Teleport version. e.g. chart v10.x can run Teleport v10.x and v11.x, but is not compatible with Teleport 9.x -- Teleport does mutual TLS to authenticate clients. It currently does not support running behind a L7 LoadBalancer, like a Kubernetes `Ingress`. It requires being exposed through a L4 LoadBalancer (Kubernetes `Service`). +- Teleport does mutual TLS to authenticate clients. Establishing mTLS through a L7 + LoadBalancer, like a Kubernetes `Ingress` [requires ALPN support](https://goteleport.com/docs/architecture/tls-routing/#working-with-layer-7-load-balancers-or-reverse-proxies). + Exposing Teleport through a `Service` with type `LoadBalancer` is still recommended + because its the most flexible and least complex setup. ## Getting Started 
diff --git a/teleport-cluster/charts/teleport-operator/.lint/annotations.yaml b/teleport-cluster/charts/teleport-operator/.lint/annotations.yaml
new file mode 100644
index 0000000..dc3a4c8
--- /dev/null
+++ b/teleport-cluster/charts/teleport-operator/.lint/annotations.yaml
@@ -0,0 +1,14 @@
+annotations:
+ deployment:
+ kubernetes.io/deployment: "test-annotation"
+ kubernetes.io/deployment-different: 3
+ pod:
+ kubernetes.io/pod: "test-annotation"
+ kubernetes.io/pod-different: 4
+ serviceAccount:
+ kubernetes.io/serviceaccount: "test-annotation"
+ kubernetes.io/serviceaccount-different: 6
+
+teleportAddress: "example.teleport.sh:443"
+token: "my-operator-bot"
+teleportClusterName: "example.teleport.sh"
diff --git a/teleport-cluster/charts/teleport-operator/.lint/cloud-join.yaml b/teleport-cluster/charts/teleport-operator/.lint/cloud-join.yaml
new file mode 100644
index 0000000..16ba976
--- /dev/null
+++ b/teleport-cluster/charts/teleport-operator/.lint/cloud-join.yaml
@@ -0,0 +1,3 @@
+teleportAddress: "example.teleport.sh:443"
+token: "my-operator-bot"
+teleportClusterName: "example.teleport.sh"
diff --git a/teleport-cluster/charts/teleport-operator/.lint/disabled.yaml b/teleport-cluster/charts/teleport-operator/.lint/disabled.yaml
new file mode 100644
index 0000000..bc11441
--- /dev/null
+++ b/teleport-cluster/charts/teleport-operator/.lint/disabled.yaml
@@ -0,0 +1 @@
+enabled: false
diff --git a/teleport-cluster/charts/teleport-operator/.lint/existing-tls-ca.yaml b/teleport-cluster/charts/teleport-operator/.lint/existing-tls-ca.yaml
new file mode 100644
index 0000000..354a5e2
--- /dev/null
+++ b/teleport-cluster/charts/teleport-operator/.lint/existing-tls-ca.yaml
@@ -0,0 +1,6 @@
+tls:
+ existingCASecretName: helm-lint-existing-tls-secret-ca
+
+teleportAddress: "teleport.example.com:3080"
+token: "my-operator-bot"
+teleportClusterName: "teleport.example.com"
diff --git a/teleport-cluster/charts/teleport-operator/.lint/non-kubernetes-joining.yaml b/teleport-cluster/charts/teleport-operator/.lint/non-kubernetes-joining.yaml new file mode 100644 index 0000000..4000fc8 --- /dev/null +++ b/teleport-cluster/charts/teleport-operator/.lint/non-kubernetes-joining.yaml @@ -0,0 +1,3 @@ +teleportAddress: "example.teleport.sh:443" +token: "my-operator-bot" +joinMethod: "iam" diff --git a/teleport-cluster/charts/teleport-operator/.lint/resources.yaml b/teleport-cluster/charts/teleport-operator/.lint/resources.yaml new file mode 100644 index 0000000..acf9ab5 --- /dev/null +++ b/teleport-cluster/charts/teleport-operator/.lint/resources.yaml @@ -0,0 +1,13 @@ +# These are just sample values to test the chart. +# They are not intended to be guidelines or suggestions for running teleport. +resources: + limits: + cpu: 2 + memory: 4Gi + requests: + cpu: 1 + memory: 2Gi + +teleportAddress: "example.teleport.sh:443" +token: "my-operator-bot" +teleportClusterName: "example.teleport.sh" diff --git a/teleport-cluster/charts/teleport-operator/Chart.yaml b/teleport-cluster/charts/teleport-operator/Chart.yaml index 08584e1..11eac1a 100644 --- a/teleport-cluster/charts/teleport-operator/Chart.yaml +++ b/teleport-cluster/charts/teleport-operator/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: 14.3.0 +appVersion: 15.0.1 description: Teleport Operator provides management of select Teleport resources. icon: https://goteleport.com/images/logos/logo-teleport-square.svg keywords: - Teleport name: teleport-operator -version: 14.3.0 +version: 15.0.1 diff --git a/teleport-cluster/charts/teleport-operator/README.md b/teleport-cluster/charts/teleport-operator/README.md new file mode 100644 index 0000000..d0b87ed --- /dev/null +++ b/teleport-cluster/charts/teleport-operator/README.md 
@@ -0,0 +1,28 @@
+# Teleport Operator
+
+This chart deploys the Teleport Kubernetes Operator. The operator allows to manage
+Teleport resources from inside Kubernetes.
+
+## Important notice
+
+The chart version follows the Teleport and Teleport Kube Operator version. e.g.
+chart v15.0.1 runs the operator version 15.0.1 by default. To control which
+operator version is deployed, use the `--version` Helm flag.
+
+## Deployment
+
+The chart can be deployed in two ways:
+- in standalone mode by running
+ ```shell
+ helm install teleport/teleport-operator teleport-operator --set authAddr=teleport.example.com:443 --set token=my-operator-token
+ ```
+ See [the standalone guide](https://goteleport.com/docs/management/dynamic-resources/teleport-operator-standalone/) for more details.
+- as a dependency of the `teleport-cluster` Helm chart by adding `--set operator.enabled=true`. See
+ [the operator within teleport-cluster chart guide](https://goteleport.com/docs/management/dynamic-resources/teleport-operator-helm/).
+
+## Values and reference
+
+The `values.yaml` is documented through comment or via
+[the reference docs](https://goteleport.com/docs/reference/helm-reference/teleport-operator/).
+
+Please make sure you are looking at the correct version when looking at the values reference.
diff --git a/teleport-cluster/charts/teleport-operator/templates/_helpers.tpl b/teleport-cluster/charts/teleport-operator/templates/_helpers.tpl
new file mode 100644
index 0000000..39be389
--- /dev/null
+++ b/teleport-cluster/charts/teleport-operator/templates/_helpers.tpl
@@ -0,0 +1,77 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "teleport-cluster.operator.name" -}}
+ {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+This is a modified version of the default fully qualified app name helper.
+We diverge by always honouring "nameOverride" when it's set, as opposed to the
+default behaviour of shortening if `nameOverride` is included in chart name.
+This is done to avoid naming conflicts when including th chart in `teleport-cluster`
+*/}}
+{{- define "teleport-cluster.operator.fullname" -}}
+ {{- if .Values.fullnameOverride }}
+ {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+ {{- else }}
+ {{- if .Values.nameOverride }}
+ {{- printf "%s-%s" .Release.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+ {{- else }}
+ {{- if contains .Chart.Name .Release.Name }}
+ {{- .Release.Name | trunc 63 | trimSuffix "-" }}
+ {{- else }}
+ {{- printf "%s-%s" .Release.Name .Chart.Name | trunc 63 | trimSuffix "-" }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+if serviceAccount is not defined or serviceAccount.name is empty, use .Release.Name
+*/}}
+{{- define "teleport-cluster.operator.serviceAccountName" -}}
+{{- coalesce .Values.serviceAccount.name (include "teleport-cluster.operator.fullname" .) -}}
+{{- end -}}
+
+{{- define "teleport-cluster.version" -}}
+{{- coalesce .Values.teleportVersionOverride .Chart.Version }}
+{{- end -}}
+
+{{- define "teleport-cluster.majorVersion" -}}
+{{- (semver (include "teleport-cluster.version" .)).Major -}}
+{{- end -}}
+
+{{/* Operator selector labels */}}
+{{- define "teleport-cluster.operator.selectorLabels" -}}
+app.kubernetes.io/name: '{{ include "teleport-cluster.operator.name" . 
}}'
+app.kubernetes.io/instance: '{{ .Release.Name }}'
+app.kubernetes.io/component: 'operator'
+{{- end -}}
+
+{{/* Operator all labels */}}
+{{- define "teleport-cluster.operator.labels" -}}
+{{ include "teleport-cluster.operator.selectorLabels" . }}
+helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
+app.kubernetes.io/managed-by: '{{ .Release.Service }}'
+app.kubernetes.io/version: '{{ include "teleport-cluster.version" . }}'
+teleport.dev/majorVersion: '{{ include "teleport-cluster.majorVersion" . }}'
+{{- end -}}
+
+{{/* Teleport auth or proxy address */}}
+{{- define "teleport-cluster.operator.teleportAddress" -}}
+{{- $clusterAddr := include "teleport-cluster.auth.serviceFQDN" . -}}
+{{- if empty $clusterAddr -}}
+ {{- required "The `teleportAddress` value is mandatory when deploying a standalone operator." .Values.teleportAddress -}}
+ {{- if and (eq .Values.joinMethod "kubernetes") (empty .Values.teleportClusterName) (not (hasSuffix ":3025" .Values.teleportAddress)) -}}
+ {{- fail "When joining using the Kubernetes JWKS join method, you must set the value `teleportClusterName`" -}}
+ {{- end -}}
+{{- else -}}
+ {{- $clusterAddr | printf "%s:3025" -}}
+{{- end -}}
+{{- end -}}
+
+{{- /* This template is a placeholder.
+If we are imported by the main chart "teleport-cluster" it is overridden*/ -}}
+{{- define "teleport-cluster.auth.serviceFQDN" -}}{{- end }}
diff --git a/teleport-cluster/charts/teleport-operator/templates/deployment.yaml b/teleport-cluster/charts/teleport-operator/templates/deployment.yaml
new file mode 100644
index 0000000..cd6d676
--- /dev/null
+++ b/teleport-cluster/charts/teleport-operator/templates/deployment.yaml
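Review bot: The `teleport-cluster.operator.teleportAddress` helper only reads `.Values.teleportAddress` and stops rendering via `required` when it is empty, yet the operator README added in this same commit documents the standalone install as `--set authAddr=teleport.example.com:443 --set token=...`, a value name this helper never consults, so the documented command would fail at template time; one of the two names needs to change. The `hasSuffix ":3025" .Values.teleportAddress` condition appears to stand in for "this address is the Auth Service, so no cluster name is needed for the Kubernetes JWKS join", an assumption that would misfire for an auth service on a non-default port or a proxy listening on 3025; a comment above the `if and` line, such as `{{/* an address ending in :3025 is assumed to be a direct Auth Service connection; the cluster name is only required when joining through a proxy */}}`, would make the check reviewable. The `fullname` helper's comment also has a typo: `th chart` should read `the chart`.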
@@ -0,0 +1,155 @@ +{{- if .Values.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "teleport-cluster.operator.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: {{- include "teleport-cluster.operator.labels" . | nindent 4 }} + {{- if .Values.annotations.deployment }} + annotations: {{- toYaml .Values.annotations.deployment | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.highAvailability.replicaCount }} + strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 + selector: + matchLabels: {{- include "teleport-cluster.operator.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- if .Values.annotations.pod }} + annotations: {{- toYaml .Values.annotations.pod | nindent 8 }} + {{- end }} + labels: {{- include "teleport-cluster.operator.labels" . | nindent 8 }} + spec: + {{- if .Values.nodeSelector }} + nodeSelector: {{- toYaml .Values.nodeSelector | nindent 8 }} + {{- end }} + {{- if .Values.affinity }} + affinity: {{- toYaml .Values.affinity | nindent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: {{- toYaml .Values.tolerations | nindent 8 }} + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml .Values.imagePullSecrets | nindent 8 }} + {{- end }} + containers: + - name: "operator" + image: '{{ .Values.image }}:{{ include "teleport-cluster.version" . }}' + imagePullPolicy: {{ .Values.imagePullPolicy }} + command: + - /teleport-operator + - -auth-server + - '{{ include "teleport-cluster.operator.teleportAddress" . 
}}' + - -join-method + - '{{ .Values.joinMethod }}' + - -token + - '{{ .Values.token }}' + {{- if .Values.caPins }} + - -ca-pin + - '{{ join "," .Values.caPins }}' + {{- end }} + {{- if or (.Values.tls.existingCASecretName) (.Values.teleportClusterName) }} + env: + {{- if .Values.tls.existingCASecretName }} + - name: SSL_CERT_FILE + value: /etc/teleport-tls-ca/ca.pem + {{- end }} + {{- if .Values.teleportClusterName }} + - name: KUBERNETES_TOKEN_PATH + value: /var/run/secrets/teleport/serviceaccount/token + {{- end }} + {{- end }} + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + ports: + - name: op-metrics + containerPort: 8080 + protocol: TCP + - name: op-health + containerPort: 8081 + protocol: TCP + {{- if .Values.securityContext }} + securityContext: {{- toYaml .Values.securityContext | nindent 12 }} + {{- end }} + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 12 }} + {{- end }} + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: operator-serviceaccount-token + readOnly: true + {{- if .Values.teleportClusterName }} + - mountPath: /var/run/secrets/teleport/serviceaccount + name: bot-serviceaccount-token + readOnly: true + {{- end }} + {{- if .Values.tls.existingCASecretName }} + - mountPath: /etc/teleport-tls-ca + name: "teleport-tls-ca" + readOnly: true + {{- end }} + automountServiceAccountToken: false + volumes: + # This projected token volume mimics the `automountServiceAccountToken` + # behaviour but defaults to a 1h TTL instead of 1y. 
+ - name: operator-serviceaccount-token + projected: + sources: + - serviceAccountToken: + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - path: "namespace" + fieldRef: + fieldPath: metadata.namespace + {{- if .Values.teleportClusterName }} + - name: bot-serviceaccount-token + projected: + sources: + - serviceAccountToken: + path: token + audience: "{{ .Values.teleportClusterName }}" + expirationSeconds: 600 + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - path: "namespace" + fieldRef: + fieldPath: metadata.namespace + {{- end }} + {{- if .Values.tls.existingCASecretName }} + - name: teleport-tls-ca + secret: + secretName: {{ .Values.tls.existingCASecretName }} + {{- end }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} + {{- end }} + {{- if .Values.podSecurityContext }} + securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "teleport-cluster.operator.serviceAccountName" . }} +{{- end }} diff --git a/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_accesslists.yaml b/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_accesslists.yaml new file mode 100644 index 0000000..2e6e599 --- /dev/null +++ b/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_accesslists.yaml 
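Review bot: The join token is passed as a plain process argument (`- -token` followed by `- '{{ .Values.token }}'` in the container `command`), so for the static `token` join method the credential lands in the rendered Deployment, the live pod spec and `ps` output on the node, readable by anyone with `get pods` in the namespace or access to the Helm release secret. If, as with Teleport's other delegated join methods, `token` is only a provision-token resource name when `joinMethod` is `kubernetes`, that case is harmless, but the template does not distinguish the two. I would read the token from a Kubernetes Secret and reference it through environment-variable substitution, which the kubelet expands in `command`/`args`; the value name below is illustrative and should be a new chart value. The `env:` block is currently emitted only under `tls.existingCASecretName` or `teleportClusterName`, so its guard would need widening as well.
```yaml
        - -token
        - '$(TELEPORT_JOIN_TOKEN)'
        # … unchanged: -ca-pin args …
        env:
          - name: TELEPORT_JOIN_TOKEN
            valueFrom:
              secretKeyRef:
                name: {{ .Values.tokenSecretName }}  # illustrative new value
                key: token
          # … unchanged: SSL_CERT_FILE / KUBERNETES_TOKEN_PATH entries …
```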
@@ -0,0 +1,291 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: teleportaccesslists.resources.teleport.dev +spec: + group: resources.teleport.dev + names: + kind: TeleportAccessList + listKind: TeleportAccessListList + plural: teleportaccesslists + shortNames: + - accesslist + - accesslists + singular: teleportaccesslist + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: AccessList is the Schema for the accesslists API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AccessList resource definition v1 from Teleport + properties: + audit: + description: audit describes the frequency that this access list must + be audited. + nullable: true + properties: + next_audit_date: + description: next_audit_date is when the next audit date should + be done by. + format: date-time + type: string + notifications: + description: notifications is the configuration for notifying + users. + nullable: true + properties: + start: + description: start specifies when to start notifying users + that the next audit date is coming up. 
+ format: duration + type: string + type: object + recurrence: + description: recurrence is the recurrence definition + nullable: true + properties: + day_of_month: + description: day_of_month is the day of month that reviews + will be scheduled on. + x-kubernetes-int-or-string: true + frequency: + description: frequency is the frequency of reviews. + x-kubernetes-int-or-string: true + type: object + type: object + description: + description: description is an optional plaintext description of the + access list. + type: string + grants: + description: grants describes the access granted by membership to + this access list. + nullable: true + properties: + roles: + description: roles are the roles that are granted to users who + are members of the access list. + items: + type: string + nullable: true + type: array + traits: + additionalProperties: + items: + type: string + type: array + description: traits are the traits that are granted to users who + are members of the access list. + type: object + type: object + membership: + description: 'membership defines how list membership is applied. There + are two possible values: `explicit` (default): To be considered + ag member of the access list, a user must both meet the `membership_requires` + conditions AND be explicitly added to the list. `implicit`: Any + user meeting the `membership_requires` conditions will automatically + be cosidered a member of this list.' + type: string + membership_requires: + description: membership_requires describes the requirements for a + user to be a member of the access list. For a membership to an access + list to be effective, the user must meet the requirements of Membership_requires + and must be in the members list. + nullable: true + properties: + roles: + description: roles are the user roles that must be present for + the user to obtain access. 
+ items: + type: string + nullable: true + type: array + traits: + additionalProperties: + items: + type: string + type: array + description: traits are the traits that must be present for the + user to obtain access. + type: object + type: object + owner_grants: + description: owner_grants describes the access granted by owners to + this access list. + nullable: true + properties: + roles: + description: roles are the roles that are granted to users who + are members of the access list. + items: + type: string + nullable: true + type: array + traits: + additionalProperties: + items: + type: string + type: array + description: traits are the traits that are granted to users who + are members of the access list. + type: object + type: object + owners: + description: owners is a list of owners of the access list. + items: + properties: + description: + description: description is the plaintext description of the + owner and why they are an owner. + type: string + ineligible_status: + description: ineligible_status describes if this owner is eligible + or not and if not, describes how they're lacking eligibility. + x-kubernetes-int-or-string: true + name: + description: name is the username of the owner. + type: string + type: object + nullable: true + type: array + ownership: + description: 'ownership defines how list ownership of this list is + determined. There are two possible values: `explicit` (default): + To be considered an owner of the access list, a user must both meet + the `ownership_requires` conditions AND be explicitly added to the + list. `implicit`: Any user meeting the `ownership_requires` conditions + will automatically be considered an owner of this list.' + type: string + ownership_requires: + description: ownership_requires describes the requirements for a user + to be an owner of the access list. For ownership of an access list + to be effective, the user must meet the requirements of ownership_requires + and must be in the owners list. 
+ nullable: true + properties: + roles: + description: roles are the user roles that must be present for + the user to obtain access. + items: + type: string + nullable: true + type: array + traits: + additionalProperties: + items: + type: string + type: array + description: traits are the traits that must be present for the + user to obtain access. + type: object + type: object + title: + description: title is a plaintext short description of the access + list. + type: string + type: object + status: + description: Status defines the observed state of the Teleport resource + properties: + conditions: + description: Conditions represent the latest available observations + of an object's state + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. 
+ maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + teleportResourceID: + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null 
diff --git a/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_githubconnectors.yaml b/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_githubconnectors.yaml index 40bbc08..b96d4eb 100644 --- a/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_githubconnectors.yaml +++ b/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_githubconnectors.yaml 
@@ -78,50 +78,49 @@ spec: type: array type: object status: - description: TeleportGithubConnectorStatus defines the observed state - of TeleportGithubConnector + description: Status defines the observed state of the Teleport resource properties: conditions: description: Conditions represent the latest available observations of an object's state items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. 
+ description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -135,11 +134,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_loginrules.yaml b/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_loginrules.yaml index 7b5adc6..7b5928c 100644 --- a/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_loginrules.yaml +++ b/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_loginrules.yaml 
@@ -57,48 +57,49 @@ spec: type: object type: object status: + description: Status defines the observed state of the Teleport resource properties: conditions: description: Conditions represent the latest available observations of an object's state items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. 
If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -112,11 +113,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_oidcconnectors.yaml b/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_oidcconnectors.yaml index 1dc0e16..087bdc7 100644 --- a/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_oidcconnectors.yaml +++ b/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_oidcconnectors.yaml 
@@ -123,50 +123,49 @@ spec: type: string type: object status: - description: TeleportOIDCConnectorStatus defines the observed state of - TeleportOIDCConnector + description: Status defines the observed state of the Teleport resource properties: conditions: description: Conditions represent the latest available observations of an object's state items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. 
+ description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -180,11 +179,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_oktaimportrules.yaml b/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_oktaimportrules.yaml index 071d628..f6077e4 100644 --- a/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_oktaimportrules.yaml +++ b/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_oktaimportrules.yaml 
@@ -95,48 +95,49 @@ spec: type: integer type: object status: + description: Status defines the observed state of the Teleport resource properties: conditions: description: Conditions represent the latest available observations of an object's state items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. 
If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -150,11 +151,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_provisiontokens.yaml b/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_provisiontokens.yaml index dda4dd5..4aac748 100644 --- a/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_provisiontokens.yaml +++ b/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_provisiontokens.yaml 
@@ -330,50 +330,49 @@ spec: type: object type: object status: - description: TeleportProvisionTokenStatus defines the observed state of - TeleportProvisionToken + description: Status defines the observed state of the Teleport resource properties: conditions: description: Conditions represent the latest available observations of an object's state items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. 
+ description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -387,11 +386,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_roles.yaml b/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_roles.yaml index f02463b..810caf4 100644 --- a/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_roles.yaml +++ b/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_roles.yaml 
@@ -1128,49 +1128,49 @@ spec: type: object type: object status: - description: TeleportRoleStatus defines the observed state of TeleportRole + description: Status defines the observed state of the Teleport resource properties: conditions: description: Conditions represent the latest available observations of an object's state items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. 
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -1184,11 +1184,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string 
@@ -2325,49 +2326,49 @@ spec: type: object type: object status: - description: TeleportRoleStatus defines the observed state of TeleportRole + description: Status defines the observed state of the Teleport resource properties: conditions: description: Conditions represent the latest available observations of an object's state items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. 
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -2381,11 +2382,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_rolesv6.yaml b/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_rolesv6.yaml new file mode 100644 index 0000000..ff98950 --- /dev/null +++ b/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_rolesv6.yaml 
@@ -0,0 +1,1221 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: teleportrolesv6.resources.teleport.dev +spec: + group: resources.teleport.dev + names: + kind: TeleportRoleV6 + listKind: TeleportRoleV6List + plural: teleportrolesv6 + shortNames: + - rolev6 + - rolesv6 + singular: teleportrolev6 + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: RoleV6 is the Schema for the rolesv6 API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Role resource definition v6 from Teleport + properties: + allow: + description: Allow is the set of conditions evaluated to grant access. + properties: + app_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: AppLabels is a map of labels used as part of the + RBAC system. + type: object + app_labels_expression: + description: AppLabelsExpression is a predicate expression used + to allow/deny access to Apps. + type: string + aws_role_arns: + description: AWSRoleARNs is a list of AWS role ARNs this role + is allowed to assume. + items: + type: string + nullable: true + type: array + azure_identities: + description: AzureIdentities is a list of Azure identities this + role is allowed to assume. 
+ items: + type: string + nullable: true + type: array + cluster_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: ClusterLabels is a map of node labels (used to dynamically + grant access to clusters). + type: object + cluster_labels_expression: + description: ClusterLabelsExpression is a predicate expression + used to allow/deny access to remote Teleport clusters. + type: string + db_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: DatabaseLabels are used in RBAC system to allow/deny + access to databases. + type: object + db_labels_expression: + description: DatabaseLabelsExpression is a predicate expression + used to allow/deny access to Databases. + type: string + db_names: + description: DatabaseNames is a list of database names this role + is allowed to connect to. + items: + type: string + nullable: true + type: array + db_roles: + description: DatabaseRoles is a list of databases roles for automatic + user creation. + items: + type: string + nullable: true + type: array + db_service_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: DatabaseServiceLabels are used in RBAC system to + allow/deny access to Database Services. + type: object + db_service_labels_expression: + description: DatabaseServiceLabelsExpression is a predicate expression + used to allow/deny access to Database Services. + type: string + db_users: + description: DatabaseUsers is a list of databases users this role + is allowed to connect as. + items: + type: string + nullable: true + type: array + desktop_groups: + description: DesktopGroups is a list of groups for created desktop + users to be added to + items: + type: string + nullable: true + type: array + gcp_service_accounts: + description: GCPServiceAccounts is a list of GCP service accounts + this role is allowed to assume. 
+ items: + type: string + nullable: true + type: array + group_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: GroupLabels is a map of labels used as part of the + RBAC system. + type: object + group_labels_expression: + description: GroupLabelsExpression is a predicate expression used + to allow/deny access to user groups. + type: string + host_groups: + description: HostGroups is a list of groups for created users + to be added to + items: + type: string + nullable: true + type: array + host_sudoers: + description: HostSudoers is a list of entries to include in a + users sudoer file + items: + type: string + nullable: true + type: array + impersonate: + description: Impersonate specifies what users and roles this role + is allowed to impersonate by issuing certificates or other possible + means. + nullable: true + properties: + roles: + description: Roles is a list of resources this role is allowed + to impersonate + items: + type: string + nullable: true + type: array + users: + description: Users is a list of resources this role is allowed + to impersonate, could be an empty list or a Wildcard pattern + items: + type: string + nullable: true + type: array + where: + description: Where specifies optional advanced matcher + type: string + type: object + join_sessions: + description: JoinSessions specifies policies to allow users to + join other sessions. + items: + properties: + kinds: + description: Kinds are the session kinds this policy applies + to. + items: + type: string + nullable: true + type: array + modes: + description: Modes is a list of permitted participant modes + for this policy. + items: + type: string + nullable: true + type: array + name: + description: Name is the name of the policy. + type: string + roles: + description: Roles is a list of roles that you can join + the session of. 
+ items: + type: string + nullable: true + type: array + type: object + nullable: true + type: array + kubernetes_groups: + description: KubeGroups is a list of kubernetes groups + items: + type: string + nullable: true + type: array + kubernetes_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: KubernetesLabels is a map of kubernetes cluster labels + used for RBAC. + type: object + kubernetes_labels_expression: + description: KubernetesLabelsExpression is a predicate expression + used to allow/deny access to kubernetes clusters. + type: string + kubernetes_resources: + description: KubernetesResources is the Kubernetes Resources this + Role grants access to. + items: + properties: + kind: + description: Kind specifies the Kubernetes Resource type. + At the moment only "pod" is supported. + type: string + name: + description: Name is the resource name. It supports wildcards. + type: string + namespace: + description: Namespace is the resource namespace. It supports + wildcards. + type: string + verbs: + description: Verbs are the allowed Kubernetes verbs for + the following resource. + items: + type: string + nullable: true + type: array + type: object + type: array + kubernetes_users: + description: KubeUsers is an optional kubernetes users to impersonate + items: + type: string + nullable: true + type: array + logins: + description: Logins is a list of *nix system logins. + items: + type: string + nullable: true + type: array + node_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: NodeLabels is a map of node labels (used to dynamically + grant access to nodes). + type: object + node_labels_expression: + description: NodeLabelsExpression is a predicate expression used + to allow/deny access to SSH nodes. 
+ type: string + request: + nullable: true + properties: + annotations: + additionalProperties: + items: + type: string + type: array + description: Annotations is a collection of annotations to + be programmatically appended to pending access requests + at the time of their creation. These annotations serve as + a mechanism to propagate extra information to plugins. Since + these annotations support variable interpolation syntax, + they also offer a mechanism for forwarding claims from an + external identity provider, to a plugin via {{ `{{external.trait_name}}` }} + style substitutions. + type: object + claims_to_roles: + description: ClaimsToRoles specifies a mapping from claims + (traits) to teleport roles. + items: + properties: + claim: + description: Claim is a claim name. + type: string + roles: + description: Roles is a list of static teleport roles + to match. + items: + type: string + nullable: true + type: array + value: + description: Value is a claim value to match. + type: string + type: object + type: array + max_duration: + description: MaxDuration is the amount of time the access + will be granted for. If this is zero, the default duration + is used. + format: duration + type: string + roles: + description: Roles is the name of roles which will match the + request rule. + items: + type: string + nullable: true + type: array + search_as_roles: + description: SearchAsRoles is a list of extra roles which + should apply to a user while they are searching for resources + as part of a Resource Access Request, and defines the underlying + roles which will be requested as part of any Resource Access + Request. + items: + type: string + nullable: true + type: array + suggested_reviewers: + description: SuggestedReviewers is a list of reviewer suggestions. These + can be teleport usernames, but that is not a requirement. 
+ items: + type: string + nullable: true + type: array + thresholds: + description: Thresholds is a list of thresholds, one of which + must be met in order for reviews to trigger a state-transition. If + no thresholds are provided, a default threshold of 1 for + approval and denial is used. + items: + properties: + approve: + description: Approve is the number of matching approvals + needed for state-transition. + format: int32 + type: integer + deny: + description: Deny is the number of denials needed for + state-transition. + format: int32 + type: integer + filter: + description: Filter is an optional predicate used to + determine which reviews count toward this threshold. + type: string + name: + description: Name is the optional human-readable name + of the threshold. + type: string + type: object + type: array + type: object + require_session_join: + description: RequireSessionJoin specifies policies for required + users to start a session. + items: + properties: + count: + description: Count is the amount of people that need to + be matched for this policy to be fulfilled. + format: int32 + type: integer + filter: + description: Filter is a predicate that determines what + users count towards this policy. + type: string + kinds: + description: Kinds are the session kinds this policy applies + to. + items: + type: string + nullable: true + type: array + modes: + description: Modes is the list of modes that may be used + to fulfill this policy. + items: + type: string + nullable: true + type: array + name: + description: Name is the name of the policy. + type: string + on_leave: + description: OnLeave is the behaviour that's used when the + policy is no longer fulfilled for a live session. + type: string + type: object + nullable: true + type: array + review_requests: + description: ReviewRequests defines conditions for submitting + access reviews. 
+ nullable: true + properties: + claims_to_roles: + description: ClaimsToRoles specifies a mapping from claims + (traits) to teleport roles. + items: + properties: + claim: + description: Claim is a claim name. + type: string + roles: + description: Roles is a list of static teleport roles + to match. + items: + type: string + nullable: true + type: array + value: + description: Value is a claim value to match. + type: string + type: object + type: array + preview_as_roles: + description: PreviewAsRoles is a list of extra roles which + should apply to a reviewer while they are viewing a Resource + Access Request for the purposes of viewing details such + as the hostname and labels of requested resources. + items: + type: string + nullable: true + type: array + roles: + description: Roles is the name of roles which may be reviewed. + items: + type: string + nullable: true + type: array + where: + description: Where is an optional predicate which further + limits which requests are reviewable. + type: string + type: object + rules: + description: Rules is a list of rules and their access levels. + Rules are a high level construct used for access control. + items: + properties: + actions: + description: Actions specifies optional actions taken when + this rule matches + items: + type: string + nullable: true + type: array + resources: + description: Resources is a list of resources + items: + type: string + nullable: true + type: array + verbs: + description: Verbs is a list of verbs + items: + type: string + nullable: true + type: array + where: + description: Where specifies optional advanced matcher + type: string + type: object + type: array + windows_desktop_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: WindowsDesktopLabels are used in the RBAC system + to allow/deny access to Windows desktops. 
+ type: object + windows_desktop_labels_expression: + description: WindowsDesktopLabelsExpression is a predicate expression + used to allow/deny access to Windows desktops. + type: string + windows_desktop_logins: + description: WindowsDesktopLogins is a list of desktop login names + allowed/denied for Windows desktops. + items: + type: string + nullable: true + type: array + type: object + deny: + description: Deny is the set of conditions evaluated to deny access. + Deny takes priority over allow. + properties: + app_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: AppLabels is a map of labels used as part of the + RBAC system. + type: object + app_labels_expression: + description: AppLabelsExpression is a predicate expression used + to allow/deny access to Apps. + type: string + aws_role_arns: + description: AWSRoleARNs is a list of AWS role ARNs this role + is allowed to assume. + items: + type: string + nullable: true + type: array + azure_identities: + description: AzureIdentities is a list of Azure identities this + role is allowed to assume. + items: + type: string + nullable: true + type: array + cluster_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: ClusterLabels is a map of node labels (used to dynamically + grant access to clusters). + type: object + cluster_labels_expression: + description: ClusterLabelsExpression is a predicate expression + used to allow/deny access to remote Teleport clusters. + type: string + db_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: DatabaseLabels are used in RBAC system to allow/deny + access to databases. + type: object + db_labels_expression: + description: DatabaseLabelsExpression is a predicate expression + used to allow/deny access to Databases. + type: string + db_names: + description: DatabaseNames is a list of database names this role + is allowed to connect to. 
+ items: + type: string + nullable: true + type: array + db_roles: + description: DatabaseRoles is a list of databases roles for automatic + user creation. + items: + type: string + nullable: true + type: array + db_service_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: DatabaseServiceLabels are used in RBAC system to + allow/deny access to Database Services. + type: object + db_service_labels_expression: + description: DatabaseServiceLabelsExpression is a predicate expression + used to allow/deny access to Database Services. + type: string + db_users: + description: DatabaseUsers is a list of databases users this role + is allowed to connect as. + items: + type: string + nullable: true + type: array + desktop_groups: + description: DesktopGroups is a list of groups for created desktop + users to be added to + items: + type: string + nullable: true + type: array + gcp_service_accounts: + description: GCPServiceAccounts is a list of GCP service accounts + this role is allowed to assume. + items: + type: string + nullable: true + type: array + group_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: GroupLabels is a map of labels used as part of the + RBAC system. + type: object + group_labels_expression: + description: GroupLabelsExpression is a predicate expression used + to allow/deny access to user groups. + type: string + host_groups: + description: HostGroups is a list of groups for created users + to be added to + items: + type: string + nullable: true + type: array + host_sudoers: + description: HostSudoers is a list of entries to include in a + users sudoer file + items: + type: string + nullable: true + type: array + impersonate: + description: Impersonate specifies what users and roles this role + is allowed to impersonate by issuing certificates or other possible + means. 
+ nullable: true + properties: + roles: + description: Roles is a list of resources this role is allowed + to impersonate + items: + type: string + nullable: true + type: array + users: + description: Users is a list of resources this role is allowed + to impersonate, could be an empty list or a Wildcard pattern + items: + type: string + nullable: true + type: array + where: + description: Where specifies optional advanced matcher + type: string + type: object + join_sessions: + description: JoinSessions specifies policies to allow users to + join other sessions. + items: + properties: + kinds: + description: Kinds are the session kinds this policy applies + to. + items: + type: string + nullable: true + type: array + modes: + description: Modes is a list of permitted participant modes + for this policy. + items: + type: string + nullable: true + type: array + name: + description: Name is the name of the policy. + type: string + roles: + description: Roles is a list of roles that you can join + the session of. + items: + type: string + nullable: true + type: array + type: object + nullable: true + type: array + kubernetes_groups: + description: KubeGroups is a list of kubernetes groups + items: + type: string + nullable: true + type: array + kubernetes_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: KubernetesLabels is a map of kubernetes cluster labels + used for RBAC. + type: object + kubernetes_labels_expression: + description: KubernetesLabelsExpression is a predicate expression + used to allow/deny access to kubernetes clusters. + type: string + kubernetes_resources: + description: KubernetesResources is the Kubernetes Resources this + Role grants access to. + items: + properties: + kind: + description: Kind specifies the Kubernetes Resource type. + At the moment only "pod" is supported. + type: string + name: + description: Name is the resource name. It supports wildcards. 
+ type: string + namespace: + description: Namespace is the resource namespace. It supports + wildcards. + type: string + verbs: + description: Verbs are the allowed Kubernetes verbs for + the following resource. + items: + type: string + nullable: true + type: array + type: object + type: array + kubernetes_users: + description: KubeUsers is an optional kubernetes users to impersonate + items: + type: string + nullable: true + type: array + logins: + description: Logins is a list of *nix system logins. + items: + type: string + nullable: true + type: array + node_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: NodeLabels is a map of node labels (used to dynamically + grant access to nodes). + type: object + node_labels_expression: + description: NodeLabelsExpression is a predicate expression used + to allow/deny access to SSH nodes. + type: string + request: + nullable: true + properties: + annotations: + additionalProperties: + items: + type: string + type: array + description: Annotations is a collection of annotations to + be programmatically appended to pending access requests + at the time of their creation. These annotations serve as + a mechanism to propagate extra information to plugins. Since + these annotations support variable interpolation syntax, + they also offer a mechanism for forwarding claims from an + external identity provider, to a plugin via {{ `{{external.trait_name}}` }} + style substitutions. + type: object + claims_to_roles: + description: ClaimsToRoles specifies a mapping from claims + (traits) to teleport roles. + items: + properties: + claim: + description: Claim is a claim name. + type: string + roles: + description: Roles is a list of static teleport roles + to match. + items: + type: string + nullable: true + type: array + value: + description: Value is a claim value to match. 
+ type: string + type: object + type: array + max_duration: + description: MaxDuration is the amount of time the access + will be granted for. If this is zero, the default duration + is used. + format: duration + type: string + roles: + description: Roles is the name of roles which will match the + request rule. + items: + type: string + nullable: true + type: array + search_as_roles: + description: SearchAsRoles is a list of extra roles which + should apply to a user while they are searching for resources + as part of a Resource Access Request, and defines the underlying + roles which will be requested as part of any Resource Access + Request. + items: + type: string + nullable: true + type: array + suggested_reviewers: + description: SuggestedReviewers is a list of reviewer suggestions. These + can be teleport usernames, but that is not a requirement. + items: + type: string + nullable: true + type: array + thresholds: + description: Thresholds is a list of thresholds, one of which + must be met in order for reviews to trigger a state-transition. If + no thresholds are provided, a default threshold of 1 for + approval and denial is used. + items: + properties: + approve: + description: Approve is the number of matching approvals + needed for state-transition. + format: int32 + type: integer + deny: + description: Deny is the number of denials needed for + state-transition. + format: int32 + type: integer + filter: + description: Filter is an optional predicate used to + determine which reviews count toward this threshold. + type: string + name: + description: Name is the optional human-readable name + of the threshold. + type: string + type: object + type: array + type: object + require_session_join: + description: RequireSessionJoin specifies policies for required + users to start a session. + items: + properties: + count: + description: Count is the amount of people that need to + be matched for this policy to be fulfilled. 
+ format: int32 + type: integer + filter: + description: Filter is a predicate that determines what + users count towards this policy. + type: string + kinds: + description: Kinds are the session kinds this policy applies + to. + items: + type: string + nullable: true + type: array + modes: + description: Modes is the list of modes that may be used + to fulfill this policy. + items: + type: string + nullable: true + type: array + name: + description: Name is the name of the policy. + type: string + on_leave: + description: OnLeave is the behaviour that's used when the + policy is no longer fulfilled for a live session. + type: string + type: object + nullable: true + type: array + review_requests: + description: ReviewRequests defines conditions for submitting + access reviews. + nullable: true + properties: + claims_to_roles: + description: ClaimsToRoles specifies a mapping from claims + (traits) to teleport roles. + items: + properties: + claim: + description: Claim is a claim name. + type: string + roles: + description: Roles is a list of static teleport roles + to match. + items: + type: string + nullable: true + type: array + value: + description: Value is a claim value to match. + type: string + type: object + type: array + preview_as_roles: + description: PreviewAsRoles is a list of extra roles which + should apply to a reviewer while they are viewing a Resource + Access Request for the purposes of viewing details such + as the hostname and labels of requested resources. + items: + type: string + nullable: true + type: array + roles: + description: Roles is the name of roles which may be reviewed. + items: + type: string + nullable: true + type: array + where: + description: Where is an optional predicate which further + limits which requests are reviewable. + type: string + type: object + rules: + description: Rules is a list of rules and their access levels. + Rules are a high level construct used for access control. 
+ items: + properties: + actions: + description: Actions specifies optional actions taken when + this rule matches + items: + type: string + nullable: true + type: array + resources: + description: Resources is a list of resources + items: + type: string + nullable: true + type: array + verbs: + description: Verbs is a list of verbs + items: + type: string + nullable: true + type: array + where: + description: Where specifies optional advanced matcher + type: string + type: object + type: array + windows_desktop_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: WindowsDesktopLabels are used in the RBAC system + to allow/deny access to Windows desktops. + type: object + windows_desktop_labels_expression: + description: WindowsDesktopLabelsExpression is a predicate expression + used to allow/deny access to Windows desktops. + type: string + windows_desktop_logins: + description: WindowsDesktopLogins is a list of desktop login names + allowed/denied for Windows desktops. + items: + type: string + nullable: true + type: array + type: object + options: + description: Options is for OpenSSH options like agent forwarding. + properties: + cert_extensions: + description: CertExtensions specifies the key/values + items: + properties: + mode: + description: Mode is the type of extension to be used -- + currently critical-option is not supported + x-kubernetes-int-or-string: true + name: + description: Name specifies the key to be used in the cert + extension. + type: string + type: + description: Type represents the certificate type being + extended, only ssh is supported at this time. + x-kubernetes-int-or-string: true + value: + description: Value specifies the value to be used in the + cert extension. + type: string + type: object + nullable: true + type: array + cert_format: + description: CertificateFormat defines the format of the user + certificate to allow compatibility with older versions of OpenSSH. 
+ type: string + client_idle_timeout: + description: ClientIdleTimeout sets disconnect clients on idle + timeout behavior, if set to 0 means do not disconnect, otherwise + is set to the idle duration. + format: duration + type: string + create_db_user: + description: CreateDatabaseUser enabled automatic database user + creation. + type: boolean + create_db_user_mode: + description: CreateDatabaseUserMode allows users to be automatically + created on a database when not set to off. + x-kubernetes-int-or-string: true + create_desktop_user: + description: CreateDesktopUser allows users to be automatically + created on a Windows desktop + type: boolean + create_host_user: + description: CreateHostUser allows users to be automatically created + on a host + type: boolean + create_host_user_mode: + description: CreateHostUserMode allows users to be automatically + created on a host when not set to off + x-kubernetes-int-or-string: true + desktop_clipboard: + description: DesktopClipboard indicates whether clipboard sharing + is allowed between the user's workstation and the remote desktop. + It defaults to true unless explicitly set to false. + type: boolean + desktop_directory_sharing: + description: DesktopDirectorySharing indicates whether directory + sharing is allowed between the user's workstation and the remote + desktop. It defaults to false unless explicitly set to true. + type: boolean + device_trust_mode: + description: DeviceTrustMode is the device authorization mode + used for the resources associated with the role. See DeviceTrust.Mode. + Reserved for future use, not yet used by Teleport. + type: string + disconnect_expired_cert: + description: DisconnectExpiredCert sets disconnect clients on + expired certificates. + type: boolean + enhanced_recording: + description: BPF defines what events to record for the BPF-based + session recorder. 
+ items: + type: string + nullable: true + type: array + forward_agent: + description: ForwardAgent is SSH agent forwarding. + type: boolean + idp: + description: IDP is a set of options related to accessing IdPs + within Teleport. Requires Teleport Enterprise. + nullable: true + properties: + saml: + description: SAML are options related to the Teleport SAML + IdP. + nullable: true + properties: + enabled: + description: Enabled is set to true if this option allows + access to the Teleport SAML IdP. + type: boolean + type: object + type: object + lock: + description: Lock specifies the locking mode (strict|best_effort) + to be applied with the role. + type: string + max_connections: + description: MaxConnections defines the maximum number of concurrent + connections a user may hold. + format: int64 + type: integer + max_kubernetes_connections: + description: MaxKubernetesConnections defines the maximum number + of concurrent Kubernetes sessions a user may hold. + format: int64 + type: integer + max_session_ttl: + description: MaxSessionTTL defines how long a SSH session can + last for. + format: duration + type: string + max_sessions: + description: MaxSessions defines the maximum number of concurrent + sessions per connection. + format: int64 + type: integer + permit_x11_forwarding: + description: PermitX11Forwarding authorizes use of X11 forwarding. + type: boolean + pin_source_ip: + description: PinSourceIP forces the same client IP for certificate + generation and usage + type: boolean + port_forwarding: + description: PortForwarding defines if the certificate will have + "permit-port-forwarding" in the certificate. PortForwarding + is "yes" if not set, that's why this is a pointer + type: boolean + record_session: + description: RecordDesktopSession indicates whether desktop access + sessions should be recorded. It defaults to true unless explicitly + set to false. 
+ nullable: true + properties: + default: + description: Default indicates the default value for the services. + type: string + desktop: + description: Desktop indicates whether desktop sessions should + be recorded. It defaults to true unless explicitly set to + false. + type: boolean + ssh: + description: SSH indicates the session mode used on SSH sessions. + type: string + type: object + request_access: + description: RequestAccess defines the access request strategy + (optional|note|always) where optional is the default. + type: string + request_prompt: + description: RequestPrompt is an optional message which tells + users what they aught to request. + type: string + require_session_mfa: + description: RequireMFAType is the type of MFA requirement enforced + for this user. + x-kubernetes-int-or-string: true + ssh_file_copy: + description: SSHFileCopy indicates whether remote file operations + via SCP or SFTP are allowed over an SSH session. It defaults + to true unless explicitly set to false. + type: boolean + type: object + type: object + status: + description: Status defines the observed state of the Teleport resource + properties: + conditions: + description: Conditions represent the latest available observations + of an object's state + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. 
For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + teleportResourceID: + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_rolesv7.yaml b/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_rolesv7.yaml new file mode 100644 index 0000000..aef9220 --- /dev/null +++ b/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_rolesv7.yaml 
@@ -0,0 +1,1221 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: teleportrolesv7.resources.teleport.dev +spec: + group: resources.teleport.dev + names: + kind: TeleportRoleV7 + listKind: TeleportRoleV7List + plural: teleportrolesv7 + shortNames: + - rolev7 + - rolesv7 + singular: teleportrolev7 + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: RoleV7 is the Schema for the rolesv7 API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Role resource definition v7 from Teleport + properties: + allow: + description: Allow is the set of conditions evaluated to grant access. + properties: + app_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: AppLabels is a map of labels used as part of the + RBAC system. + type: object + app_labels_expression: + description: AppLabelsExpression is a predicate expression used + to allow/deny access to Apps. + type: string + aws_role_arns: + description: AWSRoleARNs is a list of AWS role ARNs this role + is allowed to assume. + items: + type: string + nullable: true + type: array + azure_identities: + description: AzureIdentities is a list of Azure identities this + role is allowed to assume. 
+ items: + type: string + nullable: true + type: array + cluster_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: ClusterLabels is a map of node labels (used to dynamically + grant access to clusters). + type: object + cluster_labels_expression: + description: ClusterLabelsExpression is a predicate expression + used to allow/deny access to remote Teleport clusters. + type: string + db_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: DatabaseLabels are used in RBAC system to allow/deny + access to databases. + type: object + db_labels_expression: + description: DatabaseLabelsExpression is a predicate expression + used to allow/deny access to Databases. + type: string + db_names: + description: DatabaseNames is a list of database names this role + is allowed to connect to. + items: + type: string + nullable: true + type: array + db_roles: + description: DatabaseRoles is a list of databases roles for automatic + user creation. + items: + type: string + nullable: true + type: array + db_service_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: DatabaseServiceLabels are used in RBAC system to + allow/deny access to Database Services. + type: object + db_service_labels_expression: + description: DatabaseServiceLabelsExpression is a predicate expression + used to allow/deny access to Database Services. + type: string + db_users: + description: DatabaseUsers is a list of databases users this role + is allowed to connect as. + items: + type: string + nullable: true + type: array + desktop_groups: + description: DesktopGroups is a list of groups for created desktop + users to be added to + items: + type: string + nullable: true + type: array + gcp_service_accounts: + description: GCPServiceAccounts is a list of GCP service accounts + this role is allowed to assume. 
+ items: + type: string + nullable: true + type: array + group_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: GroupLabels is a map of labels used as part of the + RBAC system. + type: object + group_labels_expression: + description: GroupLabelsExpression is a predicate expression used + to allow/deny access to user groups. + type: string + host_groups: + description: HostGroups is a list of groups for created users + to be added to + items: + type: string + nullable: true + type: array + host_sudoers: + description: HostSudoers is a list of entries to include in a + users sudoer file + items: + type: string + nullable: true + type: array + impersonate: + description: Impersonate specifies what users and roles this role + is allowed to impersonate by issuing certificates or other possible + means. + nullable: true + properties: + roles: + description: Roles is a list of resources this role is allowed + to impersonate + items: + type: string + nullable: true + type: array + users: + description: Users is a list of resources this role is allowed + to impersonate, could be an empty list or a Wildcard pattern + items: + type: string + nullable: true + type: array + where: + description: Where specifies optional advanced matcher + type: string + type: object + join_sessions: + description: JoinSessions specifies policies to allow users to + join other sessions. + items: + properties: + kinds: + description: Kinds are the session kinds this policy applies + to. + items: + type: string + nullable: true + type: array + modes: + description: Modes is a list of permitted participant modes + for this policy. + items: + type: string + nullable: true + type: array + name: + description: Name is the name of the policy. + type: string + roles: + description: Roles is a list of roles that you can join + the session of. 
+ items: + type: string + nullable: true + type: array + type: object + nullable: true + type: array + kubernetes_groups: + description: KubeGroups is a list of kubernetes groups + items: + type: string + nullable: true + type: array + kubernetes_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: KubernetesLabels is a map of kubernetes cluster labels + used for RBAC. + type: object + kubernetes_labels_expression: + description: KubernetesLabelsExpression is a predicate expression + used to allow/deny access to kubernetes clusters. + type: string + kubernetes_resources: + description: KubernetesResources is the Kubernetes Resources this + Role grants access to. + items: + properties: + kind: + description: Kind specifies the Kubernetes Resource type. + At the moment only "pod" is supported. + type: string + name: + description: Name is the resource name. It supports wildcards. + type: string + namespace: + description: Namespace is the resource namespace. It supports + wildcards. + type: string + verbs: + description: Verbs are the allowed Kubernetes verbs for + the following resource. + items: + type: string + nullable: true + type: array + type: object + type: array + kubernetes_users: + description: KubeUsers is an optional kubernetes users to impersonate + items: + type: string + nullable: true + type: array + logins: + description: Logins is a list of *nix system logins. + items: + type: string + nullable: true + type: array + node_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: NodeLabels is a map of node labels (used to dynamically + grant access to nodes). + type: object + node_labels_expression: + description: NodeLabelsExpression is a predicate expression used + to allow/deny access to SSH nodes. 
+ type: string + request: + nullable: true + properties: + annotations: + additionalProperties: + items: + type: string + type: array + description: Annotations is a collection of annotations to + be programmatically appended to pending access requests + at the time of their creation. These annotations serve as + a mechanism to propagate extra information to plugins. Since + these annotations support variable interpolation syntax, + they also offer a mechanism for forwarding claims from an + external identity provider, to a plugin via {{ `{{external.trait_name}}` }} + style substitutions. + type: object + claims_to_roles: + description: ClaimsToRoles specifies a mapping from claims + (traits) to teleport roles. + items: + properties: + claim: + description: Claim is a claim name. + type: string + roles: + description: Roles is a list of static teleport roles + to match. + items: + type: string + nullable: true + type: array + value: + description: Value is a claim value to match. + type: string + type: object + type: array + max_duration: + description: MaxDuration is the amount of time the access + will be granted for. If this is zero, the default duration + is used. + format: duration + type: string + roles: + description: Roles is the name of roles which will match the + request rule. + items: + type: string + nullable: true + type: array + search_as_roles: + description: SearchAsRoles is a list of extra roles which + should apply to a user while they are searching for resources + as part of a Resource Access Request, and defines the underlying + roles which will be requested as part of any Resource Access + Request. + items: + type: string + nullable: true + type: array + suggested_reviewers: + description: SuggestedReviewers is a list of reviewer suggestions. These + can be teleport usernames, but that is not a requirement. 
+ items: + type: string + nullable: true + type: array + thresholds: + description: Thresholds is a list of thresholds, one of which + must be met in order for reviews to trigger a state-transition. If + no thresholds are provided, a default threshold of 1 for + approval and denial is used. + items: + properties: + approve: + description: Approve is the number of matching approvals + needed for state-transition. + format: int32 + type: integer + deny: + description: Deny is the number of denials needed for + state-transition. + format: int32 + type: integer + filter: + description: Filter is an optional predicate used to + determine which reviews count toward this threshold. + type: string + name: + description: Name is the optional human-readable name + of the threshold. + type: string + type: object + type: array + type: object + require_session_join: + description: RequireSessionJoin specifies policies for required + users to start a session. + items: + properties: + count: + description: Count is the amount of people that need to + be matched for this policy to be fulfilled. + format: int32 + type: integer + filter: + description: Filter is a predicate that determines what + users count towards this policy. + type: string + kinds: + description: Kinds are the session kinds this policy applies + to. + items: + type: string + nullable: true + type: array + modes: + description: Modes is the list of modes that may be used + to fulfill this policy. + items: + type: string + nullable: true + type: array + name: + description: Name is the name of the policy. + type: string + on_leave: + description: OnLeave is the behaviour that's used when the + policy is no longer fulfilled for a live session. + type: string + type: object + nullable: true + type: array + review_requests: + description: ReviewRequests defines conditions for submitting + access reviews. 
+ nullable: true + properties: + claims_to_roles: + description: ClaimsToRoles specifies a mapping from claims + (traits) to teleport roles. + items: + properties: + claim: + description: Claim is a claim name. + type: string + roles: + description: Roles is a list of static teleport roles + to match. + items: + type: string + nullable: true + type: array + value: + description: Value is a claim value to match. + type: string + type: object + type: array + preview_as_roles: + description: PreviewAsRoles is a list of extra roles which + should apply to a reviewer while they are viewing a Resource + Access Request for the purposes of viewing details such + as the hostname and labels of requested resources. + items: + type: string + nullable: true + type: array + roles: + description: Roles is the name of roles which may be reviewed. + items: + type: string + nullable: true + type: array + where: + description: Where is an optional predicate which further + limits which requests are reviewable. + type: string + type: object + rules: + description: Rules is a list of rules and their access levels. + Rules are a high level construct used for access control. + items: + properties: + actions: + description: Actions specifies optional actions taken when + this rule matches + items: + type: string + nullable: true + type: array + resources: + description: Resources is a list of resources + items: + type: string + nullable: true + type: array + verbs: + description: Verbs is a list of verbs + items: + type: string + nullable: true + type: array + where: + description: Where specifies optional advanced matcher + type: string + type: object + type: array + windows_desktop_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: WindowsDesktopLabels are used in the RBAC system + to allow/deny access to Windows desktops. 
+ type: object + windows_desktop_labels_expression: + description: WindowsDesktopLabelsExpression is a predicate expression + used to allow/deny access to Windows desktops. + type: string + windows_desktop_logins: + description: WindowsDesktopLogins is a list of desktop login names + allowed/denied for Windows desktops. + items: + type: string + nullable: true + type: array + type: object + deny: + description: Deny is the set of conditions evaluated to deny access. + Deny takes priority over allow. + properties: + app_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: AppLabels is a map of labels used as part of the + RBAC system. + type: object + app_labels_expression: + description: AppLabelsExpression is a predicate expression used + to allow/deny access to Apps. + type: string + aws_role_arns: + description: AWSRoleARNs is a list of AWS role ARNs this role + is allowed to assume. + items: + type: string + nullable: true + type: array + azure_identities: + description: AzureIdentities is a list of Azure identities this + role is allowed to assume. + items: + type: string + nullable: true + type: array + cluster_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: ClusterLabels is a map of node labels (used to dynamically + grant access to clusters). + type: object + cluster_labels_expression: + description: ClusterLabelsExpression is a predicate expression + used to allow/deny access to remote Teleport clusters. + type: string + db_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: DatabaseLabels are used in RBAC system to allow/deny + access to databases. + type: object + db_labels_expression: + description: DatabaseLabelsExpression is a predicate expression + used to allow/deny access to Databases. + type: string + db_names: + description: DatabaseNames is a list of database names this role + is allowed to connect to. 
+ items: + type: string + nullable: true + type: array + db_roles: + description: DatabaseRoles is a list of databases roles for automatic + user creation. + items: + type: string + nullable: true + type: array + db_service_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: DatabaseServiceLabels are used in RBAC system to + allow/deny access to Database Services. + type: object + db_service_labels_expression: + description: DatabaseServiceLabelsExpression is a predicate expression + used to allow/deny access to Database Services. + type: string + db_users: + description: DatabaseUsers is a list of databases users this role + is allowed to connect as. + items: + type: string + nullable: true + type: array + desktop_groups: + description: DesktopGroups is a list of groups for created desktop + users to be added to + items: + type: string + nullable: true + type: array + gcp_service_accounts: + description: GCPServiceAccounts is a list of GCP service accounts + this role is allowed to assume. + items: + type: string + nullable: true + type: array + group_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: GroupLabels is a map of labels used as part of the + RBAC system. + type: object + group_labels_expression: + description: GroupLabelsExpression is a predicate expression used + to allow/deny access to user groups. + type: string + host_groups: + description: HostGroups is a list of groups for created users + to be added to + items: + type: string + nullable: true + type: array + host_sudoers: + description: HostSudoers is a list of entries to include in a + users sudoer file + items: + type: string + nullable: true + type: array + impersonate: + description: Impersonate specifies what users and roles this role + is allowed to impersonate by issuing certificates or other possible + means. 
+ nullable: true + properties: + roles: + description: Roles is a list of resources this role is allowed + to impersonate + items: + type: string + nullable: true + type: array + users: + description: Users is a list of resources this role is allowed + to impersonate, could be an empty list or a Wildcard pattern + items: + type: string + nullable: true + type: array + where: + description: Where specifies optional advanced matcher + type: string + type: object + join_sessions: + description: JoinSessions specifies policies to allow users to + join other sessions. + items: + properties: + kinds: + description: Kinds are the session kinds this policy applies + to. + items: + type: string + nullable: true + type: array + modes: + description: Modes is a list of permitted participant modes + for this policy. + items: + type: string + nullable: true + type: array + name: + description: Name is the name of the policy. + type: string + roles: + description: Roles is a list of roles that you can join + the session of. + items: + type: string + nullable: true + type: array + type: object + nullable: true + type: array + kubernetes_groups: + description: KubeGroups is a list of kubernetes groups + items: + type: string + nullable: true + type: array + kubernetes_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: KubernetesLabels is a map of kubernetes cluster labels + used for RBAC. + type: object + kubernetes_labels_expression: + description: KubernetesLabelsExpression is a predicate expression + used to allow/deny access to kubernetes clusters. + type: string + kubernetes_resources: + description: KubernetesResources is the Kubernetes Resources this + Role grants access to. + items: + properties: + kind: + description: Kind specifies the Kubernetes Resource type. + At the moment only "pod" is supported. + type: string + name: + description: Name is the resource name. It supports wildcards. 
+ type: string + namespace: + description: Namespace is the resource namespace. It supports + wildcards. + type: string + verbs: + description: Verbs are the allowed Kubernetes verbs for + the following resource. + items: + type: string + nullable: true + type: array + type: object + type: array + kubernetes_users: + description: KubeUsers is an optional kubernetes users to impersonate + items: + type: string + nullable: true + type: array + logins: + description: Logins is a list of *nix system logins. + items: + type: string + nullable: true + type: array + node_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: NodeLabels is a map of node labels (used to dynamically + grant access to nodes). + type: object + node_labels_expression: + description: NodeLabelsExpression is a predicate expression used + to allow/deny access to SSH nodes. + type: string + request: + nullable: true + properties: + annotations: + additionalProperties: + items: + type: string + type: array + description: Annotations is a collection of annotations to + be programmatically appended to pending access requests + at the time of their creation. These annotations serve as + a mechanism to propagate extra information to plugins. Since + these annotations support variable interpolation syntax, + they also offer a mechanism for forwarding claims from an + external identity provider, to a plugin via {{ `{{external.trait_name}}` }} + style substitutions. + type: object + claims_to_roles: + description: ClaimsToRoles specifies a mapping from claims + (traits) to teleport roles. + items: + properties: + claim: + description: Claim is a claim name. + type: string + roles: + description: Roles is a list of static teleport roles + to match. + items: + type: string + nullable: true + type: array + value: + description: Value is a claim value to match. 
+ type: string + type: object + type: array + max_duration: + description: MaxDuration is the amount of time the access + will be granted for. If this is zero, the default duration + is used. + format: duration + type: string + roles: + description: Roles is the name of roles which will match the + request rule. + items: + type: string + nullable: true + type: array + search_as_roles: + description: SearchAsRoles is a list of extra roles which + should apply to a user while they are searching for resources + as part of a Resource Access Request, and defines the underlying + roles which will be requested as part of any Resource Access + Request. + items: + type: string + nullable: true + type: array + suggested_reviewers: + description: SuggestedReviewers is a list of reviewer suggestions. These + can be teleport usernames, but that is not a requirement. + items: + type: string + nullable: true + type: array + thresholds: + description: Thresholds is a list of thresholds, one of which + must be met in order for reviews to trigger a state-transition. If + no thresholds are provided, a default threshold of 1 for + approval and denial is used. + items: + properties: + approve: + description: Approve is the number of matching approvals + needed for state-transition. + format: int32 + type: integer + deny: + description: Deny is the number of denials needed for + state-transition. + format: int32 + type: integer + filter: + description: Filter is an optional predicate used to + determine which reviews count toward this threshold. + type: string + name: + description: Name is the optional human-readable name + of the threshold. + type: string + type: object + type: array + type: object + require_session_join: + description: RequireSessionJoin specifies policies for required + users to start a session. + items: + properties: + count: + description: Count is the amount of people that need to + be matched for this policy to be fulfilled. 
+ format: int32 + type: integer + filter: + description: Filter is a predicate that determines what + users count towards this policy. + type: string + kinds: + description: Kinds are the session kinds this policy applies + to. + items: + type: string + nullable: true + type: array + modes: + description: Modes is the list of modes that may be used + to fulfill this policy. + items: + type: string + nullable: true + type: array + name: + description: Name is the name of the policy. + type: string + on_leave: + description: OnLeave is the behaviour that's used when the + policy is no longer fulfilled for a live session. + type: string + type: object + nullable: true + type: array + review_requests: + description: ReviewRequests defines conditions for submitting + access reviews. + nullable: true + properties: + claims_to_roles: + description: ClaimsToRoles specifies a mapping from claims + (traits) to teleport roles. + items: + properties: + claim: + description: Claim is a claim name. + type: string + roles: + description: Roles is a list of static teleport roles + to match. + items: + type: string + nullable: true + type: array + value: + description: Value is a claim value to match. + type: string + type: object + type: array + preview_as_roles: + description: PreviewAsRoles is a list of extra roles which + should apply to a reviewer while they are viewing a Resource + Access Request for the purposes of viewing details such + as the hostname and labels of requested resources. + items: + type: string + nullable: true + type: array + roles: + description: Roles is the name of roles which may be reviewed. + items: + type: string + nullable: true + type: array + where: + description: Where is an optional predicate which further + limits which requests are reviewable. + type: string + type: object + rules: + description: Rules is a list of rules and their access levels. + Rules are a high level construct used for access control. 
+ items: + properties: + actions: + description: Actions specifies optional actions taken when + this rule matches + items: + type: string + nullable: true + type: array + resources: + description: Resources is a list of resources + items: + type: string + nullable: true + type: array + verbs: + description: Verbs is a list of verbs + items: + type: string + nullable: true + type: array + where: + description: Where specifies optional advanced matcher + type: string + type: object + type: array + windows_desktop_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: WindowsDesktopLabels are used in the RBAC system + to allow/deny access to Windows desktops. + type: object + windows_desktop_labels_expression: + description: WindowsDesktopLabelsExpression is a predicate expression + used to allow/deny access to Windows desktops. + type: string + windows_desktop_logins: + description: WindowsDesktopLogins is a list of desktop login names + allowed/denied for Windows desktops. + items: + type: string + nullable: true + type: array + type: object + options: + description: Options is for OpenSSH options like agent forwarding. + properties: + cert_extensions: + description: CertExtensions specifies the key/values + items: + properties: + mode: + description: Mode is the type of extension to be used -- + currently critical-option is not supported + x-kubernetes-int-or-string: true + name: + description: Name specifies the key to be used in the cert + extension. + type: string + type: + description: Type represents the certificate type being + extended, only ssh is supported at this time. + x-kubernetes-int-or-string: true + value: + description: Value specifies the value to be used in the + cert extension. + type: string + type: object + nullable: true + type: array + cert_format: + description: CertificateFormat defines the format of the user + certificate to allow compatibility with older versions of OpenSSH. 
+ type: string + client_idle_timeout: + description: ClientIdleTimeout sets disconnect clients on idle + timeout behavior, if set to 0 means do not disconnect, otherwise + is set to the idle duration. + format: duration + type: string + create_db_user: + description: CreateDatabaseUser enabled automatic database user + creation. + type: boolean + create_db_user_mode: + description: CreateDatabaseUserMode allows users to be automatically + created on a database when not set to off. + x-kubernetes-int-or-string: true + create_desktop_user: + description: CreateDesktopUser allows users to be automatically + created on a Windows desktop + type: boolean + create_host_user: + description: CreateHostUser allows users to be automatically created + on a host + type: boolean + create_host_user_mode: + description: CreateHostUserMode allows users to be automatically + created on a host when not set to off + x-kubernetes-int-or-string: true + desktop_clipboard: + description: DesktopClipboard indicates whether clipboard sharing + is allowed between the user's workstation and the remote desktop. + It defaults to true unless explicitly set to false. + type: boolean + desktop_directory_sharing: + description: DesktopDirectorySharing indicates whether directory + sharing is allowed between the user's workstation and the remote + desktop. It defaults to false unless explicitly set to true. + type: boolean + device_trust_mode: + description: DeviceTrustMode is the device authorization mode + used for the resources associated with the role. See DeviceTrust.Mode. + Reserved for future use, not yet used by Teleport. + type: string + disconnect_expired_cert: + description: DisconnectExpiredCert sets disconnect clients on + expired certificates. + type: boolean + enhanced_recording: + description: BPF defines what events to record for the BPF-based + session recorder. 
+ items: + type: string + nullable: true + type: array + forward_agent: + description: ForwardAgent is SSH agent forwarding. + type: boolean + idp: + description: IDP is a set of options related to accessing IdPs + within Teleport. Requires Teleport Enterprise. + nullable: true + properties: + saml: + description: SAML are options related to the Teleport SAML + IdP. + nullable: true + properties: + enabled: + description: Enabled is set to true if this option allows + access to the Teleport SAML IdP. + type: boolean + type: object + type: object + lock: + description: Lock specifies the locking mode (strict|best_effort) + to be applied with the role. + type: string + max_connections: + description: MaxConnections defines the maximum number of concurrent + connections a user may hold. + format: int64 + type: integer + max_kubernetes_connections: + description: MaxKubernetesConnections defines the maximum number + of concurrent Kubernetes sessions a user may hold. + format: int64 + type: integer + max_session_ttl: + description: MaxSessionTTL defines how long a SSH session can + last for. + format: duration + type: string + max_sessions: + description: MaxSessions defines the maximum number of concurrent + sessions per connection. + format: int64 + type: integer + permit_x11_forwarding: + description: PermitX11Forwarding authorizes use of X11 forwarding. + type: boolean + pin_source_ip: + description: PinSourceIP forces the same client IP for certificate + generation and usage + type: boolean + port_forwarding: + description: PortForwarding defines if the certificate will have + "permit-port-forwarding" in the certificate. PortForwarding + is "yes" if not set, that's why this is a pointer + type: boolean + record_session: + description: RecordDesktopSession indicates whether desktop access + sessions should be recorded. It defaults to true unless explicitly + set to false. 
+ nullable: true + properties: + default: + description: Default indicates the default value for the services. + type: string + desktop: + description: Desktop indicates whether desktop sessions should + be recorded. It defaults to true unless explicitly set to + false. + type: boolean + ssh: + description: SSH indicates the session mode used on SSH sessions. + type: string + type: object + request_access: + description: RequestAccess defines the access request strategy + (optional|note|always) where optional is the default. + type: string + request_prompt: + description: RequestPrompt is an optional message which tells + users what they aught to request. + type: string + require_session_mfa: + description: RequireMFAType is the type of MFA requirement enforced + for this user. + x-kubernetes-int-or-string: true + ssh_file_copy: + description: SSHFileCopy indicates whether remote file operations + via SCP or SFTP are allowed over an SSH session. It defaults + to true unless explicitly set to false. + type: boolean + type: object + type: object + status: + description: Status defines the observed state of the Teleport resource + properties: + conditions: + description: Conditions represent the latest available observations + of an object's state + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. 
For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + teleportResourceID: + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_samlconnectors.yaml b/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_samlconnectors.yaml index c86cc91..caaa7f3 100644 --- a/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_samlconnectors.yaml +++ b/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_samlconnectors.yaml 
@@ -120,50 +120,49 @@ spec: type: string type: object status: - description: TeleportSAMLConnectorStatus defines the observed state of - TeleportSAMLConnector + description: Status defines the observed state of the Teleport resource properties: conditions: description: Conditions represent the latest available observations of an object's state items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. 
+ description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -177,11 +176,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_users.yaml b/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_users.yaml index 7e41bac..030a2b6 100644 --- a/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_users.yaml +++ b/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_users.yaml 
@@ -106,49 +106,49 @@ spec: type: array type: object status: - description: TeleportUserStatus defines the observed state of TeleportUser + description: Status defines the observed state of the Teleport resource properties: conditions: description: Conditions represent the latest available observations of an object's state items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. 
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -162,11 +162,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/teleport-cluster/charts/teleport-operator/templates/role.yaml b/teleport-cluster/charts/teleport-operator/templates/role.yaml new file mode 100644 index 0000000..4d4e0eb --- /dev/null +++ b/teleport-cluster/charts/teleport-operator/templates/role.yaml 
@@ -0,0 +1,55 @@ +{{- if .Values.enabled }} +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "teleport-cluster.operator.fullname" . }} + namespace: {{ .Release.Namespace }} +rules: + - apiGroups: + - "resources.teleport.dev" + resources: + - teleportroles + - teleportroles/status + - teleportrolesv6 + - teleportrolesv6/status + - teleportrolesv7 + - teleportrolesv7/status + - teleportusers + - teleportusers/status + - teleportgithubconnectors + - teleportgithubconnectors/status + - teleportoidcconnectors + - teleportoidcconnectors/status + - teleportsamlconnectors + - teleportsamlconnectors/status + - teleportloginrules + - teleportloginrules/status + - teleportprovisiontokens + - teleportprovisiontokens/status + - teleportoktaimportrules + - teleportoktaimportrules/status + - teleportaccesslists + - teleportaccesslists/status + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - "coordination.k8s.io" + resources: + - leases + verbs: + - create + - get + - update + - apiGroups: + - "" + resources: + - events + verbs: + - create +{{- end -}} +{{- end -}} diff --git a/teleport-cluster/charts/teleport-operator/templates/rolebinding.yaml b/teleport-cluster/charts/teleport-operator/templates/rolebinding.yaml new file mode 100644 index 0000000..a3425b5 --- /dev/null +++ b/teleport-cluster/charts/teleport-operator/templates/rolebinding.yaml 
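Review bot: The Role's `metadata` carries no labels, while the RoleBinding in the next file attaches `teleport-cluster.operator.labels`; the new serviceaccount.yaml has the same gap. Add `labels: {{- include "teleport-cluster.operator.labels" . | nindent 4 }}` after the `namespace:` line in both so the operator's RBAC objects can be selected and audited together. The rule set is reasonably scoped for a namespaced operator — no `create`/`delete` on the `resources.teleport.dev` kinds, leases limited to `create`/`get`/`update` — and that intent deserves a comment above `rules:` so later additions are measured against it, e.g. `# Least privilege: reconcile existing CRs only; no create/delete on resources.teleport.dev.`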
@@ -0,0 +1,17 @@ +{{- if .Values.enabled }} +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "teleport-cluster.operator.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: {{- include "teleport-cluster.operator.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "teleport-cluster.operator.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ include "teleport-cluster.operator.serviceAccountName" . }} +{{- end }} +{{- end }} diff --git a/teleport-cluster/charts/teleport-operator/templates/serviceaccount.yaml b/teleport-cluster/charts/teleport-operator/templates/serviceaccount.yaml new file mode 100644 index 0000000..13b3b0f --- /dev/null +++ b/teleport-cluster/charts/teleport-operator/templates/serviceaccount.yaml @@ -0,0 +1,12 @@ +{{- if .Values.enabled }} +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "teleport-cluster.operator.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + {{- if .Values.annotations.serviceAccount }} + annotations: {{- toYaml .Values.annotations.serviceAccount | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/teleport-cluster/charts/teleport-operator/tests/deployment_test.yaml b/teleport-cluster/charts/teleport-operator/tests/deployment_test.yaml new file mode 100644 index 0000000..56f8f51 --- /dev/null +++ b/teleport-cluster/charts/teleport-operator/tests/deployment_test.yaml 
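Review bot: The ServiceAccount subject on the last lines has no `namespace:`; a RoleBinding resolves an unqualified ServiceAccount subject to its own namespace, so this works, but policy and validation tooling commonly flags it and it reads as incomplete. Adding `namespace: {{ .Release.Namespace }}` under the subject's `name:` makes the binding self-describing at no cost and matches the explicit `namespace:` already set on the binding's own metadata.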
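Review bot: `name:` uses `{{ template ... }}` while every sibling template in this commit uses `include`; `name: {{ include "teleport-cluster.operator.serviceAccountName" . }}` keeps the style uniform and composes with pipelines. The deployment test further down asserts `automountServiceAccountToken: false` on the pod and mounts a projected token instead; setting `automountServiceAccountToken: false` on the ServiceAccount itself as well would make that default hold for any other pod that reuses the account (hedged — deployment.yaml is not in this chunk, so confirm the projected-token mount is unconditional).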
@@ -0,0 +1,199 @@ +suite: Operator Deployment +templates: + - deployment.yaml +tests: + - it: creates no deployment when operator is not enabled + values: + - ../.lint/disabled.yaml + asserts: + - hasDocuments: + count: 0 + + - it: creates a deployment when operator is enabled + values: + - ../.lint/cloud-join.yaml + asserts: + - containsDocument: + kind: Deployment + apiVersion: apps/v1 + name: RELEASE-NAME-teleport-operator + + - it: shortens fullname if .Release.Name == .Chart.Name + release: + name: teleport-operator + values: + - ../.lint/cloud-join.yaml + asserts: + - containsDocument: + kind: Deployment + apiVersion: apps/v1 + name: teleport-operator + + - it: respects the nameOverride + set: + nameOverride: operator + values: + - ../.lint/cloud-join.yaml + asserts: + - containsDocument: + kind: Deployment + apiVersion: apps/v1 + name: RELEASE-NAME-operator + + - it: sets annotations when specified + values: + - ../.lint/annotations.yaml + asserts: + # Pod annotations + - equal: + path: spec.template.metadata.annotations.kubernetes\.io/pod + value: test-annotation + - equal: + path: spec.template.metadata.annotations.kubernetes\.io/pod-different + value: 4 + # Deployment annotations + - equal: + path: metadata.annotations.kubernetes\.io/deployment + value: test-annotation + - equal: + path: metadata.annotations.kubernetes\.io/deployment-different + value: 3 + + - it: should mount tls.existingCASecretName and set environment when set in values + values: + - ../.lint/existing-tls-ca.yaml + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: teleport-tls-ca + secret: + secretName: helm-lint-existing-tls-secret-ca + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /etc/teleport-tls-ca + name: teleport-tls-ca + readOnly: true + - contains: + path: spec.template.spec.containers[0].env + content: + name: SSL_CERT_FILE + value: /etc/teleport-tls-ca/ca.pem + + - it: mounts tokens through projected 
volumes + values: + - ../.lint/cloud-join.yaml + asserts: + - equal: + path: spec.template.spec.automountServiceAccountToken + value: false + - contains: + path: spec.template.spec.volumes + content: + name: operator-serviceaccount-token + projected: + sources: + - serviceAccountToken: + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - path: "namespace" + fieldRef: + fieldPath: metadata.namespace + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: operator-serviceaccount-token + readOnly: true + + - it: should set imagePullPolicy when set in values + values: + - ../.lint/cloud-join.yaml + set: + imagePullPolicy: Always + asserts: + - equal: + path: spec.template.spec.containers[0].imagePullPolicy + value: Always + + - it: should set resources when set in values + values: + - ../.lint/resources.yaml + asserts: + - equal: + path: spec.template.spec.containers[0].resources.limits.cpu + value: 2 + - equal: + path: spec.template.spec.containers[0].resources.limits.memory + value: 4Gi + - equal: + path: spec.template.spec.containers[0].resources.requests.cpu + value: 1 + - equal: + path: spec.template.spec.containers[0].resources.requests.memory + value: 2Gi + + - it: should set security contexts by default + values: + - ../.lint/cloud-join.yaml + asserts: + - equal: + path: spec.template.spec.containers[0].securityContext + value: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + - equal: + path: spec.template.spec.securityContext + value: + seccompProfile: + type: RuntimeDefault + runAsUser: 65532 + runAsGroup: 65532 + fsGroup: 65532 + runAsNonRoot: true + + - it: configures a dedicated token when kube JWKS joining + values: + - ../.lint/cloud-join.yaml + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: bot-serviceaccount-token + 
projected: + sources: + - serviceAccountToken: + audience: example.teleport.sh + expirationSeconds: 600 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.namespace + path: namespace + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /var/run/secrets/teleport/serviceaccount + name: bot-serviceaccount-token + readOnly: true + - contains: + path: spec.template.spec.containers[0].env + content: + name: KUBERNETES_TOKEN_PATH + value: /var/run/secrets/teleport/serviceaccount/token diff --git a/teleport-cluster/charts/teleport-operator/tests/role_test.yaml b/teleport-cluster/charts/teleport-operator/tests/role_test.yaml new file mode 100644 index 0000000..a0dce65 --- /dev/null +++ b/teleport-cluster/charts/teleport-operator/tests/role_test.yaml @@ -0,0 +1,43 @@ +suite: Operator Role +templates: + - role.yaml +tests: + - it: creates no role when operator is not enabled + values: + - ../.lint/disabled.yaml + asserts: + - hasDocuments: + count: 0 + + - it: creates no role when rbac.create is false + set: + rbac: + create: false + asserts: + - hasDocuments: + count: 0 + + - it: creates a role by default + asserts: + - containsDocument: + kind: Role + apiVersion: rbac.authorization.k8s.io/v1 + name: RELEASE-NAME-teleport-operator + + - it: shortens fullname if .Release.Name == .Chart.Name + release: + name: teleport-operator + asserts: + - containsDocument: + kind: Role + apiVersion: rbac.authorization.k8s.io/v1 + name: teleport-operator + + - it: respects the nameOverride + set: + nameOverride: operator + asserts: + - containsDocument: + kind: Role + apiVersion: rbac.authorization.k8s.io/v1 + name: RELEASE-NAME-operator diff --git a/teleport-cluster/charts/teleport-operator/tests/rolebinding_test.yaml b/teleport-cluster/charts/teleport-operator/tests/rolebinding_test.yaml new file mode 100644 index 0000000..6794d90 --- /dev/null 
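Review bot: The annotation assertions in `sets annotations when specified` pin integer values (`value: 4`, `value: 3`) for `kubernetes.io/pod-different` and `kubernetes.io/deployment-different`. `metadata.annotations` is `map[string]string`, so a manifest that really renders `4` is rejected by the API server at apply time; if the template emits the fixture verbatim (deployment.yaml is not in this chunk), it should quote the values and these asserts should then expect `"4"`/`"3"`. If the fixture deliberately uses non-string values only to prove pass-through, say so next to the asserts, e.g. `# fixture values are non-strings only to prove pass-through; real annotations must be strings`, so the pattern is not copied into production values.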
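Review bot: None of the five cases asserts the contents of `rules:`, so a later widening of the Role's verbs or resources would pass this suite unnoticed. Add a `matchSnapshot` assert (or an `equal` on `rules[0].verbs`) to the `creates a role by default` case so privilege changes show up as a reviewable diff. The RoleBinding suite in the next file has the same gap for `roleRef` and `subjects`.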
+++ b/teleport-cluster/charts/teleport-operator/tests/rolebinding_test.yaml @@ -0,0 +1,43 @@ +suite: Operator RoleBinding +templates: + - rolebinding.yaml +tests: + - it: creates no RoleBinding when operator is not enabled + values: + - ../.lint/disabled.yaml + asserts: + - hasDocuments: + count: 0 + + - it: creates no RoleBinding when rbac.create is false + set: + rbac: + create: false + asserts: + - hasDocuments: + count: 0 + + - it: creates a RoleBinding by default + asserts: + - containsDocument: + kind: RoleBinding + apiVersion: rbac.authorization.k8s.io/v1 + name: RELEASE-NAME-teleport-operator + + - it: shortens fullname if .Release.Name == .Chart.Name + release: + name: teleport-operator + asserts: + - containsDocument: + kind: RoleBinding + apiVersion: rbac.authorization.k8s.io/v1 + name: teleport-operator + + - it: respects the nameOverride + set: + nameOverride: operator + asserts: + - containsDocument: + kind: RoleBinding + apiVersion: rbac.authorization.k8s.io/v1 + name: RELEASE-NAME-operator diff --git a/teleport-cluster/charts/teleport-operator/tests/serviceaccount_test.yaml b/teleport-cluster/charts/teleport-operator/tests/serviceaccount_test.yaml new file mode 100644 index 0000000..38c7cae --- /dev/null +++ b/teleport-cluster/charts/teleport-operator/tests/serviceaccount_test.yaml 
@@ -0,0 +1,63 @@ +suite: Operator ServiceAccount +templates: + - serviceaccount.yaml +tests: + - it: creates no ServiceAccount when operator is not enabled + values: + - ../.lint/disabled.yaml + asserts: + - hasDocuments: + count: 0 + - it: creates no ServiceAccount when rbac.create is false + set: + serviceAccount: + create: false + asserts: + - hasDocuments: + count: 0 + + - it: creates a ServiceAccount by default + asserts: + - containsDocument: + kind: ServiceAccount + apiVersion: v1 + name: RELEASE-NAME-teleport-operator + + - it: shortens fullname if .Release.Name == .Chart.Name + release: + name: teleport-operator + asserts: + - containsDocument: + kind: ServiceAccount + apiVersion: v1 + name: teleport-operator + + - it: respects the nameOverride + set: + nameOverride: operator + asserts: + - containsDocument: + kind: ServiceAccount + apiVersion: v1 + name: RELEASE-NAME-operator + + - it: does not shorten fullname if .Release.Name == .Chart.Name but there's a nameOverride + release: + name: teleport-operator + set: + nameOverride: teleport-operator + asserts: + - containsDocument: + kind: ServiceAccount + apiVersion: v1 + name: teleport-operator-teleport-operator + + - it: names the ServiceAccount according to serviceAccount.name + set: + serviceAccount: + name: foobar + asserts: + - containsDocument: + kind: ServiceAccount + apiVersion: v1 + name: foobar diff --git a/teleport-cluster/charts/teleport-operator/values.yaml b/teleport-cluster/charts/teleport-operator/values.yaml new file mode 100644 index 0000000..54ccf3c --- /dev/null +++ b/teleport-cluster/charts/teleport-operator/values.yaml 
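Review bot: The second case is titled `creates no ServiceAccount when rbac.create is false` but sets `serviceAccount.create: false`, which is the value the template actually gates on; rename it to `it: creates no ServiceAccount when serviceAccount.create is false`. A matching case that sets `rbac.create: false` and asserts the ServiceAccount is still rendered would pin the fact that the two toggles are independent. The first two cases also lack the blank line that separates every other case in the file.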
@@ -0,0 +1,201 @@ +# enabled(bool) -- controls if the operator should be enabled and deployed. +# +# - When `true`, the chart creates both the `CustomResourceDefinition` and operator `Deployment` Kubernetes resources. +# - When `false`, the chart creates the `CustomResourceDefinition` resources without the operator `Deployment`. +enabled: true + +# teleportAddress(string) -- is the address of the Teleport cluster whose resources +# are managed by the operator. The address must contain both the domain name and +# the port of the Teleport cluster. It can be either the address of the Auth Service +# or the Proxy Service. +# +# For example: +# - joining a Proxy: `teleport.example.com:443` or `teleport.example.com:3080` +# - joining an Auth: `teleport-auth.example.com:3025` +# - joining a Cloud-hosted Teleport: `example.teleport.sh:443` +teleportAddress: "" + +# caPins(list[string]) -- is a list of Teleport CA fingerprints that is used by the operator to +# validate the identity of the Teleport Auth server. This is only used when joining +# an Auth server directly (on port `3025`) and is ignored when joining through a Proxy +# (port `443` or `3080`). +caPins: [] + +# joinMethod(string) -- describes how the Teleport Kubernetes Operator joins the Teleport cluster. +# The operator does not store its Teleport-issued identity, it must be able to join the +# cluster again on each pod restart. To achieve this, it needs to use a delegated join +# method. `kubernetes` is the most common one. +joinMethod: "kubernetes" + +# teleportClusterName(string) -- is the name of the joined Teleport cluster. +# Setting this value is required when joining via the +# [Kubernetes JWKS](../../join-methods.mdx#kubernetes-jwks) join method. +teleportClusterName: "" + +# token(string) -- is the name of the token used by the operator to join the Teleport cluster. +token: "" + +# teleportVersionOverride(string) -- controls the Teleport Kubernetes Operator +# image version deployed by the chart. 
+# +# Normally, the version of the Teleport Kubernetes Operator matches the +# version of the chart. If you install chart version 15.0.0, you'll use +# Teleport Kubernetes Operator version 15.0.0. Upgrading the operator is +# done by upgrading the chart. +# +# +# `teleportVersionOverride` is intended for development and MUST NOT be +# used to control the Teleport version in a typical deployment. This +# chart is designed to run a specific Teleport version. You will face +# compatibility issues trying to run a different Teleport version with it. +# +# If you want to run Teleport version `X.Y.Z`, you should use +# `helm install --version X.Y.Z` instead. +# +# +teleportVersionOverride: "" + +nameOverride: "" +fullNameOverride: "" + +# image(string) -- sets the container image used for Teleport Kubernetes Operator +# pods run by the chart. +# +# You can override this to use your own Teleport Kubernetes Operator +# image rather than a Teleport-published image. +image: public.ecr.aws/gravitational/teleport-operator + +# annotations -- +annotations: + # annotations.deployment(object) -- contains the Kubernetes annotations + # put on the `Deployment` resource created by the chart. + deployment: {} + # annotations.pod(object) -- contains the Kubernetes annotations + # put on the `Pod` resources created by the chart. + pod: {} + # annotations.serviceAccount(object) -- contains the Kubernetes annotations + # put on the `Deployment` resource created by the chart. + serviceAccount: {} + +# serviceAccount -- +serviceAccount: + # serviceAccount.create(bool) -- controls if the chart should create the Kubernetes + # `ServiceAccount` resource for the operator. + # + # - When `true`, the chart creates a `ServiceAccount` resource for the operator. + # - When `false`, the chart does not create the `ServiceAccount` resource. + # The user is responsible for deploying and maintaining it separately. 
+ # + # This value can be set to `false` when deploying in constrained environments + # where the user deploying the operator is not allowed to edit `ServiceAccount` + # resources. + create: true + # serviceAccount.name(string) -- controls the name of the operator Kubernetes `ServiceAccount`. + # The operator pods use by default a `ServiceAccount` named after the Helm chart release. + # This value overrides this behaviour, this is useful when `serviceAccount.create` + # is false and the operator must use an existing `ServiceAccount`. + name: "" + +# rbac -- +rbac: + # rbac.create(bool) -- controls if the chart should create RBAC Kubernetes resources. + # + # - When `true`, the chart creates both `Role` and `RoleBinding` resources for the operator. + # - When `false`, the chart does not create the `Role` and `RoleBinding` resources. + # The user is responsible for deploying and maintaining them separately. + # + # This value can be set to `false` when deploying in constrained environments + # where the user deploying the operator is not allowed to edit RBAC resources. + create: true + +# imagePullPolicy(string) -- sets the pull policy for any pods created by the chart. +# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/containers/images/#updating-images) +# for more details. +imagePullPolicy: IfNotPresent + +# resources(object) -- sets the resource requests/limits for any pods created by the chart. +# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) +# for more details. +resources: {} + +# priorityClassName(string) -- sets the priority class used by any pods created by the chart. +# The user is responsible for creating the `PriorityClass` resource before deploying the chart. +# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) +# for more details. 
+priorityClassName: "" + +# tolerations(list) -- sets the tolerations for any pods created by the chart. +# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) +# for more details. +tolerations: [] + +# nodeSelector(object) -- sets the node selector for any pods created by the chart. +# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) +# for more details. +nodeSelector: {} + +# affinity(object) -- sets the affinities for any pods created by the chart. +# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) +# for more details. +affinity: {} + +# imagePullSecrets(list) -- sets the image pull secrets for any pods created by the chart. +# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/containers/images/#referring-to-an-imagepullsecrets-on-a-pod) +# for more details. +imagePullSecrets: [] + +# highAvailability -- +highAvailability: + # highAvailability.replicaCount(int) -- controls the amount of operator pod replicas deployed + # by the chart. + # + # When multiple pods are running, all pods join the Teleport cluster on + # startup but a single pod actively reconciles resources. + # + # The operator replicas elect a replica leader using + # [Kubernetes leases](https://kubernetes.io/docs/concepts/architecture/leases/). + # If the leader fails, its lease will expire and another replica will start + # reconciling resources. + replicaCount: 1 + +# tls -- +tls: + # tls.existingCASecretName(string) -- makes the operator pods trust an additional CA certificate. + # This is used to trust Proxy certificates if they're signed by a private CA. The operator + # trusts by default CAs part of Mozilla's Web PKI (the `ca-certificates` package). 
+ # + # To use this value, you must create a Kubernetes `Secret` containing the CA + # certs in the same namespace as the Teleport Kubernetes Operator using a + # command such as: + # + # ```shell + # $ kubectl create secret generic my-root-ca --from-file=ca.pem=/path/to/root-ca.pem + # ``` + existingCASecretName: "" + +# podSecurityContext(object) -- sets the pod security context for any pods created by the chart. +# See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) +# for more details. +# +# The default value supports running under the `restricted` +# [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/). +podSecurityContext: + seccompProfile: + type: RuntimeDefault + runAsUser: 65532 + runAsGroup: 65532 + fsGroup: 65532 + runAsNonRoot: true + +# securityContext(object) -- sets the container security context for any pods created by the chart. +# See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) +# for more details. +# +# The default value supports running under the `restricted` +# [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/). +securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true diff --git a/teleport-cluster/templates/_helpers.tpl b/teleport-cluster/templates/_helpers.tpl index e5c2219..ba85279 100644 --- a/teleport-cluster/templates/_helpers.tpl +++ b/teleport-cluster/templates/_helpers.tpl 
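Review bot: The `annotations.serviceAccount` comment says the annotations are put on the `Deployment` resource — a copy of the `annotations.deployment` text — while serviceaccount.yaml in this commit is where the chart consumes it; it should read `# annotations.serviceAccount(object) -- contains the Kubernetes annotations put on the ServiceAccount resource created by the chart.` The `token` comment would also benefit from stating that, with the default `kubernetes` join method, the value is a token name rather than a secret (the pod's service-account identity is what the Auth Service verifies) and that it must be set when `enabled` is true, since the parent chart's config.yaml renders it into the startup token's `name` field; whether the parent chart supplies a default is not visible in this chunk.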
@@ -89,3 +89,27 @@ teleport.dev/majorVersion: '{{ include "teleport-cluster.majorVersion" . }}' {{- define "teleport-cluster.auth.serviceFQDN" -}} {{ include "teleport-cluster.auth.serviceName" . }}.{{ .Release.Namespace }}.svc.cluster.local {{- end -}} + +{{/* Matches the operator template "teleport-cluster.operator.fullname" but can be + evaluated in a "teleport-cluster" context. */}} +{{- define "teleport-cluster.auth.operatorFullName" -}} +{{- if .Values.operator.fullnameOverride }} + {{- .Values.operator.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} + {{- if .Values.operator.nameOverride }} + {{- printf "%s-%s" .Release.Name .Values.operator.nameOverride | trunc 63 | trimSuffix "-" }} + {{- else }} + {{- if contains "teleport-operator" .Release.Name }} + {{- .Release.Name | trunc 63 | trimSuffix "-" }} + {{- else }} + {{- printf "%s-%s" .Release.Name "teleport-operator" | trunc 63 | trimSuffix "-" }} + {{- end }} + {{- end }} +{{- end -}} +{{- end -}} + +{{/* Matches the operator template "teleport-cluster.operator.serviceAccountName" + but can be evaluated in a "teleport-cluster" context. */}} +{{- define "teleport-cluster.auth.operatorServiceAccountName" -}} +{{- coalesce .Values.operator.serviceAccount.name (include "teleport-cluster.auth.operatorFullName" .) -}} +{{- end -}} diff --git a/teleport-cluster/templates/auth/clusterrole.yaml b/teleport-cluster/templates/auth/clusterrole.yaml index 6bf0886..4d98efc 100644 --- a/teleport-cluster/templates/auth/clusterrole.yaml +++ b/teleport-cluster/templates/auth/clusterrole.yaml 
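Review bot: `teleport-cluster.auth.operatorFullName` reads `.Values.operator.fullnameOverride`, but the operator subchart's values.yaml in this commit declares the key as `fullNameOverride` (capital N). A user who sets `operator.fullNameOverride` as documented will not affect this helper, so the service-account name rendered into the operator join token in config.yaml can diverge from the ServiceAccount the subchart actually creates, and the operator's join would then fail. Align the spelling on both sides (the subchart's own helper is not in this chunk, so check which form it uses) and add a unit test that sets the override and compares the two helpers' output. Separately, `contains "teleport-operator" .Release.Name` is looser than the `==` the tests describe; `eq .Release.Name "teleport-operator"` would match the documented intent.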
@@ -24,48 +24,4 @@ rules: - selfsubjectaccessreviews verbs: - create - -{{ if .Values.operator.enabled }} -- apiGroups: - - "resources.teleport.dev" - resources: - - teleportroles - - teleportroles/status - - teleportusers - - teleportusers/status - - teleportgithubconnectors - - teleportgithubconnectors/status - - teleportoidcconnectors - - teleportoidcconnectors/status - - teleportsamlconnectors - - teleportsamlconnectors/status - - teleportloginrules - - teleportloginrules/status - - teleportprovisiontokens - - teleportprovisiontokens/status - - teleportoktaimportrules - - teleportoktaimportrules/status - verbs: - - get - - list - - patch - - update - - watch - -- apiGroups: - - "coordination.k8s.io" - resources: - - leases - verbs: - - create - - get - - update - -- apiGroups: - - "" - resources: - - events - verbs: - - create -{{- end -}} {{- end -}} diff --git a/teleport-cluster/templates/auth/clusterrolebinding.yaml b/teleport-cluster/templates/auth/clusterrolebinding.yaml index ba39919..47a4f76 100644 --- a/teleport-cluster/templates/auth/clusterrolebinding.yaml +++ b/teleport-cluster/templates/auth/clusterrolebinding.yaml @@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: {{ .Release.Name }} + name: {{ .Release.Namespace }}-{{ .Release.Name }} labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }} roleRef: apiGroup: rbac.authorization.k8s.io @@ -18,7 +18,7 @@ subjects: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: {{ .Release.Name }}-auth + name: {{ .Release.Namespace}}-{{ .Release.Name }}-auth labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }} roleRef: apiGroup: rbac.authorization.k8s.io diff --git a/teleport-cluster/templates/auth/config.yaml b/teleport-cluster/templates/auth/config.yaml index b5b53cb..2e19cbf 100644 --- a/teleport-cluster/templates/auth/config.yaml +++ b/teleport-cluster/templates/auth/config.yaml 
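Review bot: The second hunk writes `{{ .Release.Namespace}}` without the space before `}}` that the first hunk and the rest of the chart use; `name: {{ .Release.Namespace }}-{{ .Release.Name }}-auth` keeps the templates uniform. Renaming a cluster-scoped binding also means an upgrade drops the old `{{ .Release.Name }}` object and creates the new one, and the reason for the prefix is not recorded anywhere; a comment above `metadata:` such as `# ClusterRoleBinding names are cluster-wide; prefix with the namespace so two releases with the same name in different namespaces do not collide` would preserve it (presumably the motivation, given the old name was release-only).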
@@ -10,8 +10,10 @@ metadata: annotations: {{- toYaml $auth.annotations.config | nindent 4 }} {{- end }} data: -{{- if $auth.createProxyToken }} +{{- if or $auth.createProxyToken .Values.operator.enabled }} apply-on-startup.yaml: |2 + {{- if $auth.createProxyToken }} + --- kind: token version: v2 metadata: 
@@ -23,6 +25,115 @@ data: kubernetes: allow: - service_account: "{{ .Release.Namespace }}:{{ include "teleport-cluster.proxy.serviceAccountName" . }}" + {{- end }} + {{- if .Values.operator.enabled }} + --- + kind: role + metadata: + description: Automatically generated role for bot operator + labels: + teleport.internal/bot: operator + name: bot-operator + spec: + allow: + impersonate: + roles: + - operator + rules: + - resources: + - cert_authority + verbs: + - readnosecrets + deny: {} + version: v7 + --- + kind: user + metadata: + labels: + teleport.internal/bot: operator + name: bot-operator + spec: + roles: + - bot-operator + version: v2 + --- + kind: role + metadata: + name: operator + spec: + allow: + rules: + - resources: + - role + verbs: + - list + - create + - read + - update + - delete + - resources: + - user + verbs: + - list + - create + - read + - update + - delete + - resources: + - auth_connector + verbs: + - list + - create + - read + - update + - delete + - resources: + - login_rule + verbs: + - list + - create + - read + - update + - delete + - resources: + - token + verbs: + - list + - create + - read + - update + - delete + - resources: + - okta_import_rule + verbs: + - list + - create + - read + - update + - delete + - resources: + - access_list + verbs: + - list + - create + - read + - update + - delete + deny: {} + version: v7 + --- + kind: token + version: v2 + metadata: + name: "{{ .Values.operator.token }}" + spec: + roles: [Bot] + join_method: kubernetes + bot_name: operator + kubernetes: + allow: + - service_account: "{{ .Release.Namespace }}:{{ include "teleport-cluster.auth.operatorServiceAccountName" . }}" + {{- end }} {{- end }} teleport.yaml: |2 {{- mustMergeOverwrite (include $configTemplate . | fromYaml) $auth.teleportConfig | toYaml | nindent 4 -}} diff --git a/teleport-cluster/templates/auth/deployment.yaml b/teleport-cluster/templates/auth/deployment.yaml index 699d135..dcc9bc4 100644 
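Review bot: The operator join token is rendered as `name: "{{ .Values.operator.token }}"` with no guard, and the operator subchart defaults `token` to `""`; unless the parent chart's values set it (not in this chunk), enabling the operator without configuring a token yields a startup file containing a token with an empty name, which surfaces only as an apply failure on the Auth pod. `name: {{ required "operator.token is required when operator.enabled is true" .Values.operator.token | quote }}` fails at render time with a clear message instead. The `operator` role defined here also carries full `token` verbs, so any principal allowed to write `teleportprovisiontokens` objects in the namespace can indirectly mint Teleport join tokens; a comment above that rule, e.g. `# token write access lets the operator mint join tokens; the Kubernetes Role exposing TeleportProvisionToken is therefore highly privileged`, records the trust boundary. The enclosing `apply-on-startup.yaml` block scalar starts in the previous hunk.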
--- a/teleport-cluster/templates/auth/deployment.yaml +++ b/teleport-cluster/templates/auth/deployment.yaml @@ -231,45 +231,6 @@ spec: {{- if $auth.extraVolumeMounts }} {{- toYaml $auth.extraVolumeMounts | nindent 8 }} {{- end }} -{{- /* Operator uses '.Values' instead of '$auth' as it will likely be moved out of the auth pods */}} -{{- if .Values.operator.enabled }} - - name: "operator" - image: '{{ .Values.operator.image }}:{{ include "teleport-cluster.version" . }}' - imagePullPolicy: {{ .Values.imagePullPolicy }} - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - ports: - - name: op-metrics - containerPort: 8080 - protocol: TCP - - name: op-health - containerPort: 8081 - protocol: TCP - {{- if .Values.operator.resources }} - resources: {{- toYaml .Values.operator.resources | nindent 10 }} - {{- end }} - volumeMounts: - - mountPath: /etc/teleport - name: "config" - readOnly: true - - mountPath: /var/lib/teleport - name: "data" - {{- if $projectedServiceAccountToken }} - - mountPath: /var/run/secrets/kubernetes.io/serviceaccount - name: auth-serviceaccount-token - readOnly: true - {{- end }} -{{ end }} {{- if $auth.extraContainers }} {{- toYaml $auth.extraContainers | nindent 6 }} {{- end }} diff --git a/teleport-cluster/templates/proxy/deployment.yaml b/teleport-cluster/templates/proxy/deployment.yaml index 68cfbd5..0011b4c 100644 --- a/teleport-cluster/templates/proxy/deployment.yaml +++ b/teleport-cluster/templates/proxy/deployment.yaml 
@@ -1,5 +1,5 @@ {{- $proxy := mustMergeOverwrite (mustDeepCopy .Values) .Values.proxy -}} -{{- $replicable := or $proxy.highAvailability.certManager.enabled $proxy.tls.existingSecretName -}} +{{- $replicable := or $proxy.highAvailability.certManager.enabled $proxy.tls.existingSecretName $proxy.ingress.enabled -}} {{- $projectedServiceAccountToken := semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} # Deployment is {{ if not $replicable }}not {{end}}replicable {{- if and $proxy.highAvailability.certManager.enabled $proxy.tls.existingSecretName }} diff --git a/teleport-cluster/tests/__snapshot__/auth_clusterrole_test.yaml.snap b/teleport-cluster/tests/__snapshot__/auth_clusterrole_test.yaml.snap index 75650c0..58a9d76 100644 --- a/teleport-cluster/tests/__snapshot__/auth_clusterrole_test.yaml.snap +++ b/teleport-cluster/tests/__snapshot__/auth_clusterrole_test.yaml.snap @@ -25,42 +25,3 @@ adds operator permissions to ClusterRole: - selfsubjectaccessreviews verbs: - create - - apiGroups: - - resources.teleport.dev - resources: - - teleportroles - - teleportroles/status - - teleportusers - - teleportusers/status - - teleportgithubconnectors - - teleportgithubconnectors/status - - teleportoidcconnectors - - teleportoidcconnectors/status - - teleportsamlconnectors - - teleportsamlconnectors/status - - teleportloginrules - - teleportloginrules/status - - teleportprovisiontokens - - teleportprovisiontokens/status - - teleportoktaimportrules - - teleportoktaimportrules/status - verbs: - - get - - list - - patch - - update - - watch - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create - - get - - update - - apiGroups: - - "" - resources: - - events - verbs: - - create diff --git a/teleport-cluster/tests/__snapshot__/auth_config_test.yaml.snap b/teleport-cluster/tests/__snapshot__/auth_config_test.yaml.snap index ed8eb56..bd5c995 100644 --- a/teleport-cluster/tests/__snapshot__/auth_config_test.yaml.snap 
+++ b/teleport-cluster/tests/__snapshot__/auth_config_test.yaml.snap @@ -1,6 +1,7 @@ adds a proxy token by default: 1: | | + --- kind: token version: v2 metadata: diff --git a/teleport-cluster/tests/__snapshot__/auth_deployment_test.yaml.snap b/teleport-cluster/tests/__snapshot__/auth_deployment_test.yaml.snap index d7b1104..d79acae 100644 --- a/teleport-cluster/tests/__snapshot__/auth_deployment_test.yaml.snap +++ b/teleport-cluster/tests/__snapshot__/auth_deployment_test.yaml.snap @@ -1,36 +1,3 @@ -should add an operator side-car when operator is enabled: - 1: | - image: public.ecr.aws/gravitational/teleport-operator:14.3.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: operator - ports: - - containerPort: 8080 - name: op-metrics - protocol: TCP - - containerPort: 8081 - name: op-health - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /var/lib/teleport - name: data - - mountPath: /var/run/secrets/kubernetes.io/serviceaccount - name: auth-serviceaccount-token - readOnly: true ? should not add named PersistentVolumeClaim as volume when in scratch mode, persistence.existingClaimName is set and persistence.enabled is false : 1: | @@ -41,7 +8,7 @@ should add an operator side-car when operator is enabled: - args: - --diag-addr=0.0.0.0:3000 - --apply-on-startup=/etc/teleport/apply-on-startup.yaml - image: public.ecr.aws/gravitational/teleport-distroless:14.3.0 + image: public.ecr.aws/gravitational/teleport-distroless:15.0.1 imagePullPolicy: IfNotPresent lifecycle: preStop: 
@@ -174,7 +141,7 @@ should set nodeSelector when set in values:
- args: - --diag-addr=0.0.0.0:3000 - --apply-on-startup=/etc/teleport/apply-on-startup.yaml - image: public.ecr.aws/gravitational/teleport-distroless:14.3.0 + image: public.ecr.aws/gravitational/teleport-distroless:15.0.1 imagePullPolicy: IfNotPresent lifecycle: preStop:
@@ -271,7 +238,7 @@ should set resources when set in values:
- args: - --diag-addr=0.0.0.0:3000 - --apply-on-startup=/etc/teleport/apply-on-startup.yaml - image: public.ecr.aws/gravitational/teleport-distroless:14.3.0 + image: public.ecr.aws/gravitational/teleport-distroless:15.0.1 imagePullPolicy: IfNotPresent lifecycle: preStop:
@@ -357,7 +324,7 @@ should set securityContext when set in values:
- args: - --diag-addr=0.0.0.0:3000 - --apply-on-startup=/etc/teleport/apply-on-startup.yaml - image: public.ecr.aws/gravitational/teleport-distroless:14.3.0 + image: public.ecr.aws/gravitational/teleport-distroless:15.0.1 imagePullPolicy: IfNotPresent lifecycle: preStop:
diff --git a/teleport-cluster/tests/__snapshot__/proxy_deployment_test.yaml.snap b/teleport-cluster/tests/__snapshot__/proxy_deployment_test.yaml.snap
index 26489d6..ea3f3b7 100644
--- a/teleport-cluster/tests/__snapshot__/proxy_deployment_test.yaml.snap
+++ b/teleport-cluster/tests/__snapshot__/proxy_deployment_test.yaml.snap
@@ -4,8 +4,8 @@ should provision initContainer correctly when set in values:
- teleport - wait - no-resolve - - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local - image: public.ecr.aws/gravitational/teleport-distroless:14.3.0 + - RELEASE-NAME-auth-v14.NAMESPACE.svc.cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:15.0.1 name: wait-auth-update - args: - echo test
@@ -62,7 +62,7 @@ should set nodeSelector when set in values:
containers: - args: - --diag-addr=0.0.0.0:3000 - image: public.ecr.aws/gravitational/teleport-distroless:14.3.0 + image: public.ecr.aws/gravitational/teleport-distroless:15.0.1 imagePullPolicy: IfNotPresent lifecycle: preStop:
@@ -122,8 +122,8 @@ should set nodeSelector when set in values:
- teleport - wait - no-resolve - - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local - image: public.ecr.aws/gravitational/teleport-distroless:14.3.0 + - RELEASE-NAME-auth-v14.NAMESPACE.svc.cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:15.0.1 name: wait-auth-update nodeSelector: environment: security
@@ -174,7 +174,7 @@ should set resources when set in values:
containers: - args: - --diag-addr=0.0.0.0:3000 - image: public.ecr.aws/gravitational/teleport-distroless:14.3.0 + image: public.ecr.aws/gravitational/teleport-distroless:15.0.1 imagePullPolicy: IfNotPresent lifecycle: preStop:
@@ -241,8 +241,8 @@ should set resources when set in values:
- teleport - wait - no-resolve - - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local - image: public.ecr.aws/gravitational/teleport-distroless:14.3.0 + - RELEASE-NAME-auth-v14.NAMESPACE.svc.cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:15.0.1 name: wait-auth-update serviceAccountName: RELEASE-NAME-proxy terminationGracePeriodSeconds: 60
@@ -275,7 +275,7 @@ should set securityContext for initContainers when set in values:
containers: - args: - --diag-addr=0.0.0.0:3000 - image: public.ecr.aws/gravitational/teleport-distroless:14.3.0 + image: public.ecr.aws/gravitational/teleport-distroless:15.0.1 imagePullPolicy: IfNotPresent lifecycle: preStop:
@@ -342,8 +342,8 @@ should set securityContext for initContainers when set in values:
- teleport - wait - no-resolve - - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local - image: public.ecr.aws/gravitational/teleport-distroless:14.3.0 + - RELEASE-NAME-auth-v14.NAMESPACE.svc.cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:15.0.1 name: wait-auth-update securityContext: allowPrivilegeEscalation: false
@@ -383,7 +383,7 @@ should set securityContext when set in values:
containers: - args: - --diag-addr=0.0.0.0:3000 - image: public.ecr.aws/gravitational/teleport-distroless:14.3.0 + image: public.ecr.aws/gravitational/teleport-distroless:15.0.1 imagePullPolicy: IfNotPresent lifecycle: preStop:
@@ -450,8 +450,8 @@ should set securityContext when set in values:
- teleport - wait - no-resolve - - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local - image: public.ecr.aws/gravitational/teleport-distroless:14.3.0 + - RELEASE-NAME-auth-v14.NAMESPACE.svc.cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:15.0.1 name: wait-auth-update securityContext: allowPrivilegeEscalation: false
diff --git a/teleport-cluster/tests/auth_deployment_test.yaml b/teleport-cluster/tests/auth_deployment_test.yaml
index d838ca9..85526d7 100644
--- a/teleport-cluster/tests/auth_deployment_test.yaml
+++ b/teleport-cluster/tests/auth_deployment_test.yaml
@@ -536,17 +536,6 @@ tests:
persistentVolumeClaim: claimName: RELEASE-NAME - - it: should add an operator side-car when operator is enabled - template: auth/deployment.yaml - values: - - ../.lint/operator.yaml - asserts: - - equal: - path: spec.template.spec.containers[1].name - value: operator - - matchSnapshot: - path: spec.template.spec.containers[1] - - it: should add named PersistentVolumeClaim as volume when in standalone mode, persistence.existingClaimName is set and persistence.enabled is true template: auth/deployment.yaml values:
@@ -762,8 +751,6 @@ tests:
template: auth/deployment.yaml set: clusterName: helm-lint - operator: - enabled: true capabilities: majorVersion: 1 minorVersion: 18
@@ -795,19 +782,11 @@ tests:
mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: auth-serviceaccount-token readOnly: true - - notContains: - path: spec.template.spec.containers[1].volumeMounts - content: - mountPath: /var/run/secrets/kubernetes.io/serviceaccount - name: auth-serviceaccount-token - readOnly: true - it: mounts tokens through projected volumes on newer Kubernetes versions template: auth/deployment.yaml set: clusterName: helm-lint - operator: - enabled: true capabilities: majorVersion: 1 minorVersion: 21
@@ -839,12 +818,6 @@ tests:
mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: auth-serviceaccount-token readOnly: true - - contains: - path: spec.template.spec.containers[1].volumeMounts - content: - mountPath: /var/run/secrets/kubernetes.io/serviceaccount - name: auth-serviceaccount-token - readOnly: true - it: should add the azure workload identity label to auth pods in azure mode template: auth/deployment.yaml
diff --git a/teleport-cluster/tests/proxy_deployment_test.yaml b/teleport-cluster/tests/proxy_deployment_test.yaml
index c4cbfcc..2d6dda9 100644
--- a/teleport-cluster/tests/proxy_deployment_test.yaml
+++ b/teleport-cluster/tests/proxy_deployment_test.yaml
@@ -87,6 +87,18 @@ tests:
path: spec.replicas value: 1 + - it: should have multiple replicas by default when an ingress is terminating TLS + template: proxy/deployment.yaml + set: + clusterName: helm-lint.example.com + proxyListenerMode: multiplex + ingress: + enabled: true + asserts: + - equal: + path: spec.replicas + value: 2 + - it: should set affinity when set in values template: proxy/deployment.yaml set:
diff --git a/teleport-cluster/values.yaml b/teleport-cluster/values.yaml
index 045802f..e0d234f 100644
--- a/teleport-cluster/values.yaml
+++ b/teleport-cluster/values.yaml
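Review bot: The new proxy_deployment_test case only pins the default of 2 replicas when `ingress.enabled` is true; the documented override — `proxy.highAvailability.replicaCount: 1` forcing a single replica, per the values.yaml comment this same commit edits — is not exercised for the ingress case, so a regression in that branch would still pass the suite. A second case mirroring this one with the override set and `spec.replicas` asserted to be 1 closes that gap (below, constructed from the hunk's own fixture values). `proxyListenerMode: multiplex` is part of the fixture without explanation; if the ingress path requires it, a one-line `# ingress support requires multiplex mode` above it would say why. The `tests:` list continues outside the hunk.
```yaml
  - it: should run a single replica when an ingress is terminating TLS and replicaCount is forced to 1
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
      proxyListenerMode: multiplex
      ingress:
        enabled: true
      proxy:
        highAvailability:
          replicaCount: 1
    asserts:
      - equal:
          path: spec.replicas
          value: 1
```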
@@ -264,6 +264,10 @@ operator:
# memory: "1Gi" # limits: # memory: "1Gi" + joinMethod: "kubernetes" + token: "teleport-operator" + # This is needed to have a sensible name and predictible service account name. + nameOverride: operator # If true, create & use Pod Security Policy resources # https://kubernetes.io/docs/concepts/policy/pod-security-policy/
@@ -442,7 +446,8 @@ azure:
# is not supported with multiple replicas. # For proxy pods: # Proxy pods need to be provided a certificate to be replicated (either via -# `tls.existingSecretName` or via `highAvailability.certManager`). +# `tls.existingSecretName` or via `highAvailability.certManager`) or be exposed +# via an ingress (`ingress.enabled`). # If proxy pods are replicable, they will default to 2 replicas, # even if `highAvailability.replicaCount` is 1. To force a single proxy replica, # set `proxy.highAvailability.replicaCount: 1`.
@@ -656,10 +661,20 @@ postStart:
# Resources to request for the teleport container # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +# +# DANGER: Setting CPU limits is an anti-pattern and harmful in most cases. +# Unless you enabled [the Static CPU management policy](https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#static-policy), +# a multithreaded workload with CPU limits will very likely not behave the way +# you expect when approaching its CPU limit. +# +# Teleport will become unstable once throttling starts. We recommend not to set CPU limits. +# See [the GitHub PR](https://github.com/gravitational/teleport/pull/36251) for technical details. resources: {} # requests: # cpu: "1" # memory: "2Gi" +# limits: +# memory: "2Gi" # Security context to add to the container securityContext: {}
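Review bot: `joinMethod` and `token` are added under `operator:` without the per-key comment every other value in this file carries, and the comment on `nameOverride` has a typo — `predictible` should read `predictable`. Because `token` sits next to a `joinMethod` of `"kubernetes"`, a reader may take it for a shared secret that has to be protected; if I read Teleport's join methods correctly it is the name of a provision token and the operator proves its identity with its Kubernetes service account token, which would also be why a predictable service account name matters — worth stating, e.g. `# How the operator joins the cluster. With the "kubernetes" join method, token is the name of a provision token, not a secret: the operator authenticates with its service account token.` The two other values.yaml hunks on this page are comment-only and need nothing. The `operator:` mapping starts outside the hunk.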