From 9467c59c8d3d52c7be131f9f5ae5f49e1775dd74 Mon Sep 17 00:00:00 2001 
From: Jonny Ervine Date: Sat, 9 Sep 2023 15:54:27 +0800 Subject: [PATCH] Add teleport --- teleport-kube-agent/.lint/affinity.yaml | 24 + teleport-kube-agent/.lint/all-v6.yaml | 27 + teleport-kube-agent/.lint/annotations.yaml | 20 + teleport-kube-agent/.lint/aws-databases.yaml | 15 + .../.lint/azure-databases.yaml | 26 + .../.lint/backwards-compatibility.yaml | 3 + teleport-kube-agent/.lint/ca-pin.yaml | 5 + teleport-kube-agent/.lint/clusterrole.yaml | 7 + teleport-kube-agent/.lint/db.yaml | 9 + teleport-kube-agent/.lint/dnsconfig.yaml | 15 + teleport-kube-agent/.lint/dynamic-app.yaml | 6 + teleport-kube-agent/.lint/dynamic-db.yaml | 6 + .../.lint/existing-data-volume.yaml | 5 + .../.lint/existing-tls-secret-with-ca.yaml | 6 + teleport-kube-agent/.lint/extra-args.yaml | 5 + teleport-kube-agent/.lint/extra-env.yaml | 7 + teleport-kube-agent/.lint/extra-labels.yaml | 37 + teleport-kube-agent/.lint/host-aliases.yaml | 11 + .../.lint/image-pull-policy-stateful.yaml | 7 + .../.lint/image-pull-policy.yaml | 5 + .../.lint/imagepullsecrets.yaml | 7 + teleport-kube-agent/.lint/initcontainers.yaml | 17 + .../.lint/join-params-iam.yaml | 5 + .../.lint/join-params-token.yaml | 5 + teleport-kube-agent/.lint/log-basic.yaml | 6 + teleport-kube-agent/.lint/log-extra.yaml | 8 + teleport-kube-agent/.lint/log-legacy.yaml | 4 + teleport-kube-agent/.lint/node-selector.yaml | 5 + teleport-kube-agent/.lint/pdb.yaml | 7 + teleport-kube-agent/.lint/podmonitor.yaml | 7 + .../.lint/priority-class-name.yaml | 4 + .../.lint/probe-timeout-seconds.yaml | 7 + teleport-kube-agent/.lint/resources.yaml | 13 + .../.lint/security-context-empty.yaml | 6 + .../.lint/service-account-name.yaml | 5 + teleport-kube-agent/.lint/stateful.yaml | 6 + teleport-kube-agent/.lint/tolerations.yaml | 13 + teleport-kube-agent/.lint/updater.yaml | 6 + teleport-kube-agent/.lint/v10.yaml | 5 + teleport-kube-agent/.lint/v11.yaml | 5 + teleport-kube-agent/.lint/volumes.yaml | 11 + teleport-kube-agent/Chart.yaml | 9 + 
teleport-kube-agent/README.md | 245 ++ teleport-kube-agent/aws-and-manual-db.yaml | 21 + teleport-kube-agent/templates/NOTES.txt | 53 + teleport-kube-agent/templates/_config.tpl | 116 + teleport-kube-agent/templates/_helpers.tpl | 46 + .../templates/admin_clusterrolebinding.yaml | 24 + .../templates/clusterrole.yaml | 31 + .../templates/clusterrolebinding.yaml | 18 + teleport-kube-agent/templates/config.yaml | 16 + .../templates/delete_hook.yaml | 95 + teleport-kube-agent/templates/deployment.yaml | 216 ++ teleport-kube-agent/templates/hook.yaml | 97 + teleport-kube-agent/templates/pdb.yaml | 21 + teleport-kube-agent/templates/podmonitor.yaml | 31 + teleport-kube-agent/templates/psp.yaml | 70 + teleport-kube-agent/templates/role.yaml | 14 + .../templates/rolebinding.yaml | 17 + teleport-kube-agent/templates/secret.yaml | 19 + .../templates/serviceaccount.yaml | 15 + .../templates/statefulset.yaml | 239 ++ .../templates/updater/_helpers.tpl | 7 + .../templates/updater/deployment.yaml | 113 + .../templates/updater/role.yaml | 95 + .../templates/updater/rolebinding.yaml | 22 + .../templates/updater/serviceaccount.yaml | 16 + teleport-kube-agent/tests/README.md | 23 + .../admin_clusterrolebinding_test.yaml.snap | 28 + .../__snapshot__/clusterrole_test.yaml.snap | 57 + .../clusterrolebinding_test.yaml.snap | 31 + .../tests/__snapshot__/config_test.yaml.snap | 1130 ++++++++ .../__snapshot__/deployment_test.yaml.snap | 1950 +++++++++++++ .../tests/__snapshot__/job_test.yaml.snap | 205 ++ .../tests/__snapshot__/pdb_test.yaml.snap | 30 + .../tests/__snapshot__/psp_test.yaml.snap | 123 + .../tests/__snapshot__/role_test.yaml.snap | 37 + .../__snapshot__/rolebinding_test.yaml.snap | 33 + .../tests/__snapshot__/secret_test.yaml.snap | 82 + .../serviceaccount_test.yaml.snap | 20 + .../__snapshot__/statefulset_test.yaml.snap | 2490 +++++++++++++++++ .../updater_deployment_test.yaml.snap | 117 + .../__snapshot__/updater_role_test.yaml.snap | 76 + 
.../tests/admin_clusterrolebinding_test.yaml | 35 + .../tests/clusterrole_test.yaml | 23 + .../tests/clusterrolebinding_test.yaml | 23 + teleport-kube-agent/tests/config_test.yaml | 291 ++ .../tests/deployment_test.yaml | 687 +++++ teleport-kube-agent/tests/job_test.yaml | 208 ++ teleport-kube-agent/tests/pdb_test.yaml | 26 + .../tests/podmonitor_test.yaml | 43 + teleport-kube-agent/tests/psp_test.yaml | 55 + teleport-kube-agent/tests/role_test.yaml | 34 + .../tests/rolebinding_test.yaml | 34 + teleport-kube-agent/tests/secret_test.yaml | 101 + .../tests/serviceaccount_test.yaml | 33 + .../tests/statefulset_test.yaml | 721 +++++ .../tests/updater_deployment_test.yaml | 227 ++ .../tests/updater_role_test.yaml | 39 + .../tests/updater_rolebinding_test.yaml | 49 + teleport-kube-agent/values.schema.json | 647 +++++ teleport-kube-agent/values.yaml | 452 +++ 102 files changed, 12224 insertions(+) create mode 100644 teleport-kube-agent/.lint/affinity.yaml create mode 100644 teleport-kube-agent/.lint/all-v6.yaml create mode 100644 teleport-kube-agent/.lint/annotations.yaml create mode 100644 teleport-kube-agent/.lint/aws-databases.yaml create mode 100644 teleport-kube-agent/.lint/azure-databases.yaml create mode 100644 teleport-kube-agent/.lint/backwards-compatibility.yaml create mode 100644 teleport-kube-agent/.lint/ca-pin.yaml create mode 100644 teleport-kube-agent/.lint/clusterrole.yaml create mode 100644 teleport-kube-agent/.lint/db.yaml create mode 100644 teleport-kube-agent/.lint/dnsconfig.yaml create mode 100644 teleport-kube-agent/.lint/dynamic-app.yaml create mode 100644 teleport-kube-agent/.lint/dynamic-db.yaml create mode 100644 teleport-kube-agent/.lint/existing-data-volume.yaml create mode 100644 teleport-kube-agent/.lint/existing-tls-secret-with-ca.yaml create mode 100644 teleport-kube-agent/.lint/extra-args.yaml create mode 100644 teleport-kube-agent/.lint/extra-env.yaml create mode 100644 teleport-kube-agent/.lint/extra-labels.yaml create mode 100644 
teleport-kube-agent/.lint/host-aliases.yaml create mode 100644 teleport-kube-agent/.lint/image-pull-policy-stateful.yaml create mode 100644 teleport-kube-agent/.lint/image-pull-policy.yaml create mode 100644 teleport-kube-agent/.lint/imagepullsecrets.yaml create mode 100644 teleport-kube-agent/.lint/initcontainers.yaml create mode 100644 teleport-kube-agent/.lint/join-params-iam.yaml create mode 100644 teleport-kube-agent/.lint/join-params-token.yaml create mode 100644 teleport-kube-agent/.lint/log-basic.yaml create mode 100644 teleport-kube-agent/.lint/log-extra.yaml create mode 100644 teleport-kube-agent/.lint/log-legacy.yaml create mode 100644 teleport-kube-agent/.lint/node-selector.yaml create mode 100644 teleport-kube-agent/.lint/pdb.yaml create mode 100644 teleport-kube-agent/.lint/podmonitor.yaml create mode 100644 teleport-kube-agent/.lint/priority-class-name.yaml create mode 100644 teleport-kube-agent/.lint/probe-timeout-seconds.yaml create mode 100644 teleport-kube-agent/.lint/resources.yaml create mode 100644 teleport-kube-agent/.lint/security-context-empty.yaml create mode 100644 teleport-kube-agent/.lint/service-account-name.yaml create mode 100644 teleport-kube-agent/.lint/stateful.yaml create mode 100644 teleport-kube-agent/.lint/tolerations.yaml create mode 100644 teleport-kube-agent/.lint/updater.yaml create mode 100644 teleport-kube-agent/.lint/v10.yaml create mode 100644 teleport-kube-agent/.lint/v11.yaml create mode 100644 teleport-kube-agent/.lint/volumes.yaml create mode 100644 teleport-kube-agent/Chart.yaml create mode 100644 teleport-kube-agent/README.md create mode 100644 teleport-kube-agent/aws-and-manual-db.yaml create mode 100644 teleport-kube-agent/templates/NOTES.txt create mode 100644 teleport-kube-agent/templates/_config.tpl create mode 100644 teleport-kube-agent/templates/_helpers.tpl create mode 100644 teleport-kube-agent/templates/admin_clusterrolebinding.yaml create mode 100644 teleport-kube-agent/templates/clusterrole.yaml 
create mode 100644 teleport-kube-agent/templates/clusterrolebinding.yaml create mode 100644 teleport-kube-agent/templates/config.yaml create mode 100644 teleport-kube-agent/templates/delete_hook.yaml create mode 100644 teleport-kube-agent/templates/deployment.yaml create mode 100644 teleport-kube-agent/templates/hook.yaml create mode 100644 teleport-kube-agent/templates/pdb.yaml create mode 100644 teleport-kube-agent/templates/podmonitor.yaml create mode 100644 teleport-kube-agent/templates/psp.yaml create mode 100644 teleport-kube-agent/templates/role.yaml create mode 100644 teleport-kube-agent/templates/rolebinding.yaml create mode 100644 teleport-kube-agent/templates/secret.yaml create mode 100644 teleport-kube-agent/templates/serviceaccount.yaml create mode 100644 teleport-kube-agent/templates/statefulset.yaml create mode 100644 teleport-kube-agent/templates/updater/_helpers.tpl create mode 100644 teleport-kube-agent/templates/updater/deployment.yaml create mode 100644 teleport-kube-agent/templates/updater/role.yaml create mode 100644 teleport-kube-agent/templates/updater/rolebinding.yaml create mode 100644 teleport-kube-agent/templates/updater/serviceaccount.yaml create mode 100644 teleport-kube-agent/tests/README.md create mode 100644 teleport-kube-agent/tests/__snapshot__/admin_clusterrolebinding_test.yaml.snap create mode 100644 teleport-kube-agent/tests/__snapshot__/clusterrole_test.yaml.snap create mode 100644 teleport-kube-agent/tests/__snapshot__/clusterrolebinding_test.yaml.snap create mode 100644 teleport-kube-agent/tests/__snapshot__/config_test.yaml.snap create mode 100644 teleport-kube-agent/tests/__snapshot__/deployment_test.yaml.snap create mode 100644 teleport-kube-agent/tests/__snapshot__/job_test.yaml.snap create mode 100644 teleport-kube-agent/tests/__snapshot__/pdb_test.yaml.snap create mode 100644 teleport-kube-agent/tests/__snapshot__/psp_test.yaml.snap create mode 100644 teleport-kube-agent/tests/__snapshot__/role_test.yaml.snap create 
mode 100644 teleport-kube-agent/tests/__snapshot__/rolebinding_test.yaml.snap create mode 100644 teleport-kube-agent/tests/__snapshot__/secret_test.yaml.snap create mode 100644 teleport-kube-agent/tests/__snapshot__/serviceaccount_test.yaml.snap create mode 100644 teleport-kube-agent/tests/__snapshot__/statefulset_test.yaml.snap create mode 100644 teleport-kube-agent/tests/__snapshot__/updater_deployment_test.yaml.snap create mode 100644 teleport-kube-agent/tests/__snapshot__/updater_role_test.yaml.snap create mode 100644 teleport-kube-agent/tests/admin_clusterrolebinding_test.yaml create mode 100644 teleport-kube-agent/tests/clusterrole_test.yaml create mode 100644 teleport-kube-agent/tests/clusterrolebinding_test.yaml create mode 100644 teleport-kube-agent/tests/config_test.yaml create mode 100644 teleport-kube-agent/tests/deployment_test.yaml create mode 100644 teleport-kube-agent/tests/job_test.yaml create mode 100644 teleport-kube-agent/tests/pdb_test.yaml create mode 100644 teleport-kube-agent/tests/podmonitor_test.yaml create mode 100644 teleport-kube-agent/tests/psp_test.yaml create mode 100644 teleport-kube-agent/tests/role_test.yaml create mode 100644 teleport-kube-agent/tests/rolebinding_test.yaml create mode 100644 teleport-kube-agent/tests/secret_test.yaml create mode 100644 teleport-kube-agent/tests/serviceaccount_test.yaml create mode 100644 teleport-kube-agent/tests/statefulset_test.yaml create mode 100644 teleport-kube-agent/tests/updater_deployment_test.yaml create mode 100644 teleport-kube-agent/tests/updater_role_test.yaml create mode 100644 teleport-kube-agent/tests/updater_rolebinding_test.yaml create mode 100644 teleport-kube-agent/values.schema.json create mode 100644 teleport-kube-agent/values.yaml diff --git a/teleport-kube-agent/.lint/affinity.yaml b/teleport-kube-agent/.lint/affinity.yaml new file mode 100644 index 0000000..a961974 --- /dev/null +++ b/teleport-kube-agent/.lint/affinity.yaml 
@@ -0,0 +1,24 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: kube
+kubeClusterName: test-kube-cluster
+affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: gravitational.io/dedicated
+ operator: In
+ values:
+ - teleport
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: app
+ operator: In
+ values:
+ - teleport
+ topologyKey: kubernetes.io/hostname
+ weight: 1
diff --git a/teleport-kube-agent/.lint/all-v6.yaml b/teleport-kube-agent/.lint/all-v6.yaml
new file mode 100644
index 0000000..7b8f28b
--- /dev/null
+++ b/teleport-kube-agent/.lint/all-v6.yaml
@@ -0,0 +1,27 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: kube,app,db
+kubeClusterName: test-kube-cluster-name
+labels:
+ cluster: testing
+apps:
+ - name: grafana
+ uri: http://localhost:3000
+ labels:
+ environment: test
+databases:
+ - name: aurora
+ uri: "postgres-aurora-instance-1.xxx.us-east-1.rds.amazonaws.com:5432"
+ protocol: "postgres"
+ labels:
+ database: staging
+annotations:
+ config:
+ kubernetes.io/config: "test-annotation"
+ kubernetes.io/config-different: 2
+ deployment:
+ kubernetes.io/deployment: "test-annotation"
+ kubernetes.io/deployment-different: 3
+ pod:
+ kubernetes.io/pod: "test-annotation"
+ kubernetes.io/pod-different: 4
diff --git a/teleport-kube-agent/.lint/annotations.yaml b/teleport-kube-agent/.lint/annotations.yaml
new file mode 100644
index 0000000..50f5b21
--- /dev/null
+++ b/teleport-kube-agent/.lint/annotations.yaml
@@ -0,0 +1,20 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: kube
+kubeClusterName: test-kube-cluster
+annotations:
+ config:
+ kubernetes.io/config: "test-annotation"
+ kubernetes.io/config-different: 2
+ deployment:
+ kubernetes.io/deployment: "test-annotation"
+ kubernetes.io/deployment-different: 3
+ pod:
+ kubernetes.io/pod: "test-annotation"
+ kubernetes.io/pod-different: 4
+ secret:
+ kubernetes.io/secret: "test-annotation"
+ kubernetes.io/secret-different: 6
+ serviceAccount:
+ kubernetes.io/serviceaccount: "test-annotation"
+ kubernetes.io/serviceaccount-different: 5
diff --git a/teleport-kube-agent/.lint/aws-databases.yaml b/teleport-kube-agent/.lint/aws-databases.yaml
new file mode 100644
index 0000000..948a839
--- /dev/null
+++ b/teleport-kube-agent/.lint/aws-databases.yaml
@@ -0,0 +1,15 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: db
+awsDatabases:
+- types: ["rds"]
+ regions: ["us-east-1"]
+ tags:
+ "*": "*"
+- types: ["rds"]
+ regions: ["us-west-2"]
+ tags:
+ "env": "development"
+annotations:
+ serviceAccount:
+ eks.amazonaws.com/role-arn: arn:aws:iam::1234567890:role/my-rds-autodiscovery-role
diff --git a/teleport-kube-agent/.lint/azure-databases.yaml b/teleport-kube-agent/.lint/azure-databases.yaml
new file mode 100644
index 0000000..a9b87e3
--- /dev/null
+++ b/teleport-kube-agent/.lint/azure-databases.yaml
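Review bot: The first `awsDatabases` matcher in aws-databases.yaml uses `tags: "*": "*"`, which appears to make discovery register every RDS instance in us-east-1 that the IAM role named in the `eks.amazonaws.com/role-arn` annotation can enumerate; that is acceptable for a lint fixture, but nothing marks it as one, whereas the `resources` fixtures in this commit carry an explicit "sample values" comment. I would add `# Lint-only sample: the wildcard tag matcher registers every RDS instance in the region` above the first matcher so the file is not copied as guidance. The account id in the role ARN also has ten digits where AWS account ids have twelve, so if the schema or templates ever validate the ARN the placeholder will fail; a twelve-digit placeholder avoids that.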
@@ -0,0 +1,26 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: db
+azureDatabases:
+- types: ["mysql", "postgres"]
+ tags:
+ "*": "*"
+- types: ["mysql"]
+ tags:
+ "env": ["dev", "staging"]
+ "origin": "alice"
+ regions: ["eastus", "centralus"]
+ subscriptions: ["subID1", "subID2"]
+ resource_groups: ["group1", "group2"]
+# environment variables can be used to authenticate as the Azure service principal
+extraEnv:
+- name: AZURE_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: teleport-azure-client-secret
+ key: client_secret
+ optional: false
+- name: AZURE_TENANT_ID
+ value: "11111111-2222-3333-4444-555555555555"
+- name: AZURE_CLIENT_ID
+ value: "11111111-2222-3333-4444-555555555555"
diff --git a/teleport-kube-agent/.lint/backwards-compatibility.yaml b/teleport-kube-agent/.lint/backwards-compatibility.yaml
new file mode 100644
index 0000000..c452f86
--- /dev/null
+++ b/teleport-kube-agent/.lint/backwards-compatibility.yaml
@@ -0,0 +1,3 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+kubeClusterName: test-kube-cluster-name
diff --git a/teleport-kube-agent/.lint/ca-pin.yaml b/teleport-kube-agent/.lint/ca-pin.yaml
new file mode 100644
index 0000000..f5b536b
--- /dev/null
+++ b/teleport-kube-agent/.lint/ca-pin.yaml
@@ -0,0 +1,5 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: kube
+kubeClusterName: test-kube-cluster
+caPin: ["sha256:7e12c17c20d9cb504bbcb3f0236be3f446861f1396dcbb44425fe28ec1c108f1"]
diff --git a/teleport-kube-agent/.lint/clusterrole.yaml b/teleport-kube-agent/.lint/clusterrole.yaml
new file mode 100644
index 0000000..228db73
--- /dev/null
+++ b/teleport-kube-agent/.lint/clusterrole.yaml
@@ -0,0 +1,7 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: kube
+kubeClusterName: test-kube-cluster
+clusterRoleName: teleport-kube-agent-test
+clusterRoleBindingName: teleport-kube-agent-test
+serviceAccountName: teleport-kube-agent-test
diff --git a/teleport-kube-agent/.lint/db.yaml b/teleport-kube-agent/.lint/db.yaml
new file mode 100644
index 0000000..7850322
--- /dev/null
+++ b/teleport-kube-agent/.lint/db.yaml
@@ -0,0 +1,9 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: db
+databases:
+- name: aurora
+ uri: "postgres-aurora-instance-1.xxx.us-east-1.rds.amazonaws.com:5432"
+ protocol: "postgres"
+ labels:
+ database: staging
diff --git a/teleport-kube-agent/.lint/dnsconfig.yaml b/teleport-kube-agent/.lint/dnsconfig.yaml
new file mode 100644
index 0000000..0900fcc
--- /dev/null
+++ b/teleport-kube-agent/.lint/dnsconfig.yaml
@@ -0,0 +1,15 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: kube
+kubeClusterName: test-kube-cluster
+dnsPolicy: ClusterFirstWithHostNet
+dnsConfig:
+ nameservers:
+ - 1.2.3.4
+ searches:
+ - ns1.svc.cluster-domain.example
+ - my.dns.search.suffix
+ options:
+ - name: ndots
+ value: "2"
+ - name: edns0
diff --git a/teleport-kube-agent/.lint/dynamic-app.yaml b/teleport-kube-agent/.lint/dynamic-app.yaml
new file mode 100644
index 0000000..78a8573
--- /dev/null
+++ b/teleport-kube-agent/.lint/dynamic-app.yaml
@@ -0,0 +1,6 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: app
+appResources:
+ - labels:
+ "*": "*"
diff --git a/teleport-kube-agent/.lint/dynamic-db.yaml b/teleport-kube-agent/.lint/dynamic-db.yaml
new file mode 100644
index 0000000..a17bfd8
--- /dev/null
+++ b/teleport-kube-agent/.lint/dynamic-db.yaml
@@ -0,0 +1,6 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: db
+databaseResources:
+ - labels:
+ "*": "*"
diff --git a/teleport-kube-agent/.lint/existing-data-volume.yaml b/teleport-kube-agent/.lint/existing-data-volume.yaml
new file mode 100644
index 0000000..511aa2f
--- /dev/null
+++ b/teleport-kube-agent/.lint/existing-data-volume.yaml
@@ -0,0 +1,5 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: kube
+kubeClusterName: test-kube-cluster
+existingDataVolume: teleport-kube-agent-data
diff --git a/teleport-kube-agent/.lint/existing-tls-secret-with-ca.yaml b/teleport-kube-agent/.lint/existing-tls-secret-with-ca.yaml
new file mode 100644
index 0000000..a8e2a46
--- /dev/null
+++ b/teleport-kube-agent/.lint/existing-tls-secret-with-ca.yaml
@@ -0,0 +1,6 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: kube
+kubeClusterName: test-kube-cluster
+tls:
+ existingCASecretName: "helm-lint-existing-tls-secret-ca"
diff --git a/teleport-kube-agent/.lint/extra-args.yaml b/teleport-kube-agent/.lint/extra-args.yaml
new file mode 100644
index 0000000..8353439
--- /dev/null
+++ b/teleport-kube-agent/.lint/extra-args.yaml
@@ -0,0 +1,5 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: kube
+kubeClusterName: test-kube-cluster
+extraArgs: ['--debug']
diff --git a/teleport-kube-agent/.lint/extra-env.yaml b/teleport-kube-agent/.lint/extra-env.yaml
new file mode 100644
index 0000000..7f3ee92
--- /dev/null
+++ b/teleport-kube-agent/.lint/extra-env.yaml
@@ -0,0 +1,7 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: kube
+kubeClusterName: test-kube-cluster
+extraEnv:
+- name: HTTPS_PROXY
+ value: "http://username:password@my.proxy.host:3128"
diff --git a/teleport-kube-agent/.lint/extra-labels.yaml b/teleport-kube-agent/.lint/extra-labels.yaml
new file mode 100644
index 0000000..293e8b3
--- /dev/null
+++ b/teleport-kube-agent/.lint/extra-labels.yaml
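Review bot: The `HTTPS_PROXY` entry in extra-env.yaml embeds a `username:password` pair inline in a plain `value:`, so the fixture models committing proxy credentials into a values file, while azure-databases.yaml in the same commit sources `AZURE_CLIENT_SECRET` through `valueFrom.secretKeyRef`. The fixture only needs to exercise the `extraEnv` rendering path, so I would drop the credentials, `value: "http://my.proxy.host:3128"`, and add a one-line comment saying that an authenticated proxy URL should be taken from a Secret with `valueFrom.secretKeyRef` as the Azure fixture does.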
@@ -0,0 +1,37 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+kubeClusterName: test-kube-cluster
+extraLabels:
+ role:
+ app.kubernetes.io/name: "teleport-kube-agent"
+ resource: "role"
+ roleBinding:
+ app.kubernetes.io/name: "teleport-kube-agent"
+ resource: "rolebinding"
+ clusterRole:
+ app.kubernetes.io/name: "teleport-kube-agent"
+ resource: "clusterrole"
+ clusterRoleBinding:
+ app.kubernetes.io/name: "teleport-kube-agent"
+ resource: "clusterrolebinding"
+ config:
+ app.kubernetes.io/name: "teleport-kube-agent"
+ resource: "config"
+ deployment:
+ app.kubernetes.io/name: "teleport-kube-agent"
+ resource: "deployment"
+ pod:
+ app.kubernetes.io/name: "teleport-kube-agent"
+ resource: "pod"
+ podDisruptionBudget:
+ app.kubernetes.io/name: "teleport-kube-agent"
+ resource: "poddisruptionbudget"
+ podSecurityPolicy:
+ app.kubernetes.io/name: "teleport-kube-agent"
+ resource: "podsecuritypolicy"
+ secret:
+ app.kubernetes.io/name: "teleport-kube-agent"
+ resource: "secret"
+ serviceAccount:
+ app.kubernetes.io/name: "teleport-kube-agent"
+ resource: "serviceaccount"
diff --git a/teleport-kube-agent/.lint/host-aliases.yaml b/teleport-kube-agent/.lint/host-aliases.yaml
new file mode 100644
index 0000000..21faa71
--- /dev/null
+++ b/teleport-kube-agent/.lint/host-aliases.yaml
@@ -0,0 +1,11 @@
+proxyAddr: proxy.example.com:3080
+kubeClusterName: test-kube-cluster-name
+hostAliases:
+ - ip: "127.0.0.1"
+ hostnames:
+ - "foo.local"
+ - "bar.local"
+ - ip: "10.1.2.3"
+ hostnames:
+ - "foo.remote"
+ - "bar.remote"
diff --git a/teleport-kube-agent/.lint/image-pull-policy-stateful.yaml b/teleport-kube-agent/.lint/image-pull-policy-stateful.yaml
new file mode 100644
index 0000000..83995f0
--- /dev/null
+++ b/teleport-kube-agent/.lint/image-pull-policy-stateful.yaml
@@ -0,0 +1,7 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+kubeClusterName: test-kube-cluster-name
+storage:
+ enabled: true
+ storageClassName: "aws-gp2"
+imagePullPolicy: Always
diff --git a/teleport-kube-agent/.lint/image-pull-policy.yaml b/teleport-kube-agent/.lint/image-pull-policy.yaml
new file mode 100644
index 0000000..c5e389c
--- /dev/null
+++ b/teleport-kube-agent/.lint/image-pull-policy.yaml
@@ -0,0 +1,5 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: kube
+kubeClusterName: test-kube-cluster
+imagePullPolicy: Always
diff --git a/teleport-kube-agent/.lint/imagepullsecrets.yaml b/teleport-kube-agent/.lint/imagepullsecrets.yaml
new file mode 100644
index 0000000..cb5ce1e
--- /dev/null
+++ b/teleport-kube-agent/.lint/imagepullsecrets.yaml
@@ -0,0 +1,7 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: kube
+kubeClusterName: test-kube-cluster
+image: public.ecr.aws/gravitational/teleport
+imagePullSecrets:
+- name: myRegistryKeySecretName
diff --git a/teleport-kube-agent/.lint/initcontainers.yaml b/teleport-kube-agent/.lint/initcontainers.yaml
new file mode 100644
index 0000000..a8d7a2a
--- /dev/null
+++ b/teleport-kube-agent/.lint/initcontainers.yaml
@@ -0,0 +1,17 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: kube
+kubeClusterName: test-kube-cluster
+initContainers:
+- name: "teleport-init"
+ image: "alpine"
+ args: ["echo test"]
+# These are just sample values to test the chart.
+# They are not intended to be guidelines or suggestions for running teleport.
+resources:
+ limits:
+ cpu: 2
+ memory: 4Gi
+ requests:
+ cpu: 1
+ memory: 2Gi
diff --git a/teleport-kube-agent/.lint/join-params-iam.yaml b/teleport-kube-agent/.lint/join-params-iam.yaml
new file mode 100644
index 0000000..13d38c6
--- /dev/null
+++ b/teleport-kube-agent/.lint/join-params-iam.yaml
@@ -0,0 +1,5 @@
+proxyAddr: proxy.example.com:3080
+kubeClusterName: test-kube-cluster-name
+joinParams:
+ tokenName: iam-token
+ method: iam
diff --git a/teleport-kube-agent/.lint/join-params-token.yaml b/teleport-kube-agent/.lint/join-params-token.yaml
new file mode 100644
index 0000000..5e476c1
--- /dev/null
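Review bot: In initcontainers.yaml the two "sample values" comment lines sit directly above `resources`, so they read as covering only the limits, while the `initContainers` entry above them references the untagged, mutable `alpine` image and an `args` list whose single element `"echo test"` is not a valid argv split; a file named after initContainers is the one most likely to be copied as-is. I would move the comment to the top of the file so it covers the whole fixture, or pin the image and split the arguments, `image: "alpine:<pinned tag or digest>"` and `args: ["echo", "test"]`.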
+++ b/teleport-kube-agent/.lint/join-params-token.yaml
@@ -0,0 +1,5 @@
+proxyAddr: proxy.example.com:3080
+kubeClusterName: test-kube-cluster-name
+joinParams:
+ tokenName: xxxxxxx-secret-token-xxxxxxx
+ method: token
diff --git a/teleport-kube-agent/.lint/log-basic.yaml b/teleport-kube-agent/.lint/log-basic.yaml
new file mode 100644
index 0000000..46d87a7
--- /dev/null
+++ b/teleport-kube-agent/.lint/log-basic.yaml
@@ -0,0 +1,6 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+kubeClusterName: test-kube-cluster-name
+log:
+ format: json
+ level: INFO
diff --git a/teleport-kube-agent/.lint/log-extra.yaml b/teleport-kube-agent/.lint/log-extra.yaml
new file mode 100644
index 0000000..656190d
--- /dev/null
+++ b/teleport-kube-agent/.lint/log-extra.yaml
@@ -0,0 +1,8 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+kubeClusterName: test-kube-cluster-name
+log:
+ format: json
+ level: DEBUG
+ output: /var/lib/teleport/test.log
+ extraFields: ["level", "timestamp", "component", "caller"]
diff --git a/teleport-kube-agent/.lint/log-legacy.yaml b/teleport-kube-agent/.lint/log-legacy.yaml
new file mode 100644
index 0000000..8d3767b
--- /dev/null
+++ b/teleport-kube-agent/.lint/log-legacy.yaml
@@ -0,0 +1,4 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+kubeClusterName: test-kube-cluster-name
+logLevel: DEBUG
diff --git a/teleport-kube-agent/.lint/node-selector.yaml b/teleport-kube-agent/.lint/node-selector.yaml
new file mode 100644
index 0000000..a9f3d5c
--- /dev/null
+++ b/teleport-kube-agent/.lint/node-selector.yaml
@@ -0,0 +1,5 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+kubeClusterName: test-kube-cluster-name
+nodeSelector:
+ gravitational.io/k8s-role: node
diff --git a/teleport-kube-agent/.lint/pdb.yaml b/teleport-kube-agent/.lint/pdb.yaml
new file mode 100644
index 0000000..e898684
--- /dev/null
+++ b/teleport-kube-agent/.lint/pdb.yaml
@@ -0,0 +1,7 @@
+proxyAddr: proxy.example.com:3080
+kubeClusterName: test-kube-cluster-name
+highAvailability:
+ replicaCount: 3
+ podDisruptionBudget:
+ enabled: true
+ minAvailable: 2
diff --git a/teleport-kube-agent/.lint/podmonitor.yaml b/teleport-kube-agent/.lint/podmonitor.yaml
new file mode 100644
index 0000000..2cdb90b
--- /dev/null
+++ b/teleport-kube-agent/.lint/podmonitor.yaml
@@ -0,0 +1,7 @@
+proxyAddr: proxy.example.com:3080
+kubeClusterName: test-kube-cluster-name
+podMonitor:
+ enabled: true
+ additionalLabels:
+ prometheus: default
+ interval: 30s
diff --git a/teleport-kube-agent/.lint/priority-class-name.yaml b/teleport-kube-agent/.lint/priority-class-name.yaml
new file mode 100644
index 0000000..1f0baeb
--- /dev/null
+++ b/teleport-kube-agent/.lint/priority-class-name.yaml
@@ -0,0 +1,4 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+kubeClusterName: test-kube-cluster
+priorityClassName: teleport-kube-agent
diff --git a/teleport-kube-agent/.lint/probe-timeout-seconds.yaml b/teleport-kube-agent/.lint/probe-timeout-seconds.yaml
new file mode 100644
index 0000000..306f64c
--- /dev/null
+++ b/teleport-kube-agent/.lint/probe-timeout-seconds.yaml
@@ -0,0 +1,7 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: kube
+kubeClusterName: test-kube-cluster-name
+# These are just sample values to test the chart.
+# They are not intended to be guidelines or suggestions for running teleport.
+probeTimeoutSeconds: 5
diff --git a/teleport-kube-agent/.lint/resources.yaml b/teleport-kube-agent/.lint/resources.yaml
new file mode 100644
index 0000000..bd0ccf4
--- /dev/null
+++ b/teleport-kube-agent/.lint/resources.yaml
@@ -0,0 +1,13 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: kube
+kubeClusterName: test-kube-cluster
+# These are just sample values to test the chart.
+# They are not intended to be guidelines or suggestions for running teleport.
+resources:
+ limits:
+ cpu: 2
+ memory: 4Gi
+ requests:
+ cpu: 1
+ memory: 2Gi
diff --git a/teleport-kube-agent/.lint/security-context-empty.yaml b/teleport-kube-agent/.lint/security-context-empty.yaml
new file mode 100644
index 0000000..4f2c972
--- /dev/null
+++ b/teleport-kube-agent/.lint/security-context-empty.yaml
@@ -0,0 +1,6 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: kube
+kubeClusterName: helm-lint
+securityContext: null
+initSecurityContext: null
diff --git a/teleport-kube-agent/.lint/service-account-name.yaml b/teleport-kube-agent/.lint/service-account-name.yaml
new file mode 100644
index 0000000..fbc76f9
--- /dev/null
+++ b/teleport-kube-agent/.lint/service-account-name.yaml
@@ -0,0 +1,5 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: kube
+kubeClusterName: test-kube-cluster
+serviceAccountName: teleport-kube-agent-sa
diff --git a/teleport-kube-agent/.lint/stateful.yaml b/teleport-kube-agent/.lint/stateful.yaml
new file mode 100644
index 0000000..5424307
--- /dev/null
+++ b/teleport-kube-agent/.lint/stateful.yaml
@@ -0,0 +1,6 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+kubeClusterName: test-kube-cluster-name
+storage:
+ enabled: true
+ storageClassName: "aws-gp2"
diff --git a/teleport-kube-agent/.lint/tolerations.yaml b/teleport-kube-agent/.lint/tolerations.yaml
new file mode 100644
index 0000000..87abf13
--- /dev/null
+++ b/teleport-kube-agent/.lint/tolerations.yaml
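Review bot: security-context-empty.yaml sets both `securityContext` and `initSecurityContext` to `null` with no comment, so nothing distinguishes this lint case from a recommended configuration even though it renders the agent containers with no security context at all. I would add `# Lint-only case: renders the chart with both container security contexts explicitly unset` at the top of the file, matching the "sample values" comments used by the resources fixtures in this commit. The `kubeClusterName: helm-lint` value also differs from the `test-kube-cluster` name used by the sibling fixtures, which is harmless but worth aligning.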
@@ -0,0 +1,13 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: kube
+kubeClusterName: test-kube-cluster
+tolerations:
+- key: "dedicated"
+ operator: "Equal"
+ value: "teleport"
+ effect: "NoExecute"
+- key: "dedicated"
+ operator: "Equal"
+ value: "teleport"
+ effect: "NoSchedule"
diff --git a/teleport-kube-agent/.lint/updater.yaml b/teleport-kube-agent/.lint/updater.yaml
new file mode 100644
index 0000000..8519cd8
--- /dev/null
+++ b/teleport-kube-agent/.lint/updater.yaml
@@ -0,0 +1,6 @@
+proxyAddr: proxy.example.com:3080
+roles: "custom"
+updater:
+ enabled: true
+ versionServer: https://my-custom-version-server/v1
+ releaseChannel: custom/preview
diff --git a/teleport-kube-agent/.lint/v10.yaml b/teleport-kube-agent/.lint/v10.yaml
new file mode 100644
index 0000000..887242a
--- /dev/null
+++ b/teleport-kube-agent/.lint/v10.yaml
@@ -0,0 +1,5 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: kube
+kubeClusterName: test-kube-cluster-name
+teleportVersionOverride: "10.3.5-dev"
diff --git a/teleport-kube-agent/.lint/v11.yaml b/teleport-kube-agent/.lint/v11.yaml
new file mode 100644
index 0000000..b308f63
--- /dev/null
+++ b/teleport-kube-agent/.lint/v11.yaml
@@ -0,0 +1,5 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: kube
+kubeClusterName: test-kube-cluster-name
+teleportVersionOverride: "11.0.1-dev"
diff --git a/teleport-kube-agent/.lint/volumes.yaml b/teleport-kube-agent/.lint/volumes.yaml
new file mode 100644
index 0000000..1f55235
--- /dev/null
+++ b/teleport-kube-agent/.lint/volumes.yaml
@@ -0,0 +1,11 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: kube
+kubeClusterName: test-kube-cluster
+extraVolumeMounts:
+- name: "my-mount"
+ mountPath: "/path/to/mount"
+extraVolumes:
+- name: "my-mount"
+ secret:
+ secretName: "mySecret"
diff --git a/teleport-kube-agent/Chart.yaml b/teleport-kube-agent/Chart.yaml
new file mode 100644
index 0000000..c559b3e
--- /dev/null
+++ b/teleport-kube-agent/Chart.yaml
@@ -0,0 +1,9 @@
+apiVersion: v2
+appVersion: 13.3.8
+description: Teleport provides a secure SSH, Kubernetes, database and application
+ remote access solution that doesn't get in the way.
+icon: https://goteleport.com/images/logos/logo-teleport-square.svg
+keywords:
+- Teleport
+name: teleport-kube-agent
+version: 13.3.8
diff --git a/teleport-kube-agent/README.md b/teleport-kube-agent/README.md
new file mode 100644
index 0000000..903398c
--- /dev/null
+++ b/teleport-kube-agent/README.md
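Review bot: `appVersion: 13.3.8` and `version: 13.3.8` in Chart.yaml are plain scalars; with two dots they parse as strings today, but the other version strings in this commit (`teleportVersionOverride` in v10.yaml and v11.yaml) are quoted, and Helm recommends quoting `appVersion` so a future single-dot or numeric tag is not retyped as a float. I would write `appVersion: "13.3.8"` and `version: "13.3.8"` for consistency.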
@@ -0,0 +1,245 @@ +# Teleport Agent chart + +This chart is a Teleport agent used to register any or all of the following services +with an existing Teleport cluster: +- Teleport Kubernetes access +- Teleport Application access +- Teleport Database access + +To use it, you will need: +- an existing Teleport cluster (at least proxy and auth services) +- a reachable proxy endpoint (`$PROXY_ENDPOINT` e.g. `teleport.example.com:3080` or `teleport.example.com:443`) +- a reachable reverse tunnel port on the proxy (e.g. `teleport.example.com:3024`). The address is automatically + retrieved from the Teleport proxy configuration. +- either a static or dynamic join token for the Teleport Cluster + - a [static join token](https://goteleport.com/docs/setup/admin/adding-nodes/#adding-nodes-to-the-cluster) + for this Teleport cluster (`$JOIN_TOKEN`) is used by default. + - optionally a [dynamic join token](https://goteleport.com/docs/setup/admin/adding-nodes/#short-lived-dynamic-tokens) can + be used on Kubernetes clusters that support persistent volumes. Set `storage.enabled=true` and + `storage.storageClassName=` in the helm configuration to use persistent + volumes. + + +## Combining roles + +You can combine multiple roles as a comma-separated list: `--set roles=kube\,db\,app` + +Note that commas must be escaped if the values are provided on the command line. This is due to the way that +Helm parses arguments. + +You must also provide the settings for each individual role which is enabled as detailed below. + +## Backwards compatibility + +To provide backwards compatibility with older versions of the `teleport-kube-agent` chart, if you do +not specify any value for `roles`, the chart will run with only the `kube` role enabled. 
+ +## Kubernetes access + +To use Teleport Kubernetes access, you will also need: +- to choose a name for your Kubernetes cluster, distinct from other registered + clusters (`$KUBERNETES_CLUSTER_NAME`) + +To install the agent, run: + +```sh +$ helm install teleport-kube-agent . \ + --create-namespace \ + --namespace teleport \ + --set roles=kube \ + --set proxyAddr=${PROXY_ENDPOINT?} \ + --set authToken=${JOIN_TOKEN?} \ + --set kubeClusterName=${KUBERNETES_CLUSTER_NAME?} +``` + +Set the values in the above command as appropriate for your setup. + +You can also optionally set labels for your Kubernetes cluster using the +format `--set "labels.key=value"` - for example: `--set "labels.env=development,labels.region=us-west-1"` + +To avoid specifying the auth token in plain text, it's possible to create a secret containing the token beforehand. To do so, run: + +```sh +export TELEPORT_KUBE_TOKEN=` | base64 -w0` +export TELEPORT_NAMESPACE=teleport + +cat < secrets.yaml +--- +apiVersion: v1 +kind: Secret +metadata: + name: teleport-kube-agent-join-token + namespace: ${TELEPORT_NAMESPACE?} +type: Opaque +data: + auth-token: ${TELEPORT_KUBE_TOKEN?} +EOF + +$ kubectl apply -f secret.yaml + +$ helm install teleport-kube-agent . \ + --create-namespace \ + --namespace ${TELEPORT_NAMESPACE?} \ + --set roles=kube \ + --set proxyAddr=${PROXY_ENDPOINT?} \ + --set kubeClusterName=${KUBERNETES_CLUSTER_NAME?} +``` + +Note that due to backwards compatibility, the `labels` value **only** applies to the Teleport +Kubernetes service. To set labels for applications or databases, use the different formats +detailed below. + +## Application access + +### Dynamic Registration mode + +To use Teleport application access in [dynamic registration mode](https://goteleport.com/docs/application-access/guides/dynamic-registration/), +you will need to know the application resource selector. 
(`$APP_RESOURCE_KEY` and `$APP_RESOURCE_VALUE`) + +To listen for all application resources, set both variables to `*`. + +To install the agent in dynamic application registration mode, run: +```sh +$ helm install teleport-kube-agent . \ +--create-namespace \ +--namespace teleport \ +--set roles=app \ +--set proxyAddr=${PROXY_ENDPOINT?} \ +--set authToken=${JOIN_TOKEN?} \ +--set "appResources[0].labels.${APP_RESOURCE_KEY?}=${APP_RESOURCE_VALUE?}" +``` + +### Manual configuration mode + +To use Teleport Application access, you will also need: +- the name of an application that you would like to proxy (`$APP_NAME`) +- the URI to connect to the application from the node where this chart is deployed (`$APP_URI`) + +To install the agent, run: + +```sh +$ helm install teleport-kube-agent . \ + --create-namespace \ + --namespace teleport \ + --set roles=app \ + --set proxyAddr=${PROXY_ENDPOINT?} \ + --set authToken=${JOIN_TOKEN?} \ + --set "apps[0].name=${APP_NAME?}" \ + --set "apps[0].uri=${APP_URI?}" +``` + +Set the values in the above command as appropriate for your setup. 
+ +These are the supported values for the `apps` map: + +| Key | Description | Example | Default | Required | +| --- | --- | --- | --- | --- | +| `name` | Name of the app to be accessed | `apps[0].name=grafana` | | Yes | +| `uri` | URI of the app to be accessed | `apps[0].uri=http://localhost:3000` | | Yes | +| `public_addr` | Public address used to access the app | `apps[0].public_addr=grafana.teleport.example.com` | | No | +| `labels.[name]` | Key-value pairs to set against the app for grouping/RBAC | `apps[0].labels.env=local,apps[0].labels.region=us-west-1` | | No | +| `insecure_skip_verify` | Whether to skip validation of TLS certificates presented by backend apps | `apps[0].insecure_skip_verify=true` | `false` | No | +| `rewrite.redirect` | A list of URLs to rewrite to the public address of the app service | `apps[0].rewrite.redirect[0]=https://192.168.1.1` | | No + +You can add multiple apps using `apps[1].name`, `apps[1].uri`, `apps[2].name`, `apps[2].uri` etc. + +After installing, the new application should show up in `tsh apps ls` after a few minutes. + +## Database access + +### Dynamic Registration mode + +To use Teleport database access in [dynamic registration mode](https://goteleport.com/docs/database-access/guides/dynamic-registration/), +you will need to know the database resource selector. (`$DB_RESOURCE_KEY` and `$DB_RESOURCE_VALUE`) + +To listen for all database resources, set both variables to `*`. + +To install the agent in dynamic database registration mode, run: +```sh +$ helm install teleport-kube-agent . 
\ +--create-namespace \ +--namespace teleport \ +--set roles=db \ +--set proxyAddr=${PROXY_ENDPOINT?} \ +--set authToken=${JOIN_TOKEN?} \ +--set "databaseResources[0].labels.${DB_RESOURCE_KEY?}=${DB_RESOURCE_VALUE?}" +``` + +### Auto-discovery mode (AWS) + +To use Teleport database access in AWS database auto-discovery mode, you will also need: +- the database types you are attempting to auto-discover (`types`) +- the AWS region(s) you would like to run auto-discovery in (`regions`) +- the AWS resource tags if you want to target only certain databases (`tags`) + +See the [AWS databases Helm chart reference](https://goteleport.com/docs/reference/helm-reference/teleport-kube-agent/#awsDatabases) +for an example of installing an agent with AWS database auto-discovery. + +### Auto-discovery mode (Azure) + +To use Teleport database access in Azure database auto-discovery mode, you will also need: +- the database types you are attempting to auto-discover (`types`) +- the Azure resource tags if you want to target only certain databases (`tags`) + +You can optionally specify: +- the Azure subscription(s) to auto-discover in (`subscriptions`) +- the Azure region(s) to auto-discover in (`regions`) +- the Azure resource-group(s) to auto-discover in (`resource_groups`) + +The default for each of these optional settings is `[*]`, which will auto-discover in all +subscriptions, regions, or resource groups accessible by the Teleport service +principal in Azure. + +See the [Azure databases Helm chart reference](https://goteleport.com/docs/reference/helm-reference/teleport-kube-agent/#azureDatabases) +for an example of installing an agent with Azure database auto-discovery. 
+ +### Manual configuration mode + +To use Teleport database access, you will also need: +- the name of an database that you would like to proxy (`$DB_NAME`) +- the URI to connect to the database from the node where this chart is deployed (`$DB_URI`) +- the database protocol used for the database (`$DB_PROTOCOL`) + +To install the agent in manual database configuration mode, run: + +```sh +$ helm install teleport-kube-agent . \ + --create-namespace \ + --namespace teleport \ + --set roles=db \ + --set proxyAddr=${PROXY_ENDPOINT?} \ + --set authToken=${JOIN_TOKEN?} \ + --set "databases[0].name=${DB_NAME?}" \ + --set "databases[0].uri=${DB_URI?}" \ + --set "databases[0].protocol=${DB_PROTOCOL?}" +``` + +Set the values in the above command as appropriate for your setup. + +These are the supported values for the `databases` map: + +| Key | Description | Example | Default | Required | +| --- | --- | --- | --- | --- | +| `name` | Name of the database to be accessed | `databases[0].name=aurora` | | Yes | +| `uri` | URI of the database to be accessed | `databases[0].uri=postgres-aurora-instance-1.xxx.us-east-1.rds.amazonaws.com:5432` | | Yes | +| `protocol` | Database protocol | `databases[0].protocol=postgres` | | Yes | +| `description` | Free-form description of the database proxy instance | `databases[0].description='AWS Aurora instance of PostgreSQL 13.0'` | | No | +| `aws.region` | AWS-specific region configuration (only used for RDS/Aurora) | `databases[0].aws.region=us-east-1` | | No | +| `labels.[name]` | Key-value pairs to set against the database for grouping/RBAC | `databases[0].labels.db=postgres-dev,apps[0].labels.region=us-east-1` | | No | + +You can add multiple databases using `databases[1].name`, `databases[1].uri`, `databases[1].protocol`, +`databases[2].name`, `databases[2].uri`, `databases[2].protocol` etc. + +After installing, the new database should show up in `tsh db ls` after a few minutes. 
+
+## Troubleshooting
+
+If the service for a given role doesn't show up, look into the agent logs with:
+
+```sh
+$ kubectl logs -n teleport deployment/teleport-kube-agent
+```
+
+## Contributing to the chart
+
+Please read [CONTRIBUTING.md](../CONTRIBUTING.md) before raising a pull request to this chart.
diff --git a/teleport-kube-agent/aws-and-manual-db.yaml b/teleport-kube-agent/aws-and-manual-db.yaml
new file mode 100644
index 0000000..7e85f65
--- /dev/null
+++ b/teleport-kube-agent/aws-and-manual-db.yaml
@@ -0,0 +1,21 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: db
+awsDatabases:
+- types: ["rds"]
+ regions: ["us-east-1"]
+ tags:
+ "*": "*"
+- types: ["rds"]
+ regions: ["us-west-2"]
+ tags:
+ "env": "development"
+databases:
+- name: aurora
+ uri: "postgres-aurora-instance-1.xxx.us-east-1.rds.amazonaws.com:5432"
+ protocol: "postgres"
+ labels:
+ database: staging
+annotations:
+ serviceAccount:
+ eks.amazonaws.com/role-arn: arn:aws:iam::1234567890:role/my-rds-autodiscovery-role
diff --git a/teleport-kube-agent/templates/NOTES.txt b/teleport-kube-agent/templates/NOTES.txt
new file mode 100644
index 0000000..9a35a1e
--- /dev/null
+++ b/teleport-kube-agent/templates/NOTES.txt
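Review bot: `aws-and-manual-db.yaml` is an example values file placed at the chart root rather than under `.lint/` with the other fixtures, so unless a `.helmignore` that is not part of this patch excludes it, `helm package` ships it inside the chart archive. Its first `awsDatabases` entry uses `tags: "*": "*"`, which per the README registers every RDS instance the `eks.amazonaws.com/role-arn` role can enumerate in `us-east-1`; as a worked example that is fine, but a leading comment such as `# Example values only: the "*" tag selector is illustrative, scope production selectors to the intended databases and replace the placeholder token and role ARN` would stop the wildcard being copied as-is. Moving the file under `.lint/` would also make its purpose unambiguous.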
@@ -0,0 +1,53 @@ +{{- if and .Values.podSecurityPolicy.enabled (semverCompare "<1.23.0-0" .Capabilities.KubeVersion.Version) }} +SECURITY WARNING: Kubernetes 1.25 removes PodSecurityPolicy support and Helm +doesn't support upgrading from 1.24 to 1.25 with PSPs enabled. Since version 12 +the `teleport-cluster` chart doesn't deploy PSPs on Kubernetes 1.23 or older. +Instead, we recommend you to configure Pod Security AdmissionControllers for +the namespace "{{.Release.Namespace}}" by adding the label +`pod-security.kubernetes.io/enforce: baseline` on the namespace resource. + +See https://goteleport.com/docs/deploy-a-cluster/helm-deployments/migration-kubernetes-1-25-psp/ + +To remove this warning, explicitly set "podSecurityPolicy.enabled=false". +{{- end }} + +{{- if .Values.teleportVersionOverride }} + +DANGER: `teleportVersionOverride` MUST NOT be used to control the Teleport version. +This chart is designed to run Teleport version {{ .Chart.AppVersion }}. +You will face compatibility issues trying to run a different Teleport version with it. + +If you want to run Teleport version {{.Values.teleportVersionOverride}}, +you should use `helm --version {{.Values.teleportVersionOverride}}` instead. +{{- end }} +{{- if contains "-gke." .Capabilities.KubeVersion.Version -}} +{{- $groupName := (coalesce .Values.adminClusterRoleBinding.name "cluster-admin") }} + +WARNING: GKE Autopilot clusters forbid users from impersonating system-wide identities. +This means you won't be able to use the `system:masters` Kubernetes Group in +the Teleport Roles for GKE Autopilot clusters. + +Given that you installed Teleport on a GKE cluster, we recommend you use the +Kubernetes Group `{{ $groupName }}` instead of `system:masters` in the Teleport Roles +for GKE Autopilot clusters. 
+ +To do so, you can use the following Teleport Role resource: + + kind: role + metadata: + name: gke-kube-access + version: v6 + spec: + allow: + kubernetes_labels: + '*': '*' + kubernetes_groups: + - "{{ $groupName }}" + +This chart automatically created the `{{ $groupName }}` Kubernetes Group for you and +assigned it admin privileges on the Kubernetes cluster. + +Consult the built-in security features that GKE Autopilot enforces: +https://cloud.google.com/kubernetes-engine/docs/concepts/autopilot-security#built-in-security + +{{- end }} diff --git a/teleport-kube-agent/templates/_config.tpl b/teleport-kube-agent/templates/_config.tpl new file mode 100644 index 0000000..7d34788 --- /dev/null +++ b/teleport-kube-agent/templates/_config.tpl 
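Review bot: The PodSecurityPolicy warning says the `teleport-cluster` chart stopped deploying PSPs, but this NOTES.txt belongs to `teleport-kube-agent`; if the block was carried over from the other chart, the chart name in that sentence should be updated. The same sentence reads "on Kubernetes 1.23 or older" while the guard is `semverCompare "<1.23.0-0"`, which excludes 1.23 itself, so either the text or the comparison needs to change for the message to match the condition it is printed under. Both points are wording only; the template logic otherwise reads correctly.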
@@ -0,0 +1,116 @@ +{{- define "teleport-kube-agent.config" -}} +{{- $logLevel := (coalesce .Values.logLevel .Values.log.level "INFO") -}} +{{- if (ge (include "teleport-kube-agent.version" . | semver).Major 11) }} +version: v3 +{{- end }} +teleport: + join_params: + method: "{{ .Values.joinParams.method }}" + token_name: "/etc/teleport-secrets/auth-token" + {{- if (ge (include "teleport-kube-agent.version" . | semver).Major 11) }} + proxy_server: {{ required "proxyAddr is required in chart values" .Values.proxyAddr }} + {{- else }} + auth_servers: ["{{ required "proxyAddr is required in chart values" .Values.proxyAddr }}"] + {{- end }} + {{- if .Values.caPin }} + ca_pin: {{- toYaml .Values.caPin | nindent 8 }} + {{- end }} + log: + severity: {{ $logLevel }} + output: {{ .Values.log.output }} + format: + output: {{ .Values.log.format }} + extra_fields: {{ .Values.log.extraFields | toJson }} + +kubernetes_service: + {{- if or (contains "kube" (.Values.roles | toString)) (empty .Values.roles) }} + enabled: true + kube_cluster_name: {{ required "kubeClusterName is required in chart values when kube role is enabled, see README" .Values.kubeClusterName }} + {{- if .Values.labels }} + labels: {{- toYaml .Values.labels | nindent 8 }} + {{- end }} + {{- else }} + enabled: false + {{- end }} + +app_service: + {{- if contains "app" (.Values.roles | toString) }} + enabled: true + {{- if not (or (.Values.apps) (.Values.appResources)) }} + {{- fail "at least one of 'apps' and 'appResources' is required in chart values when app role is enabled, see README" }} + {{- end }} + {{- if .Values.apps }} + {{- range $app := .Values.apps }} + {{- if not (hasKey $app "name") }} + {{- fail "'name' is required for all 'apps' in chart values when app role is enabled, see README" }} + {{- end }} + {{- if not (hasKey $app "uri") }} + {{- fail "'uri' is required for all 'apps' in chart values when app role is enabled, see README" }} + {{- end }} + {{- end }} + apps: + {{- toYaml .Values.apps | 
nindent 8 }} + {{- end }} + {{- if .Values.appResources }} + resources: + {{- toYaml .Values.appResources | nindent 8 }} + {{- end }} + {{- else }} + enabled: false + {{- end }} + +db_service: + {{- if contains "db" (.Values.roles | toString) }} + enabled: true + {{- if not (or (.Values.awsDatabases) (.Values.azureDatabases) (.Values.databases) (.Values.databaseResources)) }} + {{- fail "at least one of 'awsDatabases', 'azureDatabases', 'databases' or 'databaseResources' is required in chart values when db role is enabled, see README" }} + {{- end }} + {{- if .Values.awsDatabases }} + aws: + {{- range $awsDb := .Values.awsDatabases }} + {{- if not (hasKey $awsDb "types") }} + {{- fail "'types' is required for all 'awsDatabases' in chart values when key is set and db role is enabled, see README" }} + {{- end }} + {{- if not (hasKey $awsDb "regions") }} + {{- fail "'regions' is required for all 'awsDatabases' in chart values when key is set and db role is enabled, see README" }} + {{- end }} + {{- if not (hasKey $awsDb "tags") }} + {{- fail "'tags' is required for all 'awsDatabases' in chart values when key is set and db role is enabled, see README" }} + {{- end }} + {{- end }} + {{- toYaml .Values.awsDatabases | nindent 6 }} + {{- end }} + {{- if .Values.azureDatabases }} + azure: + {{- toYaml .Values.azureDatabases | nindent 6 }} + {{- end}} + {{- if .Values.databases }} + databases: + {{- range $db := .Values.databases }} + {{- if not (hasKey $db "name") }} + {{- fail "'name' is required for all 'databases' in chart values when db role is enabled, see README" }} + {{- end }} + {{- if not (hasKey $db "uri") }} + {{- fail "'uri' is required for all 'databases' is required in chart values when db role is enabled, see README" }} + {{- end }} + {{- if not (hasKey $db "protocol") }} + {{- fail "'protocol' is required for all 'databases' in chart values when db role is enabled, see README" }} + {{- end }} + {{- end }} + {{- toYaml .Values.databases | nindent 6 }} + {{- 
end }} + {{- if .Values.databaseResources }} + resources: + {{- toYaml .Values.databaseResources | nindent 6 }} + {{- end }} +{{- else }} + enabled: false +{{- end }} + +auth_service: + enabled: false +ssh_service: + enabled: false +proxy_service: + enabled: false +{{- end -}} diff --git a/teleport-kube-agent/templates/_helpers.tpl b/teleport-kube-agent/templates/_helpers.tpl new file mode 100644 index 0000000..8827f34 --- /dev/null +++ b/teleport-kube-agent/templates/_helpers.tpl 
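Review bot: The failure message for a `databases` entry without `uri` reads `'uri' is required for all 'databases' is required in chart values ...`, duplicating "is required"; change it to `{{- fail "'uri' is required for all 'databases' in chart values when db role is enabled, see README" }}` so it matches the `name` and `protocol` messages beside it. Separately, every role check is a substring match (`contains "db" (.Values.roles | toString)`), so a value such as `kubedb` silently enables two services; either a comment on the first `kubernetes_service` check stating that `roles` is matched by substring, or switching the three checks to `has "db" (splitList "," (.Values.roles | toString))`, would make the contract explicit. The `{{- end}}` closing the `azure` block also lacks the space every other `{{- end }}` in this file has. The `teleport-kube-agent.config` define is complete within this hunk.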
@@ -0,0 +1,46 @@
+{{- define "teleport.kube.agent.isUpgrade" -}}
+{{- /* Checks if action is an upgrade from an old release that didn't support Secret storage */}}
+{{- if .Release.IsUpgrade }}
+ {{- $deployment := (lookup "apps/v1" "Deployment" .Release.Namespace .Release.Name ) -}}
+ {{- if ($deployment) }}
+true
+ {{- else if .Values.unitTestUpgrade }}
+true
+ {{- end }}
+{{- end }}
+{{- end -}}
+{{/*
+Create the name of the service account to use
+if serviceAccount is not defined or serviceAccount.name is empty, use .Release.Name
+*/}}
+{{- define "teleport-kube-agent.serviceAccountName" -}}
+{{- coalesce .Values.serviceAccount.name .Values.serviceAccountName .Release.Name -}}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use for the post-delete hook
+if serviceAccount is not defined or serviceAccount.name is empty, use .Release.Name-delete-hook
+*/}}
+{{- define "teleport-kube-agent.deleteHookServiceAccountName" -}}
+{{- coalesce .Values.serviceAccount.name .Values.serviceAccountName (printf "%s-delete-hook" .Release.Name) -}}
+{{- end -}}
+
+{{- define "teleport-kube-agent.version" -}}
+{{- if .Values.teleportVersionOverride -}}
+ {{- .Values.teleportVersionOverride -}}
+{{- else -}}
+ {{- .Chart.Version -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "teleport-kube-agent.baseImage" -}}
+{{- if .Values.enterprise -}}
+ {{- .Values.enterpriseImage -}}
+{{- else -}}
+ {{- .Values.image -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "teleport-kube-agent.image" -}}
+{{ include "teleport-kube-agent.baseImage" . }}:{{ include "teleport-kube-agent.version" . }}
+{{- end -}}
diff --git a/teleport-kube-agent/templates/admin_clusterrolebinding.yaml b/teleport-kube-agent/templates/admin_clusterrolebinding.yaml
new file mode 100644
index 0000000..cd3fe98
--- /dev/null
+++ b/teleport-kube-agent/templates/admin_clusterrolebinding.yaml
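Review bot: `teleport.kube.agent.isUpgrade` depends on `lookup`, which returns an empty result under `helm template` and `--dry-run`, so the helper answers "not an upgrade" in exactly the modes people use to preview a change and deployment.yaml (which gates on it) then renders nothing; the inline comment should say so, e.g. `{{- /* lookup is empty under helm template / --dry-run, so this is only reliable during a real upgrade; unitTestUpgrade lets tests force the upgrade path */}}`. The helper's name uses dots while every other helper in this file is `teleport-kube-agent.*`; it is referenced from deployment.yaml, so a rename would need to touch both files. `teleport-kube-agent.version`, `baseImage` and `image` carry no header comment, unlike the two serviceAccountName helpers, and a one-liner on `version` noting that `teleportVersionOverride` replaces `.Chart.Version` in the image tag would match what NOTES.txt warns about.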
@@ -0,0 +1,24 @@
+{{/* GKE Autopilot clusters forbid users from impersonating system:masters
+Groups. This is a security measure released under the GKE Warden authz module
+https://cloud.google.com/kubernetes-engine/docs/concepts/autopilot-security#built-in-security
+Because of this limitation, users are unable to specify kubernetes_groups=["system:masters"]
+in Teleport, so we create a Kubernetes Group called cluster-admin when we detect
+that the underlying cluster is a GKE cluster. */}}
+{{- if or (contains "-gke." .Capabilities.KubeVersion.Version) (.Values.adminClusterRoleBinding.create) -}}
+{{- $groupName := (coalesce .Values.adminClusterRoleBinding.name "cluster-admin") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: admin-k8s-cluster-group
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+# This is the built-in cluster-admin role that exists in all K8S clusters.
+# We are binding the cluster-admin role to the cluster-admin group.
+# See https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
+ name: cluster-admin
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: {{ $groupName }}
+{{- end }}
diff --git a/teleport-kube-agent/templates/clusterrole.yaml b/teleport-kube-agent/templates/clusterrole.yaml
new file mode 100644
index 0000000..c6f3c73
--- /dev/null
+++ b/teleport-kube-agent/templates/clusterrole.yaml
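Review bot: The ClusterRoleBinding is named `admin-k8s-cluster-group` with no release prefix, so a second release of this chart in the same cluster fails on Helm's ownership check for that cluster-scoped object, and uninstalling either release removes the binding the other relies on; `name: {{ .Release.Name }}-admin-k8s-cluster-group` avoids the collision, at the cost of a rename for existing installs. A Group subject is matched by name on every authenticated request, not only on Teleport's impersonation calls, so any other authenticator on the cluster that emits a group called `cluster-admin` (an OIDC groups claim, for instance) also receives full admin through this binding; the header comment should state that, together with the fact that `adminClusterRoleBinding.create` turns this on for non-GKE clusters as well. The two `#` comments under `roleRef` sit at column 0 inside an indented mapping, which YAML accepts but which reads as if they belonged to the top level.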
@@ -0,0 +1,31 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ .Values.clusterRoleName | default .Release.Name }}
+{{- if .Values.extraLabels.clusterRole }}
+ labels:
+ {{- toYaml .Values.extraLabels.clusterRole | nindent 4 }}
+{{- end }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - users
+ - groups
+ - serviceaccounts
+ verbs:
+ - impersonate
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+- apiGroups:
+ - "authorization.k8s.io"
+ resources:
+ - selfsubjectaccessreviews
+ verbs:
+ - create
+{{- end -}}
diff --git a/teleport-kube-agent/templates/clusterrolebinding.yaml b/teleport-kube-agent/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000..af2a7b1
--- /dev/null
+++ b/teleport-kube-agent/templates/clusterrolebinding.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ .Values.clusterRoleBindingName | default .Release.Name }}
+{{- if .Values.extraLabels.clusterRoleBinding }}
+ labels:
+ {{- toYaml .Values.extraLabels.clusterRoleBinding | nindent 4 }}
+{{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ .Values.clusterRoleName | default .Release.Name }}
+subjects:
+- kind: ServiceAccount
+ name: {{ template "teleport-kube-agent.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end -}}
diff --git a/teleport-kube-agent/templates/config.yaml b/teleport-kube-agent/templates/config.yaml
new file mode 100644
index 0000000..d97ebae
--- /dev/null
+++ b/teleport-kube-agent/templates/config.yaml
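Review bot: The first rule grants `impersonate` on users, groups and serviceaccounts cluster-wide, which is how the agent forwards requests, but it also means whoever holds this service account's token can act as any cluster identity including the `system:masters` group; the rule deserves a comment saying so, e.g. `# impersonate on users/groups/serviceaccounts is equivalent to cluster-admin for anyone holding the agent's token`, so that anyone adjusting `rbac.create` or `clusterRoleName` understands what the grant is. The `pods`/`get` and `selfsubjectaccessreviews`/`create` rules would likewise benefit from one line each naming the agent feature that needs them, since nothing in the template records that. The ClusterRoleBinding on this line uses `{{ template ... }}` where the other templates use `include`; `include` composes with pipelines and is the usual choice in this chart.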
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Release.Name }}
+ namespace: {{ .Release.Namespace }}
+{{- if .Values.extraLabels.config }}
+ labels:
+ {{- toYaml .Values.extraLabels.config | nindent 4 }}
+{{- end }}
+ {{- if .Values.annotations.config }}
+ annotations:
+ {{- toYaml .Values.annotations.config | nindent 4 }}
+ {{- end }}
+data:
+ teleport.yaml: |
+ {{- mustMergeOverwrite (include "teleport-kube-agent.config" . | fromYaml) .Values.teleportConfig | toYaml | nindent 4 -}}
diff --git a/teleport-kube-agent/templates/delete_hook.yaml b/teleport-kube-agent/templates/delete_hook.yaml
new file mode 100644
index 0000000..0b8cd06
--- /dev/null
+++ b/teleport-kube-agent/templates/delete_hook.yaml
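Review bot: The two optional metadata blocks are written at different indents: `{{- if .Values.extraLabels.config }}` and its `{{- end }}` sit at column 0 while `{{- if .Values.annotations.config }}` and its `{{- end }}` are indented by two. Both render correctly because `{{-` trims the leading whitespace and `nindent` fixes the output, but the mixed style hides that, so write the annotations guard at column 0 like the labels one. A comment above `teleport.yaml: |` saying that `.Values.teleportConfig` is merged over the generated config with `mustMergeOverwrite`, so any key set there wins over what `teleport-kube-agent.config` computed (including the `enabled` switches), would save operators a surprise.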
@@ -0,0 +1,95 @@ +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "teleport-kube-agent.deleteHookServiceAccountName" . }} + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-weight": "-4" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +--- +{{- end }} +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ .Release.Name }}-delete-hook + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-weight": "-3" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +rules: + - apiGroups: [""] + resources: ["secrets",] + verbs: ["get", "delete", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ .Release.Name }}-delete-hook + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-weight": "-2" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ .Release.Name }}-delete-hook +subjects: +- kind: ServiceAccount + name: {{ .Release.Name }}-delete-hook + namespace: {{ .Release.Namespace }} +--- +{{- end }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ .Release.Name }}-delete-hook + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-weight": "-1" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +spec: + template: + metadata: + name: {{ .Release.Name }}-delete-hook + spec: +{{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml .Values.imagePullSecrets | nindent 6 }} +{{- end }} +{{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} +{{- end }} + serviceAccountName: {{ template "teleport-kube-agent.deleteHookServiceAccountName" . 
}} + restartPolicy: OnFailure +{{- if .Values.tolerations }} + tolerations: + {{- toYaml .Values.tolerations | nindent 6 }} +{{- end }} +{{- if .Values.nodeSelector }} + nodeSelector: + {{- toYaml .Values.nodeSelector | nindent 8 }} +{{- end }} + containers: + - name: post-delete-job + env: + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: {{ .Release.Name }} + image: {{ include "teleport-kube-agent.image" . | quote }} + {{- if .Values.imagePullPolicy }} + imagePullPolicy: {{ toYaml .Values.imagePullPolicy }} + {{- end }} + command: ["teleport"] + args: ["kube-state", "delete"] + {{- if .Values.securityContext }} + securityContext: {{- toYaml .Values.securityContext | nindent 10 }} + {{- end }} diff --git a/teleport-kube-agent/templates/deployment.yaml b/teleport-kube-agent/templates/deployment.yaml new file mode 100644 index 0000000..30b7924 --- /dev/null +++ b/teleport-kube-agent/templates/deployment.yaml 
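Review bot: The RoleBinding's subject is hard-coded to `{{ .Release.Name }}-delete-hook`, while the ServiceAccount and the Job's `serviceAccountName` both go through `teleport-kube-agent.deleteHookServiceAccountName`, which returns `serviceAccount.name` or `serviceAccountName` when either is set; in that configuration the Job runs under an account the Role is never bound to, so `teleport kube-state delete` should be denied by RBAC unless that account already carries the permissions itself. Use the same helper in the subject: `name: {{ template "teleport-kube-agent.deleteHookServiceAccountName" . }}`. The Role also grants `get`, `list` and `delete` on every Secret in the namespace with no `resourceNames`; if the state secrets follow a predictable naming scheme, narrowing to them would keep the hook from being able to read unrelated secrets in a shared namespace, and failing that a comment explaining why the namespace-wide grant is required is the minimum.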
@@ -0,0 +1,216 @@ +# +# Warning to maintainers, any changes to this file that are not specific to the Deployment need to also be duplicated +# in the statefulset.yaml file. +# +{{- if and (not .Values.storage.enabled) (include "teleport.kube.agent.isUpgrade" . ) }} +{{- $replicaCount := (coalesce .Values.replicaCount .Values.highAvailability.replicaCount "1") }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ .Release.Name }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Release.Name }} + {{- if .Values.extraLabels.deployment }} + {{- toYaml .Values.extraLabels.deployment | nindent 4 }} + {{- end }} + {{- if .Values.annotations.deployment }} + annotations: + {{- toYaml .Values.annotations.deployment | nindent 4 }} + {{- end }} +spec: + replicas: {{ $replicaCount }} + selector: + matchLabels: + app: {{ .Release.Name }} + template: + metadata: + annotations: + # ConfigMap checksum, to recreate the pod on config changes. + checksum/config: {{ include (print $.Template.BasePath "/config.yaml") . 
| sha256sum }} +{{- if .Values.annotations.pod }} + {{- toYaml .Values.annotations.pod | nindent 8 }} +{{- end }} + labels: + app: {{ .Release.Name }} +{{- if .Values.extraLabels.pod }} + {{- toYaml .Values.extraLabels.pod | nindent 8 }} +{{- end }} + spec: + {{- if .Values.dnsConfig }} + dnsConfig: {{- toYaml .Values.dnsConfig | nindent 8 }} + {{- end }} + {{- if .Values.dnsPolicy }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- end }} + {{- if .Values.hostAliases }} + hostAliases: {{- toYaml .Values.hostAliases | nindent 8 }} + {{- end }} + {{- if or .Values.affinity (gt (int $replicaCount) 1) }} + affinity: + {{- if .Values.affinity }} + {{- if .Values.highAvailability.requireAntiAffinity }} + {{- fail "Cannot use highAvailability.requireAntiAffinity when affinity is also set in chart values - unset one or the other" }} + {{- end }} + {{- toYaml .Values.affinity | nindent 8 }} + {{- else }} + podAntiAffinity: + {{- if .Values.highAvailability.requireAntiAffinity }} + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - {{ .Release.Name }} + topologyKey: "kubernetes.io/hostname" + {{- else if gt (int $replicaCount) 1 }} + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 50 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - {{ .Release.Name }} + topologyKey: "kubernetes.io/hostname" + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: + {{- toYaml .Values.tolerations | nindent 6 }} + {{- end }} +{{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml .Values.imagePullSecrets | nindent 6 }} +{{- end }} +{{- if .Values.initContainers }} + initContainers: {{- toYaml .Values.initContainers | nindent 6 }} + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if .Values.initSecurityContext }} + securityContext: {{- toYaml 
.Values.initSecurityContext | nindent 10 }} + {{- end }} + volumeMounts: + - mountPath: /etc/teleport + name: "config" + readOnly: true + - mountPath: /etc/teleport-secrets + name: "auth-token" + readOnly: true + - mountPath: /var/lib/teleport + name: "data" + {{- if .Values.tls.existingCASecretName }} + - mountPath: /etc/teleport-tls-ca + name: "teleport-tls-ca" + readOnly: true + {{- end }} + {{- if .Values.extraVolumeMounts }} + {{- toYaml .Values.extraVolumeMounts | nindent 8 }} + {{- end }} +{{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: + {{- toYaml .Values.nodeSelector | nindent 8 }} + {{- end }} + containers: + - name: "teleport" + image: {{ include "teleport-kube-agent.image" . | quote }} + {{- if .Values.imagePullPolicy }} + imagePullPolicy: {{ toYaml .Values.imagePullPolicy }} + {{- end }} + env: + # This variable is set for telemetry purposes. + # Telemetry is opt-in for oss users and controlled at the auth level. + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + {{- if .Values.updater.enabled }} + - name: TELEPORT_EXT_UPGRADER + value: kube + {{- end }} + {{- if (gt (len .Values.extraEnv) 0) }} + {{- toYaml .Values.extraEnv | nindent 8 }} + {{- end }} + {{- if .Values.tls.existingCASecretName }} + - name: SSL_CERT_FILE + value: /etc/teleport-tls-ca/ca.pem + {{- end }} + args: + - "--diag-addr=0.0.0.0:3000" + {{- if .Values.insecureSkipProxyTLSVerify }} + - "--insecure" + {{- end }} + {{- if .Values.extraArgs }} + {{- toYaml .Values.extraArgs | nindent 8 }} + {{- end }} + {{- if .Values.securityContext }} + securityContext: {{- toYaml .Values.securityContext | nindent 10 }} + {{- end }} + ports: + - name: diag + containerPort: 3000 + protocol: TCP + livenessProbe: + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 # wait 5s for agent to start + periodSeconds: 5 # poll health every 5s + failureThreshold: 6 # consider agent unhealthy after 30s (6 * 5s) + timeoutSeconds: {{ .Values.probeTimeoutSeconds }} + 
readinessProbe: + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 # wait 5s for agent to register + periodSeconds: 5 # poll health every 5s + failureThreshold: 12 # consider agent unhealthy after 60s (12 * 5s) + timeoutSeconds: {{ .Values.probeTimeoutSeconds }} +{{- if .Values.resources }} + resources: + {{- toYaml .Values.resources | nindent 10 }} +{{- end }} + volumeMounts: + - mountPath: /etc/teleport + name: "config" + readOnly: true + - mountPath: /etc/teleport-secrets + name: "auth-token" + readOnly: true + - mountPath: /var/lib/teleport + name: {{ default "data" .Values.existingDataVolume }} + {{- if .Values.tls.existingCASecretName }} + - mountPath: /etc/teleport-tls-ca + name: "teleport-tls-ca" + readOnly: true + {{- end }} +{{- if .Values.extraVolumeMounts }} + {{- toYaml .Values.extraVolumeMounts | nindent 8 }} +{{- end }} + volumes: + - name: "config" + configMap: + name: {{ .Release.Name }} + - name: "auth-token" + secret: + secretName: {{ coalesce .Values.secretName .Values.joinTokenSecret.name }} + {{- if not .Values.existingDataVolume }} + - name: "data" + emptyDir: {} + {{- end }} + {{- if .Values.tls.existingCASecretName }} + - name: "teleport-tls-ca" + secret: + secretName: {{ .Values.tls.existingCASecretName }} + {{- end }} +{{- if .Values.extraVolumes }} + {{- toYaml .Values.extraVolumes | nindent 6 }} +{{- end }} +{{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} +{{- end }} + serviceAccountName: {{ template "teleport-kube-agent.serviceAccountName" . }} +{{- end }} diff --git a/teleport-kube-agent/templates/hook.yaml b/teleport-kube-agent/templates/hook.yaml new file mode 100644 index 0000000..e6d7de5 --- /dev/null +++ b/teleport-kube-agent/templates/hook.yaml 
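Review bot: In the `initContainers` block, `resources`, `securityContext` and `volumeMounts` are emitted after `toYaml .Values.initContainers | nindent 6` at the indent of a container's fields, so they appear to attach to the last init container only, and if that container already declares `volumeMounts` or `resources` the rendered manifest carries a duplicate mapping key, which the API server's decoder may reject or silently resolve last-wins. Either document the contract, `# the resources/securityContext/volumeMounts below are appended to the LAST entry of initContainers; do not set those keys on it`, or `range` over the list and merge the fixed fields per item. The file header says non-Deployment-specific edits must be mirrored in statefulset.yaml, which is not in this chunk, so the same point presumably applies there. The `--diag-addr=0.0.0.0:3000` listener serving `/healthz` and `/readyz` is reachable from any pod that can route to this one and the chart renders no NetworkPolicy that I can see; a comment beside the `diag` port noting that would help operators decide whether to restrict it.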
@@ -0,0 +1,97 @@ +{{- $deployment := (lookup "apps/v1" "Deployment" .Release.Namespace .Release.Name ) -}} +{{- if $deployment }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Release.Name }}-hook + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-weight": "-4" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ .Release.Name }}-hook + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-weight": "-3" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +rules: + - apiGroups: ["apps"] + resources: ["statefulsets"] + resourceNames: ["{{ .Release.Name }}"] + verbs: ["get", "watch", "list"] + - apiGroups: [""] + resources: ["pods",] + verbs: ["get", "watch"] + - apiGroups: ["apps"] + resources: ["deployments",] + resourceNames: ["{{ .Release.Name }}"] + verbs: ["get", "delete", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ .Release.Name }}-hook + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-weight": "-2" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ .Release.Name }}-hook +subjects: +- kind: ServiceAccount + name: {{ .Release.Name }}-hook + namespace: {{ .Release.Namespace }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ .Release.Name }}-hook + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-weight": "-1" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +spec: + template: + metadata: + name: {{ .Release.Name }}-hook + spec: +{{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} +{{- end }} +{{- if .Values.tolerations }} + tolerations: + {{- 
toYaml .Values.tolerations | nindent 6 }} +{{- end }} + serviceAccountName: {{ .Release.Name }}-hook + restartPolicy: OnFailure +{{- if .Values.nodeSelector }} + nodeSelector: + {{- toYaml .Values.nodeSelector | nindent 8 }} +{{- end }} + containers: + - name: post-install-job + image: alpine/k8s:1.26.0 + command: + - sh + - "-c" + - | + /bin/sh <<'EOF' + set -eu -o pipefail + # wait until statefulset is ready + kubectl rollout status --watch --timeout=600s statefulset/{{ .Release.Name }} + # delete deployment + kubectl delete deployment/{{ .Release.Name }} + EOF + {{- if .Values.securityContext }} + securityContext: {{- toYaml .Values.securityContext | nindent 10 }} + {{- end }} +{{- end}} diff --git a/teleport-kube-agent/templates/pdb.yaml b/teleport-kube-agent/templates/pdb.yaml new file mode 100644 index 0000000..6b6e17a --- /dev/null +++ b/teleport-kube-agent/templates/pdb.yaml @@ -0,0 +1,21 @@ +{{- if .Values.highAvailability.podDisruptionBudget.enabled }} +{{- if .Capabilities.APIVersions.Has "policy/v1" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ .Release.Name }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Release.Name }} +{{- if .Values.extraLabels.podDisruptionBudget }} + {{- toYaml .Values.extraLabels.podDisruptionBudget | nindent 4 }} +{{- end }} +spec: + minAvailable: {{ .Values.highAvailability.podDisruptionBudget.minAvailable }} + selector: + matchLabels: + app: {{ .Release.Name }} +{{- end }} diff --git a/teleport-kube-agent/templates/podmonitor.yaml b/teleport-kube-agent/templates/podmonitor.yaml new file mode 100644 index 0000000..6bc0ccd --- /dev/null +++ b/teleport-kube-agent/templates/podmonitor.yaml 
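Review bot: The post-upgrade Job at `image: alpine/k8s:1.26.0` pulls a third-party image by mutable tag with no way to set a digest, a private registry or `imagePullSecrets`, while the ServiceAccount it runs under is allowed to delete the release's Deployment; a retagged or unavailable upstream image therefore changes or blocks what runs with that permission. Consider sourcing the image from a chart value (a new key, e.g. `hook.image`) and documenting that it should be pinned, e.g. `image: alpine/k8s:1.26.0@sha256:<DIGEST-PLACEHOLDER>`, and rendering `imagePullSecrets` here as the StatefulSet template does. The Job also sets no `resources` and only inherits a `securityContext` when `.Values.securityContext` is set, so under a restrictive PSA/PSP it runs unconstrained unless the user sets that value — a comment above the container stating this would help operators.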
@@ -0,0 +1,31 @@
+{{- if.Values.podMonitor.enabled -}}
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+ name: {{ .Release.Name }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- with .Values.podMonitor.additionalLabels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ jobLabel: {{ .Release.Name }}
+ namespaceSelector:
+ matchNames:
+ - {{ .Release.Namespace }}
+ selector:
+ matchLabels:
+ app: {{ .Release.Name }}
+ podMetricsEndpoints:
+ - port: diag
+ path: /metrics
+ {{- with .Values.podMonitor.interval }}
+ interval: {{ . | quote }}
+ {{- end }}
+ podTargetLabels:
+ - "app.kubernetes.io/name"
+ - "app.kubernetes.io/instance"
+ - "app.kubernetes.io/component"
+ - "app.kubernetes.io/version"
+ - "teleport.dev/majorVersion"
+{{- end }}
diff --git a/teleport-kube-agent/templates/psp.yaml b/teleport-kube-agent/templates/psp.yaml
new file mode 100644
index 0000000..bdf8b10
--- /dev/null
+++ b/teleport-kube-agent/templates/psp.yaml
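Review bot: `{{- if.Values.podMonitor.enabled -}}` omits the space after `if`; it parses only because `.` terminates the keyword in Go templates, and every other condition in the chart is written `{{- if .Values.… }}`, so it should read `{{- if .Values.podMonitor.enabled -}}`. Separately, `podTargetLabels` lists `app.kubernetes.io/*` and `teleport.dev/majorVersion`, but the StatefulSet pod template in this commit only sets `app:` plus `extraLabels.pod`; unless those labels arrive some other way they will be empty on the scraped series, and a comment saying where they are expected to come from would avoid confusion.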
@@ -0,0 +1,70 @@ +{{/* PSPs are deprecated in 1.22 and removed in 1.25. However Helm doesn't handle their removal properly in 1.25 + We must remove them before 1.25 to ensure the Helm state doesn't corrupt. As this is a breaking change, this + only applies to v12+ charts. v11 and below will only show a warning from the NOTES.txt. + Users must use PSAs instead (beta in 1.23, GA in 1.25). The "teleport-cluster" chart runs in "baseline" mode */}} +{{- if and .Values.podSecurityPolicy.enabled (semverCompare "<1.23.0-0" .Capabilities.KubeVersion.Version) -}} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ .Release.Name }} +{{- if .Values.extraLabels.podSecurityPolicy }} + labels: + {{- toYaml .Values.extraLabels.podSecurityPolicy | nindent 4 }} +{{- end }} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' +spec: + privileged: false + allowPrivilegeEscalation: false + requiredDropCapabilities: + - ALL + seLinux: + rule: RunAsAny + supplementalGroups: + rule: MustRunAs + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + runAsUser: + rule: MustRunAsNonRoot + fsGroup: + rule: MustRunAs + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + readOnlyRootFilesystem: true + volumes: + - '*' + hostNetwork: false + hostIPC: false + hostPID: false +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ .Release.Name }}-psp +rules: +- apiGroups: + - policy + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ .Release.Name }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ .Release.Name }}-psp +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ .Release.Name }}-psp +subjects: +- kind: ServiceAccount + name: {{ template "teleport-kube-agent.serviceAccountName" . }} +{{- end -}} 
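Review bot: `volumes: - '*'` permits every volume type, including `hostPath`, which undoes much of what `privileged: false`, `hostPID: false` and `readOnlyRootFilesystem: true` protect against for any pod bound to this PSP (the `-psp` Role lets the agent's ServiceAccount `use` it). The pods this chart renders appear to need only `configMap`, `secret`, `emptyDir`, `persistentVolumeClaim` and, for the service-account token, `projected`; listing those explicitly and noting in a comment that `extraVolumes` of other types require widening the list would keep the policy meaningful on the pre-1.23 clusters it still targets. values.yaml is not in view, so confirm no default extra volume type is required before narrowing.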
diff --git a/teleport-kube-agent/templates/role.yaml b/teleport-kube-agent/templates/role.yaml
new file mode 100644
index 0000000..9cffd88
--- /dev/null
+++ b/teleport-kube-agent/templates/role.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ .Values.roleName | default .Release.Name }}
+ namespace: {{ .Release.Namespace }}
+{{- if .Values.extraLabels.role }}
+ labels:
+ {{- toYaml .Values.extraLabels.role | nindent 4 }}
+{{- end }}
+rules:
+- apiGroups: [""]
+ # objects is "secrets"
+ resources: ["secrets"]
+ verbs: ["create", "get", "update","patch"]
\ No newline at end of file
diff --git a/teleport-kube-agent/templates/rolebinding.yaml b/teleport-kube-agent/templates/rolebinding.yaml
new file mode 100644
index 0000000..563853e
--- /dev/null
+++ b/teleport-kube-agent/templates/rolebinding.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ .Values.roleBindingName | default .Release.Name }}
+ namespace: {{ .Release.Namespace }}
+{{- if .Values.extraLabels.roleBinding }}
+ labels:
+ {{- toYaml .Values.extraLabels.roleBinding | nindent 4 }}
+{{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ .Values.roleName | default .Release.Name }}
+subjects:
+- kind: ServiceAccount
+ name: {{ template "teleport-kube-agent.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
diff --git a/teleport-kube-agent/templates/secret.yaml b/teleport-kube-agent/templates/secret.yaml
new file mode 100644
index 0000000..0b23ec1
--- /dev/null
+++ b/teleport-kube-agent/templates/secret.yaml
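Review bot: The Role grants `create`, `get`, `update` and `patch` on every Secret in the namespace with no `resourceNames`, and the comment `# objects is "secrets"` does not say why; `get`/`update`/`patch` on arbitrary secrets is effectively read and write access to all credentials co-located in the namespace. If the agent's state secrets have predictable names, the read/write verbs could be split into a second rule scoped by `resourceNames`; if the names are per-replica (the StatefulSet passes `TELEPORT_REPLICA_NAME` and `RELEASE_NAME` to the agent, which suggests so), replace the comment with one stating that the agent stores its state in namespace Secrets and that the chart should therefore be installed in a dedicated namespace. The file also lacks a trailing newline (`\ No newline at end of file`) and spaces `"update","patch"` inconsistently with the chart's other flow sequences.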
@@ -0,0 +1,19 @@
+{{- if .Values.joinTokenSecret.create }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ coalesce .Values.secretName .Values.joinTokenSecret.name }}
+ namespace: {{ .Release.Namespace }}
+{{- if .Values.extraLabels.secret }}
+ labels:
+ {{- toYaml .Values.extraLabels.secret | nindent 4 }}
+{{- end }}
+{{- if .Values.annotations.secret }}
+ annotations:
+ {{- toYaml .Values.annotations.secret | nindent 4 }}
+{{- end }}
+type: Opaque
+stringData:
+ auth-token: |
+ {{ coalesce .Values.joinParams.tokenName .Values.authToken }}
+{{- end}}
diff --git a/teleport-kube-agent/templates/serviceaccount.yaml b/teleport-kube-agent/templates/serviceaccount.yaml
new file mode 100644
index 0000000..f75d202
--- /dev/null
+++ b/teleport-kube-agent/templates/serviceaccount.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "teleport-kube-agent.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- if .Values.extraLabels.serviceAccount }}
+ labels:
+ {{- toYaml .Values.extraLabels.serviceAccount | nindent 4 }}
+{{- end }}
+{{- if .Values.annotations.serviceAccount }}
+ annotations:
+{{- toYaml .Values.annotations.serviceAccount | nindent 4 }}
+{{- end -}}
+{{- end -}}
diff --git a/teleport-kube-agent/templates/statefulset.yaml b/teleport-kube-agent/templates/statefulset.yaml
new file mode 100644
index 0000000..4f31010
--- /dev/null
+++ b/teleport-kube-agent/templates/statefulset.yaml
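Review bot: `stringData: auth-token: |` renders the join token from `.Values.joinParams.tokenName`/`.Values.authToken` into the release manifest, so with `joinTokenSecret.create` enabled the token is also persisted in Helm's release-history Secrets and visible via `helm get values`/`helm get manifest`, not only in this Secret object. A template comment above `stringData:` should state that and point users who manage the token out-of-band to `joinTokenSecret.create: false` with `secretName`/`joinTokenSecret.name` naming the pre-created Secret. Note also that `|` keeps a trailing newline on the token file at `/etc/teleport-secrets/auth-token`; if the agent does not trim it, `|-` is the intended scalar.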
@@ -0,0 +1,239 @@ +# +# Warning to maintainers, any changes to this file that are not specific to the StatefulSet need to also be duplicated +# in the deployment.yaml file. +# +{{- $replicaCount := (coalesce .Values.replicaCount .Values.highAvailability.replicaCount "1") }} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ .Release.Name }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Release.Name }} + {{- if .Values.extraLabels.deployment }} + {{- toYaml .Values.extraLabels.deployment | nindent 4 }} + {{- end }} +spec: + serviceName: {{ .Release.Name }} + replicas: {{ $replicaCount }} + selector: + matchLabels: + app: {{ .Release.Name }} + template: + metadata: + annotations: + # ConfigMap checksum, to recreate the pod on config changes. + checksum/config: {{ include (print $.Template.BasePath "/config.yaml") . | sha256sum }} +{{- if .Values.annotations.pod }} + {{- toYaml .Values.annotations.pod | nindent 8 }} +{{- end }} + labels: + app: {{ .Release.Name }} +{{- if .Values.extraLabels.pod }} + {{- toYaml .Values.extraLabels.pod | nindent 8 }} +{{- end }} + spec: + {{- if .Values.dnsConfig }} + dnsConfig: {{- toYaml .Values.dnsConfig | nindent 8 }} + {{- end }} + {{- if .Values.dnsPolicy }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- end }} + {{- if .Values.hostAliases }} + hostAliases: {{- toYaml .Values.hostAliases | nindent 8 }} + {{- end }} + securityContext: + fsGroup: 9807 + {{- if or .Values.affinity (gt (int $replicaCount) 1) }} + affinity: + {{- if .Values.affinity }} + {{- if .Values.highAvailability.requireAntiAffinity }} + {{- fail "Cannot use highAvailability.requireAntiAffinity when affinity is also set in chart values - unset one or the other" }} + {{- end }} + {{- toYaml .Values.affinity | nindent 8 }} + {{- else }} + podAntiAffinity: + {{- if .Values.highAvailability.requireAntiAffinity }} + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: 
+ - {{ .Release.Name }} + topologyKey: "kubernetes.io/hostname" + {{- else if gt (int $replicaCount) 1 }} + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 50 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - {{ .Release.Name }} + topologyKey: "kubernetes.io/hostname" + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: + {{- toYaml .Values.tolerations | nindent 6 }} + {{- end }} +{{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml .Values.imagePullSecrets | nindent 6 }} +{{- end }} +{{- if .Values.initContainers }} + initContainers: {{- toYaml .Values.initContainers | nindent 6 }} + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if .Values.initSecurityContext }} + securityContext: {{- toYaml .Values.initSecurityContext | nindent 10 }} + {{- end }} + volumeMounts: + - mountPath: /etc/teleport + name: "config" + readOnly: true + - mountPath: /etc/teleport-secrets + name: "auth-token" + readOnly: true + - mountPath: /var/lib/teleport + name: "{{ .Release.Name }}-teleport-data" + {{- if .Values.tls.existingCASecretName }} + - mountPath: /etc/teleport-tls-ca + name: "teleport-tls-ca" + readOnly: true + {{- end }} + {{- if .Values.extraVolumeMounts }} + {{- toYaml .Values.extraVolumeMounts | nindent 8 }} + {{- end }} +{{- end }} +{{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} +{{- end }} + serviceAccountName: {{ template "teleport-kube-agent.serviceAccountName" . }} + {{- if .Values.nodeSelector }} + nodeSelector: + {{- toYaml .Values.nodeSelector | nindent 8 }} + {{- end }} + containers: + - name: "teleport" + image: {{ include "teleport-kube-agent.image" . | quote }} + {{- if .Values.imagePullPolicy }} + imagePullPolicy: {{ toYaml .Values.imagePullPolicy }} + {{- end }} + env: + # This variable is set for telemetry purposes. 
+ # Telemetry is opt-in and controlled at the auth level. + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: {{ .Release.Name }} + {{- if .Values.updater.enabled }} + - name: TELEPORT_EXT_UPGRADER + value: kube + {{- end }} + {{- if .Values.tls.existingCASecretName }} + - name: SSL_CERT_FILE + value: /etc/teleport-tls-ca/ca.pem + {{- end }} + {{- if .Values.extraEnv }} + {{- toYaml .Values.extraEnv | nindent 10 }} + {{- end }} + args: + - "--diag-addr=0.0.0.0:3000" + {{- if .Values.insecureSkipProxyTLSVerify }} + - "--insecure" + {{- end }} + {{- if .Values.extraArgs }} + {{- toYaml .Values.extraArgs | nindent 8 }} + {{- end }} + {{- if .Values.securityContext }} + securityContext: {{- toYaml .Values.securityContext | nindent 10 }} + {{- end }} + ports: + - name: diag + containerPort: 3000 + protocol: TCP + livenessProbe: + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 # wait 5s for agent to start + periodSeconds: 5 # poll health every 5s + failureThreshold: 6 # consider agent unhealthy after 30s (6 * 5s) + timeoutSeconds: {{ .Values.probeTimeoutSeconds }} + readinessProbe: + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 # wait 5s for agent to register + periodSeconds: 5 # poll health every 5s + failureThreshold: 12 # consider agent unhealthy after 60s (12 * 5s) + timeoutSeconds: {{ .Values.probeTimeoutSeconds }} +{{- if .Values.resources }} + resources: + {{- toYaml .Values.resources | nindent 10 }} +{{- end }} + volumeMounts: + - mountPath: /etc/teleport + name: "config" + readOnly: true + - mountPath: /etc/teleport-secrets + name: "auth-token" + readOnly: true +{{- if .Values.storage.enabled }} + - mountPath: /var/lib/teleport + name: "{{ .Release.Name }}-teleport-data" +{{- else }} + - mountPath: /var/lib/teleport + 
name: "data" +{{- end }} +{{- if .Values.tls.existingCASecretName }} + - mountPath: /etc/teleport-tls-ca + name: "teleport-tls-ca" + readOnly: true +{{- end }} +{{- if .Values.extraVolumeMounts }} + {{- toYaml .Values.extraVolumeMounts | nindent 8 }} +{{- end }} + volumes: + - name: "config" + configMap: + name: {{ .Release.Name }} + - name: "auth-token" + secret: + secretName: {{ coalesce .Values.secretName .Values.joinTokenSecret.name }} +{{- if not .Values.storage.enabled }} + - name: "data" + emptyDir: {} +{{- end}} +{{- if .Values.tls.existingCASecretName }} + - name: "teleport-tls-ca" + secret: + secretName: {{ .Values.tls.existingCASecretName }} +{{- end }} +{{- if .Values.extraVolumes }} + {{- toYaml .Values.extraVolumes | nindent 6 }} +{{- end }} +{{- if and .Values.storage.enabled }} + volumeClaimTemplates: + - metadata: + name: "{{ .Release.Name }}-teleport-data" + spec: + accessModes: [ "ReadWriteOnce" ] + storageClassName: {{ .Values.storage.storageClassName }} + resources: + requests: + storage: {{ .Values.storage.requests }} +{{- end }} diff --git a/teleport-kube-agent/templates/updater/_helpers.tpl b/teleport-kube-agent/templates/updater/_helpers.tpl new file mode 100644 index 0000000..59fb0c2 --- /dev/null +++ b/teleport-kube-agent/templates/updater/_helpers.tpl @@ -0,0 +1,7 @@ +{{/* +Create the name of the service account to use +if serviceAccount is not defined or serviceAccount.name is empty, use .Release.Name +*/}} +{{- define "teleport-kube-agent-updater.serviceAccountName" -}} +{{- coalesce .Values.updater.serviceAccount.name (include "teleport-kube-agent.serviceAccountName" . | printf "%s-updater") -}} +{{- end -}} diff --git a/teleport-kube-agent/templates/updater/deployment.yaml b/teleport-kube-agent/templates/updater/deployment.yaml new file mode 100644 index 0000000..b214d3f --- /dev/null +++ b/teleport-kube-agent/templates/updater/deployment.yaml 
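Review bot: When `.Values.initContainers` is set and `.Values.storage.enabled` is false, the init container's `/var/lib/teleport` mount references `"{{ .Release.Name }}-teleport-data"` unconditionally, but that volume only exists as a `volumeClaimTemplates` entry under `storage.enabled`; the non-persistent path declares `- name: "data"` instead, so the rendered pod spec names an undefined volume and the API server rejects it. The main container already branches on `storage.enabled` for the same mount, and the init container should too, e.g. `name: {{ ternary (printf "%s-teleport-data" .Release.Name) "data" .Values.storage.enabled | quote }}`. Less certainly (indentation is lost in this view), the `resources`, `securityContext` and `volumeMounts` appended after `toYaml .Values.initContainers` attach only to the last item of the user-supplied list, which deserves a comment or a range loop. `{{- if and .Values.storage.enabled }}` before `volumeClaimTemplates` is a plain `if` written with a one-argument `and`.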
@@ -0,0 +1,113 @@ +{{- if .Values.updater.enabled -}} +{{- $updater := mustMergeOverwrite (mustDeepCopy .Values) .Values.updater -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ .Release.Name }}-updater + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Release.Name }}-updater +{{- if $updater.extraLabels.deployment }} + {{- toYaml $updater.extraLabels.deployment | nindent 4 }} +{{- end }} +{{- if $updater.annotations.deployment }} + annotations: {{- toYaml $updater.annotations.deployment | nindent 4 }} +{{- end }} +spec: + replicas: 1 + selector: + matchLabels: + app: {{ .Release.Name }}-updater + template: + metadata: + annotations: +{{- if $updater.annotations.pod }} + {{- toYaml $updater.annotations.pod | nindent 8 }} +{{- end }} + labels: + app: {{ .Release.Name }}-updater +{{- if $updater.extraLabels.pod }} + {{- toYaml $updater.extraLabels.pod | nindent 8 }} +{{- end }} + spec: +{{- if $updater.affinity }} + affinity: {{- toYaml $updater.affinity | nindent 8 }} +{{- end }} +{{- if $updater.tolerations }} + tolerations: {{- toYaml $updater.tolerations | nindent 8 }} +{{- end }} +{{- if $updater.imagePullSecrets }} + imagePullSecrets: {{- toYaml $updater.imagePullSecrets | nindent 8 }} +{{- end }} +{{- if $updater.nodeSelector }} + nodeSelector: {{- toYaml $updater.nodeSelector | nindent 8 }} +{{- end }} + containers: + - name: "kube-agent-updater" + image: "{{ $updater.image }}:{{ include "teleport-kube-agent.version" . }}" +{{- if $updater.imagePullPolicy }} + imagePullPolicy: {{ toYaml $updater.imagePullPolicy }} +{{- end }} +{{- if or $updater.extraEnv $updater.tls.existingCASecretName }} + env: + {{- if (gt (len $updater.extraEnv) 0) }} + {{- toYaml $updater.extraEnv | nindent 8 }} + {{- end }} + {{- if $updater.tls.existingCASecretName }} + - name: SSL_CERT_FILE + value: /etc/teleport-tls-ca/ca.pem + # Used to track whether a Teleport agent was installed using this method. 
+ - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: true + {{- end }} +{{- end }} + args: + - "--agent-name={{ .Release.Name }}" + - "--agent-namespace={{ .Release.Namespace }}" + - "--base-image={{ include "teleport-kube-agent.baseImage" . }}" + - "--version-server={{ $updater.versionServer }}" + - "--version-channel={{ $updater.releaseChannel }}" +{{- if $updater.securityContext }} + securityContext: {{- toYaml $updater.securityContext | nindent 10 }} +{{- end }} + ports: + - name: metrics + containerPort: 8080 + protocol: TCP + - name: healthz + containerPort: 8081 + protocol: TCP + livenessProbe: + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 5 + periodSeconds: 5 + failureThreshold: 6 # consider agent unhealthy after 30s (6 * 5s) + timeoutSeconds: 5 + readinessProbe: + httpGet: + path: /readyz + port: healthz + initialDelaySeconds: 5 + periodSeconds: 5 + failureThreshold: 6 # consider unready after 30s + timeoutSeconds: 5 +{{- if $updater.resources }} + resources: {{- toYaml $updater.resources | nindent 10 }} +{{- end }} +{{- if $updater.tls.existingCASecretName }} + volumeMounts: + - mountPath: /etc/teleport-tls-ca + name: "teleport-tls-ca" + readOnly: true + volumes: + - name: "teleport-tls-ca" + secret: + secretName: {{ $updater.tls.existingCASecretName }} +{{- end }} +{{- if $updater.priorityClassName }} + priorityClassName: {{ $updater.priorityClassName }} +{{- end }} + serviceAccountName: {{ template "teleport-kube-agent-updater.serviceAccountName" . }} +{{- end -}} diff --git a/teleport-kube-agent/templates/updater/role.yaml b/teleport-kube-agent/templates/updater/role.yaml new file mode 100644 index 0000000..1260847 --- /dev/null +++ b/teleport-kube-agent/templates/updater/role.yaml 
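Review bot: `value: true` for `TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT` is an unquoted YAML boolean, but `EnvVar.value` is a string, so the rendered updater Deployment fails API validation whenever `tls.existingCASecretName` is set; the StatefulSet writes the same variable as `value: "true"`. The pair is also nested inside `{{- if $updater.tls.existingCASecretName }}`, so the telemetry marker is only set on updaters that use a custom CA, which looks unintended; move the two lines above that conditional and either widen the `env:` guard (`{{- if or $updater.extraEnv $updater.tls.existingCASecretName }}`) or drop it, since the variable would then always be present.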
@@ -0,0 +1,95 @@ +{{- if .Values.updater.enabled -}} +{{- $updater := mustMergeOverwrite (mustDeepCopy .Values) .Values.updater -}} +{{- if $updater.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ .Release.Name }}-updater + namespace: {{ .Release.Namespace }} +{{- if $updater.extraLabels.role }} + labels: {{- toYaml $updater.extraLabels.role | nindent 4 }} +{{- end }} +rules: +# the updater needs to list pods to check their health +# it also needs to delete pods to unstuck Statefulset rollouts +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - watch + - list + - delete +- apiGroups: + - "" + resources: + - pods/status + verbs: + - get + - watch + - list +# the updater needs to get the secret created by the agent containing the +# maintenance window +- apiGroups: + - "" + resources: + - secrets + verbs: + - watch + - list +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + resourceNames: + - {{ .Release.Name }}-shared-state +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +# the controller in the updater must be able to watch deployments and +# statefulsets and get the one it should reconcile +- apiGroups: + - "apps" + resources: + - deployments + - statefulsets + - deployments/status + - statefulsets/status + verbs: + - get + - watch + - list +# However the updater should only update the agent it is watching +- apiGroups: + - "apps" + resources: + - deployments + - statefulsets + verbs: + - update + resourceNames: + - {{ .Release.Name }} +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create +- apiGroups: + - coordination.k8s.io + resourceNames: + - {{ .Release.Name }} + resources: + - leases + verbs: + - get + - update +{{- end -}} +{{- end -}} diff --git a/teleport-kube-agent/templates/updater/rolebinding.yaml b/teleport-kube-agent/templates/updater/rolebinding.yaml new file mode 100644 index 0000000..6cacc3d --- /dev/null 
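Review bot: The rule granting `watch` and `list` on `secrets` carries no `resourceNames`, and `list` returns full Secret bodies, so the `get` rule's scoping to `{{ .Release.Name }}-shared-state` is moot: the updater's ServiceAccount can read every Secret in the namespace. Kubernetes honours `resourceNames` on `list`/`watch` only when the request carries a `metadata.name` field selector, so either add `resourceNames: - {{ .Release.Name }}-shared-state` to that rule and confirm the updater's informer sets the matching field selector, or, if it cannot, change the comment `# the updater needs to get the secret created by the agent containing the maintenance window` to state that namespace-wide Secret read is granted and why. The `delete` verb on all `pods` is explained by its comment but is likewise namespace-wide; the same comment should say the chart assumes a dedicated namespace.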
+++ b/teleport-kube-agent/templates/updater/rolebinding.yaml
@@ -0,0 +1,22 @@
+{{- if .Values.updater.enabled -}}
+{{- $updater := mustMergeOverwrite (mustDeepCopy .Values) .Values.updater -}}
+{{- if $updater.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ .Release.Name }}-updater
+ namespace: {{ .Release.Namespace }}
+{{- if $updater.extraLabels.roleBinding }}
+ labels:
+ {{- toYaml $updater.extraLabels.roleBinding | nindent 4 }}
+{{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ .Release.Name }}-updater
+subjects:
+- kind: ServiceAccount
+ name: {{ template "teleport-kube-agent-updater.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end -}}
+{{- end -}}
diff --git a/teleport-kube-agent/templates/updater/serviceaccount.yaml b/teleport-kube-agent/templates/updater/serviceaccount.yaml
new file mode 100644
index 0000000..2382e3d
--- /dev/null
+++ b/teleport-kube-agent/templates/updater/serviceaccount.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.updater.enabled -}}
+{{- $updater := mustMergeOverwrite (mustDeepCopy .Values) .Values.updater -}}
+{{- if $updater.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "teleport-kube-agent-updater.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- if $updater.extraLabels.serviceAccount }}
+ labels: {{- toYaml $updater.extraLabels.serviceAccount | nindent 4 }}
+{{- end }}
+{{- if $updater.annotations.serviceAccount }}
+ annotations: {{- toYaml $updater.annotations.serviceAccount | nindent 4 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/teleport-kube-agent/tests/README.md b/teleport-kube-agent/tests/README.md
new file mode 100644
index 0000000..d81e659
--- /dev/null
+++ b/teleport-kube-agent/tests/README.md
@@ -0,0 +1,23 @@ +## Unit tests for Helm charts + +Helm chart unit tests run here using the [helm-unittest](https://github.com/quintush/helm-unittest/) Helm plugin. + +*Note: there are multiple forks for the helm-unittest plugin. +They are not compatible and don't provide the same featureset (e.g. including templates from sub-directories). +Our tests rely on features and bugfixes that are only available on the quintush fork +(which seems to be the most maintained at the time of writing)* + +If you get a snapshot error during your testing, you should verify that your changes intended to alter the output, then run +this command from the root of your Teleport checkout to update the snapshots: + +```bash +make -C build.assets test-helm-update-snapshots +``` + +After this, re-run the tests to make sure everything is fine: + +```bash +make -C build.assets test-helm +``` + +Commit the updated snapshots along with your changes. diff --git a/teleport-kube-agent/tests/__snapshot__/admin_clusterrolebinding_test.yaml.snap b/teleport-kube-agent/tests/__snapshot__/admin_clusterrolebinding_test.yaml.snap new file mode 100644 index 0000000..4becab4 --- /dev/null +++ b/teleport-kube-agent/tests/__snapshot__/admin_clusterrolebinding_test.yaml.snap 
@@ -0,0 +1,28 @@ +generate a admin cluster role binding when adminClusterRoleBinding.create is true: + 1: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: admin-k8s-cluster-group + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: cluster-admin +generate a admin cluster role binding when adminClusterRoleBinding.create is true and adminClusterRoleBinding.name is set: + 1: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: admin-k8s-cluster-group + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: my-cluster-admin diff --git a/teleport-kube-agent/tests/__snapshot__/clusterrole_test.yaml.snap b/teleport-kube-agent/tests/__snapshot__/clusterrole_test.yaml.snap new file mode 100644 index 0000000..708bc3e --- /dev/null +++ b/teleport-kube-agent/tests/__snapshot__/clusterrole_test.yaml.snap 
@@ -0,0 +1,57 @@ +creates a ClusterRole: + 1: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: RELEASE-NAME + rules: + - apiGroups: + - "" + resources: + - users + - groups + - serviceaccounts + verbs: + - impersonate + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - apiGroups: + - authorization.k8s.io + resources: + - selfsubjectaccessreviews + verbs: + - create +sets ClusterRole labels when specified: + 1: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + labels: + app.kubernetes.io/name: teleport-kube-agent + resource: clusterrole + name: RELEASE-NAME + rules: + - apiGroups: + - "" + resources: + - users + - groups + - serviceaccounts + verbs: + - impersonate + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - apiGroups: + - authorization.k8s.io + resources: + - selfsubjectaccessreviews + verbs: + - create diff --git a/teleport-kube-agent/tests/__snapshot__/clusterrolebinding_test.yaml.snap b/teleport-kube-agent/tests/__snapshot__/clusterrolebinding_test.yaml.snap new file mode 100644 index 0000000..8780c90 --- /dev/null +++ b/teleport-kube-agent/tests/__snapshot__/clusterrolebinding_test.yaml.snap @@ -0,0 +1,31 @@ +creates a ClusterRoleBinding: + 1: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: RELEASE-NAME + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: RELEASE-NAME + subjects: + - kind: ServiceAccount + name: RELEASE-NAME + namespace: NAMESPACE +sets ClusterRoleBinding labels when specified: + 1: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + labels: + app.kubernetes.io/name: teleport-kube-agent + resource: clusterrolebinding + name: RELEASE-NAME + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: RELEASE-NAME + subjects: + - kind: ServiceAccount + name: RELEASE-NAME + namespace: NAMESPACE 
diff --git a/teleport-kube-agent/tests/__snapshot__/config_test.yaml.snap b/teleport-kube-agent/tests/__snapshot__/config_test.yaml.snap new file mode 100644 index 0000000..3585d3b --- /dev/null +++ b/teleport-kube-agent/tests/__snapshot__/config_test.yaml.snap 
@@ -0,0 +1,1130 @@ +does not generate a config for clusterrole.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +does not generate a config for pdb.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster-name + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot and tests for annotations.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + 
version: v3 + kind: ConfigMap + metadata: + annotations: + kubernetes.io/config: test-annotation + kubernetes.io/config-different: 2 + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot and tests for extra-labels.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + labels: + app.kubernetes.io/name: teleport-kube-agent + resource: config + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for affinity.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for all-v6.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + apps: + - labels: + environment: test + name: grafana + uri: http://localhost:3000 + enabled: true + auth_service: + enabled: false + db_service: + databases: + - labels: + database: staging + name: aurora + protocol: postgres + uri: 
postgres-aurora-instance-1.xxx.us-east-1.rds.amazonaws.com:5432 + enabled: true + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster-name + labels: + cluster: testing + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + annotations: + kubernetes.io/config: test-annotation + kubernetes.io/config-different: 2 + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for aws-databases.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + aws: + - regions: + - us-east-1 + tags: + '*': '*' + types: + - rds + - regions: + - us-west-2 + tags: + env: development + types: + - rds + enabled: true + kubernetes_service: + enabled: false + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for azure-databases.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + azure: + - tags: + '*': '*' + types: + - mysql + - postgres + - regions: + - eastus + - centralus + resource_groups: + - group1 + - group2 + subscriptions: + - subID1 + - subID2 + tags: + env: + - dev + - staging + origin: alice + types: + - mysql + enabled: true + kubernetes_service: + enabled: false + proxy_service: + enabled: false + 
ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for backwards-compatibility.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster-name + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for ca-pin.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + ca_pin: + - sha256:7e12c17c20d9cb504bbcb3f0236be3f446861f1396dcbb44425fe28ec1c108f1 + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for db.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + 
databases: + - labels: + database: staging + name: aurora + protocol: postgres + uri: postgres-aurora-instance-1.xxx.us-east-1.rds.amazonaws.com:5432 + enabled: true + kubernetes_service: + enabled: false + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for dynamic-app.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: true + resources: + - labels: + '*': '*' + auth_service: + enabled: false + db_service: + enabled: false + kubernetes_service: + enabled: false + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for dynamic-db.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: true + resources: + - labels: + '*': '*' + kubernetes_service: + enabled: false + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for 
imagepullsecrets.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for initcontainers.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for join-params-iam.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster-name + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: iam + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: 
RELEASE-NAME + namespace: NAMESPACE +matches snapshot for join-params-token.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster-name + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for log-basic.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster-name + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: json + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for log-extra.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster-name + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - level + - timestamp + - component + - caller + output: json + output: /var/lib/teleport/test.log + severity: DEBUG + proxy_server: 
proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for log-legacy.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster-name + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: DEBUG + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for node-selector.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster-name + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for pdb.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster-name + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - level + - timestamp + - component + - caller + output: json + 
output: /var/lib/teleport/test.log + severity: DEBUG + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for resources.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for stateful.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster-name + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for tolerations.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - 
timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for v10.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster-name + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_servers: + - proxy.example.com:3080 + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for v11.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster-name + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for volumes.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + 
extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE diff --git a/teleport-kube-agent/tests/__snapshot__/deployment_test.yaml.snap b/teleport-kube-agent/tests/__snapshot__/deployment_test.yaml.snap new file mode 100644 index 0000000..1dd13be --- /dev/null +++ b/teleport-kube-agent/tests/__snapshot__/deployment_test.yaml.snap 
@@ -0,0 +1,1950 @@ +sets Deployment annotations when specified if action is Upgrade: + 1: | + apiVersion: apps/v1 + kind: Deployment + metadata: + annotations: + kubernetes.io/deployment: test-annotation + kubernetes.io/deployment-different: 3 + labels: + app: RELEASE-NAME + name: RELEASE-NAME + namespace: NAMESPACE + spec: + replicas: 1 + selector: + matchLabels: + app: RELEASE-NAME + template: + metadata: + annotations: + checksum/config: 80088923d2d7ce4344db0f2174d29d7cfb2d599424adfabf6f6818a9434794ca + kubernetes.io/pod: test-annotation + kubernetes.io/pod-different: 4 + labels: + app: RELEASE-NAME + spec: + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data +sets Deployment labels when specified if action is Upgrade: + 1: | + replicas: 1 + selector: + matchLabels: + app: RELEASE-NAME + template: + metadata: + annotations: + checksum/config: 
db49feab9b174f73188febc30d2b01d27b16e5a76b586c6e87e6e62eb43620a2 + labels: + app: RELEASE-NAME + app.kubernetes.io/name: teleport-kube-agent + resource: pod + spec: + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data +sets Pod annotations when specified if action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + 
allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data +sets Pod labels when specified if action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data +sets by default a container security context if action is Upgrade: + 1: | + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + 2: | + allowPrivilegeEscalation: false + 
capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 +should add emptyDir for data when existingDataVolume is not set if action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data +should add insecureSkipProxyTLSVerify to args when set in values if action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + - --insecure + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 
5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data +should correctly configure existingDataVolume when set if action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: teleport-kube-agent-data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +should expose diag port if action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + 
image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data +should have multiple replicas when replicaCount is set (using .replicaCount, deprecated) if action is Upgrade: + 1: | + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - RELEASE-NAME + topologyKey: kubernetes.io/hostname + weight: 50 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + 
allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data +should have multiple replicas when replicaCount is set (using highAvailability.replicaCount) if action is Upgrade: + 1: | + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - RELEASE-NAME + topologyKey: kubernetes.io/hostname + weight: 50 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: 
teleport-kube-agent-join-token + - emptyDir: {} + name: data +should have one replica when replicaCount is not set if action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data +should mount extraVolumes and extraVolumeMounts if action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + 
allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + - mountPath: /path/to/mount + name: my-mount + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data + - name: my-mount + secret: + secretName: mySecret +should mount tls.existingCASecretName and set environment when set in values if action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: SSL_CERT_FILE + value: /etc/teleport-tls-ca/ca.pem + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + - mountPath: /etc/teleport-tls-ca + name: teleport-tls-ca + readOnly: true + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - 
emptyDir: {} + name: data + - name: teleport-tls-ca + secret: + secretName: helm-lint-existing-tls-secret-ca +should mount tls.existingCASecretName and set extra environment when set in values if action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: HTTPS_PROXY + value: http://username:password@my.proxy.host:3128 + - name: SSL_CERT_FILE + value: /etc/teleport-tls-ca/ca.pem + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + - mountPath: /etc/teleport-tls-ca + name: teleport-tls-ca + readOnly: true + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data + - name: teleport-tls-ca + secret: + secretName: helm-lint-existing-tls-secret-ca +should provision initContainer correctly when set in values if action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + 
failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + resources: + limits: + cpu: 2 + memory: 4Gi + requests: + cpu: 1 + memory: 2Gi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + initContainers: + - args: + - echo test + image: alpine + name: teleport-init + resources: + limits: + cpu: 2 + memory: 4Gi + requests: + cpu: 1 + memory: 2Gi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data +should set SecurityContext if action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP 
+ readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data +should set affinity when set in values if action is Upgrade: + 1: | + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: gravitational.io/dedicated + operator: In + values: + - teleport + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - teleport + topologyKey: kubernetes.io/hostname + weight: 1 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + 
readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data +should set default serviceAccountName when not set in values if action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data +should set dnsConfig when set in values if action is Upgrade: + 1: | + nameservers: + - 1.2.3.4 + options: + - name: ndots + value: "2" + - name: edns0 + searches: + - ns1.svc.cluster-domain.example + - my.dns.search.suffix +should set environment when extraEnv set in values if action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: 
"true" + - name: HTTPS_PROXY + value: http://username:password@my.proxy.host:3128 + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data +should set image and tag correctly if action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:12.2.1 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - 
mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data +should set imagePullPolicy when set in values if action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: Always + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data +should set nodeSelector if set in values if action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + 
- containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + nodeSelector: + gravitational.io/k8s-role: node + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data +should set not set priorityClassName when not set in values if action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: 
teleport-kube-agent-join-token + - emptyDir: {} + name: data +should set preferred affinity when more than one replica is used if action is Upgrade: + 1: | + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - RELEASE-NAME + topologyKey: kubernetes.io/hostname + weight: 50 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data +should set priorityClassName when set in values if action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: 
teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + priorityClassName: teleport-kube-agent + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data +should set probeTimeoutSeconds when set in values if action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: 
teleport-kube-agent-join-token + - emptyDir: {} + name: data +should set required affinity when highAvailability.requireAntiAffinity is set if action is Upgrade: + 1: | + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - RELEASE-NAME + topologyKey: kubernetes.io/hostname + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data +should set resources when set in values if action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - 
containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + resources: + limits: + cpu: 2 + memory: 4Gi + requests: + cpu: 1 + memory: 2Gi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data +should set serviceAccountName when set in values if action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: teleport-kube-agent-sa + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + 
secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data +should set tolerations when set in values if action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + tolerations: + - effect: NoExecute + key: dedicated + operator: Equal + value: teleport + - effect: NoSchedule + key: dedicated + operator: Equal + value: teleport + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data diff --git a/teleport-kube-agent/tests/__snapshot__/job_test.yaml.snap b/teleport-kube-agent/tests/__snapshot__/job_test.yaml.snap new file mode 100644 index 0000000..cff8b14 --- /dev/null +++ b/teleport-kube-agent/tests/__snapshot__/job_test.yaml.snap 
@@ -0,0 +1,205 @@ +should create ServiceAccount for post-delete hook by default: + 1: | + apiVersion: v1 + kind: ServiceAccount + metadata: + annotations: + helm.sh/hook: post-delete + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + helm.sh/hook-weight: "-4" + name: RELEASE-NAME-delete-hook + namespace: NAMESPACE +? should inherit ServiceAccount name from values and not create serviceAccount if + serviceAccount.create is false and serviceAccount.name is set +: 1: | + containers: + - args: + - kube-state + - delete + command: + - teleport + env: + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + name: post-delete-job + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + restartPolicy: OnFailure + serviceAccountName: lint-serviceaccount +should not create ServiceAccount for post-delete hook if serviceAccount.create is false: + 1: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + annotations: + helm.sh/hook: post-delete + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + helm.sh/hook-weight: "-3" + name: RELEASE-NAME-delete-hook + namespace: NAMESPACE + rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - delete + - list + 2: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + annotations: + helm.sh/hook: post-delete + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + helm.sh/hook-weight: "-2" + name: RELEASE-NAME-delete-hook + namespace: NAMESPACE + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: RELEASE-NAME-delete-hook + subjects: + - kind: ServiceAccount + name: RELEASE-NAME-delete-hook + namespace: NAMESPACE + 3: | + apiVersion: batch/v1 + kind: Job + 
metadata: + annotations: + helm.sh/hook: post-delete + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + helm.sh/hook-weight: "-1" + name: RELEASE-NAME-delete-hook + namespace: NAMESPACE + spec: + template: + metadata: + name: RELEASE-NAME-delete-hook + spec: + containers: + - args: + - kube-state + - delete + command: + - teleport + env: + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + name: post-delete-job + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + restartPolicy: OnFailure + serviceAccountName: lint-serviceaccount +should not create ServiceAccount, Role or RoleBinding for post-delete hook if serviceAccount.create and rbac.create are false: + 1: | + containers: + - args: + - kube-state + - delete + command: + - teleport + env: + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + name: post-delete-job + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + restartPolicy: OnFailure + serviceAccountName: lint-serviceaccount +should set nodeSelector in post-delete hook: + 1: | + containers: + - args: + - kube-state + - delete + command: + - teleport + env: + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + name: post-delete-job + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + 
readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + nodeSelector: + gravitational.io/k8s-role: node + restartPolicy: OnFailure + serviceAccountName: RELEASE-NAME-delete-hook +should set securityContext in post-delete hook: + 1: | + containers: + - args: + - kube-state + - delete + command: + - teleport + env: + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + name: post-delete-job + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + restartPolicy: OnFailure + serviceAccountName: RELEASE-NAME-delete-hook diff --git a/teleport-kube-agent/tests/__snapshot__/pdb_test.yaml.snap b/teleport-kube-agent/tests/__snapshot__/pdb_test.yaml.snap new file mode 100644 index 0000000..7103d98 --- /dev/null +++ b/teleport-kube-agent/tests/__snapshot__/pdb_test.yaml.snap @@ -0,0 +1,30 @@ +sets PodDisruptionBudget labels when specified: + 1: | + apiVersion: policy/v1beta1 + kind: PodDisruptionBudget + metadata: + labels: + app: RELEASE-NAME + app.kubernetes.io/name: teleport-kube-agent + resource: poddisruptionbudget + name: RELEASE-NAME + namespace: NAMESPACE + spec: + minAvailable: 2 + selector: + matchLabels: + app: RELEASE-NAME +should create a PDB when enabled in values (pdb.yaml): + 1: | + apiVersion: policy/v1beta1 + kind: PodDisruptionBudget + metadata: + labels: + app: RELEASE-NAME + name: RELEASE-NAME + namespace: NAMESPACE + spec: + minAvailable: 2 + selector: + matchLabels: + app: RELEASE-NAME diff --git a/teleport-kube-agent/tests/__snapshot__/psp_test.yaml.snap b/teleport-kube-agent/tests/__snapshot__/psp_test.yaml.snap new file mode 100644 index 0000000..9432715 --- /dev/null +++ b/teleport-kube-agent/tests/__snapshot__/psp_test.yaml.snap 
@@ -0,0 +1,123 @@ +creates a PodSecurityPolicy when enabled in values and supported: + 1: | + apiVersion: policy/v1beta1 + kind: PodSecurityPolicy + metadata: + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default + seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default + name: RELEASE-NAME + spec: + allowPrivilegeEscalation: false + fsGroup: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + hostIPC: false + hostNetwork: false + hostPID: false + privileged: false + readOnlyRootFilesystem: true + requiredDropCapabilities: + - ALL + runAsUser: + rule: MustRunAsNonRoot + seLinux: + rule: RunAsAny + supplementalGroups: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + volumes: + - '*' + 2: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + name: RELEASE-NAME-psp + rules: + - apiGroups: + - policy + resourceNames: + - RELEASE-NAME + resources: + - podsecuritypolicies + verbs: + - use + 3: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: RELEASE-NAME-psp + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: RELEASE-NAME-psp + subjects: + - kind: ServiceAccount + name: RELEASE-NAME +sets PodSecurityPolicy labels when specified: + 1: | + apiVersion: policy/v1beta1 + kind: PodSecurityPolicy + metadata: + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default + seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default + labels: + app.kubernetes.io/name: teleport-kube-agent + resource: podsecuritypolicy + name: RELEASE-NAME + spec: + allowPrivilegeEscalation: false + fsGroup: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + hostIPC: false + hostNetwork: false + hostPID: false + privileged: false + readOnlyRootFilesystem: true + requiredDropCapabilities: + - ALL + runAsUser: + rule: MustRunAsNonRoot + seLinux: + rule: RunAsAny + supplementalGroups: + ranges: + - 
max: 65535 + min: 1 + rule: MustRunAs + volumes: + - '*' + 2: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + name: RELEASE-NAME-psp + rules: + - apiGroups: + - policy + resourceNames: + - RELEASE-NAME + resources: + - podsecuritypolicies + verbs: + - use + 3: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: RELEASE-NAME-psp + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: RELEASE-NAME-psp + subjects: + - kind: ServiceAccount + name: RELEASE-NAME diff --git a/teleport-kube-agent/tests/__snapshot__/role_test.yaml.snap b/teleport-kube-agent/tests/__snapshot__/role_test.yaml.snap new file mode 100644 index 0000000..03820af --- /dev/null +++ b/teleport-kube-agent/tests/__snapshot__/role_test.yaml.snap @@ -0,0 +1,37 @@ +creates a Role: + 1: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + name: RELEASE-NAME + namespace: NAMESPACE + rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - create + - get + - update + - patch +sets Role labels when specified: + 1: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + labels: + app.kubernetes.io/name: teleport-kube-agent + resource: role + name: RELEASE-NAME + namespace: NAMESPACE + rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - create + - get + - update + - patch diff --git a/teleport-kube-agent/tests/__snapshot__/rolebinding_test.yaml.snap b/teleport-kube-agent/tests/__snapshot__/rolebinding_test.yaml.snap new file mode 100644 index 0000000..175158e --- /dev/null +++ b/teleport-kube-agent/tests/__snapshot__/rolebinding_test.yaml.snap 
@@ -0,0 +1,33 @@ +creates a RoleBinding: + 1: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: RELEASE-NAME + namespace: NAMESPACE + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: RELEASE-NAME + subjects: + - kind: ServiceAccount + name: RELEASE-NAME + namespace: NAMESPACE +sets RoleBinding labels when specified: + 1: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + labels: + app.kubernetes.io/name: teleport-kube-agent + resource: rolebinding + name: RELEASE-NAME + namespace: NAMESPACE + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: RELEASE-NAME + subjects: + - kind: ServiceAccount + name: RELEASE-NAME + namespace: NAMESPACE diff --git a/teleport-kube-agent/tests/__snapshot__/secret_test.yaml.snap b/teleport-kube-agent/tests/__snapshot__/secret_test.yaml.snap new file mode 100644 index 0000000..551299d --- /dev/null +++ b/teleport-kube-agent/tests/__snapshot__/secret_test.yaml.snap 
@@ -0,0 +1,82 @@ +generate a secret when neither authToken nor joinParams.tokenName are provided: + 1: | + apiVersion: v1 + kind: Secret + metadata: + name: teleport-kube-agent-join-token + namespace: NAMESPACE + stringData: + auth-token: "" + type: Opaque +generates a secret when authToken is provided: + 1: | + apiVersion: v1 + kind: Secret + metadata: + name: teleport-kube-agent-join-token + namespace: NAMESPACE + stringData: + auth-token: | + sample-auth-token-dont-use-this + type: Opaque +generates a secret when joinParams.tokenName is provided: + 1: | + apiVersion: v1 + kind: Secret + metadata: + name: teleport-kube-agent-join-token + namespace: NAMESPACE + stringData: + auth-token: | + sample-auth-token-dont-use-this + type: Opaque +generates a secret with a custom name when authToken and joinTokenSecret.name are provided: + 1: | + apiVersion: v1 + kind: Secret + metadata: + name: some-other-secret-name + namespace: NAMESPACE + stringData: + auth-token: | + sample-auth-token-dont-use-this + type: Opaque +generates a secret with a custom name when authToken and secretName are provided: + 1: | + apiVersion: v1 + kind: Secret + metadata: + name: some-other-secret-name + namespace: NAMESPACE + stringData: + auth-token: | + sample-auth-token-dont-use-this + type: Opaque +sets Secret annotations when specified: + 1: | + apiVersion: v1 + kind: Secret + metadata: + annotations: + kubernetes.io/secret: test-annotation + kubernetes.io/secret-different: 6 + name: teleport-kube-agent-join-token + namespace: NAMESPACE + stringData: + auth-token: | + auth-token + type: Opaque +sets Secret labels when specified: + 1: | + apiVersion: v1 + kind: Secret + metadata: + labels: + app.kubernetes.io/name: teleport-kube-agent + resource: secret + name: teleport-kube-agent-join-token + namespace: NAMESPACE + stringData: + auth-token: | + auth-token + type: Opaque 
diff --git a/teleport-kube-agent/tests/__snapshot__/serviceaccount_test.yaml.snap b/teleport-kube-agent/tests/__snapshot__/serviceaccount_test.yaml.snap new file mode 100644 index 0000000..a451b14 --- /dev/null +++ b/teleport-kube-agent/tests/__snapshot__/serviceaccount_test.yaml.snap @@ -0,0 +1,20 @@ +sets ServiceAccount annotations when specified: + 1: | + apiVersion: v1 + kind: ServiceAccount + metadata: + annotations: + kubernetes.io/serviceaccount: test-annotation + kubernetes.io/serviceaccount-different: 5 + name: RELEASE-NAME + namespace: NAMESPACE +sets ServiceAccount labels when specified: + 1: | + apiVersion: v1 + kind: ServiceAccount + metadata: + labels: + app.kubernetes.io/name: teleport-kube-agent + resource: serviceaccount + name: RELEASE-NAME + namespace: NAMESPACE diff --git a/teleport-kube-agent/tests/__snapshot__/statefulset_test.yaml.snap b/teleport-kube-agent/tests/__snapshot__/statefulset_test.yaml.snap new file mode 100644 index 0000000..ba5becc --- /dev/null +++ b/teleport-kube-agent/tests/__snapshot__/statefulset_test.yaml.snap 
@@ -0,0 +1,2490 @@ +sets Pod annotations when specified: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +sets Pod labels when specified: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: 
diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +sets StatefulSet labels when specified: + 1: | + apiVersion: apps/v1 + kind: StatefulSet + metadata: + labels: + app: RELEASE-NAME + app.kubernetes.io/name: teleport-kube-agent + resource: deployment + name: RELEASE-NAME + namespace: NAMESPACE + spec: + replicas: 1 + selector: + matchLabels: + app: RELEASE-NAME + serviceName: RELEASE-NAME + template: + metadata: + annotations: + checksum/config: db49feab9b174f73188febc30d2b01d27b16e5a76b586c6e87e6e62eb43620a2 + labels: + app: RELEASE-NAME + app.kubernetes.io/name: teleport-kube-agent + resource: pod + spec: + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + 
timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + volumeClaimTemplates: + - metadata: + name: RELEASE-NAME-teleport-data + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 128Mi + storageClassName: aws-gp2 +sets by default a container security context: + 1: | + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + 2: | + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 +should add insecureSkipProxyTLSVerify to args when set in values: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + - --insecure + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + 
timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +should add volumeClaimTemplate for data volume when using StatefulSet and action is an Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + 
name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +should add volumeClaimTemplate for data volume when using StatefulSet and is Fresh Install: + 1: | + apiVersion: apps/v1 + kind: StatefulSet + metadata: + labels: + app: RELEASE-NAME + name: RELEASE-NAME + namespace: NAMESPACE + spec: + replicas: 1 + selector: + matchLabels: + app: RELEASE-NAME + serviceName: RELEASE-NAME + template: + metadata: + annotations: + checksum/config: 6e010c147e8d81d244e7aafdcee7e652cdb4d5640fb7f14d0e1ebb7832f943a5 + labels: + app: RELEASE-NAME + spec: + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + 
fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + volumeClaimTemplates: + - metadata: + name: RELEASE-NAME-teleport-data + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 128Mi + storageClassName: aws-gp2 +should add volumeMount for data volume when using StatefulSet: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +should expose diag port: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: 
TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +should generate Statefulset when storage is disabled and mode is a Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + 
readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data +should have multiple replicas when replicaCount is set (using .replicaCount, deprecated): + 1: | + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - RELEASE-NAME + topologyKey: kubernetes.io/hostname + weight: 50 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + 
runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +should have multiple replicas when replicaCount is set (using highAvailability.replicaCount): + 1: | + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - RELEASE-NAME + topologyKey: kubernetes.io/hostname + weight: 50 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + 
securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +should have one replica when replicaCount is not set: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +should install Statefulset when storage is disabled and mode is a Fresh Install: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: 
+ fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data +should mount extraVolumes and extraVolumeMounts: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + 
securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + - mountPath: /path/to/mount + name: my-mount + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - name: my-mount + secret: + secretName: mySecret +should mount tls.existingCASecretName and set environment when set in values: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + - name: SSL_CERT_FILE + value: /etc/teleport-tls-ca/ca.pem + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + - mountPath: 
/etc/teleport-tls-ca + name: teleport-tls-ca + readOnly: true + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data + - name: teleport-tls-ca + secret: + secretName: helm-lint-existing-tls-secret-ca +should mount tls.existingCASecretName and set extra environment when set in values: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + - name: SSL_CERT_FILE + value: /etc/teleport-tls-ca/ca.pem + - name: HTTPS_PROXY + value: http://username:password@my.proxy.host:3128 + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + - mountPath: /etc/teleport-tls-ca + name: teleport-tls-ca + readOnly: true + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + 
secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data + - name: teleport-tls-ca + secret: + secretName: helm-lint-existing-tls-secret-ca +should not add emptyDir for data when using StatefulSet: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +should provision initContainer correctly when set in values: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + 
value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + resources: + limits: + cpu: 2 + memory: 4Gi + requests: + cpu: 1 + memory: 2Gi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + initContainers: + - args: + - echo test + image: alpine + name: teleport-init + resources: + limits: + cpu: 2 + memory: 4Gi + requests: + cpu: 1 + memory: 2Gi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +should set SecurityContext: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: 
metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +should set affinity when set in values: + 1: | + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: gravitational.io/dedicated + operator: In + values: + - teleport + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - teleport + topologyKey: kubernetes.io/hostname + weight: 1 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + 
imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +should set default serviceAccountName when not set in values: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + 
runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +should set dnsConfig when set in values: + 1: | + nameservers: + - 1.2.3.4 + options: + - name: ndots + value: "2" + - name: edns0 + searches: + - ns1.svc.cluster-domain.example + - my.dns.search.suffix +should set environment when extraEnv set in values: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + - name: HTTPS_PROXY + value: http://username:password@my.proxy.host:3128 + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + 
serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +should set image and tag correctly: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:12.2.1 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +should set imagePullPolicy when set in values: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: 
public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: Always + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +should set nodeSelector if set in values: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true 
+ runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + nodeSelector: + gravitational.io/k8s-role: node + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +should set preferred affinity when more than one replica is used: + 1: | + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - RELEASE-NAME + topologyKey: kubernetes.io/hostname + weight: 50 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: 
RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +should set probeTimeoutSeconds when set in values: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +should set required affinity when highAvailability.requireAntiAffinity is set: + 1: | + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - RELEASE-NAME + topologyKey: kubernetes.io/hostname + containers: + - 
args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +should set resources when set in values: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: 
teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + resources: + limits: + cpu: 2 + memory: 4Gi + requests: + cpu: 1 + memory: 2Gi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +should set serviceAccountName when set in values: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: 
/etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: teleport-kube-agent-sa + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +should set storage.requests when set in values and action is an Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +should set storage.storageClassName when set in values and action is an Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: 
TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +should set tolerations when set in values: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: 
diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + tolerations: + - effect: NoExecute + key: dedicated + operator: Equal + value: teleport + - effect: NoSchedule + key: dedicated + operator: Equal + value: teleport + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token diff --git a/teleport-kube-agent/tests/__snapshot__/updater_deployment_test.yaml.snap b/teleport-kube-agent/tests/__snapshot__/updater_deployment_test.yaml.snap new file mode 100644 index 0000000..5b116c0 --- /dev/null +++ b/teleport-kube-agent/tests/__snapshot__/updater_deployment_test.yaml.snap 
@@ -0,0 +1,117 @@ +sets the affinity: + 1: | + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: gravitational.io/dedicated + operator: In + values: + - teleport + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - teleport + topologyKey: kubernetes.io/hostname + weight: 1 + containers: + - args: + - --agent-name=RELEASE-NAME + - --agent-namespace=NAMESPACE + - --base-image=public.ecr.aws/gravitational/teleport-distroless + - --version-server=https://my-custom-version-server/v1 + - --version-channel=custom/preview + image: public.ecr.aws/gravitational/teleport-kube-agent-updater:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 5 + name: kube-agent-updater + ports: + - containerPort: 8080 + name: metrics + protocol: TCP + - containerPort: 8081 + name: healthz + protocol: TCP + readinessProbe: + failureThreshold: 6 + httpGet: + path: /readyz + port: healthz + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + serviceAccountName: RELEASE-NAME-updater +sets the tolerations: + 1: | + containers: + - args: + - --agent-name=RELEASE-NAME + - --agent-namespace=NAMESPACE + - --base-image=public.ecr.aws/gravitational/teleport-distroless + - --version-server=https://my-custom-version-server/v1 + - --version-channel=custom/preview + image: public.ecr.aws/gravitational/teleport-kube-agent-updater:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 5 + name: 
kube-agent-updater + ports: + - containerPort: 8080 + name: metrics + protocol: TCP + - containerPort: 8081 + name: healthz + protocol: TCP + readinessProbe: + failureThreshold: 6 + httpGet: + path: /readyz + port: healthz + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + serviceAccountName: RELEASE-NAME-updater + tolerations: + - effect: NoExecute + key: dedicated + operator: Equal + value: teleport + - effect: NoSchedule + key: dedicated + operator: Equal + value: teleport diff --git a/teleport-kube-agent/tests/__snapshot__/updater_role_test.yaml.snap b/teleport-kube-agent/tests/__snapshot__/updater_role_test.yaml.snap new file mode 100644 index 0000000..0c1e6a6 --- /dev/null +++ b/teleport-kube-agent/tests/__snapshot__/updater_role_test.yaml.snap @@ -0,0 +1,76 @@ +sets the correct role rules: + 1: | + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - watch + - list + - delete + - apiGroups: + - "" + resources: + - pods/status + verbs: + - get + - watch + - list + - apiGroups: + - "" + resources: + - secrets + verbs: + - watch + - list + - apiGroups: + - "" + resourceNames: + - RELEASE-NAME-shared-state + resources: + - secrets + verbs: + - get + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - apps + resources: + - deployments + - statefulsets + - deployments/status + - statefulsets/status + verbs: + - get + - watch + - list + - apiGroups: + - apps + resourceNames: + - RELEASE-NAME + resources: + - deployments + - statefulsets + verbs: + - update + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - apiGroups: + - coordination.k8s.io + resourceNames: + - RELEASE-NAME + resources: + - leases + verbs: + - get + - update 
diff --git a/teleport-kube-agent/tests/admin_clusterrolebinding_test.yaml b/teleport-kube-agent/tests/admin_clusterrolebinding_test.yaml
new file mode 100644
index 0000000..12998ef
--- /dev/null
+++ b/teleport-kube-agent/tests/admin_clusterrolebinding_test.yaml
@@ -0,0 +1,35 @@
+suite: AdminClusterRoleBinding
+templates:
+ - admin_clusterrolebinding.yaml
+tests:
+ - it: don't generate a admin cluster role binding when adminClusterRoleBinding.create is false
+ asserts:
+ - hasDocuments:
+ count: 0
+ - it: generate a admin cluster role binding when adminClusterRoleBinding.create is true
+ set:
+ adminClusterRoleBinding:
+ create: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ClusterRoleBinding
+ - equal:
+ path: subjects[0].name
+ value: cluster-admin
+ - matchSnapshot: {}
+ - it: generate a admin cluster role binding when adminClusterRoleBinding.create is true and adminClusterRoleBinding.name is set
+ set:
+ adminClusterRoleBinding:
+ create: true
+ name: my-cluster-admin
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ClusterRoleBinding
+ - equal:
+ path: subjects[0].name
+ value: my-cluster-admin
+ - matchSnapshot: {}
diff --git a/teleport-kube-agent/tests/clusterrole_test.yaml b/teleport-kube-agent/tests/clusterrole_test.yaml
new file mode 100644
index 0000000..c589a7a
--- /dev/null
+++ b/teleport-kube-agent/tests/clusterrole_test.yaml
@@ -0,0 +1,23 @@
+suite: ClusterRole
+templates:
+ - clusterrole.yaml
+tests:
+ - it: creates a ClusterRole
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ClusterRole
+ - matchSnapshot: {}
+
+ - it: sets ClusterRole labels when specified
+ values:
+ - ../.lint/extra-labels.yaml
+ asserts:
+ - equal:
+ path: metadata.labels.app\.kubernetes\.io/name
+ value: teleport-kube-agent
+ - equal:
+ path: metadata.labels.resource
+ value: clusterrole
+ - matchSnapshot: {}
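Review bot: The two positive cases in admin_clusterrolebinding_test.yaml pin only `subjects[0].name`; nothing asserts which ClusterRole the binding grants or what kind of subject receives it, so a template change to `roleRef` or `subjects[0].kind` would surface only as a snapshot diff that is easy to re-approve. If the template binds the built-in cluster-admin role, as the suite name suggests, add an explicit assert next to the existing one, `- equal:` / `path: roleRef.name` / `value: cluster-admin`, and a second on `subjects[0].kind` with the kind the template emits. admin_clusterrolebinding.yaml is not in this chunk, so take both expected values from it rather than from the snapshot.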
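Review bot: The "creates a ClusterRole" case in clusterrole_test.yaml asserts only `isKind` and `matchSnapshot`, so the permission set in `rules` is guarded by nothing but the snapshot, which `--update-snapshot` regenerates without anyone reading the new verbs. Add at least one explicit assertion on the rules the agent needs, e.g. `- equal:` / `path: rules[0].resources` / `value: [<resources from clusterrole.yaml>]`, so that a widened verb or resource list fails the test instead of rewriting a snapshot. clusterrolebinding_test.yaml in the next hunk has the same gap: it never asserts `roleRef.name` or `subjects[0].namespace`, which together are what the binding actually grants.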
diff --git a/teleport-kube-agent/tests/clusterrolebinding_test.yaml b/teleport-kube-agent/tests/clusterrolebinding_test.yaml
new file mode 100644
index 0000000..ce78e09
--- /dev/null
+++ b/teleport-kube-agent/tests/clusterrolebinding_test.yaml
@@ -0,0 +1,23 @@
+suite: ClusterRoleBinding
+templates:
+ - clusterrolebinding.yaml
+tests:
+ - it: creates a ClusterRoleBinding
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ClusterRoleBinding
+ - matchSnapshot: {}
+
+ - it: sets ClusterRoleBinding labels when specified
+ values:
+ - ../.lint/extra-labels.yaml
+ asserts:
+ - equal:
+ path: metadata.labels.app\.kubernetes\.io/name
+ value: teleport-kube-agent
+ - equal:
+ path: metadata.labels.resource
+ value: clusterrolebinding
+ - matchSnapshot: {}
diff --git a/teleport-kube-agent/tests/config_test.yaml b/teleport-kube-agent/tests/config_test.yaml
new file mode 100644
index 0000000..2ee00d9
--- /dev/null
+++ b/teleport-kube-agent/tests/config_test.yaml
@@ -0,0 +1,291 @@
+suite: ConfigMap
+templates:
+ - config.yaml
+tests:
+ - it: matches snapshot for affinity.yaml
+ values:
+ - ../.lint/affinity.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot: {}
+
+ - it: matches snapshot for all-v6.yaml
+ values:
+ - ../.lint/all-v6.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot: {}
+
+ - it: matches snapshot and tests for extra-labels.yaml
+ values:
+ - ../.lint/extra-labels.yaml
+ asserts:
+ - equal:
+ path: metadata.labels.app\.kubernetes\.io/name
+ value: teleport-kube-agent
+ - equal:
+ path: metadata.labels.resource
+ value: config
+ - matchSnapshot: {}
+
+ - it: matches snapshot and tests for annotations.yaml
+ values:
+ - ../.lint/annotations.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - equal:
+ path: metadata.annotations.kubernetes\.io/config
+ value: test-annotation
+ - equal:
+ path: metadata.annotations.kubernetes\.io/config-different
+ value: 2
+ - matchSnapshot: {}
+
+ - it: matches snapshot for aws-databases.yaml
+ values:
+ - ../.lint/aws-databases.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot: {}
+
+ - it: matches snapshot for azure-databases.yaml
+ values:
+ - ../.lint/azure-databases.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot: {}
+
+ - it: matches snapshot for backwards-compatibility.yaml
+ values:
+ - ../.lint/backwards-compatibility.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot: {}
+
+ - it: matches snapshot for ca-pin.yaml
+ values:
+ - ../.lint/ca-pin.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot: {}
+
+ - it: does not generate a config for clusterrole.yaml
+ values:
+ - ../.lint/clusterrole.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot: {}
+
+ - it: matches
snapshot for db.yaml
+ values:
+ - ../.lint/db.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot: {}
+
+ - it: matches snapshot for dynamic-app.yaml
+ values:
+ - ../.lint/dynamic-app.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot: {}
+
+ - it: matches snapshot for dynamic-db.yaml
+ values:
+ - ../.lint/dynamic-db.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot: {}
+
+ - it: matches snapshot for imagepullsecrets.yaml
+ values:
+ - ../.lint/imagepullsecrets.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot: {}
+
+ - it: matches snapshot for initcontainers.yaml
+ values:
+ - ../.lint/initcontainers.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot: {}
+
+ - it: matches snapshot for join-params-iam.yaml
+ values:
+ - ../.lint/join-params-iam.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot: {}
+
+ - it: matches snapshot for join-params-token.yaml
+ values:
+ - ../.lint/join-params-token.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot: {}
+
+ - it: matches snapshot for log-basic.yaml
+ values:
+ - ../.lint/log-basic.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot: {}
+
+ - it: matches snapshot for log-extra.yaml
+ values:
+ - ../.lint/log-extra.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot: {}
+
+ - it: matches snapshot for log-legacy.yaml
+ values:
+ - ../.lint/log-legacy.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot: {}
+
+ - it: matches snapshot for node-selector.yaml
+ values:
+ - ../.lint/node-selector.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot: {}
+
+ - it: matches snapshot for pdb.yaml
+ values:
+ - ../.lint/log-extra.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot: {}
+
+ - it: does not generate a config for pdb.yaml
+ values:
+ - ../.lint/pdb.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot: {}
+
+ - it: matches snapshot for resources.yaml
+ values:
+ - ../.lint/resources.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot: {}
+
+ - it: matches snapshot for stateful.yaml
+ values:
+ - ../.lint/stateful.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot: {}
+
+ - it: matches snapshot for tolerations.yaml
+ values:
+ - ../.lint/tolerations.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot: {}
+
+ - it: matches snapshot for volumes.yaml
+ values:
+ - ../.lint/volumes.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot: {}
+
+ - it: matches snapshot for v10.yaml
+ values:
+ - ../.lint/v10.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot: {}
+
+ - it: matches snapshot for v11.yaml
+ values:
+ - ../.lint/v11.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot: {}
diff --git a/teleport-kube-agent/tests/deployment_test.yaml b/teleport-kube-agent/tests/deployment_test.yaml
new file mode 100644
index 0000000..1c4926c
--- /dev/null
+++ b/teleport-kube-agent/tests/deployment_test.yaml
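Review bot: The test named "matches snapshot for pdb.yaml" (end of the previous line, values at the start of this one) loads `../.lint/log-extra.yaml`, which duplicates the log-extra case a few tests earlier and leaves the pdb fixture's ConfigMap covered only by the oddly named "does not generate a config for pdb.yaml" test, which in fact asserts `count: 1`; the values line should read `- ../.lint/pdb.yaml`. The "does not generate a config for clusterrole.yaml" test in the first part of this hunk has the same contradiction between its name and its `hasDocuments: count: 1` assertion, so either the two names should become `matches snapshot for ...` or the counts should be `0` if no ConfigMap is expected. This hunk begins at the `@@ -0,0 +1,291 @@` header two lines up.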
@@ -0,0 +1,687 @@
+suite: Deployment
+templates:
+ - deployment.yaml
+ - config.yaml
+release:
+ upgrade: true
+tests:
+ - it: creates a Deployment if action is Upgrade
+ template: deployment.yaml
+ set:
+ # unit test does not support lookup functions, so to test the behavior we use this undoc value
+ # https://github.com/helm/helm/issues/8137
+ unitTestUpgrade: true
+ values:
+ - ../.lint/all-v6.yaml
+ asserts:
+ - isKind:
+ of: Deployment
+ - hasDocuments:
+ count: 1
+
+ - it: sets Deployment labels when specified if action is Upgrade
+ template: deployment.yaml
+ set:
+ # unit test does not support lookup functions, so to test the behavior we use this undoc value
+ # https://github.com/helm/helm/issues/8137
+ unitTestUpgrade: true
+ values:
+ - ../.lint/extra-labels.yaml
+ asserts:
+ - equal:
+ path: metadata.labels.app\.kubernetes\.io/name
+ value: teleport-kube-agent
+ - equal:
+ path: metadata.labels.resource
+ value: deployment
+ - matchSnapshot:
+ path: spec
+
+ - it: sets Pod labels when specified if action is Upgrade
+ template: deployment.yaml
+ set:
+ # unit test does not support lookup functions, so to test the behavior we use this undoc value
+ # https://github.com/helm/helm/issues/8137
+ unitTestUpgrade: true
+ values:
+ - ../.lint/extra-labels.yaml
+ asserts:
+ - equal:
+ path: spec.template.metadata.labels.app\.kubernetes\.io/name
+ value: teleport-kube-agent
+ - equal:
+ path: spec.template.metadata.labels.resource
+ value: pod
+ - matchSnapshot:
+ path: spec.template.spec
+
+ - it: sets Deployment annotations when specified if action is Upgrade
+ template: deployment.yaml
+ set:
+ # unit test does not support lookup functions, so to test the behavior we use this undoc value
+ # https://github.com/helm/helm/issues/8137
+ unitTestUpgrade: true
+ values:
+ - ../.lint/annotations.yaml
+ asserts:
+ - equal:
+ path: metadata.annotations.kubernetes\.io/deployment
+ value: test-annotation
+ - equal:
+ path:
metadata.annotations.kubernetes\.io/deployment-different
+ value: 3
+ - matchSnapshot: {}
+
+ - it: sets Pod annotations when specified if action is Upgrade
+ template: deployment.yaml
+ set:
+ # unit test does not support lookup functions, so to test the behavior we use this undoc value
+ # https://github.com/helm/helm/issues/8137
+ unitTestUpgrade: true
+ values:
+ - ../.lint/annotations.yaml
+ asserts:
+ - equal:
+ path: spec.template.metadata.annotations.kubernetes\.io/pod
+ value: test-annotation
+ - equal:
+ path: spec.template.metadata.annotations.kubernetes\.io/pod-different
+ value: 4
+ - matchSnapshot:
+ path: spec.template.spec
+
+ - it: should have one replica when replicaCount is not set if action is Upgrade
+ template: deployment.yaml
+ set:
+ # unit test does not support lookup functions, so to test the behavior we use this undoc value
+ # https://github.com/helm/helm/issues/8137
+ unitTestUpgrade: true
+ values:
+ - ../.lint/backwards-compatibility.yaml
+ asserts:
+ - equal:
+ path: spec.replicas
+ value: 1
+ - matchSnapshot:
+ path: spec.template.spec
+
+ - it: should have multiple replicas when replicaCount is set (using .replicaCount, deprecated) if action is Upgrade
+ template: deployment.yaml
+ set:
+ # unit test does not support lookup functions, so to test the behavior we use this undoc value
+ # https://github.com/helm/helm/issues/8137
+ unitTestUpgrade: true
+ replicaCount: 3
+ values:
+ - ../.lint/backwards-compatibility.yaml
+ asserts:
+ - equal:
+ path: spec.replicas
+ value: 3
+ - matchSnapshot:
+ path: spec.template.spec
+
+ - it: should have multiple replicas when replicaCount is set (using highAvailability.replicaCount) if action is Upgrade
+ template: deployment.yaml
+ values:
+ - ../.lint/backwards-compatibility.yaml
+ set:
+ # unit test does not support lookup functions, so to test the behavior we use this undoc value
+ # https://github.com/helm/helm/issues/8137
+ unitTestUpgrade: true
+ highAvailability:
+ replicaCount: 3
+
asserts:
+ - equal:
+ path: spec.replicas
+ value: 3
+ - matchSnapshot:
+ path: spec.template.spec
+
+ - it: should set affinity when set in values if action is Upgrade
+ template: deployment.yaml
+ set:
+ # unit test does not support lookup functions, so to test the behavior we use this undoc value
+ # https://github.com/helm/helm/issues/8137
+ unitTestUpgrade: true
+ values:
+ - ../.lint/affinity.yaml
+ asserts:
+ - isNotNull:
+ path: spec.template.spec.affinity
+ - matchSnapshot:
+ path: spec.template.spec
+
+ - it: should set required affinity when highAvailability.requireAntiAffinity is set if action is Upgrade
+ template: deployment.yaml
+ values:
+ - ../.lint/backwards-compatibility.yaml
+ set:
+ # unit test does not support lookup functions, so to test the behavior we use this undoc value
+ # https://github.com/helm/helm/issues/8137
+ unitTestUpgrade: true
+
+ highAvailability:
+ replicaCount: 2
+ requireAntiAffinity: true
+ asserts:
+ - isNotNull:
+ path: spec.template.spec.affinity
+ - isNotNull:
+ path: spec.template.spec.affinity.podAntiAffinity
+ - isNotNull:
+ path: spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution
+ - isNull:
+ path: spec.template.spec.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution
+ - matchSnapshot:
+ path: spec.template.spec
+
+ - it: should set preferred affinity when more than one replica is used if action is Upgrade
+ template: deployment.yaml
+ values:
+ - ../.lint/backwards-compatibility.yaml
+ set:
+ # unit test does not support lookup functions, so to test the behavior we use this undoc value
+ # https://github.com/helm/helm/issues/8137
+ unitTestUpgrade: true
+
+ highAvailability:
+ replicaCount: 3
+ asserts:
+ - isNotNull:
+ path: spec.template.spec.affinity
+ - isNotNull:
+ path: spec.template.spec.affinity.podAntiAffinity
+ - isNotNull:
+ path: spec.template.spec.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution
+ - isNull:
+ path:
spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution
+ - matchSnapshot:
+ path: spec.template.spec
+
+ - it: should set tolerations when set in values if action is Upgrade
+ template: deployment.yaml
+ set:
+ # unit test does not support lookup functions, so to test the behavior we use this undoc value
+ # https://github.com/helm/helm/issues/8137
+ unitTestUpgrade: true
+ values:
+ - ../.lint/tolerations.yaml
+ asserts:
+ - isNotNull:
+ path: spec.template.spec.tolerations
+ - matchSnapshot:
+ path: spec.template.spec
+
+ - it: should set resources when set in values if action is Upgrade
+ template: deployment.yaml
+ set:
+ # unit test does not support lookup functions, so to test the behavior we use this undoc value
+ # https://github.com/helm/helm/issues/8137
+ unitTestUpgrade: true
+ values:
+ - ../.lint/resources.yaml
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].resources.limits.cpu
+ value: 2
+ - equal:
+ path: spec.template.spec.containers[0].resources.limits.memory
+ value: 4Gi
+ - equal:
+ path: spec.template.spec.containers[0].resources.requests.cpu
+ value: 1
+ - equal:
+ path: spec.template.spec.containers[0].resources.requests.memory
+ value: 2Gi
+ - matchSnapshot:
+ path: spec.template.spec
+
+ - it: should set SecurityContext if action is Upgrade
+ template: deployment.yaml
+ set:
+ # unit test does not support lookup functions, so to test the behavior we use this undoc value
+ # https://github.com/helm/helm/issues/8137
+ unitTestUpgrade: true
+ values:
+ - ../.lint/backwards-compatibility.yaml
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation
+ value: false
+ - equal:
+ path: spec.template.spec.containers[0].securityContext.capabilities
+ value:
+ drop:
+ - all
+ - equal:
+ path: spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem
+ value: true
+ - equal:
+ path:
spec.template.spec.containers[0].securityContext.runAsNonRoot
+ value: true
+ - equal:
+ path: spec.template.spec.containers[0].securityContext.runAsUser
+ value: 9807
+ - matchSnapshot:
+ path: spec.template.spec
+
+ - it: should set image and tag correctly if action is Upgrade
+ template: deployment.yaml
+ values:
+ - ../.lint/backwards-compatibility.yaml
+ set:
+ # unit test does not support lookup functions, so to test the behavior we use this undoc value
+ # https://github.com/helm/helm/issues/8137
+ unitTestUpgrade: true
+
+ teleportVersionOverride: 12.2.1
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].image
+ value: public.ecr.aws/gravitational/teleport-distroless:12.2.1
+ - matchSnapshot:
+ path: spec.template.spec
+
+ - it: should mount extraVolumes and extraVolumeMounts if action is Upgrade
+ template: deployment.yaml
+ set:
+ # unit test does not support lookup functions, so to test the behavior we use this undoc value
+ # https://github.com/helm/helm/issues/8137
+ unitTestUpgrade: true
+ values:
+ - ../.lint/volumes.yaml
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ mountPath: /path/to/mount
+ name: my-mount
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: my-mount
+ secret:
+ secretName: mySecret
+ - matchSnapshot:
+ path: spec.template.spec
+
+ - it: should set imagePullPolicy when set in values if action is Upgrade
+ template: deployment.yaml
+ values:
+ - ../.lint/backwards-compatibility.yaml
+ set:
+ # unit test does not support lookup functions, so to test the behavior we use this undoc value
+ # https://github.com/helm/helm/issues/8137
+ unitTestUpgrade: true
+
+ imagePullPolicy: Always
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].imagePullPolicy
+ value: Always
+ - matchSnapshot:
+ path: spec.template.spec
+
+ - it: should set environment when extraEnv set in values if action is Upgrade
+ template: deployment.yaml
+ set:
+ # unit test does not
support lookup functions, so to test the behavior we use this undoc value
+ # https://github.com/helm/helm/issues/8137
+ unitTestUpgrade: true
+
+ proxyAddr: helm-lint.example.com
+ authToken: sample-auth-token-dont-use-this
+ kubeClusterName: helm-lint.example.com
+ extraEnv:
+ - name: HTTPS_PROXY
+ value: "http://username:password@my.proxy.host:3128"
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: HTTPS_PROXY
+ value: "http://username:password@my.proxy.host:3128"
+ - matchSnapshot:
+ path: spec.template.spec
+
+ - it: should provision initContainer correctly when set in values if action is Upgrade
+ template: deployment.yaml
+ set:
+ # unit test does not support lookup functions, so to test the behavior we use this undoc value
+ # https://github.com/helm/helm/issues/8137
+ unitTestUpgrade: true
+ values:
+ - ../.lint/initcontainers.yaml
+ asserts:
+ - contains:
+ path: spec.template.spec.initContainers[0].args
+ content: "echo test"
+ - equal:
+ path: spec.template.spec.initContainers[0].name
+ value: "teleport-init"
+ - equal:
+ path: spec.template.spec.initContainers[0].image
+ value: "alpine"
+ - equal:
+ path: spec.template.spec.initContainers[0].resources.limits.cpu
+ value: 2
+ - equal:
+ path: spec.template.spec.initContainers[0].resources.limits.memory
+ value: 4Gi
+ - equal:
+ path: spec.template.spec.initContainers[0].resources.requests.cpu
+ value: 1
+ - equal:
+ path: spec.template.spec.initContainers[0].resources.requests.memory
+ value: 2Gi
+ - matchSnapshot:
+ path: spec.template.spec
+
+ - it: should add insecureSkipProxyTLSVerify to args when set in values if action is Upgrade
+ template: deployment.yaml
+ values:
+ - ../.lint/backwards-compatibility.yaml
+ set:
+ # unit test does not support lookup functions, so to test the behavior we use this undoc value
+ # https://github.com/helm/helm/issues/8137
+ unitTestUpgrade: true
+
+ insecureSkipProxyTLSVerify: true
+ asserts:
+ - contains:
+ path:
spec.template.spec.containers[0].args
+ content: "--insecure"
+ - matchSnapshot:
+ path: spec.template.spec
+
+ - it: should expose diag port if action is Upgrade
+ template: deployment.yaml
+ set:
+ # unit test does not support lookup functions, so to test the behavior we use this undoc value
+ # https://github.com/helm/helm/issues/8137
+ unitTestUpgrade: true
+ values:
+ - ../.lint/backwards-compatibility.yaml
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].ports
+ content:
+ name: diag
+ containerPort: 3000
+ protocol: TCP
+ - matchSnapshot:
+ path: spec.template.spec
+
+ - it: should set nodeSelector if set in values if action is Upgrade
+ template: deployment.yaml
+ set:
+ # unit test does not support lookup functions, so to test the behavior we use this undoc value
+ # https://github.com/helm/helm/issues/8137
+ unitTestUpgrade: true
+ values:
+ - ../.lint/node-selector.yaml
+ asserts:
+ - equal:
+ path: spec.template.spec.nodeSelector
+ value:
+ gravitational.io/k8s-role: node
+ - matchSnapshot:
+ path: spec.template.spec
+
+ - it: should add emptyDir for data when existingDataVolume is not set if action is Upgrade
+ template: deployment.yaml
+ set:
+ # unit test does not support lookup functions, so to test the behavior we use this undoc value
+ # https://github.com/helm/helm/issues/8137
+ unitTestUpgrade: true
+ values:
+ - ../.lint/backwards-compatibility.yaml
+ asserts:
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: data
+ emptyDir: {}
+ - contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ mountPath: /var/lib/teleport
+ name: data
+ - matchSnapshot:
+ path: spec.template.spec
+
+ - it: should correctly configure existingDataVolume when set if action is Upgrade
+ template: deployment.yaml
+ set:
+ # unit test does not support lookup functions, so to test the behavior we use this undoc value
+ # https://github.com/helm/helm/issues/8137
+ unitTestUpgrade: true
+ values:
+ -
../.lint/existing-data-volume.yaml
+ asserts:
+ - notContains:
+ path: spec.template.spec.volumes
+ content:
+ name: data
+ emptyDir: {}
+ - contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ mountPath: /var/lib/teleport
+ name: teleport-kube-agent-data
+ - matchSnapshot:
+ path: spec.template.spec
+
+ - it: should mount tls.existingCASecretName and set environment when set in values if action is Upgrade
+ template: deployment.yaml
+ set:
+ # unit test does not support lookup functions, so to test the behavior we use this undoc value
+ # https://github.com/helm/helm/issues/8137
+ unitTestUpgrade: true
+ values:
+ - ../.lint/existing-tls-secret-with-ca.yaml
+ asserts:
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: teleport-tls-ca
+ secret:
+ secretName: helm-lint-existing-tls-secret-ca
+ - contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ mountPath: /etc/teleport-tls-ca
+ name: teleport-tls-ca
+ readOnly: true
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: SSL_CERT_FILE
+ value: /etc/teleport-tls-ca/ca.pem
+ - matchSnapshot:
+ path: spec.template.spec
+
+ - it: should mount tls.existingCASecretName and set extra environment when set in values if action is Upgrade
+ template: deployment.yaml
+ set:
+ # unit test does not support lookup functions, so to test the behavior we use this undoc value
+ # https://github.com/helm/helm/issues/8137
+ unitTestUpgrade: true
+ values:
+ - ../.lint/existing-tls-secret-with-ca.yaml
+ - ../.lint/extra-env.yaml
+ asserts:
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: teleport-tls-ca
+ secret:
+ secretName: helm-lint-existing-tls-secret-ca
+ - contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ mountPath: /etc/teleport-tls-ca
+ name: teleport-tls-ca
+ readOnly: true
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: SSL_CERT_FILE
+ value:
/etc/teleport-tls-ca/ca.pem
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: HTTPS_PROXY
+ value: http://username:password@my.proxy.host:3128
+ - matchSnapshot:
+ path: spec.template.spec
+
+ - it: should set priorityClassName when set in values if action is Upgrade
+ template: deployment.yaml
+ set:
+ # unit test does not support lookup functions, so to test the behavior we use this undoc value
+ # https://github.com/helm/helm/issues/8137
+ unitTestUpgrade: true
+ values:
+ - ../.lint/priority-class-name.yaml
+ asserts:
+ - equal:
+ path: spec.template.spec.priorityClassName
+ value: teleport-kube-agent
+ - matchSnapshot:
+ path: spec.template.spec
+
+ - it: should set not set priorityClassName when not set in values if action is Upgrade
+ template: deployment.yaml
+ set:
+ # unit test does not support lookup functions, so to test the behavior we use this undoc value
+ # https://github.com/helm/helm/issues/8137
+ unitTestUpgrade: true
+ values:
+ - ../.lint/backwards-compatibility.yaml
+ asserts:
+ - isNull:
+ path: spec.template.spec.priorityClassName
+ - matchSnapshot:
+ path: spec.template.spec
+
+ - it: should set serviceAccountName when set in values if action is Upgrade
+ template: deployment.yaml
+ set:
+ # unit test does not support lookup functions, so to test the behavior we use this undoc value
+ # https://github.com/helm/helm/issues/8137
+ unitTestUpgrade: true
+ values:
+ - ../.lint/service-account-name.yaml
+ asserts:
+ - equal:
+ path: spec.template.spec.serviceAccountName
+ value: teleport-kube-agent-sa
+ - matchSnapshot:
+ path: spec.template.spec
+
+ - it: should set default serviceAccountName when not set in values if action is Upgrade
+ template: deployment.yaml
+ set:
+ # unit test does not support lookup functions, so to test the behavior we use this undoc value
+ # https://github.com/helm/helm/issues/8137
+ unitTestUpgrade: true
+ values:
+ - ../.lint/backwards-compatibility.yaml
+ asserts:
+ - equal:
+ path:
spec.template.spec.serviceAccountName
+ value: RELEASE-NAME
+ - matchSnapshot:
+ path: spec.template.spec
+
+ - it: should set probeTimeoutSeconds when set in values if action is Upgrade
+ template: deployment.yaml
+ set:
+ # unit test does not support lookup functions, so to test the behavior we use this undoc value
+ # https://github.com/helm/helm/issues/8137
+ unitTestUpgrade: true
+ values:
+ - ../.lint/probe-timeout-seconds.yaml
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].livenessProbe.timeoutSeconds
+ value: 5
+ - equal:
+ path: spec.template.spec.containers[0].readinessProbe.timeoutSeconds
+ value: 5
+ - matchSnapshot:
+ path: spec.template.spec
+
+ - it: should set dnsConfig when set in values if action is Upgrade
+ template: deployment.yaml
+ set:
+ # unit test does not support lookup functions, so to test the behavior we use this undoc value
+ # https://github.com/helm/helm/issues/8137
+ unitTestUpgrade: true
+ values:
+ - ../.lint/dnsconfig.yaml
+ asserts:
+ - notEqual:
+ path: spec.template.spec.dnsConfig
+ value: null
+ - matchSnapshot:
+ path: spec.template.spec.dnsConfig
+
+ - it: should set dnsPolicy when set in values if action is Upgrade
+ template: deployment.yaml
+ set:
+ # unit test does not support lookup functions, so to test the behavior we use this undoc value
+ # https://github.com/helm/helm/issues/8137
+ unitTestUpgrade: true
+ values:
+ - ../.lint/dnsconfig.yaml
+ asserts:
+ - equal:
+ path: spec.template.spec.dnsPolicy
+ value: ClusterFirstWithHostNet
+
+ - it: should not render Deployment if action is fresh install without storage
+ template: deployment.yaml
+ release:
+ upgrade: false
+ values:
+ - ../.lint/all-v6.yaml
+ set:
+ storage:
+ enabled: false
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: sets by default a container security context if action is Upgrade
+ template: deployment.yaml
+ set:
+ # unit test does not support lookup functions, so to test the behavior we use this undoc value
+ #
https://github.com/helm/helm/issues/8137
+ unitTestUpgrade: true
+ values:
+ - ../.lint/initcontainers.yaml
+ asserts:
+ - matchSnapshot:
+ path: spec.template.spec.initContainers[0].securityContext
+ - matchSnapshot:
+ path: spec.template.spec.containers[0].securityContext
+
+ - it: sets no container security context when manually unset and if action is Upgrade
+ template: deployment.yaml
+ set:
+ # unit test does not support lookup functions, so to test the behavior we use this undoc value
+ # https://github.com/helm/helm/issues/8137
+ unitTestUpgrade: true
+ values:
+ - ../.lint/initcontainers.yaml
+ - ../.lint/security-context-empty.yaml
+ asserts:
+ - equal:
+ path: spec.template.spec.initContainers[0].securityContext
+ value: null
+ - equal:
+ path: spec.template.spec.containers[0].securityContext
+ value: null
diff --git a/teleport-kube-agent/tests/job_test.yaml b/teleport-kube-agent/tests/job_test.yaml
new file mode 100644
index 0000000..997dc79
--- /dev/null
+++ b/teleport-kube-agent/tests/job_test.yaml
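Review bot: The "sets by default a container security context" test at the top of this line checks both `securityContext` objects with `matchSnapshot` only, so a loosened default (say `runAsNonRoot` or `readOnlyRootFilesystem` disappearing from the init container) would be accepted by simply regenerating the snapshot; explicit `equal` asserts on `spec.template.spec.initContainers[0].securityContext.runAsNonRoot` and the other fields, mirroring the "should set SecurityContext" test earlier in this hunk, would make the default an enforced contract. The test name `should set not set priorityClassName when not set in values` two lines up contains a stray "set". The `unitTestUpgrade: true` line and its two-line comment are copied into nearly every test; if the helm-unittest version in use accepts a suite-level `set:`, hoisting it there would remove the duplication. This hunk starts at the `@@ -0,0 +1,687 @@` header several lines up.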
@@ -0,0 +1,208 @@
+suite: Job
+templates:
+ - delete_hook.yaml
+
+release:
+ upgrade: true
+tests:
+ - it: should create ServiceAccount, Role, RoleBinding and Job for post-delete hook by default
+ template: delete_hook.yaml
+ values:
+ - ../.lint/backwards-compatibility.yaml
+ assets:
+ - containsDocument:
+ kind: ServiceAccount
+ apiVersion: v1
+ - containsDocument:
+ kind: Role
+ apiVersion: rbac.authorization.k8s.io/v1
+ - containsDocument:
+ kind: RoleBinding
+ apiVersion: rbac.authorization.k8s.io/v1
+ - containsDocument:
+ kind: Job
+ apiVersion: batch/v1
+
+ - it: should set securityContext in post-delete hook
+ template: delete_hook.yaml
+ # documentIndex: 0=ServiceAccount 1=Role 2=RoleBinding 3=Job
+ documentIndex: 3
+ values:
+ - ../.lint/backwards-compatibility.yaml
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation
+ value: false
+ - equal:
+ path: spec.template.spec.containers[0].securityContext.capabilities
+ value:
+ drop:
+ - all
+ - equal:
+ path: spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem
+ value: true
+ - equal:
+ path: spec.template.spec.containers[0].securityContext.runAsNonRoot
+ value: true
+ - equal:
+ path: spec.template.spec.containers[0].securityContext.runAsUser
+ value: 9807
+ - matchSnapshot:
+ path: spec.template.spec
+
+ - it: should set nodeSelector in post-delete hook
+ template: delete_hook.yaml
+ # documentIndex: 0=ServiceAccount 1=Role 2=RoleBinding 3=Job
+ documentIndex: 3
+ values:
+ - ../.lint/node-selector.yaml
+ asserts:
+ - equal:
+ path: spec.template.spec.nodeSelector
+ value:
+ gravitational.io/k8s-role: node
+ - matchSnapshot:
+ path: spec.template.spec
+
+ - it: should create ServiceAccount for post-delete hook by default
+ template: delete_hook.yaml
+ # documentIndex: 0=ServiceAccount 1=Role 2=RoleBinding 3=Job
+ documentIndex: 0
+ values:
+ - ../.lint/backwards-compatibility.yaml
+ asserts:
+ - containsDocument:
+ kind: ServiceAccount
+ apiVersion: v1
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-delete-hook
+ - matchSnapshot:
+ path: spec.template.spec
+
+ - it: should create ServiceAccount for post-delete hook with a custom name if serviceAccount.name is set and serviceAccount.create is true
+ template: delete_hook.yaml
+ # documentIndex: 0=ServiceAccount 1=Role 2=RoleBinding 3=Job
+ documentIndex: 0
+ values:
+ - ../.lint/backwards-compatibility.yaml
+ set:
+ serviceAccount:
+ create: true
+ name: lint-serviceaccount
+ asserts:
+ - containsDocument:
+ kind: ServiceAccount
+ apiVersion: v1
+ - equal:
+ path: metadata.name
+ value: lint-serviceaccount
+
+ - it: should create Role for post-delete hook by default
+ template: delete_hook.yaml
+ values:
+ - ../.lint/backwards-compatibility.yaml
+ asserts:
+ - containsDocument:
+ kind: Role
+ apiVersion: rbac.authorization.k8s.io/v1
+
+ - it: should create RoleBinding for post-delete hook by default
+ template: delete_hook.yaml
+ values:
+ - ../.lint/backwards-compatibility.yaml
+ asserts:
+ - containsDocument:
+ kind: RoleBinding
+ apiVersion: rbac.authorization.k8s.io/v1
+
+ - it: should not create ServiceAccount for post-delete hook if serviceAccount.create is false
+ template: delete_hook.yaml
+ values:
+ - ../.lint/backwards-compatibility.yaml
+ set:
+ serviceAccount:
+ create: false
+ name: lint-serviceaccount
+ asserts:
+ - not: true
+ containsDocument:
+ kind: ServiceAccount
+ apiVersion: v1
+ - matchSnapshot:
+ path: spec.template.spec
+
+ - it: should inherit ServiceAccount name from values and not create serviceAccount if serviceAccount.create is false and serviceAccount.name is set
+ template: delete_hook.yaml
+ values:
+ - ../.lint/backwards-compatibility.yaml
+ set:
+ serviceAccount:
+ create: false
+ name: lint-serviceaccount
+ asserts:
+ - not: true
+ containsDocument:
+ kind: ServiceAccount
+ apiVersion: v1
+ # ServiceAccount is not created in this mode
+ # documentIndex: 0=Role 1=RoleBinding 2=Job
+ - documentIndex: 2
+
equal:
+ path: spec.template.spec.serviceAccountName
+ value: lint-serviceaccount
+ - documentIndex: 2
+ matchSnapshot:
+ path: spec.template.spec
+
+ - it: should not create Role for post-delete hook if rbac.create is false
+ template: delete_hook.yaml
+ values:
+ - ../.lint/backwards-compatibility.yaml
+ set:
+ rbac:
+ create: false
+ asserts:
+ - not: true
+ containsDocument:
+ kind: Role
+ apiVersion: rbac.authorization.k8s.io/v1
+
+ - it: should not create RoleBinding for post-delete hook if rbac.create is false
+ template: delete_hook.yaml
+ values:
+ - ../.lint/backwards-compatibility.yaml
+ set:
+ rbac:
+ create: false
+ asserts:
+ - not: true
+ containsDocument:
+ kind: RoleBinding
+ apiVersion: rbac.authorization.k8s.io/v1
+
+ - it: should not create ServiceAccount, Role or RoleBinding for post-delete hook if serviceAccount.create and rbac.create are false
+ template: delete_hook.yaml
+ values:
+ - ../.lint/backwards-compatibility.yaml
+ set:
+ rbac:
+ create: false
+ serviceAccount:
+ create: false
+ name: lint-serviceaccount
+ asserts:
+ - not: true
+ containsDocument:
+ kind: ServiceAccount
+ apiVersion: v1
+ - not: true
+ containsDocument:
+ kind: Role
+ apiVersion: rbac.authorization.k8s.io/v1
+ - not: true
+ containsDocument:
+ kind: RoleBinding
+ apiVersion: rbac.authorization.k8s.io/v1
+ - matchSnapshot:
+ path: spec.template.spec
diff --git a/teleport-kube-agent/tests/pdb_test.yaml b/teleport-kube-agent/tests/pdb_test.yaml
new file mode 100644
index 0000000..9486b95
--- /dev/null
+++ b/teleport-kube-agent/tests/pdb_test.yaml
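Review bot: The first test of job_test.yaml, "should create ServiceAccount, Role, RoleBinding and Job for post-delete hook by default" at the start of this hunk two lines up, spells the assertion key as `assets:` rather than `asserts:`, so its four `containsDocument` checks are never evaluated and the test cannot fail for the reason it exists; the one-word fix is `asserts:`. In the same hunk, "should create ServiceAccount for post-delete hook by default" selects `documentIndex: 0` (the ServiceAccount) and then snapshots `spec.template.spec`, which a ServiceAccount does not carry, and "should not create ServiceAccount ... if serviceAccount.create is false" snapshots `spec.template.spec` with no `documentIndex` at all; both snapshots presumably record nothing useful and should either target the Job document or be dropped. Since the hook's Role and RoleBinding are what let the post-delete Job act on the cluster, an `equal` assert on the Role's `rules` (values from delete_hook.yaml, outside this hunk) would turn "should create Role ... by default" from an existence check into a least-privilege check.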
@@ -0,0 +1,26 @@
+suite: PodDisruptionBudget
+templates:
+ - pdb.yaml
+tests:
+ - it: should create a PDB when enabled in values (pdb.yaml)
+ values:
+ - ../.lint/pdb.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: PodDisruptionBudget
+ - matchSnapshot: {}
+
+ - it: sets PodDisruptionBudget labels when specified
+ values:
+ - ../.lint/pdb.yaml
+ - ../.lint/extra-labels.yaml
+ asserts:
+ - equal:
+ path: metadata.labels.app\.kubernetes\.io/name
+ value: teleport-kube-agent
+ - equal:
+ path: metadata.labels.resource
+ value: poddisruptionbudget
+ - matchSnapshot: {}
diff --git a/teleport-kube-agent/tests/podmonitor_test.yaml b/teleport-kube-agent/tests/podmonitor_test.yaml
new file mode 100644
index 0000000..474f346
--- /dev/null
+++ b/teleport-kube-agent/tests/podmonitor_test.yaml
@@ -0,0 +1,43 @@
+suite: PodMonitor
+templates:
+ - podmonitor.yaml
+tests:
+ - it: does not create a PodMonitor by default
+ set:
+ proxyAddr: proxy.example.com:3080
+ kubeClusterName: test-kube-cluster-name
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: creates a PodMonitor when enabled
+ set:
+ proxyAddr: proxy.example.com:3080
+ kubeClusterName: test-kube-cluster-name
+ podMonitor:
+ enabled: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: PodMonitor
+
+ - it: configures scrape interval if provided
+ set:
+ proxyAddr: proxy.example.com:3080
+ kubeClusterName: test-kube-cluster-name
+ podMonitor:
+ enabled: true
+ interval: 2m
+ asserts:
+ - equal:
+ path: spec.podMetricsEndpoints[0].interval
+ value: 2m
+
+ - it: wears additional labels if provided
+ asserts:
+ - equal:
+ path: metadata.labels.prometheus
+ value: default
+ values:
+ - ../.lint/podmonitor.yaml
\ No newline at end of file
diff --git a/teleport-kube-agent/tests/psp_test.yaml b/teleport-kube-agent/tests/psp_test.yaml
new file mode 100644
index 0000000..816d12e
--- /dev/null
+++ b/teleport-kube-agent/tests/psp_test.yaml
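Review bot: The last test in podmonitor_test.yaml, "wears additional labels if provided", puts `values:` after `asserts:` and is the only test in this line (and in the neighbouring suites) to do so, and the file ends without a trailing newline (`\ No newline at end of file`); moving `values:` above `asserts:` and adding the newline keeps the layout uniform and avoids a spurious hunk on the next edit. That test also omits the `proxyAddr`/`kubeClusterName` settings the other three tests supply, so presumably `../.lint/podmonitor.yaml` provides them — worth confirming, since the fixture is outside this hunk. The name would read more naturally as `sets additional labels if provided`.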
@@ -0,0 +1,55 @@ +suite: PodSecurityPolicy +templates: + - psp.yaml +tests: + - it: creates a PodSecurityPolicy when enabled in values and supported + capabilities: + majorVersion: 1 + minorVersion: 22 + set: + podSecurityPolicy: + enabled: true + asserts: + - hasDocuments: + count: 3 + - documentIndex: 0 + isKind: + of: PodSecurityPolicy + - documentIndex: 1 + isKind: + of: Role + - documentIndex: 2 + isKind: + of: RoleBinding + - matchSnapshot: {} + + - it: sets PodSecurityPolicy labels when specified + capabilities: + majorVersion: 1 + minorVersion: 22 + values: + - ../.lint/extra-labels.yaml + set: + podSecurityPolicy: + enabled: true + asserts: + - documentIndex: 0 + equal: + path: metadata.labels.app\.kubernetes\.io/name + value: teleport-kube-agent + - documentIndex: 0 + equal: + path: metadata.labels.resource + value: podsecuritypolicy + - matchSnapshot: {} + + - it: does not create a PodSecurityPolicy when enabled in values but not supported + capabilities: + majorVersion: 1 + minorVersion: 25 + set: + podSecurityPolicy: + enabled: true + asserts: + - hasDocuments: + count: 0 diff --git a/teleport-kube-agent/tests/role_test.yaml b/teleport-kube-agent/tests/role_test.yaml new file mode 100644 index 0000000..7a72555 --- /dev/null +++ b/teleport-kube-agent/tests/role_test.yaml @@ -0,0 +1,34 @@ +suite: Role +templates: + - role.yaml +tests: + - it: Create a Role when upgrading + release: + isupgrade: true + set: + unitTestUpgrade: true + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Role + + - it: creates a Role + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Role + - matchSnapshot: {} + + - it: sets Role labels when specified + values: + - ../.lint/extra-labels.yaml + asserts: + - equal: + path: metadata.labels.app\.kubernetes\.io/name + value: teleport-kube-agent + - equal: + path: metadata.labels.resource + value: role + - matchSnapshot: {} 
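Review bot: The supported/unsupported boundary in psp_test.yaml is not pinned: the suite renders at `minorVersion: 22` and `minorVersion: 25`, but PodSecurityPolicy was removed in Kubernetes 1.25, so a capability check in the template that flips at 1.23 or 1.24 would still pass both cases. A third case at `minorVersion: 24` asserting `count: 3` would lock the last supported release. The policy's own restrictions are only covered by `matchSnapshot: {}`, so a loosened PSP shows up as a snapshot update rather than a failing assertion; if the template sets `spec.privileged` or `spec.allowPrivilegeEscalation`, an explicit `equal` on those paths would make a regression visible.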
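Review bot: `release: isupgrade: true` in the `Create a Role when upgrading` case of role_test.yaml is not a key I can place in helm-unittest's documented `release` block (which exposes `upgrade`); if the key is unrecognised it is silently ignored and the case then differs from `creates a Role` only by the chart's own `unitTestUpgrade` value, so `Release.IsUpgrade` is never exercised. Please confirm the key against the helm-unittest version used in CI or change it to `upgrade: true`; the same key appears in rolebinding_test.yaml and throughout statefulset_test.yaml. Minor: `Create a Role when upgrading` is capitalised unlike the other `it:` names in the suite.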
diff --git a/teleport-kube-agent/tests/rolebinding_test.yaml b/teleport-kube-agent/tests/rolebinding_test.yaml new file mode 100644 index 0000000..bb13577 --- /dev/null +++ b/teleport-kube-agent/tests/rolebinding_test.yaml @@ -0,0 +1,34 @@ +suite: RoleBinding +templates: + - rolebinding.yaml +tests: + - it: Create a RoleBinding when upgrading + release: + isupgrade: true + set: + unitTestUpgrade: true + asserts: + - hasDocuments: + count: 1 + - isKind: + of: RoleBinding + + - it: creates a RoleBinding + asserts: + - hasDocuments: + count: 1 + - isKind: + of: RoleBinding + - matchSnapshot: {} + + - it: sets RoleBinding labels when specified + values: + - ../.lint/extra-labels.yaml + asserts: + - equal: + path: metadata.labels.app\.kubernetes\.io/name + value: teleport-kube-agent + - equal: + path: metadata.labels.resource + value: rolebinding + - matchSnapshot: {} diff --git a/teleport-kube-agent/tests/secret_test.yaml b/teleport-kube-agent/tests/secret_test.yaml new file mode 100644 index 0000000..086e2e4 --- /dev/null +++ b/teleport-kube-agent/tests/secret_test.yaml 
@@ -0,0 +1,101 @@ +suite: Secret +templates: + - secret.yaml +tests: + - it: generate a secret when neither authToken nor joinParams.tokenName are provided + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Secret + - matchSnapshot: {} + - it: generates a secret when authToken is provided + set: + authToken: sample-auth-token-dont-use-this + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Secret + - equal: + path: metadata.name + value: teleport-kube-agent-join-token + - matchSnapshot: {} + + - it: generates a secret when joinParams.tokenName is provided + set: + joinParams: + tokenName: sample-auth-token-dont-use-this + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Secret + - equal: + path: metadata.name + value: teleport-kube-agent-join-token + - matchSnapshot: {} + + - it: generates a secret with a custom name when authToken and secretName are provided + set: + authToken: sample-auth-token-dont-use-this + secretName: some-other-secret-name + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Secret + - equal: + path: metadata.name + value: some-other-secret-name + - matchSnapshot: {} + + - it: generates a secret with a custom name when authToken and joinTokenSecret.name are provided + set: + authToken: sample-auth-token-dont-use-this + joinTokenSecret: + name: some-other-secret-name + create: true + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Secret + - equal: + path: metadata.name + value: some-other-secret-name + - matchSnapshot: {} + + - it: does not create a secret when joinTokenSecret.create is false + set: + authToken: sample-auth-token-dont-use-this + joinTokenSecret: + name: some-other-secret-name + create: false + asserts: + - hasDocuments: + count: 0 + + - it: sets Secret labels when specified + values: + - ../.lint/extra-labels.yaml + asserts: + - equal: + path: metadata.labels.app\.kubernetes\.io/name + value: teleport-kube-agent + - equal: + path: metadata.labels.resource + value: secret + - matchSnapshot: 
{} + + - it: sets Secret annotations when specified + values: + - ../.lint/annotations.yaml + asserts: + - equal: + path: metadata.annotations.kubernetes\.io/secret + value: test-annotation + - equal: + path: metadata.annotations.kubernetes\.io/secret-different + value: 6 + - matchSnapshot: {} diff --git a/teleport-kube-agent/tests/serviceaccount_test.yaml b/teleport-kube-agent/tests/serviceaccount_test.yaml new file mode 100644 index 0000000..4b17670 --- /dev/null +++ b/teleport-kube-agent/tests/serviceaccount_test.yaml @@ -0,0 +1,33 @@ +suite: ServiceAccount +templates: + - serviceaccount.yaml +tests: + - it: sets ServiceAccount labels when specified + values: + - ../.lint/extra-labels.yaml + asserts: + - equal: + path: metadata.labels.app\.kubernetes\.io/name + value: teleport-kube-agent + - equal: + path: metadata.labels.resource + value: serviceaccount + - matchSnapshot: {} + + - it: sets ServiceAccount annotations when specified + values: + - ../.lint/annotations.yaml + asserts: + - equal: + path: metadata.annotations.kubernetes\.io/serviceaccount + value: test-annotation + - equal: + path: metadata.annotations.kubernetes\.io/serviceaccount-different + value: 5 + - matchSnapshot: {} + - it: skips ServiceAccount creation + set: + serviceAccount.create: false + asserts: + - hasDocuments: + count: 0 \ No newline at end of file diff --git a/teleport-kube-agent/tests/statefulset_test.yaml b/teleport-kube-agent/tests/statefulset_test.yaml new file mode 100644 index 0000000..b950b97 --- /dev/null +++ b/teleport-kube-agent/tests/statefulset_test.yaml 
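Review bot: `sets Secret annotations when specified` in secret_test.yaml asserts `value: 6` for `metadata.annotations.kubernetes\.io/secret-different`, i.e. it expects the rendered annotation to be a YAML integer. Kubernetes annotation values are `map[string]string`, so if the chart really emits an unquoted `6` the API server rejects the manifest; if the fixture quotes it, the assertion should be `value: "6"` to match. Worth checking the `../.lint/annotations.yaml` fixture and the template's rendering (a bare `toYaml` would preserve the integer). The same pattern appears with `value: 5` in serviceaccount_test.yaml, `value: 4` in statefulset_test.yaml and `value: 3` / `value: 4` in updater_deployment_test.yaml.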
@@ -0,0 +1,721 @@ +suite: StatefulSet +templates: + - statefulset.yaml + - config.yaml +tests: + - it: creates a StatefulSet + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + elease: + isupgrade: true + asserts: + - isKind: + of: StatefulSet + - hasDocuments: + count: 1 + + - it: sets StatefulSet labels when specified + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + - ../.lint/extra-labels.yaml + asserts: + - equal: + path: metadata.labels.app\.kubernetes\.io/name + value: teleport-kube-agent + - equal: + path: metadata.labels.resource + value: deployment + - matchSnapshot: {} + + - it: sets Pod labels when specified + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + - ../.lint/extra-labels.yaml + asserts: + - equal: + path: spec.template.metadata.labels.app\.kubernetes\.io/name + value: teleport-kube-agent + - equal: + path: spec.template.metadata.labels.resource + value: pod + - matchSnapshot: + path: spec.template.spec + + - it: sets Pod annotations when specified + template: statefulset.yaml + values: + - ../.lint/annotations.yaml + - ../.lint/stateful.yaml + asserts: + - equal: + path: spec.template.metadata.annotations.kubernetes\.io/pod + value: test-annotation + - equal: + path: spec.template.metadata.annotations.kubernetes\.io/pod-different + value: 4 + - matchSnapshot: + path: spec.template.spec + + - it: should have one replica when replicaCount is not set + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + asserts: + - equal: + path: spec.replicas + value: 1 + - matchSnapshot: + path: spec.template.spec + + - it: should have multiple replicas when replicaCount is set (using .replicaCount, deprecated) + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + set: + replicaCount: 3 + asserts: + - equal: + path: spec.replicas + value: 3 + - matchSnapshot: + path: spec.template.spec + + - it: should have multiple replicas when replicaCount is set (using 
highAvailability.replicaCount) + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + set: + highAvailability: + replicaCount: 3 + asserts: + - equal: + path: spec.replicas + value: 3 + - matchSnapshot: + path: spec.template.spec + + - it: should set affinity when set in values + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + - ../.lint/affinity.yaml + asserts: + - isNotNull: + path: spec.template.spec.affinity + - matchSnapshot: + path: spec.template.spec + + - it: should set required affinity when highAvailability.requireAntiAffinity is set + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + set: + highAvailability: + replicaCount: 2 + requireAntiAffinity: true + asserts: + - isNotNull: + path: spec.template.spec.affinity + - isNotNull: + path: spec.template.spec.affinity.podAntiAffinity + - isNotNull: + path: spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution + - isNull: + path: spec.template.spec.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution + - matchSnapshot: + path: spec.template.spec + + - it: should set preferred affinity when more than one replica is used + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + set: + highAvailability: + replicaCount: 3 + asserts: + - isNotNull: + path: spec.template.spec.affinity + - isNotNull: + path: spec.template.spec.affinity.podAntiAffinity + - isNotNull: + path: spec.template.spec.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution + - isNull: + path: spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution + - matchSnapshot: + path: spec.template.spec + + - it: should set tolerations when set in values + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + - ../.lint/tolerations.yaml + asserts: + - isNotNull: + path: spec.template.spec.tolerations + - matchSnapshot: + path: spec.template.spec + + - it: should set resources 
when set in values + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + - ../.lint/resources.yaml + asserts: + - equal: + path: spec.template.spec.containers[0].resources.limits.cpu + value: 2 + - equal: + path: spec.template.spec.containers[0].resources.limits.memory + value: 4Gi + - equal: + path: spec.template.spec.containers[0].resources.requests.cpu + value: 1 + - equal: + path: spec.template.spec.containers[0].resources.requests.memory + value: 2Gi + - matchSnapshot: + path: spec.template.spec + + - it: should set SecurityContext + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + asserts: + - equal: + path: spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation + value: false + - equal: + path: spec.template.spec.containers[0].securityContext.capabilities + value: + drop: + - all + - equal: + path: spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem + value: true + - equal: + path: spec.template.spec.containers[0].securityContext.runAsNonRoot + value: true + - equal: + path: spec.template.spec.containers[0].securityContext.runAsUser + value: 9807 + - matchSnapshot: + path: spec.template.spec + + - it: should set image and tag correctly + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + set: + teleportVersionOverride: 12.2.1 + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: public.ecr.aws/gravitational/teleport-distroless:12.2.1 + - matchSnapshot: + path: spec.template.spec + + - it: should mount extraVolumes and extraVolumeMounts + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + - ../.lint/volumes.yaml + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /path/to/mount + name: my-mount + - contains: + path: spec.template.spec.volumes + content: + name: my-mount + secret: + secretName: mySecret + - matchSnapshot: + path: spec.template.spec + + - it: should mount auth token if 
token is provided + template: statefulset.yaml + values: + - ../.lint/join-params-token.yaml + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - contains: + path: spec.template.spec.volumes + content: + name: auth-token + secret: + secretName: teleport-kube-agent-join-token + + - it: should set imagePullPolicy when set in values + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + set: + imagePullPolicy: Always + asserts: + - equal: + path: spec.template.spec.containers[0].imagePullPolicy + value: Always + - matchSnapshot: + path: spec.template.spec + + - it: should set environment when extraEnv set in values + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + set: + extraEnv: + - name: HTTPS_PROXY + value: "http://username:password@my.proxy.host:3128" + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - contains: + path: spec.template.spec.containers[0].env + content: + name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - contains: + path: spec.template.spec.containers[0].env + content: + name: HTTPS_PROXY + value: "http://username:password@my.proxy.host:3128" + - matchSnapshot: + path: spec.template.spec + + - it: should provision initContainer correctly when set in values + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + - ../.lint/initcontainers.yaml + asserts: + - contains: + path: spec.template.spec.initContainers[0].args + content: "echo test" + - equal: + path: spec.template.spec.initContainers[0].name + value: "teleport-init" + - equal: + path: spec.template.spec.initContainers[0].image + value: "alpine" + - equal: + path: spec.template.spec.initContainers[0].resources.limits.cpu + value: 2 + - equal: + path: 
spec.template.spec.initContainers[0].resources.limits.memory + value: 4Gi + - equal: + path: spec.template.spec.initContainers[0].resources.requests.cpu + value: 1 + - equal: + path: spec.template.spec.initContainers[0].resources.requests.memory + value: 2Gi + - matchSnapshot: + path: spec.template.spec + + - it: should add insecureSkipProxyTLSVerify to args when set in values + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + set: + insecureSkipProxyTLSVerify: true + asserts: + - contains: + path: spec.template.spec.containers[0].args + content: "--insecure" + - matchSnapshot: + path: spec.template.spec + + - it: should expose diag port + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + asserts: + - contains: + path: spec.template.spec.containers[0].ports + content: + name: diag + containerPort: 3000 + protocol: TCP + - matchSnapshot: + path: spec.template.spec + + - it: should set nodeSelector if set in values + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + - ../.lint/node-selector.yaml + asserts: + - equal: + path: spec.template.spec.nodeSelector + value: + gravitational.io/k8s-role: node + - matchSnapshot: + path: spec.template.spec + + - it: should not add emptyDir for data when using StatefulSet + template: statefulset.yaml + release: + isupgrade: true + set: + unitTestUpgrade: true + values: + - ../.lint/stateful.yaml + asserts: + - notContains: + path: spec.template.spec.volumes + content: + name: data + emptyDir: {} + - matchSnapshot: + path: spec.template.spec + + - it: should add volumeMount for data volume when using StatefulSet + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + asserts: + - notContains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: data + mountPath: RELEASE-NAME-teleport-data + - matchSnapshot: + path: spec.template.spec + + - it: should add volumeClaimTemplate for data volume when using StatefulSet and action is an Upgrade + template: 
statefulset.yaml + values: + - ../.lint/stateful.yaml + set: + # unit test does not support lookup functions, so to test the behavior we use this undoc value + # https://github.com/helm/helm/issues/8137 + unitTestUpgrade: true + release: + isupgrade: true + asserts: + - isNotNull: + path: spec.volumeClaimTemplates[0].spec + - matchSnapshot: + path: spec.template.spec + + - it: should add volumeClaimTemplate for data volume when using StatefulSet and is Fresh Install + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + set: + # unit test does not support lookup functions, so to test the behavior we use this undoc value + # https://github.com/helm/helm/issues/8137 + unitTestUpgrade: true + release: + isupgrade: false + asserts: + - isNotNull: + path: spec.volumeClaimTemplates + - matchSnapshot: {} + + - it: should set storage.storageClassName when set in values and action is an Upgrade + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + release: + isupgrade: true + set: + # unit test does not support lookup functions, so to test the behavior we use this undoc value + # https://github.com/helm/helm/issues/8137 + unitTestUpgrade: true + + storage: + storageClassName: helm-lint-storage-class + asserts: + - equal: + path: spec.volumeClaimTemplates[0].spec.storageClassName + value: helm-lint-storage-class + - matchSnapshot: + path: spec.template.spec + + - it: should set storage.requests when set in values and action is an Upgrade + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + release: + isupgrade: true + set: + storage: + requests: 256Mi + # unit test does not support lookup functions, so to test the behavior we use this undoc value + # https://github.com/helm/helm/issues/8137 + unitTestUpgrade: true + asserts: + - equal: + path: spec.volumeClaimTemplates[0].spec.resources.requests.storage + value: 256Mi + - matchSnapshot: + path: spec.template.spec + + - it: should mount tls.existingCASecretName and set environment 
when set in values + template: statefulset.yaml + values: + - ../.lint/existing-tls-secret-with-ca.yaml + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: teleport-tls-ca + secret: + secretName: helm-lint-existing-tls-secret-ca + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /etc/teleport-tls-ca + name: teleport-tls-ca + readOnly: true + - contains: + path: spec.template.spec.containers[0].env + content: + name: SSL_CERT_FILE + value: /etc/teleport-tls-ca/ca.pem + - matchSnapshot: + path: spec.template.spec + + - it: should mount tls.existingCASecretName and set extra environment when set in values + template: statefulset.yaml + values: + - ../.lint/existing-tls-secret-with-ca.yaml + - ../.lint/extra-env.yaml + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: teleport-tls-ca + secret: + secretName: helm-lint-existing-tls-secret-ca + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /etc/teleport-tls-ca + name: teleport-tls-ca + readOnly: true + - contains: + path: spec.template.spec.containers[0].env + content: + name: SSL_CERT_FILE + value: /etc/teleport-tls-ca/ca.pem + - contains: + path: spec.template.spec.containers[0].env + content: + name: HTTPS_PROXY + value: http://username:password@my.proxy.host:3128 + - matchSnapshot: + path: spec.template.spec + + + - it: should set serviceAccountName when set in values + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + - ../.lint/service-account-name.yaml + asserts: + - equal: + path: spec.template.spec.serviceAccountName + value: teleport-kube-agent-sa + - matchSnapshot: + path: spec.template.spec + + - it: should set default serviceAccountName when not set in values + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + - ../.lint/backwards-compatibility.yaml + asserts: + - equal: + path: spec.template.spec.serviceAccountName + value: RELEASE-NAME + - 
matchSnapshot: + path: spec.template.spec + + - it: should set probeTimeoutSeconds when set in values + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + - ../.lint/probe-timeout-seconds.yaml + asserts: + - equal: + path: spec.template.spec.containers[0].livenessProbe.timeoutSeconds + value: 5 + - equal: + path: spec.template.spec.containers[0].readinessProbe.timeoutSeconds + value: 5 + - matchSnapshot: + path: spec.template.spec + + - it: should set dnsConfig when set in values + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + - ../.lint/dnsconfig.yaml + asserts: + - notEqual: + path: spec.template.spec.dnsConfig + value: null + - matchSnapshot: + path: spec.template.spec.dnsConfig + + - it: should set dnsPolicy when set in values + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + - ../.lint/dnsconfig.yaml + asserts: + - equal: + path: spec.template.spec.dnsPolicy + value: ClusterFirstWithHostNet + + - it: should install Statefulset when storage is disabled and mode is a Fresh Install + template: statefulset.yaml + release: + isupgrade: false + values: + - ../.lint/stateful.yaml + set: + storage: + enabled: false + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - contains: + path: spec.template.spec.containers[0].env + content: + name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - notContains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: data + mountPath: RELEASE-NAME-teleport-data + - isNull: + path: spec.volumeClaimTemplates + - matchSnapshot: + path: spec.template.spec + + - it: should generate Statefulset when storage is disabled and mode is a Upgrade + template: statefulset.yaml + release: + isupgrade: true + values: + - ../.lint/stateful.yaml + set: + unitTestUpgrade: false + storage: + enabled: false + asserts: + - contains: + path: 
spec.template.spec.containers[0].env + content: + name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - contains: + path: spec.template.spec.containers[0].env + content: + name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - notContains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: data + mountPath: RELEASE-NAME-teleport-data + - isNull: + path: spec.volumeClaimTemplates + - matchSnapshot: + path: spec.template.spec + + - it: sets by default a container security context + template: statefulset.yaml + values: + - ../.lint/initcontainers.yaml + asserts: + - matchSnapshot: + path: spec.template.spec.initContainers[0].securityContext + - matchSnapshot: + path: spec.template.spec.containers[0].securityContext + + - it: sets no container security context when manually unset + template: statefulset.yaml + values: + - ../.lint/initcontainers.yaml + - ../.lint/security-context-empty.yaml + asserts: + - equal: + path: spec.template.spec.initContainers[0].securityContext + value: null + - equal: + path: spec.template.spec.containers[0].securityContext + value: null + + - it: should enable maintenance schedule export when updater is enabled + template: statefulset.yaml + values: + - ../.lint/existing-tls-secret-with-ca.yaml + - ../.lint/updater.yaml + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: TELEPORT_EXT_UPGRADER + value: kube + + - it: should set the installation method environment variable + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + + - it: should set the hostAliases when specified + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + - ../.lint/host-aliases.yaml + asserts: + - equal: + path: spec.template.spec.hostAliases + value: + - ip: "127.0.0.1" + hostnames: 
+ - "foo.local" + - "bar.local" + - ip: "10.1.2.3" + hostnames: + - "foo.remote" + - "bar.remote" diff --git a/teleport-kube-agent/tests/updater_deployment_test.yaml b/teleport-kube-agent/tests/updater_deployment_test.yaml new file mode 100644 index 0000000..1ec3429 --- /dev/null +++ b/teleport-kube-agent/tests/updater_deployment_test.yaml 
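Review bot: The first case in statefulset_test.yaml, `creates a StatefulSet`, has `elease: isupgrade: true` — a misspelling of `release`, which helm-unittest will ignore, so the case silently runs in install mode rather than the upgrade path the key was meant to select. Separately, `should add volumeMount for data volume when using StatefulSet` asserts `notContains` with `mountPath: RELEASE-NAME-teleport-data`: a relative `mountPath` is not something the template would render, so the negative assertion passes vacuously and never checks that the data mount exists; the title suggests it should be `contains` against the real mount path (`/var/lib/teleport` or whatever `config.yaml` uses). The same vacuous `notContains` is repeated in the two `storage is disabled` cases, where it is at least consistent with the intent.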
@@ -0,0 +1,227 @@ +suite: Updater Deployment +templates: + - updater/deployment.yaml +tests: + # + # Basic tests + # + - it: does not create a Deployment when updater.enabled is false (default) + asserts: + - hasDocuments: + count: 0 + - it: creates a Deployment when updater.enabled is true + values: + - ../.lint/updater.yaml + asserts: + - containsDocument: + kind: Deployment + apiVersion: apps/v1 + name: RELEASE-NAME-updater + namespace: NAMESPACE + # + # Testing the agent configuration + # + - it: sets the updater base image + values: + - ../.lint/updater.yaml + set: + image: repo.example.com/gravitational/teleport-distroless + asserts: + - contains: + path: spec.template.spec.containers[0].args + content: "--base-image=repo.example.com/gravitational/teleport-distroless" + - it: sets the updater base entreprise image + values: + - ../.lint/updater.yaml + set: + enterprise: true + asserts: + - contains: + path: spec.template.spec.containers[0].args + content: "--base-image=public.ecr.aws/gravitational/teleport-ent-distroless" + - it: sets the updater agent name + values: + - ../.lint/updater.yaml + release: + name: my-release + asserts: + - contains: + path: spec.template.spec.containers[0].args + content: "--agent-name=my-release" + - it: sets the updater agent namespace + values: + - ../.lint/updater.yaml + release: + namespace: my-namespace + asserts: + - contains: + path: spec.template.spec.containers[0].args + content: "--agent-namespace=my-namespace" + - it: sets the updater version server + values: + - ../.lint/updater.yaml + asserts: + - contains: + path: spec.template.spec.containers[0].args + content: "--version-server=https://my-custom-version-server/v1" + - it: sets the updater release channel + values: + - ../.lint/updater.yaml + asserts: + - contains: + path: spec.template.spec.containers[0].args + content: "--version-channel=custom/preview" + # + # Kubernetes-related tests + # + - it: sets the deployment annotations + values: + - 
../.lint/updater.yaml + - ../.lint/annotations.yaml + asserts: + - equal: + path: metadata.annotations.kubernetes\.io/deployment + value: test-annotation + - equal: + path: metadata.annotations.kubernetes\.io/deployment-different + value: 3 + - it: sets the pod annotations + values: + - ../.lint/updater.yaml + - ../.lint/annotations.yaml + asserts: + - equal: + path: spec.template.metadata.annotations.kubernetes\.io/pod + value: test-annotation + - equal: + path: spec.template.metadata.annotations.kubernetes\.io/pod-different + value: 4 + - it: sets the affinity + values: + - ../.lint/updater.yaml + - ../.lint/affinity.yaml + asserts: + - isNotNull: + path: spec.template.spec.affinity + - matchSnapshot: + path: spec.template.spec + - it: sets the tolerations + values: + - ../.lint/updater.yaml + - ../.lint/tolerations.yaml + asserts: + - isNotNull: + path: spec.template.spec.tolerations + - matchSnapshot: + path: spec.template.spec + - it: sets the imagePullSecrets + values: + - ../.lint/updater.yaml + - ../.lint/imagepullsecrets.yaml + asserts: + - equal: + path: spec.template.spec.imagePullSecrets[0].name + value: myRegistryKeySecretName + - it: sets the nodeSelector + values: + - ../.lint/updater.yaml + - ../.lint/node-selector.yaml + asserts: + - equal: + path: spec.template.spec.nodeSelector + value: + gravitational.io/k8s-role: node + - it: sets the updater container image and version + values: + - ../.lint/updater.yaml + set: + teleportVersionOverride: 12.2.1 + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: public.ecr.aws/gravitational/teleport-kube-agent-updater:12.2.1 + - it: sets the updater container imagePullPolicy + values: + - ../.lint/updater.yaml + - ../.lint/image-pull-policy.yaml + asserts: + - equal: + path: spec.template.spec.containers[0].imagePullPolicy + value: Always + - it: mounts the tls CA if provided and set the env var + values: + - ../.lint/updater.yaml + - ../.lint/existing-tls-secret-with-ca.yaml + 
asserts: + - contains: + path: spec.template.spec.volumes + content: + name: teleport-tls-ca + secret: + secretName: helm-lint-existing-tls-secret-ca + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /etc/teleport-tls-ca + name: teleport-tls-ca + readOnly: true + - contains: + path: spec.template.spec.containers[0].env + content: + name: SSL_CERT_FILE + value: /etc/teleport-tls-ca/ca.pem + - it: sets the updater container extraEnv + values: + - ../.lint/updater.yaml + - ../.lint/extra-env.yaml + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: HTTPS_PROXY + value: http://username:password@my.proxy.host:3128 + - it: sets the pod resources + values: + - ../.lint/updater.yaml + - ../.lint/resources.yaml + asserts: + - equal: + path: spec.template.spec.containers[0].resources.limits.cpu + value: 2 + - equal: + path: spec.template.spec.containers[0].resources.limits.memory + value: 4Gi + - equal: + path: spec.template.spec.containers[0].resources.requests.cpu + value: 1 + - equal: + path: spec.template.spec.containers[0].resources.requests.memory + value: 2Gi + - it: sets the pod priorityClass + values: + - ../.lint/updater.yaml + - ../.lint/priority-class-name.yaml + asserts: + - equal: + path: spec.template.spec.priorityClassName + value: teleport-kube-agent + - it: sets the pod service-account + values: + - ../.lint/updater.yaml + - ../.lint/service-account-name.yaml + asserts: + - equal: + path: spec.template.spec.serviceAccountName + value: teleport-kube-agent-sa-updater + - it: sets the pod service-account (override) + values: + - ../.lint/updater.yaml + - ../.lint/service-account-name.yaml + set: + updater: + serviceAccount: + name: distinct-updater-sa + asserts: + - equal: + path: spec.template.spec.serviceAccountName + value: distinct-updater-sa 
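Review bot: updater_deployment_test.yaml has no case asserting the updater container's `securityContext`, while statefulset_test.yaml pins `allowPrivilegeEscalation`, `readOnlyRootFilesystem`, `runAsNonRoot` and `runAsUser` for the agent. The updater holds a Role that lets it modify the agent workload, so its pod hardening is at least as important; if `updater/deployment.yaml` sets a security context, an `equal` on `spec.template.spec.containers[0].securityContext.runAsNonRoot` with `value: true` (and the other fields) would keep it from silently regressing. Minor: `sets the updater base entreprise image` should read `enterprise`.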
diff --git a/teleport-kube-agent/tests/updater_role_test.yaml b/teleport-kube-agent/tests/updater_role_test.yaml new file mode 100644 index 0000000..c0266c7 --- /dev/null +++ b/teleport-kube-agent/tests/updater_role_test.yaml @@ -0,0 +1,39 @@ +suite: Updater Role +templates: + - updater/role.yaml +tests: + # + # Basic tests + # + - it: does not create a Role when updater.enabled is false (default) + asserts: + - hasDocuments: + count: 0 + - it: creates a Role when updater.enabled is true + values: + - ../.lint/updater.yaml + asserts: + - containsDocument: + kind: Role + apiVersion: rbac.authorization.k8s.io/v1 + name: RELEASE-NAME-updater + namespace: NAMESPACE + - it: does not create a Role when updater.enabled is true but rbac creation is disabled + values: + - ../.lint/updater.yaml + set: + rbac: + create: false + asserts: + - hasDocuments: + count: 0 + + # + # Catch-all content test + # + - it: sets the correct role rules + values: + - ../.lint/updater.yaml + asserts: + - matchSnapshot: + path: rules diff --git a/teleport-kube-agent/tests/updater_rolebinding_test.yaml b/teleport-kube-agent/tests/updater_rolebinding_test.yaml new file mode 100644 index 0000000..2b04f74 --- /dev/null +++ b/teleport-kube-agent/tests/updater_rolebinding_test.yaml 
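Review bot: `sets the correct role rules` in updater_role_test.yaml checks the Role's `rules` only through `matchSnapshot: path: rules`, so a widened verb set or an added resource becomes a snapshot refresh rather than a failing test. For a Role that is expected to grant write access to the agent workload, an explicit `equal: path: rules` with the expected `apiGroups`/`resources`/`verbs` lists (copied from the template's current output) makes any privilege change a reviewable diff in the test itself. updater_rolebinding_test.yaml already does this with `equal` on `roleRef` and `subjects`, so this would bring the two suites in line.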
@@ -0,0 +1,49 @@ +suite: Updater Role +templates: + - updater/rolebinding.yaml +tests: + # + # Basic tests + # + - it: does not create a RoleBinding when updater.enabled is false (default) + asserts: + - hasDocuments: + count: 0 + - it: creates a RoleBinding when updater.enabled is true + values: + - ../.lint/updater.yaml + asserts: + - containsDocument: + kind: RoleBinding + apiVersion: rbac.authorization.k8s.io/v1 + name: RELEASE-NAME-updater + namespace: NAMESPACE + - it: does not create a RoleBinding when updater.enabled is true but rbac creation is disabled + values: + - ../.lint/updater.yaml + set: + rbac: + create: false + asserts: + - hasDocuments: + count: 0 + + # + # Catch-all content test + # + - it: sets the correct rolebinding content + values: + - ../.lint/updater.yaml + asserts: + - equal: + path: roleRef + value: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: RELEASE-NAME-updater + - equal: + path: subjects + value: + - kind: ServiceAccount + name: RELEASE-NAME-updater + namespace: NAMESPACE diff --git a/teleport-kube-agent/values.schema.json b/teleport-kube-agent/values.schema.json new file mode 100644 index 0000000..cd0b57b --- /dev/null +++ b/teleport-kube-agent/values.schema.json 
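Review bot: `suite: Updater Role` in updater_rolebinding_test.yaml duplicates the suite name of updater_role_test.yaml, which makes the two sets of results indistinguishable in helm-unittest output and snapshot naming. Suggest `suite: Updater RoleBinding` to match the `RoleBinding` suite naming used in rolebinding_test.yaml.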
@@ -0,0 +1,647 @@
+{
+ "$schema": "http://json-schema.org/draft-07/schema",
+ "type": "object",
+ "required": [
+ "proxyAddr",
+ "roles",
+ "joinParams",
+ "kubeClusterName",
+ "apps",
+ "appResources",
+ "awsDatabases",
+ "azureDatabases",
+ "databases",
+ "databaseResources",
+ "teleportVersionOverride",
+ "insecureSkipProxyTLSVerify",
+ "teleportConfig",
+ "existingDataVolume",
+ "podSecurityPolicy",
+ "labels",
+ "image",
+ "clusterRoleName",
+ "clusterRoleBindingName",
+ "roleName",
+ "roleBindingName",
+ "podMonitor",
+ "serviceAccountName",
+ "secretName",
+ "log",
+ "affinity",
+ "annotations",
+ "extraVolumes",
+ "extraVolumeMounts",
+ "imagePullPolicy",
+ "initContainers",
+ "resources",
+ "tolerations",
+ "probeTimeoutSeconds"
+ ],
+ "properties": {
+ "authToken": {
+ "$id": "#/properties/authToken",
+ "type": "string",
+ "default": ""
+ },
+ "proxyAddr": {
+ "$id": "#/properties/proxyAddr",
+ "type": "string",
+ "default": ""
+ },
+ "roles": {
+ "$id": "#/properties/roles",
+ "type": "string",
+ "default": "kube"
+ },
+ "joinParams": {
+ "$id": "#/properties/joinParams",
+ "type": "object",
+ "required": ["method"],
+ "properties": {
+ "tokenName": {
+ "$id": "#/properties/joinParams/tokenName",
+ "type": "string",
+ "default": ""
+ },
+ "method": {
+ "$id": "#/properties/joinParams/method",
+ "type": "string",
+ "default": "token"
+ },
+ "additionalProperties": false
+ }
+ },
+ "kubeClusterName": {
+ "$id": "#/properties/kubeClusterName",
+ "type": "string",
+ "default": ""
+ },
+ "apps": {
+ "$id": "#/properties/apps",
+ "type": "array",
+ "default": [],
+ "required": [
+ "name",
+ "uri"
+ ],
+ "properties": {
+ "name": {
+ "$id": "#/properties/apps/name",
+ "type": "string",
+ "default": ""
+ },
+ "uri": {
+ "$id": "#/properties/apps/uri",
+ "type": "string",
+ "default": ""
+ },
+ "additionalProperties": true
+ }
+ },
+ "appResources": {
+ "$id": "#/properties/appResources",
+ "type": "array",
+ "default": [],
+ "required": [
+ "labels"
+ ],
+ "properties": {
+ "labels": {
+ "$id": "#/properties/appResources/labels",
+ "type": "object"
+ },
+ "additionalProperties": false
+ }
+ },
+ "awsDatabases": {
+ "$id": "#/properties/awsDatabases",
+ "type": "array",
+ "default": [],
+ "required": [
+ "types",
+ "regions",
+ "tags"
+ ],
+ "properties": {
+ "types": {
+ "$id": "#/properties/awsDatabases/types",
+ "type": "array",
+ "default": []
+ },
+ "regions": {
+ "$id": "#/properties/awsDatabases/regions",
+ "type": "string",
+ "default": []
+ },
+ "tags": {
+ "$id": "#/properties/awsDatabases/tags",
+ "type": "string",
+ "default": []
+ },
+ "additionalProperties": false
+ }
+ },
+ "azureDatabases": {
+ "$id": "#/properties/azureDatabases",
+ "type": "array",
+ "default": [],
+ "items": {
+ "type": "object",
+ "default": {},
+ "required": [
+ "types",
+ "tags"
+ ],
+ "properties": {
+ "types": {
+ "$id": "#/properties/azureDatabases/types",
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "default": []
+ },
+ "tags": {
+ "$id": "#/properties/azureDatabases/tags",
+ "type": "object",
+ "default": {},
+ "additionalProperties": {
+ "oneOf": [
+ {
+ "type": "string"
+ },
+ {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ }
+ ]
+ }
+ },
+ "subscriptions": {
+ "$id": "#/properties/azureDatabases/subscriptions",
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "default": []
+ },
+ "regions": {
+ "$id": "#/properties/azureDatabases/regions",
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "default": []
+ },
+ "resource_groups": {
+ "$id": "#/properties/azureDatabases/resource_groups",
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "default": []
+ },
+ "additionalProperties": false
+ }
+ }
+ },
+ "databases": {
+ "$id": "#/properties/databases",
+ "type": "array",
+ "default": []
+ },
+ "databaseResources": {
+ "$id": "#/properties/databaseResources",
+ "type": "array",
+ "default": [],
+ "required": [
+ "labels"
+ ],
+ "properties": {
+ "labels": {
+ "$id": "#/properties/databaseResources/labels",
+ "type": "object"
+ },
+ "additionalProperties": false
+ }
+ },
+ "teleportVersionOverride": {
+ "$id": "#/properties/teleportVersionOverride",
+ "type": "string",
+ "default": ""
+ },
+ "caPin": {
+ "$id": "#/properties/caPin",
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "default": []
+ },
+ "insecureSkipProxyTLSVerify": {
+ "$id": "#/properties/insecureSkipProxyTLSVerify",
+ "type": "boolean",
+ "default": false
+ },
+ "teleportConfig": {
+ "$id": "#/properties/teleportConfig",
+ "type": "object",
+ "default": {}
+ },
+ "tls": {
+ "$id": "#/properties/tls",
+ "type": "object",
+ "required": [
+ "existingCASecretName"
+ ],
+ "properties": {
+ "existingCASecretName": {
+ "$id": "#/properties/tls/properties/existingCASecretName",
+ "type": "string",
+ "default": ""
+ }
+ }
+ },
+ "existingDataVolume": {
+ "$id": "#/properties/existingDataVolume",
+ "type": "string",
+ "default": ""
+ },
+ "podSecurityPolicy": {
+ "$id": "#/properties/podSecurityPolicy",
+ "type": "object",
+ "required": [
+ "enabled"
+ ],
+ "properties": {
+ "enabled": {
+ "$id": "#/properties/podSecurityPolicy/properties/enabled",
+ "type": "boolean",
+ "default": true
+ }
+ }
+ },
+ "labels": {
+ "$id": "#/properties/labels",
+ "type": "object",
+ "default": {}
+ },
+ "image": {
+ "$id": "#/properties/image",
+ "type": "string",
+ "default": "public.ecr.aws/gravitational/teleport-distroless"
+ },
+ "enterpriseImage": {
+ "$id": "#/properties/enterpriseImage",
+ "type": "string",
+ "default": "public.ecr.aws/gravitational/teleport-ent-distroless"
+ },
+ "imagePullSecrets": {
+ "$id": "#/properties/imagePullSecrets",
+ "type": "array",
+ "default": []
+ },
+ "replicaCount": {
+ "$id": "#/properties/replicaCount",
+ "type": "integer",
+ "default": 1
+ },
+ "clusterRoleName": {
+ "$id": "#/properties/clusterRoleName",
+ "type": "string",
+ "default": ""
+ },
+ "clusterRoleBindingName": {
+ "$id": "#/properties/clusterRoleBindingName",
+ "type": "string",
+ "default": ""
+ },
+ "roleName": {
+ "$id": "#/properties/roleName",
+ "type": "string",
+ "default": ""
+ },
+ "roleBindingName": {
+ "$id": "#/properties/roleBindingName",
+ "type": "string",
+ "default": ""
+ },
+ "highAvailability": {
+ "$id": "#/properties/highAvailability",
+ "type": "object",
+ "required": [
+ "podDisruptionBudget",
+ "replicaCount",
+ "requireAntiAffinity"
+ ],
+ "properties": {
+ "podDisruptionBudget": {
+ "$id": "#/properties/highAvailability/properties/podDisruptionBudget",
+ "type": "object",
+ "required": [
+ "enabled",
+ "minAvailable"
+ ],
+ "properties": {
+ "enabled": {
+ "$id": "#/properties/highAvailability/properties/podDisruptionBudget/properties/enabled",
+ "type": "boolean",
+ "default": false
+ },
+ "minAvailable": {
+ "$id": "#/properties/highAvailability/properties/podDisruptionBudget/properties/minAvailable",
+ "type": "integer",
+ "default": 1
+ }
+ }
+ },
+ "replicaCount": {
+ "$id": "#/properties/highAvailability/properties/replicaCount",
+ "type": "integer",
+ "default": 1
+ },
+ "requireAntiAffinity": {
+ "$id": "#/properties/highAvailability/properties/requireAntiAffinity",
+ "type": "boolean",
+ "default": false
+ }
+ }
+ },
+ "podMonitor": {
+ "$id": "#/properties/podMonitor",
+ "type": "object",
+ "required": ["enabled"],
+ "properties": {
+ "enabled": {
+ "$id": "#/properties/podMonitor/enabled",
+ "type": "boolean",
+ "default": false
+ },
+ "additionalLabels": {
+ "$id": "#/properties/podMonitor/additionalLabels",
+ "type": "object",
+ "default": {"prometheus": "default"},
+ "additionalProperties": {"type": "string"}
+ },
+ "interval": {
+ "$id": "#/properties/podMonitor/interval",
+ "type": "string",
+ "default": "30s"
+ }
+ }
+ },
+ "priorityClassName": {
+ "$id": "#/properties/priorityClassName",
+ "type": "string",
+ "default": ""
+ },
+ "serviceAccountName": {
+ "$id": "#/properties/serviceAccountName",
+ "type": "string",
+ "default": ""
+ },
+ "secretName": {
+ "$id": "#/properties/secretName",
+ "type": "string",
+ "default": "teleport-kube-agent-join-token"
+ },
+ "log": {
+ "$id": "#/properties/log",
+ "type": "object",
+ "required": [
+ "output",
+ "format",
+ "extraFields"
+ ],
+ "properties": {
+ "level": {
+ "$id": "#/properties/log/properties/level",
+ "type": "string",
+ "enum": [
+ "DEBUG",
+ "INFO",
+ "WARN",
+ "WARNING",
+ "ERROR"
+ ],
+ "default": "INFO"
+ },
+ "deployment": {
+ "$id": "#/properties/log/properties/output",
+ "type": "string",
+ "default": {}
+ },
+ "pod": {
+ "$id": "#/properties/log/properties/format",
+ "type": "string",
+ "default": {}
+ },
+ "service": {
+ "$id": "#/properties/log/properties/extraFields",
+ "type": "array",
+ "default": {}
+ }
+ }
+ },
+ "affinity": {
+ "$id": "#/properties/affinity",
+ "type": "object",
+ "default": {}
+ },
+ "dnsConfig": {
+ "$id": "#/properties/dnsConfig",
+ "type": "object",
+ "default": {}
+ },
+ "dnsPolicy": {
+ "$id": "#/properties/dnsPolicy",
+ "type": "string",
+ "default": ""
+ },
+ "extraLabels": {
+ "$id": "#/properties/extraLabels",
+ "type": "object",
+ "properties": {
+ "clusterRole": {
+ "$id": "#/properties/extraLabels/properties/clusterRole",
+ "type": "object",
+ "default": {}
+ },
+ "clusterRoleBinding": {
+ "$id": "#/properties/extraLabels/properties/clusterRoleBinding",
+ "type": "object",
+ "default": {}
+ },
+ "role": {
+ "$id": "#/properties/extraLabels/properties/role",
+ "type": "object",
+ "default": {}
+ },
+ "roleBinding": {
+ "$id": "#/properties/extraLabels/properties/roleBinding",
+ "type": "object",
+ "default": {}
+ },
+ "config": {
+ "$id": "#/properties/extraLabels/properties/config",
+ "type": "object",
+ "default": {}
+ },
+ "deployment": {
+ "$id": "#/properties/extraLabels/properties/deployment",
+ "type": "object",
+ "default": {}
+ },
+ "pod": {
+ "$id": "#/properties/extraLabels/properties/pod",
+ "type": "object",
+ "default": {}
+ },
+ "podDisruptionBudget": {
+ "$id": "#/properties/extraLabels/properties/podDisruptionBudget",
+ "type": "object",
+ "default": {}
+ },
+ "podSecurityPolicy": {
+ "$id": "#/properties/extraLabels/properties/podSecurityPolicy",
+ "type": "object",
+ "default": {}
+ },
+ "secret": {
+ "$id": "#/properties/extraLabels/properties/secret",
+ "type": "object",
+ "default": {}
+ },
+ "serviceAccount": {
+ "$id": "#/properties/extraLabels/properties/serviceAccount",
+ "type": "object",
+ "default": {}
+ }
+ }
+ },
+ "annotations": {
+ "$id": "#/properties/annotations",
+ "type": "object",
+ "required": [
+ "config",
+ "deployment",
+ "pod",
+ "secret",
+ "serviceAccount"
+ ],
+ "properties": {
+ "config": {
+ "$id": "#/properties/annotations/properties/config",
+ "type": "object",
+ "default": {}
+ },
+ "deployment": {
+ "$id": "#/properties/annotations/properties/deployment",
+ "type": "object",
+ "default": {}
+ },
+ "pod": {
+ "$id": "#/properties/annotations/properties/pod",
+ "type": "object",
+ "default": {}
+ },
+ "secret": {
+ "$id": "#/properties/annotations/properties/secret",
+ "type": "object",
+ "default": {}
+ },
+ "serviceAccount": {
+ "$id": "#/properties/annotations/properties/serviceAccount",
+ "type": "object",
+ "default": {}
+ }
+ }
+ },
+ "serviceAccount": {
+ "$id": "#/properties/serviceAccount",
+ "type": "object",
+ "required": [],
+ "properties": {
+ "name": {
+ "$id": "#properties/serviceAccount/name",
+ "type": "string",
+ "default": ""
+ },
+ "create": {
+ "$id": "#properties/serviceAccount/create",
+ "type": "boolean",
+ "default": true
+ }
+ }
+ },
+ "rbac": {
+ "$id": "#/properties/rbac",
+ "type": "object",
+ "required": [],
+ "properties": {
+ "create": {
+ "$id": "#properties/rbac/create",
+ "type": "boolean",
+ "default": true
+ }
+ }
+ },
+ "extraArgs": {
+ "$id": "#/properties/extraArgs",
+ "type": "array",
+ "default": []
+ },
+ "extraEnv": {
+ "$id": "#/properties/extraEnv",
+ "type": "array",
+ "default": []
+ },
+ "extraVolumes": {
+ "$id": "#/properties/extraVolumes",
+ "type": "array",
+ "default": []
+ },
+ "extraVolumeMounts": {
+ "$id": "#/properties/extraVolumeMounts",
+ "type": "array",
+ "default": []
+ },
+ "hostAliases": {
+ "$id": "#/properties/hostAliases",
+ "type": "array",
+ "default": []
+ },
+ "imagePullPolicy": {
+ "$id": "#/properties/imagePullPolicy",
+ "type": "string",
+ "enum": [
+ "Never",
+ "IfNotPresent",
+ "Always"
+ ],
+ "default": "IfNotPresent"
+ },
+ "initContainers": {
+ "$id": "#/properties/initContainers",
+ "type": "array",
+ "default": []
+ },
+ "resources": {
+ "$id": "#/properties/resources",
+ "type": "object",
+ "default": {}
+ },
+ "tolerations": {
+ "$id": "#/properties/tolerations",
+ "type": "array",
+ "default": []
+ },
+ "probeTimeoutSeconds": {
+ "$id": "#/properties/probeTimeoutSeconds",
+ "type": "integer",
+ "default": 1
+ }
+ }
+}
diff --git a/teleport-kube-agent/values.yaml b/teleport-kube-agent/values.yaml
new file mode 100644
index 0000000..6c29c85
--- /dev/null
+++ b/teleport-kube-agent/values.yaml
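Review bot: Every `"additionalProperties": false` in this schema (under `joinParams`, `appResources`, `awsDatabases`, the `azureDatabases` items and `databaseResources`) sits inside the `properties` map, where JSON Schema reads it as a property literally named "additionalProperties" rather than as a constraint, so none of those objects actually rejects unknown keys; each one belongs on the enclosing object, next to `properties`. In the same way `apps`, `appResources`, `awsDatabases` and `databaseResources` are `"type": "array"` but carry `required`/`properties` directly instead of under `items`, so array elements are never validated at all (`azureDatabases` shows the intended shape), and `awsDatabases.regions` and `.tags` declare `"type": "string"` with a `"default": []` that contradicts the list/map form the values file documents. `log.properties` defines `deployment`, `pod` and `service` with `$id`s pointing at output/format/extraFields, so the three keys listed in `log.required` have no schema and `level`'s neighbours are never checked. A corrected `awsDatabases` entry is sketched below as the template for the other array properties; the value-type constraint on `tags` is left open because the page does not say whether AWS tag values may be lists.

```json
"awsDatabases": {
  "$id": "#/properties/awsDatabases",
  "type": "array",
  "default": [],
  "items": {
    "type": "object",
    "required": ["types", "regions", "tags"],
    "properties": {
      "types": { "type": "array", "items": { "type": "string" }, "default": [] },
      "regions": { "type": "array", "items": { "type": "string" }, "default": [] },
      "tags": { "type": "object", "default": {} }
    },
    "additionalProperties": false
  }
},
```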
@@ -0,0 +1,452 @@
+################################################################
+# Values that must always be provided by the user.
+################################################################
+
+# Join token for the cluster. `joinParams` can also pass the join token,
+# but supports more join methods and takes precedence if set.
+authToken: ""
+
+# Address of the teleport proxy with port (usually :3080).
+proxyAddr: ""
+# Comma-separated list of roles to enable (any of: kube,db,app)
+roles: "kube"
+
+################################################################
+# Values that must be provided if IAM or EC2 joining is enabled.
+################################################################
+
+# Specify how to join the Teleport cluster
+joinParams:
+ # Supported join methods are "token", "ec2", "iam".
+ # method "token", is equivalent to using authToken to join a cluster
+ method: "token"
+
+ # Leave empty only when method is "token" and the secret
+ # "teleport-kube-agent-join-token" has been created before and
+ # contains a valid join token.
+ tokenName: ""
+
+################################################################
+# Values that must be provided if Kubernetes access is enabled.
+################################################################
+
+# Name for this kubernetes cluster to be used by teleport users.
+kubeClusterName: ""
+
+################################################################
+# Values that must be provided if Application access is enabled.
+################################################################
+
+# At least one of 'apps', 'appResources' must be provided
+# when application access is enabled. See the README for more details.
+
+# Details of at least one app to be proxied. Example:
+# apps:
+# - name: grafana
+# uri: http://localhost:3000
+apps: []
+
+# Dynamic application configuration mode. Example:
+# appResources:
+# - labels:
+# "*": "*"
+appResources: []
+
+################################################################
+# Values that must be provided if Database access is enabled.
+################################################################
+
+# At least one of 'databases', 'awsDatabases', 'azureDatabases', or 'databaseResources' must be provided
+# when database access is enabled. See the README for more details.
+
+# Database auto-discovery mode (AWS)
+# Details of at least one awsDatabase discovery pattern to be discovered
+# and proxied. Example:
+# awsDatabases:
+# - types: ["rds"]
+# regions: ["us-east-1"]
+# tags:
+# "environment": "production"
+awsDatabases: []
+
+# Database auto-discovery mode (Azure)
+# Details of at least one azureDatabase discovery pattern to be discovered
+# and proxied. Example:
+# azureDatabases:
+# - types: ["mysql", "postgres"]
+# tags:
+# "environment": "production"
+# regions: ["eastus", "centralus"]
+# subscriptions: ["subID1", "subID2"]
+# resource_groups: ["group1", "group2"]
+# Note that regions, subscriptions, and resource_groups are optional, and by default
+# the pattern for these selectors is ["*"] which will match all regions, subscriptions, or resource groups.
+azureDatabases: []
+
+# Manual database configuration mode
+# Details of at least one database to be proxied. Example:
+# databases:
+# - name: aurora
+# uri: "postgres-aurora-instance-1.xxx.us-east-1.rds.amazonaws.com:5432"
+# protocol: "postgres"
+# static_labels:
+# env: "prod"
+databases: []
+
+# Dynamic database configuration mode. Example:
+# databaseResources:
+# - labels:
+# "*": "*"
+databaseResources: []
+
+################################################################
+# Values that you may need to change.
+################################################################
+
+# Version of teleport image, if different from chart version in Chart.yaml.
+# DANGER: `teleportVersionOverride` MUST NOT be used to control the Teleport version.
+# This chart is designed to run a specific teleport version (see Chart.yaml).
+# You will face compatibility issues trying to run a different Teleport version with it.
+#
+# If you want to run Teleport version X, you should use `helm --version X` instead.
+teleportVersionOverride: ""
+
+# Optional CA pins of the auth server. This enables a more secure way of
+# adding new nodes to a cluster. See "Adding Nodes to the Cluster"
+# (https://goteleport.com/docs/admin-guide/#adding-nodes-to-the-cluster).
+# Each list element can be the pin itself (recommended), or a path to a file
+# containing the pin. For the latter it is your responsibility to mount
+# the file, using extraVolumes.
+caPin: []
+
+# When set to true, the agent will skip the verification of proxy TLS
+# certificate.
+insecureSkipProxyTLSVerify: false
+
+# Set enterprise to true to use enterprise image.
+enterprise: false
+
+# teleportConfig contains additional teleport configuration
+# The configuration will be merged with the chart-generated configuration
+# and will take precedence in case of conflict
+teleportConfig: {}
+
+# Settings for mounting your own TLS material in the agent pod.
+# The agent does not expose a TLS server, so this is only used to trust CAs.
+tls:
+ # Name of an existing secret to use which contains a CA or trust bundle in x509 PEM format.
+ # This is useful to trust private CAs.
+ # This will automatically set the SSL_CERT_FILE environment variable to trust the CA.
+ # Create the secret with `kubectl create secret generic --from-file=ca.pem=/path/to/root-ca.pem`
+ # The filename inside the secret is important - it _must_ be ca.pem
+ existingCASecretName: ""
+
+updater:
+ enabled: false
+ # `updater.versionServer` is the URL of the version server the agent fetches
+ # the target version from. The complete version endpoint is built by
+ # concatenating `versionServer` and `releaseChannel`.
+ versionServer: "https://updates.releases.teleport.dev/v1/"
+ # Release channel the agent subscribes to.
+ releaseChannel: "stable/cloud"
+ image: public.ecr.aws/gravitational/teleport-kube-agent-updater
+ serviceAccount:
+ # service account name defaults to "-updater"
+ name: ""
+
+# If set, will use an existing volume mounted via extraVolumes
+# as the Teleport data directory.
+# If anything is set under the "storage" key, this will be ignored.
+existingDataVolume: ""
+
+# If true, create & use Pod Security Policy resources
+# https://kubernetes.io/docs/concepts/policy/pod-security-policy/
+# WARNING: the PSP won't be deployed for Kubernetes 1.23 and higher.
+# Please read https://goteleport.com/docs/deploy-a-cluster/helm-deployments/migration-kubernetes-1-25-psp/
+podSecurityPolicy:
+ enabled: true
+
+# Labels is a map of key values pairs about this cluster
+labels: {}
+
+# Settings for high availability.
+highAvailability:
+ # Set to >1 for a high availability mode where multiple Teleport agent pods will be deployed.
+ replicaCount: 1
+ # Setting 'requireAntiAffinity' to true will use 'requiredDuringSchedulingIgnoredDuringExecution' to require that multiple Teleport pods must not be scheduled on the
+ # same physical host. This will result in Teleport pods failing to be scheduled in very small clusters or during node downtime, so should be used with caution.
+ # Setting 'requireAntiAffinity' to false (the default) uses 'preferredDuringSchedulingIgnoredDuringExecution' to make this a soft requirement.
+ # This setting only has any effect when replicaCount is greater than 1.
+ requireAntiAffinity: false
+ # If enabled will create a Pod Disruption Budget
+ # https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
+ podDisruptionBudget:
+ enabled: false
+ minAvailable: 1
+
+# podMonitor controls the PodMonitor CR (from monitoring.coreos.com/v1)
+# This CRD is managed by the prometheus-operator and allows workload to
+# get monitored. To use this value, you need to run a `prometheus-operator`
+# in the cluster for this value to take effect.
+# See https://prometheus-operator.dev/docs/prologue/introduction/
+podMonitor:
+ # Whether the chart should deploy a PodMonitor.
+ # Disabled by default as it requires the PodMonitor CRD to be installed.
+ enabled: false
+ # additionalLabels to put on the PodMonitor.
+ # This is used to be selected by a specific prometheus instance.
+ additionalLabels: {}
+ # interval is the interval between two metrics scrapes. Defaults to 30s
+ interval: 30s
+
+################################################################
+# Values that must be provided if using persistent storage for Teleport.
+#
+# Assigning a persistent volume to Teleport agent allows the agent to keep session recordings when the pod is restarted if `session_recording` is set to `node` or `proxy`.
+# The security association between the agent and the Teleport is no longer stored in PV, instead it is stored in a Kubernetes Secret so that the agent does not require PV
+# to survive restarts and rotations while using short-lived joining tokens.
+#
+# Fields:
+# enabled: Set to true to enable the use of Persistent volumes.
+# storageClassName: The name of the kubernetes storage class to use when creating volumes. See https://kubernetes.io/docs/concepts/storage/storage-classes/
+# requests: The size of the volume to request from the persistent storage system
+################################################################
+storage:
+ enabled: false
+ storageClassName: ""
+ requests: 128Mi
+
+# Settings for configuring an cluster admin role binding.
+# This is useful for granting cluster admin permissions to a Kubernetes Group
+# other than the default "system:masters" group.
+# GKE Autopilot clusters forbid using the "system:masters" group for impersonation
+# and require a custom group to be used instead.
+adminClusterRoleBinding:
+ create: false
+ name: "cluster-admin"
+
+################################################################
+# Values that you shouldn't need to change.
+################################################################
+
+# Container image for the cluster.
+# Since version 13, hardened distroless images are used by default.
+# You can use the deprecated debian-based images by setting the value to
+# `public.ecr.aws/gravitational/teleport`. Those images will be
+# removed with teleport 14.
+image: public.ecr.aws/gravitational/teleport-distroless
+# Enterprise version of the image
+# Since version 13, hardened distroless images are used by default.
+# You can use the deprecated debian-based images by setting the value to
+# `public.ecr.aws/gravitational/teleport-ent`. Those images will be
+# removed with teleport 14.
+enterpriseImage: public.ecr.aws/gravitational/teleport-ent-distroless
+# Optional array of imagePullSecrets, to use when pulling from a private registry
+imagePullSecrets: []
+# - name: myRegistryKeySecretName
+# Number of replicas for the agent deployment.
+# DEPRECATED Use highAvailability:replicaCount instead
+# replicaCount: 1
+# (optional) Override the name of the ClusterRole used by the agent's service account.
+clusterRoleName: ""
+# (optional) Override the name of the ClusterRoleBinding used by the agent's service account.
+clusterRoleBindingName: ""
+# (optional) Override the name of the Role used by the agent's service account for Secret access.
+roleName: ""
+# (optional) Override the name of the RoleBinding used by the agent's service account.
+roleBindingName: ""
+# (optional) Override the name of the service account used by the agent.
+# DEPRECATED Use serviceAccount:name instead
+serviceAccountName: ""
+# (optional) Kubernetes service account to create/use.
+serviceAccount:
+ # Specifies whether a ServiceAccount should be created
+ create: true
+ # The name of the ServiceAccount to use.
+ # If not set and serviceAccount.create is true, the name is generated using the release name.
+ # If create is false, the name will be used to reference an existing service account.
+ name: ""
+
+# Set to true (default) to create Kubernetes ClusterRole and ClusterRoleBinding.
+rbac:
+ # Specifies whether a ClusterRole and ClusterRoleBinding should be created.
+ # Set to false if your cluster level resources are managed separately.
+ create: true
+
+# Name of the Secret to store the teleport join token.
+# DEPRECATED Use joinTokenSecret.name instead
+secretName: ""
+
+# Manages the join token secret creation and its name.
+joinTokenSecret:
+ # create controls whether the Helm chart should create and manage the join token
+ # secret.
+ # If false, the chart assumes that the secret with the configured name already exists at the
+ # installation namespace.
+ create: true
+ # Name of the Secret to store the teleport join token.
+ name: teleport-kube-agent-join-token
+
+# Teleport logging configuration
+log:
+ # Log level for the Teleport process.
+ # Available log levels are: DEBUG, INFO, WARNING, ERROR.
+ # The default is INFO, which is recommended in production.
+ # DEBUG is useful during first-time setup or to see more detailed logs for debugging.
+ level: INFO
+ # Log output
+ # Use a file path to log to disk: e.g. '/var/lib/teleport/teleport.log'
+ # Other supported values: 'stdout', 'stderr' and 'syslog'
+ output: stderr
+ # Log format configuration
+ # Possible output values are 'json' and 'text' (default).
+ format: text
+ # Possible extra_fields values include: timestamp, component, caller, and level.
+ # All extra fields are included by default.
+ extraFields: ["timestamp", "level", "component", "caller"]
+
+##################################
+# Extra Kubernetes configuration #
+##################################
+
+# Affinity for pod assignment
+# https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+affinity: {}
+
+# Pod's DNS Configuration
+# https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config
+# This value is useful if you need to reduce the DNS load: set "ndots" to 0 and only use FQDNs.
+dnsConfig: {}
+# nameservers:
+# - 1.2.3.4
+# searches:
+# - ns1.svc.cluster-domain.example
+# - my.dns.search.suffix
+# options:
+# - name: ndots
+# value: "2"
+
+# Pod's DNS Policy
+# https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
+dnsPolicy: ""
+
+# nodeSelector to apply for pod assignment
+# https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
+nodeSelector: {}
+
+# Kubernetes labels to apply
+# https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+extraLabels:
+ # Labels for the Cluster Role
+ clusterRole: {}
+ # Labels for the Cluster Role Binding
+ clusterRoleBinding: {}
+ # Labels for the Role
+ role: {}
+ # Labels for the Role Binding
+ roleBinding: {}
+ # Labels for the ConfigMap
+ config: {}
+ # Labels for the Deployment/StatefulSet
+ deployment: {}
+ # Labels for each Pod in the Deployment/StatefulSet
+ pod: {}
+ # Labels for the Pod Disruption Budget (ignored when disabled)
+ podDisruptionBudget: {}
+ # Labels for the Pod Security Policy (ignored when disabled)
+ podSecurityPolicy: {}
+ # Labels for the Secret (ignored when disabled)
+ secret: {}
+ # Labels for the ServiceAccount object
+ serviceAccount: {}
+
+# Kubernetes annotations to apply
+# https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+annotations:
+ # Annotations for the ConfigMap
+ config: {}
+ # Annotations for the Deployment
+ deployment: {}
+ # Annotations for each Pod in the Deployment
+ pod: {}
+ # Annotations for the Secret (has no effect when `joinTokenSecret.create` is false)
+ secret: {}
+ # Annotations for the ServiceAccount object
+ serviceAccount: {}
+
+# Extra arguments to pass to 'teleport start' for the main Teleport pod
+extraArgs: []
+
+# Extra environment to be configured on the Teleport pod
+extraEnv: []
+
+# Extra volumes to mount into the Teleport pods
+# https://kubernetes.io/docs/concepts/storage/volumes/
+extraVolumes: []
+# - name: myvolume
+# secret:
+# secretName: testSecret
+
+# Extra volume mounts corresponding to the volumes mounted above
+extraVolumeMounts: []
+# - name: myvolume
+# mountPath: /path/on/host
+
+# Pod Host aliases (see https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/)
+hostAliases: []
+# - ip: "127.0.0.1"
+# hostnames:
+# - "foo.local"
+# - "bar.local"
+# - ip: "10.1.2.3"
+# hostnames:
+# - "foo.remote"
+# - "bar.remote"
+
+# Allow the imagePullPolicy to be overridden
+imagePullPolicy: IfNotPresent
+
+# A list of initContainers to run before each Teleport pod starts
+# https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
+initContainers: []
+# - name: "teleport-init"
+# image: "alpine"
+# args: ["echo test"]
+
+# Resources to request for each pod in the deployment
+# https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+resources: {}
+# requests:
+# cpu: "1"
+# memory: "2Gi"
+
+# Security context to add to the initContainer
+initSecurityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 9807
+
+# Security context to add to other containers
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 9807
+
+# Priority class name to add to the deployment
+priorityClassName: ""
+
+# Tolerations for pod assignment
+# https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+tolerations: []
+
+# Timeouts for the readiness and liveness probes
+# https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
+probeTimeoutSeconds: 1
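Review bot: Both `initSecurityContext` and `securityContext` drop capabilities, forbid privilege escalation, use a read-only root filesystem and run as non-root, but neither sets a seccomp profile, so pods rendered from these defaults do not meet the Pod Security Standards `restricted` profile, which also requires `seccompProfile.type` of `RuntimeDefault` or `Localhost`; adding `seccompProfile:` / `  type: RuntimeDefault` to both contexts closes that gap. The capability is spelled `- all` in both contexts while the Kubernetes documentation and the `restricted` profile spell it `ALL`; I have not confirmed that every runtime and admission check normalises case, so the documented spelling is the safer default. Separately, `secretName` defaults to `""` here while `values.schema.json` in this patch gives it the default `teleport-kube-agent-join-token`; one of the two should change so the deprecation path to `joinTokenSecret.name` is unambiguous. The `podSecurityPolicy.enabled: true` default is documented as a no-op on 1.23+, which is fine as long as the template guards it by API availability as the comment implies.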