Bump teleport to 14.2.0

Jonny Ervine 2023-11-23 21:28:48 +08:00
parent 9c02504c98
commit a0e554728f
440 changed files with 510 additions and 32430 deletions


@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/


@ -0,0 +1,7 @@
apiVersion: v2
appVersion: 2023.5.1
description: Creation of a cloudflared deployment - a reverse tunnel for an environment
icon: https://developers.cloudflare.com/cloudflare-one/favicon-32x32.png
name: cloudflare-tunnel
type: application
version: 0.3.0


@ -0,0 +1,51 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "cloudflare-tunnel.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "cloudflare-tunnel.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "cloudflare-tunnel.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "cloudflare-tunnel.labels" -}}
helm.sh/chart: {{ include "cloudflare-tunnel.chart" . }}
{{ include "cloudflare-tunnel.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "cloudflare-tunnel.selectorLabels" -}}
app.kubernetes.io/name: {{ include "cloudflare-tunnel.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}


@ -0,0 +1,29 @@
# This configmap stores the configuration used by cloudflared.
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "cloudflare-tunnel.fullname" . }}
data:
config.yaml: |
# Name of the tunnel you want to run
tunnel: {{ .Values.cloudflare.tunnelName }}
# The location of the secret containing the tunnel credentials
credentials-file: /etc/cloudflared/creds/credentials.json
# General purpose TCP routing for the network
warp-routing:
enabled: {{ .Values.cloudflare.enableWarp }}
# Serves the metrics server under /metrics and the readiness server under /ready
metrics: 0.0.0.0:2000
# Autoupdates applied in a k8s pod will be lost when the pod is removed or restarted, so
# autoupdate doesn't make sense in Kubernetes. However, outside of Kubernetes, we strongly
# recommend using autoupdate.
no-autoupdate: true
# The `ingress` block tells cloudflared which local service to route incoming
# requests to. For more about ingress rules, see
# https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/ingress
ingress:
{{- with .Values.cloudflare.ingress }}
{{- toYaml . | nindent 6 }}
{{- end }}
# This rule matches any traffic which didn't match a previous rule, and responds with HTTP 404.
- service: http_status:404
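Review bot: `tunnel: {{ .Values.cloudflare.tunnelName }}` emits the tunnel name as a plain scalar, so the empty default in values.yaml renders as `tunnel:` (null) and a name that happens to look like a number or boolean is retyped when cloudflared parses the file; `tunnel: {{ .Values.cloudflare.tunnelName | quote }}` keeps it a string. The rendered page has lost the indentation, so the `nindent 6` for the ingress block cannot be checked against the `ingress:` key here — worth confirming with `helm template` that the user rules land under `ingress:` and ahead of the catch-all `http_status:404` entry. This ConfigMap's `metadata` carries only `name`, while the Secret, ServiceAccount and Deployment in the same chart all add `labels: {{- include "cloudflare-tunnel.labels" . | nindent 4 }}`; adding the same here keeps every chart object selectable by the common labels.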


@ -0,0 +1,102 @@
# Here we deploy cloudflared images. The tunnel credentials are stored in
# a k8s secret, and the configuration is stored in a k8s configmap.
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "cloudflare-tunnel.fullname" . }}
labels:
{{- include "cloudflare-tunnel.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
{{- include "cloudflare-tunnel.selectorLabels" . | nindent 6 }}
template:
metadata:
annotations:
# These are here so the deployment rolls when the config or secret change.
checksum/configmap: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
{{- with .Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "cloudflare-tunnel.selectorLabels" . | nindent 8 }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "cloudflare-tunnel.fullname" . }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
containers:
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
args:
- tunnel
# Points cloudflared to the config file, which configures what
# cloudflared will actually do. This file is created by a ConfigMap.
- --config
- /etc/cloudflared/config/config.yaml
- run
livenessProbe:
httpGet:
# Cloudflared has a /ready endpoint which returns 200 if and only if
# it has an active connection to the edge.
path: /ready
port: 2000
failureThreshold: 1
initialDelaySeconds: 10
periodSeconds: 10
volumeMounts:
- name: config
mountPath: /etc/cloudflared/config
readOnly: true
# Each tunnel has an associated "credentials file" which authorizes machines
# to run the tunnel. cloudflared will read this file from its local filesystem,
# and it'll be stored in a k8s secret.
- name: creds
mountPath: /etc/cloudflared/creds
readOnly: true
resources:
{{- toYaml .Values.resources | nindent 12 }}
volumes:
- name: creds
secret:
secretName: {{ .Values.cloudflare.secretName | default (include "cloudflare-tunnel.fullname" .) }}
- name: config
configMap:
name: {{ include "cloudflare-tunnel.fullname" . }}
items:
- key: config.yaml
path: config.yaml
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
affinity:
{{- with .Values.affinity }}
{{- toYaml . | nindent 8 }}
{{- else }}
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 10
podAffinityTerm:
topologyKey: kubernetes.io/hostname
labelSelector:
matchExpressions:
{{- range $k, $v := include "cloudflare-tunnel.selectorLabels" . | fromYaml }}
- key: {{ $k }}
operator: In
values:
- {{ $v }}
{{- end }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
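Review bot: `failureThreshold: 1` on the liveness probe means a single missed `/ready` answer restarts cloudflared, and the comment above the probe says that endpoint only returns 200 while an edge connection is active, so a transient reconnect to Cloudflare — or a first handshake that takes longer than the 10 s initial delay — is turned into a container restart that keeps the tunnel down longer than the blip itself. The teleport proxy template removed in this same commit tolerates several misses (`failureThreshold: 6`, `periodSeconds: 5`) for the same kind of connectivity probe. Raising it, e.g. `failureThreshold: 3`, while keeping `periodSeconds: 10` still recycles a genuinely dead connector within about 30 s. The selector values under `matchExpressions` are emitted unquoted (`- {{ $v }}`); a release name made only of digits would be retyped as an integer, and `- {{ $v | quote }}` avoids that.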


@ -0,0 +1,17 @@
{{- if and (and .Values.cloudflare.account .Values.cloudflare.tunnelId .Values.cloudflare.secret) (not .Values.cloudflare.secretName) }}
# This credentials secret allows cloudflared to authenticate itself
# to the Cloudflare infrastructure.
apiVersion: v1
kind: Secret
metadata:
name: {{ include "cloudflare-tunnel.fullname" . }}
labels:
{{- include "cloudflare-tunnel.labels" . | nindent 4 }}
stringData:
credentials.json: |-
{
"AccountTag": {{ .Values.cloudflare.account | quote }},
"TunnelID": {{ .Values.cloudflare.tunnelId | quote }},
"TunnelSecret": {{ .Values.cloudflare.secret | quote }}
}
{{- end }}
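Review bot: The `credentials.json` body is built with `quote`, which is Go string quoting rather than JSON escaping, so a value containing a control character or a non-ASCII byte can come out with `\x..`/`\U........` escapes that a JSON parser rejects. `toJson` emits exactly the JSON form: `"TunnelSecret": {{ .Values.cloudflare.secret | toJson }}`, and likewise for `AccountTag` and `TunnelID`. Tunnel IDs and secrets are normally hex or base64, so this is unlikely to bite today, but the template should not depend on the value's alphabet.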


@ -0,0 +1,12 @@
# Here we create a service account with no privileges to run the
# deployment - just in case the default service account is different.
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "cloudflare-tunnel.fullname" . }}
labels:
{{- include "cloudflare-tunnel.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
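Review bot: The header comment describes this as a service account with no privileges, but nothing here or in deployment.yaml stops Kubernetes from projecting its token into the cloudflared pod, so a process that never talks to the API server still holds a bearer token on its filesystem. Add `automountServiceAccountToken: false` at the top level of this ServiceAccount (or on the pod `spec` in deployment.yaml); the teleport proxy template deleted in this same commit sets it on the pod for the same reason. Disabling the mount also removes the need for the token to be readable under the container's `readOnlyRootFilesystem` setup.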


@ -0,0 +1,81 @@
# Default values for cloudflare-tunnel.
# Cloudflare parameters.
cloudflare:
# Your Cloudflare account number.
account: ""
# The name of the tunnel this instance will serve
tunnelName: ""
# The ID of the above tunnel.
tunnelId: ""
# The secret for the tunnel.
secret: ""
# If defined, no secret is created for the credentials, and instead, the secret referenced is used
secretName: null
# If true, turn on WARP routing for TCP
enableWarp: false
# Define ingress rules for the tunnel. See
# https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/configuration-file/ingress
ingress: []
# The first rule proxies traffic to the httpbin sample service named web-server at port 80
# - hostname: tunnel.example.com
# service: http://web-service:80
# This rule sends traffic to the built-in hello-world HTTP server. This can help debug connectivity
# issues. If hello.example.com resolves and tunnel.example.com does not, then the problem is
# in the connection from cloudflared to your local service, not from the internet to cloudflared.
# - hostname: hello.example.com
# service: hello_world
image:
repository: cloudflare/cloudflared
pullPolicy: IfNotPresent
# If supplied, this overrides "appVersion"
tag: ""
replicaCount: 2
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
serviceAccount:
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
podAnnotations: {}
# Security items common to everything in the pod. Here we require that it
# does not run as the user defined in the image, literally named "nonroot".
podSecurityContext:
runAsNonRoot: true
runAsUser: 65532
# Security items for one container. We lock it down.
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
nodeSelector: {}
tolerations: []
# Default affinity is to spread out over nodes; use this to override.
affinity: {}
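Review bot: `serviceAccount.name` is never read by any template in this chart — serviceaccount.yaml always names the account with `include "cloudflare-tunnel.fullname"` and deployment.yaml's `serviceAccountName` uses the same helper — and the comment refers to a `create` flag that does not exist, so setting `name` silently does nothing. Either drop `name` and its comment or have both templates honour it (`default (include "cloudflare-tunnel.fullname" .) .Values.serviceAccount.name`). `cloudflare.account`, `cloudflare.tunnelId` and `cloudflare.secret` are plain values here, and the `secretName` path already exists for supplying the credentials from a pre-created Secret; the comment on `secret` could point operators there (or to `--set-file`) so the tunnel secret does not end up in a values file under version control. The comment over `podSecurityContext` reads as if the pod must not run as the image's user, which seems to be the opposite of what `runAsNonRoot: true` with `runAsUser: 65532` intends — presumably "run as the image's `nonroot` user".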


@ -1,8 +0,0 @@
apiVersion: v2
appVersion: 14.0.0
description: Teleport Operator provides management of select Teleport resources.
icon: https://goteleport.com/images/logos/logo-teleport-square.svg
keywords:
- Teleport
name: teleport-operator
version: 14.0.0


@ -1,366 +0,0 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
creationTimestamp: null
name: teleportprovisiontokens.resources.teleport.dev
spec:
group: resources.teleport.dev
names:
kind: TeleportProvisionToken
listKind: TeleportProvisionTokenList
plural: teleportprovisiontokens
shortNames:
- provisiontoken
- provisiontokens
singular: teleportprovisiontoken
scope: Namespaced
versions:
- name: v2
schema:
openAPIV3Schema:
description: ProvisionToken is the Schema for the provisiontokens API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ProvisionToken resource definition v2 from Teleport
properties:
allow:
description: Allow is a list of TokenRules, nodes using this token
must match one allow rule to use this token.
items:
properties:
aws_account:
description: AWSAccount is the AWS account ID.
type: string
aws_arn:
description: AWSARN is used for the IAM join method, the AWS
identity of joining nodes must match this ARN. Supports wildcards
"*" and "?".
type: string
aws_regions:
description: AWSRegions is used for the EC2 join method and
is a list of AWS regions a node is allowed to join from.
items:
type: string
nullable: true
type: array
aws_role:
description: AWSRole is used for the EC2 join method and is
the the ARN of the AWS role that the auth server will assume
in order to call the ec2 API.
type: string
type: object
nullable: true
type: array
aws_iid_ttl:
description: AWSIIDTTL is the TTL to use for AWS EC2 Instance Identity
Documents used to join the cluster with this token.
format: duration
type: string
azure:
description: Azure allows the configuration of options specific to
the "azure" join method.
nullable: true
properties:
allow:
description: Allow is a list of Rules, nodes using this token
must match one allow rule to use this token.
items:
properties:
resource_groups:
items:
type: string
nullable: true
type: array
subscription:
type: string
type: object
nullable: true
type: array
type: object
bot_name:
description: BotName is the name of the bot this token grants access
to, if any
type: string
circleci:
description: CircleCI allows the configuration of options specific
to the "circleci" join method.
nullable: true
properties:
allow:
description: Allow is a list of TokenRules, nodes using this token
must match one allow rule to use this token.
items:
properties:
context_id:
type: string
project_id:
type: string
type: object
nullable: true
type: array
organization_id:
type: string
type: object
gcp:
description: GCP allows the configuration of options specific to the
"gcp" join method.
nullable: true
properties:
allow:
description: Allow is a list of Rules, nodes using this token
must match one allow rule to use this token.
items:
properties:
locations:
items:
type: string
nullable: true
type: array
project_ids:
items:
type: string
nullable: true
type: array
service_accounts:
items:
type: string
nullable: true
type: array
type: object
nullable: true
type: array
type: object
github:
description: GitHub allows the configuration of options specific to
the "github" join method.
nullable: true
properties:
allow:
description: Allow is a list of TokenRules, nodes using this token
must match one allow rule to use this token.
items:
properties:
actor:
type: string
environment:
type: string
ref:
type: string
ref_type:
type: string
repository:
type: string
repository_owner:
type: string
sub:
type: string
workflow:
type: string
type: object
nullable: true
type: array
enterprise_server_host:
description: EnterpriseServerHost allows joining from runners
associated with a GitHub Enterprise Server instance. When unconfigured,
tokens will be validated against github.com, but when configured
to the host of a GHES instance, then the tokens will be validated
against host. This value should be the hostname of the GHES
instance, and should not include the scheme or a path. The instance
must be accessible over HTTPS at this hostname and the certificate
must be trusted by the Auth Server.
type: string
type: object
gitlab:
description: GitLab allows the configuration of options specific to
the "gitlab" join method.
nullable: true
properties:
allow:
description: Allow is a list of TokenRules, nodes using this token
must match one allow rule to use this token.
items:
properties:
environment:
type: string
namespace_path:
type: string
pipeline_source:
type: string
project_path:
type: string
ref:
type: string
ref_type:
type: string
sub:
type: string
type: object
nullable: true
type: array
domain:
description: Domain is the domain of your GitLab instance. This
will default to `gitlab.com` - but can be set to the domain
of your self-hosted GitLab e.g `gitlab.example.com`.
type: string
type: object
join_method:
description: JoinMethod is the joining method required in order to
use this token. Supported joining methods include "token", "ec2",
and "iam".
type: string
kubernetes:
description: Kubernetes allows the configuration of options specific
to the "kubernetes" join method.
nullable: true
properties:
allow:
description: Allow is a list of Rules, nodes using this token
must match one allow rule to use this token.
items:
properties:
service_account:
type: string
type: object
nullable: true
type: array
static_jwks:
description: StaticJWKS is the configuration specific to the `static_jwks`
type.
nullable: true
properties:
jwks:
type: string
type: object
type:
description: 'Type controls which behavior should be used for
validating the Kubernetes Service Account token. Support values:
- `in_cluster` - `static_jwks` If unset, this defaults to `in_cluster`.'
type: string
type: object
roles:
description: Roles is a list of roles associated with the token, that
will be converted to metadata in the SSH and X509 certificates issued
to the user of the token
items:
type: string
nullable: true
type: array
suggested_agent_matcher_labels:
additionalProperties:
x-kubernetes-preserve-unknown-fields: true
description: SuggestedAgentMatcherLabels is a set of labels to be
used by agents to match on resources. When an agent uses this token,
the agent should monitor resources that match those labels. For
databases, this means adding the labels to `db_service.resources.labels`.
Currently, only node-join scripts create a configuration according
to the suggestion.
type: object
suggested_labels:
additionalProperties:
x-kubernetes-preserve-unknown-fields: true
description: SuggestedLabels is a set of labels that resources should
set when using this token to enroll themselves in the cluster. Currently,
only node-join scripts create a configuration according to the suggestion.
type: object
type: object
status:
description: TeleportProvisionTokenStatus defines the observed state of
TeleportProvisionToken
properties:
conditions:
description: Conditions represent the latest available observations
of an object's state
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
\n type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
teleportResourceID:
format: int64
type: integer
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null


@ -1,307 +0,0 @@
{{- $proxy := mustMergeOverwrite (mustDeepCopy .Values) .Values.proxy -}}
{{- $replicable := or $proxy.highAvailability.certManager.enabled $proxy.tls.existingSecretName -}}
{{- $projectedServiceAccountToken := semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
# Deployment is {{ if not $replicable }}not {{end}}replicable
{{- if and $proxy.highAvailability.certManager.enabled $proxy.tls.existingSecretName }}
{{- fail "Cannot set both highAvailability.certManager.enabled and tls.existingSecretName, choose one or the other" }}
{{- end }}
{{- if and $proxy.acme $proxy.tls.existingSecretName }}
{{- fail "Cannot set both acme.enabled and tls.existingSecretName, choose one or the other" }}
{{- end }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Release.Name }}-proxy
namespace: {{ .Release.Namespace }}
labels: {{- include "teleport-cluster.proxy.labels" . | nindent 4 }}
{{- if $proxy.annotations.deployment }}
annotations: {{- toYaml $proxy.annotations.deployment | nindent 4 }}
{{- end }}
spec:
{{- /*
If proxies cannot be replicated we use a single replica.
By default we want to upgrade all users to at least 2 replicas, if they had a higher replica count we take it.
If a user wants to force a single proxy, they can use the `proxy` specific override.
$proxySpecificHA is a hack to avoid .Values.proxy.highAvailability to be nil, which would cause a fail when
accessing .Values.proxy.highAvailability.replicaCount.
*/}}
{{- if $replicable }}
{{- $proxySpecificHA := default (dict) .Values.proxy.highAvailability }}
{{- if $proxySpecificHA.replicaCount }}
replicas: {{ $proxySpecificHA.replicaCount }}
{{- else }}
replicas: {{ max .Values.highAvailability.replicaCount 2 }}
{{- end }}
{{- if $proxy.highAvailability.minReadySeconds }}
minReadySeconds: {{ $proxy.highAvailability.minReadySeconds }}
{{- end }}
{{- else }}
replicas: 1
{{- end }}
selector:
matchLabels: {{- include "teleport-cluster.proxy.selectorLabels" . | nindent 6 }}
template:
metadata:
annotations:
# ConfigMap checksum, to recreate the pod on config changes.
checksum/config: {{ include (print $.Template.BasePath "/proxy/config.yaml") . | sha256sum }}
{{- if $proxy.annotations.pod }}
{{- toYaml $proxy.annotations.pod | nindent 8 }}
{{- end }}
labels: {{- include "teleport-cluster.proxy.labels" . | nindent 8 }}
spec:
{{- if $proxy.nodeSelector }}
nodeSelector: {{- toYaml $proxy.nodeSelector | nindent 8 }}
{{- end }}
affinity:
{{- if $proxy.affinity }}
{{- if $proxy.highAvailability.requireAntiAffinity }}
{{- fail "Cannot use highAvailability.requireAntiAffinity when affinity is also set in chart values - unset one or the other" }}
{{- end }}
{{- toYaml $proxy.affinity | nindent 8 }}
{{- else }}
podAntiAffinity:
{{- if $proxy.highAvailability.requireAntiAffinity }}
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app.kubernetes.io/instance
operator: In
values:
- {{ .Release.Name }}
- key: app.kubernetes.io/component
operator: In
values:
- proxy
topologyKey: "kubernetes.io/hostname"
{{- else if gt (int $proxy.highAvailability.replicaCount) 1 }}
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 50
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/instance
operator: In
values:
- {{ .Release.Name }}
- key: app.kubernetes.io/component
operator: In
values:
- proxy
topologyKey: "kubernetes.io/hostname"
{{- end }}
{{- end }}
{{- if $proxy.tolerations }}
tolerations: {{- toYaml $proxy.tolerations | nindent 6 }}
{{- end }}
{{- if $proxy.imagePullSecrets }}
imagePullSecrets:
{{- toYaml $proxy.imagePullSecrets | nindent 6 }}
{{- end }}
initContainers:
# wait-auth-update is responsible for holding off the proxy rollout until all auths are running the
# next major version in case of major upgrade.
- name: wait-auth-update
image: '{{ if $proxy.enterprise }}{{ $proxy.enterpriseImage }}{{ else }}{{ $proxy.image }}{{ end }}:{{ include "teleport-cluster.version" . }}'
command:
- teleport
- wait
- no-resolve
- '{{ include "teleport-cluster.auth.previousVersionServiceName" . }}.{{ .Release.Namespace }}.svc.cluster.local'
{{- if $proxy.securityContext }}
securityContext: {{- toYaml $proxy.securityContext | nindent 12 }}
{{- end }}
{{- if $proxy.initContainers }}
{{- range $initContainer := $proxy.initContainers }}
{{- if and (not $initContainer.resources) $proxy.resources }}
{{- $_ := set $initContainer "resources" $proxy.resources }}
{{- end }}
{{- list $initContainer | toYaml | nindent 8 }}
{{- /* Note: this will break if the user sets volumeMounts to its initContainer */}}
volumeMounts:
{{- if or $proxy.highAvailability.certManager.enabled $proxy.tls.existingSecretName }}
- mountPath: /etc/teleport-tls
name: "teleport-tls"
readOnly: true
{{- end }}
- mountPath: /etc/teleport
name: "config"
readOnly: true
- mountPath: /var/lib/teleport
name: "data"
{{- if $proxy.extraVolumeMounts }}
{{- toYaml $proxy.extraVolumeMounts | nindent 10 }}
{{- end }}
{{- end }}
{{- end }}
containers:
- name: "teleport"
image: '{{ if $proxy.enterprise }}{{ $proxy.enterpriseImage }}{{ else }}{{ $proxy.image }}{{ end }}:{{ include "teleport-cluster.version" . }}'
imagePullPolicy: {{ $proxy.imagePullPolicy }}
{{- if or $proxy.extraEnv $proxy.tls.existingCASecretName }}
env:
{{- if (gt (len $proxy.extraEnv) 0) }}
{{- toYaml $proxy.extraEnv | nindent 8 }}
{{- end }}
{{- if $proxy.tls.existingCASecretName }}
- name: SSL_CERT_FILE
value: /etc/teleport-tls-ca/ca.pem
{{- end }}
{{- end }}
args:
- "--diag-addr=0.0.0.0:3000"
{{- if $proxy.insecureSkipProxyTLSVerify }}
- "--insecure"
{{- end }}
{{- if $proxy.extraArgs }}
{{- toYaml $proxy.extraArgs | nindent 8 }}
{{- end }}
ports:
- name: tls
containerPort: 3080
protocol: TCP
{{- if $proxy.enterprise }}
- name: proxypeering
containerPort: 3021
protocol: TCP
{{- end }}
{{- if ne $proxy.proxyListenerMode "multiplex" }}
- name: sshproxy
containerPort: 3023
protocol: TCP
- name: sshtun
containerPort: 3024
protocol: TCP
- name: kube
containerPort: 3026
protocol: TCP
- name: mysql
containerPort: 3036
protocol: TCP
{{- if $proxy.separatePostgresListener }}
- name: postgres
containerPort: 5432
protocol: TCP
{{- end }}
{{- if $proxy.separateMongoListener }}
- name: mongo
containerPort: 27017
protocol: TCP
{{- end }}
{{- end }}
- name: diag
containerPort: 3000
protocol: TCP
livenessProbe:
httpGet:
path: /healthz
port: diag
initialDelaySeconds: 5 # wait 5s for agent to start
periodSeconds: 5 # poll health every 5s
failureThreshold: 6 # consider agent unhealthy after 30s (6 * 5s)
timeoutSeconds: {{ $proxy.probeTimeoutSeconds }}
readinessProbe:
httpGet:
path: /readyz
port: diag
initialDelaySeconds: 5 # wait 5s for agent to register
periodSeconds: 5 # poll health every 5s
failureThreshold: 12 # consider agent unhealthy after 60s (12 * 5s)
timeoutSeconds: {{ $proxy.probeTimeoutSeconds }}
lifecycle:
# waiting during preStop ensures no new request will hit the Terminating pod
# on clusters using kube-proxy (kube-proxy syncs the node iptables rules every 30s)
preStop:
exec:
command:
- teleport
- wait
- duration
- 30s
{{- if $proxy.postStart.command }}
postStart:
exec:
command: {{ toYaml $proxy.postStart.command | nindent 14 }}
{{- end }}
{{- if $proxy.resources }}
resources:
{{- toYaml $proxy.resources | nindent 10 }}
{{- end }}
{{- if $proxy.securityContext }}
securityContext: {{- toYaml $proxy.securityContext | nindent 10 }}
{{- end }}
volumeMounts:
{{- if or $proxy.highAvailability.certManager.enabled $proxy.tls.existingSecretName }}
- mountPath: /etc/teleport-tls
name: "teleport-tls"
readOnly: true
{{- end }}
{{- if $proxy.tls.existingCASecretName }}
- mountPath: /etc/teleport-tls-ca
name: "teleport-tls-ca"
readOnly: true
{{- end }}
- mountPath: /etc/teleport
name: "config"
readOnly: true
- mountPath: /var/lib/teleport
name: "data"
{{- if $projectedServiceAccountToken }}
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: proxy-serviceaccount-token
readOnly: true
{{- end }}
{{- if $proxy.extraVolumeMounts }}
{{- toYaml $proxy.extraVolumeMounts | nindent 8 }}
{{- end }}
{{- if $projectedServiceAccountToken }}
automountServiceAccountToken: false
{{- end }}
volumes:
{{- if $projectedServiceAccountToken }}
# This projected token volume mimics the `automountServiceAccountToken`
# behaviour but defaults to a 1h TTL instead of 1y.
- name: proxy-serviceaccount-token
projected:
sources:
- serviceAccountToken:
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- path: "namespace"
fieldRef:
fieldPath: metadata.namespace
{{- end }}
{{- if $proxy.highAvailability.certManager.enabled }}
- name: teleport-tls
secret:
secretName: teleport-tls
{{- else if $proxy.tls.existingSecretName }}
- name: teleport-tls
secret:
secretName: {{ $proxy.tls.existingSecretName }}
{{- end }}
{{- if $proxy.tls.existingCASecretName }}
- name: teleport-tls-ca
secret:
secretName: {{ $proxy.tls.existingCASecretName }}
{{- end }}
- name: "config"
configMap:
name: {{ .Release.Name }}-proxy
- name: "data"
emptyDir: {}
{{- if $proxy.extraVolumes }}
{{- toYaml $proxy.extraVolumes | nindent 6 }}
{{- end }}
{{- if $proxy.priorityClassName }}
priorityClassName: {{ $proxy.priorityClassName }}
{{- end }}
serviceAccountName: {{ include "teleport-cluster.proxy.serviceAccountName" . }}
terminationGracePeriodSeconds: {{ $proxy.terminationGracePeriodSeconds }}


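--- a/PATH_NOT_SHOWN_ON_PAGE_deleted_snapshot_1
+++ /dev/null
@@ -1,525 +0,0 @@
-should add an operator side-car when operator is enabled:
-  1: |
-    image: public.ecr.aws/gravitational/teleport-operator:14.0.0
-    imagePullPolicy: IfNotPresent
-    livenessProbe:
-      httpGet:
-        path: /healthz
-        port: 8081
-      initialDelaySeconds: 15
-      periodSeconds: 20
-    name: operator
-    ports:
-      - containerPort: 8080
-        name: op-metrics
-        protocol: TCP
-      - containerPort: 8081
-        name: op-health
-        protocol: TCP
-    readinessProbe:
-      httpGet:
-        path: /readyz
-        port: 8081
-      initialDelaySeconds: 5
-      periodSeconds: 10
-    volumeMounts:
-      - mountPath: /etc/teleport
-        name: config
-        readOnly: true
-      - mountPath: /var/lib/teleport
-        name: data
-      - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
-        name: auth-serviceaccount-token
-        readOnly: true
-? should not add named PersistentVolumeClaim as volume when in scratch mode, persistence.existingClaimName
-  is set and persistence.enabled is false
-: 1: |
-    affinity:
-      podAntiAffinity: null
-    automountServiceAccountToken: false
-    containers:
-      - args:
-          - --diag-addr=0.0.0.0:3000
-          - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
-        image: public.ecr.aws/gravitational/teleport-distroless:14.0.0
-        imagePullPolicy: IfNotPresent
-        lifecycle:
-          preStop:
-            exec:
-              command:
-                - teleport
-                - wait
-                - duration
-                - 30s
-        livenessProbe:
-          failureThreshold: 6
-          httpGet:
-            path: /healthz
-            port: diag
-          initialDelaySeconds: 5
-          periodSeconds: 5
-          timeoutSeconds: 1
-        name: teleport
-        ports:
-          - containerPort: 3000
-            name: diag
-            protocol: TCP
-          - containerPort: 3025
-            name: auth
-            protocol: TCP
-          - containerPort: 3026
-            name: kube
-            protocol: TCP
-        readinessProbe:
-          failureThreshold: 12
-          httpGet:
-            path: /readyz
-            port: diag
-          initialDelaySeconds: 5
-          periodSeconds: 5
-          timeoutSeconds: 1
-        volumeMounts:
-          - mountPath: /etc/teleport
-            name: config
-            readOnly: true
-          - mountPath: /var/lib/teleport
-            name: data
-          - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
-            name: auth-serviceaccount-token
-            readOnly: true
-    serviceAccountName: RELEASE-NAME
-    terminationGracePeriodSeconds: 60
-    volumes:
-      - name: auth-serviceaccount-token
-        projected:
-          sources:
-            - serviceAccountToken:
-                path: token
-            - configMap:
-                items:
-                  - key: ca.crt
-                    path: ca.crt
-                name: kube-root-ca.crt
-            - downwardAPI:
-                items:
-                  - fieldRef:
-                      fieldPath: metadata.namespace
-                    path: namespace
-      - configMap:
-          name: RELEASE-NAME-auth
-        name: config
-      - emptyDir: {}
-        name: data
-should provision initContainer correctly when set in values:
-  1: |
-    - args:
-        - echo test
-      image: alpine
-      name: teleport-init
-      resources:
-        limits:
-          cpu: 2
-          memory: 4Gi
-        requests:
-          cpu: 1
-          memory: 2Gi
-      volumeMounts:
-        - mountPath: /etc/teleport
-          name: config
-          readOnly: true
-        - mountPath: /var/lib/teleport
-          name: data
-        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
-          name: auth-serviceaccount-token
-          readOnly: true
-    - args:
-        - echo test2
-      image: alpine
-      name: teleport-init2
-      resources:
-        limits:
-          cpu: 2
-          memory: 4Gi
-        requests:
-          cpu: 1
-          memory: 2Gi
-      volumeMounts:
-        - mountPath: /etc/teleport
-          name: config
-          readOnly: true
-        - mountPath: /var/lib/teleport
-          name: data
-        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
-          name: auth-serviceaccount-token
-          readOnly: true
-should set affinity when set in values:
-  1: |
-    nodeAffinity:
-      requiredDuringSchedulingIgnoredDuringExecution:
-        nodeSelectorTerms:
-          - matchExpressions:
-              - key: gravitational.io/dedicated
-                operator: In
-                values:
-                  - teleport
-should set imagePullSecrets when set in values:
-  1: |
-    - name: myRegistryKeySecretName
-should set nodeSelector when set in values:
-  1: |
-    affinity:
-      podAntiAffinity: null
-    automountServiceAccountToken: false
-    containers:
-      - args:
-          - --diag-addr=0.0.0.0:3000
-          - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
-        image: public.ecr.aws/gravitational/teleport-distroless:14.0.0
-        imagePullPolicy: IfNotPresent
-        lifecycle:
-          preStop:
-            exec:
-              command:
-                - teleport
-                - wait
-                - duration
-                - 30s
-        livenessProbe:
-          failureThreshold: 6
-          httpGet:
-            path: /healthz
-            port: diag
-          initialDelaySeconds: 5
-          periodSeconds: 5
-          timeoutSeconds: 1
-        name: teleport
-        ports:
-          - containerPort: 3000
-            name: diag
-            protocol: TCP
-          - containerPort: 3025
-            name: auth
-            protocol: TCP
-          - containerPort: 3026
-            name: kube
-            protocol: TCP
-        readinessProbe:
-          failureThreshold: 12
-          httpGet:
-            path: /readyz
-            port: diag
-          initialDelaySeconds: 5
-          periodSeconds: 5
-          timeoutSeconds: 1
-        volumeMounts:
-          - mountPath: /etc/teleport
-            name: config
-            readOnly: true
-          - mountPath: /var/lib/teleport
-            name: data
-          - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
-            name: auth-serviceaccount-token
-            readOnly: true
-    nodeSelector:
-      environment: security
-      role: bastion
-    serviceAccountName: RELEASE-NAME
-    terminationGracePeriodSeconds: 60
-    volumes:
-      - name: auth-serviceaccount-token
-        projected:
-          sources:
-            - serviceAccountToken:
-                path: token
-            - configMap:
-                items:
-                  - key: ca.crt
-                    path: ca.crt
-                name: kube-root-ca.crt
-            - downwardAPI:
-                items:
-                  - fieldRef:
-                      fieldPath: metadata.namespace
-                    path: namespace
-      - configMap:
-          name: RELEASE-NAME-auth
-        name: config
-      - name: data
-        persistentVolumeClaim:
-          claimName: RELEASE-NAME
-should set required affinity when highAvailability.requireAntiAffinity is set:
-  1: |
-    podAntiAffinity:
-      requiredDuringSchedulingIgnoredDuringExecution:
-        - labelSelector:
-            matchExpressions:
-              - key: app.kubernetes.io/instance
-                operator: In
-                values:
-                  - RELEASE-NAME
-              - key: app.kubernetes.io/component
-                operator: In
-                values:
-                  - auth
-          topologyKey: kubernetes.io/hostname
-should set resources when set in values:
-  1: |
-    affinity:
-      podAntiAffinity: null
-    automountServiceAccountToken: false
-    containers:
-      - args:
-          - --diag-addr=0.0.0.0:3000
-          - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
-        image: public.ecr.aws/gravitational/teleport-distroless:14.0.0
-        imagePullPolicy: IfNotPresent
-        lifecycle:
-          preStop:
-            exec:
-              command:
-                - teleport
-                - wait
-                - duration
-                - 30s
-        livenessProbe:
-          failureThreshold: 6
-          httpGet:
-            path: /healthz
-            port: diag
-          initialDelaySeconds: 5
-          periodSeconds: 5
-          timeoutSeconds: 1
-        name: teleport
-        ports:
-          - containerPort: 3000
-            name: diag
-            protocol: TCP
-          - containerPort: 3025
-            name: auth
-            protocol: TCP
-          - containerPort: 3026
-            name: kube
-            protocol: TCP
-        readinessProbe:
-          failureThreshold: 12
-          httpGet:
-            path: /readyz
-            port: diag
-          initialDelaySeconds: 5
-          periodSeconds: 5
-          timeoutSeconds: 1
-        resources:
-          limits:
-            cpu: 2
-            memory: 4Gi
-          requests:
-            cpu: 1
-            memory: 2Gi
-        volumeMounts:
-          - mountPath: /etc/teleport
-            name: config
-            readOnly: true
-          - mountPath: /var/lib/teleport
-            name: data
-          - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
-            name: auth-serviceaccount-token
-            readOnly: true
-    serviceAccountName: RELEASE-NAME
-    terminationGracePeriodSeconds: 60
-    volumes:
-      - name: auth-serviceaccount-token
-        projected:
-          sources:
-            - serviceAccountToken:
-                path: token
-            - configMap:
-                items:
-                  - key: ca.crt
-                    path: ca.crt
-                name: kube-root-ca.crt
-            - downwardAPI:
-                items:
-                  - fieldRef:
-                      fieldPath: metadata.namespace
-                    path: namespace
-      - configMap:
-          name: RELEASE-NAME-auth
-        name: config
-      - name: data
-        persistentVolumeClaim:
-          claimName: RELEASE-NAME
-should set securityContext when set in values:
-  1: |
-    affinity:
-      podAntiAffinity: null
-    automountServiceAccountToken: false
-    containers:
-      - args:
-          - --diag-addr=0.0.0.0:3000
-          - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
-        image: public.ecr.aws/gravitational/teleport-distroless:14.0.0
-        imagePullPolicy: IfNotPresent
-        lifecycle:
-          preStop:
-            exec:
-              command:
-                - teleport
-                - wait
-                - duration
-                - 30s
-        livenessProbe:
-          failureThreshold: 6
-          httpGet:
-            path: /healthz
-            port: diag
-          initialDelaySeconds: 5
-          periodSeconds: 5
-          timeoutSeconds: 1
-        name: teleport
-        ports:
-          - containerPort: 3000
-            name: diag
-            protocol: TCP
-          - containerPort: 3025
-            name: auth
-            protocol: TCP
-          - containerPort: 3026
-            name: kube
-            protocol: TCP
-        readinessProbe:
-          failureThreshold: 12
-          httpGet:
-            path: /readyz
-            port: diag
-          initialDelaySeconds: 5
-          periodSeconds: 5
-          timeoutSeconds: 1
-        securityContext:
-          allowPrivilegeEscalation: false
-          privileged: false
-          readOnlyRootFilesystem: false
-          runAsGroup: 99
-          runAsNonRoot: true
-          runAsUser: 99
-        volumeMounts:
-          - mountPath: /etc/teleport
-            name: config
-            readOnly: true
-          - mountPath: /var/lib/teleport
-            name: data
-          - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
-            name: auth-serviceaccount-token
-            readOnly: true
-    serviceAccountName: RELEASE-NAME
-    terminationGracePeriodSeconds: 60
-    volumes:
-      - name: auth-serviceaccount-token
-        projected:
-          sources:
-            - serviceAccountToken:
-                path: token
-            - configMap:
-                items:
-                  - key: ca.crt
-                    path: ca.crt
-                name: kube-root-ca.crt
-            - downwardAPI:
-                items:
-                  - fieldRef:
-                      fieldPath: metadata.namespace
-                    path: namespace
-      - configMap:
-          name: RELEASE-NAME-auth
-        name: config
-      - name: data
-        persistentVolumeClaim:
-          claimName: RELEASE-NAME
-should set tolerations when set in values:
-  1: |
-    - effect: NoExecute
-      key: dedicated
-      operator: Equal
-      value: teleport
-    - effect: NoSchedule
-      key: dedicated
-      operator: Equal
-      value: teleport
-should use OSS image and not mount license when enterprise is not set in values:
-  1: |
-    affinity:
-      podAntiAffinity: null
-    automountServiceAccountToken: false
-    containers:
-      - args:
-          - --diag-addr=0.0.0.0:3000
-          - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
-        image: public.ecr.aws/gravitational/teleport-distroless:12.2.1
-        imagePullPolicy: IfNotPresent
-        lifecycle:
-          preStop:
-            exec:
-              command:
-                - teleport
-                - wait
-                - duration
-                - 30s
-        livenessProbe:
-          failureThreshold: 6
-          httpGet:
-            path: /healthz
-            port: diag
-          initialDelaySeconds: 5
-          periodSeconds: 5
-          timeoutSeconds: 1
-        name: teleport
-        ports:
-          - containerPort: 3000
-            name: diag
-            protocol: TCP
-          - containerPort: 3025
-            name: auth
-            protocol: TCP
-          - containerPort: 3026
-            name: kube
-            protocol: TCP
-        readinessProbe:
-          failureThreshold: 12
-          httpGet:
-            path: /readyz
-            port: diag
-          initialDelaySeconds: 5
-          periodSeconds: 5
-          timeoutSeconds: 1
-        volumeMounts:
-          - mountPath: /etc/teleport
-            name: config
-            readOnly: true
-          - mountPath: /var/lib/teleport
-            name: data
-          - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
-            name: auth-serviceaccount-token
-            readOnly: true
-    serviceAccountName: RELEASE-NAME
-    terminationGracePeriodSeconds: 60
-    volumes:
-      - name: auth-serviceaccount-token
-        projected:
-          sources:
-            - serviceAccountToken:
-                path: token
-            - configMap:
-                items:
-                  - key: ca.crt
-                    path: ca.crt
-                name: kube-root-ca.crt
-            - downwardAPI:
-                items:
-                  - fieldRef:
-                      fieldPath: metadata.namespace
-                    path: namespace
-      - configMap:
-          name: RELEASE-NAME-auth
-        name: config
-      - name: data
-        persistentVolumeClaim:
-          claimName: RELEASE-NAME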


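--- a/PATH_NOT_SHOWN_ON_PAGE_deleted_snapshot_2
+++ /dev/null
@@ -1,495 +0,0 @@
-should provision initContainer correctly when set in values:
-  1: |
-    - command:
-        - teleport
-        - wait
-        - no-resolve
-        - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport-distroless:14.0.0
-      name: wait-auth-update
-    - args:
-        - echo test
-      image: alpine
-      name: teleport-init
-      resources:
-        limits:
-          cpu: 2
-          memory: 4Gi
-        requests:
-          cpu: 1
-          memory: 2Gi
-      volumeMounts:
-        - mountPath: /etc/teleport
-          name: config
-          readOnly: true
-        - mountPath: /var/lib/teleport
-          name: data
-    - args:
-        - echo test2
-      image: alpine
-      name: teleport-init2
-      resources:
-        limits:
-          cpu: 2
-          memory: 4Gi
-        requests:
-          cpu: 1
-          memory: 2Gi
-      volumeMounts:
-        - mountPath: /etc/teleport
-          name: config
-          readOnly: true
-        - mountPath: /var/lib/teleport
-          name: data
-should set affinity when set in values:
-  1: |
-    nodeAffinity:
-      requiredDuringSchedulingIgnoredDuringExecution:
-        nodeSelectorTerms:
-          - matchExpressions:
-              - key: gravitational.io/dedicated
-                operator: In
-                values:
-                  - teleport
-should set imagePullSecrets when set in values:
-  1: |
-    - name: myRegistryKeySecretName
-should set nodeSelector when set in values:
-  1: |
-    affinity:
-      podAntiAffinity: null
-    automountServiceAccountToken: false
-    containers:
-      - args:
-          - --diag-addr=0.0.0.0:3000
-        image: public.ecr.aws/gravitational/teleport-distroless:14.0.0
-        imagePullPolicy: IfNotPresent
-        lifecycle:
-          preStop:
-            exec:
-              command:
-                - teleport
-                - wait
-                - duration
-                - 30s
-        livenessProbe:
-          failureThreshold: 6
-          httpGet:
-            path: /healthz
-            port: diag
-          initialDelaySeconds: 5
-          periodSeconds: 5
-          timeoutSeconds: 1
-        name: teleport
-        ports:
-          - containerPort: 3080
-            name: tls
-            protocol: TCP
-          - containerPort: 3023
-            name: sshproxy
-            protocol: TCP
-          - containerPort: 3024
-            name: sshtun
-            protocol: TCP
-          - containerPort: 3026
-            name: kube
-            protocol: TCP
-          - containerPort: 3036
-            name: mysql
-            protocol: TCP
-          - containerPort: 3000
-            name: diag
-            protocol: TCP
-        readinessProbe:
-          failureThreshold: 12
-          httpGet:
-            path: /readyz
-            port: diag
-          initialDelaySeconds: 5
-          periodSeconds: 5
-          timeoutSeconds: 1
-        volumeMounts:
-          - mountPath: /etc/teleport
-            name: config
-            readOnly: true
-          - mountPath: /var/lib/teleport
-            name: data
-          - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
-            name: proxy-serviceaccount-token
-            readOnly: true
-    initContainers:
-      - command:
-          - teleport
-          - wait
-          - no-resolve
-          - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
-        image: public.ecr.aws/gravitational/teleport-distroless:14.0.0
-        name: wait-auth-update
-    nodeSelector:
-      environment: security
-      role: bastion
-    serviceAccountName: RELEASE-NAME-proxy
-    terminationGracePeriodSeconds: 60
-    volumes:
-      - name: proxy-serviceaccount-token
-        projected:
-          sources:
-            - serviceAccountToken:
-                path: token
-            - configMap:
-                items:
-                  - key: ca.crt
-                    path: ca.crt
-                name: kube-root-ca.crt
-            - downwardAPI:
-                items:
-                  - fieldRef:
-                      fieldPath: metadata.namespace
-                    path: namespace
-      - configMap:
-          name: RELEASE-NAME-proxy
-        name: config
-      - emptyDir: {}
-        name: data
-should set required affinity when highAvailability.requireAntiAffinity is set:
-  1: |
-    podAntiAffinity:
-      requiredDuringSchedulingIgnoredDuringExecution:
-        - labelSelector:
-            matchExpressions:
-              - key: app.kubernetes.io/instance
-                operator: In
-                values:
-                  - RELEASE-NAME
-              - key: app.kubernetes.io/component
-                operator: In
-                values:
-                  - proxy
-          topologyKey: kubernetes.io/hostname
-should set resources when set in values:
-  1: |
-    affinity:
-      podAntiAffinity: null
-    automountServiceAccountToken: false
-    containers:
-      - args:
-          - --diag-addr=0.0.0.0:3000
-        image: public.ecr.aws/gravitational/teleport-distroless:14.0.0
-        imagePullPolicy: IfNotPresent
-        lifecycle:
-          preStop:
-            exec:
-              command:
-                - teleport
-                - wait
-                - duration
-                - 30s
-        livenessProbe:
-          failureThreshold: 6
-          httpGet:
-            path: /healthz
-            port: diag
-          initialDelaySeconds: 5
-          periodSeconds: 5
-          timeoutSeconds: 1
-        name: teleport
-        ports:
-          - containerPort: 3080
-            name: tls
-            protocol: TCP
-          - containerPort: 3023
-            name: sshproxy
-            protocol: TCP
-          - containerPort: 3024
-            name: sshtun
-            protocol: TCP
-          - containerPort: 3026
-            name: kube
-            protocol: TCP
-          - containerPort: 3036
-            name: mysql
-            protocol: TCP
-          - containerPort: 3000
-            name: diag
-            protocol: TCP
-        readinessProbe:
-          failureThreshold: 12
-          httpGet:
-            path: /readyz
-            port: diag
-          initialDelaySeconds: 5
-          periodSeconds: 5
-          timeoutSeconds: 1
-        resources:
-          limits:
-            cpu: 2
-            memory: 4Gi
-          requests:
-            cpu: 1
-            memory: 2Gi
-        volumeMounts:
-          - mountPath: /etc/teleport
-            name: config
-            readOnly: true
-          - mountPath: /var/lib/teleport
-            name: data
-          - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
-            name: proxy-serviceaccount-token
-            readOnly: true
-    initContainers:
-      - command:
-          - teleport
-          - wait
-          - no-resolve
-          - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
-        image: public.ecr.aws/gravitational/teleport-distroless:14.0.0
-        name: wait-auth-update
-    serviceAccountName: RELEASE-NAME-proxy
-    terminationGracePeriodSeconds: 60
-    volumes:
-      - name: proxy-serviceaccount-token
-        projected:
-          sources:
-            - serviceAccountToken:
-                path: token
-            - configMap:
-                items:
-                  - key: ca.crt
-                    path: ca.crt
-                name: kube-root-ca.crt
-            - downwardAPI:
-                items:
-                  - fieldRef:
-                      fieldPath: metadata.namespace
-                    path: namespace
-      - configMap:
-          name: RELEASE-NAME-proxy
-        name: config
-      - emptyDir: {}
-        name: data
-should set securityContext for initContainers when set in values:
-  1: |
-    affinity:
-      podAntiAffinity: null
-    automountServiceAccountToken: false
-    containers:
-      - args:
-          - --diag-addr=0.0.0.0:3000
-        image: public.ecr.aws/gravitational/teleport-distroless:14.0.0
-        imagePullPolicy: IfNotPresent
-        lifecycle:
-          preStop:
-            exec:
-              command:
-                - teleport
-                - wait
-                - duration
-                - 30s
-        livenessProbe:
-          failureThreshold: 6
-          httpGet:
-            path: /healthz
-            port: diag
-          initialDelaySeconds: 5
-          periodSeconds: 5
-          timeoutSeconds: 1
-        name: teleport
-        ports:
-          - containerPort: 3080
-            name: tls
-            protocol: TCP
-          - containerPort: 3023
-            name: sshproxy
-            protocol: TCP
-          - containerPort: 3024
-            name: sshtun
-            protocol: TCP
-          - containerPort: 3026
-            name: kube
-            protocol: TCP
-          - containerPort: 3036
-            name: mysql
-            protocol: TCP
-          - containerPort: 3000
-            name: diag
-            protocol: TCP
-        readinessProbe:
-          failureThreshold: 12
-          httpGet:
-            path: /readyz
-            port: diag
-          initialDelaySeconds: 5
-          periodSeconds: 5
-          timeoutSeconds: 1
-        securityContext:
-          allowPrivilegeEscalation: false
-          privileged: false
-          readOnlyRootFilesystem: false
-          runAsGroup: 99
-          runAsNonRoot: true
-          runAsUser: 99
-        volumeMounts:
-          - mountPath: /etc/teleport
-            name: config
-            readOnly: true
-          - mountPath: /var/lib/teleport
-            name: data
-          - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
-            name: proxy-serviceaccount-token
-            readOnly: true
-    initContainers:
-      - command:
-          - teleport
-          - wait
-          - no-resolve
-          - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
-        image: public.ecr.aws/gravitational/teleport-distroless:14.0.0
-        name: wait-auth-update
-        securityContext:
-          allowPrivilegeEscalation: false
-          privileged: false
-          readOnlyRootFilesystem: false
-          runAsGroup: 99
-          runAsNonRoot: true
-          runAsUser: 99
-    serviceAccountName: RELEASE-NAME-proxy
-    terminationGracePeriodSeconds: 60
-    volumes:
-      - name: proxy-serviceaccount-token
-        projected:
-          sources:
-            - serviceAccountToken:
-                path: token
-            - configMap:
-                items:
-                  - key: ca.crt
-                    path: ca.crt
-                name: kube-root-ca.crt
-            - downwardAPI:
-                items:
-                  - fieldRef:
-                      fieldPath: metadata.namespace
-                    path: namespace
-      - configMap:
-          name: RELEASE-NAME-proxy
-        name: config
-      - emptyDir: {}
-        name: data
-should set securityContext when set in values:
-  1: |
-    affinity:
-      podAntiAffinity: null
-    automountServiceAccountToken: false
-    containers:
-      - args:
-          - --diag-addr=0.0.0.0:3000
-        image: public.ecr.aws/gravitational/teleport-distroless:14.0.0
-        imagePullPolicy: IfNotPresent
-        lifecycle:
-          preStop:
-            exec:
-              command:
-                - teleport
-                - wait
-                - duration
-                - 30s
-        livenessProbe:
-          failureThreshold: 6
-          httpGet:
-            path: /healthz
-            port: diag
-          initialDelaySeconds: 5
-          periodSeconds: 5
-          timeoutSeconds: 1
-        name: teleport
-        ports:
-          - containerPort: 3080
-            name: tls
-            protocol: TCP
-          - containerPort: 3023
-            name: sshproxy
-            protocol: TCP
-          - containerPort: 3024
-            name: sshtun
-            protocol: TCP
-          - containerPort: 3026
-            name: kube
-            protocol: TCP
-          - containerPort: 3036
-            name: mysql
-            protocol: TCP
-          - containerPort: 3000
-            name: diag
-            protocol: TCP
-        readinessProbe:
-          failureThreshold: 12
-          httpGet:
-            path: /readyz
-            port: diag
-          initialDelaySeconds: 5
-          periodSeconds: 5
-          timeoutSeconds: 1
-        securityContext:
-          allowPrivilegeEscalation: false
-          privileged: false
-          readOnlyRootFilesystem: false
-          runAsGroup: 99
-          runAsNonRoot: true
-          runAsUser: 99
-        volumeMounts:
-          - mountPath: /etc/teleport
-            name: config
-            readOnly: true
-          - mountPath: /var/lib/teleport
-            name: data
-          - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
-            name: proxy-serviceaccount-token
-            readOnly: true
-    initContainers:
-      - command:
-          - teleport
-          - wait
-          - no-resolve
-          - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
-        image: public.ecr.aws/gravitational/teleport-distroless:14.0.0
-        name: wait-auth-update
-        securityContext:
-          allowPrivilegeEscalation: false
-          privileged: false
-          readOnlyRootFilesystem: false
-          runAsGroup: 99
-          runAsNonRoot: true
-          runAsUser: 99
-    serviceAccountName: RELEASE-NAME-proxy
-    terminationGracePeriodSeconds: 60
-    volumes:
-      - name: proxy-serviceaccount-token
-        projected:
-          sources:
-            - serviceAccountToken:
-                path: token
-            - configMap:
-                items:
-                  - key: ca.crt
-                    path: ca.crt
-                name: kube-root-ca.crt
-            - downwardAPI:
-                items:
-                  - fieldRef:
-                      fieldPath: metadata.namespace
-                    path: namespace
-      - configMap:
-          name: RELEASE-NAME-proxy
-        name: config
-      - emptyDir: {}
-        name: data
-should set tolerations when set in values:
-  1: |
-    - effect: NoExecute
-      key: dedicated
-      operator: Equal
-      value: teleport
-    - effect: NoSchedule
-      key: dedicated
-      operator: Equal
-      value: teleport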


@ -1,826 +0,0 @@
suite: Auth Deployment
templates:
- auth/deployment.yaml
- auth/config.yaml
tests:
- it: sets Statefulset annotations when specified
template: auth/deployment.yaml
values:
- ../.lint/annotations.yaml
asserts:
- equal:
path: metadata.annotations.kubernetes\.io/deployment
value: test-annotation
- equal:
path: metadata.annotations.kubernetes\.io/deployment-different
value: 3
- it: sets Pod annotations when specified
template: auth/deployment.yaml
values:
- ../.lint/annotations.yaml
asserts:
- equal:
path: spec.template.metadata.annotations.kubernetes\.io/pod
value: test-annotation
- equal:
path: spec.template.metadata.annotations.kubernetes\.io/pod-different
value: 4
- it: should not have more than one replica in standalone mode
template: auth/deployment.yaml
set:
chartMode: standalone
clusterName: helm-lint.example.com
asserts:
- equal:
path: spec.replicas
value: 1
- it: should have multiple replicas when replicaCount is set
template: auth/deployment.yaml
set:
chartMode: scratch
clusterName: helm-lint.example.com
highAvailability:
replicaCount: 3
asserts:
- equal:
path: spec.replicas
value: 3
- it: should set affinity when set in values
template: auth/deployment.yaml
set:
clusterName: helm-lint.example.com
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: gravitational.io/dedicated
operator: In
values:
- teleport
asserts:
- isNotNull:
path: spec.template.spec.affinity
- matchSnapshot:
path: spec.template.spec.affinity
- it: should set nodeSelector when set in values
template: auth/deployment.yaml
set:
chartMode: scratch
clusterName: helm-lint.example.com
nodeSelector:
role: bastion
environment: security
asserts:
- isNotNull:
path: spec.template.spec.nodeSelector
- matchSnapshot:
path: spec.template.spec
- it: should set required affinity when highAvailability.requireAntiAffinity is set
template: auth/deployment.yaml
values:
- ../.lint/aws-ha-antiaffinity.yaml
asserts:
- isNotNull:
path: spec.template.spec.affinity
- isNotNull:
path: spec.template.spec.affinity.podAntiAffinity
- isNotNull:
path: spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution
- matchSnapshot:
path: spec.template.spec.affinity
- it: should set tolerations when set in values
template: auth/deployment.yaml
values:
- ../.lint/tolerations.yaml
asserts:
- isNotNull:
path: spec.template.spec.tolerations
- matchSnapshot:
path: spec.template.spec.tolerations
- it: should set resources when set in values
template: auth/deployment.yaml
values:
- ../.lint/resources.yaml
asserts:
- equal:
path: spec.template.spec.containers[0].resources.limits.cpu
value: 2
- equal:
path: spec.template.spec.containers[0].resources.limits.memory
value: 4Gi
- equal:
path: spec.template.spec.containers[0].resources.requests.cpu
value: 1
- equal:
path: spec.template.spec.containers[0].resources.requests.memory
value: 2Gi
- matchSnapshot:
path: spec.template.spec
- it: should set securityContext when set in values
template: auth/deployment.yaml
values:
- ../.lint/security-context.yaml
asserts:
- equal:
path: spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation
value: false
- equal:
path: spec.template.spec.containers[0].securityContext.privileged
value: false
- equal:
path: spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem
value: false
- equal:
path: spec.template.spec.containers[0].securityContext.runAsGroup
value: 99
- equal:
path: spec.template.spec.containers[0].securityContext.runAsNonRoot
value: true
- equal:
path: spec.template.spec.containers[0].securityContext.runAsUser
value: 99
- matchSnapshot:
path: spec.template.spec
- it: should not set securityContext when is empty object (default value)
template: auth/deployment.yaml
values:
- ../.lint/security-context-empty.yaml
asserts:
- isNull:
path: spec.template.spec.containers[0].securityContext
# we can't use the dynamic chart version or appVersion as a variable in the tests,
# so we override it manually and check that gets set instead
# this saves us having to update the test every time we cut a new release
- it: should use enterprise image and mount license when enterprise is set in values
template: auth/deployment.yaml
set:
clusterName: helm-lint.example.com
enterprise: true
teleportVersionOverride: 12.2.1
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: public.ecr.aws/gravitational/teleport-ent-distroless:12.2.1
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /var/lib/license
name: "license"
readOnly: true
- contains:
path: spec.template.spec.volumes
content:
name: license
secret:
secretName: license
- it: should use OSS image and not mount license when enterprise is not set in values
template: auth/deployment.yaml
set:
clusterName: helm-lint
teleportVersionOverride: 12.2.1
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: public.ecr.aws/gravitational/teleport-distroless:12.2.1
- notContains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /var/lib/license
name: "license"
readOnly: true
- notContains:
path: spec.template.spec.volumes
content:
name: license
secret:
secretName: license
- matchSnapshot:
path: spec.template.spec
- it: should mount GCP credentials in GCP mode
template: auth/deployment.yaml
values:
- ../.lint/gcp-ha.yaml
asserts:
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /etc/teleport-secrets
name: "gcp-credentials"
readOnly: true
- contains:
path: spec.template.spec.volumes
content:
name: gcp-credentials
secret:
secretName: teleport-gcp-credentials
- it: should not mount secret when credentialSecretName is blank in values
template: auth/deployment.yaml
values:
- ../.lint/gcp-ha-workload.yaml
asserts:
- notContains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /etc/teleport-secrets
name: "gcp-credentials"
readOnly: true
- notContains:
path: spec.template.spec.volumes
content:
name: gcp-credentials
secret:
secretName: teleport-gcp-credentials
- it: should mount GCP credentials for initContainer in GCP mode
template: auth/deployment.yaml
values:
- ../.lint/gcp-ha.yaml
- ../.lint/initcontainers.yaml
asserts:
- contains:
path: spec.template.spec.initContainers[0].volumeMounts
content:
mountPath: /etc/teleport-secrets
name: "gcp-credentials"
readOnly: true
- it: should mount ConfigMap containing Teleport config
template: auth/deployment.yaml
set:
clusterName: helm-lint.example.com
asserts:
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /etc/teleport
name: "config"
readOnly: true
- contains:
path: spec.template.spec.volumes
content:
name: config
configMap:
name: RELEASE-NAME-auth
- it: should mount extraVolumes and extraVolumeMounts on container and initContainers
template: auth/deployment.yaml
values:
- ../.lint/volumes.yaml
- ../.lint/initcontainers.yaml
asserts:
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /path/to/mount
name: my-mount
- contains:
path: spec.template.spec.initContainers[0].volumeMounts
content:
mountPath: /path/to/mount
name: my-mount
- contains:
path: spec.template.spec.initContainers[1].volumeMounts
content:
mountPath: /path/to/mount
name: my-mount
- contains:
path: spec.template.spec.volumes
content:
name: my-mount
secret:
secretName: mySecret
- it: should set imagePullPolicy when set in values
template: auth/deployment.yaml
set:
clusterName: helm-lint.example.com
imagePullPolicy: Always
asserts:
- equal:
path: spec.template.spec.containers[0].imagePullPolicy
value: Always
- it: should set environment when extraEnv set in values
template: auth/deployment.yaml
values:
- ../.lint/extra-env.yaml
asserts:
- contains:
path: spec.template.spec.containers[0].env
content:
name: SOME_ENVIRONMENT_VARIABLE
value: "some-value"
- it: should set imagePullSecrets when set in values
template: auth/deployment.yaml
values:
- ../.lint/imagepullsecrets.yaml
asserts:
- equal:
path: spec.template.spec.imagePullSecrets[0].name
value: myRegistryKeySecretName
- matchSnapshot:
path: spec.template.spec.imagePullSecrets
- it: should provision initContainer correctly when set in values
template: auth/deployment.yaml
values:
- ../.lint/initcontainers.yaml
- ../.lint/resources.yaml
- ../.lint/extra-env.yaml
asserts:
- contains:
path: spec.template.spec.initContainers[0].args
content: "echo test"
- equal:
path: spec.template.spec.initContainers[0].name
value: "teleport-init"
- equal:
path: spec.template.spec.initContainers[0].image
value: "alpine"
- equal:
path: spec.template.spec.initContainers[0].resources.limits.cpu
value: 2
- equal:
path: spec.template.spec.initContainers[0].resources.limits.memory
value: 4Gi
- equal:
path: spec.template.spec.initContainers[0].resources.requests.cpu
value: 1
- equal:
path: spec.template.spec.initContainers[0].resources.requests.memory
value: 2Gi
- contains:
path: spec.template.spec.initContainers[1].args
content: "echo test2"
- equal:
path: spec.template.spec.initContainers[1].name
value: "teleport-init2"
- equal:
path: spec.template.spec.initContainers[1].image
value: "alpine"
- equal:
path: spec.template.spec.initContainers[1].resources.limits.cpu
value: 2
- equal:
path: spec.template.spec.initContainers[1].resources.limits.memory
value: 4Gi
- equal:
path: spec.template.spec.initContainers[1].resources.requests.cpu
value: 1
- equal:
path: spec.template.spec.initContainers[1].resources.requests.memory
value: 2Gi
- matchSnapshot:
path: spec.template.spec.initContainers
- it: should add insecureSkipProxyTLSVerify to args when set in values
template: auth/deployment.yaml
set:
clusterName: helm-lint.example.com
insecureSkipProxyTLSVerify: true
asserts:
- contains:
path: spec.template.spec.containers[0].args
content: "--insecure"
- it: should expose diag port
template: auth/deployment.yaml
set:
clusterName: helm-lint.example.com
asserts:
- contains:
path: spec.template.spec.containers[0].ports
content:
name: diag
containerPort: 3000
protocol: TCP
- it: should expose auth port
template: auth/deployment.yaml
set:
clusterName: helm-lint.example.com
asserts:
- contains:
path: spec.template.spec.containers[0].ports
content:
name: auth
containerPort: 3025
protocol: TCP
- it: should expose kube port
template: auth/deployment.yaml
set:
clusterName: helm-lint.example.com
asserts:
- contains:
path: spec.template.spec.containers[0].ports
content:
name: kube
containerPort: 3026
protocol: TCP
- it: should set postStart command if set in values
template: auth/deployment.yaml
set:
clusterName: helm-lint.example.com
postStart:
command: ["/bin/echo", "test"]
asserts:
- equal:
path: spec.template.spec.containers[0].lifecycle.postStart.exec.command
value: ["/bin/echo", "test"]
- it: should add PersistentVolumeClaim as volume when in standalone mode and persistence.enabled is true
template: auth/deployment.yaml
set:
chartMode: standalone
clusterName: helm-lint.example.com
persistence:
enabled: true
asserts:
- contains:
path: spec.template.spec.volumes
content:
name: data
persistentVolumeClaim:
claimName: RELEASE-NAME
- it: should not add PersistentVolumeClaim as volume when in standalone mode and persistence.enabled is false
template: auth/deployment.yaml
set:
chartMode: standalone
clusterName: helm-lint.example.com
persistence:
enabled: false
asserts:
- notContains:
path: spec.template.spec.volumes
content:
name: data
persistentVolumeClaim:
claimName: RELEASE-NAME
- it: should add PersistentVolumeClaim as volume when in scratch mode and persistence.enabled is true
template: auth/deployment.yaml
set:
chartMode: scratch
clusterName: helm-lint.example.com
persistence:
enabled: true
asserts:
- contains:
path: spec.template.spec.volumes
content:
name: data
persistentVolumeClaim:
claimName: RELEASE-NAME
- it: should not add PersistentVolumeClaim as volume when in scratch mode and persistence.enabled is false
template: auth/deployment.yaml
set:
chartMode: scratch
clusterName: helm-lint.example.com
persistence:
enabled: false
asserts:
- notContains:
path: spec.template.spec.volumes
content:
name: data
persistentVolumeClaim:
claimName: RELEASE-NAME
- it: should add an operator side-car when operator is enabled
template: auth/deployment.yaml
values:
- ../.lint/operator.yaml
asserts:
- equal:
path: spec.template.spec.containers[1].name
value: operator
- matchSnapshot:
path: spec.template.spec.containers[1]
- it: should add named PersistentVolumeClaim as volume when in standalone mode, persistence.existingClaimName is set and persistence.enabled is true
template: auth/deployment.yaml
values:
- ../.lint/standalone-existingpvc.yaml
asserts:
- contains:
path: spec.template.spec.volumes
content:
name: data
persistentVolumeClaim:
claimName: teleport-storage
- it: should not add named PersistentVolumeClaim as volume when in standalone mode, persistence.existingClaimName is set but persistence.enabled is false
template: auth/deployment.yaml
values:
- ../.lint/standalone-existingpvc.yaml
set:
persistence:
enabled: false
asserts:
- notContains:
path: spec.template.spec.volumes
content:
name: data
persistentVolumeClaim:
claimName: teleport-storage
- it: should add named PersistentVolumeClaim as volume when in scratch mode and persistence.existingClaimName is set
template: auth/deployment.yaml
values:
- ../.lint/standalone-existingpvc.yaml
asserts:
- contains:
path: spec.template.spec.volumes
content:
name: data
persistentVolumeClaim:
claimName: teleport-storage
- it: should not add named PersistentVolumeClaim as volume when in scratch mode, persistence.existingClaimName is set and persistence.enabled is false
template: auth/deployment.yaml
values:
- ../.lint/standalone-existingpvc.yaml
set:
persistence:
enabled: false
asserts:
- notContains:
path: spec.template.spec.volumes
content:
name: data
persistentVolumeClaim:
claimName: teleport-storage
- matchSnapshot:
path: spec.template.spec
- it: should add emptyDir for data in AWS mode
template: auth/deployment.yaml
values:
- ../.lint/aws-ha.yaml
asserts:
- contains:
path: spec.template.spec.volumes
content:
name: data
emptyDir: {}
- it: should add emptyDir for data in GCP mode
template: auth/deployment.yaml
values:
- ../.lint/gcp-ha.yaml
asserts:
- contains:
path: spec.template.spec.volumes
content:
name: data
emptyDir: {}
- it: should set priorityClassName when set in values
template: auth/deployment.yaml
values:
- ../.lint/priority-class-name.yaml
asserts:
- equal:
path: spec.template.spec.priorityClassName
value: system-cluster-critical
- it: should set probeTimeoutSeconds when set in values
template: auth/deployment.yaml
values:
- ../.lint/probe-timeout-seconds.yaml
asserts:
- equal:
path: spec.template.spec.containers[0].livenessProbe.timeoutSeconds
value: 5
- equal:
path: spec.template.spec.containers[0].readinessProbe.timeoutSeconds
value: 5
- it: should mount tls.existingCASecretName and set environment when set in values
template: auth/deployment.yaml
values:
- ../.lint/existing-tls-secret-with-ca.yaml
asserts:
- contains:
path: spec.template.spec.volumes
content:
name: teleport-tls-ca
secret:
secretName: helm-lint-existing-tls-secret-ca
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /etc/teleport-tls-ca
name: teleport-tls-ca
readOnly: true
- contains:
path: spec.template.spec.containers[0].env
content:
name: SSL_CERT_FILE
value: /etc/teleport-tls-ca/ca.pem
- it: should mount tls.existingCASecretName and set extra environment when set in values
template: auth/deployment.yaml
values:
- ../.lint/existing-tls-secret-with-ca.yaml
- ../.lint/extra-env.yaml
asserts:
- contains:
path: spec.template.spec.volumes
content:
name: teleport-tls-ca
secret:
secretName: helm-lint-existing-tls-secret-ca
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /etc/teleport-tls-ca
name: teleport-tls-ca
readOnly: true
- contains:
path: spec.template.spec.containers[0].env
content:
name: SSL_CERT_FILE
value: /etc/teleport-tls-ca/ca.pem
- contains:
path: spec.template.spec.containers[0].env
content:
name: SOME_ENVIRONMENT_VARIABLE
value: some-value
- it: should set minReadySeconds when replicaCount > 1
template: auth/deployment.yaml
set:
chartMode: scratch
highAvailability:
minReadySeconds: 60
replicaCount: 3
asserts:
- equal:
path: spec.minReadySeconds
value: 60
- it: should not set minReadySeconds when replicaCount = 1
template: auth/deployment.yaml
set:
chartMode: scratch
highAvailability:
minReadySeconds: 60
replicaCount: 1
asserts:
- equal:
path: spec.minReadySeconds
value: null
- it: should use Recreate strategy when replicaCount = 1
template: auth/deployment.yaml
set:
chartMode: scratch
highAvailability:
replicaCount: 1
asserts:
- equal:
path: spec.strategy.type
value: Recreate
- it: should not set strategy when replicaCount > 1
template: auth/deployment.yaml
set:
chartMode: scratch
highAvailability:
replicaCount: 2
asserts:
- equal:
path: spec.strategy.type
value: RollingUpdate
- it: should not perform surge rolling updates when replicaCount > 1
template: auth/deployment.yaml
set:
chartMode: scratch
highAvailability:
replicaCount: 2
asserts:
- equal:
path: spec.strategy.rollingUpdate.maxSurge
value: 0
- equal:
path: spec.strategy.rollingUpdate.maxUnavailable
value: 1
- it: mounts regular tokens on older Kubernetes versions
template: auth/deployment.yaml
set:
clusterName: helm-lint
operator:
enabled: true
capabilities:
majorVersion: 1
minorVersion: 18
asserts:
- notEqual:
path: spec.template.spec.automountServiceAccountToken
value: false
- notContains:
path: spec.template.spec.volumes
content:
name: auth-serviceaccount-token
projected:
sources:
- serviceAccountToken:
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- path: "namespace"
fieldRef:
fieldPath: metadata.namespace
- notContains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: auth-serviceaccount-token
readOnly: true
- notContains:
path: spec.template.spec.containers[1].volumeMounts
content:
mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: auth-serviceaccount-token
readOnly: true
- it: mounts tokens through projected volumes on newer Kubernetes versions
template: auth/deployment.yaml
set:
clusterName: helm-lint
operator:
enabled: true
capabilities:
majorVersion: 1
minorVersion: 21
asserts:
- equal:
path: spec.template.spec.automountServiceAccountToken
value: false
- contains:
path: spec.template.spec.volumes
content:
name: auth-serviceaccount-token
projected:
sources:
- serviceAccountToken:
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- path: "namespace"
fieldRef:
fieldPath: metadata.namespace
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: auth-serviceaccount-token
readOnly: true
- contains:
path: spec.template.spec.containers[1].volumeMounts
content:
mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: auth-serviceaccount-token
readOnly: true
- it: should add the azure workload identity label to auth pods in azure mode
template: auth/deployment.yaml
set:
chartMode: azure
clusterName: teleport.example.com
asserts:
- equal:
path: spec.template.metadata.labels.azure\.workload\.identity/use
value: "true"


@ -1,899 +0,0 @@
suite: Proxy Deployment
templates:
- proxy/deployment.yaml
- proxy/config.yaml
tests:
- it: sets Deployment annotations when specified
template: proxy/deployment.yaml
values:
- ../.lint/annotations.yaml
asserts:
- equal:
path: metadata.annotations.kubernetes\.io/deployment
value: test-annotation
- equal:
path: metadata.annotations.kubernetes\.io/deployment-different
value: 3
- it: sets Pod annotations when specified
template: proxy/deployment.yaml
values:
- ../.lint/annotations.yaml
asserts:
- equal:
path: spec.template.metadata.annotations.kubernetes\.io/pod
value: test-annotation
- equal:
path: spec.template.metadata.annotations.kubernetes\.io/pod-different
value: 4
- it: should not have more than one replica if no certificate is passed
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
asserts:
- equal:
path: spec.replicas
value: 1
- it: should have multiple replicas by default when a certificate is passed through a secret
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
tls:
existingSecretName: my-certs
asserts:
- equal:
path: spec.replicas
value: 2
- it: should have multiple replicas by default when certManager is configured
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
highAvailability:
certManager:
enabled: true
asserts:
- equal:
path: spec.replicas
value: 2
- it: should have multiple replicas when global replicaCount is set and a certificate is passed
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
highAvailability:
replicaCount: 3
certManager:
enabled: true
asserts:
- equal:
path: spec.replicas
value: 3
- it: should have a single replica when proxy-specific replicaCount is set to 1 and a cert is passed
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
highAvailability:
certManager:
enabled: true
proxy:
highAvailability:
replicaCount: 1
asserts:
- equal:
path: spec.replicas
value: 1
- it: should set affinity when set in values
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
highAvailability:
replicaCount: 3
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: gravitational.io/dedicated
operator: In
values:
- teleport
asserts:
- isNotNull:
path: spec.template.spec.affinity
- matchSnapshot:
path: spec.template.spec.affinity
- it: should set required affinity when highAvailability.requireAntiAffinity is set
template: proxy/deployment.yaml
values:
- ../.lint/aws-ha-antiaffinity.yaml
asserts:
- isNotNull:
path: spec.template.spec.affinity
- isNotNull:
path: spec.template.spec.affinity.podAntiAffinity
- isNotNull:
path: spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution
- matchSnapshot:
path: spec.template.spec.affinity
- it: should set tolerations when set in values
template: proxy/deployment.yaml
values:
- ../.lint/tolerations.yaml
asserts:
- isNotNull:
path: spec.template.spec.tolerations
- matchSnapshot:
path: spec.template.spec.tolerations
- it: should set resources when set in values
template: proxy/deployment.yaml
values:
- ../.lint/resources.yaml
asserts:
- equal:
path: spec.template.spec.containers[0].resources.limits.cpu
value: 2
- equal:
path: spec.template.spec.containers[0].resources.limits.memory
value: 4Gi
- equal:
path: spec.template.spec.containers[0].resources.requests.cpu
value: 1
- equal:
path: spec.template.spec.containers[0].resources.requests.memory
value: 2Gi
- matchSnapshot:
path: spec.template.spec
- it: should set securityContext when set in values
template: proxy/deployment.yaml
values:
- ../.lint/security-context.yaml
asserts:
- equal:
path: spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation
value: false
- equal:
path: spec.template.spec.containers[0].securityContext.privileged
value: false
- equal:
path: spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem
value: false
- equal:
path: spec.template.spec.containers[0].securityContext.runAsGroup
value: 99
- equal:
path: spec.template.spec.containers[0].securityContext.runAsNonRoot
value: true
- equal:
path: spec.template.spec.containers[0].securityContext.runAsUser
value: 99
- matchSnapshot:
path: spec.template.spec
- it: should not set securityContext when is empty object (default value)
template: proxy/deployment.yaml
values:
- ../.lint/security-context-empty.yaml
asserts:
- isNull:
path: spec.template.spec.containers[0].securityContext
- it: should set securityContext for initContainers when set in values
template: proxy/deployment.yaml
values:
- ../.lint/security-context.yaml
asserts:
- equal:
path: spec.template.spec.initContainers[0].securityContext.allowPrivilegeEscalation
value: false
- equal:
path: spec.template.spec.initContainers[0].securityContext.privileged
value: false
- equal:
path: spec.template.spec.initContainers[0].securityContext.readOnlyRootFilesystem
value: false
- equal:
path: spec.template.spec.initContainers[0].securityContext.runAsGroup
value: 99
- equal:
path: spec.template.spec.initContainers[0].securityContext.runAsNonRoot
value: true
- equal:
path: spec.template.spec.initContainers[0].securityContext.runAsUser
value: 99
- matchSnapshot:
path: spec.template.spec
- it: should not set securityContext for initContainers when is empty object (default value)
template: proxy/deployment.yaml
values:
- ../.lint/security-context-empty.yaml
asserts:
- isNull:
path: spec.template.spec.initContainers[0].securityContext
# we can't use the dynamic chart version or appVersion as a variable in the tests,
# so we override it manually and check that gets set instead
# this saves us having to update the test every time we cut a new release
- it: should use enterprise image when enterprise is set in values
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
enterprise: true
teleportVersionOverride: 12.2.1
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: public.ecr.aws/gravitational/teleport-ent-distroless:12.2.1
- it: should use OSS image when enterprise is not set in values
template: proxy/deployment.yaml
set:
clusterName: helm-lint
teleportVersionOverride: 12.2.1
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: public.ecr.aws/gravitational/teleport-distroless:12.2.1
- it: should mount TLS certs when cert-manager is enabled
template: proxy/deployment.yaml
values:
- ../.lint/gcp-ha-acme.yaml
- ../.lint/initcontainers.yaml
asserts:
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /etc/teleport-tls
name: "teleport-tls"
readOnly: true
- contains:
path: spec.template.spec.volumes
content:
name: teleport-tls
secret:
secretName: teleport-tls
- contains:
path: spec.template.spec.initContainers[1].volumeMounts
content:
mountPath: /etc/teleport-tls
name: "teleport-tls"
readOnly: true
- contains:
path: spec.template.spec.initContainers[2].volumeMounts
content:
mountPath: /etc/teleport-tls
name: "teleport-tls"
readOnly: true
- it: should mount ConfigMap containing Teleport config
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
asserts:
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /etc/teleport
name: "config"
readOnly: true
- contains:
path: spec.template.spec.volumes
content:
name: config
configMap:
name: RELEASE-NAME-proxy
- it: should mount extraVolumes and extraVolumeMounts on container and initContainers
template: proxy/deployment.yaml
values:
- ../.lint/volumes.yaml
- ../.lint/initcontainers.yaml
asserts:
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /path/to/mount
name: my-mount
- contains:
path: spec.template.spec.initContainers[1].volumeMounts
content:
mountPath: /path/to/mount
name: my-mount
- contains:
path: spec.template.spec.initContainers[2].volumeMounts
content:
mountPath: /path/to/mount
name: my-mount
- contains:
path: spec.template.spec.volumes
content:
name: my-mount
secret:
secretName: mySecret
- it: should set imagePullPolicy when set in values
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
imagePullPolicy: Always
asserts:
- equal:
path: spec.template.spec.containers[0].imagePullPolicy
value: Always
- it: should set environment when extraEnv set in values
template: proxy/deployment.yaml
values:
- ../.lint/extra-env.yaml
asserts:
- contains:
path: spec.template.spec.containers[0].env
content:
name: SOME_ENVIRONMENT_VARIABLE
value: "some-value"
- it: should set imagePullSecrets when set in values
template: proxy/deployment.yaml
values:
- ../.lint/imagepullsecrets.yaml
asserts:
- equal:
path: spec.template.spec.imagePullSecrets[0].name
value: myRegistryKeySecretName
- matchSnapshot:
path: spec.template.spec.imagePullSecrets
- it: should provision initContainer correctly when set in values
template: proxy/deployment.yaml
values:
- ../.lint/initcontainers.yaml
- ../.lint/resources.yaml
- ../.lint/extra-env.yaml
asserts:
- contains:
path: spec.template.spec.initContainers[1].args
content: "echo test"
- equal:
path: spec.template.spec.initContainers[1].name
value: "teleport-init"
- equal:
path: spec.template.spec.initContainers[1].image
value: "alpine"
- equal:
path: spec.template.spec.initContainers[1].resources.limits.cpu
value: 2
- equal:
path: spec.template.spec.initContainers[1].resources.limits.memory
value: 4Gi
- equal:
path: spec.template.spec.initContainers[1].resources.requests.cpu
value: 1
- equal:
path: spec.template.spec.initContainers[1].resources.requests.memory
value: 2Gi
- contains:
path: spec.template.spec.initContainers[2].args
content: "echo test2"
- equal:
path: spec.template.spec.initContainers[2].name
value: "teleport-init2"
- equal:
path: spec.template.spec.initContainers[2].image
value: "alpine"
- equal:
path: spec.template.spec.initContainers[2].resources.limits.cpu
value: 2
- equal:
path: spec.template.spec.initContainers[2].resources.limits.memory
value: 4Gi
- equal:
path: spec.template.spec.initContainers[2].resources.requests.cpu
value: 1
- equal:
path: spec.template.spec.initContainers[2].resources.requests.memory
value: 2Gi
- matchSnapshot:
path: spec.template.spec.initContainers
- it: should add insecureSkipProxyTLSVerify to args when set in values
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
insecureSkipProxyTLSVerify: true
asserts:
- contains:
path: spec.template.spec.containers[0].args
content: "--insecure"
- it: should expose diag port
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
asserts:
- contains:
path: spec.template.spec.containers[0].ports
content:
name: diag
containerPort: 3000
protocol: TCP
- it: should expose tls port
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
asserts:
- contains:
path: spec.template.spec.containers[0].ports
content:
name: tls
containerPort: 3080
protocol: TCP
- it: should expose tls port when proxyListenerMode is multiplex
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
proxyListenerMode: multiplex
asserts:
- contains:
path: spec.template.spec.containers[0].ports
content:
name: tls
containerPort: 3080
protocol: TCP
- it: should not expose proxy peering port by default
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
asserts:
- notContains:
path: spec.template.spec.containers[0].ports
content:
name: proxypeering
containerPort: 3021
protocol: TCP
- it: should expose proxy peering port when enterprise is true
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
enterprise: true
asserts:
- contains:
path: spec.template.spec.containers[0].ports
content:
name: proxypeering
containerPort: 3021
protocol: TCP
- it: should expose sshproxy port by default
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
asserts:
- contains:
path: spec.template.spec.containers[0].ports
content:
name: sshproxy
containerPort: 3023
protocol: TCP
- it: should not expose sshproxy port when proxyListenerMode is multiplex
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
proxyListenerMode: multiplex
asserts:
- notContains:
path: spec.template.spec.containers[0].ports
content:
name: sshproxy
containerPort: 3023
protocol: TCP
- it: should expose sshtun port by default
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
asserts:
- contains:
path: spec.template.spec.containers[0].ports
content:
name: sshtun
containerPort: 3024
protocol: TCP
- it: should not expose sshtun port when proxyListenerMode is multiplex
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
proxyListenerMode: multiplex
asserts:
- notContains:
path: spec.template.spec.containers[0].ports
content:
name: sshtun
containerPort: 3024
protocol: TCP
- it: should expose k8s port by default
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
asserts:
- contains:
path: spec.template.spec.containers[0].ports
content:
name: kube
containerPort: 3026
protocol: TCP
- it: should not expose k8s port when proxyListenerMode is multiplex
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
proxyListenerMode: multiplex
asserts:
- notContains:
path: spec.template.spec.containers[0].ports
content:
name: kube
containerPort: 3026
protocol: TCP
- it: should expose mysql port by default
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
asserts:
- contains:
path: spec.template.spec.containers[0].ports
content:
name: mysql
containerPort: 3036
protocol: TCP
- it: should not expose mysql port when proxyListenerMode is multiplex
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
proxyListenerMode: multiplex
asserts:
- notContains:
path: spec.template.spec.containers[0].ports
content:
name: mysql
containerPort: 3036
protocol: TCP
- it: should expose postgres port when separate postgres listener is enabled
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
separatePostgresListener: true
asserts:
- contains:
path: spec.template.spec.containers[0].ports
content:
name: postgres
containerPort: 5432
protocol: TCP
- it: should not expose postgres port when proxyListenerMode is multiplex and separate postgres listener is enabled
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
proxyListenerMode: multiplex
separatePostgresListener: true
asserts:
- notContains:
path: spec.template.spec.containers[0].ports
content:
name: postgres
containerPort: 5432
protocol: TCP
- it: should expose mongo port when separate mongo listener is enabled
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
separateMongoListener: true
asserts:
- contains:
path: spec.template.spec.containers[0].ports
content:
name: mongo
containerPort: 27017
protocol: TCP
- it: should not expose mongo port when when proxyListenerMode is multiplex and separate mongo listener is enabled
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
proxyListenerMode: multiplex
separateMongoListener: true
asserts:
- notContains:
path: spec.template.spec.containers[0].ports
content:
name: mongo
containerPort: 27017
protocol: TCP
- it: should set postStart command if set in values
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
postStart:
command: ["/bin/echo", "test"]
asserts:
- equal:
path: spec.template.spec.containers[0].lifecycle.postStart.exec.command
value: ["/bin/echo", "test"]
- it: should add and mount emptyDir for data
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
asserts:
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /var/lib/teleport
name: data
- contains:
path: spec.template.spec.volumes
content:
name: data
emptyDir: {}
- it: should set priorityClassName when set in values
template: proxy/deployment.yaml
values:
- ../.lint/priority-class-name.yaml
asserts:
- equal:
path: spec.template.spec.priorityClassName
value: system-cluster-critical
- it: should set probeTimeoutSeconds when set in values
template: proxy/deployment.yaml
values:
- ../.lint/probe-timeout-seconds.yaml
asserts:
- equal:
path: spec.template.spec.containers[0].livenessProbe.timeoutSeconds
value: 5
- equal:
path: spec.template.spec.containers[0].readinessProbe.timeoutSeconds
value: 5
- it: should not mount TLS secrets when when highAvailability.certManager.enabled is false and tls.existingSecretName is not set
template: proxy/deployment.yaml
set:
clusterName: helm-lint-test-cluster
asserts:
- notContains:
path: spec.template.spec.volumes
content:
name: teleport-tls
secret:
secretName: teleport-tls
- notContains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /etc/teleport-tls
name: teleport-tls
readOnly: true
- it: should mount cert-manager TLS secret when highAvailability.certManager.enabled is true
template: proxy/deployment.yaml
values:
- ../.lint/cert-manager.yaml
asserts:
- contains:
path: spec.template.spec.volumes
content:
name: teleport-tls
secret:
secretName: teleport-tls
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /etc/teleport-tls
name: teleport-tls
readOnly: true
- it: should mount tls.existingSecretName when set in values
template: proxy/deployment.yaml
values:
- ../.lint/existing-tls-secret.yaml
asserts:
- contains:
path: spec.template.spec.volumes
content:
name: teleport-tls
secret:
secretName: helm-lint-existing-tls-secret
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /etc/teleport-tls
name: teleport-tls
readOnly: true
- it: should mount tls.existingCASecretName and set environment when set in values
template: proxy/deployment.yaml
values:
- ../.lint/existing-tls-secret-with-ca.yaml
asserts:
- contains:
path: spec.template.spec.volumes
content:
name: teleport-tls-ca
secret:
secretName: helm-lint-existing-tls-secret-ca
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /etc/teleport-tls-ca
name: teleport-tls-ca
readOnly: true
- contains:
path: spec.template.spec.containers[0].env
content:
name: SSL_CERT_FILE
value: /etc/teleport-tls-ca/ca.pem
- it: should mount tls.existingCASecretName and set extra environment when set in values
template: proxy/deployment.yaml
values:
- ../.lint/existing-tls-secret-with-ca.yaml
- ../.lint/extra-env.yaml
asserts:
- contains:
path: spec.template.spec.volumes
content:
name: teleport-tls-ca
secret:
secretName: helm-lint-existing-tls-secret-ca
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /etc/teleport-tls-ca
name: teleport-tls-ca
readOnly: true
- contains:
path: spec.template.spec.containers[0].env
content:
name: SSL_CERT_FILE
value: /etc/teleport-tls-ca/ca.pem
- contains:
path: spec.template.spec.containers[0].env
content:
name: SOME_ENVIRONMENT_VARIABLE
value: some-value
- it: should set minReadySeconds when replicaCount > 1
template: proxy/deployment.yaml
set:
clusterName: helm-lint
highAvailability:
certManager:
enabled: true
replicaCount: 3
minReadySeconds: 60
asserts:
- equal:
path: spec.minReadySeconds
value: 60
- it: should not set minReadySeconds when replicaCount = 1
template: proxy/deployment.yaml
set:
chartMode: scratch
highAvailability:
minReadySeconds: 60
replicaCount: 1
asserts:
- equal:
path: spec.minReadySeconds
value: null
- it: should set nodeSelector when set in values
template: proxy/deployment.yaml
set:
chartMode: scratch
clusterName: helm-lint.example.com
nodeSelector:
role: bastion
environment: security
asserts:
- isNotNull:
path: spec.template.spec.nodeSelector
- matchSnapshot:
path: spec.template.spec
- it: mounts regular tokens on older Kubernetes versions
template: proxy/deployment.yaml
set:
clusterName: helm-lint
capabilities:
majorVersion: 1
minorVersion: 18
asserts:
- notEqual:
path: spec.template.spec.automountServiceAccountToken
value: false
- notContains:
path: spec.template.spec.volumes
content:
name: proxy-serviceaccount-token
projected:
sources:
- serviceAccountToken:
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- path: "namespace"
fieldRef:
fieldPath: metadata.namespace
- notContains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: proxy-serviceaccount-token
readOnly: true
- it: mounts tokens through projected volumes on newer Kubernetes versions
template: proxy/deployment.yaml
set:
clusterName: helm-lint
capabilities:
majorVersion: 1
minorVersion: 21
asserts:
- equal:
path: spec.template.spec.automountServiceAccountToken
value: false
- contains:
path: spec.template.spec.volumes
content:
name: proxy-serviceaccount-token
projected:
sources:
- serviceAccountToken:
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- path: "namespace"
fieldRef:
fieldPath: metadata.namespace
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: proxy-serviceaccount-token
readOnly: true


@ -1,673 +0,0 @@
##################################################
# Values that must always be provided by the user.
##################################################
# `clusterName` controls the name used to refer to the Teleport cluster, along with
# the externally-facing public address to use to access it. In most setups this must
# be a fully-qualified domain name (e.g. `teleport.example.com`) as this value is
# used as the cluster's public address by default.
#
# Note: When using a fully qualified domain name as your `clusterName`, you will also
# need to configure the DNS provider for this domain to point to the external
# load balancer address of your Teleport cluster.
#
# Warning: The clusterName cannot be changed during a Teleport cluster's lifespan.
# If you need to change it, you must redeploy a completely new cluster.
clusterName: "teleport.ervine.cloud"
# Name for this kubernetes cluster to be used by teleport users.
kubeClusterName: "homeK8s"
##################################################
# Values that you may need to change.
##################################################
# Version of teleport image, if different from chart version in Chart.yaml.
# DANGER: `teleportVersionOverride` MUST NOT be used to control the Teleport version.
# This chart is designed to run a specific teleport version (see Chart.yaml).
# You will face compatibility issues trying to run a different Teleport version with it.
#
# If you want to run Teleport version X, you should use `helm --version X` instead.
teleportVersionOverride: ""
# The `proxyProtocol` value controls whether the Proxy pods will
# accept PROXY lines with the client's IP address when they are
# behind a L4 load balancer (e.g. AWS ELB, GCP L4 LB, etc) with PROXY protocol
# enabled. Since L4 LBs do not preserve the client's IP address, PROXY protocol is
# required to ensure that Teleport can properly audit the client's IP address.
#
# When Teleport pods are not behind a L4 LB with PROXY protocol enabled, this
# value should be set to "off" to prevent Teleport from accepting PROXY headers
# from untrusted sources.
# Possible values are "on" and "off".
# - "on" will enable the PROXY protocol for all connections and will require the
# L4 LB to send a PROXY header.
# - "off" will disable the PROXY protocol for all connections and denies all
# connections prefixed with a PROXY header.
#
# If proxyProtocol is unspecified, Teleport does not require PROXY header for the
# connection, but will accept it if present. This mode is considered insecure
# and should only be used for testing purposes.
#
# See https://goteleport.com/docs/ver/14.x/management/security/proxy-protocol/
# for more information.
#
# proxyProtocol: on
# The `teleport-cluster` charts deploys two sets of pods: auth and proxy.
# `auth` contains values specific for the auth pods. You can use it to
# set specific values for auth pods, taking precedence over chart-scoped values.
# For example, to override the [`postStart`](#postStart) value only for auth pods:
#
# auth:
# postStart: ["curl", "http://hook"]
# imagePullPolicy: Always
auth:
# auth.teleportConfig contains YAML teleport configuration for auth pods
# The configuration will be merged with the chart-generated configuration
# and will take precedence in case of conflict.
#
# See the Teleport Configuration Reference for the list of supported fields:
# https://goteleport.com/docs/reference/config/
#
# teleportConfig:
# teleport:
# cache:
# enabled: false
# auth_service:
# client_idle_timeout: 2h
# client_idle_timeout_message: "Connection closed after 2hours without activity"
teleportConfig: {}
# proxy contains values specific for the proxy pods
# You can override chart-scoped values, for example
# proxy:
# postStart: ["curl", "http://hook"]
# imagePullPolicy: Always
proxy:
# proxy.teleportConfig contains YAML teleport configuration for proxy pods
# The configuration will be merged with the chart-generated configuration
# and will take precedence in case of conflict
#
# See the Teleport Configuration Reference for the list of supported fields:
# https://goteleport.com/docs/reference/config/
#
# teleportConfig:
# teleport:
# cache:
# enabled: false
# proxy_service:
# https_keypairs:
# - key_file: /my-custom-mount/key.pem
# cert_file: /my-custom-mount/cert.pem
teleportConfig: {}
authentication:
# Default authentication type. Possible values are 'local' and 'github' for OSS, plus 'oidc' and 'saml' for Enterprise.
type: local
# Sets the authenticator connector for SSO or the default connector for "local" authentication.
# See SSO for Enterprise (https://goteleport.com/docs/enterprise/sso/).
# See Passwordless for local
# (http://goteleport.com/docs/access-controls/guides/passwordless/#optional-enable-passwordless-by-default).
# Defaults to "local".
connectorName: ""
# Enable/disable local authentication by setting `authentication.local_auth` in `teleport.yaml`.
# Disabling local auth is required for FedRAMP / FIPS; see https://gravitational.com/teleport/docs/enterprise/ssh-kubernetes-fedramp/.
localAuth: true
# Controls the locking mode: in case of network split should Teleport guarantee availability or integrity ?
# Possible values are "best_effort" and "strict". When not defined, Teleport defaults to "best_effort".
# See https://goteleport.com/docs/access-controls/guides/locking/#next-steps-locking-modes.
lockingMode: ""
# Second factor requirements for users of the Teleport cluster.
# Controls the `auth_config.authentication.second_factor` field in `teleport.yaml`.
# Possible values are 'off', 'on', 'otp', 'optional' and 'webauthn'.
#
# WARNING:
# If you set `publicAddr` for users to access the cluster under a domain different
# to clusterName you must manually set the webauthn Relying
# Party Identifier (RP ID) - https://www.w3.org/TR/webauthn-2/#relying-party-identifier
# If you don't, RP ID will default to `clusterName` and users will fail
# to register second factors.
#
# You can do this by setting the value
# `auth.teleportConfig.auth_service.authentication.webauthn.rp_id`.
#
# RP ID must be both a valid domain, and part of the full domain users are connecting to.
# For example, if users are accessing the cluster with the domain
# "teleport.example.com", RP ID can be "teleport.example.com" or "example.com".
#
# Changing the RP ID will invalidate all already registered webauthn second factors.
secondFactor: "on"
# (Optional) When using webauthn this allows to restrict which vendor and key models can be used.
# webauthn:
# attestationAllowedCas:
# - /path/to/allowed_ca.pem
# - |
# -----BEGIN CERTIFICATE-----
# ...
# -----END CERTIFICATE-----
# attestationDeniedCas:
# - /path/to/denied_ca.pem
# - |
# -----BEGIN CERTIFICATE-----
# ...
# -----END CERTIFICATE-----
# Deprecated way to set the authentication type, `authentication.type` should be preferred.
# authenticationType: local
# Deprecated way to set the authentication second factor, `authentication.secondFactor` should be preferred.
# authenticationSecondFactor:
# secondFactor: "otp"
# Teleport supports TLS routing. In this mode, all client connections are wrapped in TLS and multiplexed on one Teleport proxy port.
# Default mode will not utilize TLS routing and operate in backwards-compatibility mode.
#
# To use an ingress, set proxyListenerMode=multiplex, ingress.enabled=true and service.type=ClusterIP
#
# Possible values are 'separate' and 'multiplex'
proxyListenerMode: "multiplex"
# Optional setting for configuring session recording.
# See `session_recording` under https://goteleport.com/docs/setup/reference/config/#teleportyaml
sessionRecording: ""
# By default, Teleport will multiplex Postgres and MongoDB database connections on the same port as the proxy's web listener (443)
# Setting either of these values to true will separate the listeners out onto a separate port (5432 for Postgres, 27017 for MongoDB)
# This is useful when terminating TLS at a load balancer in front of Teleport (such as when using AWS ACM)
# These settings will not apply if proxyListenerMode is set to "multiplex".
separatePostgresListener: false
separateMongoListener: false
# Do not set any of these values unless you explicitly need to. Teleport always uses the cluster name by default.
#
# WARNING:
# If you set `publicAddr` for users to access the cluster under a domain different
# to clusterName, you must manually set the webauthn Relying
# Party Identifier (RP ID) - https://www.w3.org/TR/webauthn-2/#relying-party-identifier
# If you don't, RP ID will default to `clusterName` and users will fail
# to register second factors.
#
# You can do this by setting the value
# `auth.teleportConfig.auth_service.authentication.webauthn.rp_id`.
#
# RP ID must be both a valid domain, and part of the full domain users are connecting to.
# For example, if users are accessing the cluster with the domain
# "teleport.example.com", RP ID can be "teleport.example.com" or "example.com".
#
# Changing the RP ID will invalidate all already registered webauthn second factors.
#
# Public cluster addresses, including port (e.g. teleport.example.com:443)
# Defaults to `clusterName` on port 443.
publicAddr: []
# Public cluster kube addresses, including port. Defaults to `publicAddr` on port 3026.
# Only used when `proxyListenerMode` is not 'multiplex'.
kubePublicAddr: []
# Public cluster mongo listener addresses, including port. Defaults to `publicAddr` on port 27017.
# Only used when `proxyListenerMode` is not 'multiplex' and `separateMongoListener` is true.
mongoPublicAddr: []
# Public cluster MySQL addresses, including port. Defaults to `publicAddr` on port 3036.
# Only used when `proxyListenerMode` is not 'multiplex'.
mysqlPublicAddr: []
# Public cluster postgres listener addresses, including port. Defaults to `publicAddr` on port 5432.
# Only used when `proxyListenerMode` is not 'multiplex' and `separatePostgresListener` is true.
postgresPublicAddr: []
# Public cluster SSH addresses, including port. Defaults to `publicAddr` on port 3023.
# Only used when `proxyListenerMode` is not 'multiplex'.
sshPublicAddr: []
# Public cluster tunnel SSH addresses, including port. Defaults to `publicAddr` on port 3024.
# Only used when `proxyListenerMode` is not 'multiplex'.
tunnelPublicAddr: []
# ACME is a protocol for getting Web X.509 certificates
# Note: ACME can only be used for single-instance clusters. It is not suitable for use in HA configurations.
# For HA configurations, see either the "highAvailability.certManager" or "tls" values.
# Setting acme to 'true' enables the ACME protocol and will attempt to get a free TLS certificate from Let's Encrypt.
# Setting acme to 'false' (the default) will cause Teleport to generate and use self-signed certificates for its web UI.
# This section is mutually exclusive with the "tls" value below.
acme: false
# acmeEmail is the email address to provide during certificate registration (this is a Let's Encrypt requirement)
acmeEmail: ""
# acmeURI is the ACME server to use for getting certificates. The default is to use Let's Encrypt's production server.
acmeURI: ""
# Set enterprise to true to use enterprise image
# You will need to download your Enterprise license from the Teleport dashboard and create a secret to use this:
# kubectl -n ${TELEPORT_NAMESPACE?} create secret generic license --from-file=/path/to/downloaded/license.pem
enterprise: false
# CRDs are installed by default when the operator is enabled. This manual override allows to disable CRD installation
# when deploying multiple releases in the same cluster.
# installCRDs:
# Configuration of the optional Teleport operator
operator:
# Set enabled to true to add the Kubernetes Teleport Operator
enabled: true
# Kubernetes Teleport Operator image
image: public.ecr.aws/gravitational/teleport-operator
# Resources to request for the operator container
# https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
resources: {}
# requests:
# cpu: "0.5"
# memory: "1Gi"
# limits:
# memory: "1Gi"
# If true, create & use Pod Security Policy resources
# https://kubernetes.io/docs/concepts/policy/pod-security-policy/
# WARNING: the PSP won't be deployed for Kubernetes 1.23 and higher.
# Please read https://goteleport.com/docs/deploy-a-cluster/helm-deployments/migration-kubernetes-1-25-psp/
podSecurityPolicy:
enabled: false
# Labels is a map of key-value pairs about this cluster
labels: {}
# Mode to deploy the chart in. The default is "standalone". Options:
# - "standalone": will deploy a Teleport container running auth and proxy services with a PersistentVolumeClaim for storage.
# - "aws": will deploy Teleport using DynamoDB for backend/audit log storage and S3 for session recordings. (1)
# - "gcp": will deploy Teleport using Firestore for backend/audit log storage and Google Cloud storage for session recordings. (2)
# - "azure": will deploy Teleport using Azure Database for PostgreSQL for backend/audit and Azure Blob Storage for session recordings. (3)
# - "scratch": will deploy Teleport containers but will not provide default configuration file. You must pass your own configuration. (4)
# (1) To use "aws" mode, you must also configure the "aws" section below.
# (2) To use "gcp" mode, you must also configure the "gcp" section below.
# (3) To use "azure" mode, you must also configure the "azure" section below.
# (4) When set to "scratch", you must write the teleport configuration in auth.teleportConfig and proxy.teleportConfig.
# `scratch` usage is strongly discouraged, this is a last resort option and
# everything should be doable with `standalone` mode + overrides through
# `auth.teleportConfig` and `proxy.teleportConfig`.
chartMode: standalone
# validateConfigOnDeploy enables a Kubernetes job before install and upgrade that will verify
# if the teleport.yaml configuration is valid and will block the deployment if it is not
validateConfigOnDeploy: true
# Whether the chart should create a Teleport ProvisionToken for the proxies to join the Teleport cluster.
# Disabling this flag will cause the proxies not to be able to join the auth pods. In this case, the
# Helm chart user is responsible for configuring working join_params on the proxy.
createProxyToken: true
# podMonitor controls the PodMonitor CR (from monitoring.coreos.com/v1)
# This CRD is managed by the prometheus-operator and allows workload to
# get monitored. To use this value, you need to run a `prometheus-operator`
# in the cluster for this value to take effect.
# See https://prometheus-operator.dev/docs/prologue/introduction/
podMonitor:
# Whether the chart should deploy a PodMonitor.
# Disabled by default as it requires the PodMonitor CRD to be installed.
enabled: true
# additionalLabels to put on the PodMonitor.
# This is used to be selected by a specific prometheus instance.
# Defaults to {prometheus: default} which seems to be the common default prometheus selector
additionalLabels:
prometheus: k8s
# interval is the interval between two metrics scrapes. Defaults to 30s
interval: 30s
######################################################################
# Persistence settings (only used in "standalone" and "scratch" modes)
# NOTE: Changes in Kubernetes 1.23+ mean that persistent volumes will not automatically be provisioned in AWS EKS clusters
# without additional configuration. See https://docs.aws.amazon.com/eks/latest/userguide/ebs-csi.html for more details.
# This driver addon must be configured to use persistent volumes in EKS clusters after Kubernetes 1.23.
######################################################################
persistence:
# Enable persistence using a PersistentVolumeClaim
enabled: true
# Leave blank to automatically create a PersistentVolumeClaim for Teleport storage.
# If you would like to use a pre-existing PersistentVolumeClaim, put its name here.
existingClaimName: ""
# Size of persistent volume to request when created by Teleport.
# Ignored if existingClaimName is provided.
volumeSize: 10Gi
##################################################
# AWS-specific settings (only used in "aws" mode)
##################################################
aws:
# The AWS region where the DynamoDB tables are located.
region: ""
# The DynamoDB table name to use for backend storage. Teleport will attempt to create this table automatically if it does not exist.
# The container will need an appropriately-provisioned IAM role with permissions to create DynamoDB tables.
backendTable: ""
# The DynamoDB table name to use for audit log storage. Teleport will attempt to create this table automatically if it does not exist.
# The container will need an appropriately-provisioned IAM role with permissions to create DynamoDB tables.
# This MUST NOT be the same table name as used for 'backendTable' as the schemas are different.
auditLogTable: ""
# Whether to mirror audit log entries to stdout in JSON format (useful for external log collectors)
auditLogMirrorOnStdout: false
# The S3 bucket name to use for recorded session storage. Teleport will attempt to create this bucket automatically if it does not exist.
# The container will need an appropriately-provisioned IAM role with permissions to create S3 buckets.
sessionRecordingBucket: ""
# Whether or not to turn on DynamoDB backups
backups: false
# Whether Teleport should configure DynamoDB's autoscaling.
# Requires additional statements in the IAM Teleport Policy to be allowed to configure the autoscaling.
# See https://goteleport.com/docs/setup/reference/backends/#dynamodb-autoscaling
dynamoAutoScaling: false
# DynamoDB autoscaling settings. Required if `dynamoAutoScaling` is `true`.
# See https://goteleport.com/docs/setup/reference/backends/#dynamodb-autoscaling
readMinCapacity: null # Integer
readMaxCapacity: null # Integer
readTargetValue: null # Float
writeMinCapacity: null # Integer
writeMaxCapacity: null # Integer
writeTargetValue: null # Float
##################################################
# GCP-specific settings (only used in "gcp" mode)
##################################################
gcp:
# The project name being used for the GCP account where Teleport is running.
# See https://support.google.com/googleapi/answer/7014113?hl=en
projectId: ""
# The Firestore collection to use for backend storage. Teleport will attempt to create this collection automatically if it does not exist.
# Either of the following must be true:
# - The container will need an appropriately-provisioned IAM role/service account with permissions to create Firestore collections
# - The service account credentials provided via 'credentialSecretName' will need permissions to create Firestore collections.
backendTable: ""
# The Firestore collection to use for audit log storage. Teleport will attempt to create this collection automatically if it does not exist.
# Either of the following must be true:
# - The container will need an appropriately-provisioned IAM role/service account with permissions to create Firestore collections
# - The service account credentials provided via 'credentialSecretName' will need permissions to create Firestore collections.
# This MUST NOT be the same collection name as used for 'backendTable' as the schemas are different.
auditLogTable: ""
# Whether to mirror audit log entries to stdout in JSON format (useful for external log collectors)
auditLogMirrorOnStdout: false
# The Google storage bucket name to use for recorded session storage. This bucket must already exist in the Google account being used.
sessionRecordingBucket: ""
# The name of the Kubernetes secret used to store the Google credentials.
# You will need to create this secret manually. It must contain a JSON file from Google with the credentials that Teleport will use.
# You can override this to a blank value if the worker node running Teleport already has a service account which grants access.
credentialSecretName: teleport-gcp-credentials
#####################################################
# Azure-specific settings (only used in "azure" mode)
#####################################################
azure:
# The fully qualified hostname of the Postgres database cluster hosted in Azure.
# It should follow the format "<database name>.postgres.database.azure.com".
databaseHost: ""
# The Postgres user Teleport must use to connect to the backend and audit
# databases.
databaseUser: ""
# The Postgres database to use for backend storage.
backendDatabase: "teleport_backend"
# The Postgres database to use for audit log storage.
# This MUST NOT be the same database as used for 'backendDatabase'.
auditLogDatabase: "teleport_audit"
# Whether to mirror audit log entries to stdout in JSON format (useful for external log collectors)
auditLogMirrorOnStdout: false
# The fully qualified domain name of the Azure Blob Storage account to use for
# recorded session storage. This account must already exist.
# It should follow the format "<storage account>.blob.core.windows.net"
sessionRecordingStorageAccount: ""
# Azure client ID is used by the Kubernetes Service Account to know which
# Application it should impersonate. This can be unset only if the clientID is
# passed through other means (e.g. environment variable)
clientID: ""
# Controls the `pool_max_conns` setting passed to PostgreSQL. This is the
# max amount of connections Teleport can open to the database. This can affect
# performance on large clusters and depends on various factors like the
# database size, the number of CPU cores available for Teleport, GOMAXPROCS
# and the database latency.
# This only applies to the core backend connections, not the audit log ones.
# 0 means the parameter is not set and the client's default is used (recommended)
databasePoolMaxConnections: 0
# `highAvailability` contains settings controlling how Teleport pods are
# replicated and scheduled. This allows Teleport to run in a highly-available
# fashion: Teleport should sustain the crash/loss of a machine without interrupting
# the service.
#
# For auth pods:
# When using "standalone" or "scratch" mode, you must use highly-available storage
# (etcd, DynamoDB or Firestore) for multiple replicas to be supported.
# Manually configuring NFS-based storage or ReadWriteMany volume claims
# is NOT supported and will result in errors. Using Teleport's built-in
# ACME client (as opposed to using cert-manager or passing certs through a secret)
# is not supported with multiple replicas.
# For proxy pods:
# Proxy pods need to be provided a certificate to be replicated (either via
# `tls.existingSecretName` or via `highAvailability.certManager`).
# If proxy pods are replicable, they will default to 2 replicas,
# even if `highAvailability.replicaCount` is 1. To force a single proxy replica,
# set `proxy.highAvailability.replicaCount: 1`.
highAvailability:
# Controls the amount of pod replicas. The `highAvailability` comment describes
# the replication requirements.
#
# WARNING: You **must** meet the replication criteria,
# else the deployment will result in errors and inconsistent data.
replicaCount: 1
# Setting 'requireAntiAffinity' to true will use 'requiredDuringSchedulingIgnoredDuringExecution' to require that multiple Teleport pods must not be scheduled on the
# same physical host. This will result in Teleport pods failing to be scheduled in very small clusters or during node downtime, so should be used with caution.
# Setting 'requireAntiAffinity' to false (the default) uses 'preferredDuringSchedulingIgnoredDuringExecution' to make this a soft requirement.
# This setting only has any effect when replicaCount is greater than 1.
requireAntiAffinity: false
# If enabled will create a Pod Disruption Budget
# https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
podDisruptionBudget:
enabled: false
minAvailable: 1
# Settings for cert-manager (can be used for provisioning TLS certs in HA mode)
# These settings are mutually exclusive with the "tls" value below.
certManager:
# If set to true, use cert-manager to get certificates for Teleport to use for TLS termination
enabled: true
# If set to true, a common name matching the cluster name will be set in the certificate signing request. This is mandatory for some CAs.
addCommonName: false
# If set to true, any additional public addresses configured under the `publicAddr` chart value will be added to the certificate signing request.
# This setting is not enabled by default to preserve backward compatibility.
addPublicAddrs: false
# Name of the Issuer/ClusterIssuer to use for certs
# NOTE: You will always need to create this yourself when certManager.enabled is true.
issuerName: "letsencrypt-prod"
# Kind of Issuer that cert-manager should look for.
# This defaults to 'Issuer' to keep everything contained within the teleport namespace.
issuerKind: ClusterIssuer
# Group of Issuer that cert-manager should look for.
# This defaults to 'cert-manager.io' which is the default Issuer group.
issuerGroup: cert-manager.io
# Injects delay when performing pod rollouts to mitigate the loss of all agent tunnels at the same time
# See https://github.com/gravitational/teleport/issues/13129
minReadySeconds: 15
# Settings for mounting your own TLS keypair to secure Teleport's web UI.
# These settings are mutually exclusive with the "highAvailability.certManager" and "acme" values above.
tls:
# Name of an existing secret to use which contains a TLS keypair. Will automatically set the https_keypairs section in teleport.yaml.
# Create the secret in the same namespace as Teleport using `kubectl create secret tls my-tls-secret --cert=/path/to/cert/file --key=/path/to/key/file`
# See https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets for more information.
existingSecretName: ""
# (optional) Name of an existing secret to use which contains a CA or trust bundle in x509 PEM format.
# Useful for building trust when using intermediate certificate authorities.
# This will automatically set the SSL_CERT_FILE environment variable to trust the CA.
# Create the secret with `kubectl create secret generic --from-file=ca.pem=/path/to/root-ca.pem
# The filename inside the secret is important - it _must_ be ca.pem
existingCASecretName: ""
##################################################
# Values that you shouldn't need to change.
##################################################
# Container image for the cluster.
# Since version 13, hardened distroless images are used by default.
# You can use the deprecated debian-based images by setting the value to
# `public.ecr.aws/gravitational/teleport`. Those images will be
# removed with teleport 14.
image: public.ecr.aws/gravitational/teleport-distroless
# Enterprise version of the image
# Since version 13, hardened distroless images are used by default.
# You can use the deprecated debian-based images by setting the value to
# `public.ecr.aws/gravitational/teleport-ent`. Those images will be
# removed with teleport 14.
enterpriseImage: public.ecr.aws/gravitational/teleport-ent-distroless
# Optional array of imagePullSecrets, to use when pulling from a private registry
imagePullSecrets: []
# Teleport logging configuration
log:
# Log level for the Teleport process.
# Available log levels are: DEBUG, INFO, WARNING, ERROR.
# The default is INFO, which is recommended in production.
# DEBUG is useful during first-time setup or to see more detailed logs for debugging.
level: INFO
# Log output
# Use a file path to log to disk: e.g. '/var/lib/teleport/teleport.log'
# Other supported values: 'stdout', 'stderr' and 'syslog'
output: stderr
# Log format configuration
# Possible output values are 'json' and 'text' (default).
format: text
# Possible extra_fields values include: timestamp, component, caller, and level.
# All extra fields are included by default.
extraFields: ["timestamp", "level", "component", "caller"]
##################################
# Extra Kubernetes configuration #
##################################
# nodeSelector to apply for pod assignment
# https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
nodeSelector: {}
# Affinity for pod assignment
# https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
# NOTE: If affinity is set here, highAvailability.requireAntiAffinity cannot also be used - you can only set one or the other.
affinity: {}
# Kubernetes annotations to apply
# https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
annotations:
# Annotations for the ConfigMap
config: {}
# Annotations for the Deployment
deployment: {}
# Annotations for each Pod in the Deployment
pod: {}
# Annotations for the Service object
service: {}
# Annotations for the ServiceAccount object
serviceAccount: {}
# Annotations for the certificate secret generated by cert-manager v1.5+ when
# highAvailability.certManager.enabled is true
certSecret: {}
# Annotations for the Ingress object
ingress:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/backend-protocol: HTTPS
nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
nginx.ingress.kubernetes.io/affinity: "cookie"
nginx.ingress.kubernetes.io/session-cookie-name: "http-cookie"
nginx.ingress.kubernetes.io/session-cookie-expires: "172800"
nginx.ingress.kubernetes.io/session-cookie-max-age: "172800"
# Kubernetes service account to create/use.
serviceAccount:
# Specifies whether a ServiceAccount should be created
create: true
# The name of the ServiceAccount to use.
# If not set and serviceAccount.create is true, the name is generated using the release name.
# If create is false, the name will be used to reference an existing service account.
name: ""
# To set annotations on the service account, use the annotations.serviceAccount value.
# Set to true (default) to create Kubernetes ClusterRole and ClusterRoleBinding.
rbac:
# Specifies whether a ClusterRole and ClusterRoleBinding should be created.
# Set to false if your cluster level resources are managed separately.
create: true
# Options for the Teleport proxy service
# This setting only applies to the proxy service. The teleport auth service is internal-only and always uses a ClusterIP.
# You can override the proxy's backend service to any service type (other than "LoadBalancer") here if really needed.
# To use an Ingress, set service.type=ClusterIP and ingress.enabled=true
service:
type: ClusterIP
# Additional entries here will be added to the service spec.
spec: {}
# loadBalancerIP: "1.2.3.4"
# Options for ingress
# If you set ingress.enabled to true, service.type MUST also be set to something other than "LoadBalancer" to prevent
# additional unnecessary load balancers from being created. Ingress controllers should provision their own load balancer.
# Using an Ingress also requires that you use the `tsh` client to connect to Kubernetes clusters and databases behind Teleport.
# See https://goteleport.com/docs/architecture/tls-routing/#working-with-layer-7-load-balancers-or-reverse-proxies-preview for details.
ingress:
enabled: true
# Setting suppressAutomaticWildcards to true will not automatically add *.<clusterName> as a hostname served
# by the Ingress. This may be desirable if you don't use Teleport Application Access.
suppressAutomaticWildcards: false
# Additional entries here will be added to the ingress spec.
spec: {}
# ingressClassName: nginx
# Extra arguments to pass to 'teleport start' for the main Teleport pod
extraArgs: []
# Extra environment to be configured on the Teleport pod
extraEnv: []
# Extra volumes to mount into the Teleport pods
# https://kubernetes.io/docs/concepts/storage/volumes/
extraVolumes: []
# - name: myvolume
# secret:
# secretName: testSecret
# Extra volume mounts corresponding to the volumes mounted above
extraVolumeMounts: []
# - name: myvolume
# mountPath: /path/on/host
# Allow the imagePullPolicy to be overridden
imagePullPolicy: IfNotPresent
# A list of initContainers to run before each Teleport pod starts
# https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
initContainers: []
# - name: "teleport-init"
# image: "alpine"
# args: ["echo test"]
# If set, will run the command as a postStart handler
# https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/
postStart:
command: []
# Resources to request for the teleport container
# https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
resources: {}
# requests:
# cpu: "1"
# memory: "2Gi"
# Security context to add to the container
securityContext: {}
# runAsUser: 99
# Priority class name to add to the deployment
priorityClassName: ""
# Tolerations for pod assignment
# https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tolerations: []
# Timeouts for the readiness and liveness probes
# https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
probeTimeoutSeconds: 1
# Kubernetes termination grace period
# https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution
#
# This should be greater than 30 seconds as pods are waiting 30 seconds in a preStop hook.
terminationGracePeriodSeconds: 60

@ -1,966 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema",
"type": "object",
"required": [
"clusterName",
"authentication",
"enterprise",
"operator",
"podSecurityPolicy",
"labels",
"chartMode",
"validateConfigOnDeploy",
"highAvailability",
"podMonitor",
"tls",
"image",
"enterpriseImage",
"log",
"affinity",
"nodeSelector",
"annotations",
"extraVolumes",
"extraVolumeMounts",
"imagePullPolicy",
"initContainers",
"resources",
"tolerations",
"probeTimeoutSeconds"
],
"properties": {
"clusterName": {
"$id": "#/properties/clusterName",
"type": "string",
"default": ""
},
"proxyProtocol": {
"$id": "#/properties/proxyProtocol",
"type": "string",
"default": "",
"enum": [
"off",
"on"
]
},
"auth": {
"$id": "#/properties/auth",
"type": "object"
},
"proxy": {
"$id": "#/properties/proxy",
"type": "object"
},
"createProxyToken": {
"$id": "#/properties/createProxyToken",
"type": "boolean",
"default": true
},
"podMonitor": {
"$id": "#/properties/podMonitor",
"type": "object",
"required": [
"enabled"
],
"properties": {
"enabled": {
"$id": "#/properties/podMonitor/enabled",
"type": "boolean",
"default": false
},
"additionalLabels": {
"$id": "#/properties/podMonitor/additionalLabels",
"type": "object",
"default": {
"prometheus": "default"
},
"additionalProperties": {
"type": "string"
}
},
"interval": {
"$id": "#/properties/podMonitor/interval",
"type": "string",
"default": "30s"
}
}
},
"authentication": {
"$id": "#/properties/authentication",
"type": "object",
"required": [
"type",
"localAuth"
],
"properties": {
"type": {
"$id": "#/properties/authentication/properties/type",
"type": "string",
"default": "local"
},
"connectorName": {
"$id": "#/properties/authentication/properties/connectorName",
"type": "string",
"default": ""
},
"localAuth": {
"$id": "#/properties/authentication/properties/localAuth",
"type": "boolean",
"default": true
},
"lockingMode": {
"$id": "#/properties/authentication/properties/lockingMode",
"type": "string",
"default": ""
},
"secondFactor": {
"$id": "#/properties/authentication/properties/secondFactor",
"type": "string",
"enum": [
"off",
"on",
"otp",
"optional",
"webauthn"
],
"default": "otp"
},
"webauthn": {
"$id": "#/properties/authentication/properties/webauthn",
"type": "object",
"required": [],
"properties": {
"attestationAllowedCas": {
"$id": "#/properties/authentication/properties/webauthn/properties/attestationAllowedCas",
"type": "array",
"default": []
},
"attestationDeniedCas": {
"$id": "#/properties/authentication/properties/webauthn/properties/attestationDeniedCas",
"type": "array",
"default": []
}
}
}
}
},
"authenticationType": {
"$id": "#/properties/authenticationType",
"type": "string"
},
"authenticationSecondFactor": {
"$id": "#/properties/authenticationSecondFactor",
"type": "object",
"required": [],
"properties": {
"secondFactor": {
"$id": "#/properties/authenticationSecondFactor/properties/secondFactor",
"type": "string",
"enum": [
"off",
"on",
"otp",
"optional",
"webauthn"
],
"default": "otp"
},
"webauthn": {
"$id": "#/properties/authenticationSecondFactor/properties/webauthn",
"type": "object",
"required": [],
"properties": {
"attestationAllowedCas": {
"$id": "#/properties/authenticationSecondFactor/properties/webauthn/properties/attestationAllowedCas",
"type": "array",
"default": []
},
"attestationDeniedCas": {
"$id": "#/properties/authenticationSecondFactor/properties/webauthn/properties/attestationDeniedCas",
"type": "array",
"default": []
}
}
}
}
},
"proxyListenerMode": {
"$id": "#/properties/proxyListenerMode",
"type": "string",
"default": ""
},
"sessionRecording": {
"$id": "#/properties/sessionRecording",
"type": "string",
"default": ""
},
"separatePostgresListener": {
"$id": "#/properties/separatePostgresListener",
"type": "boolean",
"default": false
},
"separateMongoListener": {
"$id": "#/properties/separateMongoListener",
"type": "boolean",
"default": false
},
"publicAddr": {
"$id": "#/properties/publicAddr",
"type": "array",
"items": {
"type": "string"
},
"default": []
},
"kubePublicAddr": {
"$id": "#/properties/kubePublicAddr",
"type": "array",
"items": {
"type": "string"
},
"default": []
},
"mongoPublicAddr": {
"$id": "#/properties/mongoPublicAddr",
"type": "array",
"items": {
"type": "string"
},
"default": []
},
"mysqlPublicAddr": {
"$id": "#/properties/mysqlPublicAddr",
"type": "array",
"items": {
"type": "string"
},
"default": []
},
"postgresPublicAddr": {
"$id": "#/properties/postgresPublicAddr",
"type": "array",
"items": {
"type": "string"
},
"default": []
},
"sshPublicAddr": {
"$id": "#/properties/sshPublicAddr",
"type": "array",
"items": {
"type": "string"
},
"default": []
},
"tunnelPublicAddr": {
"$id": "#/properties/tunnelPublicAddr",
"type": "array",
"items": {
"type": "string"
},
"default": []
},
"teleportVersionOverride": {
"$id": "#/properties/teleportVersionOverride",
"type": "string",
"default": ""
},
"acme": {
"$id": "#/properties/acme",
"type": "boolean",
"default": false
},
"acmeEmail": {
"$id": "#/properties/acmeEmail",
"type": "string",
"default": ""
},
"acmeURI": {
"$id": "#/properties/acmeURI",
"type": "string",
"default": ""
},
"enterprise": {
"$id": "#/properties/enterprise",
"type": "boolean",
"default": false
},
"installCRDs": {
"$id": "#/properties/installCRDs",
"type": "boolean"
},
"operator": {
"$id": "#/properties/operator",
"type": "object",
"required": [
"enabled"
],
"properties": {
"enabled": {
"$id": "#/properties/operator/properties/enabled",
"type": "boolean",
"default": false
},
"image": {
"$id": "#/properties/operator/properties/image",
"type": "string",
"default": "public.ecr.aws/gravitational/teleport-operator"
},
"resources": {
"$id": "#/properties/operator/properties/resources",
"type": "object",
"default": {}
}
}
},
"podSecurityPolicy": {
"$id": "#/properties/podSecurityPolicy",
"type": "object",
"required": [
"enabled"
],
"properties": {
"enabled": {
"$id": "#/properties/podSecurityPolicy/properties/enabled",
"type": "boolean",
"default": true
}
}
},
"labels": {
"$id": "#/properties/labels",
"type": "object",
"default": {}
},
"chartMode": {
"$id": "#/properties/chartMode",
"type": "string",
"enum": [
"standalone",
"aws",
"azure",
"gcp",
"scratch"
],
"default": "standalone"
},
"validateConfigOnDeploy": {
"$id": "#/properties/validateConfigOnDeploy",
"type": "boolean",
"default": true
},
"standalone": {
"$id": "#/properties/standalone",
"type": "object",
"required": [
"volumeSize"
],
"properties": {
"existingClaimName": {
"$id": "#/properties/standalone/properties/existingClaimName",
"type": "string",
"default": ""
},
"volumeSize": {
"$id": "#/properties/standalone/properties/volumeSize",
"type": "string",
"default": ""
}
}
},
"persistence": {
"$id": "#/properties/persistence",
"type": "object",
"required": [
"enabled",
"volumeSize"
],
"properties": {
"enabled": {
"$id": "#/properties/persistence/properties/enabled",
"type": "boolean",
"default": "true"
},
"existingClaimName": {
"$id": "#/properties/persistence/properties/existingClaimName",
"type": "string",
"default": ""
},
"storageClassName": {
"$id": "#/properties/persistence/properties/storageClassName",
"type": "string",
"default": ""
},
"volumeSize": {
"$id": "#/properties/persistence/properties/volumeSize",
"type": "string",
"default": ""
}
}
},
"aws": {
"$id": "#/properties/aws",
"type": "object",
"properties": {
"region": {
"$id": "#/properties/aws/properties/region",
"type": "string",
"default": ""
},
"backendTable": {
"$id": "#/properties/aws/properties/backendTable",
"type": "string",
"default": ""
},
"auditLogTable": {
"$id": "#/properties/aws/properties/auditLogTable",
"type": "string",
"default": ""
},
"auditLogMirrorOnStdout": {
"$id": "#/properties/aws/properties/auditLogMirrorOnStdout",
"type": "boolean",
"default": "false"
},
"sessionRecordingBucket": {
"$id": "#/properties/aws/properties/sessionRecordingBucket",
"type": "string",
"default": ""
},
"backups": {
"$id": "#/properties/aws/properties/backups",
"type": "boolean",
"default": false
},
"dynamoAutoScaling": {
"$id": "#/properties/aws/properties/dynamoAutoScaling",
"type": "boolean",
"default": false
}
},
"if": {
"properties": {
"dynamoAutoScaling": {
"const": true
}
}
},
"then": {
"properties": {
"readMinCapacity": {
"$id": "#/properties/aws/properties/readMinCapacity",
"type": "integer"
},
"readMaxCapacity": {
"$id": "#/properties/aws/properties/readMaxCapacity",
"type": "integer"
},
"readTargetValue": {
"$id": "#/properties/aws/properties/readTargetValue",
"type": "number"
},
"writeMinCapacity": {
"$id": "#/properties/aws/properties/writeMinCapacity",
"type": "integer"
},
"writeMaxCapacity": {
"$id": "#/properties/aws/properties/writeMaxCapacity",
"type": "integer"
},
"writeTargetValue": {
"$id": "#/properties/aws/properties/writeTargetValue",
"type": "number"
}
}
},
"else": {
"properties": {
"readMinCapacity": {
"$id": "#/properties/aws/properties/readMinCapacity",
"type": "null"
},
"readMaxCapacity": {
"$id": "#/properties/aws/properties/readMaxCapacity",
"type": "null"
},
"readTargetValue": {
"$id": "#/properties/aws/properties/readTargetValue",
"type": "null"
},
"writeMinCapacity": {
"$id": "#/properties/aws/properties/writeMinCapacity",
"type": "null"
},
"writeMaxCapacity": {
"$id": "#/properties/aws/properties/writeMaxCapacity",
"type": "null"
},
"writeTargetValue": {
"$id": "#/properties/aws/properties/writeTargetValue",
"type": "null"
}
}
}
},
"azure": {
"$id": "#/properties/azure",
"type": "object",
"properties": {
"databaseHost": {
"$id": "#/properties/azure/properties/databaseHost",
"type": "string",
"default": ""
},
"databaseUser": {
"$id": "#/properties/azure/properties/databaseUser",
"type": "string",
"default": ""
},
"backendDatabase": {
"$id": "#/properties/azure/properties/backendDatabase",
"type": "string",
"default": "teleport_backend"
},
"auditLogDatabase": {
"$id": "#/properties/azure/properties/auditLogDatabase",
"type": "string",
"default": "teleport_audit"
},
"auditLogMirrorOnStdout": {
"$id": "#/properties/azure/properties/auditLogMirrorOnStdout",
"type": "boolean",
"default": false
},
"sessionRecordingStorageAccount": {
"$id": "#/properties/azure/properties/sessionRecordingStorageAccount",
"type": "string",
"default": ""
},
"clientID": {
"$id": "#/properties/azure/properties/clientID",
"type": "string",
"default": ""
},
"databasePoolMaxConnections": {
"$id": "#/properties/azure/properties/databasePoolMaxConnections",
"type": "integer",
"default": 0
}
}
},
"gcp": {
"$id": "#/properties/gcp",
"type": "object",
"properties": {
"projectId": {
"$id": "#/properties/gcp/properties/projectId",
"type": "string",
"default": ""
},
"backendTable": {
"$id": "#/properties/gcp/properties/backendTable",
"type": "string",
"default": ""
},
"auditLogTable": {
"$id": "#/properties/gcp/properties/auditLogTable",
"type": "string",
"default": ""
},
"auditLogMirrorOnStdout": {
"$id": "#/properties/aws/properties/auditLogMirrorOnStdout",
"type": "boolean",
"default": "false"
},
"sessionRecordingBucket": {
"$id": "#/properties/gcp/properties/sessionRecordingBucket",
"type": "string",
"default": ""
},
"credentialSecretName": {
"$id": "#/properties/gcp/properties/credentialSecretName",
"type": "string",
"default": "teleport-gcp-credentials"
}
}
},
"highAvailability": {
"$id": "#/properties/highAvailability",
"type": "object",
"required": [
"replicaCount",
"requireAntiAffinity",
"certManager",
"minReadySeconds",
"podDisruptionBudget"
],
"properties": {
"replicaCount": {
"$id": "#/properties/highAvailability/properties/replicaCount",
"type": "integer",
"default": 1
},
"requireAntiAffinity": {
"$id": "#/properties/highAvailability/properties/requireAntiAffinity",
"type": "boolean",
"default": false
},
"certManager": {
"$id": "#/properties/highAvailability/properties/certManager",
"type": "object",
"required": [
"enabled",
"issuerName",
"issuerKind",
"issuerGroup"
],
"properties": {
"addCommonName": {
"$id": "#/properties/highAvailability/properties/certManager/properties/addCommonName",
"type": "boolean",
"default": "false"
},
"addPublicAddrs": {
"$id": "#/properties/highAvailability/properties/certManager/properties/addPublicAddrs",
"type": "boolean",
"default": "false"
},
"enabled": {
"$id": "#/properties/highAvailability/properties/certManager/properties/enabled",
"type": "boolean",
"default": "false"
},
"issuerName": {
"$id": "#/properties/highAvailability/properties/certManager/properties/issuerName",
"type": "string",
"default": ""
},
"issuerKind": {
"$id": "#/properties/highAvailability/properties/certManager/properties/issuerKind",
"type": "string",
"default": "Issuer"
},
"issuerGroup": {
"$id": "#/properties/highAvailability/properties/certManager/properties/issuerGroup",
"type": "string",
"default": "cert-manager.io"
}
}
},
"minReadySeconds": {
"$id": "#/properties/highAvailability/properties/minReadySeconds",
"type": "integer",
"default": 15
},
"podDisruptionBudget": {
"$id": "#/properties/highAvailability/properties/podDisruptionBudget",
"type": "object",
"required": [
"enabled",
"minAvailable"
],
"properties": {
"enabled": {
"$id": "#/properties/highAvailability/properties/podDisruptionBudget/properties/enabled",
"type": "boolean",
"default": false
},
"minAvailable": {
"$id": "#/properties/highAvailability/properties/podDisruptionBudget/properties/minAvailable",
"type": "integer",
"default": 1
}
}
}
}
},
"tls": {
"$id": "#/properties/tls",
"type": "object",
"required": [
"existingSecretName",
"existingCASecretName"
],
"properties": {
"existingSecretName": {
"$id": "#/properties/tls/properties/existingSecretName",
"type": "string",
"default": ""
},
"existingCASecretName": {
"$id": "#/properties/tls/properties/existingCASecretName",
"type": "string",
"default": ""
}
}
},
"image": {
"$id": "#/properties/image",
"type": "string",
"default": "public.ecr.aws/gravitational/teleport-distroless"
},
"enterpriseImage": {
"$id": "#/properties/enterpriseImage",
"type": "string",
"default": "public.ecr.aws/gravitational/teleport-ent-distroless"
},
"imagePullSecrets": {
"$id": "#/properties/imagePullSecrets",
"type": "array",
"default": []
},
"logLevel": {
"$id": "#/properties/logLevel",
"type": "string",
"enum": [
"DEBUG",
"INFO",
"WARN",
"WARNING",
"ERROR"
],
"default": "INFO"
},
"log": {
"$id": "#/properties/log",
"type": "object",
"required": [
"output",
"format",
"extraFields"
],
"properties": {
"level": {
"$id": "#/properties/log/properties/level",
"type": "string",
"enum": [
"DEBUG",
"INFO",
"WARN",
"WARNING",
"ERROR"
],
"default": "INFO"
},
"deployment": {
"$id": "#/properties/log/properties/output",
"type": "string",
"default": {}
},
"pod": {
"$id": "#/properties/log/properties/format",
"type": "string",
"default": {}
},
"service": {
"$id": "#/properties/log/properties/extraFields",
"type": "array",
"default": {}
}
}
},
"affinity": {
"$id": "#/properties/affinity",
"type": "object",
"default": {}
},
"nodeSelector": {
"$id": "#/properties/nodeSelector",
"type": "object",
"default": {}
},
"annotations": {
"$id": "#/properties/annotations",
"type": "object",
"required": [
"config",
"deployment",
"pod",
"service",
"serviceAccount",
"certSecret",
"ingress"
],
"properties": {
"config": {
"$id": "#/properties/annotations/properties/config",
"type": "object",
"default": {}
},
"deployment": {
"$id": "#/properties/annotations/properties/deployment",
"type": "object",
"default": {}
},
"pod": {
"$id": "#/properties/annotations/properties/pod",
"type": "object",
"default": {}
},
"service": {
"$id": "#/properties/annotations/properties/service",
"type": "object",
"default": {}
},
"serviceAccount": {
"$id": "#/properties/annotations/properties/serviceAccount",
"type": "object",
"default": {}
},
"certSecret": {
"$id": "#/properties/annotations/properties/certSecret",
"type": "object",
"default": {}
}
}
},
"service": {
"$id": "#/properties/service",
"type": "object",
"required": [
"type"
],
"properties": {
"type": {
"$id": "#properties/service/type",
"type": "string",
"default": "LoadBalancer"
},
"spec": {
"$id": "#/properties/service/spec",
"type": "object",
"default": {}
}
}
},
"ingress": {
"enabled": {
"$id": "#/properties/ingress/enabled",
"type": "boolean",
"default": false
},
"suppressAutomaticWildcards": {
"$id": "#/properties/ingress/suppressAutomaticWildcards",
"type": "boolean",
"default": false
},
"spec": {
"$id": "#/properties/ingress/spec",
"type": "object",
"default": {}
}
},
"serviceAccount": {
"$id": "#/properties/serviceAccount",
"type": "object",
"required": [],
"properties": {
"name": {
"$id": "#properties/service/name",
"type": "string",
"default": ""
},
"create": {
"$id": "#properties/service/create",
"type": "boolean",
"default": true
}
}
},
"rbac": {
"$id": "#/properties/rbac",
"type": "object",
"required": [],
"properties": {
"create": {
"$id": "#properties/rbac/create",
"type": "boolean",
"default": true
}
}
},
"extraArgs": {
"$id": "#/properties/extraArgs",
"type": "array",
"default": []
},
"extraEnv": {
"$id": "#/properties/extraEnv",
"type": "array",
"default": []
},
"extraVolumes": {
"$id": "#/properties/extraVolumes",
"type": "array",
"default": []
},
"extraVolumeMounts": {
"$id": "#/properties/extraVolumeMounts",
"type": "array",
"default": []
},
"imagePullPolicy": {
"$id": "#/properties/imagePullPolicy",
"type": "string",
"enum": [
"Never",
"IfNotPresent",
"Always"
],
"default": "IfNotPresent"
},
"initContainers": {
"$id": "#/properties/initContainers",
"type": "array",
"default": []
},
"postStart": {
"$id": "#/properties/postStart",
"type": "object",
"required": [
"command"
],
"properties": {
"command": {
"$id": "#properties/postStart/command",
"type": "array",
"default": []
}
}
},
"kubeClusterName": {
"$id": "#/properties/kubeClusterName",
"type": "string",
"default": ""
},
"resources": {
"$id": "#/properties/resources",
"type": "object",
"default": {}
},
"securityContext": {
"$id": "#/properties/securityContext",
"type": "object",
"default": {}
},
"tolerations": {
"$id": "#/properties/tolerations",
"type": "array",
"default": []
},
"priorityClassName": {
"$id": "#/properties/priorityClassName",
"type": "string",
"default": ""
},
"probeTimeoutSeconds": {
"$id": "#/properties/probeTimeoutSeconds",
"type": "integer",
"default": 1
},
"terminationGracePeriodSeconds": {
"$id": "#/properties/terminationGracePeriodSeconds",
"type": "integer",
"default": 60
}
}
}


@ -1,665 +0,0 @@
##################################################
# Values that must always be provided by the user.
##################################################
# `clusterName` controls the name used to refer to the Teleport cluster, along with
# the externally-facing public address to use to access it. In most setups this must
# be a fully-qualified domain name (e.g. `teleport.example.com`) as this value is
# used as the cluster's public address by default.
#
# Note: When using a fully qualified domain name as your `clusterName`, you will also
# need to configure the DNS provider for this domain to point to the external
# load balancer address of your Teleport cluster.
#
# Warning: The clusterName cannot be changed during a Teleport cluster's lifespan.
# If you need to change it, you must redeploy a completely new cluster.
clusterName: ""
# Name for this kubernetes cluster to be used by teleport users.
kubeClusterName: ""
##################################################
# Values that you may need to change.
##################################################
# Version of teleport image, if different from chart version in Chart.yaml.
# DANGER: `teleportVersionOverride` MUST NOT be used to control the Teleport version.
# This chart is designed to run a specific teleport version (see Chart.yaml).
# You will face compatibility issues trying to run a different Teleport version with it.
#
# If you want to run Teleport version X, you should use `helm --version X` instead.
teleportVersionOverride: ""
# The `proxyProtocol` value controls whether the Proxy pods will
# accept PROXY lines with the client's IP address when they are
# behind a L4 load balancer (e.g. AWS ELB, GCP L4 LB, etc) with PROXY protocol
# enabled. Since L4 LBs do not preserve the client's IP address, PROXY protocol is
# required to ensure that Teleport can properly audit the client's IP address.
#
# When Teleport pods are not behind a L4 LB with PROXY protocol enabled, this
# value should be set to "off" to prevent Teleport from accepting PROXY headers
# from untrusted sources.
# Possible values are "on" and "off".
# - "on" will enable the PROXY protocol for all connections and will require the
# L4 LB to send a PROXY header.
# - "off" will disable the PROXY protocol for all connections and denies all
# connections prefixed with a PROXY header.
#
# If proxyProtocol is unspecified, Teleport does not require PROXY header for the
# connection, but will accept it if present. This mode is considered insecure
# and should only be used for testing purposes.
#
# See https://goteleport.com/docs/ver/14.x/management/security/proxy-protocol/
# for more information.
#
# proxyProtocol: on
# The `teleport-cluster` charts deploys two sets of pods: auth and proxy.
# `auth` contains values specific for the auth pods. You can use it to
# set specific values for auth pods, taking precedence over chart-scoped values.
# For example, to override the [`postStart`](#postStart) value only for auth pods:
#
# auth:
# postStart: ["curl", "http://hook"]
# imagePullPolicy: Always
auth:
# auth.teleportConfig contains YAML teleport configuration for auth pods
# The configuration will be merged with the chart-generated configuration
# and will take precedence in case of conflict.
#
# See the Teleport Configuration Reference for the list of supported fields:
# https://goteleport.com/docs/reference/config/
#
# teleportConfig:
# teleport:
# cache:
# enabled: false
# auth_service:
# client_idle_timeout: 2h
# client_idle_timeout_message: "Connection closed after 2hours without activity"
teleportConfig: {}
# proxy contains values specific for the proxy pods
# You can override chart-scoped values, for example
# proxy:
# postStart: ["curl", "http://hook"]
# imagePullPolicy: Always
proxy:
# proxy.teleportConfig contains YAML teleport configuration for proxy pods
# The configuration will be merged with the chart-generated configuration
# and will take precedence in case of conflict
#
# See the Teleport Configuration Reference for the list of supported fields:
# https://goteleport.com/docs/reference/config/
#
# teleportConfig:
# teleport:
# cache:
# enabled: false
# proxy_service:
# https_keypairs:
# - key_file: /my-custom-mount/key.pem
# cert_file: /my-custom-mount/cert.pem
teleportConfig: {}
authentication:
# Default authentication type. Possible values are 'local' and 'github' for OSS, plus 'oidc' and 'saml' for Enterprise.
type: local
# Sets the authenticator connector for SSO or the default connector for "local" authentication.
# See SSO for Enterprise (https://goteleport.com/docs/enterprise/sso/).
# See Passwordless for local
# (http://goteleport.com/docs/access-controls/guides/passwordless/#optional-enable-passwordless-by-default).
# Defaults to "local".
connectorName: ""
# Enable/disable local authentication by setting `authentication.local_auth` in `teleport.yaml`.
# Disabling local auth is required for FedRAMP / FIPS; see https://gravitational.com/teleport/docs/enterprise/ssh-kubernetes-fedramp/.
localAuth: true
# Controls the locking mode: in case of network split should Teleport guarantee availability or integrity ?
# Possible values are "best_effort" and "strict". When not defined, Teleport defaults to "best_effort".
# See https://goteleport.com/docs/access-controls/guides/locking/#next-steps-locking-modes.
lockingMode: ""
# Second factor requirements for users of the Teleport cluster.
# Controls the `auth_config.authentication.second_factor` field in `teleport.yaml`.
# Possible values are 'off', 'on', 'otp', 'optional' and 'webauthn'.
#
# WARNING:
# If you set `publicAddr` for users to access the cluster under a domain different
# to clusterName you must manually set the webauthn Relying
# Party Identifier (RP ID) - https://www.w3.org/TR/webauthn-2/#relying-party-identifier
# If you don't, RP ID will default to `clusterName` and users will fail
# to register second factors.
#
# You can do this by setting the value
# `auth.teleportConfig.auth_service.authentication.webauthn.rp_id`.
#
# RP ID must be both a valid domain, and part of the full domain users are connecting to.
# For example, if users are accessing the cluster with the domain
# "teleport.example.com", RP ID can be "teleport.example.com" or "example.com".
#
# Changing the RP ID will invalidate all already registered webauthn second factors.
secondFactor: "on"
# (Optional) When using webauthn this allows to restrict which vendor and key models can be used.
# webauthn:
# attestationAllowedCas:
# - /path/to/allowed_ca.pem
# - |
# -----BEGIN CERTIFICATE-----
# ...
# -----END CERTIFICATE-----
# attestationDeniedCas:
# - /path/to/denied_ca.pem
# - |
# -----BEGIN CERTIFICATE-----
# ...
# -----END CERTIFICATE-----
# Deprecated way to set the authentication type, `authentication.type` should be preferred.
# authenticationType: local
# Deprecated way to set the authentication second factor, `authentication.secondFactor` should be preferred.
# authenticationSecondFactor:
# secondFactor: "otp"
# Teleport supports TLS routing. In this mode, all client connections are wrapped in TLS and multiplexed on one Teleport proxy port.
# Default mode will not utilize TLS routing and operate in backwards-compatibility mode.
#
# To use an ingress, set proxyListenerMode=multiplex, ingress.enabled=true and service.type=ClusterIP
#
# Possible values are 'separate' and 'multiplex'
proxyListenerMode: "separate"
# Optional setting for configuring session recording.
# See `session_recording` under https://goteleport.com/docs/setup/reference/config/#teleportyaml
sessionRecording: ""
# By default, Teleport will multiplex Postgres and MongoDB database connections on the same port as the proxy's web listener (443)
# Setting either of these values to true will separate the listeners out onto a separate port (5432 for Postgres, 27017 for MongoDB)
# This is useful when terminating TLS at a load balancer in front of Teleport (such as when using AWS ACM)
# These settings will not apply if proxyListenerMode is set to "multiplex".
separatePostgresListener: false
separateMongoListener: false
# Do not set any of these values unless you explicitly need to. Teleport always uses the cluster name by default.
#
# WARNING:
# If you set `publicAddr` for users to access the cluster under a domain different
# to clusterName, you must manually set the webauthn Relying
# Party Identifier (RP ID) - https://www.w3.org/TR/webauthn-2/#relying-party-identifier
# If you don't, RP ID will default to `clusterName` and users will fail
# to register second factors.
#
# You can do this by setting the value
# `auth.teleportConfig.auth_service.authentication.webauthn.rp_id`.
#
# RP ID must be both a valid domain, and part of the full domain users are connecting to.
# For example, if users are accessing the cluster with the domain
# "teleport.example.com", RP ID can be "teleport.example.com" or "example.com".
#
# Changing the RP ID will invalidate all already registered webauthn second factors.
#
# Public cluster addresses, including port (e.g. teleport.example.com:443)
# Defaults to `clusterName` on port 443.
publicAddr: []
# Public cluster kube addresses, including port. Defaults to `publicAddr` on port 3026.
# Only used when `proxyListenerMode` is not 'multiplex'.
kubePublicAddr: []
# Public cluster mongo listener addresses, including port. Defaults to `publicAddr` on port 27017.
# Only used when `proxyListenerMode` is not 'multiplex' and `separateMongoListener` is true.
mongoPublicAddr: []
# Public cluster MySQL addresses, including port. Defaults to `publicAddr` on port 3036.
# Only used when `proxyListenerMode` is not 'multiplex'.
mysqlPublicAddr: []
# Public cluster postgres listener addresses, including port. Defaults to `publicAddr` on port 5432.
# Only used when `proxyListenerMode` is not 'multiplex' and `separatePostgresListener` is true.
postgresPublicAddr: []
# Public cluster SSH addresses, including port. Defaults to `publicAddr` on port 3023.
# Only used when `proxyListenerMode` is not 'multiplex'.
sshPublicAddr: []
# Public cluster tunnel SSH addresses, including port. Defaults to `publicAddr` on port 3024.
# Only used when `proxyListenerMode` is not 'multiplex'.
tunnelPublicAddr: []
# ACME is a protocol for getting Web X.509 certificates
# Note: ACME can only be used for single-instance clusters. It is not suitable for use in HA configurations.
# For HA configurations, see either the "highAvailability.certManager" or "tls" values.
# Setting acme to 'true' enables the ACME protocol and will attempt to get a free TLS certificate from Let's Encrypt.
# Setting acme to 'false' (the default) will cause Teleport to generate and use self-signed certificates for its web UI.
# This section is mutually exclusive with the "tls" value below.
acme: false
# acmeEmail is the email address to provide during certificate registration (this is a Let's Encrypt requirement)
acmeEmail: ""
# acmeURI is the ACME server to use for getting certificates. The default is to use Let's Encrypt's production server.
acmeURI: ""
# Set enterprise to true to use enterprise image
# You will need to download your Enterprise license from the Teleport dashboard and create a secret to use this:
# kubectl -n ${TELEPORT_NAMESPACE?} create secret generic license --from-file=/path/to/downloaded/license.pem
enterprise: false
# CRDs are installed by default when the operator is enabled. This manual override allows to disable CRD installation
# when deploying multiple releases in the same cluster.
# installCRDs:
# Configuration of the optional Teleport operator
operator:
# Set enabled to true to add the Kubernetes Teleport Operator
enabled: false
# Kubernetes Teleport Operator image
image: public.ecr.aws/gravitational/teleport-operator
# Resources to request for the operator container
# https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
resources: {}
# requests:
# cpu: "0.5"
# memory: "1Gi"
# limits:
# memory: "1Gi"
# If true, create & use Pod Security Policy resources
# https://kubernetes.io/docs/concepts/policy/pod-security-policy/
# WARNING: the PSP won't be deployed for Kubernetes 1.23 and higher.
# Please read https://goteleport.com/docs/deploy-a-cluster/helm-deployments/migration-kubernetes-1-25-psp/
podSecurityPolicy:
enabled: true
# Labels is a map of key-value pairs about this cluster
labels: {}
# Mode to deploy the chart in. The default is "standalone". Options:
# - "standalone": will deploy a Teleport container running auth and proxy services with a PersistentVolumeClaim for storage.
# - "aws": will deploy Teleport using DynamoDB for backend/audit log storage and S3 for session recordings. (1)
# - "gcp": will deploy Teleport using Firestore for backend/audit log storage and Google Cloud storage for session recordings. (2)
# - "azure": will deploy Teleport using Azure Database for PostgreSQL for backend/audit and Azure Blob Storage for session recordings. (3)
# - "scratch": will deploy Teleport containers but will not provide default configuration file. You must pass your own configuration. (4)
# (1) To use "aws" mode, you must also configure the "aws" section below.
# (2) To use "gcp" mode, you must also configure the "gcp" section below.
# (3) To use "azure" mode, you must also configure the "azure" section below.
# (4) When set to "scratch", you must write the teleport configuration in auth.teleportConfig and proxy.teleportConfig.
# `scratch` usage is strongly discouraged, this is a last resort option and
# everything should be doable with `standalone` mode + overrides through
# `auth.teleportConfig` and `proxy.teleportConfig`.
chartMode: standalone
# validateConfigOnDeploy enables a Kubernetes job before install and upgrade that will verify
# if the teleport.yaml configuration is valid and will block the deployment if it is not
validateConfigOnDeploy: true
# Whether the chart should create a Teleport ProvisionToken for the proxies to join the Teleport cluster.
# Disabling this flag will cause the proxies not to be able to join the auth pods. In this case, the
# Helm chart user is responsible for configuring working join_params on the proxy.
createProxyToken: true
# podMonitor controls the PodMonitor CR (from monitoring.coreos.com/v1)
# This CRD is managed by the prometheus-operator and allows workload to
# get monitored. To use this value, you need to run a `prometheus-operator`
# in the cluster for this value to take effect.
# See https://prometheus-operator.dev/docs/prologue/introduction/
podMonitor:
# Whether the chart should deploy a PodMonitor.
# Disabled by default as it requires the PodMonitor CRD to be installed.
enabled: false
# additionalLabels to put on the PodMonitor.
# This is used to be selected by a specific prometheus instance.
# Defaults to {prometheus: default} which seems to be the common default prometheus selector
additionalLabels:
prometheus: default
# interval is the interval between two metrics scrapes. Defaults to 30s
interval: 30s
######################################################################
# Persistence settings (only used in "standalone" and "scratch" modes)
# NOTE: Changes in Kubernetes 1.23+ mean that persistent volumes will not automatically be provisioned in AWS EKS clusters
# without additional configuration. See https://docs.aws.amazon.com/eks/latest/userguide/ebs-csi.html for more details.
# This driver addon must be configured to use persistent volumes in EKS clusters after Kubernetes 1.23.
######################################################################
persistence:
# Enable persistence using a PersistentVolumeClaim
enabled: true
# Leave blank to automatically create a PersistentVolumeClaim for Teleport storage.
# If you would like to use a pre-existing PersistentVolumeClaim, put its name here.
existingClaimName: ""
# Size of persistent volume to request when created by Teleport.
# Ignored if existingClaimName is provided.
volumeSize: 10Gi
##################################################
# AWS-specific settings (only used in "aws" mode)
##################################################
aws:
# The AWS region where the DynamoDB tables are located.
region: ""
# The DynamoDB table name to use for backend storage. Teleport will attempt to create this table automatically if it does not exist.
# The container will need an appropriately-provisioned IAM role with permissions to create DynamoDB tables.
backendTable: ""
# The DynamoDB table name to use for audit log storage. Teleport will attempt to create this table automatically if it does not exist.
# The container will need an appropriately-provisioned IAM role with permissions to create DynamoDB tables.
# This MUST NOT be the same table name as used for 'backendTable' as the schemas are different.
auditLogTable: ""
# Whether to mirror audit log entries to stdout in JSON format (useful for external log collectors)
auditLogMirrorOnStdout: false
# The S3 bucket name to use for recorded session storage. Teleport will attempt to create this bucket automatically if it does not exist.
# The container will need an appropriately-provisioned IAM role with permissions to create S3 buckets.
sessionRecordingBucket: ""
# Whether or not to turn on DynamoDB backups
backups: false
# Whether Teleport should configure DynamoDB's autoscaling.
# Requires additional statements in the IAM Teleport Policy to be allowed to configure the autoscaling.
# See https://goteleport.com/docs/setup/reference/backends/#dynamodb-autoscaling
dynamoAutoScaling: false
# DynamoDB autoscaling settings. Required if `dynamoAutoScaling` is `true`.
# See https://goteleport.com/docs/setup/reference/backends/#dynamodb-autoscaling
readMinCapacity: null # Integer
readMaxCapacity: null # Integer
readTargetValue: null # Float
writeMinCapacity: null # Integer
writeMaxCapacity: null # Integer
writeTargetValue: null # Float
##################################################
# GCP-specific settings (only used in "gcp" mode)
##################################################
gcp:
# The project name being used for the GCP account where Teleport is running.
# See https://support.google.com/googleapi/answer/7014113?hl=en
projectId: ""
# The Firestore collection to use for backend storage. Teleport will attempt to create this collection automatically if it does not exist.
# Either of the following must be true:
# - The container will need an appropriately-provisioned IAM role/service account with permissions to create Firestore collections
# - The service account credentials provided via 'credentialSecretName' will need permissions to create Firestore collections.
backendTable: ""
# The Firestore collection to use for audit log storage. Teleport will attempt to create this collection automatically if it does not exist.
# Either of the following must be true:
# - The container will need an appropriately-provisioned IAM role/service account with permissions to create Firestore collections
# - The service account credentials provided via 'credentialSecretName' will need permissions to create Firestore collections.
# This MUST NOT be the same collection name as used for 'backendTable' as the schemas are different.
auditLogTable: ""
# Whether to mirror audit log entries to stdout in JSON format (useful for external log collectors)
auditLogMirrorOnStdout: false
# The Google storage bucket name to use for recorded session storage. This bucket must already exist in the Google account being used.
sessionRecordingBucket: ""
# The name of the Kubernetes secret used to store the Google credentials.
# You will need to create this secret manually. It must contain a JSON file from Google with the credentials that Teleport will use.
# You can override this to a blank value if the worker node running Teleport already has a service account which grants access.
credentialSecretName: teleport-gcp-credentials
#####################################################
# Azure-specific settings (only used in "azure" mode)
#####################################################
azure:
# The fully qualified hostname of the Postgres database cluster hosted in Azure.
# It should follow the format "<database name>.postgres.database.azure.com".
databaseHost: ""
# The Postgres user Teleport must use to connect to the backend and audit
# databases.
databaseUser: ""
# The Postgres database to use for backend storage.
backendDatabase: "teleport_backend"
# The Postgres database to use for audit log storage.
# This MUST NOT be the same database as used for 'backendDatabase'.
auditLogDatabase: "teleport_audit"
# Whether to mirror audit log entries to stdout in JSON format (useful for external log collectors)
auditLogMirrorOnStdout: false
# The fully qualified domain name of the Azure Blob Storage account to use for
# recorded session storage. This account must already exist.
# It should follow the format "<storage account>.blob.core.windows.net"
sessionRecordingStorageAccount: ""
# Azure client ID is used by the Kubernetes Service Account to know which
# Application it should impersonate. This can be unset only if the clientID is
# passed through other means (e.g. environment variable)
clientID: ""
# Controls the `pool_max_conns` setting passed to PostgreSQL. This is the
# max amount of connections Teleport can open to the database. This can affect
# performance on large clusters and depends on various factors like the
# database size, the number of CPU cores available for Teleport, GOMAXPROCS
# and the database latency.
# This only applies to the core backend connections, not the audit log ones.
# 0 means the parameter is not set and the client's default is used (recommended)
databasePoolMaxConnections: 0
# `highAvailability` contains settings controlling how Teleport pods are
# replicated and scheduled. This allows Teleport to run in a highly-available
# fashion: Teleport should sustain the crash/loss of a machine without interrupting
# the service.
#
# For auth pods:
# When using "standalone" or "scratch" mode, you must use highly-available storage
# (etcd, DynamoDB or Firestore) for multiple replicas to be supported.
# Manually configuring NFS-based storage or ReadWriteMany volume claims
# is NOT supported and will result in errors. Using Teleport's built-in
# ACME client (as opposed to using cert-manager or passing certs through a secret)
# is not supported with multiple replicas.
# For proxy pods:
# Proxy pods need to be provided a certificate to be replicated (either via
# `tls.existingSecretName` or via `highAvailability.certManager`).
# If proxy pods are replicable, they will default to 2 replicas,
# even if `highAvailability.replicaCount` is 1. To force a single proxy replica,
# set `proxy.highAvailability.replicaCount: 1`.
highAvailability:
# Controls the amount of pod replicas. The `highAvailability` comment describes
# the replication requirements.
#
# WARNING: You **must** meet the replication criteria,
# else the deployment will result in errors and inconsistent data.
replicaCount: 1
# Setting 'requireAntiAffinity' to true will use 'requiredDuringSchedulingIgnoredDuringExecution' to require that multiple Teleport pods must not be scheduled on the
# same physical host. This will result in Teleport pods failing to be scheduled in very small clusters or during node downtime, so should be used with caution.
# Setting 'requireAntiAffinity' to false (the default) uses 'preferredDuringSchedulingIgnoredDuringExecution' to make this a soft requirement.
# This setting only has any effect when replicaCount is greater than 1.
requireAntiAffinity: false
# If enabled will create a Pod Disruption Budget
# https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
podDisruptionBudget:
enabled: false
minAvailable: 1
# Settings for cert-manager (can be used for provisioning TLS certs in HA mode)
# These settings are mutually exclusive with the "tls" value below.
certManager:
# If set to true, use cert-manager to get certificates for Teleport to use for TLS termination
enabled: false
# If set to true, a common name matching the cluster name will be set in the certificate signing request. This is mandatory for some CAs.
addCommonName: false
# If set to true, any additional public addresses configured under the `publicAddr` chart value will be added to the certificate signing request.
# This setting is not enabled by default to preserve backward compatibility.
addPublicAddrs: false
# Name of the Issuer/ClusterIssuer to use for certs
# NOTE: You will always need to create this yourself when certManager.enabled is true.
issuerName: ""
# Kind of Issuer that cert-manager should look for.
# This defaults to 'Issuer' to keep everything contained within the teleport namespace.
issuerKind: Issuer
# Group of Issuer that cert-manager should look for.
# This defaults to 'cert-manager.io' which is the default Issuer group.
issuerGroup: cert-manager.io
# Injects delay when performing pod rollouts to mitigate the loss of all agent tunnels at the same time
# See https://github.com/gravitational/teleport/issues/13129
minReadySeconds: 15
# Settings for mounting your own TLS keypair to secure Teleport's web UI.
# These settings are mutually exclusive with the "highAvailability.certManager" and "acme" values above.
tls:
# Name of an existing secret to use which contains a TLS keypair. Will automatically set the https_keypairs section in teleport.yaml.
# Create the secret in the same namespace as Teleport using `kubectl create secret tls my-tls-secret --cert=/path/to/cert/file --key=/path/to/key/file`
# See https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets for more information.
existingSecretName: ""
# (optional) Name of an existing secret to use which contains a CA or trust bundle in x509 PEM format.
# Useful for building trust when using intermediate certificate authorities.
# This will automatically set the SSL_CERT_FILE environment variable to trust the CA.
# Create the secret with `kubectl create secret generic --from-file=ca.pem=/path/to/root-ca.pem
# The filename inside the secret is important - it _must_ be ca.pem
existingCASecretName: ""
##################################################
# Values that you shouldn't need to change.
##################################################
# Container image for the cluster.
# Since version 13, hardened distroless images are used by default.
# You can use the deprecated debian-based images by setting the value to
# `public.ecr.aws/gravitational/teleport`. Those images will be
# removed with teleport 14.
image: public.ecr.aws/gravitational/teleport-distroless
# Enterprise version of the image
# Since version 13, hardened distroless images are used by default.
# You can use the deprecated debian-based images by setting the value to
# `public.ecr.aws/gravitational/teleport-ent`. Those images will be
# removed with teleport 14.
enterpriseImage: public.ecr.aws/gravitational/teleport-ent-distroless
# Optional array of imagePullSecrets, to use when pulling from a private registry
imagePullSecrets: []
# Teleport logging configuration
log:
# Log level for the Teleport process.
# Available log levels are: DEBUG, INFO, WARNING, ERROR.
# The default is INFO, which is recommended in production.
# DEBUG is useful during first-time setup or to see more detailed logs for debugging.
level: INFO
# Log output
# Use a file path to log to disk: e.g. '/var/lib/teleport/teleport.log'
# Other supported values: 'stdout', 'stderr' and 'syslog'
output: stderr
# Log format configuration
# Possible output values are 'json' and 'text' (default).
format: text
# Possible extra_fields values include: timestamp, component, caller, and level.
# All extra fields are included by default.
extraFields: ["timestamp", "level", "component", "caller"]
##################################
# Extra Kubernetes configuration #
##################################
# nodeSelector to apply for pod assignment
# https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
nodeSelector: {}
# Affinity for pod assignment
# https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
# NOTE: If affinity is set here, highAvailability.requireAntiAffinity cannot also be used - you can only set one or the other.
affinity: {}
# Kubernetes annotations to apply
# https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
annotations:
# Annotations for the ConfigMap
config: {}
# Annotations for the Deployment
deployment: {}
# Annotations for each Pod in the Deployment
pod: {}
# Annotations for the Service object
service: {}
# Annotations for the ServiceAccount object
serviceAccount: {}
# Annotations for the certificate secret generated by cert-manager v1.5+ when
# highAvailability.certManager.enabled is true
certSecret: {}
# Annotations for the Ingress object
ingress: {}
# Kubernetes service account to create/use.
serviceAccount:
# Specifies whether a ServiceAccount should be created
create: true
# The name of the ServiceAccount to use.
# If not set and serviceAccount.create is true, the name is generated using the release name.
# If create is false, the name will be used to reference an existing service account.
name: ""
# To set annotations on the service account, use the annotations.serviceAccount value.
# Set to true (default) to create Kubernetes ClusterRole and ClusterRoleBinding.
rbac:
# Specifies whether a ClusterRole and ClusterRoleBinding should be created.
# Set to false if your cluster level resources are managed separately.
create: true
# Options for the Teleport proxy service
# This setting only applies to the proxy service. The teleport auth service is internal-only and always uses a ClusterIP.
# You can override the proxy's backend service to any service type (other than "LoadBalancer") here if really needed.
# To use an Ingress, set service.type=ClusterIP and ingress.enabled=true
service:
type: LoadBalancer
# Additional entries here will be added to the service spec.
spec: {}
# loadBalancerIP: "1.2.3.4"
# Options for ingress
# If you set ingress.enabled to true, service.type MUST also be set to something other than "LoadBalancer" to prevent
# additional unnecessary load balancers from being created. Ingress controllers should provision their own load balancer.
# Using an Ingress also requires that you use the `tsh` client to connect to Kubernetes clusters and databases behind Teleport.
# See https://goteleport.com/docs/architecture/tls-routing/#working-with-layer-7-load-balancers-or-reverse-proxies-preview for details.
ingress:
enabled: false
# Setting suppressAutomaticWildcards to true will not automatically add *.<clusterName> as a hostname served
# by the Ingress. This may be desirable if you don't use Teleport Application Access.
suppressAutomaticWildcards: false
# Additional entries here will be added to the ingress spec.
spec: {}
# ingressClassName: nginx
# Extra arguments to pass to 'teleport start' for the main Teleport pod
extraArgs: []
# Extra environment to be configured on the Teleport pod
extraEnv: []
# Extra volumes to mount into the Teleport pods
# https://kubernetes.io/docs/concepts/storage/volumes/
extraVolumes: []
# - name: myvolume
# secret:
# secretName: testSecret
# Extra volume mounts corresponding to the volumes mounted above
extraVolumeMounts: []
# - name: myvolume
# mountPath: /path/on/host
# Allow the imagePullPolicy to be overridden
imagePullPolicy: IfNotPresent
# A list of initContainers to run before each Teleport pod starts
# https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
initContainers: []
# - name: "teleport-init"
# image: "alpine"
# args: ["echo test"]
# If set, will run the command as a postStart handler
# https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/
postStart:
command: []
# Resources to request for the teleport container
# https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
resources: {}
# requests:
# cpu: "1"
# memory: "2Gi"
# Security context to add to the container
securityContext: {}
# runAsUser: 99
# Priority class name to add to the deployment
priorityClassName: ""
# Tolerations for pod assignment
# https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tolerations: []
# Timeouts for the readiness and liveness probes
# https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
probeTimeoutSeconds: 1
# Kubernetes termination grace period
# https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution
#
# This should be greater than 30 seconds as pods are waiting 30 seconds in a preStop hook.
terminationGracePeriodSeconds: 60


@ -1,3 +0,0 @@
clusterName: test-cluster-name
extraArgs:
- "--insecure"


@ -1,3 +0,0 @@
clusterName: test-acme-cluster
acme: true
acmeEmail: test@email.com


@ -1,4 +0,0 @@
clusterName: test-acme-cluster
acme: true
acmeEmail: test@email.com
acmeURI: https://acme-staging-v02.api.letsencrypt.org/directory


@ -1,29 +0,0 @@
clusterName: test-gcp-cluster
chartMode: gcp
gcp:
projectId: gcpproj-123456
backendTable: test-teleport-firestore-storage-collection
auditLogTable: test-teleport-firestore-auditlog-collection
sessionRecordingBucket: test-gcp-session-storage-bucket
highAvailability:
replicaCount: 2
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: gravitational.io/dedicated
operator: In
values:
- teleport
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: app
operator: In
values:
- teleport
topologyKey: kubernetes.io/hostname
weight: 1


@ -1,17 +0,0 @@
clusterName: helm-lint
annotations:
config:
kubernetes.io/config: "test-annotation"
kubernetes.io/config-different: 2
deployment:
kubernetes.io/deployment: "test-annotation"
kubernetes.io/deployment-different: 3
pod:
kubernetes.io/pod: "test-annotation"
kubernetes.io/pod-different: 4
service:
kubernetes.io/service: "test-annotation"
kubernetes.io/service-different: 5
serviceAccount:
kubernetes.io/serviceaccount: "test-annotation"
kubernetes.io/serviceaccount-different: 6


@ -1,3 +0,0 @@
clusterName: helm-lint
authentication:
connectorName: "okta"


@ -1,5 +0,0 @@
clusterName: helm-lint
authentication:
type: "github"
localAuth: false
secondFactor: "off"


@ -1,3 +0,0 @@
clusterName: helm-lint
authentication:
lockingMode: "strict"


@ -1,4 +0,0 @@
clusterName: helm-lint
authentication:
connectorName: passwordless
secondFactor: webauthn


@ -1,4 +0,0 @@
clusterName: helm-lint
authentication:
type: "this-should-be-ignored"
authenticationType: "github"


@ -1,3 +0,0 @@
clusterName: helm-lint
authentication:
type: "github"


@ -1,10 +0,0 @@
clusterName: helm-lint
authentication:
secondFactor: "off" # this should be overridden
authenticationSecondFactor:
secondFactor: "on"
webauthn:
attestationAllowedCas:
- "/etc/ssl/certs/ca-certificates.crt"
attestationDeniedCas:
- "/etc/ssl/certs/ca-certificates.crt"


@ -1,8 +0,0 @@
clusterName: helm-lint
authentication:
secondFactor: "on"
webauthn:
attestationAllowedCas:
- "/etc/ssl/certs/ca-certificates.crt"
attestationDeniedCas:
- "/etc/ssl/certs/ca-certificates.crt"


@ -1,14 +0,0 @@
clusterName: test-aws-cluster
chartMode: aws
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
auditLogTable: test-dynamodb-auditlog-table
sessionRecordingBucket: test-s3-session-storage-bucket
dynamoAutoScaling: true
readMinCapacity: 5
readMaxCapacity: 100
readTargetValue: 50.0
writeMinCapacity: 5
writeMaxCapacity: 100
writeTargetValue: 50.0


@ -1,14 +0,0 @@
clusterName: test-aws-cluster
chartMode: aws
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
auditLogTable: test-dynamodb-auditlog-table
sessionRecordingBucket: test-s3-session-storage-bucket
highAvailability:
replicaCount: 3
certManager:
enabled: true
issuerName: letsencrypt-production
labels:
env: aws


@ -1,12 +0,0 @@
clusterName: test-aws-cluster
chartMode: aws
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
auditLogTable: test-dynamodb-auditlog-table
sessionRecordingBucket: test-s3-session-storage-bucket
highAvailability:
replicaCount: 3
requireAntiAffinity: true
labels:
env: aws


@ -1,17 +0,0 @@
clusterName: test-aws-cluster
chartMode: aws
log:
level: DEBUG
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
auditLogTable: test-dynamodb-auditlog-table
auditLogMirrorOnStdout: true
sessionRecordingBucket: test-s3-session-storage-bucket
highAvailability:
replicaCount: 2
certManager:
enabled: true
issuerName: letsencrypt-production
labels:
env: aws


@ -1,11 +0,0 @@
clusterName: test-aws-cluster
chartMode: aws
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
auditLogTable: test-dynamodb-auditlog-table
sessionRecordingBucket: test-s3-session-storage-bucket
highAvailability:
replicaCount: 3
labels:
env: aws


@ -1,11 +0,0 @@
clusterName: test-aws-cluster
chartMode: aws
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
auditLogTable: test-dynamodb-auditlog-table
sessionRecordingBucket: test-s3-session-storage-bucket
acme: true
acmeEmail: test@email.com
labels:
env: aws


@ -1,11 +0,0 @@
clusterName: test-azure-cluster
chartMode: azure
azure:
databaseHost: "mypostgresinstance.postgres.database.azure.com"
databaseUser: "teleport"
backendDatabase: "teleport_backend"
auditLogDatabase: "teleport_audit"
auditLogMirrorOnStdout: true
sessionRecordingStorageAccount: "mystorageaccount.blob.core.windows.net"
clientID: "1234"
databasePoolMaxConnections: 100


@ -1,15 +0,0 @@
clusterName: test-cluster
chartMode: aws
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
auditLogTable: test-dynamodb-auditlog-table
sessionRecordingBucket: test-s3-session-storage-bucket
highAvailability:
replicaCount: 3
certManager:
addCommonName: true
enabled: true
issuerGroup: custom.cert-manager.io
issuerName: custom
issuerKind: CustomClusterIssuer


@ -1,15 +0,0 @@
clusterName: test-cluster
chartMode: aws
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
auditLogTable: test-dynamodb-auditlog-table
sessionRecordingBucket: test-s3-session-storage-bucket
annotations:
certSecret:
kubernetes.io/cert-secret: value
highAvailability:
replicaCount: 3
certManager:
enabled: true
issuerName: letsencrypt


@ -1,7 +0,0 @@
# This setup is not safe for production because the proxy will self-sign its certificate.
# Use those values for testing only
# The chart should deploy and work only with a clusterName.
# This setup can also cause redirection issues if the proxy is contacted with a hostName instead of an IP address
# as it is not aware of its external hostname and will attempt to perform a redirection.
clusterName: helm-lint


@ -1,4 +0,0 @@
clusterName: test-cluster-name
tls:
existingSecretName: helm-lint-existing-tls-secret
existingCASecretName: helm-lint-existing-tls-secret-ca


@ -1,3 +0,0 @@
clusterName: test-cluster-name
tls:
existingSecretName: helm-lint-existing-tls-secret


@ -1,4 +0,0 @@
clusterName: helm-lint.example.com
extraEnv:
- name: SOME_ENVIRONMENT_VARIABLE
value: "some-value"


@ -1,14 +0,0 @@
clusterName: test-gcp-cluster
chartMode: gcp
gcp:
projectId: gcpproj-123456
backendTable: test-teleport-firestore-storage-collection
auditLogTable: test-teleport-firestore-auditlog-collection
sessionRecordingBucket: test-gcp-session-storage-bucket
highAvailability:
replicaCount: 3
certManager:
enabled: true
issuerName: letsencrypt-production
labels:
env: gcp


@ -1,12 +0,0 @@
clusterName: test-gcp-cluster
chartMode: gcp
gcp:
projectId: gcpproj-123456
backendTable: test-teleport-firestore-storage-collection
auditLogTable: test-teleport-firestore-auditlog-collection
sessionRecordingBucket: test-gcp-session-storage-bucket
highAvailability:
replicaCount: 3
requireAntiAffinity: true
labels:
env: gcp


@ -1,17 +0,0 @@
clusterName: test-gcp-cluster
chartMode: gcp
log:
level: DEBUG
gcp:
projectId: gcpproj-123456
backendTable: test-teleport-firestore-storage-collection
auditLogTable: test-teleport-firestore-auditlog-collection
auditLogMirrorOnStdout: true
sessionRecordingBucket: test-gcp-session-storage-bucket
highAvailability:
replicaCount: 3
certManager:
enabled: true
issuerName: letsencrypt-production
labels:
env: gcp


@ -1,12 +0,0 @@
clusterName: test-gcp-cluster
chartMode: gcp
gcp:
projectId: gcpproj-123456
backendTable: test-teleport-firestore-storage-collection
auditLogTable: test-teleport-firestore-auditlog-collection
sessionRecordingBucket: test-gcp-session-storage-bucket
credentialSecretName: ""
highAvailability:
replicaCount: 3
labels:
env: gcp


@ -1,11 +0,0 @@
clusterName: test-gcp-cluster
chartMode: gcp
gcp:
projectId: gcpproj-123456
backendTable: test-teleport-firestore-storage-collection
auditLogTable: test-teleport-firestore-auditlog-collection
sessionRecordingBucket: test-gcp-session-storage-bucket
highAvailability:
replicaCount: 3
labels:
env: gcp


@ -1,11 +0,0 @@
clusterName: test-gcp-cluster
chartMode: gcp
gcp:
projectId: gcpproj-123456
backendTable: test-teleport-firestore-storage-collection
auditLogTable: test-teleport-firestore-auditlog-collection
sessionRecordingBucket: test-gcp-session-storage-bucket
acme: true
acmeEmail: test@email.com
labels:
env: gcp


@ -1,4 +0,0 @@
clusterName: test-standalone-cluster
chartMode: standalone
imagePullSecrets:
- name: myRegistryKeySecretName


@ -1,8 +0,0 @@
clusterName: teleport.example.com
publicAddr: ["my-teleport-ingress.example.com:443"]
ingress:
enabled: true
suppressAutomaticWildcards: true
proxyListenerMode: multiplex
service:
type: ClusterIP


@ -1,6 +0,0 @@
clusterName: teleport.example.com
ingress:
enabled: true
proxyListenerMode: multiplex
service:
type: ClusterIP


@ -1,8 +0,0 @@
clusterName: helm-lint
initContainers:
- name: "teleport-init"
image: "alpine"
args: ["echo test"]
- name: "teleport-init2"
image: "alpine"
args: ["echo test2"]


@ -1,2 +0,0 @@
clusterName: test-aws-cluster
kubeClusterName: test-kube-cluster


@ -1,4 +0,0 @@
clusterName: test-log-cluster
log:
format: json
level: INFO


@ -1,6 +0,0 @@
clusterName: test-log-cluster
log:
format: json
level: DEBUG
output: /var/lib/teleport/test.log
extraFields: ["level", "timestamp", "component", "caller"]


@ -1,2 +0,0 @@
clusterName: test-log-cluster
logLevel: DEBUG


@ -1,4 +0,0 @@
clusterName: test-cluster-name
nodeSelector:
role: bastion
environment: security


@ -1,4 +0,0 @@
clusterName: test-cluster-name
operator:
enabled: true
installCRDs: true


@ -1,12 +0,0 @@
clusterName: helm-lint
chartMode: aws
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
auditLogTable: test-dynamodb-auditlog-table
sessionRecordingBucket: test-s3-session-storage-bucket
highAvailability:
replicaCount: 3
podDisruptionBudget:
enabled: true
minAvailable: 2


@ -1,4 +0,0 @@
clusterName: test-persistence-cluster
standalone:
existingClaimName: ""
volumeSize: 10Gi


@ -1,6 +0,0 @@
clusterName: test-kube-cluster-name
podMonitor:
enabled: true
additionalLabels:
prometheus: default
interval: 30s


@ -1,4 +0,0 @@
clusterName: helm-lint
# These are just sample values to test the chart.
# They are not intended to be guidelines or suggestions for running teleport.
priorityClassName: "system-cluster-critical"


@ -1,4 +0,0 @@
clusterName: helm-lint
# These are just sample values to test the chart.
# They are not intended to be guidelines or suggestions for running teleport.
probeTimeoutSeconds: 5


@ -1,2 +0,0 @@
clusterName: test-proxy-listener-mode
proxyListenerMode: multiplex


@ -1,2 +0,0 @@
clusterName: test-proxy-listener-mode
proxyListenerMode: separate


@ -1,11 +0,0 @@
clusterName: helm-lint
publicAddr: ["loadbalancer.example.com:443"]
sshPublicAddr: ["loadbalancer.example.com:3023"]
tunnelPublicAddr: ["loadbalancer.example.com:3024"]
postgresPublicAddr: ["loadbalancer.example.com:5432"]
mongoPublicAddr: ["loadbalancer.example.com:27017"]
mysqlPublicAddr: ["loadbalancer.example.com:3036"]
kubePublicAddr: ["loadbalancer.example.com:3026"]
separatePostgresListener: true
separateMongoListener: true


@ -1,10 +0,0 @@
clusterName: helm-lint
# These are just sample values to test the chart.
# They are not intended to be guidelines or suggestions for running teleport.
resources:
limits:
cpu: 2
memory: 4Gi
requests:
cpu: 1
memory: 2Gi


@ -1 +0,0 @@
clusterName: helm-lint


@ -1,8 +0,0 @@
clusterName: helm-lint
securityContext:
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: false
runAsGroup: 99
runAsNonRoot: true
runAsUser: 99


@ -1,2 +0,0 @@
clusterName: helm-lint
separateMongoListener: true


@ -1,2 +0,0 @@
clusterName: helm-lint
separatePostgresListener: true


@ -1,7 +0,0 @@
clusterName: helm-lint
serviceAccount:
create: true
name: helm-lint
annotations:
serviceAccount:
kubernetes.io/serviceaccount: "test-annotation"


@ -1,5 +0,0 @@
clusterName: helm-lint
service:
type: LoadBalancer
spec:
loadBalancerIP: 1.2.3.4


@ -1,2 +0,0 @@
clusterName: helm-lint
sessionRecording: "node-sync"


@ -1,9 +0,0 @@
clusterName: test-standalone-cluster
chartMode: standalone
persistence:
enabled: true
storageClassName: ebs-ssd
acme: true
acmeEmail: test@email.com
labels:
env: standalone


@ -1,9 +0,0 @@
clusterName: test-standalone-cluster
chartMode: standalone
persistence:
enabled: true
volumeSize: 50Gi
acme: true
acmeEmail: test@email.com
labels:
env: standalone


@ -1,9 +0,0 @@
clusterName: test-standalone-cluster
chartMode: standalone
persistence:
enabled: true
existingClaimName: teleport-storage
acme: true
acmeEmail: test@email.com
labels:
env: standalone


@ -1,18 +0,0 @@
clusterName: test-aws-cluster
chartMode: aws
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
auditLogTable: test-dynamodb-auditlog-table
sessionRecordingBucket: test-s3-session-storage-bucket
highAvailability:
replicaCount: 3
tolerations:
- key: "dedicated"
operator: "Equal"
value: "teleport"
effect: "NoExecute"
- key: "dedicated"
operator: "Equal"
value: "teleport"
effect: "NoSchedule"


@ -1,5 +0,0 @@
clusterName: test-cluster-name
teleportVersionOverride: 5.2.1
labels:
env: test
version: 5.2.1


@ -1,8 +0,0 @@
clusterName: helm-lint
extraVolumeMounts:
- name: "my-mount"
mountPath: "/path/to/mount"
extraVolumes:
- name: "my-mount"
secret:
secretName: "mySecret"


@ -1,13 +0,0 @@
apiVersion: v2
appVersion: 14.0.1
dependencies:
- condition: installCRDs,operator.enabled
name: teleport-operator
repository: ""
version: 14.0.1
description: Teleport is an access platform for your infrastructure
icon: https://goteleport.com/images/logos/logo-teleport-square.svg
keywords:
- Teleport
name: teleport-cluster
version: 14.0.1


@ -1,64 +0,0 @@
# Teleport Cluster
This chart sets up a single node Teleport cluster.
It uses a persistent volume claim for storage.
Great for getting started with Teleport.
## Important Notices
- The chart version follows the Teleport version. e.g. chart v10.x can run Teleport v10.x and v11.x, but is not compatible with Teleport 9.x
- Teleport does mutual TLS to authenticate clients. It currently does not support running behind a L7 LoadBalancer, like a Kubernetes `Ingress`. It requires being exposed through a L4 LoadBalancer (Kubernetes `Service`).
## Getting Started
### Single-node example
To install Teleport in a separate namespace and provision a web certificate using Let's Encrypt, run:
```bash
$ helm install teleport/teleport-cluster \
--set acme=true \
--set acmeEmail=alice@example.com \
--set clusterName=teleport.example.com\
--create-namespace \
--namespace=teleport-cluster \
./teleport-cluster/
```
Finally, configure the DNS for `teleport.example.com` to point to the newly created LoadBalancer.
Note: this guide uses the built-in ACME client to get certificates.
In this setup, Teleport nodes cannot be replicated. If you want to run multiple
Teleport replicas, you must provide a certificate through `tls.existingSecretName`
or by installing [cert-manager](https://cert-manager.io/docs/) and setting the `highAvailability.certManager.*` values.
### Replicated setup guides
- [Running an HA Teleport cluster in Kubernetes using an AWS EKS Cluster](https://goteleport.com/docs/deploy-a-cluster/helm-deployments/aws/)
- [Running an HA Teleport cluster in Kubernetes using a Google Cloud GKE cluster](https://goteleport.com/docs/deploy-a-cluster/helm-deployments/gcp/)
- [Running a Teleport cluster in Kubernetes with a custom Teleport config](https://goteleport.com/docs/deploy-a-cluster/helm-deployments/custom/)
### Creating first user
The first user can be created by executing a command in one of the auth pods.
```shell
kubectl exec it -n teleport-cluster statefulset/teleport-cluster-auth -- tctl users add my-username --roles=editor,auditor,access
```
The command should output a registration link to finalize the user creation.
## Uninstalling
```bash
helm uninstall --namespace teleport-cluster teleport-cluster
```
## Documentation
See https://goteleport.com/docs/kubernetes-access/helm/guides/ for guides on setting up HA Teleport clusters
in EKS or GKE, plus a comprehensive chart reference.
## Contributing to the chart
Please read [CONTRIBUTING.md](../CONTRIBUTING.md) before raising a pull request to this chart.


@ -1,8 +0,0 @@
apiVersion: v2
appVersion: 14.0.1
description: Teleport Operator provides management of select Teleport resources.
icon: https://goteleport.com/images/logos/logo-teleport-square.svg
keywords:
- Teleport
name: teleport-operator
version: 14.0.1


@ -1,168 +0,0 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
creationTimestamp: null
name: teleportgithubconnectors.resources.teleport.dev
spec:
group: resources.teleport.dev
names:
kind: TeleportGithubConnector
listKind: TeleportGithubConnectorList
plural: teleportgithubconnectors
shortNames:
- githubconnector
- githubconnectors
singular: teleportgithubconnector
scope: Namespaced
versions:
- name: v3
schema:
openAPIV3Schema:
description: GithubConnector is the Schema for the githubconnectors API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: GithubConnector resource definition v3 from Teleport
properties:
api_endpoint_url:
description: APIEndpointURL is the URL of the API endpoint of the
Github instance this connector is for.
type: string
client_id:
description: ClientID is the Github OAuth app client ID.
type: string
client_secret:
description: ClientSecret is the Github OAuth app client secret.
type: string
display:
description: Display is the connector display name.
type: string
endpoint_url:
description: EndpointURL is the URL of the GitHub instance this connector
is for.
type: string
redirect_url:
description: RedirectURL is the authorization callback URL.
type: string
teams_to_roles:
description: TeamsToRoles maps Github team memberships onto allowed
roles.
items:
properties:
organization:
description: Organization is a Github organization a user belongs
to.
type: string
roles:
description: Roles is a list of allowed logins for this org/team.
items:
type: string
nullable: true
type: array
team:
description: Team is a team within the organization a user belongs
to.
type: string
type: object
type: array
type: object
status:
description: TeleportGithubConnectorStatus defines the observed state
of TeleportGithubConnector
properties:
conditions:
description: Conditions represent the latest available observations
of an object's state
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
\n type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
teleportResourceID:
format: int64
type: integer
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null


@ -1,145 +0,0 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
creationTimestamp: null
name: teleportloginrules.resources.teleport.dev
spec:
group: resources.teleport.dev
names:
kind: TeleportLoginRule
listKind: TeleportLoginRuleList
plural: teleportloginrules
shortNames:
- loginrule
- loginrules
singular: teleportloginrule
scope: Namespaced
versions:
- name: v1
schema:
openAPIV3Schema:
description: LoginRule is the Schema for the loginrules API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: LoginRule resource definition v1 from Teleport
properties:
priority:
description: Priority is the priority of the login rule relative to
other login rules in the same cluster. Login rules with a lower
numbered priority will be evaluated first.
format: int32
type: integer
traits_expression:
description: TraitsExpression is a predicate expression which should
return the desired traits for the user upon login.
type: string
traits_map:
additionalProperties:
items:
type: string
type: array
description: TraitsMap is a map of trait keys to lists of predicate
expressions which should evaluate to the desired values for that
trait.
nullable: true
type: object
type: object
status:
properties:
conditions:
description: Conditions represent the latest available observations
of an object's state
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
\n type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
teleportResourceID:
format: int64
type: integer
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null


@ -1,213 +0,0 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
creationTimestamp: null
name: teleportoidcconnectors.resources.teleport.dev
spec:
group: resources.teleport.dev
names:
kind: TeleportOIDCConnector
listKind: TeleportOIDCConnectorList
plural: teleportoidcconnectors
shortNames:
- oidcconnector
- oidcconnectors
singular: teleportoidcconnector
scope: Namespaced
versions:
- name: v3
schema:
openAPIV3Schema:
description: OIDCConnector is the Schema for the oidcconnectors API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: OIDCConnector resource definition v3 from Teleport
properties:
acr_values:
description: ACR is an Authentication Context Class Reference value.
The meaning of the ACR value is context-specific and varies for
identity providers.
type: string
allow_unverified_email:
description: AllowUnverifiedEmail tells the connector to accept OIDC
users with unverified emails.
type: boolean
claims_to_roles:
description: ClaimsToRoles specifies a dynamic mapping from claims
to roles.
items:
properties:
claim:
description: Claim is a claim name.
type: string
roles:
description: Roles is a list of static teleport roles to match.
items:
type: string
nullable: true
type: array
value:
description: Value is a claim value to match.
type: string
type: object
type: array
client_id:
description: ClientID is the id of the authentication client (Teleport
Auth server).
type: string
client_secret:
description: ClientSecret is used to authenticate the client.
type: string
display:
description: Display is the friendly name for this provider.
type: string
google_admin_email:
description: GoogleAdminEmail is the email of a google admin to impersonate.
type: string
google_service_account:
description: GoogleServiceAccount is a string containing google service
account credentials.
type: string
google_service_account_uri:
description: GoogleServiceAccountURI is a path to a google service
account uri.
type: string
issuer_url:
description: IssuerURL is the endpoint of the provider, e.g. https://accounts.google.com.
type: string
max_age:
description: MaxAge is the amount of time that user logins are valid
for. If a user logs in, but then does not login again within this
time period, they will be forced to re-authenticate.
format: duration
type: string
prompt:
description: Prompt is an optional OIDC prompt. An empty string omits
prompt. If not specified, it defaults to select_account for backwards
compatibility.
type: string
provider:
description: Provider is the external identity provider.
type: string
redirect_url:
description: RedirectURLs is a list of callback URLs which the identity
provider can use to redirect the client back to the Teleport Proxy
to complete authentication. This list should match the URLs on the
provider's side. The URL used for a given auth request will be chosen
to match the requesting Proxy's public address. If there is no match,
the first url in the list will be used.
items:
type: string
type: array
scope:
description: Scope specifies additional scopes set by provider.
items:
type: string
nullable: true
type: array
username_claim:
description: UsernameClaim specifies the name of the claim from the
OIDC connector to be used as the user's username.
type: string
type: object
status:
description: TeleportOIDCConnectorStatus defines the observed state of
TeleportOIDCConnector
properties:
conditions:
description: Conditions represent the latest available observations
of an object's state
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
\n type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
teleportResourceID:
format: int64
type: integer
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null


@ -1,183 +0,0 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
creationTimestamp: null
name: teleportoktaimportrules.resources.teleport.dev
spec:
group: resources.teleport.dev
names:
kind: TeleportOktaImportRule
listKind: TeleportOktaImportRuleList
plural: teleportoktaimportrules
shortNames:
- oktaimportrule
- oktaimportrules
singular: teleportoktaimportrule
scope: Namespaced
versions:
- name: v1
schema:
openAPIV3Schema:
description: OktaImportRule is the Schema for the oktaimportrules API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: OktaImportRule resource definition v1 from Teleport
properties:
mappings:
description: Mappings is a list of matches that will map match conditions
to labels.
items:
properties:
add_labels:
description: AddLabels specifies which labels to add if any
of the previous matches match.
nullable: true
properties:
key:
type: string
value:
type: string
type: object
match:
description: Match is a set of matching rules for this mapping.
If any of these match, then the mapping will be applied.
items:
properties:
app_ids:
description: AppIDs is a list of app IDs to match against.
items:
type: string
nullable: true
type: array
app_name_regexes:
description: AppNameRegexes is a list of regexes to match
against app names.
items:
type: string
nullable: true
type: array
group_ids:
description: GroupIDs is a list of group IDs to match
against.
items:
type: string
nullable: true
type: array
group_name_regexes:
description: GroupNameRegexes is a list of regexes to
match against group names.
items:
type: string
nullable: true
type: array
type: object
nullable: true
type: array
type: object
nullable: true
type: array
priority:
description: Priority represents the priority of the rule application.
Lower numbered rules will be applied first.
format: int32
type: integer
type: object
status:
properties:
conditions:
description: Conditions represent the latest available observations
of an object's state
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
\n type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
teleportResourceID:
format: int64
type: integer
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null


@ -1,210 +0,0 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
creationTimestamp: null
name: teleportsamlconnectors.resources.teleport.dev
spec:
group: resources.teleport.dev
names:
kind: TeleportSAMLConnector
listKind: TeleportSAMLConnectorList
plural: teleportsamlconnectors
shortNames:
- samlconnector
- samlconnectors
singular: teleportsamlconnector
scope: Namespaced
versions:
- name: v2
schema:
openAPIV3Schema:
description: SAMLConnector is the Schema for the samlconnectors API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: SAMLConnector resource definition v2 from Teleport
properties:
acs:
description: AssertionConsumerService is a URL for assertion consumer
service on the service provider (Teleport's side).
type: string
allow_idp_initiated:
description: AllowIDPInitiated is a flag that indicates if the connector
can be used for IdP-initiated logins.
type: boolean
assertion_key_pair:
description: EncryptionKeyPair is a key pair used for decrypting SAML
assertions.
nullable: true
properties:
cert:
description: Cert is a PEM-encoded x509 certificate.
type: string
private_key:
description: PrivateKey is a PEM encoded x509 private key.
type: string
type: object
attributes_to_roles:
description: AttributesToRoles is a list of mappings of attribute
statements to roles.
items:
properties:
name:
description: Name is an attribute statement name.
type: string
roles:
description: Roles is a list of static teleport roles to map
to.
items:
type: string
nullable: true
type: array
value:
description: Value is an attribute statement value to match.
type: string
type: object
type: array
audience:
description: Audience uniquely identifies our service provider.
type: string
cert:
description: Cert is the identity provider certificate PEM. IDP signs
<Response> responses using this certificate.
type: string
display:
description: Display controls how this connector is displayed.
type: string
entity_descriptor:
description: EntityDescriptor is XML with descriptor. It can be used
to supply configuration parameters in one XML file rather than supplying
them in the individual elements.
type: string
entity_descriptor_url:
description: EntityDescriptorURL is a URL that supplies a configuration
XML.
type: string
issuer:
description: Issuer is the identity provider issuer.
type: string
provider:
description: Provider is the external identity provider.
type: string
service_provider_issuer:
description: ServiceProviderIssuer is the issuer of the service provider
(Teleport).
type: string
signing_key_pair:
description: SigningKeyPair is an x509 key pair used to sign AuthnRequest.
nullable: true
properties:
cert:
description: Cert is a PEM-encoded x509 certificate.
type: string
private_key:
description: PrivateKey is a PEM encoded x509 private key.
type: string
type: object
sso:
description: SSO is the URL of the identity provider's SSO service.
type: string
type: object
status:
description: TeleportSAMLConnectorStatus defines the observed state of
TeleportSAMLConnector
properties:
conditions:
description: Conditions represent the latest available observations
of an object's state
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
\n type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
teleportResourceID:
format: int64
type: integer
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null


@ -1,195 +0,0 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
creationTimestamp: null
name: teleportusers.resources.teleport.dev
spec:
group: resources.teleport.dev
names:
kind: TeleportUser
listKind: TeleportUserList
plural: teleportusers
shortNames:
- user
- users
singular: teleportuser
scope: Namespaced
versions:
- name: v2
schema:
openAPIV3Schema:
description: User is the Schema for the users API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: User resource definition v2 from Teleport
properties:
github_identities:
description: GithubIdentities list associated Github OAuth2 identities
that let user log in using externally verified identity
items:
properties:
connector_id:
description: ConnectorID is id of registered OIDC connector,
e.g. 'google-example.com'
type: string
username:
description: Username is username supplied by external identity
provider
type: string
type: object
type: array
oidc_identities:
description: OIDCIdentities lists associated OpenID Connect identities
that let user log in using externally verified identity
items:
properties:
connector_id:
description: ConnectorID is id of registered OIDC connector,
e.g. 'google-example.com'
type: string
username:
description: Username is username supplied by external identity
provider
type: string
type: object
type: array
roles:
description: Roles is a list of roles assigned to user
items:
type: string
nullable: true
type: array
saml_identities:
description: SAMLIdentities lists associated SAML identities that
let user log in using externally verified identity
items:
properties:
connector_id:
description: ConnectorID is id of registered OIDC connector,
e.g. 'google-example.com'
type: string
username:
description: Username is username supplied by external identity
provider
type: string
type: object
type: array
traits:
additionalProperties:
items:
type: string
type: array
description: Traits are key/value pairs received from an identity
provider (through OIDC claims or SAML assertions) or from a system
administrator for local accounts. Traits are used to populate role
variables.
type: object
trusted_device_ids:
description: TrustedDeviceIDs contains the IDs of trusted devices
enrolled by the user. Managed by the Device Trust subsystem, avoid
manual edits.
items:
type: string
nullable: true
type: array
type: object
status:
description: TeleportUserStatus defines the observed state of TeleportUser
properties:
conditions:
description: Conditions represent the latest available observations
of an object's state
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
\n type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
teleportResourceID:
format: int64
type: integer
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null


@ -1,35 +0,0 @@
{{- if .Values.highAvailability.certManager.enabled }}
You have enabled cert-manager support in high availability mode.
There may be a short delay before Teleport pods start while an ACME certificate is issued.
You can check the status of the certificate with `kubectl -n {{ .Release.Namespace }} describe certificate/{{ .Release.Name }}`
NOTE: For certificates to be provisioned, you must also install cert-manager (https://cert-manager.io/docs/) and configure an appropriate
Issuer with access to your DNS provider to handle DNS01 challenges (https://cert-manager.io/docs/configuration/acme/dns01/#supported-dns01-providers)
For more information, please see the Helm guides in the Teleport docs (https://goteleport.com/docs/kubernetes-access/helm/guides/)
{{- end }}
{{- if and .Values.podSecurityPolicy.enabled (semverCompare "<1.23.0-0" .Capabilities.KubeVersion.Version) }}
SECURITY WARNING: Kubernetes 1.25 removes PodSecurityPolicy support and Helm
doesn't support upgrading from 1.24 to 1.25 with PSPs enabled. Since version 12
the `teleport-cluster` chart doesn't deploy PSPs on Kubernetes 1.23 or older.
Instead, we recommend you to configure Pod Security AdmissionControllers for
the namespace "{{.Release.Namespace}}" by adding the label
`pod-security.kubernetes.io/enforce: baseline` on the namespace resource.
See https://goteleport.com/docs/deploy-a-cluster/helm-deployments/migration-kubernetes-1-25-psp/
To remove this warning, explicitly set "podSecurityPolicy.enabled=false".
{{- end }}
{{- if .Values.teleportVersionOverride }}
DANGER: `teleportVersionOverride` MUST NOT be used to control the Teleport version.
This chart is designed to run Teleport version {{ .Chart.AppVersion }}.
You will face compatibility issues trying to run a different Teleport version with it.
If you want to run Teleport version {{.Values.teleportVersionOverride}},
you should use `helm --version {{.Values.teleportVersionOverride}}` instead.
{{- end }}


@ -1,91 +0,0 @@
{{/*
Create the name of the service account to use
if serviceAccount is not defined or serviceAccount.name is empty, use .Release.Name
*/}}
{{- define "teleport-cluster.auth.serviceAccountName" -}}
{{- coalesce .Values.serviceAccount.name .Release.Name -}}
{{- end -}}
{{- define "teleport-cluster.proxy.serviceAccountName" -}}
{{- coalesce .Values.serviceAccount.name .Release.Name -}}-proxy
{{- end -}}
{{- define "teleport-cluster.version" -}}
{{- coalesce .Values.teleportVersionOverride .Chart.Version }}
{{- end -}}
{{- define "teleport-cluster.majorVersion" -}}
{{- (semver (include "teleport-cluster.version" .)).Major -}}
{{- end -}}
{{- define "teleport-cluster.previousMajorVersion" -}}
{{- sub (include "teleport-cluster.majorVersion" . | atoi ) 1 -}}
{{- end -}}
{{/* Proxy selector labels */}}
{{- define "teleport-cluster.proxy.selectorLabels" -}}
app.kubernetes.io/name: '{{ default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}'
app.kubernetes.io/instance: '{{ .Release.Name }}'
app.kubernetes.io/component: 'proxy'
{{- end -}}
{{/* Proxy all labels */}}
{{- define "teleport-cluster.proxy.labels" -}}
{{ include "teleport-cluster.proxy.selectorLabels" . }}
helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
app.kubernetes.io/managed-by: '{{ .Release.Service }}'
app.kubernetes.io/version: '{{ include "teleport-cluster.version" . }}'
teleport.dev/majorVersion: '{{ include "teleport-cluster.majorVersion" . }}'
{{- end -}}
{{/* Auth pods selector labels */}}
{{- define "teleport-cluster.auth.selectorLabels" -}}
app.kubernetes.io/name: '{{ default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}'
app.kubernetes.io/instance: '{{ .Release.Name }}'
app.kubernetes.io/component: 'auth'
{{- end -}}
{{/* All pods all labels */}}
{{- define "teleport-cluster.labels" -}}
{{ include "teleport-cluster.selectorLabels" . }}
helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
app.kubernetes.io/managed-by: '{{ .Release.Service }}'
app.kubernetes.io/version: '{{ include "teleport-cluster.version" . }}'
teleport.dev/majorVersion: '{{ include "teleport-cluster.majorVersion" . }}'
{{- end -}}
{{/* All pods selector labels */}}
{{- define "teleport-cluster.selectorLabels" -}}
app.kubernetes.io/name: '{{ default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}'
app.kubernetes.io/instance: '{{ .Release.Name }}'
{{- end -}}
{{/* Auth pods all labels */}}
{{- define "teleport-cluster.auth.labels" -}}
{{ include "teleport-cluster.auth.selectorLabels" . }}
helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
app.kubernetes.io/managed-by: '{{ .Release.Service }}'
app.kubernetes.io/version: '{{ include "teleport-cluster.version" . }}'
teleport.dev/majorVersion: '{{ include "teleport-cluster.majorVersion" . }}'
{{- end -}}
{{/* ServiceNames are limited to 63 characters, we might have to truncate the ReleaseName
to make sure the auth serviceName won't exceed this limit */}}
{{- define "teleport-cluster.auth.serviceName" -}}
{{- .Release.Name | trunc 58 | trimSuffix "-" -}}-auth
{{- end -}}
{{- define "teleport-cluster.auth.currentVersionServiceName" -}}
{{- .Release.Name | trunc 54 | trimSuffix "-" -}}-auth-v{{ include "teleport-cluster.majorVersion" . }}
{{- end -}}
{{- define "teleport-cluster.auth.previousVersionServiceName" -}}
{{- .Release.Name | trunc 54 | trimSuffix "-" -}}-auth-v{{ include "teleport-cluster.previousMajorVersion" . }}
{{- end -}}
{{/* In most places we want to use the FQDN instead of relying on Kubernetes ndots behaviour
for performance reasons */}}
{{- define "teleport-cluster.auth.serviceFQDN" -}}
{{ include "teleport-cluster.auth.serviceName" . }}.{{ .Release.Namespace }}.svc.cluster.local
{{- end -}}


@ -1,26 +0,0 @@
{{- define "teleport-cluster.auth.config.aws" -}}
{{ include "teleport-cluster.auth.config.common" . }}
storage:
type: dynamodb
region: {{ required "aws.region is required in chart values" .Values.aws.region }}
table_name: {{ required "aws.backendTable is required in chart values" .Values.aws.backendTable }}
{{- if .Values.aws.auditLogMirrorOnStdout }}
audit_events_uri: ['dynamodb://{{ required "aws.auditLogTable is required in chart values" .Values.aws.auditLogTable }}', 'stdout://']
{{- else }}
audit_events_uri: ['dynamodb://{{ required "aws.auditLogTable is required in chart values" .Values.aws.auditLogTable }}']
{{- end }}
audit_sessions_uri: s3://{{ required "aws.sessionRecordingBucket is required in chart values" .Values.aws.sessionRecordingBucket }}
continuous_backups: {{ required "aws.backups is required in chart values" .Values.aws.backups }}
{{- if .Values.aws.dynamoAutoScaling }}
auto_scaling: true
billing_mode: provisioned
read_min_capacity: {{ required "aws.readMinCapacity is required when aws.dynamoAutoScaling is true" .Values.aws.readMinCapacity }}
read_max_capacity: {{ required "aws.readMaxCapacity is required when aws.dynamoAutoScaling is true" .Values.aws.readMaxCapacity }}
read_target_value: {{ required "aws.readTargetValue is required when aws.dynamoAutoScaling is true" .Values.aws.readTargetValue }}
write_min_capacity: {{ required "aws.writeMinCapacity is required when aws.dynamoAutoScaling is true" .Values.aws.writeMinCapacity }}
write_max_capacity: {{ required "aws.writeMaxCapacity is required when aws.dynamoAutoScaling is true" .Values.aws.writeMaxCapacity }}
write_target_value: {{ required "aws.writeTargetValue is required when aws.dynamoAutoScaling is true" .Values.aws.writeTargetValue }}
{{- else }}
auto_scaling: false
{{- end }}
{{- end -}}


@ -1,38 +0,0 @@
{{/* Helper to build the database connection string, adds paraneters if needed */}}
{{- define "teleport-cluster.auth.config.azure.conn_string.query" }}
{{- if .Values.azure.databasePoolMaxConnections -}}
{{- printf "sslmode=verify-full&pool_max_conns=%v" .Values.azure.databasePoolMaxConnections -}}
{{- else -}}
sslmode=verify-full
{{- end -}}
{{- end -}}
{{- define "teleport-cluster.auth.config.azure" -}}
{{ include "teleport-cluster.auth.config.common" . }}
storage:
type: postgresql
auth_mode: azure
conn_string: {{ urlJoin (dict
"scheme" "postgresql"
"userinfo" .Values.azure.databaseUser
"host" .Values.azure.databaseHost
"path" .Values.azure.backendDatabase
"query" (include "teleport-cluster.auth.config.azure.conn_string.query" .)
) | toYaml }}
audit_sessions_uri: {{ urlJoin (dict
"scheme" "azblob"
"host" .Values.azure.sessionRecordingStorageAccount
) | toYaml }}
audit_events_uri:
- {{ urlJoin (dict
"scheme" "postgresql"
"userinfo" .Values.azure.databaseUser
"host" .Values.azure.databaseHost
"path" .Values.azure.auditLogDatabase
"query" "sslmode=verify-full"
"fragment" "auth_mode=azure"
) | toYaml }}
{{- if .Values.azure.auditLogMirrorOnStdout }}
- "stdout://"
{{- end }}
{{- end -}}


@ -1,65 +0,0 @@
{{- define "teleport-cluster.auth.config.common" -}}
{{- $authentication := mustMergeOverwrite .Values.authentication (default dict .Values.authenticationSecondFactor) -}}
{{- $logLevel := (coalesce .Values.logLevel .Values.log.level "INFO") -}}
version: v3
kubernetes_service:
enabled: true
listen_addr: 0.0.0.0:3026
public_addr: "{{ include "teleport-cluster.auth.serviceFQDN" . }}:3026"
{{- if .Values.kubeClusterName }}
kube_cluster_name: {{ .Values.kubeClusterName }}
{{- else }}
kube_cluster_name: {{ .Values.clusterName }}
{{- end }}
{{- if .Values.labels }}
labels: {{- toYaml .Values.labels | nindent 8 }}
{{- end }}
proxy_service:
enabled: false
ssh_service:
enabled: false
auth_service:
enabled: true
cluster_name: {{ required "clusterName is required in chart values" .Values.clusterName }}
{{- if .Values.enterprise }}
license_file: '/var/lib/license/license.pem'
{{- end }}
authentication:
type: "{{ required "authentication.type is required in chart values" (coalesce .Values.authenticationType $authentication.type) }}"
local_auth: {{ $authentication.localAuth }}
{{- if $authentication.connectorName }}
connector_name: "{{ $authentication.connectorName }}"
{{- end }}
{{- if $authentication.lockingMode }}
locking_mode: "{{ $authentication.lockingMode }}"
{{- end }}
{{- if $authentication.secondFactor }}
second_factor: "{{ $authentication.secondFactor }}"
{{- if not (or (eq $authentication.secondFactor "off") (eq $authentication.secondFactor "otp")) }}
webauthn:
rp_id: {{ required "clusterName is required in chart values" .Values.clusterName }}
{{- if $authentication.webauthn }}
{{- if $authentication.webauthn.attestationAllowedCas }}
attestation_allowed_cas: {{- toYaml $authentication.webauthn.attestationAllowedCas | nindent 12 }}
{{- end }}
{{- if $authentication.webauthn.attestationDeniedCas }}
attestation_denied_cas: {{- toYaml $authentication.webauthn.attestationDeniedCas | nindent 12 }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.sessionRecording }}
session_recording: {{ .Values.sessionRecording }}
{{- end }}
{{- if .Values.proxyListenerMode }}
proxy_listener_mode: {{ .Values.proxyListenerMode }}
{{- end }}
teleport:
auth_server: 127.0.0.1:3025
log:
severity: {{ $logLevel }}
output: {{ .Values.log.output }}
format:
output: {{ .Values.log.format }}
extra_fields: {{ .Values.log.extraFields | toJson }}
{{- end -}}


@ -1,16 +0,0 @@
{{- define "teleport-cluster.auth.config.gcp" -}}
{{ include "teleport-cluster.auth.config.common" . }}
storage:
type: firestore
project_id: {{ required "gcp.projectId is required in chart values" .Values.gcp.projectId }}
collection_name: {{ required "gcp.backendTable is required in chart values" .Values.gcp.backendTable }}
{{- if .Values.gcp.credentialSecretName }}
credentials_path: /etc/teleport-secrets/gcp-credentials.json
{{- end }}
{{- if .Values.gcp.auditLogMirrorOnStdout }}
audit_events_uri: ['firestore://{{ required "gcp.auditLogTable is required in chart values" .Values.gcp.auditLogTable }}?projectID={{ required "gcp.projectId is required in chart values" .Values.gcp.projectId }}{{ empty .Values.gcp.credentialSecretName | ternary "" "&credentialsPath=/etc/teleport-secrets/gcp-credentials.json"}}', 'stdout://']
{{- else }}
audit_events_uri: ['firestore://{{ required "gcp.auditLogTable is required in chart values" .Values.gcp.auditLogTable }}?projectID={{ required "gcp.projectId is required in chart values" .Values.gcp.projectId }}{{ empty .Values.gcp.credentialSecretName | ternary "" "&credentialsPath=/etc/teleport-secrets/gcp-credentials.json"}}']
{{- end }}
audit_sessions_uri: "gs://{{ required "gcp.sessionRecordingBucket is required in chart values" .Values.gcp.sessionRecordingBucket }}?projectID={{ required "gcp.projectId is required in chart values" .Values.gcp.projectId }}{{ empty .Values.gcp.credentialSecretName | ternary "" "&credentialsPath=/etc/teleport-secrets/gcp-credentials.json"}}"
{{- end -}}


@ -1,12 +0,0 @@
{{- define "teleport-cluster.auth.config.scratch" -}}
proxy_service:
enabled: false
ssh_service:
enabled: false
auth_service:
enabled: true
{{- end -}}
{{- define "teleport-cluster.auth.config.custom" -}}
{{ fail "'custom' mode has been removed with chart v12 because of the proxy/auth split breaking change, see https://goteleport.com/docs/deploy-a-cluster/helm-deployments/migration-v12/" }}
{{- end -}}


@ -1,3 +0,0 @@
{{- define "teleport-cluster.auth.config.standalone" -}}
{{ include "teleport-cluster.auth.config.common" . }}
{{- end -}}
