From b76e232ac27609323d2512b5f39c61486b198f9d Mon Sep 17 00:00:00 2001 
From: Jonny Ervine Date: Thu, 15 Aug 2024 22:45:43 +0800 Subject: [PATCH] Add teleport agent update --- .../.lint/affinity.yaml | 24 + teleport-kube-agent-13.3.8/.lint/all-v6.yaml | 27 + .../.lint/annotations.yaml | 20 + .../.lint/aws-databases.yaml | 15 + .../.lint/azure-databases.yaml | 26 + .../.lint/backwards-compatibility.yaml | 3 + teleport-kube-agent-13.3.8/.lint/ca-pin.yaml | 5 + .../.lint/clusterrole.yaml | 7 + teleport-kube-agent-13.3.8/.lint/db.yaml | 9 + .../.lint/dnsconfig.yaml | 15 + .../.lint/dynamic-app.yaml | 6 + .../.lint/dynamic-db.yaml | 6 + .../.lint/existing-data-volume.yaml | 5 + .../.lint/existing-tls-secret-with-ca.yaml | 6 + .../.lint/extra-args.yaml | 5 + .../.lint/extra-env.yaml | 7 + .../.lint/extra-labels.yaml | 37 + .../.lint/host-aliases.yaml | 11 + .../.lint/image-pull-policy-stateful.yaml | 7 + .../.lint/image-pull-policy.yaml | 5 + .../.lint/imagepullsecrets.yaml | 7 + .../.lint/initcontainers.yaml | 17 + .../.lint/join-params-iam.yaml | 5 + .../.lint/join-params-token.yaml | 5 + .../.lint/log-basic.yaml | 6 + .../.lint/log-extra.yaml | 8 + .../.lint/log-legacy.yaml | 4 + .../.lint/node-selector.yaml | 5 + teleport-kube-agent-13.3.8/.lint/pdb.yaml | 7 + .../.lint/podmonitor.yaml | 7 + .../.lint/priority-class-name.yaml | 4 + .../.lint/probe-timeout-seconds.yaml | 7 + .../.lint/resources.yaml | 13 + .../.lint/security-context-empty.yaml | 6 + .../.lint/service-account-name.yaml | 5 + .../.lint/stateful.yaml | 6 + .../.lint/tolerations.yaml | 13 + teleport-kube-agent-13.3.8/.lint/updater.yaml | 6 + teleport-kube-agent-13.3.8/.lint/v10.yaml | 5 + teleport-kube-agent-13.3.8/.lint/v11.yaml | 5 + teleport-kube-agent-13.3.8/.lint/volumes.yaml | 11 + teleport-kube-agent-13.3.8/Chart.yaml | 9 + teleport-kube-agent-13.3.8/README.md | 245 ++ .../aws-and-manual-db.yaml | 21 + .../templates/NOTES.txt | 53 + .../templates/_config.tpl | 116 + .../templates/_helpers.tpl | 46 + .../templates/admin_clusterrolebinding.yaml | 24 + 
.../templates/clusterrole.yaml | 31 + .../templates/clusterrolebinding.yaml | 18 + .../templates/config.yaml | 16 + .../templates/delete_hook.yaml | 95 + .../templates/deployment.yaml | 216 ++ .../templates/hook.yaml | 97 + teleport-kube-agent-13.3.8/templates/pdb.yaml | 21 + .../templates/podmonitor.yaml | 31 + teleport-kube-agent-13.3.8/templates/psp.yaml | 70 + .../templates/role.yaml | 14 + .../templates/rolebinding.yaml | 17 + .../templates/secret.yaml | 19 + .../templates/serviceaccount.yaml | 15 + .../templates/statefulset.yaml | 239 ++ .../templates/updater/_helpers.tpl | 7 + .../templates/updater/deployment.yaml | 113 + .../templates/updater/role.yaml | 95 + .../templates/updater/rolebinding.yaml | 22 + .../templates/updater/serviceaccount.yaml | 16 + teleport-kube-agent-13.3.8/tests/README.md | 23 + .../admin_clusterrolebinding_test.yaml.snap | 28 + .../__snapshot__/clusterrole_test.yaml.snap | 57 + .../clusterrolebinding_test.yaml.snap | 31 + .../tests/__snapshot__/config_test.yaml.snap | 1130 ++++++++ .../__snapshot__/deployment_test.yaml.snap | 1950 +++++++++++++ .../tests/__snapshot__/job_test.yaml.snap | 205 ++ .../tests/__snapshot__/pdb_test.yaml.snap | 30 + .../tests/__snapshot__/psp_test.yaml.snap | 123 + .../tests/__snapshot__/role_test.yaml.snap | 37 + .../__snapshot__/rolebinding_test.yaml.snap | 33 + .../tests/__snapshot__/secret_test.yaml.snap | 82 + .../serviceaccount_test.yaml.snap | 20 + .../__snapshot__/statefulset_test.yaml.snap | 2490 +++++++++++++++++ .../updater_deployment_test.yaml.snap | 117 + .../__snapshot__/updater_role_test.yaml.snap | 76 + .../tests/admin_clusterrolebinding_test.yaml | 35 + .../tests/clusterrole_test.yaml | 23 + .../tests/clusterrolebinding_test.yaml | 23 + .../tests/config_test.yaml | 291 ++ .../tests/deployment_test.yaml | 687 +++++ .../tests/job_test.yaml | 208 ++ .../tests/pdb_test.yaml | 26 + .../tests/podmonitor_test.yaml | 43 + .../tests/psp_test.yaml | 55 + .../tests/role_test.yaml | 34 + 
.../tests/rolebinding_test.yaml | 34 + .../tests/secret_test.yaml | 101 + .../tests/serviceaccount_test.yaml | 33 + .../tests/statefulset_test.yaml | 721 +++++ .../tests/updater_deployment_test.yaml | 227 ++ .../tests/updater_role_test.yaml | 39 + .../tests/updater_rolebinding_test.yaml | 49 + .../values-home.yaml | 0 teleport-kube-agent-13.3.8/values.schema.json | 647 +++++ teleport-kube-agent-13.3.8/values.yaml | 452 +++ teleport-kube-agent/.lint/all-v6.yaml | 5 +- .../.lint/app-discovery-full.yaml | 11 + .../.lint/app-discovery-minimal.yaml | 4 + .../.lint/extra-containers.yaml | 15 + teleport-kube-agent/.lint/extra-labels.yaml | 3 + .../.lint/jamf-service-existing-secret.yaml | 8 + teleport-kube-agent/.lint/jamf-service.yaml | 6 + .../.lint/updater-secret-docker.yaml | 23 + teleport-kube-agent/Chart.yaml | 6 +- teleport-kube-agent/README.md | 114 +- teleport-kube-agent/templates/NOTES.txt | 2 +- teleport-kube-agent/templates/_config.tpl | 61 +- teleport-kube-agent/templates/_helpers.tpl | 6 +- .../templates/clusterrole.yaml | 8 + .../templates/delete_hook.yaml | 18 +- teleport-kube-agent/templates/deployment.yaml | 27 + teleport-kube-agent/templates/role.yaml | 2 +- teleport-kube-agent/templates/secret.yaml | 20 + .../templates/statefulset.yaml | 25 +- .../templates/updater/deployment.yaml | 37 +- .../__snapshot__/clusterrole_test.yaml.snap | 60 + .../tests/__snapshot__/config_test.yaml.snap | 318 +++ .../__snapshot__/deployment_test.yaml.snap | 508 +++- .../tests/__snapshot__/job_test.yaml.snap | 54 +- .../tests/__snapshot__/secret_test.yaml.snap | 10 + .../__snapshot__/statefulset_test.yaml.snap | 436 ++- .../updater_deployment_test.yaml.snap | 12 +- .../tests/clusterrole_test.yaml | 20 + teleport-kube-agent/tests/config_test.yaml | 40 + .../tests/deployment_test.yaml | 188 +- teleport-kube-agent/tests/job_test.yaml | 79 +- teleport-kube-agent/tests/role_test.yaml | 2 +- .../tests/rolebinding_test.yaml | 2 +- teleport-kube-agent/tests/secret_test.yaml | 19 + 
.../tests/statefulset_test.yaml | 148 +- .../tests/updater_deployment_test.yaml | 62 + .../tests/updater_rolebinding_test.yaml | 2 +- teleport-kube-agent/values.schema.json | 135 + teleport-kube-agent/values.ubuntu.yaml | 6 + teleport-kube-agent/values.yaml | 1305 +++++++-- 143 files changed, 15355 insertions(+), 676 deletions(-) create mode 100644 teleport-kube-agent-13.3.8/.lint/affinity.yaml create mode 100644 teleport-kube-agent-13.3.8/.lint/all-v6.yaml create mode 100644 teleport-kube-agent-13.3.8/.lint/annotations.yaml create mode 100644 teleport-kube-agent-13.3.8/.lint/aws-databases.yaml create mode 100644 teleport-kube-agent-13.3.8/.lint/azure-databases.yaml create mode 100644 teleport-kube-agent-13.3.8/.lint/backwards-compatibility.yaml create mode 100644 teleport-kube-agent-13.3.8/.lint/ca-pin.yaml create mode 100644 teleport-kube-agent-13.3.8/.lint/clusterrole.yaml create mode 100644 teleport-kube-agent-13.3.8/.lint/db.yaml create mode 100644 teleport-kube-agent-13.3.8/.lint/dnsconfig.yaml create mode 100644 teleport-kube-agent-13.3.8/.lint/dynamic-app.yaml create mode 100644 teleport-kube-agent-13.3.8/.lint/dynamic-db.yaml create mode 100644 teleport-kube-agent-13.3.8/.lint/existing-data-volume.yaml create mode 100644 teleport-kube-agent-13.3.8/.lint/existing-tls-secret-with-ca.yaml create mode 100644 teleport-kube-agent-13.3.8/.lint/extra-args.yaml create mode 100644 teleport-kube-agent-13.3.8/.lint/extra-env.yaml create mode 100644 teleport-kube-agent-13.3.8/.lint/extra-labels.yaml create mode 100644 teleport-kube-agent-13.3.8/.lint/host-aliases.yaml create mode 100644 teleport-kube-agent-13.3.8/.lint/image-pull-policy-stateful.yaml create mode 100644 teleport-kube-agent-13.3.8/.lint/image-pull-policy.yaml create mode 100644 teleport-kube-agent-13.3.8/.lint/imagepullsecrets.yaml create mode 100644 teleport-kube-agent-13.3.8/.lint/initcontainers.yaml create mode 100644 teleport-kube-agent-13.3.8/.lint/join-params-iam.yaml create mode 100644 
teleport-kube-agent-13.3.8/.lint/join-params-token.yaml create mode 100644 teleport-kube-agent-13.3.8/.lint/log-basic.yaml create mode 100644 teleport-kube-agent-13.3.8/.lint/log-extra.yaml create mode 100644 teleport-kube-agent-13.3.8/.lint/log-legacy.yaml create mode 100644 teleport-kube-agent-13.3.8/.lint/node-selector.yaml create mode 100644 teleport-kube-agent-13.3.8/.lint/pdb.yaml create mode 100644 teleport-kube-agent-13.3.8/.lint/podmonitor.yaml create mode 100644 teleport-kube-agent-13.3.8/.lint/priority-class-name.yaml create mode 100644 teleport-kube-agent-13.3.8/.lint/probe-timeout-seconds.yaml create mode 100644 teleport-kube-agent-13.3.8/.lint/resources.yaml create mode 100644 teleport-kube-agent-13.3.8/.lint/security-context-empty.yaml create mode 100644 teleport-kube-agent-13.3.8/.lint/service-account-name.yaml create mode 100644 teleport-kube-agent-13.3.8/.lint/stateful.yaml create mode 100644 teleport-kube-agent-13.3.8/.lint/tolerations.yaml create mode 100644 teleport-kube-agent-13.3.8/.lint/updater.yaml create mode 100644 teleport-kube-agent-13.3.8/.lint/v10.yaml create mode 100644 teleport-kube-agent-13.3.8/.lint/v11.yaml create mode 100644 teleport-kube-agent-13.3.8/.lint/volumes.yaml create mode 100644 teleport-kube-agent-13.3.8/Chart.yaml create mode 100644 teleport-kube-agent-13.3.8/README.md create mode 100644 teleport-kube-agent-13.3.8/aws-and-manual-db.yaml create mode 100644 teleport-kube-agent-13.3.8/templates/NOTES.txt create mode 100644 teleport-kube-agent-13.3.8/templates/_config.tpl create mode 100644 teleport-kube-agent-13.3.8/templates/_helpers.tpl create mode 100644 teleport-kube-agent-13.3.8/templates/admin_clusterrolebinding.yaml create mode 100644 teleport-kube-agent-13.3.8/templates/clusterrole.yaml create mode 100644 teleport-kube-agent-13.3.8/templates/clusterrolebinding.yaml create mode 100644 teleport-kube-agent-13.3.8/templates/config.yaml create mode 100644 teleport-kube-agent-13.3.8/templates/delete_hook.yaml create 
mode 100644 teleport-kube-agent-13.3.8/templates/deployment.yaml create mode 100644 teleport-kube-agent-13.3.8/templates/hook.yaml create mode 100644 teleport-kube-agent-13.3.8/templates/pdb.yaml create mode 100644 teleport-kube-agent-13.3.8/templates/podmonitor.yaml create mode 100644 teleport-kube-agent-13.3.8/templates/psp.yaml create mode 100644 teleport-kube-agent-13.3.8/templates/role.yaml create mode 100644 teleport-kube-agent-13.3.8/templates/rolebinding.yaml create mode 100644 teleport-kube-agent-13.3.8/templates/secret.yaml create mode 100644 teleport-kube-agent-13.3.8/templates/serviceaccount.yaml create mode 100644 teleport-kube-agent-13.3.8/templates/statefulset.yaml create mode 100644 teleport-kube-agent-13.3.8/templates/updater/_helpers.tpl create mode 100644 teleport-kube-agent-13.3.8/templates/updater/deployment.yaml create mode 100644 teleport-kube-agent-13.3.8/templates/updater/role.yaml create mode 100644 teleport-kube-agent-13.3.8/templates/updater/rolebinding.yaml create mode 100644 teleport-kube-agent-13.3.8/templates/updater/serviceaccount.yaml create mode 100644 teleport-kube-agent-13.3.8/tests/README.md create mode 100644 teleport-kube-agent-13.3.8/tests/__snapshot__/admin_clusterrolebinding_test.yaml.snap create mode 100644 teleport-kube-agent-13.3.8/tests/__snapshot__/clusterrole_test.yaml.snap create mode 100644 teleport-kube-agent-13.3.8/tests/__snapshot__/clusterrolebinding_test.yaml.snap create mode 100644 teleport-kube-agent-13.3.8/tests/__snapshot__/config_test.yaml.snap create mode 100644 teleport-kube-agent-13.3.8/tests/__snapshot__/deployment_test.yaml.snap create mode 100644 teleport-kube-agent-13.3.8/tests/__snapshot__/job_test.yaml.snap create mode 100644 teleport-kube-agent-13.3.8/tests/__snapshot__/pdb_test.yaml.snap create mode 100644 teleport-kube-agent-13.3.8/tests/__snapshot__/psp_test.yaml.snap create mode 100644 teleport-kube-agent-13.3.8/tests/__snapshot__/role_test.yaml.snap create mode 100644 
teleport-kube-agent-13.3.8/tests/__snapshot__/rolebinding_test.yaml.snap create mode 100644 teleport-kube-agent-13.3.8/tests/__snapshot__/secret_test.yaml.snap create mode 100644 teleport-kube-agent-13.3.8/tests/__snapshot__/serviceaccount_test.yaml.snap create mode 100644 teleport-kube-agent-13.3.8/tests/__snapshot__/statefulset_test.yaml.snap create mode 100644 teleport-kube-agent-13.3.8/tests/__snapshot__/updater_deployment_test.yaml.snap create mode 100644 teleport-kube-agent-13.3.8/tests/__snapshot__/updater_role_test.yaml.snap create mode 100644 teleport-kube-agent-13.3.8/tests/admin_clusterrolebinding_test.yaml create mode 100644 teleport-kube-agent-13.3.8/tests/clusterrole_test.yaml create mode 100644 teleport-kube-agent-13.3.8/tests/clusterrolebinding_test.yaml create mode 100644 teleport-kube-agent-13.3.8/tests/config_test.yaml create mode 100644 teleport-kube-agent-13.3.8/tests/deployment_test.yaml create mode 100644 teleport-kube-agent-13.3.8/tests/job_test.yaml create mode 100644 teleport-kube-agent-13.3.8/tests/pdb_test.yaml create mode 100644 teleport-kube-agent-13.3.8/tests/podmonitor_test.yaml create mode 100644 teleport-kube-agent-13.3.8/tests/psp_test.yaml create mode 100644 teleport-kube-agent-13.3.8/tests/role_test.yaml create mode 100644 teleport-kube-agent-13.3.8/tests/rolebinding_test.yaml create mode 100644 teleport-kube-agent-13.3.8/tests/secret_test.yaml create mode 100644 teleport-kube-agent-13.3.8/tests/serviceaccount_test.yaml create mode 100644 teleport-kube-agent-13.3.8/tests/statefulset_test.yaml create mode 100644 teleport-kube-agent-13.3.8/tests/updater_deployment_test.yaml create mode 100644 teleport-kube-agent-13.3.8/tests/updater_role_test.yaml create mode 100644 teleport-kube-agent-13.3.8/tests/updater_rolebinding_test.yaml rename {teleport-kube-agent => teleport-kube-agent-13.3.8}/values-home.yaml (100%) create mode 100644 teleport-kube-agent-13.3.8/values.schema.json create mode 100644 teleport-kube-agent-13.3.8/values.yaml 
create mode 100644 teleport-kube-agent/.lint/app-discovery-full.yaml create mode 100644 teleport-kube-agent/.lint/app-discovery-minimal.yaml create mode 100644 teleport-kube-agent/.lint/extra-containers.yaml create mode 100644 teleport-kube-agent/.lint/jamf-service-existing-secret.yaml create mode 100644 teleport-kube-agent/.lint/jamf-service.yaml create mode 100644 teleport-kube-agent/.lint/updater-secret-docker.yaml create mode 100644 teleport-kube-agent/values.ubuntu.yaml
diff --git a/teleport-kube-agent-13.3.8/.lint/affinity.yaml b/teleport-kube-agent-13.3.8/.lint/affinity.yaml
new file mode 100644
index 0000000..a961974
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/.lint/affinity.yaml
@@ -0,0 +1,24 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: kube
+kubeClusterName: test-kube-cluster
+affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: gravitational.io/dedicated
+ operator: In
+ values:
+ - teleport
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: app
+ operator: In
+ values:
+ - teleport
+ topologyKey: kubernetes.io/hostname
+ weight: 1
diff --git a/teleport-kube-agent-13.3.8/.lint/all-v6.yaml b/teleport-kube-agent-13.3.8/.lint/all-v6.yaml
new file mode 100644
index 0000000..7b8f28b
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/.lint/all-v6.yaml
@@ -0,0 +1,27 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: kube,app,db
+kubeClusterName: test-kube-cluster-name
+labels:
+ cluster: testing
+apps:
+ - name: grafana
+ uri: http://localhost:3000
+ labels:
+ environment: test
+databases:
+ - name: aurora
+ uri: "postgres-aurora-instance-1.xxx.us-east-1.rds.amazonaws.com:5432"
+ protocol: "postgres"
+ labels:
+ database: staging
+annotations:
+ config:
+ kubernetes.io/config: "test-annotation"
+ kubernetes.io/config-different: 2
+ deployment:
+ kubernetes.io/deployment: "test-annotation"
+ kubernetes.io/deployment-different: 3
+ pod:
+ kubernetes.io/pod: "test-annotation"
+ kubernetes.io/pod-different: 4
diff --git a/teleport-kube-agent-13.3.8/.lint/annotations.yaml b/teleport-kube-agent-13.3.8/.lint/annotations.yaml
new file mode 100644
index 0000000..50f5b21
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/.lint/annotations.yaml
@@ -0,0 +1,20 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: kube
+kubeClusterName: test-kube-cluster
+annotations:
+ config:
+ kubernetes.io/config: "test-annotation"
+ kubernetes.io/config-different: 2
+ deployment:
+ kubernetes.io/deployment: "test-annotation"
+ kubernetes.io/deployment-different: 3
+ pod:
+ kubernetes.io/pod: "test-annotation"
+ kubernetes.io/pod-different: 4
+ secret:
+ kubernetes.io/secret: "test-annotation"
+ kubernetes.io/secret-different: 6
+ serviceAccount:
+ kubernetes.io/serviceaccount: "test-annotation"
+ kubernetes.io/serviceaccount-different: 5
diff --git a/teleport-kube-agent-13.3.8/.lint/aws-databases.yaml b/teleport-kube-agent-13.3.8/.lint/aws-databases.yaml
new file mode 100644
index 0000000..948a839
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/.lint/aws-databases.yaml
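Review bot: The annotation fixtures in `.lint/all-v6.yaml` and `.lint/annotations.yaml` use integer values (`kubernetes.io/config-different: 2` and the other `-different` keys, 2 through 6) although Kubernetes annotations are a string-to-string map, so `helm lint` accepts them while a rendered manifest would be rejected by the API server unless the chart's templates stringify annotation values — the templates are not in these hunks, so that needs confirming. If the intent is precisely to test that the chart quotes non-string annotation values, a comment above `annotations:` saying so would keep the next reader from "fixing" the fixture; otherwise quote them, e.g. `kubernetes.io/config-different: "2"`.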
@@ -0,0 +1,15 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: db
+awsDatabases:
+- types: ["rds"]
+ regions: ["us-east-1"]
+ tags:
+ "*": "*"
+- types: ["rds"]
+ regions: ["us-west-2"]
+ tags:
+ "env": "development"
+annotations:
+ serviceAccount:
+ eks.amazonaws.com/role-arn: arn:aws:iam::1234567890:role/my-rds-autodiscovery-role
diff --git a/teleport-kube-agent-13.3.8/.lint/azure-databases.yaml b/teleport-kube-agent-13.3.8/.lint/azure-databases.yaml
new file mode 100644
index 0000000..a9b87e3
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/.lint/azure-databases.yaml
@@ -0,0 +1,26 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: db
+azureDatabases:
+- types: ["mysql", "postgres"]
+ tags:
+ "*": "*"
+- types: ["mysql"]
+ tags:
+ "env": ["dev", "staging"]
+ "origin": "alice"
+ regions: ["eastus", "centralus"]
+ subscriptions: ["subID1", "subID2"]
+ resource_groups: ["group1", "group2"]
+# environment variables can be used to authenticate as the Azure service principal
+extraEnv:
+- name: AZURE_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: teleport-azure-client-secret
+ key: client_secret
+ optional: false
+- name: AZURE_TENANT_ID
+ value: "11111111-2222-3333-4444-555555555555"
+- name: AZURE_CLIENT_ID
+ value: "11111111-2222-3333-4444-555555555555"
diff --git a/teleport-kube-agent-13.3.8/.lint/backwards-compatibility.yaml b/teleport-kube-agent-13.3.8/.lint/backwards-compatibility.yaml
new file mode 100644
index 0000000..c452f86
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/.lint/backwards-compatibility.yaml
@@ -0,0 +1,3 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+kubeClusterName: test-kube-cluster-name
diff --git a/teleport-kube-agent-13.3.8/.lint/ca-pin.yaml b/teleport-kube-agent-13.3.8/.lint/ca-pin.yaml
new file mode 100644
index 0000000..f5b536b
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/.lint/ca-pin.yaml
@@ -0,0 +1,5 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: kube
+kubeClusterName: test-kube-cluster
+caPin: ["sha256:7e12c17c20d9cb504bbcb3f0236be3f446861f1396dcbb44425fe28ec1c108f1"]
diff --git a/teleport-kube-agent-13.3.8/.lint/clusterrole.yaml b/teleport-kube-agent-13.3.8/.lint/clusterrole.yaml
new file mode 100644
index 0000000..228db73
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/.lint/clusterrole.yaml
@@ -0,0 +1,7 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: kube
+kubeClusterName: test-kube-cluster
+clusterRoleName: teleport-kube-agent-test
+clusterRoleBindingName: teleport-kube-agent-test
+serviceAccountName: teleport-kube-agent-test
diff --git a/teleport-kube-agent-13.3.8/.lint/db.yaml b/teleport-kube-agent-13.3.8/.lint/db.yaml
new file mode 100644
index 0000000..7850322
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/.lint/db.yaml
@@ -0,0 +1,9 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: db
+databases:
+- name: aurora
+ uri: "postgres-aurora-instance-1.xxx.us-east-1.rds.amazonaws.com:5432"
+ protocol: "postgres"
+ labels:
+ database: staging
diff --git a/teleport-kube-agent-13.3.8/.lint/dnsconfig.yaml b/teleport-kube-agent-13.3.8/.lint/dnsconfig.yaml
new file mode 100644
index 0000000..0900fcc
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/.lint/dnsconfig.yaml
@@ -0,0 +1,15 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: kube
+kubeClusterName: test-kube-cluster
+dnsPolicy: ClusterFirstWithHostNet
+dnsConfig:
+ nameservers:
+ - 1.2.3.4
+ searches:
+ - ns1.svc.cluster-domain.example
+ - my.dns.search.suffix
+ options:
+ - name: ndots
+ value: "2"
+ - name: edns0
diff --git a/teleport-kube-agent-13.3.8/.lint/dynamic-app.yaml b/teleport-kube-agent-13.3.8/.lint/dynamic-app.yaml
new file mode 100644
index 0000000..78a8573
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/.lint/dynamic-app.yaml
@@ -0,0 +1,6 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: app
+appResources:
+ - labels:
+ "*": "*"
diff --git a/teleport-kube-agent-13.3.8/.lint/dynamic-db.yaml b/teleport-kube-agent-13.3.8/.lint/dynamic-db.yaml
new file mode 100644
index 0000000..a17bfd8
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/.lint/dynamic-db.yaml
@@ -0,0 +1,6 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: db
+databaseResources:
+ - labels:
+ "*": "*"
diff --git a/teleport-kube-agent-13.3.8/.lint/existing-data-volume.yaml b/teleport-kube-agent-13.3.8/.lint/existing-data-volume.yaml
new file mode 100644
index 0000000..511aa2f
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/.lint/existing-data-volume.yaml
@@ -0,0 +1,5 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: kube
+kubeClusterName: test-kube-cluster
+existingDataVolume: teleport-kube-agent-data
diff --git a/teleport-kube-agent-13.3.8/.lint/existing-tls-secret-with-ca.yaml b/teleport-kube-agent-13.3.8/.lint/existing-tls-secret-with-ca.yaml
new file mode 100644
index 0000000..a8e2a46
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/.lint/existing-tls-secret-with-ca.yaml
@@ -0,0 +1,6 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: kube
+kubeClusterName: test-kube-cluster
+tls:
+ existingCASecretName: "helm-lint-existing-tls-secret-ca"
diff --git a/teleport-kube-agent-13.3.8/.lint/extra-args.yaml b/teleport-kube-agent-13.3.8/.lint/extra-args.yaml
new file mode 100644
index 0000000..8353439
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/.lint/extra-args.yaml
@@ -0,0 +1,5 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: kube
+kubeClusterName: test-kube-cluster
+extraArgs: ['--debug']
diff --git a/teleport-kube-agent-13.3.8/.lint/extra-env.yaml b/teleport-kube-agent-13.3.8/.lint/extra-env.yaml
new file mode 100644
index 0000000..7f3ee92
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/.lint/extra-env.yaml
@@ -0,0 +1,7 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: kube
+kubeClusterName: test-kube-cluster
+extraEnv:
+- name: HTTPS_PROXY
+ value: "http://username:password@my.proxy.host:3128"
diff --git a/teleport-kube-agent-13.3.8/.lint/extra-labels.yaml b/teleport-kube-agent-13.3.8/.lint/extra-labels.yaml
new file mode 100644
index 0000000..293e8b3
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/.lint/extra-labels.yaml
@@ -0,0 +1,37 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+kubeClusterName: test-kube-cluster
+extraLabels:
+ role:
+ app.kubernetes.io/name: "teleport-kube-agent"
+ resource: "role"
+ roleBinding:
+ app.kubernetes.io/name: "teleport-kube-agent"
+ resource: "rolebinding"
+ clusterRole:
+ app.kubernetes.io/name: "teleport-kube-agent"
+ resource: "clusterrole"
+ clusterRoleBinding:
+ app.kubernetes.io/name: "teleport-kube-agent"
+ resource: "clusterrolebinding"
+ config:
+ app.kubernetes.io/name: "teleport-kube-agent"
+ resource: "config"
+ deployment:
+ app.kubernetes.io/name: "teleport-kube-agent"
+ resource: "deployment"
+ pod:
+ app.kubernetes.io/name: "teleport-kube-agent"
+ resource: "pod"
+ podDisruptionBudget:
+ app.kubernetes.io/name: "teleport-kube-agent"
+ resource: "poddisruptionbudget"
+ podSecurityPolicy:
+ app.kubernetes.io/name: "teleport-kube-agent"
+ resource: "podsecuritypolicy"
+ secret:
+ app.kubernetes.io/name: "teleport-kube-agent"
+ resource: "secret"
+ serviceAccount:
+ app.kubernetes.io/name: "teleport-kube-agent"
+ resource: "serviceaccount"
diff --git a/teleport-kube-agent-13.3.8/.lint/host-aliases.yaml b/teleport-kube-agent-13.3.8/.lint/host-aliases.yaml
new file mode 100644
index 0000000..21faa71
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/.lint/host-aliases.yaml
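Review bot: The `HTTPS_PROXY` entry in `.lint/extra-env.yaml` embeds a `username:password@` URL directly in `value:`, so anything rendered from this fixture carries the credential in the pod spec rather than in a Secret. The values are clearly placeholders, but this is the chart's only proxy example and will be copied; the sibling `.lint/azure-databases.yaml` already shows the safer `valueFrom.secretKeyRef` shape. A one-line comment above the entry, `# lint fixture: real proxy credentials belong in a Secret referenced via valueFrom.secretKeyRef`, or switching the entry to `valueFrom`, keeps the example from teaching the wrong pattern.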
@@ -0,0 +1,11 @@
+proxyAddr: proxy.example.com:3080
+kubeClusterName: test-kube-cluster-name
+hostAliases:
+ - ip: "127.0.0.1"
+ hostnames:
+ - "foo.local"
+ - "bar.local"
+ - ip: "10.1.2.3"
+ hostnames:
+ - "foo.remote"
+ - "bar.remote"
diff --git a/teleport-kube-agent-13.3.8/.lint/image-pull-policy-stateful.yaml b/teleport-kube-agent-13.3.8/.lint/image-pull-policy-stateful.yaml
new file mode 100644
index 0000000..83995f0
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/.lint/image-pull-policy-stateful.yaml
@@ -0,0 +1,7 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+kubeClusterName: test-kube-cluster-name
+storage:
+ enabled: true
+ storageClassName: "aws-gp2"
+imagePullPolicy: Always
diff --git a/teleport-kube-agent-13.3.8/.lint/image-pull-policy.yaml b/teleport-kube-agent-13.3.8/.lint/image-pull-policy.yaml
new file mode 100644
index 0000000..c5e389c
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/.lint/image-pull-policy.yaml
@@ -0,0 +1,5 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: kube
+kubeClusterName: test-kube-cluster
+imagePullPolicy: Always
diff --git a/teleport-kube-agent-13.3.8/.lint/imagepullsecrets.yaml b/teleport-kube-agent-13.3.8/.lint/imagepullsecrets.yaml
new file mode 100644
index 0000000..cb5ce1e
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/.lint/imagepullsecrets.yaml
@@ -0,0 +1,7 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: kube
+kubeClusterName: test-kube-cluster
+image: public.ecr.aws/gravitational/teleport
+imagePullSecrets:
+- name: myRegistryKeySecretName
diff --git a/teleport-kube-agent-13.3.8/.lint/initcontainers.yaml b/teleport-kube-agent-13.3.8/.lint/initcontainers.yaml
new file mode 100644
index 0000000..a8d7a2a
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/.lint/initcontainers.yaml
@@ -0,0 +1,17 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: kube
+kubeClusterName: test-kube-cluster
+initContainers:
+- name: "teleport-init"
+ image: "alpine"
+ args: ["echo test"]
+# These are just sample values to test the chart.
+# They are not intended to be guidelines or suggestions for running teleport.
+resources:
+ limits:
+ cpu: 2
+ memory: 4Gi
+ requests:
+ cpu: 1
+ memory: 2Gi
diff --git a/teleport-kube-agent-13.3.8/.lint/join-params-iam.yaml b/teleport-kube-agent-13.3.8/.lint/join-params-iam.yaml
new file mode 100644
index 0000000..13d38c6
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/.lint/join-params-iam.yaml
@@ -0,0 +1,5 @@
+proxyAddr: proxy.example.com:3080
+kubeClusterName: test-kube-cluster-name
+joinParams:
+ tokenName: iam-token
+ method: iam
diff --git a/teleport-kube-agent-13.3.8/.lint/join-params-token.yaml b/teleport-kube-agent-13.3.8/.lint/join-params-token.yaml
new file mode 100644
index 0000000..5e476c1
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/.lint/join-params-token.yaml
@@ -0,0 +1,5 @@
+proxyAddr: proxy.example.com:3080
+kubeClusterName: test-kube-cluster-name
+joinParams:
+ tokenName: xxxxxxx-secret-token-xxxxxxx
+ method: token
diff --git a/teleport-kube-agent-13.3.8/.lint/log-basic.yaml b/teleport-kube-agent-13.3.8/.lint/log-basic.yaml
new file mode 100644
index 0000000..46d87a7
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/.lint/log-basic.yaml
@@ -0,0 +1,6 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+kubeClusterName: test-kube-cluster-name
+log:
+ format: json
+ level: INFO
diff --git a/teleport-kube-agent-13.3.8/.lint/log-extra.yaml b/teleport-kube-agent-13.3.8/.lint/log-extra.yaml
new file mode 100644
index 0000000..656190d
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/.lint/log-extra.yaml
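Review bot: The init container in `.lint/initcontainers.yaml` is declared as `image: "alpine"` with no tag or digest, which resolves to a floating `latest` and makes anything rendered from this fixture non-reproducible. Even for a lint fixture, pinning it, `image: "alpine:<PINNED_TAG>"` (placeholder), records the expectation that images in this chart are pinned; the chart's own main `image:` handling is outside this hunk, so whether it enforces pinning elsewhere cannot be seen here. The existing two-line `# These are just sample values…` comment sits above `resources:` only; moving it above `initContainers:` would make it cover the image as well.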
@@ -0,0 +1,8 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+kubeClusterName: test-kube-cluster-name
+log:
+ format: json
+ level: DEBUG
+ output: /var/lib/teleport/test.log
+ extraFields: ["level", "timestamp", "component", "caller"]
diff --git a/teleport-kube-agent-13.3.8/.lint/log-legacy.yaml b/teleport-kube-agent-13.3.8/.lint/log-legacy.yaml
new file mode 100644
index 0000000..8d3767b
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/.lint/log-legacy.yaml
@@ -0,0 +1,4 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+kubeClusterName: test-kube-cluster-name
+logLevel: DEBUG
diff --git a/teleport-kube-agent-13.3.8/.lint/node-selector.yaml b/teleport-kube-agent-13.3.8/.lint/node-selector.yaml
new file mode 100644
index 0000000..a9f3d5c
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/.lint/node-selector.yaml
@@ -0,0 +1,5 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+kubeClusterName: test-kube-cluster-name
+nodeSelector:
+ gravitational.io/k8s-role: node
diff --git a/teleport-kube-agent-13.3.8/.lint/pdb.yaml b/teleport-kube-agent-13.3.8/.lint/pdb.yaml
new file mode 100644
index 0000000..e898684
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/.lint/pdb.yaml
@@ -0,0 +1,7 @@
+proxyAddr: proxy.example.com:3080
+kubeClusterName: test-kube-cluster-name
+highAvailability:
+ replicaCount: 3
+ podDisruptionBudget:
+ enabled: true
+ minAvailable: 2
diff --git a/teleport-kube-agent-13.3.8/.lint/podmonitor.yaml b/teleport-kube-agent-13.3.8/.lint/podmonitor.yaml
new file mode 100644
index 0000000..2cdb90b
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/.lint/podmonitor.yaml
@@ -0,0 +1,7 @@
+proxyAddr: proxy.example.com:3080
+kubeClusterName: test-kube-cluster-name
+podMonitor:
+ enabled: true
+ additionalLabels:
+ prometheus: default
+ interval: 30s
diff --git a/teleport-kube-agent-13.3.8/.lint/priority-class-name.yaml b/teleport-kube-agent-13.3.8/.lint/priority-class-name.yaml
new file mode 100644
index 0000000..1f0baeb
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/.lint/priority-class-name.yaml
@@ -0,0 +1,4 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+kubeClusterName: test-kube-cluster
+priorityClassName: teleport-kube-agent
diff --git a/teleport-kube-agent-13.3.8/.lint/probe-timeout-seconds.yaml b/teleport-kube-agent-13.3.8/.lint/probe-timeout-seconds.yaml
new file mode 100644
index 0000000..306f64c
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/.lint/probe-timeout-seconds.yaml
@@ -0,0 +1,7 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: kube
+kubeClusterName: test-kube-cluster-name
+# These are just sample values to test the chart.
+# They are not intended to be guidelines or suggestions for running teleport.
+probeTimeoutSeconds: 5
diff --git a/teleport-kube-agent-13.3.8/.lint/resources.yaml b/teleport-kube-agent-13.3.8/.lint/resources.yaml
new file mode 100644
index 0000000..bd0ccf4
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/.lint/resources.yaml
@@ -0,0 +1,13 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: kube
+kubeClusterName: test-kube-cluster
+# These are just sample values to test the chart.
+# They are not intended to be guidelines or suggestions for running teleport.
+resources:
+ limits:
+ cpu: 2
+ memory: 4Gi
+ requests:
+ cpu: 1
+ memory: 2Gi
diff --git a/teleport-kube-agent-13.3.8/.lint/security-context-empty.yaml b/teleport-kube-agent-13.3.8/.lint/security-context-empty.yaml
new file mode 100644
index 0000000..4f2c972
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/.lint/security-context-empty.yaml
@@ -0,0 +1,6 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: kube
+kubeClusterName: helm-lint
+securityContext: null
+initSecurityContext: null
diff --git a/teleport-kube-agent-13.3.8/.lint/service-account-name.yaml b/teleport-kube-agent-13.3.8/.lint/service-account-name.yaml
new file mode 100644
index 0000000..fbc76f9
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/.lint/service-account-name.yaml
@@ -0,0 +1,5 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: kube
+kubeClusterName: test-kube-cluster
+serviceAccountName: teleport-kube-agent-sa
diff --git a/teleport-kube-agent-13.3.8/.lint/stateful.yaml b/teleport-kube-agent-13.3.8/.lint/stateful.yaml
new file mode 100644
index 0000000..5424307
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/.lint/stateful.yaml
@@ -0,0 +1,6 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+kubeClusterName: test-kube-cluster-name
+storage:
+ enabled: true
+ storageClassName: "aws-gp2"
diff --git a/teleport-kube-agent-13.3.8/.lint/tolerations.yaml b/teleport-kube-agent-13.3.8/.lint/tolerations.yaml
new file mode 100644
index 0000000..87abf13
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/.lint/tolerations.yaml
@@ -0,0 +1,13 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: kube
+kubeClusterName: test-kube-cluster
+tolerations:
+- key: "dedicated"
+ operator: "Equal"
+ value: "teleport"
+ effect: "NoExecute"
+- key: "dedicated"
+ operator: "Equal"
+ value: "teleport"
+ effect: "NoSchedule"
diff --git a/teleport-kube-agent-13.3.8/.lint/updater.yaml b/teleport-kube-agent-13.3.8/.lint/updater.yaml
new file mode 100644
index 0000000..8519cd8
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/.lint/updater.yaml
@@ -0,0 +1,6 @@
+proxyAddr: proxy.example.com:3080
+roles: "custom"
+updater:
+ enabled: true
+ versionServer: https://my-custom-version-server/v1
+ releaseChannel: custom/preview
diff --git a/teleport-kube-agent-13.3.8/.lint/v10.yaml b/teleport-kube-agent-13.3.8/.lint/v10.yaml
new file mode 100644
index 0000000..887242a
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/.lint/v10.yaml
@@ -0,0 +1,5 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: kube
+kubeClusterName: test-kube-cluster-name
+teleportVersionOverride: "10.3.5-dev"
diff --git a/teleport-kube-agent-13.3.8/.lint/v11.yaml b/teleport-kube-agent-13.3.8/.lint/v11.yaml
new file mode 100644
index 0000000..b308f63
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/.lint/v11.yaml
@@ -0,0 +1,5 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: kube
+kubeClusterName: test-kube-cluster-name
+teleportVersionOverride: "11.0.1-dev"
diff --git a/teleport-kube-agent-13.3.8/.lint/volumes.yaml b/teleport-kube-agent-13.3.8/.lint/volumes.yaml
new file mode 100644
index 0000000..1f55235
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/.lint/volumes.yaml
@@ -0,0 +1,11 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: kube
+kubeClusterName: test-kube-cluster
+extraVolumeMounts:
+- name: "my-mount"
+ mountPath: "/path/to/mount"
+extraVolumes:
+- name: "my-mount"
+ secret:
+ secretName: "mySecret"
diff --git a/teleport-kube-agent-13.3.8/Chart.yaml b/teleport-kube-agent-13.3.8/Chart.yaml
new file mode 100644
index 0000000..c559b3e
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/Chart.yaml
@@ -0,0 +1,9 @@
+apiVersion: v2
+appVersion: 13.3.8
+description: Teleport provides a secure SSH, Kubernetes, database and application
+ remote access solution that doesn't get in the way.
+icon: https://goteleport.com/images/logos/logo-teleport-square.svg
+keywords:
+- Teleport
+name: teleport-kube-agent
+version: 13.3.8
diff --git a/teleport-kube-agent-13.3.8/README.md b/teleport-kube-agent-13.3.8/README.md
new file mode 100644
index 0000000..903398c
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/README.md
@@ -0,0 +1,245 @@
+# Teleport Agent chart
+
+This chart is a Teleport agent used to register any or all of the following services
+with an existing Teleport cluster:
+- Teleport Kubernetes access
+- Teleport Application access
+- Teleport Database access
+
+To use it, you will need:
+- an existing Teleport cluster (at least proxy and auth services)
+- a reachable proxy endpoint (`$PROXY_ENDPOINT` e.g. `teleport.example.com:3080` or `teleport.example.com:443`)
+- a reachable reverse tunnel port on the proxy (e.g. `teleport.example.com:3024`). The address is automatically
+ retrieved from the Teleport proxy configuration.
+- either a static or dynamic join token for the Teleport Cluster
+ - a [static join token](https://goteleport.com/docs/setup/admin/adding-nodes/#adding-nodes-to-the-cluster)
+ for this Teleport cluster (`$JOIN_TOKEN`) is used by default.
+ - optionally a [dynamic join token](https://goteleport.com/docs/setup/admin/adding-nodes/#short-lived-dynamic-tokens) can
+ be used on Kubernetes clusters that support persistent volumes. Set `storage.enabled=true` and
+ `storage.storageClassName=` in the helm configuration to use persistent
+ volumes.
+
+
+## Combining roles
+
+You can combine multiple roles as a comma-separated list: `--set roles=kube\,db\,app`
+
+Note that commas must be escaped if the values are provided on the command line. This is due to the way that
+Helm parses arguments.
+
+You must also provide the settings for each individual role which is enabled as detailed below.
+
+## Backwards compatibility
+
+To provide backwards compatibility with older versions of the `teleport-kube-agent` chart, if you do
+not specify any value for `roles`, the chart will run with only the `kube` role enabled.
+
+## Kubernetes access
+
+To use Teleport Kubernetes access, you will also need:
+- to choose a name for your Kubernetes cluster, distinct from other registered
+ clusters (`$KUBERNETES_CLUSTER_NAME`)
+
+To install the agent, run:
+
+```sh
+$ helm install teleport-kube-agent . \
+ --create-namespace \
+ --namespace teleport \
+ --set roles=kube \
+ --set proxyAddr=${PROXY_ENDPOINT?} \
+ --set authToken=${JOIN_TOKEN?} \
+ --set kubeClusterName=${KUBERNETES_CLUSTER_NAME?}
+```
+
+Set the values in the above command as appropriate for your setup.
+
+You can also optionally set labels for your Kubernetes cluster using the
+format `--set "labels.key=value"` - for example: `--set "labels.env=development,labels.region=us-west-1"`
+
+To avoid specifying the auth token in plain text, it's possible to create a secret containing the token beforehand. To do so, run:
+
+```sh
+export TELEPORT_KUBE_TOKEN=` | base64 -w0`
+export TELEPORT_NAMESPACE=teleport
+
+cat < secrets.yaml
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: teleport-kube-agent-join-token
+ namespace: ${TELEPORT_NAMESPACE?}
+type: Opaque
+data:
+ auth-token: ${TELEPORT_KUBE_TOKEN?}
+EOF
+
+$ kubectl apply -f secret.yaml
+
+$ helm install teleport-kube-agent . \
+ --create-namespace \
+ --namespace ${TELEPORT_NAMESPACE?} \
+ --set roles=kube \
+ --set proxyAddr=${PROXY_ENDPOINT?} \
+ --set kubeClusterName=${KUBERNETES_CLUSTER_NAME?}
+```
+
+Note that due to backwards compatibility, the `labels` value **only** applies to the Teleport
+Kubernetes service. To set labels for applications or databases, use the different formats
+detailed below.
+
+## Application access
+
+### Dynamic Registration mode
+
+To use Teleport application access in [dynamic registration mode](https://goteleport.com/docs/application-access/guides/dynamic-registration/),
+you will need to know the application resource selector.
(`$APP_RESOURCE_KEY` and `$APP_RESOURCE_VALUE`)
+
+To listen for all application resources, set both variables to `*`.
+
+To install the agent in dynamic application registration mode, run:
+```sh
+$ helm install teleport-kube-agent . \
+--create-namespace \
+--namespace teleport \
+--set roles=app \
+--set proxyAddr=${PROXY_ENDPOINT?} \
+--set authToken=${JOIN_TOKEN?} \
+--set "appResources[0].labels.${APP_RESOURCE_KEY?}=${APP_RESOURCE_VALUE?}"
+```
+
+### Manual configuration mode
+
+To use Teleport Application access, you will also need:
+- the name of an application that you would like to proxy (`$APP_NAME`)
+- the URI to connect to the application from the node where this chart is deployed (`$APP_URI`)
+
+To install the agent, run:
+
+```sh
+$ helm install teleport-kube-agent . \
+ --create-namespace \
+ --namespace teleport \
+ --set roles=app \
+ --set proxyAddr=${PROXY_ENDPOINT?} \
+ --set authToken=${JOIN_TOKEN?} \
+ --set "apps[0].name=${APP_NAME?}" \
+ --set "apps[0].uri=${APP_URI?}"
+```
+
+Set the values in the above command as appropriate for your setup.
+
+These are the supported values for the `apps` map:
+
+| Key | Description | Example | Default | Required |
+| --- | --- | --- | --- | --- |
+| `name` | Name of the app to be accessed | `apps[0].name=grafana` | | Yes |
+| `uri` | URI of the app to be accessed | `apps[0].uri=http://localhost:3000` | | Yes |
+| `public_addr` | Public address used to access the app | `apps[0].public_addr=grafana.teleport.example.com` | | No |
+| `labels.[name]` | Key-value pairs to set against the app for grouping/RBAC | `apps[0].labels.env=local,apps[0].labels.region=us-west-1` | | No |
+| `insecure_skip_verify` | Whether to skip validation of TLS certificates presented by backend apps | `apps[0].insecure_skip_verify=true` | `false` | No |
+| `rewrite.redirect` | A list of URLs to rewrite to the public address of the app service | `apps[0].rewrite.redirect[0]=https://192.168.1.1` | | No
+
+You can add multiple apps using `apps[1].name`, `apps[1].uri`, `apps[2].name`, `apps[2].uri` etc.
+
+After installing, the new application should show up in `tsh apps ls` after a few minutes.
+
+## Database access
+
+### Dynamic Registration mode
+
+To use Teleport database access in [dynamic registration mode](https://goteleport.com/docs/database-access/guides/dynamic-registration/),
+you will need to know the database resource selector. (`$DB_RESOURCE_KEY` and `$DB_RESOURCE_VALUE`)
+
+To listen for all database resources, set both variables to `*`.
+
+To install the agent in dynamic database registration mode, run:
+```sh
+$ helm install teleport-kube-agent . 
\
+--create-namespace \
+--namespace teleport \
+--set roles=db \
+--set proxyAddr=${PROXY_ENDPOINT?} \
+--set authToken=${JOIN_TOKEN?} \
+--set "databaseResources[0].labels.${DB_RESOURCE_KEY?}=${DB_RESOURCE_VALUE?}"
+```
+
+### Auto-discovery mode (AWS)
+
+To use Teleport database access in AWS database auto-discovery mode, you will also need:
+- the database types you are attempting to auto-discover (`types`)
+- the AWS region(s) you would like to run auto-discovery in (`regions`)
+- the AWS resource tags if you want to target only certain databases (`tags`)
+
+See the [AWS databases Helm chart reference](https://goteleport.com/docs/reference/helm-reference/teleport-kube-agent/#awsDatabases)
+for an example of installing an agent with AWS database auto-discovery.
+
+### Auto-discovery mode (Azure)
+
+To use Teleport database access in Azure database auto-discovery mode, you will also need:
+- the database types you are attempting to auto-discover (`types`)
+- the Azure resource tags if you want to target only certain databases (`tags`)
+
+You can optionally specify:
+- the Azure subscription(s) to auto-discover in (`subscriptions`)
+- the Azure region(s) to auto-discover in (`regions`)
+- the Azure resource-group(s) to auto-discover in (`resource_groups`)
+
+The default for each of these optional settings is `[*]`, which will auto-discover in all
+subscriptions, regions, or resource groups accessible by the Teleport service
+principal in Azure.
+
+See the [Azure databases Helm chart reference](https://goteleport.com/docs/reference/helm-reference/teleport-kube-agent/#azureDatabases)
+for an example of installing an agent with Azure database auto-discovery.
+
+### Manual configuration mode
+
+To use Teleport database access, you will also need:
+- the name of an database that you would like to proxy (`$DB_NAME`)
+- the URI to connect to the database from the node where this chart is deployed (`$DB_URI`)
+- the database protocol used for the database (`$DB_PROTOCOL`)
+
+To install the agent in manual database configuration mode, run:
+
+```sh
+$ helm install teleport-kube-agent . \
+ --create-namespace \
+ --namespace teleport \
+ --set roles=db \
+ --set proxyAddr=${PROXY_ENDPOINT?} \
+ --set authToken=${JOIN_TOKEN?} \
+ --set "databases[0].name=${DB_NAME?}" \
+ --set "databases[0].uri=${DB_URI?}" \
+ --set "databases[0].protocol=${DB_PROTOCOL?}"
+```
+
+Set the values in the above command as appropriate for your setup.
+
+These are the supported values for the `databases` map:
+
+| Key | Description | Example | Default | Required |
+| --- | --- | --- | --- | --- |
+| `name` | Name of the database to be accessed | `databases[0].name=aurora` | | Yes |
+| `uri` | URI of the database to be accessed | `databases[0].uri=postgres-aurora-instance-1.xxx.us-east-1.rds.amazonaws.com:5432` | | Yes |
+| `protocol` | Database protocol | `databases[0].protocol=postgres` | | Yes |
+| `description` | Free-form description of the database proxy instance | `databases[0].description='AWS Aurora instance of PostgreSQL 13.0'` | | No |
+| `aws.region` | AWS-specific region configuration (only used for RDS/Aurora) | `databases[0].aws.region=us-east-1` | | No |
+| `labels.[name]` | Key-value pairs to set against the database for grouping/RBAC | `databases[0].labels.db=postgres-dev,apps[0].labels.region=us-east-1` | | No |
+
+You can add multiple databases using `databases[1].name`, `databases[1].uri`, `databases[1].protocol`,
+`databases[2].name`, `databases[2].uri`, `databases[2].protocol` etc.
+
+After installing, the new database should show up in `tsh db ls` after a few minutes.
+
+## Troubleshooting
+
+If the service for a given role doesn't show up, look into the agent logs with:
+
+```sh
+$ kubectl logs -n teleport deployment/teleport-kube-agent
+```
+
+## Contributing to the chart
+
+Please read [CONTRIBUTING.md](../CONTRIBUTING.md) before raising a pull request to this chart.
diff --git a/teleport-kube-agent-13.3.8/aws-and-manual-db.yaml b/teleport-kube-agent-13.3.8/aws-and-manual-db.yaml
new file mode 100644
index 0000000..7e85f65
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/aws-and-manual-db.yaml
@@ -0,0 +1,21 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: db
+awsDatabases:
+- types: ["rds"]
+ regions: ["us-east-1"]
+ tags:
+ "*": "*"
+- types: ["rds"]
+ regions: ["us-west-2"]
+ tags:
+ "env": "development"
+databases:
+- name: aurora
+ uri: "postgres-aurora-instance-1.xxx.us-east-1.rds.amazonaws.com:5432"
+ protocol: "postgres"
+ labels:
+ database: staging
+annotations:
+ serviceAccount:
+ eks.amazonaws.com/role-arn: arn:aws:iam::1234567890:role/my-rds-autodiscovery-role
diff --git a/teleport-kube-agent-13.3.8/templates/NOTES.txt b/teleport-kube-agent-13.3.8/templates/NOTES.txt
new file mode 100644
index 0000000..9a35a1e
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/templates/NOTES.txt
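Review bot: aws-and-manual-db.yaml sits at the chart root rather than under `.lint/`, so `helm package` ships it inside the chart even though it carries the same placeholder `authToken: auth-token` and `proxy.example.com:3080` as the lint fixtures, plus a sample IAM role ARN and a wildcard `"*": "*"` tag selector that discovers every RDS instance in the region. If it is a lint fixture, moving it under `.lint/` keeps example credentials and discovery settings out of the published artifact; if it is meant as user-facing documentation, a header comment such as `# Example values: combines AWS RDS auto-discovery with a manually registered database` would make that explicit.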
@@ -0,0 +1,53 @@
+{{- if and .Values.podSecurityPolicy.enabled (semverCompare "<1.23.0-0" .Capabilities.KubeVersion.Version) }}
+SECURITY WARNING: Kubernetes 1.25 removes PodSecurityPolicy support and Helm
+doesn't support upgrading from 1.24 to 1.25 with PSPs enabled. Since version 12
+the `teleport-cluster` chart doesn't deploy PSPs on Kubernetes 1.23 or older.
+Instead, we recommend you to configure Pod Security AdmissionControllers for
+the namespace "{{.Release.Namespace}}" by adding the label
+`pod-security.kubernetes.io/enforce: baseline` on the namespace resource.
+
+See https://goteleport.com/docs/deploy-a-cluster/helm-deployments/migration-kubernetes-1-25-psp/
+
+To remove this warning, explicitly set "podSecurityPolicy.enabled=false".
+{{- end }}
+
+{{- if .Values.teleportVersionOverride }}
+
+DANGER: `teleportVersionOverride` MUST NOT be used to control the Teleport version.
+This chart is designed to run Teleport version {{ .Chart.AppVersion }}.
+You will face compatibility issues trying to run a different Teleport version with it.
+
+If you want to run Teleport version {{.Values.teleportVersionOverride}},
+you should use `helm --version {{.Values.teleportVersionOverride}}` instead.
+{{- end }}
+{{- if contains "-gke." .Capabilities.KubeVersion.Version -}}
+{{- $groupName := (coalesce .Values.adminClusterRoleBinding.name "cluster-admin") }}
+
+WARNING: GKE Autopilot clusters forbid users from impersonating system-wide identities.
+This means you won't be able to use the `system:masters` Kubernetes Group in
+the Teleport Roles for GKE Autopilot clusters.
+
+Given that you installed Teleport on a GKE cluster, we recommend you use the
+Kubernetes Group `{{ $groupName }}` instead of `system:masters` in the Teleport Roles
+for GKE Autopilot clusters.
+
+To do so, you can use the following Teleport Role resource:
+
+ kind: role
+ metadata:
+ name: gke-kube-access
+ version: v6
+ spec:
+ allow:
+ kubernetes_labels:
+ '*': '*'
+ kubernetes_groups:
+ - "{{ $groupName }}"
+
+This chart automatically created the `{{ $groupName }}` Kubernetes Group for you and
+assigned it admin privileges on the Kubernetes cluster.
+
+Consult the built-in security features that GKE Autopilot enforces:
+https://cloud.google.com/kubernetes-engine/docs/concepts/autopilot-security#built-in-security
+
+{{- end }}
diff --git a/teleport-kube-agent-13.3.8/templates/_config.tpl b/teleport-kube-agent-13.3.8/templates/_config.tpl
new file mode 100644
index 0000000..7d34788
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/templates/_config.tpl
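Review bot: The PSP warning near the top of NOTES.txt tells the operator that "the `teleport-cluster` chart doesn't deploy PSPs", but this is the teleport-kube-agent chart, so the sentence was presumably carried over and should read `the `teleport-kube-agent` chart doesn't deploy PSPs on Kubernetes 1.23 or older.` The same block warns about the 1.24 to 1.25 upgrade while its guard `semverCompare "<1.23.0-0"` only renders on clusters below 1.23, so stating which cluster versions the warning is actually aimed at would help operators judge whether they need to act. The GKE block further down says the chart "assigned it admin privileges on the Kubernetes cluster" for every `-gke.` version string, which matches admin_clusterrolebinding.yaml; naming that it applies to Standard GKE as well as Autopilot would avoid surprise.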
@@ -0,0 +1,116 @@
+{{- define "teleport-kube-agent.config" -}}
+{{- $logLevel := (coalesce .Values.logLevel .Values.log.level "INFO") -}}
+{{- if (ge (include "teleport-kube-agent.version" . | semver).Major 11) }}
+version: v3
+{{- end }}
+teleport:
+ join_params:
+ method: "{{ .Values.joinParams.method }}"
+ token_name: "/etc/teleport-secrets/auth-token"
+ {{- if (ge (include "teleport-kube-agent.version" . | semver).Major 11) }}
+ proxy_server: {{ required "proxyAddr is required in chart values" .Values.proxyAddr }}
+ {{- else }}
+ auth_servers: ["{{ required "proxyAddr is required in chart values" .Values.proxyAddr }}"]
+ {{- end }}
+ {{- if .Values.caPin }}
+ ca_pin: {{- toYaml .Values.caPin | nindent 8 }}
+ {{- end }}
+ log:
+ severity: {{ $logLevel }}
+ output: {{ .Values.log.output }}
+ format:
+ output: {{ .Values.log.format }}
+ extra_fields: {{ .Values.log.extraFields | toJson }}
+
+kubernetes_service:
+ {{- if or (contains "kube" (.Values.roles | toString)) (empty .Values.roles) }}
+ enabled: true
+ kube_cluster_name: {{ required "kubeClusterName is required in chart values when kube role is enabled, see README" .Values.kubeClusterName }}
+ {{- if .Values.labels }}
+ labels: {{- toYaml .Values.labels | nindent 8 }}
+ {{- end }}
+ {{- else }}
+ enabled: false
+ {{- end }}
+
+app_service:
+ {{- if contains "app" (.Values.roles | toString) }}
+ enabled: true
+ {{- if not (or (.Values.apps) (.Values.appResources)) }}
+ {{- fail "at least one of 'apps' and 'appResources' is required in chart values when app role is enabled, see README" }}
+ {{- end }}
+ {{- if .Values.apps }}
+ {{- range $app := .Values.apps }}
+ {{- if not (hasKey $app "name") }}
+ {{- fail "'name' is required for all 'apps' in chart values when app role is enabled, see README" }}
+ {{- end }}
+ {{- if not (hasKey $app "uri") }}
+ {{- fail "'uri' is required for all 'apps' in chart values when app role is enabled, see README" }}
+ {{- end }}
+ {{- end }}
+ apps:
+ {{- toYaml .Values.apps | 
nindent 8 }}
+ {{- end }}
+ {{- if .Values.appResources }}
+ resources:
+ {{- toYaml .Values.appResources | nindent 8 }}
+ {{- end }}
+ {{- else }}
+ enabled: false
+ {{- end }}
+
+db_service:
+ {{- if contains "db" (.Values.roles | toString) }}
+ enabled: true
+ {{- if not (or (.Values.awsDatabases) (.Values.azureDatabases) (.Values.databases) (.Values.databaseResources)) }}
+ {{- fail "at least one of 'awsDatabases', 'azureDatabases', 'databases' or 'databaseResources' is required in chart values when db role is enabled, see README" }}
+ {{- end }}
+ {{- if .Values.awsDatabases }}
+ aws:
+ {{- range $awsDb := .Values.awsDatabases }}
+ {{- if not (hasKey $awsDb "types") }}
+ {{- fail "'types' is required for all 'awsDatabases' in chart values when key is set and db role is enabled, see README" }}
+ {{- end }}
+ {{- if not (hasKey $awsDb "regions") }}
+ {{- fail "'regions' is required for all 'awsDatabases' in chart values when key is set and db role is enabled, see README" }}
+ {{- end }}
+ {{- if not (hasKey $awsDb "tags") }}
+ {{- fail "'tags' is required for all 'awsDatabases' in chart values when key is set and db role is enabled, see README" }}
+ {{- end }}
+ {{- end }}
+ {{- toYaml .Values.awsDatabases | nindent 6 }}
+ {{- end }}
+ {{- if .Values.azureDatabases }}
+ azure:
+ {{- toYaml .Values.azureDatabases | nindent 6 }}
+ {{- end}}
+ {{- if .Values.databases }}
+ databases:
+ {{- range $db := .Values.databases }}
+ {{- if not (hasKey $db "name") }}
+ {{- fail "'name' is required for all 'databases' in chart values when db role is enabled, see README" }}
+ {{- end }}
+ {{- if not (hasKey $db "uri") }}
+ {{- fail "'uri' is required for all 'databases' is required in chart values when db role is enabled, see README" }}
+ {{- end }}
+ {{- if not (hasKey $db "protocol") }}
+ {{- fail "'protocol' is required for all 'databases' in chart values when db role is enabled, see README" }}
+ {{- end }}
+ {{- end }}
+ {{- toYaml .Values.databases | nindent 6 }}
+ {{- 
end }}
+ {{- if .Values.databaseResources }}
+ resources:
+ {{- toYaml .Values.databaseResources | nindent 6 }}
+ {{- end }}
+{{- else }}
+ enabled: false
+{{- end }}
+
+auth_service:
+ enabled: false
+ssh_service:
+ enabled: false
+proxy_service:
+ enabled: false
+{{- end -}}
diff --git a/teleport-kube-agent-13.3.8/templates/_helpers.tpl b/teleport-kube-agent-13.3.8/templates/_helpers.tpl
new file mode 100644
index 0000000..8827f34
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/templates/_helpers.tpl
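Review bot: The `fail` message for a `databases` entry without `uri` reads `'uri' is required for all 'databases' is required in chart values ...`, repeating "is required"; the sibling messages for `name` and `protocol` show the intended wording, so it should be `{{- fail "'uri' is required for all 'databases' in chart values when db role is enabled, see README" }}`. Separately, the three role switches use `contains "kube"` / `contains "app"` / `contains "db"` on the stringified `roles` value, so a mistyped role such as `roles=kubes` (constructed example) silently enables the kube service instead of failing the render; if substring matching is deliberate, a comment saying so next to the first `contains` would stop a later maintainer from "fixing" it, and if not, splitting on `,` and comparing whole entries would reject unknown roles. Worth a comment as well that `ca_pin` is optional here, so an install without `caPin` relies on the proxy TLS certificate alone to authenticate the cluster during the join.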
@@ -0,0 +1,46 @@
+{{- define "teleport.kube.agent.isUpgrade" -}}
+{{- /* Checks if action is an upgrade from an old release that didn't support Secret storage */}}
+{{- if .Release.IsUpgrade }}
+ {{- $deployment := (lookup "apps/v1" "Deployment" .Release.Namespace .Release.Name ) -}}
+ {{- if ($deployment) }}
+true
+ {{- else if .Values.unitTestUpgrade }}
+true
+ {{- end }}
+{{- end }}
+{{- end -}}
+{{/*
+Create the name of the service account to use
+if serviceAccount is not defined or serviceAccount.name is empty, use .Release.Name
+*/}}
+{{- define "teleport-kube-agent.serviceAccountName" -}}
+{{- coalesce .Values.serviceAccount.name .Values.serviceAccountName .Release.Name -}}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use for the post-delete hook
+if serviceAccount is not defined or serviceAccount.name is empty, use .Release.Name-delete-hook
+*/}}
+{{- define "teleport-kube-agent.deleteHookServiceAccountName" -}}
+{{- coalesce .Values.serviceAccount.name .Values.serviceAccountName (printf "%s-delete-hook" .Release.Name) -}}
+{{- end -}}
+
+{{- define "teleport-kube-agent.version" -}}
+{{- if .Values.teleportVersionOverride -}}
+ {{- .Values.teleportVersionOverride -}}
+{{- else -}}
+ {{- .Chart.Version -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "teleport-kube-agent.baseImage" -}}
+{{- if .Values.enterprise -}}
+ {{- .Values.enterpriseImage -}}
+{{- else -}}
+ {{- .Values.image -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "teleport-kube-agent.image" -}}
+{{ include "teleport-kube-agent.baseImage" . }}:{{ include "teleport-kube-agent.version" . }}
+{{- end -}}
diff --git a/teleport-kube-agent-13.3.8/templates/admin_clusterrolebinding.yaml b/teleport-kube-agent-13.3.8/templates/admin_clusterrolebinding.yaml
new file mode 100644
index 0000000..cd3fe98
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/templates/admin_clusterrolebinding.yaml
@@ -0,0 +1,24 @@
+{{/* GKE Autopilot clusters forbid users from impersonating system:masters
+Groups. This is a security measure released under the GKE Warden authz module
+https://cloud.google.com/kubernetes-engine/docs/concepts/autopilot-security#built-in-security
+Because of this limitation, users are unable to specify kubernetes_groups=["system:masters"]
+in Teleport, so we create a Kubernetes Group called cluster-admin when we detect
+that the underlying cluster is a GKE cluster. */}}
+{{- if or (contains "-gke." .Capabilities.KubeVersion.Version) (.Values.adminClusterRoleBinding.create) -}}
+{{- $groupName := (coalesce .Values.adminClusterRoleBinding.name "cluster-admin") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: admin-k8s-cluster-group
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+# This is the built-in cluster-admin role that exists in all K8S clusters.
+# We are binding the cluster-admin role to the cluster-admin group.
+# See https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
+ name: cluster-admin
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: {{ $groupName }}
+{{- end }}
diff --git a/teleport-kube-agent-13.3.8/templates/clusterrole.yaml b/teleport-kube-agent-13.3.8/templates/clusterrole.yaml
new file mode 100644
index 0000000..c6f3c73
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/templates/clusterrole.yaml
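Review bot: The guard `or (contains "-gke." .Capabilities.KubeVersion.Version) (.Values.adminClusterRoleBinding.create)` creates a binding of the built-in `cluster-admin` ClusterRole to a Group on every cluster whose version string contains `-gke.`, so `adminClusterRoleBinding.create=false` cannot disable it on Standard GKE, where the Autopilot restriction described in the header comment does not apply and the extra admin Group is unneeded. Treating `create` as an explicit opt-out when the operator sets it would keep the automatic behaviour for Autopilot without forcing a cluster-wide admin Group on everyone; at minimum the header comment should say the binding is created for all GKE clusters, not only Autopilot. Independently, `name: admin-k8s-cluster-group` is a fixed cluster-scoped name, so a second release of this chart on the same cluster fails with a Helm ownership conflict; deriving it from the release, e.g. `name: {{ .Release.Name }}-admin-k8s-cluster-group`, avoids that.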
@@ -0,0 +1,31 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ .Values.clusterRoleName | default .Release.Name }}
+{{- if .Values.extraLabels.clusterRole }}
+ labels:
+ {{- toYaml .Values.extraLabels.clusterRole | nindent 4 }}
+{{- end }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - users
+ - groups
+ - serviceaccounts
+ verbs:
+ - impersonate
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+- apiGroups:
+ - "authorization.k8s.io"
+ resources:
+ - selfsubjectaccessreviews
+ verbs:
+ - create
+{{- end -}}
diff --git a/teleport-kube-agent-13.3.8/templates/clusterrolebinding.yaml b/teleport-kube-agent-13.3.8/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000..af2a7b1
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/templates/clusterrolebinding.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ .Values.clusterRoleBindingName | default .Release.Name }}
+{{- if .Values.extraLabels.clusterRoleBinding }}
+ labels:
+ {{- toYaml .Values.extraLabels.clusterRoleBinding | nindent 4 }}
+{{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ .Values.clusterRoleName | default .Release.Name }}
+subjects:
+- kind: ServiceAccount
+ name: {{ template "teleport-kube-agent.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end -}}
diff --git a/teleport-kube-agent-13.3.8/templates/config.yaml b/teleport-kube-agent-13.3.8/templates/config.yaml
new file mode 100644
index 0000000..d97ebae
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/templates/config.yaml
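Review bot: The first rule grants `impersonate` on `users`, `groups` and `serviceaccounts` cluster-wide with no `resourceNames` restriction, which is the broadest permission in the chart: whoever holds the agent's ServiceAccount token can act as any subject, including groups that carry `cluster-admin`. That scope is presumably what the agent needs to forward Teleport identities to the API server, but unlike admin_clusterrolebinding.yaml this template carries no comment saying so, and a reader auditing RBAC should not have to guess. A comment above the rule such as `# impersonate is how the agent acts as the Teleport user and groups on the API server; it is unrestricted by design, so protect this ServiceAccount's token accordingly` would document the intent, and the `clusterRoleName | default .Release.Name` default is worth a note that the name is cluster-scoped, so releases with the same name in different namespaces collide.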
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Release.Name }}
+ namespace: {{ .Release.Namespace }}
+{{- if .Values.extraLabels.config }}
+ labels:
+ {{- toYaml .Values.extraLabels.config | nindent 4 }}
+{{- end }}
+ {{- if .Values.annotations.config }}
+ annotations:
+ {{- toYaml .Values.annotations.config | nindent 4 }}
+ {{- end }}
+data:
+ teleport.yaml: |
+ {{- mustMergeOverwrite (include "teleport-kube-agent.config" . | fromYaml) .Values.teleportConfig | toYaml | nindent 4 -}}
diff --git a/teleport-kube-agent-13.3.8/templates/delete_hook.yaml b/teleport-kube-agent-13.3.8/templates/delete_hook.yaml
new file mode 100644
index 0000000..0b8cd06
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/templates/delete_hook.yaml
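Review bot: `include "teleport-kube-agent.config" . | fromYaml` does not abort the render when the generated config is not valid YAML: Helm's `fromYaml` returns a map carrying an `Error` key instead, `mustMergeOverwrite` then merges that map with `.Values.teleportConfig`, and the ConfigMap ships a `teleport.yaml` holding an error string that the agent only rejects at startup. Capturing the parsed result and failing on the error key keeps a broken config from reaching the pod: `{{- $cfg := include "teleport-kube-agent.config" . | fromYaml }}`, `{{- if hasKey $cfg "Error" }}{{ fail (printf "generated teleport.yaml is invalid: %s" $cfg.Error) }}{{ end }}`, then `{{- mustMergeOverwrite $cfg .Values.teleportConfig | toYaml | nindent 4 -}}`. A comment on the `data` line noting that `teleportConfig` overrides any generated key, `join_params` and `proxy_server` included, would also make the extent of that escape hatch visible to operators.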
@@ -0,0 +1,95 @@
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "teleport-kube-agent.deleteHookServiceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": post-delete
+ "helm.sh/hook-weight": "-4"
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+---
+{{- end }}
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ .Release.Name }}-delete-hook
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": post-delete
+ "helm.sh/hook-weight": "-3"
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+rules:
+ - apiGroups: [""]
+ resources: ["secrets",]
+ verbs: ["get", "delete", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ .Release.Name }}-delete-hook
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": post-delete
+ "helm.sh/hook-weight": "-2"
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ .Release.Name }}-delete-hook
+subjects:
+- kind: ServiceAccount
+ name: {{ .Release.Name }}-delete-hook
+ namespace: {{ .Release.Namespace }}
+---
+{{- end }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ .Release.Name }}-delete-hook
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": post-delete
+ "helm.sh/hook-weight": "-1"
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+ template:
+ metadata:
+ name: {{ .Release.Name }}-delete-hook
+ spec:
+{{- if .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml .Values.imagePullSecrets | nindent 6 }}
+{{- end }}
+{{- if .Values.priorityClassName }}
+ priorityClassName: {{ .Values.priorityClassName }}
+{{- end }}
+ serviceAccountName: {{ template "teleport-kube-agent.deleteHookServiceAccountName" . 
}}
+ restartPolicy: OnFailure
+{{- if .Values.tolerations }}
+ tolerations:
+ {{- toYaml .Values.tolerations | nindent 6 }}
+{{- end }}
+{{- if .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml .Values.nodeSelector | nindent 8 }}
+{{- end }}
+ containers:
+ - name: post-delete-job
+ env:
+ - name: KUBE_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: RELEASE_NAME
+ value: {{ .Release.Name }}
+ image: {{ include "teleport-kube-agent.image" . | quote }}
+ {{- if .Values.imagePullPolicy }}
+ imagePullPolicy: {{ toYaml .Values.imagePullPolicy }}
+ {{- end }}
+ command: ["teleport"]
+ args: ["kube-state", "delete"]
+ {{- if .Values.securityContext }}
+ securityContext: {{- toYaml .Values.securityContext | nindent 10 }}
+ {{- end }}
diff --git a/teleport-kube-agent-13.3.8/templates/deployment.yaml b/teleport-kube-agent-13.3.8/templates/deployment.yaml
new file mode 100644
index 0000000..30b7924
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/templates/deployment.yaml
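Review bot: The RoleBinding's subject is hard-coded to `{{ .Release.Name }}-delete-hook`, while the ServiceAccount (when created) and the Job's `serviceAccountName` both come from `teleport-kube-agent.deleteHookServiceAccountName`, which prefers `serviceAccount.name` or `serviceAccountName` when either is set; in that configuration the Role is bound to an account that does not exist and the post-delete job runs `teleport kube-state delete` without the `secrets` get/list/delete permissions it is given here, unless the operator-supplied account carries its own. Using the same helper in the subject keeps the three in step: `name: {{ template "teleport-kube-agent.deleteHookServiceAccountName" . }}`. The Role's `resources: ["secrets",]` trailing comma is accepted by YAML flow syntax but reads like a leftover, and since this Role can delete any Secret in the release namespace a comment stating which secrets the hook is expected to remove would help an auditor judge the scope.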
@@ -0,0 +1,216 @@
+#
+# Warning to maintainers, any changes to this file that are not specific to the Deployment need to also be duplicated
+# in the statefulset.yaml file.
+#
+{{- if and (not .Values.storage.enabled) (include "teleport.kube.agent.isUpgrade" . ) }}
+{{- $replicaCount := (coalesce .Values.replicaCount .Values.highAvailability.replicaCount "1") }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ .Release.Name }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Release.Name }}
+ {{- if .Values.extraLabels.deployment }}
+ {{- toYaml .Values.extraLabels.deployment | nindent 4 }}
+ {{- end }}
+ {{- if .Values.annotations.deployment }}
+ annotations:
+ {{- toYaml .Values.annotations.deployment | nindent 4 }}
+ {{- end }}
+spec:
+ replicas: {{ $replicaCount }}
+ selector:
+ matchLabels:
+ app: {{ .Release.Name }}
+ template:
+ metadata:
+ annotations:
+ # ConfigMap checksum, to recreate the pod on config changes.
+ checksum/config: {{ include (print $.Template.BasePath "/config.yaml") .
| sha256sum }}
+{{- if .Values.annotations.pod }}
+ {{- toYaml .Values.annotations.pod | nindent 8 }}
+{{- end }}
+ labels:
+ app: {{ .Release.Name }}
+{{- if .Values.extraLabels.pod }}
+ {{- toYaml .Values.extraLabels.pod | nindent 8 }}
+{{- end }}
+ spec:
+ {{- if .Values.dnsConfig }}
+ dnsConfig: {{- toYaml .Values.dnsConfig | nindent 8 }}
+ {{- end }}
+ {{- if .Values.dnsPolicy }}
+ dnsPolicy: {{ .Values.dnsPolicy | quote }}
+ {{- end }}
+ {{- if .Values.hostAliases }}
+ hostAliases: {{- toYaml .Values.hostAliases | nindent 8 }}
+ {{- end }}
+ {{- if or .Values.affinity (gt (int $replicaCount) 1) }}
+ affinity:
+ {{- if .Values.affinity }}
+ {{- if .Values.highAvailability.requireAntiAffinity }}
+ {{- fail "Cannot use highAvailability.requireAntiAffinity when affinity is also set in chart values - unset one or the other" }}
+ {{- end }}
+ {{- toYaml .Values.affinity | nindent 8 }}
+ {{- else }}
+ podAntiAffinity:
+ {{- if .Values.highAvailability.requireAntiAffinity }}
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: app
+ operator: In
+ values:
+ - {{ .Release.Name }}
+ topologyKey: "kubernetes.io/hostname"
+ {{- else if gt (int $replicaCount) 1 }}
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 50
+ podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: app
+ operator: In
+ values:
+ - {{ .Release.Name }}
+ topologyKey: "kubernetes.io/hostname"
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.tolerations }}
+ tolerations:
+ {{- toYaml .Values.tolerations | nindent 6 }}
+ {{- end }}
+{{- if .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml .Values.imagePullSecrets | nindent 6 }}
+{{- end }}
+{{- if .Values.initContainers }}
+ initContainers: {{- toYaml .Values.initContainers | nindent 6 }}
+ {{- if .Values.resources }}
+ resources: {{- toYaml .Values.resources | nindent 10 }}
+ {{- end }}
+ {{- if .Values.initSecurityContext }}
+ securityContext: {{- toYaml
.Values.initSecurityContext | nindent 10 }}
+ {{- end }}
+ volumeMounts:
+ - mountPath: /etc/teleport
+ name: "config"
+ readOnly: true
+ - mountPath: /etc/teleport-secrets
+ name: "auth-token"
+ readOnly: true
+ - mountPath: /var/lib/teleport
+ name: "data"
+ {{- if .Values.tls.existingCASecretName }}
+ - mountPath: /etc/teleport-tls-ca
+ name: "teleport-tls-ca"
+ readOnly: true
+ {{- end }}
+ {{- if .Values.extraVolumeMounts }}
+ {{- toYaml .Values.extraVolumeMounts | nindent 8 }}
+ {{- end }}
+{{- end }}
+ {{- if .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml .Values.nodeSelector | nindent 8 }}
+ {{- end }}
+ containers:
+ - name: "teleport"
+ image: {{ include "teleport-kube-agent.image" . | quote }}
+ {{- if .Values.imagePullPolicy }}
+ imagePullPolicy: {{ toYaml .Values.imagePullPolicy }}
+ {{- end }}
+ env:
+ # This variable is set for telemetry purposes.
+ # Telemetry is opt-in for oss users and controlled at the auth level.
+ - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
+ value: "true"
+ {{- if .Values.updater.enabled }}
+ - name: TELEPORT_EXT_UPGRADER
+ value: kube
+ {{- end }}
+ {{- if (gt (len .Values.extraEnv) 0) }}
+ {{- toYaml .Values.extraEnv | nindent 8 }}
+ {{- end }}
+ {{- if .Values.tls.existingCASecretName }}
+ - name: SSL_CERT_FILE
+ value: /etc/teleport-tls-ca/ca.pem
+ {{- end }}
+ args:
+ - "--diag-addr=0.0.0.0:3000"
+ {{- if .Values.insecureSkipProxyTLSVerify }}
+ - "--insecure"
+ {{- end }}
+ {{- if .Values.extraArgs }}
+ {{- toYaml .Values.extraArgs | nindent 8 }}
+ {{- end }}
+ {{- if .Values.securityContext }}
+ securityContext: {{- toYaml .Values.securityContext | nindent 10 }}
+ {{- end }}
+ ports:
+ - name: diag
+ containerPort: 3000
+ protocol: TCP
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: diag
+ initialDelaySeconds: 5 # wait 5s for agent to start
+ periodSeconds: 5 # poll health every 5s
+ failureThreshold: 6 # consider agent unhealthy after 30s (6 * 5s)
+ timeoutSeconds: {{ .Values.probeTimeoutSeconds }}
+
readinessProbe:
+ httpGet:
+ path: /readyz
+ port: diag
+ initialDelaySeconds: 5 # wait 5s for agent to register
+ periodSeconds: 5 # poll health every 5s
+ failureThreshold: 12 # consider agent unhealthy after 60s (12 * 5s)
+ timeoutSeconds: {{ .Values.probeTimeoutSeconds }}
+{{- if .Values.resources }}
+ resources:
+ {{- toYaml .Values.resources | nindent 10 }}
+{{- end }}
+ volumeMounts:
+ - mountPath: /etc/teleport
+ name: "config"
+ readOnly: true
+ - mountPath: /etc/teleport-secrets
+ name: "auth-token"
+ readOnly: true
+ - mountPath: /var/lib/teleport
+ name: {{ default "data" .Values.existingDataVolume }}
+ {{- if .Values.tls.existingCASecretName }}
+ - mountPath: /etc/teleport-tls-ca
+ name: "teleport-tls-ca"
+ readOnly: true
+ {{- end }}
+{{- if .Values.extraVolumeMounts }}
+ {{- toYaml .Values.extraVolumeMounts | nindent 8 }}
+{{- end }}
+ volumes:
+ - name: "config"
+ configMap:
+ name: {{ .Release.Name }}
+ - name: "auth-token"
+ secret:
+ secretName: {{ coalesce .Values.secretName .Values.joinTokenSecret.name }}
+ {{- if not .Values.existingDataVolume }}
+ - name: "data"
+ emptyDir: {}
+ {{- end }}
+ {{- if .Values.tls.existingCASecretName }}
+ - name: "teleport-tls-ca"
+ secret:
+ secretName: {{ .Values.tls.existingCASecretName }}
+ {{- end }}
+{{- if .Values.extraVolumes }}
+ {{- toYaml .Values.extraVolumes | nindent 6 }}
+{{- end }}
+{{- if .Values.priorityClassName }}
+ priorityClassName: {{ .Values.priorityClassName }}
+{{- end }}
+ serviceAccountName: {{ template "teleport-kube-agent.serviceAccountName" . }}
+{{- end }}
diff --git a/teleport-kube-agent-13.3.8/templates/hook.yaml b/teleport-kube-agent-13.3.8/templates/hook.yaml
new file mode 100644
index 0000000..e6d7de5
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/templates/hook.yaml
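Review bot: The init-container volumeMounts in this hunk hard-code `name: "data"` for `/var/lib/teleport`, while the main container uses `name: {{ default "data" .Values.existingDataVolume }}` and the `data` emptyDir is only declared when `existingDataVolume` is unset, so with `existingDataVolume` set the init containers reference a volume the pod spec does not declare; change the init mount to `name: {{ default "data" .Values.existingDataVolume }}` so both containers agree. The StatefulSet template in this patch sets a pod-level `securityContext` with `fsGroup: 9807` that this Deployment omits, although the header comment asks for the two files to be kept in sync; if the omission is deliberate for the upgrade-transition Deployment, record that in the header comment. The `resources`/`securityContext`/`volumeMounts` appended after `toYaml .Values.initContainers | nindent 6` appear (from the `nindent 10` values) to land inside the last init container only, which is worth a comment next to `initContainers:` so users with several init containers are not surprised.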
@@ -0,0 +1,97 @@
+{{- $deployment := (lookup "apps/v1" "Deployment" .Release.Namespace .Release.Name ) -}}
+{{- if $deployment }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Release.Name }}-hook
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": post-upgrade
+ "helm.sh/hook-weight": "-4"
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ .Release.Name }}-hook
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": post-upgrade
+ "helm.sh/hook-weight": "-3"
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+rules:
+ - apiGroups: ["apps"]
+ resources: ["statefulsets"]
+ resourceNames: ["{{ .Release.Name }}"]
+ verbs: ["get", "watch", "list"]
+ - apiGroups: [""]
+ resources: ["pods",]
+ verbs: ["get", "watch"]
+ - apiGroups: ["apps"]
+ resources: ["deployments",]
+ resourceNames: ["{{ .Release.Name }}"]
+ verbs: ["get", "delete", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ .Release.Name }}-hook
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": post-upgrade
+ "helm.sh/hook-weight": "-2"
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ .Release.Name }}-hook
+subjects:
+- kind: ServiceAccount
+ name: {{ .Release.Name }}-hook
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ .Release.Name }}-hook
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": post-upgrade
+ "helm.sh/hook-weight": "-1"
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+ template:
+ metadata:
+ name: {{ .Release.Name }}-hook
+ spec:
+{{- if .Values.priorityClassName }}
+ priorityClassName: {{ .Values.priorityClassName }}
+{{- end }}
+{{- if .Values.tolerations }}
+ tolerations:
+ {{-
toYaml .Values.tolerations | nindent 6 }}
+{{- end }}
+ serviceAccountName: {{ .Release.Name }}-hook
+ restartPolicy: OnFailure
+{{- if .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml .Values.nodeSelector | nindent 8 }}
+{{- end }}
+ containers:
+ - name: post-install-job
+ image: alpine/k8s:1.26.0
+ command:
+ - sh
+ - "-c"
+ - |
+ /bin/sh <<'EOF'
+ set -eu -o pipefail
+ # wait until statefulset is ready
+ kubectl rollout status --watch --timeout=600s statefulset/{{ .Release.Name }}
+ # delete deployment
+ kubectl delete deployment/{{ .Release.Name }}
+ EOF
+ {{- if .Values.securityContext }}
+ securityContext: {{- toYaml .Values.securityContext | nindent 10 }}
+ {{- end }}
+{{- end}}
diff --git a/teleport-kube-agent-13.3.8/templates/pdb.yaml b/teleport-kube-agent-13.3.8/templates/pdb.yaml
new file mode 100644
index 0000000..6b6e17a
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/templates/pdb.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.highAvailability.podDisruptionBudget.enabled }}
+{{- if .Capabilities.APIVersions.Has "policy/v1" }}
+apiVersion: policy/v1
+{{- else }}
+apiVersion: policy/v1beta1
+{{- end }}
+kind: PodDisruptionBudget
+metadata:
+ name: {{ .Release.Name }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Release.Name }}
+{{- if .Values.extraLabels.podDisruptionBudget }}
+ {{- toYaml .Values.extraLabels.podDisruptionBudget | nindent 4 }}
+{{- end }}
+spec:
+ minAvailable: {{ .Values.highAvailability.podDisruptionBudget.minAvailable }}
+ selector:
+ matchLabels:
+ app: {{ .Release.Name }}
+{{- end }}
diff --git a/teleport-kube-agent-13.3.8/templates/podmonitor.yaml b/teleport-kube-agent-13.3.8/templates/podmonitor.yaml
new file mode 100644
index 0000000..6bc0ccd
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/templates/podmonitor.yaml
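Review bot: The post-upgrade Job pins `image: alpine/k8s:1.26.0` by mutable tag only, with no chart value to override it and no `imagePullSecrets`, whereas the post-delete hook earlier in this patch honours `.Values.imagePullSecrets`; a third-party image resolved by tag at run time, in a Job whose Role carries `delete` on the release Deployment, is a supply-chain exposure, so expose the image through a chart value and pin it by digest (`image: "<REPO>@sha256:<DIGEST>"` with both taken from the registry, placeholders here). `lookup` on the first line returns nothing under `helm template` and dry-run, so none of these hook resources appear in rendered-manifest review or snapshot tests; a comment such as `# lookup is empty under helm template/dry-run: this hook only renders during a live upgrade` would save maintainers a puzzling test gap. The shell block runs `kubectl` as whatever the default shell in that image provides, so `set -eu -o pipefail` is only honoured if that shell supports `pipefail` — worth confirming for the pinned image.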
@@ -0,0 +1,31 @@
+{{- if.Values.podMonitor.enabled -}}
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+ name: {{ .Release.Name }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- with .Values.podMonitor.additionalLabels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ jobLabel: {{ .Release.Name }}
+ namespaceSelector:
+ matchNames:
+ - {{ .Release.Namespace }}
+ selector:
+ matchLabels:
+ app: {{ .Release.Name }}
+ podMetricsEndpoints:
+ - port: diag
+ path: /metrics
+ {{- with .Values.podMonitor.interval }}
+ interval: {{ . | quote }}
+ {{- end }}
+ podTargetLabels:
+ - "app.kubernetes.io/name"
+ - "app.kubernetes.io/instance"
+ - "app.kubernetes.io/component"
+ - "app.kubernetes.io/version"
+ - "teleport.dev/majorVersion"
+{{- end }}
diff --git a/teleport-kube-agent-13.3.8/templates/psp.yaml b/teleport-kube-agent-13.3.8/templates/psp.yaml
new file mode 100644
index 0000000..bdf8b10
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/templates/psp.yaml
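Review bot: `{{- if.Values.podMonitor.enabled -}}` on the first line is missing the space after `if`; the Go template lexer accepts `.` as a keyword terminator so it still renders, but it reads as a typo and every other guard in this patch is written `{{- if .Values.… }}`, so change it to `{{- if .Values.podMonitor.enabled -}}`. `podTargetLabels` asks Prometheus to copy `app.kubernetes.io/*` and `teleport.dev/majorVersion` labels, yet the pod templates in this patch only set `app: {{ .Release.Name }}` plus whatever `extraLabels.pod` supplies, so those target labels are empty by default; either add `app` to the list or note above it that the listed labels are expected to come from `extraLabels.pod`. `labels:` with only a `with` block inside renders as an empty mapping when `additionalLabels` is unset, which the API accepts but is worth a short comment.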
@@ -0,0 +1,70 @@
+{{/* PSPs are deprecated in 1.22 and removed in 1.25. However Helm doesn't handle their removal properly in 1.25
+ We must remove them before 1.25 to ensure the Helm state doesn't corrupt. As this is a breaking change, this
+ only applies to v12+ charts. v11 and below will only show a warning from the NOTES.txt.
+ Users must use PSAs instead (beta in 1.23, GA in 1.25). The "teleport-cluster" chart runs in "baseline" mode */}}
+{{- if and .Values.podSecurityPolicy.enabled (semverCompare "<1.23.0-0" .Capabilities.KubeVersion.Version) -}}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ .Release.Name }}
+{{- if .Values.extraLabels.podSecurityPolicy }}
+ labels:
+ {{- toYaml .Values.extraLabels.podSecurityPolicy | nindent 4 }}
+{{- end }}
+ annotations:
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
+ seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
+spec:
+ privileged: false
+ allowPrivilegeEscalation: false
+ requiredDropCapabilities:
+ - ALL
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: MustRunAs
+ ranges:
+ # Forbid adding the root group.
+ - min: 1
+ max: 65535
+ runAsUser:
+ rule: MustRunAsNonRoot
+ fsGroup:
+ rule: MustRunAs
+ ranges:
+ # Forbid adding the root group.
+ - min: 1
+ max: 65535
+ readOnlyRootFilesystem: true
+ volumes:
+ - '*'
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ .Release.Name }}-psp
+rules:
+- apiGroups:
+ - policy
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+ resourceNames:
+ - {{ .Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ .Release.Name }}-psp
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ .Release.Name }}-psp
+subjects:
+- kind: ServiceAccount
+ name: {{ template "teleport-kube-agent.serviceAccountName" . }}
+{{- end -}}
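Review bot: `volumes: - '*'` in the PodSecurityPolicy admits every volume type, including `hostPath`, which undercuts `readOnlyRootFilesystem`, `MustRunAsNonRoot` and the `host*: false` settings because a hostPath mount hands the pod the node's filesystem; the agent pods in this patch only use `configMap`, `secret`, `emptyDir` and, for the StatefulSet's `volumeClaimTemplates`, `persistentVolumeClaim`, so list those types explicitly and reserve anything wider for users of `extraVolumes`, stating that in a comment above `volumes:`. The `Role` and `RoleBinding` here carry no `metadata.namespace`, while every other namespaced resource in the patch sets `{{ .Release.Namespace }}`; Helm fills in the release namespace, but the explicit field keeps the files consistent and survives `kubectl apply` of a rendered manifest. The two `# Forbid adding the root group.` comments describe `min: 1` correctly but would be clearer as `# Forbid gid 0 (root group); ranges start at 1.`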
diff --git a/teleport-kube-agent-13.3.8/templates/role.yaml b/teleport-kube-agent-13.3.8/templates/role.yaml
new file mode 100644
index 0000000..9cffd88
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/templates/role.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ .Values.roleName | default .Release.Name }}
+ namespace: {{ .Release.Namespace }}
+{{- if .Values.extraLabels.role }}
+ labels:
+ {{- toYaml .Values.extraLabels.role | nindent 4 }}
+{{- end }}
+rules:
+- apiGroups: [""]
+ # objects is "secrets"
+ resources: ["secrets"]
+ verbs: ["create", "get", "update","patch"]
\ No newline at end of file
diff --git a/teleport-kube-agent-13.3.8/templates/rolebinding.yaml b/teleport-kube-agent-13.3.8/templates/rolebinding.yaml
new file mode 100644
index 0000000..563853e
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/templates/rolebinding.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ .Values.roleBindingName | default .Release.Name }}
+ namespace: {{ .Release.Namespace }}
+{{- if .Values.extraLabels.roleBinding }}
+ labels:
+ {{- toYaml .Values.extraLabels.roleBinding | nindent 4 }}
+{{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ .Values.roleName | default .Release.Name }}
+subjects:
+- kind: ServiceAccount
+ name: {{ template "teleport-kube-agent.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
diff --git a/teleport-kube-agent-13.3.8/templates/secret.yaml b/teleport-kube-agent-13.3.8/templates/secret.yaml
new file mode 100644
index 0000000..0b23ec1
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/templates/secret.yaml
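Review bot: The agent Role grants `create`, `get`, `update` and `patch` on all Secrets in the namespace with no `resourceNames`, which gives the agent's service account read and write access to every secret there, the join-token secret included; `create` cannot be name-scoped, but if the agent only ever touches its own state secrets (the updater Role later in this patch reads `{{ .Release.Name }}-shared-state`, which suggests a predictable name — confirm against the agent's kube-state code) the `get`/`update`/`patch` verbs can move into a second rule with a `resourceNames` list, leaving only `create` unscoped. The comment `# objects is "secrets"` restates the following line; replace it with the reason for the grant, e.g. `# the agent persists its kube-state in secrets it creates in this namespace` if that is accurate. The file ends without a trailing newline (`\ No newline at end of file`), and `"update","patch"` lacks the space used in the other flow sequences in this patch.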
@@ -0,0 +1,19 @@
+{{- if .Values.joinTokenSecret.create }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ coalesce .Values.secretName .Values.joinTokenSecret.name }}
+ namespace: {{ .Release.Namespace }}
+{{- if .Values.extraLabels.secret }}
+ labels:
+ {{- toYaml .Values.extraLabels.secret | nindent 4 }}
+{{- end }}
+{{- if .Values.annotations.secret }}
+ annotations:
+ {{- toYaml .Values.annotations.secret | nindent 4 }}
+{{- end }}
+type: Opaque
+stringData:
+ auth-token: |
+ {{ coalesce .Values.joinParams.tokenName .Values.authToken }}
+{{- end}}
diff --git a/teleport-kube-agent-13.3.8/templates/serviceaccount.yaml b/teleport-kube-agent-13.3.8/templates/serviceaccount.yaml
new file mode 100644
index 0000000..f75d202
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/templates/serviceaccount.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "teleport-kube-agent.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- if .Values.extraLabels.serviceAccount }}
+ labels:
+ {{- toYaml .Values.extraLabels.serviceAccount | nindent 4 }}
+{{- end }}
+{{- if .Values.annotations.serviceAccount }}
+ annotations:
+{{- toYaml .Values.annotations.serviceAccount | nindent 4 }}
+{{- end -}}
+{{- end -}}
diff --git a/teleport-kube-agent-13.3.8/templates/statefulset.yaml b/teleport-kube-agent-13.3.8/templates/statefulset.yaml
new file mode 100644
index 0000000..4f31010
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/templates/statefulset.yaml
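Review bot: `stringData.auth-token` is rendered straight from `.Values.joinParams.tokenName` / `.Values.authToken`, so the join token lands in the rendered manifest that Helm persists in its release storage and prints from `helm get manifest`, in addition to the Secret object itself; the template already supports an externally managed secret (`joinTokenSecret.create: false` with `secretName`), and a comment above `stringData:` pointing production installs at that path — e.g. `# The token given in values is also stored in the Helm release record; prefer joinTokenSecret.create=false with a pre-created secret` — would make the trade-off visible. The `|` block scalar keeps a trailing newline on the token; if the agent reads the file verbatim (not determinable from this patch), `|-` avoids shipping the newline as part of the credential. The `{{- end}}` closer lacks the space used by the other `{{- end }}` tags in this patch.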
@@ -0,0 +1,239 @@
+#
+# Warning to maintainers, any changes to this file that are not specific to the StatefulSet need to also be duplicated
+# in the deployment.yaml file.
+#
+{{- $replicaCount := (coalesce .Values.replicaCount .Values.highAvailability.replicaCount "1") }}
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: {{ .Release.Name }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Release.Name }}
+ {{- if .Values.extraLabels.deployment }}
+ {{- toYaml .Values.extraLabels.deployment | nindent 4 }}
+ {{- end }}
+spec:
+ serviceName: {{ .Release.Name }}
+ replicas: {{ $replicaCount }}
+ selector:
+ matchLabels:
+ app: {{ .Release.Name }}
+ template:
+ metadata:
+ annotations:
+ # ConfigMap checksum, to recreate the pod on config changes.
+ checksum/config: {{ include (print $.Template.BasePath "/config.yaml") . | sha256sum }}
+{{- if .Values.annotations.pod }}
+ {{- toYaml .Values.annotations.pod | nindent 8 }}
+{{- end }}
+ labels:
+ app: {{ .Release.Name }}
+{{- if .Values.extraLabels.pod }}
+ {{- toYaml .Values.extraLabels.pod | nindent 8 }}
+{{- end }}
+ spec:
+ {{- if .Values.dnsConfig }}
+ dnsConfig: {{- toYaml .Values.dnsConfig | nindent 8 }}
+ {{- end }}
+ {{- if .Values.dnsPolicy }}
+ dnsPolicy: {{ .Values.dnsPolicy | quote }}
+ {{- end }}
+ {{- if .Values.hostAliases }}
+ hostAliases: {{- toYaml .Values.hostAliases | nindent 8 }}
+ {{- end }}
+ securityContext:
+ fsGroup: 9807
+ {{- if or .Values.affinity (gt (int $replicaCount) 1) }}
+ affinity:
+ {{- if .Values.affinity }}
+ {{- if .Values.highAvailability.requireAntiAffinity }}
+ {{- fail "Cannot use highAvailability.requireAntiAffinity when affinity is also set in chart values - unset one or the other" }}
+ {{- end }}
+ {{- toYaml .Values.affinity | nindent 8 }}
+ {{- else }}
+ podAntiAffinity:
+ {{- if .Values.highAvailability.requireAntiAffinity }}
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: app
+ operator: In
+ values:
+ - {{ .Release.Name }}
+ topologyKey: "kubernetes.io/hostname"
+ {{- else if gt (int $replicaCount) 1 }}
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 50
+ podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: app
+ operator: In
+ values:
+ - {{ .Release.Name }}
+ topologyKey: "kubernetes.io/hostname"
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.tolerations }}
+ tolerations:
+ {{- toYaml .Values.tolerations | nindent 6 }}
+ {{- end }}
+{{- if .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml .Values.imagePullSecrets | nindent 6 }}
+{{- end }}
+{{- if .Values.initContainers }}
+ initContainers: {{- toYaml .Values.initContainers | nindent 6 }}
+ {{- if .Values.resources }}
+ resources: {{- toYaml .Values.resources | nindent 10 }}
+ {{- end }}
+ {{- if .Values.initSecurityContext }}
+ securityContext: {{- toYaml .Values.initSecurityContext | nindent 10 }}
+ {{- end }}
+ volumeMounts:
+ - mountPath: /etc/teleport
+ name: "config"
+ readOnly: true
+ - mountPath: /etc/teleport-secrets
+ name: "auth-token"
+ readOnly: true
+ - mountPath: /var/lib/teleport
+ name: "{{ .Release.Name }}-teleport-data"
+ {{- if .Values.tls.existingCASecretName }}
+ - mountPath: /etc/teleport-tls-ca
+ name: "teleport-tls-ca"
+ readOnly: true
+ {{- end }}
+ {{- if .Values.extraVolumeMounts }}
+ {{- toYaml .Values.extraVolumeMounts | nindent 8 }}
+ {{- end }}
+{{- end }}
+{{- if .Values.priorityClassName }}
+ priorityClassName: {{ .Values.priorityClassName }}
+{{- end }}
+ serviceAccountName: {{ template "teleport-kube-agent.serviceAccountName" . }}
+ {{- if .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml .Values.nodeSelector | nindent 8 }}
+ {{- end }}
+ containers:
+ - name: "teleport"
+ image: {{ include "teleport-kube-agent.image" . | quote }}
+ {{- if .Values.imagePullPolicy }}
+ imagePullPolicy: {{ toYaml .Values.imagePullPolicy }}
+ {{- end }}
+ env:
+ # This variable is set for telemetry purposes.
+ # Telemetry is opt-in and controlled at the auth level.
+ - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
+ value: "true"
+ - name: TELEPORT_REPLICA_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: KUBE_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: RELEASE_NAME
+ value: {{ .Release.Name }}
+ {{- if .Values.updater.enabled }}
+ - name: TELEPORT_EXT_UPGRADER
+ value: kube
+ {{- end }}
+ {{- if .Values.tls.existingCASecretName }}
+ - name: SSL_CERT_FILE
+ value: /etc/teleport-tls-ca/ca.pem
+ {{- end }}
+ {{- if .Values.extraEnv }}
+ {{- toYaml .Values.extraEnv | nindent 10 }}
+ {{- end }}
+ args:
+ - "--diag-addr=0.0.0.0:3000"
+ {{- if .Values.insecureSkipProxyTLSVerify }}
+ - "--insecure"
+ {{- end }}
+ {{- if .Values.extraArgs }}
+ {{- toYaml .Values.extraArgs | nindent 8 }}
+ {{- end }}
+ {{- if .Values.securityContext }}
+ securityContext: {{- toYaml .Values.securityContext | nindent 10 }}
+ {{- end }}
+ ports:
+ - name: diag
+ containerPort: 3000
+ protocol: TCP
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: diag
+ initialDelaySeconds: 5 # wait 5s for agent to start
+ periodSeconds: 5 # poll health every 5s
+ failureThreshold: 6 # consider agent unhealthy after 30s (6 * 5s)
+ timeoutSeconds: {{ .Values.probeTimeoutSeconds }}
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: diag
+ initialDelaySeconds: 5 # wait 5s for agent to register
+ periodSeconds: 5 # poll health every 5s
+ failureThreshold: 12 # consider agent unhealthy after 60s (12 * 5s)
+ timeoutSeconds: {{ .Values.probeTimeoutSeconds }}
+{{- if .Values.resources }}
+ resources:
+ {{- toYaml .Values.resources | nindent 10 }}
+{{- end }}
+ volumeMounts:
+ - mountPath: /etc/teleport
+ name: "config"
+ readOnly: true
+ - mountPath: /etc/teleport-secrets
+ name: "auth-token"
+ readOnly: true
+{{- if .Values.storage.enabled }}
+ - mountPath: /var/lib/teleport
+ name: "{{ .Release.Name }}-teleport-data"
+{{- else }}
+ - mountPath: /var/lib/teleport
+
name: "data"
+{{- end }}
+{{- if .Values.tls.existingCASecretName }}
+ - mountPath: /etc/teleport-tls-ca
+ name: "teleport-tls-ca"
+ readOnly: true
+{{- end }}
+{{- if .Values.extraVolumeMounts }}
+ {{- toYaml .Values.extraVolumeMounts | nindent 8 }}
+{{- end }}
+ volumes:
+ - name: "config"
+ configMap:
+ name: {{ .Release.Name }}
+ - name: "auth-token"
+ secret:
+ secretName: {{ coalesce .Values.secretName .Values.joinTokenSecret.name }}
+{{- if not .Values.storage.enabled }}
+ - name: "data"
+ emptyDir: {}
+{{- end}}
+{{- if .Values.tls.existingCASecretName }}
+ - name: "teleport-tls-ca"
+ secret:
+ secretName: {{ .Values.tls.existingCASecretName }}
+{{- end }}
+{{- if .Values.extraVolumes }}
+ {{- toYaml .Values.extraVolumes | nindent 6 }}
+{{- end }}
+{{- if and .Values.storage.enabled }}
+ volumeClaimTemplates:
+ - metadata:
+ name: "{{ .Release.Name }}-teleport-data"
+ spec:
+ accessModes: [ "ReadWriteOnce" ]
+ storageClassName: {{ .Values.storage.storageClassName }}
+ resources:
+ requests:
+ storage: {{ .Values.storage.requests }}
+{{- end }}
diff --git a/teleport-kube-agent-13.3.8/templates/updater/_helpers.tpl b/teleport-kube-agent-13.3.8/templates/updater/_helpers.tpl
new file mode 100644
index 0000000..59fb0c2
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/templates/updater/_helpers.tpl
@@ -0,0 +1,7 @@
+{{/*
+Create the name of the service account to use
+if serviceAccount is not defined or serviceAccount.name is empty, use .Release.Name
+*/}}
+{{- define "teleport-kube-agent-updater.serviceAccountName" -}}
+{{- coalesce .Values.updater.serviceAccount.name (include "teleport-kube-agent.serviceAccountName" . | printf "%s-updater") -}}
+{{- end -}}
diff --git a/teleport-kube-agent-13.3.8/templates/updater/deployment.yaml b/teleport-kube-agent-13.3.8/templates/updater/deployment.yaml
new file mode 100644
index 0000000..b214d3f
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/templates/updater/deployment.yaml
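Review bot: The init-container `volumeMounts` in this StatefulSet mount `/var/lib/teleport` from `"{{ .Release.Name }}-teleport-data"` unconditionally, but that volume only exists through `volumeClaimTemplates` when `storage.enabled` is true; with storage disabled the data volume is the `"data"` emptyDir, which the main container already selects via `{{- if .Values.storage.enabled }} … {{- else }} … {{- end }}`, so any user with `initContainers` and `storage.enabled: false` gets a pod rejected for an undeclared volume. The init mount should use the same conditional as the main container, shown below. Also `{{- if and .Values.storage.enabled }}` before `volumeClaimTemplates` applies `and` to a single operand, which renders fine but reads as an unfinished condition — `{{- if .Values.storage.enabled }}` says what is meant — and the `{{- end}}` after the emptyDir block lacks the space used elsewhere.
```yaml
        - mountPath: /etc/teleport-secrets
          name: "auth-token"
          readOnly: true
{{- if .Values.storage.enabled }}
        - mountPath: /var/lib/teleport
          name: "{{ .Release.Name }}-teleport-data"
{{- else }}
        - mountPath: /var/lib/teleport
          name: "data"
{{- end }}
# … unchanged: teleport-tls-ca mount and extraVolumeMounts …
```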
@@ -0,0 +1,113 @@
+{{- if .Values.updater.enabled -}}
+{{- $updater := mustMergeOverwrite (mustDeepCopy .Values) .Values.updater -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ .Release.Name }}-updater
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Release.Name }}-updater
+{{- if $updater.extraLabels.deployment }}
+ {{- toYaml $updater.extraLabels.deployment | nindent 4 }}
+{{- end }}
+{{- if $updater.annotations.deployment }}
+ annotations: {{- toYaml $updater.annotations.deployment | nindent 4 }}
+{{- end }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: {{ .Release.Name }}-updater
+ template:
+ metadata:
+ annotations:
+{{- if $updater.annotations.pod }}
+ {{- toYaml $updater.annotations.pod | nindent 8 }}
+{{- end }}
+ labels:
+ app: {{ .Release.Name }}-updater
+{{- if $updater.extraLabels.pod }}
+ {{- toYaml $updater.extraLabels.pod | nindent 8 }}
+{{- end }}
+ spec:
+{{- if $updater.affinity }}
+ affinity: {{- toYaml $updater.affinity | nindent 8 }}
+{{- end }}
+{{- if $updater.tolerations }}
+ tolerations: {{- toYaml $updater.tolerations | nindent 8 }}
+{{- end }}
+{{- if $updater.imagePullSecrets }}
+ imagePullSecrets: {{- toYaml $updater.imagePullSecrets | nindent 8 }}
+{{- end }}
+{{- if $updater.nodeSelector }}
+ nodeSelector: {{- toYaml $updater.nodeSelector | nindent 8 }}
+{{- end }}
+ containers:
+ - name: "kube-agent-updater"
+ image: "{{ $updater.image }}:{{ include "teleport-kube-agent.version" . }}"
+{{- if $updater.imagePullPolicy }}
+ imagePullPolicy: {{ toYaml $updater.imagePullPolicy }}
+{{- end }}
+{{- if or $updater.extraEnv $updater.tls.existingCASecretName }}
+ env:
+ {{- if (gt (len $updater.extraEnv) 0) }}
+ {{- toYaml $updater.extraEnv | nindent 8 }}
+ {{- end }}
+ {{- if $updater.tls.existingCASecretName }}
+ - name: SSL_CERT_FILE
+ value: /etc/teleport-tls-ca/ca.pem
+ # Used to track whether a Teleport agent was installed using this method.
+ - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
+ value: true
+ {{- end }}
+{{- end }}
+ args:
+ - "--agent-name={{ .Release.Name }}"
+ - "--agent-namespace={{ .Release.Namespace }}"
+ - "--base-image={{ include "teleport-kube-agent.baseImage" . }}"
+ - "--version-server={{ $updater.versionServer }}"
+ - "--version-channel={{ $updater.releaseChannel }}"
+{{- if $updater.securityContext }}
+ securityContext: {{- toYaml $updater.securityContext | nindent 10 }}
+{{- end }}
+ ports:
+ - name: metrics
+ containerPort: 8080
+ protocol: TCP
+ - name: healthz
+ containerPort: 8081
+ protocol: TCP
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: healthz
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ failureThreshold: 6 # consider agent unhealthy after 30s (6 * 5s)
+ timeoutSeconds: 5
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: healthz
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ failureThreshold: 6 # consider unready after 30s
+ timeoutSeconds: 5
+{{- if $updater.resources }}
+ resources: {{- toYaml $updater.resources | nindent 10 }}
+{{- end }}
+{{- if $updater.tls.existingCASecretName }}
+ volumeMounts:
+ - mountPath: /etc/teleport-tls-ca
+ name: "teleport-tls-ca"
+ readOnly: true
+ volumes:
+ - name: "teleport-tls-ca"
+ secret:
+ secretName: {{ $updater.tls.existingCASecretName }}
+{{- end }}
+{{- if $updater.priorityClassName }}
+ priorityClassName: {{ $updater.priorityClassName }}
+{{- end }}
+ serviceAccountName: {{ template "teleport-kube-agent-updater.serviceAccountName" . }}
+{{- end -}}
diff --git a/teleport-kube-agent-13.3.8/templates/updater/role.yaml b/teleport-kube-agent-13.3.8/templates/updater/role.yaml
new file mode 100644
index 0000000..1260847
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/templates/updater/role.yaml
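Review bot: `value: true` for `TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT` at the top of this hunk is an unquoted YAML boolean, but `env[].value` is a string field, so the API server rejects the rendered Deployment (bool cannot be unmarshalled into a string) whenever `tls.existingCASecretName` is set; the agent Deployment and StatefulSet in this patch write `value: "true"`, so this line should read `value: "true"`. The variable is also emitted only inside the `existingCASecretName` branch, which does not match the comment above it ("track whether a Teleport agent was installed using this method"); if it is meant to be set unconditionally, move it out of that `if`, noting that the enclosing `env:` key is itself gated on `or $updater.extraEnv $updater.tls.existingCASecretName` and would need its guard widened. The updater image is built from `{{ $updater.image }}` plus a version tag with no digest option; a comment pointing at how the updater verifies what it pulls (not visible in this patch) would help reviewers of the supply chain.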
@@ -0,0 +1,95 @@
+{{- if .Values.updater.enabled -}}
+{{- $updater := mustMergeOverwrite (mustDeepCopy .Values) .Values.updater -}}
+{{- if $updater.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ .Release.Name }}-updater
+ namespace: {{ .Release.Namespace }}
+{{- if $updater.extraLabels.role }}
+ labels: {{- toYaml $updater.extraLabels.role | nindent 4 }}
+{{- end }}
+rules:
+# the updater needs to list pods to check their health
+# it also needs to delete pods to unstuck Statefulset rollouts
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - watch
+ - list
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - pods/status
+ verbs:
+ - get
+ - watch
+ - list
+# the updater needs to get the secret created by the agent containing the
+# maintenance window
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - watch
+ - list
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ resourceNames:
+ - {{ .Release.Name }}-shared-state
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+# the controller in the updater must be able to watch deployments and
+# statefulsets and get the one it should reconcile
+- apiGroups:
+ - "apps"
+ resources:
+ - deployments
+ - statefulsets
+ - deployments/status
+ - statefulsets/status
+ verbs:
+ - get
+ - watch
+ - list
+# However the updater should only update the agent it is watching
+- apiGroups:
+ - "apps"
+ resources:
+ - deployments
+ - statefulsets
+ verbs:
+ - update
+ resourceNames:
+ - {{ .Release.Name }}
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - create
+- apiGroups:
+ - coordination.k8s.io
+ resourceNames:
+ - {{ .Release.Name }}
+ resources:
+ - leases
+ verbs:
+ - get
+ - update
+{{- end -}}
+{{- end -}}
diff --git a/teleport-kube-agent-13.3.8/templates/updater/rolebinding.yaml b/teleport-kube-agent-13.3.8/templates/updater/rolebinding.yaml
new file mode 100644
index 0000000..6cacc3d
--- /dev/null
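Review bot: The `secrets` rule granting `watch` and `list` carries no `resourceNames`, and both verbs return full object bodies, so the updater's service account can read every Secret in the namespace — including the join-token secret that `secret.yaml` in this patch creates — which makes the name-scoped `get` rule on `{{ .Release.Name }}-shared-state` beneath it largely cosmetic. If the updater can work from `get` alone (polling its single state secret), drop the `watch`/`list` rule; if it genuinely needs a watch, say so in the comment and record the exposure, e.g. `# list/watch cannot be restricted by resourceNames: this grants read access to every secret in the namespace`, so operators can decide whether the agent deserves its own namespace. The first rule's `delete` on `pods` is likewise unscoped; StatefulSet pod names are predictable (`<name>-<ordinal>`), so a `resourceNames` list is impractical for arbitrary replica counts, but the comment should state that the updater deletes only the agent's own pods if that is what the controller enforces.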
+++ b/teleport-kube-agent-13.3.8/templates/updater/rolebinding.yaml
@@ -0,0 +1,22 @@
+{{- if .Values.updater.enabled -}}
+{{- $updater := mustMergeOverwrite (mustDeepCopy .Values) .Values.updater -}}
+{{- if $updater.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ .Release.Name }}-updater
+ namespace: {{ .Release.Namespace }}
+{{- if $updater.extraLabels.roleBinding }}
+ labels:
+ {{- toYaml $updater.extraLabels.roleBinding | nindent 4 }}
+{{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ .Release.Name }}-updater
+subjects:
+- kind: ServiceAccount
+ name: {{ template "teleport-kube-agent-updater.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end -}}
+{{- end -}}
diff --git a/teleport-kube-agent-13.3.8/templates/updater/serviceaccount.yaml b/teleport-kube-agent-13.3.8/templates/updater/serviceaccount.yaml
new file mode 100644
index 0000000..2382e3d
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/templates/updater/serviceaccount.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.updater.enabled -}}
+{{- $updater := mustMergeOverwrite (mustDeepCopy .Values) .Values.updater -}}
+{{- if $updater.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "teleport-kube-agent-updater.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- if $updater.extraLabels.serviceAccount }}
+ labels: {{- toYaml $updater.extraLabels.serviceAccount | nindent 4 }}
+{{- end }}
+{{- if $updater.annotations.serviceAccount }}
+ annotations: {{- toYaml $updater.annotations.serviceAccount | nindent 4 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/teleport-kube-agent-13.3.8/tests/README.md b/teleport-kube-agent-13.3.8/tests/README.md
new file mode 100644
index 0000000..d81e659
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/tests/README.md
@@ -0,0 +1,23 @@ +## Unit tests for Helm charts + +Helm chart unit tests run here using the [helm-unittest](https://github.com/quintush/helm-unittest/) Helm plugin. + +*Note: there are multiple forks for the helm-unittest plugin. +They are not compatible and don't provide the same featureset (e.g. including templates from sub-directories). +Our tests rely on features and bugfixes that are only available on the quintush fork +(which seems to be the most maintained at the time of writing)* + +If you get a snapshot error during your testing, you should verify that your changes intended to alter the output, then run +this command from the root of your Teleport checkout to update the snapshots: + +```bash +make -C build.assets test-helm-update-snapshots +``` + +After this, re-run the tests to make sure everything is fine: + +```bash +make -C build.assets test-helm +``` + +Commit the updated snapshots along with your changes. diff --git a/teleport-kube-agent-13.3.8/tests/__snapshot__/admin_clusterrolebinding_test.yaml.snap b/teleport-kube-agent-13.3.8/tests/__snapshot__/admin_clusterrolebinding_test.yaml.snap new file mode 100644 index 0000000..4becab4 --- /dev/null +++ b/teleport-kube-agent-13.3.8/tests/__snapshot__/admin_clusterrolebinding_test.yaml.snap 
@@ -0,0 +1,28 @@ +generate a admin cluster role binding when adminClusterRoleBinding.create is true: + 1: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: admin-k8s-cluster-group + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: cluster-admin +generate a admin cluster role binding when adminClusterRoleBinding.create is true and adminClusterRoleBinding.name is set: + 1: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: admin-k8s-cluster-group + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: my-cluster-admin diff --git a/teleport-kube-agent-13.3.8/tests/__snapshot__/clusterrole_test.yaml.snap b/teleport-kube-agent-13.3.8/tests/__snapshot__/clusterrole_test.yaml.snap new file mode 100644 index 0000000..708bc3e --- /dev/null +++ b/teleport-kube-agent-13.3.8/tests/__snapshot__/clusterrole_test.yaml.snap 
@@ -0,0 +1,57 @@ +creates a ClusterRole: + 1: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: RELEASE-NAME + rules: + - apiGroups: + - "" + resources: + - users + - groups + - serviceaccounts + verbs: + - impersonate + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - apiGroups: + - authorization.k8s.io + resources: + - selfsubjectaccessreviews + verbs: + - create +sets ClusterRole labels when specified: + 1: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + labels: + app.kubernetes.io/name: teleport-kube-agent + resource: clusterrole + name: RELEASE-NAME + rules: + - apiGroups: + - "" + resources: + - users + - groups + - serviceaccounts + verbs: + - impersonate + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - apiGroups: + - authorization.k8s.io + resources: + - selfsubjectaccessreviews + verbs: + - create diff --git a/teleport-kube-agent-13.3.8/tests/__snapshot__/clusterrolebinding_test.yaml.snap b/teleport-kube-agent-13.3.8/tests/__snapshot__/clusterrolebinding_test.yaml.snap new file mode 100644 index 0000000..8780c90 --- /dev/null +++ b/teleport-kube-agent-13.3.8/tests/__snapshot__/clusterrolebinding_test.yaml.snap @@ -0,0 +1,31 @@ +creates a ClusterRoleBinding: + 1: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: RELEASE-NAME + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: RELEASE-NAME + subjects: + - kind: ServiceAccount + name: RELEASE-NAME + namespace: NAMESPACE +sets ClusterRoleBinding labels when specified: + 1: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + labels: + app.kubernetes.io/name: teleport-kube-agent + resource: clusterrolebinding + name: RELEASE-NAME + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: RELEASE-NAME + subjects: + - kind: ServiceAccount + name: RELEASE-NAME + namespace: NAMESPACE 
diff --git a/teleport-kube-agent-13.3.8/tests/__snapshot__/config_test.yaml.snap b/teleport-kube-agent-13.3.8/tests/__snapshot__/config_test.yaml.snap new file mode 100644 index 0000000..3585d3b --- /dev/null +++ b/teleport-kube-agent-13.3.8/tests/__snapshot__/config_test.yaml.snap 
@@ -0,0 +1,1130 @@ +does not generate a config for clusterrole.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +does not generate a config for pdb.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster-name + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot and tests for annotations.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + 
version: v3 + kind: ConfigMap + metadata: + annotations: + kubernetes.io/config: test-annotation + kubernetes.io/config-different: 2 + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot and tests for extra-labels.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + labels: + app.kubernetes.io/name: teleport-kube-agent + resource: config + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for affinity.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for all-v6.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + apps: + - labels: + environment: test + name: grafana + uri: http://localhost:3000 + enabled: true + auth_service: + enabled: false + db_service: + databases: + - labels: + database: staging + name: aurora + protocol: postgres + uri: 
postgres-aurora-instance-1.xxx.us-east-1.rds.amazonaws.com:5432 + enabled: true + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster-name + labels: + cluster: testing + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + annotations: + kubernetes.io/config: test-annotation + kubernetes.io/config-different: 2 + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for aws-databases.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + aws: + - regions: + - us-east-1 + tags: + '*': '*' + types: + - rds + - regions: + - us-west-2 + tags: + env: development + types: + - rds + enabled: true + kubernetes_service: + enabled: false + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for azure-databases.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + azure: + - tags: + '*': '*' + types: + - mysql + - postgres + - regions: + - eastus + - centralus + resource_groups: + - group1 + - group2 + subscriptions: + - subID1 + - subID2 + tags: + env: + - dev + - staging + origin: alice + types: + - mysql + enabled: true + kubernetes_service: + enabled: false + proxy_service: + enabled: false + 
ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for backwards-compatibility.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster-name + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for ca-pin.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + ca_pin: + - sha256:7e12c17c20d9cb504bbcb3f0236be3f446861f1396dcbb44425fe28ec1c108f1 + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for db.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + 
databases: + - labels: + database: staging + name: aurora + protocol: postgres + uri: postgres-aurora-instance-1.xxx.us-east-1.rds.amazonaws.com:5432 + enabled: true + kubernetes_service: + enabled: false + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for dynamic-app.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: true + resources: + - labels: + '*': '*' + auth_service: + enabled: false + db_service: + enabled: false + kubernetes_service: + enabled: false + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for dynamic-db.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: true + resources: + - labels: + '*': '*' + kubernetes_service: + enabled: false + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for 
imagepullsecrets.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for initcontainers.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for join-params-iam.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster-name + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: iam + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: 
RELEASE-NAME + namespace: NAMESPACE +matches snapshot for join-params-token.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster-name + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for log-basic.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster-name + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: json + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for log-extra.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster-name + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - level + - timestamp + - component + - caller + output: json + output: /var/lib/teleport/test.log + severity: DEBUG + proxy_server: 
proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for log-legacy.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster-name + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: DEBUG + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for node-selector.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster-name + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for pdb.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster-name + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - level + - timestamp + - component + - caller + output: json + 
output: /var/lib/teleport/test.log + severity: DEBUG + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for resources.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for stateful.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster-name + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for tolerations.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - 
timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for v10.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster-name + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_servers: + - proxy.example.com:3080 + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for v11.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster-name + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for volumes.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + 
extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE diff --git a/teleport-kube-agent-13.3.8/tests/__snapshot__/deployment_test.yaml.snap b/teleport-kube-agent-13.3.8/tests/__snapshot__/deployment_test.yaml.snap new file mode 100644 index 0000000..1dd13be --- /dev/null +++ b/teleport-kube-agent-13.3.8/tests/__snapshot__/deployment_test.yaml.snap 
@@ -0,0 +1,1950 @@ +sets Deployment annotations when specified if action is Upgrade: + 1: | + apiVersion: apps/v1 + kind: Deployment + metadata: + annotations: + kubernetes.io/deployment: test-annotation + kubernetes.io/deployment-different: 3 + labels: + app: RELEASE-NAME + name: RELEASE-NAME + namespace: NAMESPACE + spec: + replicas: 1 + selector: + matchLabels: + app: RELEASE-NAME + template: + metadata: + annotations: + checksum/config: 80088923d2d7ce4344db0f2174d29d7cfb2d599424adfabf6f6818a9434794ca + kubernetes.io/pod: test-annotation + kubernetes.io/pod-different: 4 + labels: + app: RELEASE-NAME + spec: + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data +sets Deployment labels when specified if action is Upgrade: + 1: | + replicas: 1 + selector: + matchLabels: + app: RELEASE-NAME + template: + metadata: + annotations: + checksum/config: 
db49feab9b174f73188febc30d2b01d27b16e5a76b586c6e87e6e62eb43620a2 + labels: + app: RELEASE-NAME + app.kubernetes.io/name: teleport-kube-agent + resource: pod + spec: + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data +sets Pod annotations when specified if action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + 
allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data +sets Pod labels when specified if action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data +sets by default a container security context if action is Upgrade: + 1: | + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + 2: | + allowPrivilegeEscalation: false + 
capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 +should add emptyDir for data when existingDataVolume is not set if action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data +should add insecureSkipProxyTLSVerify to args when set in values if action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + - --insecure + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 
5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data +should correctly configure existingDataVolume when set if action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: teleport-kube-agent-data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +should expose diag port if action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + 
image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data +should have multiple replicas when replicaCount is set (using .replicaCount, deprecated) if action is Upgrade: + 1: | + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - RELEASE-NAME + topologyKey: kubernetes.io/hostname + weight: 50 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + 
allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data +should have multiple replicas when replicaCount is set (using highAvailability.replicaCount) if action is Upgrade: + 1: | + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - RELEASE-NAME + topologyKey: kubernetes.io/hostname + weight: 50 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: 
teleport-kube-agent-join-token + - emptyDir: {} + name: data +should have one replica when replicaCount is not set if action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data +should mount extraVolumes and extraVolumeMounts if action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + 
allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + - mountPath: /path/to/mount + name: my-mount + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data + - name: my-mount + secret: + secretName: mySecret +should mount tls.existingCASecretName and set environment when set in values if action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: SSL_CERT_FILE + value: /etc/teleport-tls-ca/ca.pem + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + - mountPath: /etc/teleport-tls-ca + name: teleport-tls-ca + readOnly: true + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - 
emptyDir: {} + name: data + - name: teleport-tls-ca + secret: + secretName: helm-lint-existing-tls-secret-ca +should mount tls.existingCASecretName and set extra environment when set in values if action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: HTTPS_PROXY + value: http://username:password@my.proxy.host:3128 + - name: SSL_CERT_FILE + value: /etc/teleport-tls-ca/ca.pem + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + - mountPath: /etc/teleport-tls-ca + name: teleport-tls-ca + readOnly: true + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data + - name: teleport-tls-ca + secret: + secretName: helm-lint-existing-tls-secret-ca +should provision initContainer correctly when set in values if action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + 
failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + resources: + limits: + cpu: 2 + memory: 4Gi + requests: + cpu: 1 + memory: 2Gi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + initContainers: + - args: + - echo test + image: alpine + name: teleport-init + resources: + limits: + cpu: 2 + memory: 4Gi + requests: + cpu: 1 + memory: 2Gi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data +should set SecurityContext if action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP 
+ readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data +should set affinity when set in values if action is Upgrade: + 1: | + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: gravitational.io/dedicated + operator: In + values: + - teleport + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - teleport + topologyKey: kubernetes.io/hostname + weight: 1 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + 
readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data +should set default serviceAccountName when not set in values if action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data +should set dnsConfig when set in values if action is Upgrade: + 1: | + nameservers: + - 1.2.3.4 + options: + - name: ndots + value: "2" + - name: edns0 + searches: + - ns1.svc.cluster-domain.example + - my.dns.search.suffix +should set environment when extraEnv set in values if action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: 
"true" + - name: HTTPS_PROXY + value: http://username:password@my.proxy.host:3128 + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data +should set image and tag correctly if action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:12.2.1 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - 
mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data +should set imagePullPolicy when set in values if action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: Always + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data +should set nodeSelector if set in values if action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + 
- containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + nodeSelector: + gravitational.io/k8s-role: node + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data +should set not set priorityClassName when not set in values if action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: 
teleport-kube-agent-join-token + - emptyDir: {} + name: data +should set preferred affinity when more than one replica is used if action is Upgrade: + 1: | + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - RELEASE-NAME + topologyKey: kubernetes.io/hostname + weight: 50 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data +should set priorityClassName when set in values if action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: 
teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + priorityClassName: teleport-kube-agent + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data +should set probeTimeoutSeconds when set in values if action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: 
teleport-kube-agent-join-token + - emptyDir: {} + name: data +should set required affinity when highAvailability.requireAntiAffinity is set if action is Upgrade: + 1: | + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - RELEASE-NAME + topologyKey: kubernetes.io/hostname + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data +should set resources when set in values if action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - 
containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + resources: + limits: + cpu: 2 + memory: 4Gi + requests: + cpu: 1 + memory: 2Gi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data +should set serviceAccountName when set in values if action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: teleport-kube-agent-sa + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + 
secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data +should set tolerations when set in values if action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + tolerations: + - effect: NoExecute + key: dedicated + operator: Equal + value: teleport + - effect: NoSchedule + key: dedicated + operator: Equal + value: teleport + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data diff --git a/teleport-kube-agent-13.3.8/tests/__snapshot__/job_test.yaml.snap b/teleport-kube-agent-13.3.8/tests/__snapshot__/job_test.yaml.snap new file mode 100644 index 0000000..cff8b14 --- /dev/null +++ b/teleport-kube-agent-13.3.8/tests/__snapshot__/job_test.yaml.snap 
@@ -0,0 +1,205 @@ +should create ServiceAccount for post-delete hook by default: + 1: | + apiVersion: v1 + kind: ServiceAccount + metadata: + annotations: + helm.sh/hook: post-delete + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + helm.sh/hook-weight: "-4" + name: RELEASE-NAME-delete-hook + namespace: NAMESPACE +? should inherit ServiceAccount name from values and not create serviceAccount if + serviceAccount.create is false and serviceAccount.name is set +: 1: | + containers: + - args: + - kube-state + - delete + command: + - teleport + env: + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + name: post-delete-job + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + restartPolicy: OnFailure + serviceAccountName: lint-serviceaccount +should not create ServiceAccount for post-delete hook if serviceAccount.create is false: + 1: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + annotations: + helm.sh/hook: post-delete + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + helm.sh/hook-weight: "-3" + name: RELEASE-NAME-delete-hook + namespace: NAMESPACE + rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - delete + - list + 2: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + annotations: + helm.sh/hook: post-delete + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + helm.sh/hook-weight: "-2" + name: RELEASE-NAME-delete-hook + namespace: NAMESPACE + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: RELEASE-NAME-delete-hook + subjects: + - kind: ServiceAccount + name: RELEASE-NAME-delete-hook + namespace: NAMESPACE + 3: | + apiVersion: batch/v1 + kind: Job + 
metadata: + annotations: + helm.sh/hook: post-delete + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + helm.sh/hook-weight: "-1" + name: RELEASE-NAME-delete-hook + namespace: NAMESPACE + spec: + template: + metadata: + name: RELEASE-NAME-delete-hook + spec: + containers: + - args: + - kube-state + - delete + command: + - teleport + env: + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + name: post-delete-job + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + restartPolicy: OnFailure + serviceAccountName: lint-serviceaccount +should not create ServiceAccount, Role or RoleBinding for post-delete hook if serviceAccount.create and rbac.create are false: + 1: | + containers: + - args: + - kube-state + - delete + command: + - teleport + env: + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + name: post-delete-job + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + restartPolicy: OnFailure + serviceAccountName: lint-serviceaccount +should set nodeSelector in post-delete hook: + 1: | + containers: + - args: + - kube-state + - delete + command: + - teleport + env: + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + name: post-delete-job + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + 
readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + nodeSelector: + gravitational.io/k8s-role: node + restartPolicy: OnFailure + serviceAccountName: RELEASE-NAME-delete-hook +should set securityContext in post-delete hook: + 1: | + containers: + - args: + - kube-state + - delete + command: + - teleport + env: + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + name: post-delete-job + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + restartPolicy: OnFailure + serviceAccountName: RELEASE-NAME-delete-hook diff --git a/teleport-kube-agent-13.3.8/tests/__snapshot__/pdb_test.yaml.snap b/teleport-kube-agent-13.3.8/tests/__snapshot__/pdb_test.yaml.snap new file mode 100644 index 0000000..7103d98 --- /dev/null +++ b/teleport-kube-agent-13.3.8/tests/__snapshot__/pdb_test.yaml.snap @@ -0,0 +1,30 @@ +sets PodDisruptionBudget labels when specified: + 1: | + apiVersion: policy/v1beta1 + kind: PodDisruptionBudget + metadata: + labels: + app: RELEASE-NAME + app.kubernetes.io/name: teleport-kube-agent + resource: poddisruptionbudget + name: RELEASE-NAME + namespace: NAMESPACE + spec: + minAvailable: 2 + selector: + matchLabels: + app: RELEASE-NAME +should create a PDB when enabled in values (pdb.yaml): + 1: | + apiVersion: policy/v1beta1 + kind: PodDisruptionBudget + metadata: + labels: + app: RELEASE-NAME + name: RELEASE-NAME + namespace: NAMESPACE + spec: + minAvailable: 2 + selector: + matchLabels: + app: RELEASE-NAME diff --git a/teleport-kube-agent-13.3.8/tests/__snapshot__/psp_test.yaml.snap b/teleport-kube-agent-13.3.8/tests/__snapshot__/psp_test.yaml.snap new file mode 100644 index 0000000..9432715 --- /dev/null +++ b/teleport-kube-agent-13.3.8/tests/__snapshot__/psp_test.yaml.snap 
@@ -0,0 +1,123 @@ +creates a PodSecurityPolicy when enabled in values and supported: + 1: | + apiVersion: policy/v1beta1 + kind: PodSecurityPolicy + metadata: + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default + seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default + name: RELEASE-NAME + spec: + allowPrivilegeEscalation: false + fsGroup: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + hostIPC: false + hostNetwork: false + hostPID: false + privileged: false + readOnlyRootFilesystem: true + requiredDropCapabilities: + - ALL + runAsUser: + rule: MustRunAsNonRoot + seLinux: + rule: RunAsAny + supplementalGroups: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + volumes: + - '*' + 2: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + name: RELEASE-NAME-psp + rules: + - apiGroups: + - policy + resourceNames: + - RELEASE-NAME + resources: + - podsecuritypolicies + verbs: + - use + 3: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: RELEASE-NAME-psp + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: RELEASE-NAME-psp + subjects: + - kind: ServiceAccount + name: RELEASE-NAME +sets PodSecurityPolicy labels when specified: + 1: | + apiVersion: policy/v1beta1 + kind: PodSecurityPolicy + metadata: + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default + seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default + labels: + app.kubernetes.io/name: teleport-kube-agent + resource: podsecuritypolicy + name: RELEASE-NAME + spec: + allowPrivilegeEscalation: false + fsGroup: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + hostIPC: false + hostNetwork: false + hostPID: false + privileged: false + readOnlyRootFilesystem: true + requiredDropCapabilities: + - ALL + runAsUser: + rule: MustRunAsNonRoot + seLinux: + rule: RunAsAny + supplementalGroups: + ranges: + - 
max: 65535 + min: 1 + rule: MustRunAs + volumes: + - '*' + 2: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + name: RELEASE-NAME-psp + rules: + - apiGroups: + - policy + resourceNames: + - RELEASE-NAME + resources: + - podsecuritypolicies + verbs: + - use + 3: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: RELEASE-NAME-psp + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: RELEASE-NAME-psp + subjects: + - kind: ServiceAccount + name: RELEASE-NAME diff --git a/teleport-kube-agent-13.3.8/tests/__snapshot__/role_test.yaml.snap b/teleport-kube-agent-13.3.8/tests/__snapshot__/role_test.yaml.snap new file mode 100644 index 0000000..03820af --- /dev/null +++ b/teleport-kube-agent-13.3.8/tests/__snapshot__/role_test.yaml.snap @@ -0,0 +1,37 @@ +creates a Role: + 1: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + name: RELEASE-NAME + namespace: NAMESPACE + rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - create + - get + - update + - patch +sets Role labels when specified: + 1: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + labels: + app.kubernetes.io/name: teleport-kube-agent + resource: role + name: RELEASE-NAME + namespace: NAMESPACE + rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - create + - get + - update + - patch diff --git a/teleport-kube-agent-13.3.8/tests/__snapshot__/rolebinding_test.yaml.snap b/teleport-kube-agent-13.3.8/tests/__snapshot__/rolebinding_test.yaml.snap new file mode 100644 index 0000000..175158e --- /dev/null +++ b/teleport-kube-agent-13.3.8/tests/__snapshot__/rolebinding_test.yaml.snap 
@@ -0,0 +1,33 @@ +creates a RoleBinding: + 1: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: RELEASE-NAME + namespace: NAMESPACE + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: RELEASE-NAME + subjects: + - kind: ServiceAccount + name: RELEASE-NAME + namespace: NAMESPACE +sets RoleBinding labels when specified: + 1: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + labels: + app.kubernetes.io/name: teleport-kube-agent + resource: rolebinding + name: RELEASE-NAME + namespace: NAMESPACE + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: RELEASE-NAME + subjects: + - kind: ServiceAccount + name: RELEASE-NAME + namespace: NAMESPACE diff --git a/teleport-kube-agent-13.3.8/tests/__snapshot__/secret_test.yaml.snap b/teleport-kube-agent-13.3.8/tests/__snapshot__/secret_test.yaml.snap new file mode 100644 index 0000000..551299d --- /dev/null +++ b/teleport-kube-agent-13.3.8/tests/__snapshot__/secret_test.yaml.snap 
@@ -0,0 +1,82 @@ +generate a secret when neither authToken nor joinParams.tokenName are provided: + 1: | + apiVersion: v1 + kind: Secret + metadata: + name: teleport-kube-agent-join-token + namespace: NAMESPACE + stringData: + auth-token: "" + type: Opaque +generates a secret when authToken is provided: + 1: | + apiVersion: v1 + kind: Secret + metadata: + name: teleport-kube-agent-join-token + namespace: NAMESPACE + stringData: + auth-token: | + sample-auth-token-dont-use-this + type: Opaque +generates a secret when joinParams.tokenName is provided: + 1: | + apiVersion: v1 + kind: Secret + metadata: + name: teleport-kube-agent-join-token + namespace: NAMESPACE + stringData: + auth-token: | + sample-auth-token-dont-use-this + type: Opaque +generates a secret with a custom name when authToken and joinTokenSecret.name are provided: + 1: | + apiVersion: v1 + kind: Secret + metadata: + name: some-other-secret-name + namespace: NAMESPACE + stringData: + auth-token: | + sample-auth-token-dont-use-this + type: Opaque +generates a secret with a custom name when authToken and secretName are provided: + 1: | + apiVersion: v1 + kind: Secret + metadata: + name: some-other-secret-name + namespace: NAMESPACE + stringData: + auth-token: | + sample-auth-token-dont-use-this + type: Opaque +sets Secret annotations when specified: + 1: | + apiVersion: v1 + kind: Secret + metadata: + annotations: + kubernetes.io/secret: test-annotation + kubernetes.io/secret-different: 6 + name: teleport-kube-agent-join-token + namespace: NAMESPACE + stringData: + auth-token: | + auth-token + type: Opaque +sets Secret labels when specified: + 1: | + apiVersion: v1 + kind: Secret + metadata: + labels: + app.kubernetes.io/name: teleport-kube-agent + resource: secret + name: teleport-kube-agent-join-token + namespace: NAMESPACE + stringData: + auth-token: | + auth-token + type: Opaque 
diff --git a/teleport-kube-agent-13.3.8/tests/__snapshot__/serviceaccount_test.yaml.snap b/teleport-kube-agent-13.3.8/tests/__snapshot__/serviceaccount_test.yaml.snap new file mode 100644 index 0000000..a451b14 --- /dev/null +++ b/teleport-kube-agent-13.3.8/tests/__snapshot__/serviceaccount_test.yaml.snap @@ -0,0 +1,20 @@ +sets ServiceAccount annotations when specified: + 1: | + apiVersion: v1 + kind: ServiceAccount + metadata: + annotations: + kubernetes.io/serviceaccount: test-annotation + kubernetes.io/serviceaccount-different: 5 + name: RELEASE-NAME + namespace: NAMESPACE +sets ServiceAccount labels when specified: + 1: | + apiVersion: v1 + kind: ServiceAccount + metadata: + labels: + app.kubernetes.io/name: teleport-kube-agent + resource: serviceaccount + name: RELEASE-NAME + namespace: NAMESPACE diff --git a/teleport-kube-agent-13.3.8/tests/__snapshot__/statefulset_test.yaml.snap b/teleport-kube-agent-13.3.8/tests/__snapshot__/statefulset_test.yaml.snap new file mode 100644 index 0000000..ba5becc --- /dev/null +++ b/teleport-kube-agent-13.3.8/tests/__snapshot__/statefulset_test.yaml.snap 
@@ -0,0 +1,2490 @@ +sets Pod annotations when specified: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +sets Pod labels when specified: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: 
diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +sets StatefulSet labels when specified: + 1: | + apiVersion: apps/v1 + kind: StatefulSet + metadata: + labels: + app: RELEASE-NAME + app.kubernetes.io/name: teleport-kube-agent + resource: deployment + name: RELEASE-NAME + namespace: NAMESPACE + spec: + replicas: 1 + selector: + matchLabels: + app: RELEASE-NAME + serviceName: RELEASE-NAME + template: + metadata: + annotations: + checksum/config: db49feab9b174f73188febc30d2b01d27b16e5a76b586c6e87e6e62eb43620a2 + labels: + app: RELEASE-NAME + app.kubernetes.io/name: teleport-kube-agent + resource: pod + spec: + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + 
timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + volumeClaimTemplates: + - metadata: + name: RELEASE-NAME-teleport-data + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 128Mi + storageClassName: aws-gp2 +sets by default a container security context: + 1: | + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + 2: | + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 +should add insecureSkipProxyTLSVerify to args when set in values: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + - --insecure + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + 
timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +should add volumeClaimTemplate for data volume when using StatefulSet and action is an Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + 
name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +should add volumeClaimTemplate for data volume when using StatefulSet and is Fresh Install: + 1: | + apiVersion: apps/v1 + kind: StatefulSet + metadata: + labels: + app: RELEASE-NAME + name: RELEASE-NAME + namespace: NAMESPACE + spec: + replicas: 1 + selector: + matchLabels: + app: RELEASE-NAME + serviceName: RELEASE-NAME + template: + metadata: + annotations: + checksum/config: 6e010c147e8d81d244e7aafdcee7e652cdb4d5640fb7f14d0e1ebb7832f943a5 + labels: + app: RELEASE-NAME + spec: + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + 
fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + volumeClaimTemplates: + - metadata: + name: RELEASE-NAME-teleport-data + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 128Mi + storageClassName: aws-gp2 +should add volumeMount for data volume when using StatefulSet: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +should expose diag port: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: 
TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +should generate Statefulset when storage is disabled and mode is a Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + 
readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data +should have multiple replicas when replicaCount is set (using .replicaCount, deprecated): + 1: | + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - RELEASE-NAME + topologyKey: kubernetes.io/hostname + weight: 50 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + 
runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +should have multiple replicas when replicaCount is set (using highAvailability.replicaCount): + 1: | + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - RELEASE-NAME + topologyKey: kubernetes.io/hostname + weight: 50 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + 
securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +should have one replica when replicaCount is not set: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +should install Statefulset when storage is disabled and mode is a Fresh Install: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: 
+ fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data +should mount extraVolumes and extraVolumeMounts: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + 
securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + - mountPath: /path/to/mount + name: my-mount + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - name: my-mount + secret: + secretName: mySecret +should mount tls.existingCASecretName and set environment when set in values: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + - name: SSL_CERT_FILE + value: /etc/teleport-tls-ca/ca.pem + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + - mountPath: 
/etc/teleport-tls-ca + name: teleport-tls-ca + readOnly: true + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data + - name: teleport-tls-ca + secret: + secretName: helm-lint-existing-tls-secret-ca +should mount tls.existingCASecretName and set extra environment when set in values: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + - name: SSL_CERT_FILE + value: /etc/teleport-tls-ca/ca.pem + - name: HTTPS_PROXY + value: http://username:password@my.proxy.host:3128 + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + - mountPath: /etc/teleport-tls-ca + name: teleport-tls-ca + readOnly: true + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + 
secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data + - name: teleport-tls-ca + secret: + secretName: helm-lint-existing-tls-secret-ca +should not add emptyDir for data when using StatefulSet: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +should provision initContainer correctly when set in values: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + 
value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + resources: + limits: + cpu: 2 + memory: 4Gi + requests: + cpu: 1 + memory: 2Gi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + initContainers: + - args: + - echo test + image: alpine + name: teleport-init + resources: + limits: + cpu: 2 + memory: 4Gi + requests: + cpu: 1 + memory: 2Gi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +should set SecurityContext: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: 
metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +should set affinity when set in values: + 1: | + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: gravitational.io/dedicated + operator: In + values: + - teleport + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - teleport + topologyKey: kubernetes.io/hostname + weight: 1 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + 
imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +should set default serviceAccountName when not set in values: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + 
runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +should set dnsConfig when set in values: + 1: | + nameservers: + - 1.2.3.4 + options: + - name: ndots + value: "2" + - name: edns0 + searches: + - ns1.svc.cluster-domain.example + - my.dns.search.suffix +should set environment when extraEnv set in values: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + - name: HTTPS_PROXY + value: http://username:password@my.proxy.host:3128 + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + 
serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +should set image and tag correctly: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:12.2.1 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +should set imagePullPolicy when set in values: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: 
public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: Always + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +should set nodeSelector if set in values: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true 
+ runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + nodeSelector: + gravitational.io/k8s-role: node + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +should set preferred affinity when more than one replica is used: + 1: | + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - RELEASE-NAME + topologyKey: kubernetes.io/hostname + weight: 50 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: 
RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +should set probeTimeoutSeconds when set in values: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +should set required affinity when highAvailability.requireAntiAffinity is set: + 1: | + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - RELEASE-NAME + topologyKey: kubernetes.io/hostname + containers: + - 
args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +should set resources when set in values: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: 
teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + resources: + limits: + cpu: 2 + memory: 4Gi + requests: + cpu: 1 + memory: 2Gi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +should set serviceAccountName when set in values: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: 
/etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: teleport-kube-agent-sa + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +should set storage.requests when set in values and action is an Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +should set storage.storageClassName when set in values and action is an Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: 
TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token +should set tolerations when set in values: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: 
diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + tolerations: + - effect: NoExecute + key: dedicated + operator: Equal + value: teleport + - effect: NoSchedule + key: dedicated + operator: Equal + value: teleport + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token diff --git a/teleport-kube-agent-13.3.8/tests/__snapshot__/updater_deployment_test.yaml.snap b/teleport-kube-agent-13.3.8/tests/__snapshot__/updater_deployment_test.yaml.snap new file mode 100644 index 0000000..5b116c0 --- /dev/null +++ b/teleport-kube-agent-13.3.8/tests/__snapshot__/updater_deployment_test.yaml.snap 
@@ -0,0 +1,117 @@ +sets the affinity: + 1: | + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: gravitational.io/dedicated + operator: In + values: + - teleport + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - teleport + topologyKey: kubernetes.io/hostname + weight: 1 + containers: + - args: + - --agent-name=RELEASE-NAME + - --agent-namespace=NAMESPACE + - --base-image=public.ecr.aws/gravitational/teleport-distroless + - --version-server=https://my-custom-version-server/v1 + - --version-channel=custom/preview + image: public.ecr.aws/gravitational/teleport-kube-agent-updater:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 5 + name: kube-agent-updater + ports: + - containerPort: 8080 + name: metrics + protocol: TCP + - containerPort: 8081 + name: healthz + protocol: TCP + readinessProbe: + failureThreshold: 6 + httpGet: + path: /readyz + port: healthz + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + serviceAccountName: RELEASE-NAME-updater +sets the tolerations: + 1: | + containers: + - args: + - --agent-name=RELEASE-NAME + - --agent-namespace=NAMESPACE + - --base-image=public.ecr.aws/gravitational/teleport-distroless + - --version-server=https://my-custom-version-server/v1 + - --version-channel=custom/preview + image: public.ecr.aws/gravitational/teleport-kube-agent-updater:13.3.8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 5 + name: 
kube-agent-updater + ports: + - containerPort: 8080 + name: metrics + protocol: TCP + - containerPort: 8081 + name: healthz + protocol: TCP + readinessProbe: + failureThreshold: 6 + httpGet: + path: /readyz + port: healthz + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + serviceAccountName: RELEASE-NAME-updater + tolerations: + - effect: NoExecute + key: dedicated + operator: Equal + value: teleport + - effect: NoSchedule + key: dedicated + operator: Equal + value: teleport diff --git a/teleport-kube-agent-13.3.8/tests/__snapshot__/updater_role_test.yaml.snap b/teleport-kube-agent-13.3.8/tests/__snapshot__/updater_role_test.yaml.snap new file mode 100644 index 0000000..0c1e6a6 --- /dev/null +++ b/teleport-kube-agent-13.3.8/tests/__snapshot__/updater_role_test.yaml.snap @@ -0,0 +1,76 @@ +sets the correct role rules: + 1: | + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - watch + - list + - delete + - apiGroups: + - "" + resources: + - pods/status + verbs: + - get + - watch + - list + - apiGroups: + - "" + resources: + - secrets + verbs: + - watch + - list + - apiGroups: + - "" + resourceNames: + - RELEASE-NAME-shared-state + resources: + - secrets + verbs: + - get + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - apps + resources: + - deployments + - statefulsets + - deployments/status + - statefulsets/status + verbs: + - get + - watch + - list + - apiGroups: + - apps + resourceNames: + - RELEASE-NAME + resources: + - deployments + - statefulsets + verbs: + - update + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - apiGroups: + - coordination.k8s.io + resourceNames: + - RELEASE-NAME + resources: + - leases + verbs: + - get + - update 
diff --git a/teleport-kube-agent-13.3.8/tests/admin_clusterrolebinding_test.yaml b/teleport-kube-agent-13.3.8/tests/admin_clusterrolebinding_test.yaml
new file mode 100644
index 0000000..12998ef
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/tests/admin_clusterrolebinding_test.yaml
@@ -0,0 +1,35 @@
+suite: AdminClusterRoleBinding
+templates:
+ - admin_clusterrolebinding.yaml
+tests:
+ - it: don't generate a admin cluster role binding when adminClusterRoleBinding.create is false
+ asserts:
+ - hasDocuments:
+ count: 0
+ - it: generate a admin cluster role binding when adminClusterRoleBinding.create is true
+ set:
+ adminClusterRoleBinding:
+ create: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ClusterRoleBinding
+ - equal:
+ path: subjects[0].name
+ value: cluster-admin
+ - matchSnapshot: {}
+ - it: generate a admin cluster role binding when adminClusterRoleBinding.create is true and adminClusterRoleBinding.name is set
+ set:
+ adminClusterRoleBinding:
+ create: true
+ name: my-cluster-admin
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ClusterRoleBinding
+ - equal:
+ path: subjects[0].name
+ value: my-cluster-admin
+ - matchSnapshot: {}
diff --git a/teleport-kube-agent-13.3.8/tests/clusterrole_test.yaml b/teleport-kube-agent-13.3.8/tests/clusterrole_test.yaml
new file mode 100644
index 0000000..c589a7a
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/tests/clusterrole_test.yaml
@@ -0,0 +1,23 @@
+suite: ClusterRole
+templates:
+ - clusterrole.yaml
+tests:
+ - it: creates a ClusterRole
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ClusterRole
+ - matchSnapshot: {}
+
+ - it: sets ClusterRole labels when specified
+ values:
+ - ../.lint/extra-labels.yaml
+ asserts:
+ - equal:
+ path: metadata.labels.app\.kubernetes\.io/name
+ value: teleport-kube-agent
+ - equal:
+ path: metadata.labels.resource
+ value: clusterrole
+ - matchSnapshot: {}
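Review bot: The two positive cases in admin_clusterrolebinding_test.yaml pin only `subjects[0].name`, so a template change to `roleRef` or to the subject kind — the parts that decide what this binding actually grants — is caught only by the snapshot, which is routinely regenerated rather than read. Add explicit asserts beside the existing `equal`, e.g. `- equal: { path: roleRef.name, value: <ROLE_NAME_FROM_TEMPLATE> }` and `- equal: { path: subjects[0].kind, value: <SUBJECT_KIND_FROM_TEMPLATE> }`, with the values taken from admin_clusterrolebinding.yaml (not in this diff). The negative case relies on the chart default for adminClusterRoleBinding.create; setting `create: false` explicitly keeps it meaningful if that default ever changes. The test titles read "a admin", which should be "an admin".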
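Review bot: clusterrole_test.yaml asserts only the kind, two labels and a snapshot, so the ClusterRole's `rules` — the cluster-wide privilege this chart requests — are not pinned by any readable assertion; clusterrolebinding_test.yaml in the next hunk has the same gap for `roleRef` and `subjects`. Snapshots are updated wholesale with the update flag, so a widened verb or resource list would not stand out in review the way a failing `contains` would. Add a `contains` on `rules` here, and `equal` asserts on `roleRef.name` and `subjects[0].kind` in the binding suite, with the expected values taken from the templates, which are outside this diff.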
diff --git a/teleport-kube-agent-13.3.8/tests/clusterrolebinding_test.yaml b/teleport-kube-agent-13.3.8/tests/clusterrolebinding_test.yaml
new file mode 100644
index 0000000..ce78e09
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/tests/clusterrolebinding_test.yaml
@@ -0,0 +1,23 @@
+suite: ClusterRoleBinding
+templates:
+ - clusterrolebinding.yaml
+tests:
+ - it: creates a ClusterRoleBinding
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ClusterRoleBinding
+ - matchSnapshot: {}
+
+ - it: sets ClusterRoleBinding labels when specified
+ values:
+ - ../.lint/extra-labels.yaml
+ asserts:
+ - equal:
+ path: metadata.labels.app\.kubernetes\.io/name
+ value: teleport-kube-agent
+ - equal:
+ path: metadata.labels.resource
+ value: clusterrolebinding
+ - matchSnapshot: {}
diff --git a/teleport-kube-agent-13.3.8/tests/config_test.yaml b/teleport-kube-agent-13.3.8/tests/config_test.yaml
new file mode 100644
index 0000000..2ee00d9
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/tests/config_test.yaml
@@ -0,0 +1,291 @@ +suite: ConfigMap +templates: + - config.yaml +tests: + - it: matches snapshot for affinity.yaml + values: + - ../.lint/affinity.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: {} + + - it: matches snapshot for all-v6.yaml + values: + - ../.lint/all-v6.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: {} + + - it: matches snapshot and tests for extra-labels.yaml + values: + - ../.lint/extra-labels.yaml + asserts: + - equal: + path: metadata.labels.app\.kubernetes\.io/name + value: teleport-kube-agent + - equal: + path: metadata.labels.resource + value: config + - matchSnapshot: {} + + - it: matches snapshot and tests for annotations.yaml + values: + - ../.lint/annotations.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - equal: + path: metadata.annotations.kubernetes\.io/config + value: test-annotation + - equal: + path: metadata.annotations.kubernetes\.io/config-different + value: 2 + - matchSnapshot: {} + + - it: matches snapshot for aws-databases.yaml + values: + - ../.lint/aws-databases.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: {} + + - it: matches snapshot for azure-databases.yaml + values: + - ../.lint/azure-databases.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: {} + + - it: matches snapshot for backwards-compatibility.yaml + values: + - ../.lint/backwards-compatibility.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: {} + + - it: matches snapshot for ca-pin.yaml + values: + - ../.lint/ca-pin.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: {} + + - it: does not generate a config for clusterrole.yaml + values: + - ../.lint/clusterrole.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: {} + + - it: matches 
snapshot for db.yaml + values: + - ../.lint/db.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: {} + + - it: matches snapshot for dynamic-app.yaml + values: + - ../.lint/dynamic-app.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: {} + + - it: matches snapshot for dynamic-db.yaml + values: + - ../.lint/dynamic-db.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: {} + + - it: matches snapshot for imagepullsecrets.yaml + values: + - ../.lint/imagepullsecrets.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: {} + + - it: matches snapshot for initcontainers.yaml + values: + - ../.lint/initcontainers.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: {} + + - it: matches snapshot for join-params-iam.yaml + values: + - ../.lint/join-params-iam.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: {} + + - it: matches snapshot for join-params-token.yaml + values: + - ../.lint/join-params-token.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: {} + + - it: matches snapshot for log-basic.yaml + values: + - ../.lint/log-basic.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: {} + + - it: matches snapshot for log-extra.yaml + values: + - ../.lint/log-extra.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: {} + + - it: matches snapshot for log-legacy.yaml + values: + - ../.lint/log-legacy.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: {} + + - it: matches snapshot for node-selector.yaml + values: + - ../.lint/node-selector.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: {} + + - it: matches snapshot for pdb.yaml + values: 
+ - ../.lint/log-extra.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: {} + + - it: does not generate a config for pdb.yaml + values: + - ../.lint/pdb.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: {} + + - it: matches snapshot for resources.yaml + values: + - ../.lint/resources.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: {} + + - it: matches snapshot for stateful.yaml + values: + - ../.lint/stateful.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: {} + + - it: matches snapshot for tolerations.yaml + values: + - ../.lint/tolerations.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: {} + + - it: matches snapshot for volumes.yaml + values: + - ../.lint/volumes.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: {} + + - it: matches snapshot for v10.yaml + values: + - ../.lint/v10.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: {} + + - it: matches snapshot for v11.yaml + values: + - ../.lint/v11.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: {} diff --git a/teleport-kube-agent-13.3.8/tests/deployment_test.yaml b/teleport-kube-agent-13.3.8/tests/deployment_test.yaml new file mode 100644 index 0000000..1c4926c --- /dev/null +++ b/teleport-kube-agent-13.3.8/tests/deployment_test.yaml 
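Review bot: The case titled `matches snapshot for pdb.yaml` loads `../.lint/log-extra.yaml` instead of the pdb fixture, so it merely duplicates the log-extra case and the pdb values are only exercised by the case that follows; change its values entry to `- ../.lint/pdb.yaml`. That following case, and the `clusterrole.yaml` case earlier in the hunk, are titled `does not generate a config for …` yet assert `hasDocuments: count: 1`, so the titles contradict the assertions and should read `matches snapshot for …`. In the annotations case `kubernetes.io/config-different` is asserted as the integer `2`; annotation values are strings in the Kubernetes API, so if the fixture (not in this diff) renders it unquoted the test passes while the manifest would be rejected on apply — asserting `value: "2"` and quoting the fixture value would make that visible.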
@@ -0,0 +1,687 @@ +suite: Deployment +templates: + - deployment.yaml + - config.yaml +release: + upgrade: true +tests: + - it: creates a Deployment if action is Upgrade + template: deployment.yaml + set: + # unit test does not support lookup functions, so to test the behavior we use this undoc value + # https://github.com/helm/helm/issues/8137 + unitTestUpgrade: true + values: + - ../.lint/all-v6.yaml + asserts: + - isKind: + of: Deployment + - hasDocuments: + count: 1 + + - it: sets Deployment labels when specified if action is Upgrade + template: deployment.yaml + set: + # unit test does not support lookup functions, so to test the behavior we use this undoc value + # https://github.com/helm/helm/issues/8137 + unitTestUpgrade: true + values: + - ../.lint/extra-labels.yaml + asserts: + - equal: + path: metadata.labels.app\.kubernetes\.io/name + value: teleport-kube-agent + - equal: + path: metadata.labels.resource + value: deployment + - matchSnapshot: + path: spec + + - it: sets Pod labels when specified if action is Upgrade + template: deployment.yaml + set: + # unit test does not support lookup functions, so to test the behavior we use this undoc value + # https://github.com/helm/helm/issues/8137 + unitTestUpgrade: true + values: + - ../.lint/extra-labels.yaml + asserts: + - equal: + path: spec.template.metadata.labels.app\.kubernetes\.io/name + value: teleport-kube-agent + - equal: + path: spec.template.metadata.labels.resource + value: pod + - matchSnapshot: + path: spec.template.spec + + - it: sets Deployment annotations when specified if action is Upgrade + template: deployment.yaml + set: + # unit test does not support lookup functions, so to test the behavior we use this undoc value + # https://github.com/helm/helm/issues/8137 + unitTestUpgrade: true + values: + - ../.lint/annotations.yaml + asserts: + - equal: + path: metadata.annotations.kubernetes\.io/deployment + value: test-annotation + - equal: + path: 
metadata.annotations.kubernetes\.io/deployment-different + value: 3 + - matchSnapshot: {} + + - it: sets Pod annotations when specified if action is Upgrade + template: deployment.yaml + set: + # unit test does not support lookup functions, so to test the behavior we use this undoc value + # https://github.com/helm/helm/issues/8137 + unitTestUpgrade: true + values: + - ../.lint/annotations.yaml + asserts: + - equal: + path: spec.template.metadata.annotations.kubernetes\.io/pod + value: test-annotation + - equal: + path: spec.template.metadata.annotations.kubernetes\.io/pod-different + value: 4 + - matchSnapshot: + path: spec.template.spec + + - it: should have one replica when replicaCount is not set if action is Upgrade + template: deployment.yaml + set: + # unit test does not support lookup functions, so to test the behavior we use this undoc value + # https://github.com/helm/helm/issues/8137 + unitTestUpgrade: true + values: + - ../.lint/backwards-compatibility.yaml + asserts: + - equal: + path: spec.replicas + value: 1 + - matchSnapshot: + path: spec.template.spec + + - it: should have multiple replicas when replicaCount is set (using .replicaCount, deprecated) if action is Upgrade + template: deployment.yaml + set: + # unit test does not support lookup functions, so to test the behavior we use this undoc value + # https://github.com/helm/helm/issues/8137 + unitTestUpgrade: true + replicaCount: 3 + values: + - ../.lint/backwards-compatibility.yaml + asserts: + - equal: + path: spec.replicas + value: 3 + - matchSnapshot: + path: spec.template.spec + + - it: should have multiple replicas when replicaCount is set (using highAvailability.replicaCount) if action is Upgrade + template: deployment.yaml + values: + - ../.lint/backwards-compatibility.yaml + set: + # unit test does not support lookup functions, so to test the behavior we use this undoc value + # https://github.com/helm/helm/issues/8137 + unitTestUpgrade: true + highAvailability: + replicaCount: 3 + 
asserts: + - equal: + path: spec.replicas + value: 3 + - matchSnapshot: + path: spec.template.spec + + - it: should set affinity when set in values if action is Upgrade + template: deployment.yaml + set: + # unit test does not support lookup functions, so to test the behavior we use this undoc value + # https://github.com/helm/helm/issues/8137 + unitTestUpgrade: true + values: + - ../.lint/affinity.yaml + asserts: + - isNotNull: + path: spec.template.spec.affinity + - matchSnapshot: + path: spec.template.spec + + - it: should set required affinity when highAvailability.requireAntiAffinity is set if action is Upgrade + template: deployment.yaml + values: + - ../.lint/backwards-compatibility.yaml + set: + # unit test does not support lookup functions, so to test the behavior we use this undoc value + # https://github.com/helm/helm/issues/8137 + unitTestUpgrade: true + + highAvailability: + replicaCount: 2 + requireAntiAffinity: true + asserts: + - isNotNull: + path: spec.template.spec.affinity + - isNotNull: + path: spec.template.spec.affinity.podAntiAffinity + - isNotNull: + path: spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution + - isNull: + path: spec.template.spec.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution + - matchSnapshot: + path: spec.template.spec + + - it: should set preferred affinity when more than one replica is used if action is Upgrade + template: deployment.yaml + values: + - ../.lint/backwards-compatibility.yaml + set: + # unit test does not support lookup functions, so to test the behavior we use this undoc value + # https://github.com/helm/helm/issues/8137 + unitTestUpgrade: true + + highAvailability: + replicaCount: 3 + asserts: + - isNotNull: + path: spec.template.spec.affinity + - isNotNull: + path: spec.template.spec.affinity.podAntiAffinity + - isNotNull: + path: spec.template.spec.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution + - isNull: + path: 
spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution + - matchSnapshot: + path: spec.template.spec + + - it: should set tolerations when set in values if action is Upgrade + template: deployment.yaml + set: + # unit test does not support lookup functions, so to test the behavior we use this undoc value + # https://github.com/helm/helm/issues/8137 + unitTestUpgrade: true + values: + - ../.lint/tolerations.yaml + asserts: + - isNotNull: + path: spec.template.spec.tolerations + - matchSnapshot: + path: spec.template.spec + + - it: should set resources when set in values if action is Upgrade + template: deployment.yaml + set: + # unit test does not support lookup functions, so to test the behavior we use this undoc value + # https://github.com/helm/helm/issues/8137 + unitTestUpgrade: true + values: + - ../.lint/resources.yaml + asserts: + - equal: + path: spec.template.spec.containers[0].resources.limits.cpu + value: 2 + - equal: + path: spec.template.spec.containers[0].resources.limits.memory + value: 4Gi + - equal: + path: spec.template.spec.containers[0].resources.requests.cpu + value: 1 + - equal: + path: spec.template.spec.containers[0].resources.requests.memory + value: 2Gi + - matchSnapshot: + path: spec.template.spec + + - it: should set SecurityContext if action is Upgrade + template: deployment.yaml + set: + # unit test does not support lookup functions, so to test the behavior we use this undoc value + # https://github.com/helm/helm/issues/8137 + unitTestUpgrade: true + values: + - ../.lint/backwards-compatibility.yaml + asserts: + - equal: + path: spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation + value: false + - equal: + path: spec.template.spec.containers[0].securityContext.capabilities + value: + drop: + - all + - equal: + path: spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem + value: true + - equal: + path: 
spec.template.spec.containers[0].securityContext.runAsNonRoot + value: true + - equal: + path: spec.template.spec.containers[0].securityContext.runAsUser + value: 9807 + - matchSnapshot: + path: spec.template.spec + + - it: should set image and tag correctly if action is Upgrade + template: deployment.yaml + values: + - ../.lint/backwards-compatibility.yaml + set: + # unit test does not support lookup functions, so to test the behavior we use this undoc value + # https://github.com/helm/helm/issues/8137 + unitTestUpgrade: true + + teleportVersionOverride: 12.2.1 + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: public.ecr.aws/gravitational/teleport-distroless:12.2.1 + - matchSnapshot: + path: spec.template.spec + + - it: should mount extraVolumes and extraVolumeMounts if action is Upgrade + template: deployment.yaml + set: + # unit test does not support lookup functions, so to test the behavior we use this undoc value + # https://github.com/helm/helm/issues/8137 + unitTestUpgrade: true + values: + - ../.lint/volumes.yaml + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /path/to/mount + name: my-mount + - contains: + path: spec.template.spec.volumes + content: + name: my-mount + secret: + secretName: mySecret + - matchSnapshot: + path: spec.template.spec + + - it: should set imagePullPolicy when set in values if action is Upgrade + template: deployment.yaml + values: + - ../.lint/backwards-compatibility.yaml + set: + # unit test does not support lookup functions, so to test the behavior we use this undoc value + # https://github.com/helm/helm/issues/8137 + unitTestUpgrade: true + + imagePullPolicy: Always + asserts: + - equal: + path: spec.template.spec.containers[0].imagePullPolicy + value: Always + - matchSnapshot: + path: spec.template.spec + + - it: should set environment when extraEnv set in values if action is Upgrade + template: deployment.yaml + set: + # unit test does not 
support lookup functions, so to test the behavior we use this undoc value + # https://github.com/helm/helm/issues/8137 + unitTestUpgrade: true + + proxyAddr: helm-lint.example.com + authToken: sample-auth-token-dont-use-this + kubeClusterName: helm-lint.example.com + extraEnv: + - name: HTTPS_PROXY + value: "http://username:password@my.proxy.host:3128" + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: HTTPS_PROXY + value: "http://username:password@my.proxy.host:3128" + - matchSnapshot: + path: spec.template.spec + + - it: should provision initContainer correctly when set in values if action is Upgrade + template: deployment.yaml + set: + # unit test does not support lookup functions, so to test the behavior we use this undoc value + # https://github.com/helm/helm/issues/8137 + unitTestUpgrade: true + values: + - ../.lint/initcontainers.yaml + asserts: + - contains: + path: spec.template.spec.initContainers[0].args + content: "echo test" + - equal: + path: spec.template.spec.initContainers[0].name + value: "teleport-init" + - equal: + path: spec.template.spec.initContainers[0].image + value: "alpine" + - equal: + path: spec.template.spec.initContainers[0].resources.limits.cpu + value: 2 + - equal: + path: spec.template.spec.initContainers[0].resources.limits.memory + value: 4Gi + - equal: + path: spec.template.spec.initContainers[0].resources.requests.cpu + value: 1 + - equal: + path: spec.template.spec.initContainers[0].resources.requests.memory + value: 2Gi + - matchSnapshot: + path: spec.template.spec + + - it: should add insecureSkipProxyTLSVerify to args when set in values if action is Upgrade + template: deployment.yaml + values: + - ../.lint/backwards-compatibility.yaml + set: + # unit test does not support lookup functions, so to test the behavior we use this undoc value + # https://github.com/helm/helm/issues/8137 + unitTestUpgrade: true + + insecureSkipProxyTLSVerify: true + asserts: + - contains: + path: 
spec.template.spec.containers[0].args + content: "--insecure" + - matchSnapshot: + path: spec.template.spec + + - it: should expose diag port if action is Upgrade + template: deployment.yaml + set: + # unit test does not support lookup functions, so to test the behavior we use this undoc value + # https://github.com/helm/helm/issues/8137 + unitTestUpgrade: true + values: + - ../.lint/backwards-compatibility.yaml + asserts: + - contains: + path: spec.template.spec.containers[0].ports + content: + name: diag + containerPort: 3000 + protocol: TCP + - matchSnapshot: + path: spec.template.spec + + - it: should set nodeSelector if set in values if action is Upgrade + template: deployment.yaml + set: + # unit test does not support lookup functions, so to test the behavior we use this undoc value + # https://github.com/helm/helm/issues/8137 + unitTestUpgrade: true + values: + - ../.lint/node-selector.yaml + asserts: + - equal: + path: spec.template.spec.nodeSelector + value: + gravitational.io/k8s-role: node + - matchSnapshot: + path: spec.template.spec + + - it: should add emptyDir for data when existingDataVolume is not set if action is Upgrade + template: deployment.yaml + set: + # unit test does not support lookup functions, so to test the behavior we use this undoc value + # https://github.com/helm/helm/issues/8137 + unitTestUpgrade: true + values: + - ../.lint/backwards-compatibility.yaml + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: data + emptyDir: {} + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /var/lib/teleport + name: data + - matchSnapshot: + path: spec.template.spec + + - it: should correctly configure existingDataVolume when set if action is Upgrade + template: deployment.yaml + set: + # unit test does not support lookup functions, so to test the behavior we use this undoc value + # https://github.com/helm/helm/issues/8137 + unitTestUpgrade: true + values: + - 
../.lint/existing-data-volume.yaml + asserts: + - notContains: + path: spec.template.spec.volumes + content: + name: data + emptyDir: {} + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /var/lib/teleport + name: teleport-kube-agent-data + - matchSnapshot: + path: spec.template.spec + + - it: should mount tls.existingCASecretName and set environment when set in values if action is Upgrade + template: deployment.yaml + set: + # unit test does not support lookup functions, so to test the behavior we use this undoc value + # https://github.com/helm/helm/issues/8137 + unitTestUpgrade: true + values: + - ../.lint/existing-tls-secret-with-ca.yaml + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: teleport-tls-ca + secret: + secretName: helm-lint-existing-tls-secret-ca + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /etc/teleport-tls-ca + name: teleport-tls-ca + readOnly: true + - contains: + path: spec.template.spec.containers[0].env + content: + name: SSL_CERT_FILE + value: /etc/teleport-tls-ca/ca.pem + - matchSnapshot: + path: spec.template.spec + + - it: should mount tls.existingCASecretName and set extra environment when set in values if action is Upgrade + template: deployment.yaml + set: + # unit test does not support lookup functions, so to test the behavior we use this undoc value + # https://github.com/helm/helm/issues/8137 + unitTestUpgrade: true + values: + - ../.lint/existing-tls-secret-with-ca.yaml + - ../.lint/extra-env.yaml + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: teleport-tls-ca + secret: + secretName: helm-lint-existing-tls-secret-ca + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /etc/teleport-tls-ca + name: teleport-tls-ca + readOnly: true + - contains: + path: spec.template.spec.containers[0].env + content: + name: SSL_CERT_FILE + value: 
/etc/teleport-tls-ca/ca.pem + - contains: + path: spec.template.spec.containers[0].env + content: + name: HTTPS_PROXY + value: http://username:password@my.proxy.host:3128 + - matchSnapshot: + path: spec.template.spec + + - it: should set priorityClassName when set in values if action is Upgrade + template: deployment.yaml + set: + # unit test does not support lookup functions, so to test the behavior we use this undoc value + # https://github.com/helm/helm/issues/8137 + unitTestUpgrade: true + values: + - ../.lint/priority-class-name.yaml + asserts: + - equal: + path: spec.template.spec.priorityClassName + value: teleport-kube-agent + - matchSnapshot: + path: spec.template.spec + + - it: should set not set priorityClassName when not set in values if action is Upgrade + template: deployment.yaml + set: + # unit test does not support lookup functions, so to test the behavior we use this undoc value + # https://github.com/helm/helm/issues/8137 + unitTestUpgrade: true + values: + - ../.lint/backwards-compatibility.yaml + asserts: + - isNull: + path: spec.template.spec.priorityClassName + - matchSnapshot: + path: spec.template.spec + + - it: should set serviceAccountName when set in values if action is Upgrade + template: deployment.yaml + set: + # unit test does not support lookup functions, so to test the behavior we use this undoc value + # https://github.com/helm/helm/issues/8137 + unitTestUpgrade: true + values: + - ../.lint/service-account-name.yaml + asserts: + - equal: + path: spec.template.spec.serviceAccountName + value: teleport-kube-agent-sa + - matchSnapshot: + path: spec.template.spec + + - it: should set default serviceAccountName when not set in values if action is Upgrade + template: deployment.yaml + set: + # unit test does not support lookup functions, so to test the behavior we use this undoc value + # https://github.com/helm/helm/issues/8137 + unitTestUpgrade: true + values: + - ../.lint/backwards-compatibility.yaml + asserts: + - equal: + path: 
spec.template.spec.serviceAccountName + value: RELEASE-NAME + - matchSnapshot: + path: spec.template.spec + + - it: should set probeTimeoutSeconds when set in values if action is Upgrade + template: deployment.yaml + set: + # unit test does not support lookup functions, so to test the behavior we use this undoc value + # https://github.com/helm/helm/issues/8137 + unitTestUpgrade: true + values: + - ../.lint/probe-timeout-seconds.yaml + asserts: + - equal: + path: spec.template.spec.containers[0].livenessProbe.timeoutSeconds + value: 5 + - equal: + path: spec.template.spec.containers[0].readinessProbe.timeoutSeconds + value: 5 + - matchSnapshot: + path: spec.template.spec + + - it: should set dnsConfig when set in values if action is Upgrade + template: deployment.yaml + set: + # unit test does not support lookup functions, so to test the behavior we use this undoc value + # https://github.com/helm/helm/issues/8137 + unitTestUpgrade: true + values: + - ../.lint/dnsconfig.yaml + asserts: + - notEqual: + path: spec.template.spec.dnsConfig + value: null + - matchSnapshot: + path: spec.template.spec.dnsConfig + + - it: should set dnsPolicy when set in values if action is Upgrade + template: deployment.yaml + set: + # unit test does not support lookup functions, so to test the behavior we use this undoc value + # https://github.com/helm/helm/issues/8137 + unitTestUpgrade: true + values: + - ../.lint/dnsconfig.yaml + asserts: + - equal: + path: spec.template.spec.dnsPolicy + value: ClusterFirstWithHostNet + + - it: should not render Deployment if action is fresh install without storage + template: deployment.yaml + release: + upgrade: false + values: + - ../.lint/all-v6.yaml + set: + storage: + enabled: false + asserts: + - hasDocuments: + count: 0 + + - it: sets by default a container security context if action is Upgrade + template: deployment.yaml + set: + # unit test does not support lookup functions, so to test the behavior we use this undoc value + # 
https://github.com/helm/helm/issues/8137 + unitTestUpgrade: true + values: + - ../.lint/initcontainers.yaml + asserts: + - matchSnapshot: + path: spec.template.spec.initContainers[0].securityContext + - matchSnapshot: + path: spec.template.spec.containers[0].securityContext + + - it: sets no container security context when manually unset and if action is Upgrade + template: deployment.yaml + set: + # unit test does not support lookup functions, so to test the behavior we use this undoc value + # https://github.com/helm/helm/issues/8137 + unitTestUpgrade: true + values: + - ../.lint/initcontainers.yaml + - ../.lint/security-context-empty.yaml + asserts: + - equal: + path: spec.template.spec.initContainers[0].securityContext + value: null + - equal: + path: spec.template.spec.containers[0].securityContext + value: null diff --git a/teleport-kube-agent-13.3.8/tests/job_test.yaml b/teleport-kube-agent-13.3.8/tests/job_test.yaml new file mode 100644 index 0000000..997dc79 --- /dev/null +++ b/teleport-kube-agent-13.3.8/tests/job_test.yaml 
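Review bot: `should set SecurityContext if action is Upgrade` asserts `capabilities.drop` equal to `- all` in lower case, which is also what the rendered snapshot earlier in this diff shows; the Kubernetes capability name is `ALL`, and the `restricted` Pod Security Standard checks for that literal, so this test pins a value that does not satisfy the standard on clusters that enforce it. The fix belongs in deployment.yaml and the snapshot (both outside this hunk), with the assertion here changed to `drop:` / `- ALL`; job_test.yaml, which starts in the next hunk and runs past the end of this page, asserts the same lower-case value. Separately, the `unitTestUpgrade: true` block with its two comment lines is repeated verbatim in every case; helm-unittest accepts `set:` at suite level, so hoisting it there once alongside `release:` would remove the ~40 copies and keep the helm/helm#8137 explanation in one place.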
@@ -0,0 +1,208 @@ +suite: Job +templates: + - delete_hook.yaml + +release: + upgrade: true +tests: + - it: should create ServiceAccount, Role, RoleBinding and Job for post-delete hook by default + template: delete_hook.yaml + values: + - ../.lint/backwards-compatibility.yaml + assets: + - containsDocument: + kind: ServiceAccount + apiVersion: v1 + - containsDocument: + kind: Role + apiVersion: rbac.authorization.k8s.io/v1 + - containsDocument: + kind: RoleBinding + apiVersion: rbac.authorization.k8s.io/v1 + - containsDocument: + kind: Job + apiVersion: batch/v1 + + - it: should set securityContext in post-delete hook + template: delete_hook.yaml + # documentIndex: 0=ServiceAccount 1=Role 2=RoleBinding 3=Job + documentIndex: 3 + values: + - ../.lint/backwards-compatibility.yaml + asserts: + - equal: + path: spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation + value: false + - equal: + path: spec.template.spec.containers[0].securityContext.capabilities + value: + drop: + - all + - equal: + path: spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem + value: true + - equal: + path: spec.template.spec.containers[0].securityContext.runAsNonRoot + value: true + - equal: + path: spec.template.spec.containers[0].securityContext.runAsUser + value: 9807 + - matchSnapshot: + path: spec.template.spec + + - it: should set nodeSelector in post-delete hook + template: delete_hook.yaml + # documentIndex: 0=ServiceAccount 1=Role 2=RoleBinding 3=Job + documentIndex: 3 + values: + - ../.lint/node-selector.yaml + asserts: + - equal: + path: spec.template.spec.nodeSelector + value: + gravitational.io/k8s-role: node + - matchSnapshot: + path: spec.template.spec + + - it: should create ServiceAccount for post-delete hook by default + template: delete_hook.yaml + # documentIndex: 0=ServiceAccount 1=Role 2=RoleBinding 3=Job + documentIndex: 0 + values: + - ../.lint/backwards-compatibility.yaml + asserts: + - containsDocument: + kind: ServiceAccount 
+ apiVersion: v1 + - equal: + path: metadata.name + value: RELEASE-NAME-delete-hook + - matchSnapshot: + path: spec.template.spec + + - it: should create ServiceAccount for post-delete hook with a custom name if serviceAccount.name is set and serviceAccount.create is true + template: delete_hook.yaml + # documentIndex: 0=ServiceAccount 1=Role 2=RoleBinding 3=Job + documentIndex: 0 + values: + - ../.lint/backwards-compatibility.yaml + set: + serviceAccount: + create: true + name: lint-serviceaccount + asserts: + - containsDocument: + kind: ServiceAccount + apiVersion: v1 + - equal: + path: metadata.name + value: lint-serviceaccount + + - it: should create Role for post-delete hook by default + template: delete_hook.yaml + values: + - ../.lint/backwards-compatibility.yaml + asserts: + - containsDocument: + kind: Role + apiVersion: rbac.authorization.k8s.io/v1 + + - it: should create RoleBinding for post-delete hook by default + template: delete_hook.yaml + values: + - ../.lint/backwards-compatibility.yaml + asserts: + - containsDocument: + kind: RoleBinding + apiVersion: rbac.authorization.k8s.io/v1 + + - it: should not create ServiceAccount for post-delete hook if serviceAccount.create is false + template: delete_hook.yaml + values: + - ../.lint/backwards-compatibility.yaml + set: + serviceAccount: + create: false + name: lint-serviceaccount + asserts: + - not: true + containsDocument: + kind: ServiceAccount + apiVersion: v1 + - matchSnapshot: + path: spec.template.spec + + - it: should inherit ServiceAccount name from values and not create serviceAccount if serviceAccount.create is false and serviceAccount.name is set + template: delete_hook.yaml + values: + - ../.lint/backwards-compatibility.yaml + set: + serviceAccount: + create: false + name: lint-serviceaccount + asserts: + - not: true + containsDocument: + kind: ServiceAccount + apiVersion: v1 + # ServiceAccount is not created in this mode + # documentIndex: 0=Role 1=RoleBinding 2=Job + - documentIndex: 2 + 
equal: + path: spec.template.spec.serviceAccountName + value: lint-serviceaccount + - documentIndex: 2 + matchSnapshot: + path: spec.template.spec + + - it: should not create Role for post-delete hook if rbac.create is false + template: delete_hook.yaml + values: + - ../.lint/backwards-compatibility.yaml + set: + rbac: + create: false + asserts: + - not: true + containsDocument: + kind: Role + apiVersion: rbac.authorization.k8s.io/v1 + + - it: should not create RoleBinding for post-delete hook if rbac.create is false + template: delete_hook.yaml + values: + - ../.lint/backwards-compatibility.yaml + set: + rbac: + create: false + asserts: + - not: true + containsDocument: + kind: RoleBinding + apiVersion: rbac.authorization.k8s.io/v1 + + - it: should not create ServiceAccount, Role or RoleBinding for post-delete hook if serviceAccount.create and rbac.create are false + template: delete_hook.yaml + values: + - ../.lint/backwards-compatibility.yaml + set: + rbac: + create: false + serviceAccount: + create: false + name: lint-serviceaccount + asserts: + - not: true + containsDocument: + kind: ServiceAccount + apiVersion: v1 + - not: true + containsDocument: + kind: Role + apiVersion: rbac.authorization.k8s.io/v1 + - not: true + containsDocument: + kind: RoleBinding + apiVersion: rbac.authorization.k8s.io/v1 + - matchSnapshot: + path: spec.template.spec diff --git a/teleport-kube-agent-13.3.8/tests/pdb_test.yaml b/teleport-kube-agent-13.3.8/tests/pdb_test.yaml new file mode 100644 index 0000000..9486b95 --- /dev/null +++ b/teleport-kube-agent-13.3.8/tests/pdb_test.yaml 
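Review bot: The first test ("should create ServiceAccount, Role, RoleBinding and Job for post-delete hook by default") keys its assertions under `assets:` instead of `asserts:`, so helm-unittest runs it with no assertions and it passes regardless of what the hook renders; change the key to `asserts:`. The remaining tests only check that a Role and RoleBinding exist — nothing pins the Role's `rules` or the RoleBinding's `subjects`/`roleRef`, so a change that widens the delete hook's RBAC would not fail any test; a `documentIndex: 1` assertion such as `matchSnapshot: {path: rules}` (or an `equal` on the verbs the template currently grants) would make that visible in review. Also, the `documentIndex: 0` ServiceAccount test snapshots `spec.template.spec`, a path that does not exist on a ServiceAccount, and the last test's `matchSnapshot` has no `documentIndex` at all, so both snapshots are likely null rather than meaningful.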
@@ -0,0 +1,26 @@
+suite: PodDisruptionBudget
+templates:
+ - pdb.yaml
+tests:
+ - it: should create a PDB when enabled in values (pdb.yaml)
+ values:
+ - ../.lint/pdb.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: PodDisruptionBudget
+ - matchSnapshot: {}
+
+ - it: sets PodDisruptionBudget labels when specified
+ values:
+ - ../.lint/pdb.yaml
+ - ../.lint/extra-labels.yaml
+ asserts:
+ - equal:
+ path: metadata.labels.app\.kubernetes\.io/name
+ value: teleport-kube-agent
+ - equal:
+ path: metadata.labels.resource
+ value: poddisruptionbudget
+ - matchSnapshot: {}
diff --git a/teleport-kube-agent-13.3.8/tests/podmonitor_test.yaml b/teleport-kube-agent-13.3.8/tests/podmonitor_test.yaml new file mode 100644
index 0000000..474f346
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/tests/podmonitor_test.yaml
@@ -0,0 +1,43 @@
+suite: PodMonitor
+templates:
+ - podmonitor.yaml
+tests:
+ - it: does not create a PodMonitor by default
+ set:
+ proxyAddr: proxy.example.com:3080
+ kubeClusterName: test-kube-cluster-name
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: creates a PodMonitor when enabled
+ set:
+ proxyAddr: proxy.example.com:3080
+ kubeClusterName: test-kube-cluster-name
+ podMonitor:
+ enabled: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: PodMonitor
+
+ - it: configures scrape interval if provided
+ set:
+ proxyAddr: proxy.example.com:3080
+ kubeClusterName: test-kube-cluster-name
+ podMonitor:
+ enabled: true
+ interval: 2m
+ asserts:
+ - equal:
+ path: spec.podMetricsEndpoints[0].interval
+ value: 2m
+
+ - it: wears additional labels if provided
+ asserts:
+ - equal:
+ path: metadata.labels.prometheus
+ value: default
+ values:
+ - ../.lint/podmonitor.yaml
\ No newline at end of file
diff --git a/teleport-kube-agent-13.3.8/tests/psp_test.yaml b/teleport-kube-agent-13.3.8/tests/psp_test.yaml new file mode 100644
index 0000000..816d12e
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/tests/psp_test.yaml
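Review bot: The last PodMonitor test, `wears additional labels if provided`, reads as a typo for `sets additional labels if provided`, and unlike the other three it asserts nothing about document count or kind, so it would pass against whatever single document `.lint/podmonitor.yaml` happens to render; add `- hasDocuments: {count: 1}` and `- isKind: {of: PodMonitor}` ahead of the label check. The file also lacks a trailing newline (`\ No newline at end of file`), which the other suites in this patch have.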
@@ -0,0 +1,55 @@ +suite: PodSecurityPolicy +templates: + - psp.yaml +tests: + - it: creates a PodSecurityPolicy when enabled in values and supported + capabilities: + majorVersion: 1 + minorVersion: 22 + set: + podSecurityPolicy: + enabled: true + asserts: + - hasDocuments: + count: 3 + - documentIndex: 0 + isKind: + of: PodSecurityPolicy + - documentIndex: 1 + isKind: + of: Role + - documentIndex: 2 + isKind: + of: RoleBinding + - matchSnapshot: {} + + - it: sets PodSecurityPolicy labels when specified + capabilities: + majorVersion: 1 + minorVersion: 22 + values: + - ../.lint/extra-labels.yaml + set: + podSecurityPolicy: + enabled: true + asserts: + - documentIndex: 0 + equal: + path: metadata.labels.app\.kubernetes\.io/name + value: teleport-kube-agent + - documentIndex: 0 + equal: + path: metadata.labels.resource + value: podsecuritypolicy + - matchSnapshot: {} + + - it: does not create a PodSecurityPolicy when enabled in values but not supported + capabilities: + majorVersion: 1 + minorVersion: 25 + set: + podSecurityPolicy: + enabled: true + asserts: + - hasDocuments: + count: 0 diff --git a/teleport-kube-agent-13.3.8/tests/role_test.yaml b/teleport-kube-agent-13.3.8/tests/role_test.yaml new file mode 100644 index 0000000..7a72555 --- /dev/null +++ b/teleport-kube-agent-13.3.8/tests/role_test.yaml @@ -0,0 +1,34 @@ +suite: Role +templates: + - role.yaml +tests: + - it: Create a Role when upgrading + release: + isupgrade: true + set: + unitTestUpgrade: true + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Role + + - it: creates a Role + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Role + - matchSnapshot: {} + + - it: sets Role labels when specified + values: + - ../.lint/extra-labels.yaml + asserts: + - equal: + path: metadata.labels.app\.kubernetes\.io/name + value: teleport-kube-agent + - equal: + path: metadata.labels.resource + value: role + - matchSnapshot: {} 
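Review bot: The supported/unsupported split is exercised at 1.22 and 1.25, but the boundary the template has to get right is 1.24 → 1.25 (PodSecurityPolicy was removed in 1.25), so neither case touches the edge; add a third case with `majorVersion: 1` / `minorVersion: 24` asserting `hasDocuments: {count: 3}`. Beyond kind checks, the policy's content is covered only by the snapshot, which tends to be regenerated rather than reviewed when it drifts; an explicit `documentIndex: 0` `equal` on the fields the template sets (e.g. `spec.privileged: false`, `spec.allowPrivilegeEscalation: false`, if present) would make a loosening of the policy stand out in a diff.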
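Review bot: `release: isupgrade: true` in "Create a Role when upgrading" is not the key the other suites in this patch use — deployment_test.yaml and job_test.yaml write `release: upgrade: true` — so this stanza is likely ignored and the upgrade path here is driven only by `unitTestUpgrade`; change it to `upgrade: true`. Nothing asserts on the Role's `rules`, so the only guard against a broader grant is the snapshot in the second test; consider `- equal: {path: rules[0].verbs, value: [...]}` with the verbs the template currently grants so that widening the agent's RBAC fails a test rather than silently updating a snapshot.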
diff --git a/teleport-kube-agent-13.3.8/tests/rolebinding_test.yaml b/teleport-kube-agent-13.3.8/tests/rolebinding_test.yaml new file mode 100644
index 0000000..bb13577
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/tests/rolebinding_test.yaml
@@ -0,0 +1,34 @@
+suite: RoleBinding
+templates:
+ - rolebinding.yaml
+tests:
+ - it: Create a RoleBinding when upgrading
+ release:
+ isupgrade: true
+ set:
+ unitTestUpgrade: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: RoleBinding
+
+ - it: creates a RoleBinding
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: RoleBinding
+ - matchSnapshot: {}
+
+ - it: sets RoleBinding labels when specified
+ values:
+ - ../.lint/extra-labels.yaml
+ asserts:
+ - equal:
+ path: metadata.labels.app\.kubernetes\.io/name
+ value: teleport-kube-agent
+ - equal:
+ path: metadata.labels.resource
+ value: rolebinding
+ - matchSnapshot: {}
diff --git a/teleport-kube-agent-13.3.8/tests/secret_test.yaml b/teleport-kube-agent-13.3.8/tests/secret_test.yaml new file mode 100644
index 0000000..086e2e4
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/tests/secret_test.yaml
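Review bot: Same `release: isupgrade: true` key as in role_test.yaml — the job and deployment suites in this patch use `release: upgrade: true`, so this stanza is likely ignored and only `unitTestUpgrade` drives the case; change it to `upgrade: true`. The suite never checks what the binding binds: an `equal` on `roleRef.kind` / `roleRef.name` and on `subjects[0].kind` being `ServiceAccount` with the release's service account name would catch a binding that points at the wrong Role or subject, which kind-only and label assertions cannot.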
@@ -0,0 +1,101 @@ +suite: Secret +templates: + - secret.yaml +tests: + - it: generate a secret when neither authToken nor joinParams.tokenName are provided + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Secret + - matchSnapshot: {} + - it: generates a secret when authToken is provided + set: + authToken: sample-auth-token-dont-use-this + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Secret + - equal: + path: metadata.name + value: teleport-kube-agent-join-token + - matchSnapshot: {} + + - it: generates a secret when joinParams.tokenName is provided + set: + joinParams: + tokenName: sample-auth-token-dont-use-this + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Secret + - equal: + path: metadata.name + value: teleport-kube-agent-join-token + - matchSnapshot: {} + + - it: generates a secret with a custom name when authToken and secretName are provided + set: + authToken: sample-auth-token-dont-use-this + secretName: some-other-secret-name + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Secret + - equal: + path: metadata.name + value: some-other-secret-name + - matchSnapshot: {} + + - it: generates a secret with a custom name when authToken and joinTokenSecret.name are provided + set: + authToken: sample-auth-token-dont-use-this + joinTokenSecret: + name: some-other-secret-name + create: true + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Secret + - equal: + path: metadata.name + value: some-other-secret-name + - matchSnapshot: {} + + - it: does not create a secret when joinTokenSecret.create is false + set: + authToken: sample-auth-token-dont-use-this + joinTokenSecret: + name: some-other-secret-name + create: false + asserts: + - hasDocuments: + count: 0 + + - it: sets Secret labels when specified + values: + - ../.lint/extra-labels.yaml + asserts: + - equal: + path: metadata.labels.app\.kubernetes\.io/name + value: teleport-kube-agent + - equal: + path: metadata.labels.resource + value: secret + - matchSnapshot: 
{} + + - it: sets Secret annotations when specified + values: + - ../.lint/annotations.yaml + asserts: + - equal: + path: metadata.annotations.kubernetes\.io/secret + value: test-annotation + - equal: + path: metadata.annotations.kubernetes\.io/secret-different + value: 6 + - matchSnapshot: {} diff --git a/teleport-kube-agent-13.3.8/tests/serviceaccount_test.yaml b/teleport-kube-agent-13.3.8/tests/serviceaccount_test.yaml new file mode 100644 index 0000000..4b17670 --- /dev/null +++ b/teleport-kube-agent-13.3.8/tests/serviceaccount_test.yaml @@ -0,0 +1,33 @@ +suite: ServiceAccount +templates: + - serviceaccount.yaml +tests: + - it: sets ServiceAccount labels when specified + values: + - ../.lint/extra-labels.yaml + asserts: + - equal: + path: metadata.labels.app\.kubernetes\.io/name + value: teleport-kube-agent + - equal: + path: metadata.labels.resource + value: serviceaccount + - matchSnapshot: {} + + - it: sets ServiceAccount annotations when specified + values: + - ../.lint/annotations.yaml + asserts: + - equal: + path: metadata.annotations.kubernetes\.io/serviceaccount + value: test-annotation + - equal: + path: metadata.annotations.kubernetes\.io/serviceaccount-different + value: 5 + - matchSnapshot: {} + - it: skips ServiceAccount creation + set: + serviceAccount.create: false + asserts: + - hasDocuments: + count: 0 \ No newline at end of file diff --git a/teleport-kube-agent-13.3.8/tests/statefulset_test.yaml b/teleport-kube-agent-13.3.8/tests/statefulset_test.yaml new file mode 100644 index 0000000..b950b97 --- /dev/null +++ b/teleport-kube-agent-13.3.8/tests/statefulset_test.yaml 
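Review bot: None of the token cases assert on the Secret's payload — the `authToken`, `joinParams.tokenName` and custom-name tests check only `metadata.name`, so a template regression that writes the token under the wrong key or leaves the body empty would still pass; add `- isNotNull: {path: data}` (or `stringData`) for the key the agent reads from its `/etc/teleport-secrets` mount. The first test locks in that a Secret is emitted even when neither `authToken` nor `joinParams.tokenName` is set; if that is intentional, a one-line comment saying what the Secret holds in that mode would stop a reader from treating it as a bug. The annotations test expects `value: 6`, an integer; Kubernetes annotations are strings, so if the template passes `.lint/annotations.yaml` through `toYaml` without quoting, the API server would reject the rendered object — worth confirming the lint value is quoted or that the test asserts the string `"6"`.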
@@ -0,0 +1,721 @@ +suite: StatefulSet +templates: + - statefulset.yaml + - config.yaml +tests: + - it: creates a StatefulSet + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + elease: + isupgrade: true + asserts: + - isKind: + of: StatefulSet + - hasDocuments: + count: 1 + + - it: sets StatefulSet labels when specified + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + - ../.lint/extra-labels.yaml + asserts: + - equal: + path: metadata.labels.app\.kubernetes\.io/name + value: teleport-kube-agent + - equal: + path: metadata.labels.resource + value: deployment + - matchSnapshot: {} + + - it: sets Pod labels when specified + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + - ../.lint/extra-labels.yaml + asserts: + - equal: + path: spec.template.metadata.labels.app\.kubernetes\.io/name + value: teleport-kube-agent + - equal: + path: spec.template.metadata.labels.resource + value: pod + - matchSnapshot: + path: spec.template.spec + + - it: sets Pod annotations when specified + template: statefulset.yaml + values: + - ../.lint/annotations.yaml + - ../.lint/stateful.yaml + asserts: + - equal: + path: spec.template.metadata.annotations.kubernetes\.io/pod + value: test-annotation + - equal: + path: spec.template.metadata.annotations.kubernetes\.io/pod-different + value: 4 + - matchSnapshot: + path: spec.template.spec + + - it: should have one replica when replicaCount is not set + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + asserts: + - equal: + path: spec.replicas + value: 1 + - matchSnapshot: + path: spec.template.spec + + - it: should have multiple replicas when replicaCount is set (using .replicaCount, deprecated) + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + set: + replicaCount: 3 + asserts: + - equal: + path: spec.replicas + value: 3 + - matchSnapshot: + path: spec.template.spec + + - it: should have multiple replicas when replicaCount is set (using 
highAvailability.replicaCount) + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + set: + highAvailability: + replicaCount: 3 + asserts: + - equal: + path: spec.replicas + value: 3 + - matchSnapshot: + path: spec.template.spec + + - it: should set affinity when set in values + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + - ../.lint/affinity.yaml + asserts: + - isNotNull: + path: spec.template.spec.affinity + - matchSnapshot: + path: spec.template.spec + + - it: should set required affinity when highAvailability.requireAntiAffinity is set + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + set: + highAvailability: + replicaCount: 2 + requireAntiAffinity: true + asserts: + - isNotNull: + path: spec.template.spec.affinity + - isNotNull: + path: spec.template.spec.affinity.podAntiAffinity + - isNotNull: + path: spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution + - isNull: + path: spec.template.spec.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution + - matchSnapshot: + path: spec.template.spec + + - it: should set preferred affinity when more than one replica is used + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + set: + highAvailability: + replicaCount: 3 + asserts: + - isNotNull: + path: spec.template.spec.affinity + - isNotNull: + path: spec.template.spec.affinity.podAntiAffinity + - isNotNull: + path: spec.template.spec.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution + - isNull: + path: spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution + - matchSnapshot: + path: spec.template.spec + + - it: should set tolerations when set in values + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + - ../.lint/tolerations.yaml + asserts: + - isNotNull: + path: spec.template.spec.tolerations + - matchSnapshot: + path: spec.template.spec + + - it: should set resources 
when set in values + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + - ../.lint/resources.yaml + asserts: + - equal: + path: spec.template.spec.containers[0].resources.limits.cpu + value: 2 + - equal: + path: spec.template.spec.containers[0].resources.limits.memory + value: 4Gi + - equal: + path: spec.template.spec.containers[0].resources.requests.cpu + value: 1 + - equal: + path: spec.template.spec.containers[0].resources.requests.memory + value: 2Gi + - matchSnapshot: + path: spec.template.spec + + - it: should set SecurityContext + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + asserts: + - equal: + path: spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation + value: false + - equal: + path: spec.template.spec.containers[0].securityContext.capabilities + value: + drop: + - all + - equal: + path: spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem + value: true + - equal: + path: spec.template.spec.containers[0].securityContext.runAsNonRoot + value: true + - equal: + path: spec.template.spec.containers[0].securityContext.runAsUser + value: 9807 + - matchSnapshot: + path: spec.template.spec + + - it: should set image and tag correctly + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + set: + teleportVersionOverride: 12.2.1 + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: public.ecr.aws/gravitational/teleport-distroless:12.2.1 + - matchSnapshot: + path: spec.template.spec + + - it: should mount extraVolumes and extraVolumeMounts + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + - ../.lint/volumes.yaml + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /path/to/mount + name: my-mount + - contains: + path: spec.template.spec.volumes + content: + name: my-mount + secret: + secretName: mySecret + - matchSnapshot: + path: spec.template.spec + + - it: should mount auth token if 
token is provided + template: statefulset.yaml + values: + - ../.lint/join-params-token.yaml + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - contains: + path: spec.template.spec.volumes + content: + name: auth-token + secret: + secretName: teleport-kube-agent-join-token + + - it: should set imagePullPolicy when set in values + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + set: + imagePullPolicy: Always + asserts: + - equal: + path: spec.template.spec.containers[0].imagePullPolicy + value: Always + - matchSnapshot: + path: spec.template.spec + + - it: should set environment when extraEnv set in values + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + set: + extraEnv: + - name: HTTPS_PROXY + value: "http://username:password@my.proxy.host:3128" + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - contains: + path: spec.template.spec.containers[0].env + content: + name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - contains: + path: spec.template.spec.containers[0].env + content: + name: HTTPS_PROXY + value: "http://username:password@my.proxy.host:3128" + - matchSnapshot: + path: spec.template.spec + + - it: should provision initContainer correctly when set in values + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + - ../.lint/initcontainers.yaml + asserts: + - contains: + path: spec.template.spec.initContainers[0].args + content: "echo test" + - equal: + path: spec.template.spec.initContainers[0].name + value: "teleport-init" + - equal: + path: spec.template.spec.initContainers[0].image + value: "alpine" + - equal: + path: spec.template.spec.initContainers[0].resources.limits.cpu + value: 2 + - equal: + path: 
spec.template.spec.initContainers[0].resources.limits.memory + value: 4Gi + - equal: + path: spec.template.spec.initContainers[0].resources.requests.cpu + value: 1 + - equal: + path: spec.template.spec.initContainers[0].resources.requests.memory + value: 2Gi + - matchSnapshot: + path: spec.template.spec + + - it: should add insecureSkipProxyTLSVerify to args when set in values + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + set: + insecureSkipProxyTLSVerify: true + asserts: + - contains: + path: spec.template.spec.containers[0].args + content: "--insecure" + - matchSnapshot: + path: spec.template.spec + + - it: should expose diag port + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + asserts: + - contains: + path: spec.template.spec.containers[0].ports + content: + name: diag + containerPort: 3000 + protocol: TCP + - matchSnapshot: + path: spec.template.spec + + - it: should set nodeSelector if set in values + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + - ../.lint/node-selector.yaml + asserts: + - equal: + path: spec.template.spec.nodeSelector + value: + gravitational.io/k8s-role: node + - matchSnapshot: + path: spec.template.spec + + - it: should not add emptyDir for data when using StatefulSet + template: statefulset.yaml + release: + isupgrade: true + set: + unitTestUpgrade: true + values: + - ../.lint/stateful.yaml + asserts: + - notContains: + path: spec.template.spec.volumes + content: + name: data + emptyDir: {} + - matchSnapshot: + path: spec.template.spec + + - it: should add volumeMount for data volume when using StatefulSet + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + asserts: + - notContains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: data + mountPath: RELEASE-NAME-teleport-data + - matchSnapshot: + path: spec.template.spec + + - it: should add volumeClaimTemplate for data volume when using StatefulSet and action is an Upgrade + template: 
statefulset.yaml + values: + - ../.lint/stateful.yaml + set: + # unit test does not support lookup functions, so to test the behavior we use this undoc value + # https://github.com/helm/helm/issues/8137 + unitTestUpgrade: true + release: + isupgrade: true + asserts: + - isNotNull: + path: spec.volumeClaimTemplates[0].spec + - matchSnapshot: + path: spec.template.spec + + - it: should add volumeClaimTemplate for data volume when using StatefulSet and is Fresh Install + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + set: + # unit test does not support lookup functions, so to test the behavior we use this undoc value + # https://github.com/helm/helm/issues/8137 + unitTestUpgrade: true + release: + isupgrade: false + asserts: + - isNotNull: + path: spec.volumeClaimTemplates + - matchSnapshot: {} + + - it: should set storage.storageClassName when set in values and action is an Upgrade + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + release: + isupgrade: true + set: + # unit test does not support lookup functions, so to test the behavior we use this undoc value + # https://github.com/helm/helm/issues/8137 + unitTestUpgrade: true + + storage: + storageClassName: helm-lint-storage-class + asserts: + - equal: + path: spec.volumeClaimTemplates[0].spec.storageClassName + value: helm-lint-storage-class + - matchSnapshot: + path: spec.template.spec + + - it: should set storage.requests when set in values and action is an Upgrade + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + release: + isupgrade: true + set: + storage: + requests: 256Mi + # unit test does not support lookup functions, so to test the behavior we use this undoc value + # https://github.com/helm/helm/issues/8137 + unitTestUpgrade: true + asserts: + - equal: + path: spec.volumeClaimTemplates[0].spec.resources.requests.storage + value: 256Mi + - matchSnapshot: + path: spec.template.spec + + - it: should mount tls.existingCASecretName and set environment 
when set in values + template: statefulset.yaml + values: + - ../.lint/existing-tls-secret-with-ca.yaml + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: teleport-tls-ca + secret: + secretName: helm-lint-existing-tls-secret-ca + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /etc/teleport-tls-ca + name: teleport-tls-ca + readOnly: true + - contains: + path: spec.template.spec.containers[0].env + content: + name: SSL_CERT_FILE + value: /etc/teleport-tls-ca/ca.pem + - matchSnapshot: + path: spec.template.spec + + - it: should mount tls.existingCASecretName and set extra environment when set in values + template: statefulset.yaml + values: + - ../.lint/existing-tls-secret-with-ca.yaml + - ../.lint/extra-env.yaml + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: teleport-tls-ca + secret: + secretName: helm-lint-existing-tls-secret-ca + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /etc/teleport-tls-ca + name: teleport-tls-ca + readOnly: true + - contains: + path: spec.template.spec.containers[0].env + content: + name: SSL_CERT_FILE + value: /etc/teleport-tls-ca/ca.pem + - contains: + path: spec.template.spec.containers[0].env + content: + name: HTTPS_PROXY + value: http://username:password@my.proxy.host:3128 + - matchSnapshot: + path: spec.template.spec + + + - it: should set serviceAccountName when set in values + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + - ../.lint/service-account-name.yaml + asserts: + - equal: + path: spec.template.spec.serviceAccountName + value: teleport-kube-agent-sa + - matchSnapshot: + path: spec.template.spec + + - it: should set default serviceAccountName when not set in values + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + - ../.lint/backwards-compatibility.yaml + asserts: + - equal: + path: spec.template.spec.serviceAccountName + value: RELEASE-NAME + - 
matchSnapshot: + path: spec.template.spec + + - it: should set probeTimeoutSeconds when set in values + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + - ../.lint/probe-timeout-seconds.yaml + asserts: + - equal: + path: spec.template.spec.containers[0].livenessProbe.timeoutSeconds + value: 5 + - equal: + path: spec.template.spec.containers[0].readinessProbe.timeoutSeconds + value: 5 + - matchSnapshot: + path: spec.template.spec + + - it: should set dnsConfig when set in values + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + - ../.lint/dnsconfig.yaml + asserts: + - notEqual: + path: spec.template.spec.dnsConfig + value: null + - matchSnapshot: + path: spec.template.spec.dnsConfig + + - it: should set dnsPolicy when set in values + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + - ../.lint/dnsconfig.yaml + asserts: + - equal: + path: spec.template.spec.dnsPolicy + value: ClusterFirstWithHostNet + + - it: should install Statefulset when storage is disabled and mode is a Fresh Install + template: statefulset.yaml + release: + isupgrade: false + values: + - ../.lint/stateful.yaml + set: + storage: + enabled: false + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - contains: + path: spec.template.spec.containers[0].env + content: + name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - notContains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: data + mountPath: RELEASE-NAME-teleport-data + - isNull: + path: spec.volumeClaimTemplates + - matchSnapshot: + path: spec.template.spec + + - it: should generate Statefulset when storage is disabled and mode is a Upgrade + template: statefulset.yaml + release: + isupgrade: true + values: + - ../.lint/stateful.yaml + set: + unitTestUpgrade: false + storage: + enabled: false + asserts: + - contains: + path: 
spec.template.spec.containers[0].env + content: + name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - contains: + path: spec.template.spec.containers[0].env + content: + name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - notContains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: data + mountPath: RELEASE-NAME-teleport-data + - isNull: + path: spec.volumeClaimTemplates + - matchSnapshot: + path: spec.template.spec + + - it: sets by default a container security context + template: statefulset.yaml + values: + - ../.lint/initcontainers.yaml + asserts: + - matchSnapshot: + path: spec.template.spec.initContainers[0].securityContext + - matchSnapshot: + path: spec.template.spec.containers[0].securityContext + + - it: sets no container security context when manually unset + template: statefulset.yaml + values: + - ../.lint/initcontainers.yaml + - ../.lint/security-context-empty.yaml + asserts: + - equal: + path: spec.template.spec.initContainers[0].securityContext + value: null + - equal: + path: spec.template.spec.containers[0].securityContext + value: null + + - it: should enable maintenance schedule export when updater is enabled + template: statefulset.yaml + values: + - ../.lint/existing-tls-secret-with-ca.yaml + - ../.lint/updater.yaml + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: TELEPORT_EXT_UPGRADER + value: kube + + - it: should set the installation method environment variable + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + + - it: should set the hostAliases when specified + template: statefulset.yaml + values: + - ../.lint/stateful.yaml + - ../.lint/host-aliases.yaml + asserts: + - equal: + path: spec.template.spec.hostAliases + value: + - ip: "127.0.0.1" + hostnames: 
+ - "foo.local" + - "bar.local" + - ip: "10.1.2.3" + hostnames: + - "foo.remote" + - "bar.remote" diff --git a/teleport-kube-agent-13.3.8/tests/updater_deployment_test.yaml b/teleport-kube-agent-13.3.8/tests/updater_deployment_test.yaml new file mode 100644 index 0000000..1ec3429 --- /dev/null +++ b/teleport-kube-agent-13.3.8/tests/updater_deployment_test.yaml 
@@ -0,0 +1,227 @@ +suite: Updater Deployment +templates: + - updater/deployment.yaml +tests: + # + # Basic tests + # + - it: does not create a Deployment when updater.enabled is false (default) + asserts: + - hasDocuments: + count: 0 + - it: creates a Deployment when updater.enabled is true + values: + - ../.lint/updater.yaml + asserts: + - containsDocument: + kind: Deployment + apiVersion: apps/v1 + name: RELEASE-NAME-updater + namespace: NAMESPACE + # + # Testing the agent configuration + # + - it: sets the updater base image + values: + - ../.lint/updater.yaml + set: + image: repo.example.com/gravitational/teleport-distroless + asserts: + - contains: + path: spec.template.spec.containers[0].args + content: "--base-image=repo.example.com/gravitational/teleport-distroless" + - it: sets the updater base entreprise image + values: + - ../.lint/updater.yaml + set: + enterprise: true + asserts: + - contains: + path: spec.template.spec.containers[0].args + content: "--base-image=public.ecr.aws/gravitational/teleport-ent-distroless" + - it: sets the updater agent name + values: + - ../.lint/updater.yaml + release: + name: my-release + asserts: + - contains: + path: spec.template.spec.containers[0].args + content: "--agent-name=my-release" + - it: sets the updater agent namespace + values: + - ../.lint/updater.yaml + release: + namespace: my-namespace + asserts: + - contains: + path: spec.template.spec.containers[0].args + content: "--agent-namespace=my-namespace" + - it: sets the updater version server + values: + - ../.lint/updater.yaml + asserts: + - contains: + path: spec.template.spec.containers[0].args + content: "--version-server=https://my-custom-version-server/v1" + - it: sets the updater release channel + values: + - ../.lint/updater.yaml + asserts: + - contains: + path: spec.template.spec.containers[0].args + content: "--version-channel=custom/preview" + # + # Kubernetes-related tests + # + - it: sets the deployment annotations + values: + - 
../.lint/updater.yaml + - ../.lint/annotations.yaml + asserts: + - equal: + path: metadata.annotations.kubernetes\.io/deployment + value: test-annotation + - equal: + path: metadata.annotations.kubernetes\.io/deployment-different + value: 3 + - it: sets the pod annotations + values: + - ../.lint/updater.yaml + - ../.lint/annotations.yaml + asserts: + - equal: + path: spec.template.metadata.annotations.kubernetes\.io/pod + value: test-annotation + - equal: + path: spec.template.metadata.annotations.kubernetes\.io/pod-different + value: 4 + - it: sets the affinity + values: + - ../.lint/updater.yaml + - ../.lint/affinity.yaml + asserts: + - isNotNull: + path: spec.template.spec.affinity + - matchSnapshot: + path: spec.template.spec + - it: sets the tolerations + values: + - ../.lint/updater.yaml + - ../.lint/tolerations.yaml + asserts: + - isNotNull: + path: spec.template.spec.tolerations + - matchSnapshot: + path: spec.template.spec + - it: sets the imagePullSecrets + values: + - ../.lint/updater.yaml + - ../.lint/imagepullsecrets.yaml + asserts: + - equal: + path: spec.template.spec.imagePullSecrets[0].name + value: myRegistryKeySecretName + - it: sets the nodeSelector + values: + - ../.lint/updater.yaml + - ../.lint/node-selector.yaml + asserts: + - equal: + path: spec.template.spec.nodeSelector + value: + gravitational.io/k8s-role: node + - it: sets the updater container image and version + values: + - ../.lint/updater.yaml + set: + teleportVersionOverride: 12.2.1 + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: public.ecr.aws/gravitational/teleport-kube-agent-updater:12.2.1 + - it: sets the updater container imagePullPolicy + values: + - ../.lint/updater.yaml + - ../.lint/image-pull-policy.yaml + asserts: + - equal: + path: spec.template.spec.containers[0].imagePullPolicy + value: Always + - it: mounts the tls CA if provided and set the env var + values: + - ../.lint/updater.yaml + - ../.lint/existing-tls-secret-with-ca.yaml + 
asserts: + - contains: + path: spec.template.spec.volumes + content: + name: teleport-tls-ca + secret: + secretName: helm-lint-existing-tls-secret-ca + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /etc/teleport-tls-ca + name: teleport-tls-ca + readOnly: true + - contains: + path: spec.template.spec.containers[0].env + content: + name: SSL_CERT_FILE + value: /etc/teleport-tls-ca/ca.pem + - it: sets the updater container extraEnv + values: + - ../.lint/updater.yaml + - ../.lint/extra-env.yaml + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: HTTPS_PROXY + value: http://username:password@my.proxy.host:3128 + - it: sets the pod resources + values: + - ../.lint/updater.yaml + - ../.lint/resources.yaml + asserts: + - equal: + path: spec.template.spec.containers[0].resources.limits.cpu + value: 2 + - equal: + path: spec.template.spec.containers[0].resources.limits.memory + value: 4Gi + - equal: + path: spec.template.spec.containers[0].resources.requests.cpu + value: 1 + - equal: + path: spec.template.spec.containers[0].resources.requests.memory + value: 2Gi + - it: sets the pod priorityClass + values: + - ../.lint/updater.yaml + - ../.lint/priority-class-name.yaml + asserts: + - equal: + path: spec.template.spec.priorityClassName + value: teleport-kube-agent + - it: sets the pod service-account + values: + - ../.lint/updater.yaml + - ../.lint/service-account-name.yaml + asserts: + - equal: + path: spec.template.spec.serviceAccountName + value: teleport-kube-agent-sa-updater + - it: sets the pod service-account (override) + values: + - ../.lint/updater.yaml + - ../.lint/service-account-name.yaml + set: + updater: + serviceAccount: + name: distinct-updater-sa + asserts: + - equal: + path: spec.template.spec.serviceAccountName + value: distinct-updater-sa 
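Review bot: Nothing in this suite checks the updater container's securityContext, whereas the agent StatefulSet suite earlier in this patch snapshots `spec.template.spec.containers[0].securityContext` by default; the updater is presumably the component allowed to act on the agent workload named by `--agent-name`/`--agent-namespace`, so whatever hardening `updater/deployment.yaml` sets (non-root, read-only rootfs, dropped capabilities) deserves the same regression test. I cannot see that template, so this may be only a missing test rather than a missing securityContext, but either way I would add `- it: sets by default a container security context` with `- matchSnapshot: path: spec.template.spec.containers[0].securityContext`, and the `security-context-empty.yaml` unset case if the template honours it.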
diff --git a/teleport-kube-agent-13.3.8/tests/updater_role_test.yaml b/teleport-kube-agent-13.3.8/tests/updater_role_test.yaml
new file mode 100644
index 0000000..c0266c7
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/tests/updater_role_test.yaml
@@ -0,0 +1,39 @@
+suite: Updater Role
+templates:
+ - updater/role.yaml
+tests:
+ #
+ # Basic tests
+ #
+ - it: does not create a Role when updater.enabled is false (default)
+ asserts:
+ - hasDocuments:
+ count: 0
+ - it: creates a Role when updater.enabled is true
+ values:
+ - ../.lint/updater.yaml
+ asserts:
+ - containsDocument:
+ kind: Role
+ apiVersion: rbac.authorization.k8s.io/v1
+ name: RELEASE-NAME-updater
+ namespace: NAMESPACE
+ - it: does not create a Role when updater.enabled is true but rbac creation is disabled
+ values:
+ - ../.lint/updater.yaml
+ set:
+ rbac:
+ create: false
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ #
+ # Catch-all content test
+ #
+ - it: sets the correct role rules
+ values:
+ - ../.lint/updater.yaml
+ asserts:
+ - matchSnapshot:
+ path: rules
diff --git a/teleport-kube-agent-13.3.8/tests/updater_rolebinding_test.yaml b/teleport-kube-agent-13.3.8/tests/updater_rolebinding_test.yaml
new file mode 100644
index 0000000..2b04f74
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/tests/updater_rolebinding_test.yaml
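Review bot: The only content check on the updater Role is `matchSnapshot: path: rules`, which means any widening of the updater's permissions (an extra verb, a `*` resource, a new apiGroup) is accepted by simply regenerating the snapshot and never has to be justified in review. Since this Role is what lets the updater act inside `--agent-namespace`, I would pin the rules explicitly with an `equal: path: rules` assertion listing the exact apiGroups/resources/verbs, and keep the snapshot only as a secondary guard. The rule set itself lives in `updater/role.yaml`, which is outside this hunk, so I cannot say what it currently grants.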
@@ -0,0 +1,49 @@
+suite: Updater Role
+templates:
+ - updater/rolebinding.yaml
+tests:
+ #
+ # Basic tests
+ #
+ - it: does not create a RoleBinding when updater.enabled is false (default)
+ asserts:
+ - hasDocuments:
+ count: 0
+ - it: creates a RoleBinding when updater.enabled is true
+ values:
+ - ../.lint/updater.yaml
+ asserts:
+ - containsDocument:
+ kind: RoleBinding
+ apiVersion: rbac.authorization.k8s.io/v1
+ name: RELEASE-NAME-updater
+ namespace: NAMESPACE
+ - it: does not create a RoleBinding when updater.enabled is true but rbac creation is disabled
+ values:
+ - ../.lint/updater.yaml
+ set:
+ rbac:
+ create: false
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ #
+ # Catch-all content test
+ #
+ - it: sets the correct rolebinding content
+ values:
+ - ../.lint/updater.yaml
+ asserts:
+ - equal:
+ path: roleRef
+ value:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: RELEASE-NAME-updater
+ - equal:
+ path: subjects
+ value:
+ - kind: ServiceAccount
+ name: RELEASE-NAME-updater
+ namespace: NAMESPACE
diff --git a/teleport-kube-agent/values-home.yaml b/teleport-kube-agent-13.3.8/values-home.yaml
similarity index 100%
rename from teleport-kube-agent/values-home.yaml
rename to teleport-kube-agent-13.3.8/values-home.yaml
diff --git a/teleport-kube-agent-13.3.8/values.schema.json b/teleport-kube-agent-13.3.8/values.schema.json
new file mode 100644
index 0000000..cd0b57b
--- /dev/null
+++ b/teleport-kube-agent-13.3.8/values.schema.json
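Review bot: `suite: Updater Role` on the first line of this file is copied from the Role suite and should read `suite: Updater RoleBinding`, otherwise the two suites are indistinguishable in the runner output. More importantly, the deployment suite verifies that `updater.serviceAccount.name: distinct-updater-sa` overrides the pod's `serviceAccountName`, but nothing here verifies that the RoleBinding subject follows the same override; if it does not, the overridden pod runs without the Role it needs, or the binding dangles on a non-existent account. I would add a test with `set: updater.serviceAccount.name: distinct-updater-sa` asserting `subjects[0].name` equals `distinct-updater-sa`.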
@@ -0,0 +1,647 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema", + "type": "object", + "required": [ + "proxyAddr", + "roles", + "joinParams", + "kubeClusterName", + "apps", + "appResources", + "awsDatabases", + "azureDatabases", + "databases", + "databaseResources", + "teleportVersionOverride", + "insecureSkipProxyTLSVerify", + "teleportConfig", + "existingDataVolume", + "podSecurityPolicy", + "labels", + "image", + "clusterRoleName", + "clusterRoleBindingName", + "roleName", + "roleBindingName", + "podMonitor", + "serviceAccountName", + "secretName", + "log", + "affinity", + "annotations", + "extraVolumes", + "extraVolumeMounts", + "imagePullPolicy", + "initContainers", + "resources", + "tolerations", + "probeTimeoutSeconds" + ], + "properties": { + "authToken": { + "$id": "#/properties/authToken", + "type": "string", + "default": "" + }, + "proxyAddr": { + "$id": "#/properties/proxyAddr", + "type": "string", + "default": "" + }, + "roles": { + "$id": "#/properties/roles", + "type": "string", + "default": "kube" + }, + "joinParams": { + "$id": "#/properties/joinParams", + "type": "object", + "required": ["method"], + "properties": { + "tokenName": { + "$id": "#/properties/joinParams/tokenName", + "type": "string", + "default": "" + }, + "method": { + "$id": "#/properties/joinParams/method", + "type": "string", + "default": "token" + }, + "additionalProperties": false + } + }, + "kubeClusterName": { + "$id": "#/properties/kubeClusterName", + "type": "string", + "default": "" + }, + "apps": { + "$id": "#/properties/apps", + "type": "array", + "default": [], + "required": [ + "name", + "uri" + ], + "properties": { + "name": { + "$id": "#/properties/apps/name", + "type": "string", + "default": "" + }, + "uri": { + "$id": "#/properties/apps/uri", + "type": "string", + "default": "" + }, + "additionalProperties": true + } + }, + "appResources": { + "$id": "#/properties/appResources", + "type": "array", + "default": [], + "required": [ + "labels" + ], + 
"properties": { + "labels": { + "$id": "#/properties/appResources/labels", + "type": "object" + }, + "additionalProperties": false + } + }, + "awsDatabases": { + "$id": "#/properties/awsDatabases", + "type": "array", + "default": [], + "required": [ + "types", + "regions", + "tags" + ], + "properties": { + "types": { + "$id": "#/properties/awsDatabases/types", + "type": "array", + "default": [] + }, + "regions": { + "$id": "#/properties/awsDatabases/regions", + "type": "string", + "default": [] + }, + "tags": { + "$id": "#/properties/awsDatabases/tags", + "type": "string", + "default": [] + }, + "additionalProperties": false + } + }, + "azureDatabases": { + "$id": "#/properties/azureDatabases", + "type": "array", + "default": [], + "items": { + "type": "object", + "default": {}, + "required": [ + "types", + "tags" + ], + "properties": { + "types": { + "$id": "#/properties/azureDatabases/types", + "type": "array", + "items": { + "type": "string" + }, + "default": [] + }, + "tags": { + "$id": "#/properties/azureDatabases/tags", + "type": "object", + "default": {}, + "additionalProperties": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "array", + "items": { + "type": "string" + } + } + ] + } + }, + "subscriptions": { + "$id": "#/properties/azureDatabases/subscriptions", + "type": "array", + "items": { + "type": "string" + }, + "default": [] + }, + "regions": { + "$id": "#/properties/azureDatabases/regions", + "type": "array", + "items": { + "type": "string" + }, + "default": [] + }, + "resource_groups": { + "$id": "#/properties/azureDatabases/resource_groups", + "type": "array", + "items": { + "type": "string" + }, + "default": [] + }, + "additionalProperties": false + } + } + }, + "databases": { + "$id": "#/properties/databases", + "type": "array", + "default": [] + }, + "databaseResources": { + "$id": "#/properties/databaseResources", + "type": "array", + "default": [], + "required": [ + "labels" + ], + "properties": { + "labels": { + "$id": 
"#/properties/databaseResources/labels", + "type": "object" + }, + "additionalProperties": false + } + }, + "teleportVersionOverride": { + "$id": "#/properties/teleportVersionOverride", + "type": "string", + "default": "" + }, + "caPin": { + "$id": "#/properties/caPin", + "type": "array", + "items": { + "type": "string" + }, + "default": [] + }, + "insecureSkipProxyTLSVerify": { + "$id": "#/properties/insecureSkipProxyTLSVerify", + "type": "boolean", + "default": false + }, + "teleportConfig": { + "$id": "#/properties/teleportConfig", + "type": "object", + "default": {} + }, + "tls": { + "$id": "#/properties/tls", + "type": "object", + "required": [ + "existingCASecretName" + ], + "properties": { + "existingCASecretName": { + "$id": "#/properties/tls/properties/existingCASecretName", + "type": "string", + "default": "" + } + } + }, + "existingDataVolume": { + "$id": "#/properties/existingDataVolume", + "type": "string", + "default": "" + }, + "podSecurityPolicy": { + "$id": "#/properties/podSecurityPolicy", + "type": "object", + "required": [ + "enabled" + ], + "properties": { + "enabled": { + "$id": "#/properties/podSecurityPolicy/properties/enabled", + "type": "boolean", + "default": true + } + } + }, + "labels": { + "$id": "#/properties/labels", + "type": "object", + "default": {} + }, + "image": { + "$id": "#/properties/image", + "type": "string", + "default": "public.ecr.aws/gravitational/teleport-distroless" + }, + "enterpriseImage": { + "$id": "#/properties/enterpriseImage", + "type": "string", + "default": "public.ecr.aws/gravitational/teleport-ent-distroless" + }, + "imagePullSecrets": { + "$id": "#/properties/imagePullSecrets", + "type": "array", + "default": [] + }, + "replicaCount": { + "$id": "#/properties/replicaCount", + "type": "integer", + "default": 1 + }, + "clusterRoleName": { + "$id": "#/properties/clusterRoleName", + "type": "string", + "default": "" + }, + "clusterRoleBindingName": { + "$id": "#/properties/clusterRoleBindingName", + "type": 
"string", + "default": "" + }, + "roleName": { + "$id": "#/properties/roleName", + "type": "string", + "default": "" + }, + "roleBindingName": { + "$id": "#/properties/roleBindingName", + "type": "string", + "default": "" + }, + "highAvailability": { + "$id": "#/properties/highAvailability", + "type": "object", + "required": [ + "podDisruptionBudget", + "replicaCount", + "requireAntiAffinity" + ], + "properties": { + "podDisruptionBudget": { + "$id": "#/properties/highAvailability/properties/podDisruptionBudget", + "type": "object", + "required": [ + "enabled", + "minAvailable" + ], + "properties": { + "enabled": { + "$id": "#/properties/highAvailability/properties/podDisruptionBudget/properties/enabled", + "type": "boolean", + "default": false + }, + "minAvailable": { + "$id": "#/properties/highAvailability/properties/podDisruptionBudget/properties/minAvailable", + "type": "integer", + "default": 1 + } + } + }, + "replicaCount": { + "$id": "#/properties/highAvailability/properties/replicaCount", + "type": "integer", + "default": 1 + }, + "requireAntiAffinity": { + "$id": "#/properties/highAvailability/properties/requireAntiAffinity", + "type": "boolean", + "default": false + } + } + }, + "podMonitor": { + "$id": "#/properties/podMonitor", + "type": "object", + "required": ["enabled"], + "properties": { + "enabled": { + "$id": "#/properties/podMonitor/enabled", + "type": "boolean", + "default": false + }, + "additionalLabels": { + "$id": "#/properties/podMonitor/additionalLabels", + "type": "object", + "default": {"prometheus": "default"}, + "additionalProperties": {"type": "string"} + }, + "interval": { + "$id": "#/properties/podMonitor/interval", + "type": "string", + "default": "30s" + } + } + }, + "priorityClassName": { + "$id": "#/properties/priorityClassName", + "type": "string", + "default": "" + }, + "serviceAccountName": { + "$id": "#/properties/serviceAccountName", + "type": "string", + "default": "" + }, + "secretName": { + "$id": 
"#/properties/secretName", + "type": "string", + "default": "teleport-kube-agent-join-token" + }, + "log": { + "$id": "#/properties/log", + "type": "object", + "required": [ + "output", + "format", + "extraFields" + ], + "properties": { + "level": { + "$id": "#/properties/log/properties/level", + "type": "string", + "enum": [ + "DEBUG", + "INFO", + "WARN", + "WARNING", + "ERROR" + ], + "default": "INFO" + }, + "deployment": { + "$id": "#/properties/log/properties/output", + "type": "string", + "default": {} + }, + "pod": { + "$id": "#/properties/log/properties/format", + "type": "string", + "default": {} + }, + "service": { + "$id": "#/properties/log/properties/extraFields", + "type": "array", + "default": {} + } + } + }, + "affinity": { + "$id": "#/properties/affinity", + "type": "object", + "default": {} + }, + "dnsConfig": { + "$id": "#/properties/dnsConfig", + "type": "object", + "default": {} + }, + "dnsPolicy": { + "$id": "#/properties/dnsPolicy", + "type": "string", + "default": "" + }, + "extraLabels": { + "$id": "#/properties/extraLabels", + "type": "object", + "properties": { + "clusterRole": { + "$id": "#/properties/extraLabels/properties/clusterRole", + "type": "object", + "default": {} + }, + "clusterRoleBinding": { + "$id": "#/properties/extraLabels/properties/clusterRoleBinding", + "type": "object", + "default": {} + }, + "role": { + "$id": "#/properties/extraLabels/properties/role", + "type": "object", + "default": {} + }, + "roleBinding": { + "$id": "#/properties/extraLabels/properties/roleBinding", + "type": "object", + "default": {} + }, + "config": { + "$id": "#/properties/extraLabels/properties/config", + "type": "object", + "default": {} + }, + "deployment": { + "$id": "#/properties/extraLabels/properties/deployment", + "type": "object", + "default": {} + }, + "pod": { + "$id": "#/properties/extraLabels/properties/pod", + "type": "object", + "default": {} + }, + "podDisruptionBudget": { + "$id": 
"#/properties/extraLabels/properties/podDisruptionBudget", + "type": "object", + "default": {} + }, + "podSecurityPolicy": { + "$id": "#/properties/extraLabels/properties/podSecurityPolicy", + "type": "object", + "default": {} + }, + "secret": { + "$id": "#/properties/extraLabels/properties/secret", + "type": "object", + "default": {} + }, + "serviceAccount": { + "$id": "#/properties/extraLabels/properties/serviceAccount", + "type": "object", + "default": {} + } + } + }, + "annotations": { + "$id": "#/properties/annotations", + "type": "object", + "required": [ + "config", + "deployment", + "pod", + "secret", + "serviceAccount" + ], + "properties": { + "config": { + "$id": "#/properties/annotations/properties/config", + "type": "object", + "default": {} + }, + "deployment": { + "$id": "#/properties/annotations/properties/deployment", + "type": "object", + "default": {} + }, + "pod": { + "$id": "#/properties/annotations/properties/pod", + "type": "object", + "default": {} + }, + "secret": { + "$id": "#/properties/annotations/properties/secret", + "type": "object", + "default": {} + }, + "serviceAccount": { + "$id": "#/properties/annotations/properties/serviceAccount", + "type": "object", + "default": {} + } + } + }, + "serviceAccount": { + "$id": "#/properties/serviceAccount", + "type": "object", + "required": [], + "properties": { + "name": { + "$id": "#properties/serviceAccount/name", + "type": "string", + "default": "" + }, + "create": { + "$id": "#properties/serviceAccount/create", + "type": "boolean", + "default": true + } + } + }, + "rbac": { + "$id": "#/properties/rbac", + "type": "object", + "required": [], + "properties": { + "create": { + "$id": "#properties/rbac/create", + "type": "boolean", + "default": true + } + } + }, + "extraArgs": { + "$id": "#/properties/extraArgs", + "type": "array", + "default": [] + }, + "extraEnv": { + "$id": "#/properties/extraEnv", + "type": "array", + "default": [] + }, + "extraVolumes": { + "$id": 
"#/properties/extraVolumes", + "type": "array", + "default": [] + }, + "extraVolumeMounts": { + "$id": "#/properties/extraVolumeMounts", + "type": "array", + "default": [] + }, + "hostAliases": { + "$id": "#/properties/hostAliases", + "type": "array", + "default": [] + }, + "imagePullPolicy": { + "$id": "#/properties/imagePullPolicy", + "type": "string", + "enum": [ + "Never", + "IfNotPresent", + "Always" + ], + "default": "IfNotPresent" + }, + "initContainers": { + "$id": "#/properties/initContainers", + "type": "array", + "default": [] + }, + "resources": { + "$id": "#/properties/resources", + "type": "object", + "default": {} + }, + "tolerations": { + "$id": "#/properties/tolerations", + "type": "array", + "default": [] + }, + "probeTimeoutSeconds": { + "$id": "#/properties/probeTimeoutSeconds", + "type": "integer", + "default": 1 + } + } +} diff --git a/teleport-kube-agent-13.3.8/values.yaml b/teleport-kube-agent-13.3.8/values.yaml new file mode 100644 index 0000000..6c29c85 --- /dev/null +++ b/teleport-kube-agent-13.3.8/values.yaml 
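Review bot: Several constraints in this schema are silent no-ops, so the validation it appears to add does not happen: `additionalProperties: false` sits inside `properties` (for `joinParams`, `apps`, `appResources`, `awsDatabases`, `databaseResources` and the `azureDatabases` items), where JSON Schema reads it as a property literally named "additionalProperties" rather than a constraint, and `apps`, `appResources`, `awsDatabases` and `databaseResources` are `type: array` yet carry `required`/`properties` at the array level instead of under `items`, so an `apps` entry with no `uri` validates. `awsDatabases.regions` and `awsDatabases.tags` are typed `string` with a default of `[]`, contradicting the `regions: ["us-east-1"]` / `tags:` mapping example in values.yaml, and the `log` block names its properties `deployment`/`pod`/`service` while its `required` list asks for `output`/`format`/`extraFields`, leaving the logging keys unconstrained. The security-relevant `updater` (`enabled`, `versionServer`, `releaseChannel`, `image`, `serviceAccount.name`), `adminClusterRoleBinding` and `enterprise` values have no schema entry at all, so a non-boolean `updater.enabled` or a non-URL `versionServer` is accepted silently; `joinParams.method` could likewise be restricted to the `token`/`ec2`/`iam` values that values.yaml documents. I would model the array entries on the existing `azureDatabases` shape and add the missing keys, as sketched below for `apps` and `updater`.
```json
"apps": {
  "$id": "#/properties/apps",
  "type": "array",
  "default": [],
  "items": {
    "type": "object",
    "required": ["name", "uri"],
    "properties": {
      "name": { "$id": "#/properties/apps/name", "type": "string", "default": "" },
      "uri": { "$id": "#/properties/apps/uri", "type": "string", "default": "" }
    },
    "additionalProperties": true
  }
},
"updater": {
  "$id": "#/properties/updater",
  "type": "object",
  "required": ["enabled"],
  "properties": {
    "enabled": { "type": "boolean", "default": false },
    "versionServer": { "type": "string", "format": "uri", "default": "https://updates.releases.teleport.dev/v1/" },
    "releaseChannel": { "type": "string", "default": "stable/cloud" },
    "image": { "type": "string", "default": "public.ecr.aws/gravitational/teleport-kube-agent-updater" },
    "serviceAccount": {
      "type": "object",
      "properties": { "name": { "type": "string", "default": "" } }
    }
  },
  "additionalProperties": false
},
```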
@@ -0,0 +1,452 @@ +################################################################ +# Values that must always be provided by the user. +################################################################ + +# Join token for the cluster. `joinParams` can also pass the join token, +# but supports more join methods and takes precedence if set. +authToken: "" + +# Address of the teleport proxy with port (usually :3080). +proxyAddr: "" +# Comma-separated list of roles to enable (any of: kube,db,app) +roles: "kube" + +################################################################ +# Values that must be provided if IAM or EC2 joining is enabled. +################################################################ + +# Specify how to join the Teleport cluster +joinParams: + # Supported join methods are "token", "ec2", "iam". + # method "token", is equivalent to using authToken to join a cluster + method: "token" + + # Leave empty only when method is "token" and the secret + # "teleport-kube-agent-join-token" has been created before and + # contains a valid join token. + tokenName: "" + +################################################################ +# Values that must be provided if Kubernetes access is enabled. +################################################################ + +# Name for this kubernetes cluster to be used by teleport users. +kubeClusterName: "" + +################################################################ +# Values that must be provided if Application access is enabled. +################################################################ + +# At least one of 'apps', 'appResources' must be provided +# when application access is enabled. See the README for more details. + +# Details of at least one app to be proxied. Example: +# apps: +# - name: grafana +# uri: http://localhost:3000 +apps: [] + +# Dynamic application configuration mode. 
Example: +# appResources: +# - labels: +# "*": "*" +appResources: [] + +################################################################ +# Values that must be provided if Database access is enabled. +################################################################ + +# At least one of 'databases', 'awsDatabases', 'azureDatabases', or 'databaseResources' must be provided +# when database access is enabled. See the README for more details. + +# Database auto-discovery mode (AWS) +# Details of at least one awsDatabase discovery pattern to be discovered +# and proxied. Example: +# awsDatabases: +# - types: ["rds"] +# regions: ["us-east-1"] +# tags: +# "environment": "production" +awsDatabases: [] + +# Database auto-discovery mode (Azure) +# Details of at least one azureDatabase discovery pattern to be discovered +# and proxied. Example: +# azureDatabases: +# - types: ["mysql", "postgres"] +# tags: +# "environment": "production" +# regions: ["eastus", "centralus"] +# subscriptions: ["subID1", "subID2"] +# resource_groups: ["group1", "group2"] +# Note that regions, subscriptions, and resource_groups are optional, and by default +# the pattern for these selectors is ["*"] which will match all regions, subscriptions, or resource groups. +azureDatabases: [] + +# Manual database configuration mode +# Details of at least one database to be proxied. Example: +# databases: +# - name: aurora +# uri: "postgres-aurora-instance-1.xxx.us-east-1.rds.amazonaws.com:5432" +# protocol: "postgres" +# static_labels: +# env: "prod" +databases: [] + +# Dynamic database configuration mode. Example: +# databaseResources: +# - labels: +# "*": "*" +databaseResources: [] + +################################################################ +# Values that you may need to change. +################################################################ + +# Version of teleport image, if different from chart version in Chart.yaml. 
+# DANGER: `teleportVersionOverride` MUST NOT be used to control the Teleport version. +# This chart is designed to run a specific teleport version (see Chart.yaml). +# You will face compatibility issues trying to run a different Teleport version with it. +# +# If you want to run Teleport version X, you should use `helm --version X` instead. +teleportVersionOverride: "" + +# Optional CA pins of the auth server. This enables a more secure way of +# adding new nodes to a cluster. See "Adding Nodes to the Cluster" +# (https://goteleport.com/docs/admin-guide/#adding-nodes-to-the-cluster). +# Each list element can be the pin itself (recommended), or a path to a file +# containing the pin. For the latter it is your responsibility to mount +# the file, using extraVolumes. +caPin: [] + +# When set to true, the agent will skip the verification of proxy TLS +# certificate. +insecureSkipProxyTLSVerify: false + +# Set enterprise to true to use enterprise image. +enterprise: false + +# teleportConfig contains additional teleport configuration +# The configuration will be merged with the chart-generated configuration +# and will take precedence in case of conflict +teleportConfig: {} + +# Settings for mounting your own TLS material in the agent pod. +# The agent does not expose a TLS server, so this is only used to trust CAs. +tls: + # Name of an existing secret to use which contains a CA or trust bundle in x509 PEM format. + # This is useful to trust private CAs. + # This will automatically set the SSL_CERT_FILE environment variable to trust the CA. + # Create the secret with `kubectl create secret generic --from-file=ca.pem=/path/to/root-ca.pem` + # The filename inside the secret is important - it _must_ be ca.pem + existingCASecretName: "" + +updater: + enabled: false + # `updater.versionServer` is the URL of the version server the agent fetches + # the target version from. The complete version endpoint is built by + # concatenating `versionServer` and `releaseChannel`. 
+ versionServer: "https://updates.releases.teleport.dev/v1/" + # Release channel the agent subscribes to. + releaseChannel: "stable/cloud" + image: public.ecr.aws/gravitational/teleport-kube-agent-updater + serviceAccount: + # service account name defaults to "-updater" + name: "" + +# If set, will use an existing volume mounted via extraVolumes +# as the Teleport data directory. +# If anything is set under the "storage" key, this will be ignored. +existingDataVolume: "" + +# If true, create & use Pod Security Policy resources +# https://kubernetes.io/docs/concepts/policy/pod-security-policy/ +# WARNING: the PSP won't be deployed for Kubernetes 1.23 and higher. +# Please read https://goteleport.com/docs/deploy-a-cluster/helm-deployments/migration-kubernetes-1-25-psp/ +podSecurityPolicy: + enabled: true + +# Labels is a map of key values pairs about this cluster +labels: {} + +# Settings for high availability. +highAvailability: + # Set to >1 for a high availability mode where multiple Teleport agent pods will be deployed. + replicaCount: 1 + # Setting 'requireAntiAffinity' to true will use 'requiredDuringSchedulingIgnoredDuringExecution' to require that multiple Teleport pods must not be scheduled on the + # same physical host. This will result in Teleport pods failing to be scheduled in very small clusters or during node downtime, so should be used with caution. + # Setting 'requireAntiAffinity' to false (the default) uses 'preferredDuringSchedulingIgnoredDuringExecution' to make this a soft requirement. + # This setting only has any effect when replicaCount is greater than 1. + requireAntiAffinity: false + # If enabled will create a Pod Disruption Budget + # https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + podDisruptionBudget: + enabled: false + minAvailable: 1 + +# podMonitor controls the PodMonitor CR (from monitoring.coreos.com/v1) +# This CRD is managed by the prometheus-operator and allows workload to +# get monitored. 
To use this value, you need to run a `prometheus-operator` +# in the cluster for this value to take effect. +# See https://prometheus-operator.dev/docs/prologue/introduction/ +podMonitor: + # Whether the chart should deploy a PodMonitor. + # Disabled by default as it requires the PodMonitor CRD to be installed. + enabled: false + # additionalLabels to put on the PodMonitor. + # This is used to be selected by a specific prometheus instance. + additionalLabels: {} + # interval is the interval between two metrics scrapes. Defaults to 30s + interval: 30s + +################################################################ +# Values that must be provided if using persistent storage for Teleport. +# +# Assigning a persistent volume to Teleport agent allows the agent to keep session recordings when the pod is restarted if `session_recording` is set to `node` or `proxy`. +# The security association between the agent and the Teleport is no longer stored in PV, instead it is stored in a Kubernetes Secret so that the agent does not require PV +# to survive restarts and rotations while using short-lived joining tokens. +# +# Fields: +# enabled: Set to true to enable the use of Persistent volumes. +# storageClassName: The name of the kubernetes storage class to use when creating volumes. See https://kubernetes.io/docs/concepts/storage/storage-classes/ +# requests: The size of the volume to request from the persistent storage system +################################################################ +storage: + enabled: false + storageClassName: "" + requests: 128Mi + +# Settings for configuring an cluster admin role binding. +# This is useful for granting cluster admin permissions to a Kubernetes Group +# other than the default "system:masters" group. +# GKE Autopilot clusters forbid using the "system:masters" group for impersonation +# and require a custom group to be used instead. 
+adminClusterRoleBinding: + create: false + name: "cluster-admin" + +################################################################ +# Values that you shouldn't need to change. +################################################################ + +# Container image for the cluster. +# Since version 13, hardened distroless images are used by default. +# You can use the deprecated debian-based images by setting the value to +# `public.ecr.aws/gravitational/teleport`. Those images will be +# removed with teleport 14. +image: public.ecr.aws/gravitational/teleport-distroless +# Enterprise version of the image +# Since version 13, hardened distroless images are used by default. +# You can use the deprecated debian-based images by setting the value to +# `public.ecr.aws/gravitational/teleport-ent`. Those images will be +# removed with teleport 14. +enterpriseImage: public.ecr.aws/gravitational/teleport-ent-distroless +# Optional array of imagePullSecrets, to use when pulling from a private registry +imagePullSecrets: [] +# - name: myRegistryKeySecretName +# Number of replicas for the agent deployment. +# DEPRECATED Use highAvailability:replicaCount instead +# replicaCount: 1 +# (optional) Override the name of the ClusterRole used by the agent's service account. +clusterRoleName: "" +# (optional) Override the name of the ClusterRoleBinding used by the agent's service account. +clusterRoleBindingName: "" +# (optional) Override the name of the Role used by the agent's service account for Secret access. +roleName: "" +# (optional) Override the name of the RoleBinding used by the agent's service account. +roleBindingName: "" +# (optional) Override the name of the service account used by the agent. +# DEPRECATED Use serviceAccount:name instead +serviceAccountName: "" +# (optional) Kubernetes service account to create/use. +serviceAccount: + # Specifies whether a ServiceAccount should be created + create: true + # The name of the ServiceAccount to use. 
+ # If not set and serviceAccount.create is true, the name is generated using the release name. + # If create is false, the name will be used to reference an existing service account. + name: "" + +# Set to true (default) to create Kubernetes ClusterRole and ClusterRoleBinding. +rbac: + # Specifies whether a ClusterRole and ClusterRoleBinding should be created. + # Set to false if your cluster level resources are managed separately. + create: true + +# Name of the Secret to store the teleport join token. +# DEPRECATED Use joinTokenSecret.name instead +secretName: "" + +# Manages the join token secret creation and its name. +joinTokenSecret: + # create controls whether the Helm chart should create and manage the join token + # secret. + # If false, the chart assumes that the secret with the configured name already exists at the + # installation namespace. + create: true + # Name of the Secret to store the teleport join token. + name: teleport-kube-agent-join-token + +# Teleport logging configuration +log: + # Log level for the Teleport process. + # Available log levels are: DEBUG, INFO, WARNING, ERROR. + # The default is INFO, which is recommended in production. + # DEBUG is useful during first-time setup or to see more detailed logs for debugging. + level: INFO + # Log output + # Use a file path to log to disk: e.g. '/var/lib/teleport/teleport.log' + # Other supported values: 'stdout', 'stderr' and 'syslog' + output: stderr + # Log format configuration + # Possible output values are 'json' and 'text' (default). + format: text + # Possible extra_fields values include: timestamp, component, caller, and level. + # All extra fields are included by default. 
+ extraFields: ["timestamp", "level", "component", "caller"] + +################################## +# Extra Kubernetes configuration # +################################## + +# Affinity for pod assignment +# https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +affinity: {} + +# Pod's DNS Configuration +# https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config +# This value is useful if you need to reduce the DNS load: set "ndots" to 0 and only use FQDNs. +dnsConfig: {} +# nameservers: +# - 1.2.3.4 +# searches: +# - ns1.svc.cluster-domain.example +# - my.dns.search.suffix +# options: +# - name: ndots +# value: "2" + +# Pod's DNS Policy +# https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy +dnsPolicy: "" + +# nodeSelector to apply for pod assignment +# https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ +nodeSelector: {} + +# Kubernetes labels to apply +# https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ +extraLabels: + # Labels for the Cluster Role + clusterRole: {} + # Labels for the Cluster Role Binding + clusterRoleBinding: {} + # Labels for the Role + role: {} + # Labels for the Role Binding + roleBinding: {} + # Labels for the ConfigMap + config: {} + # Labels for the Deployment/StatefulSet + deployment: {} + # Labels for each Pod in the Deployment/StatefulSet + pod: {} + # Labels for the Pod Disruption Budget (ignored when disabled) + podDisruptionBudget: {} + # Labels for the Pod Security Policy (ignored when disabled) + podSecurityPolicy: {} + # Labels for the Secret (ignored when disabled) + secret: {} + # Labels for the ServiceAccount object + serviceAccount: {} + +# Kubernetes annotations to apply +# https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ +annotations: + # Annotations for the ConfigMap + config: {} + # Annotations for the Deployment + deployment: {} + # 
Annotations for each Pod in the Deployment + pod: {} + # Annotations for the Secret (has no effect when `joinTokenSecret.create` is false) + secret: {} + # Annotations for the ServiceAccount object + serviceAccount: {} + +# Extra arguments to pass to 'teleport start' for the main Teleport pod +extraArgs: [] + +# Extra environment to be configured on the Teleport pod +extraEnv: [] + +# Extra volumes to mount into the Teleport pods +# https://kubernetes.io/docs/concepts/storage/volumes/ +extraVolumes: [] +# - name: myvolume +# secret: +# secretName: testSecret + +# Extra volume mounts corresponding to the volumes mounted above +extraVolumeMounts: [] +# - name: myvolume +# mountPath: /path/on/host + +# Pod Host aliases (see https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/) +hostAliases: [] +# - ip: "127.0.0.1" +# hostnames: +# - "foo.local" +# - "bar.local" +# - ip: "10.1.2.3" +# hostnames: +# - "foo.remote" +# - "bar.remote" + +# Allow the imagePullPolicy to be overridden +imagePullPolicy: IfNotPresent + +# A list of initContainers to run before each Teleport pod starts +# https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ +initContainers: [] +# - name: "teleport-init" +# image: "alpine" +# args: ["echo test"] + +# Resources to request for each pod in the deployment +# https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +resources: {} +# requests: +# cpu: "1" +# memory: "2Gi" + +# Security context to add to the initContainer +initSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + +# Security context to add to other containers +securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + +# Priority class name to add to the deployment +priorityClassName: "" + +# Tolerations for pod assignment +# 
https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+tolerations: []
+
+# Timeouts for the readiness and liveness probes
+# https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
+probeTimeoutSeconds: 1
diff --git a/teleport-kube-agent/.lint/all-v6.yaml b/teleport-kube-agent/.lint/all-v6.yaml
index 7b8f28b..09ce83d 100644
--- a/teleport-kube-agent/.lint/all-v6.yaml
+++ b/teleport-kube-agent/.lint/all-v6.yaml
@@ -1,6 +1,6 @@
 authToken: auth-token
 proxyAddr: proxy.example.com:3080
-roles: kube,app,db
+roles: kube,app,db,jamf
 kubeClusterName: test-kube-cluster-name
 labels:
 cluster: testing
@@ -15,6 +15,9 @@ databases:
 protocol: "postgres"
 labels:
 database: staging
+jamfApiEndpoint: "testjamf.jamfcloud.com/api"
+jamfClientId: teleport-jamf-client-id
+jamfClientSecret: secret-jamf-client-secret
 annotations:
 config:
 kubernetes.io/config: "test-annotation"
diff --git a/teleport-kube-agent/.lint/app-discovery-full.yaml b/teleport-kube-agent/.lint/app-discovery-full.yaml
new file mode 100644
index 0000000..7202a28
--- /dev/null
+++ b/teleport-kube-agent/.lint/app-discovery-full.yaml
@@ -0,0 +1,11 @@
+roles: app,discovery
+proxyAddr: teleport.example.com
+kubeClusterName: example
+apps:
+ - name: test
+ uri: https://console.aws.amazon.com/ec2/v2/home
+ labels:
+ env: test
+appResources:
+ - labels:
+ "*": "*"
diff --git a/teleport-kube-agent/.lint/app-discovery-minimal.yaml b/teleport-kube-agent/.lint/app-discovery-minimal.yaml
new file mode 100644
index 0000000..13305a7
--- /dev/null
+++ b/teleport-kube-agent/.lint/app-discovery-minimal.yaml
@@ -0,0 +1,4 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: kube,app,discovery
+kubeClusterName: test-kube-cluster
diff --git a/teleport-kube-agent/.lint/extra-containers.yaml b/teleport-kube-agent/.lint/extra-containers.yaml
new file mode 100644
index 0000000..7d7dd36
--- /dev/null
+++ b/teleport-kube-agent/.lint/extra-containers.yaml
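Review bot: The fixture's `jamfApiEndpoint: "testjamf.jamfcloud.com/api"` carries no URL scheme, while the new `jamf-service.yaml` and `jamf-service-existing-secret.yaml` fixtures in this same patch use `https://testjamf.jamfcloud.com/api`. `_config.tpl` passes the value through unchanged to `api_endpoint`, so the lint inputs should agree on the form Teleport expects; `jamfApiEndpoint: "https://testjamf.jamfcloud.com/api"` keeps the three fixtures consistent.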
@@ -0,0 +1,15 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: kube
+kubeClusterName: test-kube-cluster
+extraContainers:
+ - name: nscenter
+ command:
+ - /bin/bash
+ - -c
+ - sleep infinity & wait
+ image: praqma/network-multitool
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ privileged: true
+ runAsNonRoot: false
diff --git a/teleport-kube-agent/.lint/extra-labels.yaml b/teleport-kube-agent/.lint/extra-labels.yaml
index 293e8b3..edcbde5 100644
--- a/teleport-kube-agent/.lint/extra-labels.yaml
+++ b/teleport-kube-agent/.lint/extra-labels.yaml
@@ -20,6 +20,9 @@ extraLabels:
 deployment:
 app.kubernetes.io/name: "teleport-kube-agent"
 resource: "deployment"
+ job:
+ app.kubernetes.io/name: "teleport-kube-agent"
+ resource: "job"
 pod:
 app.kubernetes.io/name: "teleport-kube-agent"
 resource: "pod"
diff --git a/teleport-kube-agent/.lint/jamf-service-existing-secret.yaml b/teleport-kube-agent/.lint/jamf-service-existing-secret.yaml
new file mode 100644
index 0000000..bcc353c
--- /dev/null
+++ b/teleport-kube-agent/.lint/jamf-service-existing-secret.yaml
@@ -0,0 +1,8 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: jamf
+jamfApiEndpoint: "https://testjamf.jamfcloud.com/api"
+jamfClientId: teleport-jamf-client-id
+jamfCredentialsSecret:
+ create: false
+ name: existing-teleport-jamf-secret
diff --git a/teleport-kube-agent/.lint/jamf-service.yaml b/teleport-kube-agent/.lint/jamf-service.yaml
new file mode 100644
index 0000000..bdb4f83
--- /dev/null
+++ b/teleport-kube-agent/.lint/jamf-service.yaml
@@ -0,0 +1,6 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+roles: jamf
+jamfApiEndpoint: "https://testjamf.jamfcloud.com/api"
+jamfClientId: teleport-jamf-client-id
+jamfClientSecret: secret-jamf-client-secret
diff --git a/teleport-kube-agent/.lint/updater-secret-docker.yaml b/teleport-kube-agent/.lint/updater-secret-docker.yaml
new file mode 100644
index 0000000..9dc3e7f
--- /dev/null
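Review bot: The `extraContainers` fixture's sidecar sets `privileged: true` and `runAsNonRoot: false`, the inverse of the chart's own container defaults, and nothing in the file marks it as a lint-only input. `.lint` files tend to be copied as examples, so a leading comment such as `# Lint fixture: exercises extraContainers passthrough; not a recommended securityContext.` would make the intent explicit. Whether the chart applies any of its defaults to `extraContainers` is not decided here; the deployment and statefulset hunks later in this patch appear to splice the list in verbatim with `toYaml`.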
+++ b/teleport-kube-agent/.lint/updater-secret-docker.yaml @@ -0,0 +1,23 @@ +proxyAddr: proxy.example.com:3080 +roles: "custom" +updater: + enabled: true + versionServer: https://my-custom-version-server/v1 + releaseChannel: custom/preview + pullCredentials: docker + extraEnv: + - name: DOCKER_CONFIG + value: /mnt/docker/ + extraVolumes: + - name: docker-config + projected: + sources: + - secret: + name: my-pull-secret + items: + - key: .dockerconfigjson + path: config.json + extraVolumeMounts: + - name: docker-config + mountPath: "/mnt/docker" + readOnly: true diff --git a/teleport-kube-agent/Chart.yaml b/teleport-kube-agent/Chart.yaml index c559b3e..b3e2c93 100644 --- a/teleport-kube-agent/Chart.yaml +++ b/teleport-kube-agent/Chart.yaml @@ -1,9 +1,9 @@ apiVersion: v2 -appVersion: 13.3.8 +appVersion: 16.1.7 description: Teleport provides a secure SSH, Kubernetes, database and application remote access solution that doesn't get in the way. -icon: https://goteleport.com/images/logos/logo-teleport-square.svg +icon: https://goteleport.com/static/teleport-symbol-bimi.svg keywords: - Teleport name: teleport-kube-agent -version: 13.3.8 +version: 16.1.7 diff --git a/teleport-kube-agent/README.md b/teleport-kube-agent/README.md index 903398c..16b0be2 100644 --- a/teleport-kube-agent/README.md +++ b/teleport-kube-agent/README.md @@ -5,6 +5,8 @@ with an existing Teleport cluster: - Teleport Kubernetes access - Teleport Application access - Teleport Database access +- Teleport Kubernetes App Discovery +- Teleport Jamf service To use it, you will need: - an existing Teleport cluster (at least proxy and auth services) 
@@ -22,7 +24,7 @@ To use it, you will need: ## Combining roles -You can combine multiple roles as a comma-separated list: `--set roles=kube\,db\,app` +You can combine multiple roles as a comma-separated list: `--set roles=kube\,db\,app\,discovery` Note that commas must be escaped if the values are provided on the command line. This is due to the way that Helm parses arguments. 
@@ -132,14 +134,14 @@ Set the values in the above command as appropriate for your setup. These are the supported values for the `apps` map: -| Key | Description | Example | Default | Required | -| --- | --- | --- | --- | --- | -| `name` | Name of the app to be accessed | `apps[0].name=grafana` | | Yes | -| `uri` | URI of the app to be accessed | `apps[0].uri=http://localhost:3000` | | Yes | -| `public_addr` | Public address used to access the app | `apps[0].public_addr=grafana.teleport.example.com` | | No | -| `labels.[name]` | Key-value pairs to set against the app for grouping/RBAC | `apps[0].labels.env=local,apps[0].labels.region=us-west-1` | | No | -| `insecure_skip_verify` | Whether to skip validation of TLS certificates presented by backend apps | `apps[0].insecure_skip_verify=true` | `false` | No | -| `rewrite.redirect` | A list of URLs to rewrite to the public address of the app service | `apps[0].rewrite.redirect[0]=https://192.168.1.1` | | No +| Key | Description | Example | Default | Required | +| ---------------------- | ------------------------------------------------------------------------ | ---------------------------------------------------------- | ------- | -------- | +| `name` | Name of the app to be accessed | `apps[0].name=grafana` | | Yes | +| `uri` | URI of the app to be accessed | `apps[0].uri=http://localhost:3000` | | Yes | +| `public_addr` | Public address used to access the app | `apps[0].public_addr=grafana.teleport.example.com` | | No | +| `labels.[name]` | Key-value pairs to set against the app for grouping/RBAC | `apps[0].labels.env=local,apps[0].labels.region=us-west-1` | | No | +| `insecure_skip_verify` | Whether to skip validation of TLS certificates presented by backend apps | `apps[0].insecure_skip_verify=true` | `false` | No | +| `rewrite.redirect` | A list of URLs to rewrite to the public address of the app service | `apps[0].rewrite.redirect[0]=https://192.168.1.1` | | No | You can add multiple apps using `apps[1].name`, 
`apps[1].uri`, `apps[2].name`, `apps[2].uri` etc. 
@@ -218,20 +220,98 @@ Set the values in the above command as appropriate for your setup. These are the supported values for the `databases` map: -| Key | Description | Example | Default | Required | -| --- | --- | --- | --- | --- | -| `name` | Name of the database to be accessed | `databases[0].name=aurora` | | Yes | -| `uri` | URI of the database to be accessed | `databases[0].uri=postgres-aurora-instance-1.xxx.us-east-1.rds.amazonaws.com:5432` | | Yes | -| `protocol` | Database protocol | `databases[0].protocol=postgres` | | Yes | -| `description` | Free-form description of the database proxy instance | `databases[0].description='AWS Aurora instance of PostgreSQL 13.0'` | | No | -| `aws.region` | AWS-specific region configuration (only used for RDS/Aurora) | `databases[0].aws.region=us-east-1` | | No | -| `labels.[name]` | Key-value pairs to set against the database for grouping/RBAC | `databases[0].labels.db=postgres-dev,apps[0].labels.region=us-east-1` | | No | +| Key | Description | Example | Default | Required | +| --------------- | ------------------------------------------------------------- | ---------------------------------------------------------------------------------- | ------- | -------- | +| `name` | Name of the database to be accessed | `databases[0].name=aurora` | | Yes | +| `uri` | URI of the database to be accessed | `databases[0].uri=postgres-aurora-instance-1.xxx.us-east-1.rds.amazonaws.com:5432` | | Yes | +| `protocol` | Database protocol | `databases[0].protocol=postgres` | | Yes | +| `description` | Free-form description of the database proxy instance | `databases[0].description='AWS Aurora instance of PostgreSQL 13.0'` | | No | +| `aws.region` | AWS-specific region configuration (only used for RDS/Aurora) | `databases[0].aws.region=us-east-1` | | No | +| `labels.[name]` | Key-value pairs to set against the database for grouping/RBAC | `databases[0].labels.db=postgres-dev,apps[0].labels.region=us-east-1` | | No | You can add multiple 
databases using `databases[1].name`, `databases[1].uri`, `databases[1].protocol`, `databases[2].name`, `databases[2].uri`, `databases[2].protocol` etc. After installing, the new database should show up in `tsh db ls` after a few minutes. +## Kubernetes App Discovery + +Teleport can be used to automatically discover apps based on services found in the Kubernetes cluster. +To run Teleport discovery you will need to enabled roles `discovery` and `app` and also provide token that allows access for these roles. + +To install the agent, run: + +```sh +$ helm install teleport-kube-agent . \ + --create-namespace \ + --namespace teleport \ + --set roles=kube,app,discovery \ + --set proxyAddr=${PROXY_ENDPOINT?} \ + --set authToken=${JOIN_TOKEN?} +``` + +With default settings Teleport will try to discovery all apps available in the cluster. To control what namespaces and what service labels +to use for discovery you can use `kubernetesDiscovery` property of the chart. + +When discovery is running, `kubeClusterName` should be set in values, since it is used as a name for discovery field and as a target label +for the app service, so it can expose discovered apps. + +## Jamf service + +To use [Teleport Jamf service](https://goteleport.com/docs/access-controls/device-trust/jamf-integration/), +you will also need: +- provide your Jamf Pro API endpoint +- provide your Jamf Pro API credentials + +To install the agent with Jamf API credentials, run: + +```sh +$ helm install teleport-kube-agent . \ + --create-namespace \ + --namespace teleport \ + --set roles=jamf \ + --set proxyAddr=${PROXY_ENDPOINT?} \ + --set authToken=${JOIN_TOKEN?} \ + --set jamfApiEndpoint=${JAMF_API_ENDPOINT?} \ + --set jamfClientId=${JAMF_CLIENT_ID?} \ + --set jamfClientSecret=${JAMF_CLIENT_SECRET?} +``` + +Set the values in the above command as appropriate for your setup. + +The Helm chart will install Secrets by default. 
To avoid specifying the Jamf API credentials in plain text, it's possible to create a secret containing the password beforehand. To do so, run: + +```sh +export JAMF_CLIENT_SECRET=` | base64 -w0` +export JAMF_SECRET_NAME=teleport-jamf-api-credentials +export TELEPORT_NAMESPACE=teleport + +cat < secrets.yaml +--- +apiVersion: v1 +kind: Secret +metadata: + name: ${JAMF_SECRET_NAME} + namespace: ${TELEPORT_NAMESPACE?} +type: Opaque +data: + jamfSecret: ${JAMF_CLIENT_SECRET?} +EOF + +$ kubectl apply -f secret.yaml + +$ helm install teleport-kube-agent . \ + --create-namespace \ + --namespace ${TELEPORT_NAMESPACE?} \ + --set roles=jamf \ + --set proxyAddr=${PROXY_ENDPOINT?} \ + --set authToken=${JOIN_TOKEN?} \ + --set jamfApiEndpoint=${JAMF_API_ENDPOINT?} \ + --set jamfClientId=${JAMF_CLIENT_ID?} \ + --set jamfCredentialsSecret.name=${JAMF_SECRET_NAME?} \ + --set jamfCredentialsSecret.create=false +``` + ## Troubleshooting If the service for a given role doesn't show up, look into the agent logs with: diff --git a/teleport-kube-agent/templates/NOTES.txt b/teleport-kube-agent/templates/NOTES.txt index 9a35a1e..435acf9 100644 --- a/teleport-kube-agent/templates/NOTES.txt +++ b/teleport-kube-agent/templates/NOTES.txt @@ -36,7 +36,7 @@ To do so, you can use the following Teleport Role resource: kind: role metadata: name: gke-kube-access - version: v6 + version: v7 spec: allow: kubernetes_labels: diff --git a/teleport-kube-agent/templates/_config.tpl b/teleport-kube-agent/templates/_config.tpl index 7d34788..adb708d 100644 --- a/teleport-kube-agent/templates/_config.tpl +++ b/teleport-kube-agent/templates/_config.tpl 
@@ -1,5 +1,8 @@ {{- define "teleport-kube-agent.config" -}} {{- $logLevel := (coalesce .Values.logLevel .Values.log.level "INFO") -}} +{{- $appRolePresent := contains "app" (.Values.roles | toString) -}} +{{- $discoveryEnabled := contains "discovery" (.Values.roles | toString) -}} +{{- $appDiscoveryEnabled := and ($appRolePresent) ($discoveryEnabled) -}} {{- if (ge (include "teleport-kube-agent.version" . | semver).Major 11) }} version: v3 {{- end }} @@ -13,7 +16,7 @@ teleport: auth_servers: ["{{ required "proxyAddr is required in chart values" .Values.proxyAddr }}"] {{- end }} {{- if .Values.caPin }} - ca_pin: {{- toYaml .Values.caPin | nindent 8 }} + ca_pin: {{- toYaml .Values.caPin | nindent 4 }} {{- end }} log: severity: {{ $logLevel }} 
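Review bot: `$appRolePresent` and `$discoveryEnabled` are computed with `contains` on the comma-joined `roles` string, which is a substring test rather than a membership test, so any future role name that embeds `app` or `discovery` would flip these flags for every service that now keys off them. Since the checks are hoisted into variables they are the single place to make it exact: `{{- $roleList := splitList "," (.Values.roles | toString) -}}` followed by `{{- $appRolePresent := has "app" $roleList -}}` and the same for `discovery`. The removed inline check used the identical substring pattern, so this is a pre-existing weakness the refactor makes cheap to close.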
@@ -27,18 +30,22 @@ kubernetes_service: enabled: true kube_cluster_name: {{ required "kubeClusterName is required in chart values when kube role is enabled, see README" .Values.kubeClusterName }} {{- if .Values.labels }} - labels: {{- toYaml .Values.labels | nindent 8 }} + labels: {{- toYaml .Values.labels | nindent 4 }} {{- end }} {{- else }} enabled: false {{- end }} +{{- if and (or (.Values.apps) (.Values.appResources)) (not ($appRolePresent)) }} + {{- fail "app role should be enabled if one of 'apps' or 'appResources' is set, see README" }} +{{- end }} + app_service: - {{- if contains "app" (.Values.roles | toString) }} + {{- if $appRolePresent }} + {{- if not (or (.Values.apps) (.Values.appResources) ($appDiscoveryEnabled)) }} + {{- fail "app service is enabled, but no application source is enabled. You must either statically define apps through `apps`, dynamically through `appResources`, or enable in-cluster discovery." }} + {{- end }} enabled: true - {{- if not (or (.Values.apps) (.Values.appResources)) }} - {{- fail "at least one of 'apps' and 'appResources' is required in chart values when app role is enabled, see README" }} - {{- end }} {{- if .Values.apps }} {{- range $app := .Values.apps }} {{- if not (hasKey $app "name") }} @@ -49,12 +56,17 @@ app_service: {{- end }} {{- end }} apps: - {{- toYaml .Values.apps | nindent 8 }} - {{- end }} - {{- if .Values.appResources }} + {{- toYaml .Values.apps | nindent 4 }} + {{- end }} resources: - {{- toYaml .Values.appResources | nindent 8 }} - {{- end }} + {{- if .Values.appResources }} + {{- toYaml .Values.appResources | nindent 4 }} + {{- end }} + {{- if $appDiscoveryEnabled }} + - labels: + "teleport.dev/kubernetes-cluster": "{{ required "kubeClusterName is required in chart values when kube or discovery role is enabled, see README" .Values.kubeClusterName }}" + "teleport.dev/origin": "discovery-kubernetes" + {{- end }} {{- else }} enabled: false {{- end }} 
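Review bot: `resources:` under `app_service` is now emitted unconditionally whenever the app role is present, so a release that only sets static `apps` renders `resources:` with a null value where the previous code omitted the key; guarding it with `{{- if or .Values.appResources $appDiscoveryEnabled }}` restores the old output for that case unless Teleport is known to accept a null list there. Separately, the discovery selector wraps `kubeClusterName` in literal double quotes, so a cluster name containing `"` produces invalid YAML; `"teleport.dev/kubernetes-cluster": {{ required "kubeClusterName is required in chart values when kube or discovery role is enabled, see README" .Values.kubeClusterName | quote }}` without the surrounding quotes handles that, and the unquoted `discovery_group:` line in the later `discovery_service` hunk has the same exposure.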
@@ -78,11 +90,11 @@ db_service: {{- fail "'tags' is required for all 'awsDatabases' in chart values when key is set and db role is enabled, see README" }} {{- end }} {{- end }} - {{- toYaml .Values.awsDatabases | nindent 6 }} + {{- toYaml .Values.awsDatabases | nindent 4 }} {{- end }} {{- if .Values.azureDatabases }} azure: - {{- toYaml .Values.azureDatabases | nindent 6 }} + {{- toYaml .Values.azureDatabases | nindent 4 }} {{- end}} {{- if .Values.databases }} databases: @@ -97,16 +109,35 @@ db_service: {{- fail "'protocol' is required for all 'databases' in chart values when db role is enabled, see README" }} {{- end }} {{- end }} - {{- toYaml .Values.databases | nindent 6 }} + {{- toYaml .Values.databases | nindent 4 }} {{- end }} {{- if .Values.databaseResources }} resources: - {{- toYaml .Values.databaseResources | nindent 6 }} + {{- toYaml .Values.databaseResources | nindent 4 }} {{- end }} {{- else }} enabled: false {{- end }} +discovery_service: +{{- if $discoveryEnabled }} + enabled: true + discovery_group: {{ required "kubeClusterName is required in chart values when kube or discovery role is enabled, see README" .Values.kubeClusterName }} + kubernetes: {{- toYaml .Values.kubernetesDiscovery | nindent 4 }} +{{- else }} + enabled: false +{{- end }} + +jamf_service: + {{- if contains "jamf" (.Values.roles | toString) }} + enabled: true + api_endpoint: {{ required "jamfApiEndpoint is required in chart values when jamf role is enabled, see README" .Values.jamfApiEndpoint }} + client_id: {{ required "jamfClientId is required in chart values when jamf role is enabled, see README" .Values.jamfClientId }} + client_secret_file: "/etc/teleport-jamf-api-credentials/credential" + {{- else }} + enabled: false + {{- end }} + auth_service: enabled: false ssh_service: diff --git a/teleport-kube-agent/templates/_helpers.tpl b/teleport-kube-agent/templates/_helpers.tpl index 8827f34..3e00e27 100644 --- a/teleport-kube-agent/templates/_helpers.tpl 
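Review bot: The new `jamf_service` block renders `api_endpoint:` and `client_id:` as plain scalars straight from values, so a value containing `: ` or ` #`, or one starting with a YAML indicator, changes the parsed configuration rather than failing loudly; `api_endpoint: {{ required "jamfApiEndpoint is required in chart values when jamf role is enabled, see README" .Values.jamfApiEndpoint | quote }}` (and the same for `client_id`) is the safe form. On style, `discovery_service` places its `{{- if` / `{{- else }}` / `{{- end }}` at column 0 while `jamf_service` indents them like the surrounding `db_service` block; one convention should be used. `kubernetes: {{- toYaml .Values.kubernetesDiscovery | nindent 4 }}` renders `null` when that value is unset, and the updated values.yaml is not in this chunk, so confirm it declares a default for `kubernetesDiscovery`.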
+++ b/teleport-kube-agent/templates/_helpers.tpl @@ -22,7 +22,11 @@ Create the name of the service account to use for the post-delete hook if serviceAccount is not defined or serviceAccount.name is empty, use .Release.Name-delete-hook */}} {{- define "teleport-kube-agent.deleteHookServiceAccountName" -}} -{{- coalesce .Values.serviceAccount.name .Values.serviceAccountName (printf "%s-delete-hook" .Release.Name) -}} +{{- if .Values.serviceAccount.create -}} +{{- printf "%s-delete-hook" (include "teleport-kube-agent.serviceAccountName" . ) -}} +{{- else -}} +{{- (include "teleport-kube-agent.serviceAccountName" . ) -}} +{{- end -}} {{- end -}} {{- define "teleport-kube-agent.version" -}} diff --git a/teleport-kube-agent/templates/clusterrole.yaml b/teleport-kube-agent/templates/clusterrole.yaml index c6f3c73..b987fab 100644 --- a/teleport-kube-agent/templates/clusterrole.yaml +++ b/teleport-kube-agent/templates/clusterrole.yaml @@ -16,6 +16,14 @@ rules: - serviceaccounts verbs: - impersonate +{{- if contains "discovery" (.Values.roles | toString) }} +- apiGroups: + - "" + resources: + - services + verbs: + - list +{{- end}} - apiGroups: - "" resources: diff --git a/teleport-kube-agent/templates/delete_hook.yaml b/teleport-kube-agent/templates/delete_hook.yaml index 0b8cd06..3690ae7 100644 --- a/teleport-kube-agent/templates/delete_hook.yaml +++ b/teleport-kube-agent/templates/delete_hook.yaml @@ -8,6 +8,10 @@ metadata: "helm.sh/hook": post-delete "helm.sh/hook-weight": "-4" "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +{{- if .Values.extraLabels.serviceAccount }} + labels: + {{- toYaml .Values.extraLabels.serviceAccount | nindent 4 }} +{{- end }} --- {{- end }} {{- if .Values.rbac.create }} 
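Review bot: With `serviceAccount.create: false`, `teleport-kube-agent.deleteHookServiceAccountName` now resolves to the user-supplied ServiceAccount, and the post-delete RoleBinding in delete_hook.yaml (its `subjects` hunk at line 198) binds the hook Role's `secrets` permissions to that account while the hook exists. That looks deliberate, but nothing in the values documentation visible here says a pre-existing account will also run the uninstall Job; a comment on `serviceAccount.name` such as `# When create is false this account also runs the post-delete cleanup Job and is bound to its Role.` would make the extra grant visible to operators. The `teleport-kube-agent.serviceAccountName` helper this calls is outside the hunk.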
@@ -20,6 +24,10 @@ metadata: "helm.sh/hook": post-delete "helm.sh/hook-weight": "-3" "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +{{- if .Values.extraLabels.role }} + labels: + {{- toYaml .Values.extraLabels.role | nindent 4 }} +{{- end }} rules: - apiGroups: [""] resources: ["secrets",] @@ -34,13 +42,17 @@ metadata: "helm.sh/hook": post-delete "helm.sh/hook-weight": "-2" "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +{{- if .Values.extraLabels.roleBinding }} + labels: + {{- toYaml .Values.extraLabels.roleBinding | nindent 4 }} +{{- end }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: {{ .Release.Name }}-delete-hook subjects: - kind: ServiceAccount - name: {{ .Release.Name }}-delete-hook + name: {{ template "teleport-kube-agent.deleteHookServiceAccountName" . }} namespace: {{ .Release.Namespace }} --- {{- end }} @@ -53,6 +65,10 @@ metadata: "helm.sh/hook": post-delete "helm.sh/hook-weight": "-1" "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +{{- if .Values.extraLabels.job }} + labels: + {{- toYaml .Values.extraLabels.job | nindent 4 }} +{{- end }} spec: template: metadata: diff --git a/teleport-kube-agent/templates/deployment.yaml b/teleport-kube-agent/templates/deployment.yaml index 30b7924..4eb3f5d 100644 --- a/teleport-kube-agent/templates/deployment.yaml +++ b/teleport-kube-agent/templates/deployment.yaml @@ -43,6 +43,9 @@ spec: {{- if .Values.dnsPolicy }} dnsPolicy: {{ .Values.dnsPolicy | quote }} {{- end }} + {{- if .Values.podSecurityContext }} + securityContext: {{- toYaml .Values.podSecurityContext | nindent 8}} + {{- end }} {{- if .Values.hostAliases }} hostAliases: {{- toYaml .Values.hostAliases | nindent 8 }} {{- end }} 
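Review bot: The Job hunk reads `.Values.extraLabels.job`, a new values key with no declaration visible in this chunk; Go templates return nil for a missing map key so the `if` is harmless, but the key stays undocumented unless the updated values.yaml adds it under `extraLabels` next to `deployment` and `pod`. The `.lint/extra-labels.yaml` fixture in this patch does set it, so the values file should carry a matching entry, `# Labels for the post-delete hook Job` over `job: {}`, and I could not confirm that from here.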
@@ -108,6 +111,11 @@ spec: name: "teleport-tls-ca" readOnly: true {{- end }} + {{- if contains "jamf" (.Values.roles | toString) }} + - mountPath: /etc/teleport-jamf-api-credentials + name: "jamf-api-credentials" + readOnly: true + {{- end }} {{- if .Values.extraVolumeMounts }} {{- toYaml .Values.extraVolumeMounts | nindent 8 }} {{- end }} @@ -130,6 +138,12 @@ spec: {{- if .Values.updater.enabled }} - name: TELEPORT_EXT_UPGRADER value: kube + - name: TELEPORT_EXT_UPGRADER_VERSION + value: {{ include "teleport-kube-agent.version" . }} + {{- end }} + {{- if .Values.clusterDomain }} + - name: TELEPORT_KUBE_CLUSTER_DOMAIN + value: {{ .Values.clusterDomain | quote }} {{- end }} {{- if (gt (len .Values.extraEnv) 0) }} {{- toYaml .Values.extraEnv | nindent 8 }} @@ -187,8 +201,16 @@ spec: name: "teleport-tls-ca" readOnly: true {{- end }} + {{- if contains "jamf" (.Values.roles | toString) }} + - mountPath: /etc/teleport-jamf-api-credentials + name: "jamf-api-credentials" + readOnly: true + {{- end }} {{- if .Values.extraVolumeMounts }} {{- toYaml .Values.extraVolumeMounts | nindent 8 }} +{{- end }} +{{- if .Values.extraContainers }} + {{- toYaml .Values.extraContainers | nindent 6 }} {{- end }} volumes: - name: "config" @@ -206,6 +228,11 @@ spec: secret: secretName: {{ .Values.tls.existingCASecretName }} {{- end }} + {{- if contains "jamf" (.Values.roles | toString) }} + - name: "jamf-api-credentials" + secret: + secretName: {{ .Values.jamfCredentialsSecret.name }} + {{- end }} {{- if .Values.extraVolumes }} {{- toYaml .Values.extraVolumes | nindent 6 }} {{- end }} diff --git a/teleport-kube-agent/templates/role.yaml b/teleport-kube-agent/templates/role.yaml index 9cffd88..22b53a1 100644 --- a/teleport-kube-agent/templates/role.yaml +++ b/teleport-kube-agent/templates/role.yaml 
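Review bot: `TELEPORT_EXT_UPGRADER_VERSION` is rendered as `value: {{ include "teleport-kube-agent.version" . }}` without quoting, so a version that parses as a number (a two-component value such as `16.1` becomes a float) is rejected by the API server, which requires env values to be strings; `value: {{ include "teleport-kube-agent.version" . | quote }}` matches how `TELEPORT_KUBE_CLUSTER_DOMAIN` is quoted two lines below in the same hunk. The identical unquoted line is added to statefulset.yaml in its `@@ -142,6 +148,8 @@` hunk.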
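Review bot: `extraContainers` is spliced into the pod's `containers` list verbatim through `toYaml`, so none of the chart's per-container defaults (`securityContext`, `imagePullPolicy`, the read-only mounts) apply to those entries, and the accompanying `.lint/extra-containers.yaml` fixture exercises a privileged one. The values comment for `extraContainers` should say so, e.g. `# Rendered into the pod as-is; the chart's securityContext defaults are not applied, set them on each entry.` — the updated values.yaml is not in this chunk, so confirm it carries such a note. The same passthrough is added to statefulset.yaml in its `@@ -204,8 +212,16 @@` hunk.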
@@ -11,4 +11,4 @@ rules:
 - apiGroups: [""]
 # objects is "secrets"
 resources: ["secrets"]
- verbs: ["create", "get", "update","patch"]
\ No newline at end of file
+ verbs: ["create", "get", "update", "patch"]
diff --git a/teleport-kube-agent/templates/secret.yaml b/teleport-kube-agent/templates/secret.yaml
index 0b23ec1..3489968 100644
--- a/teleport-kube-agent/templates/secret.yaml
+++ b/teleport-kube-agent/templates/secret.yaml
@@ -17,3 +17,23 @@ stringData:
 auth-token: |
 {{ coalesce .Values.joinParams.tokenName .Values.authToken }}
 {{- end}}
+
+{{- if and (contains "jamf" (.Values.roles | toString)) .Values.jamfCredentialsSecret.create }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.jamfCredentialsSecret.name }}
+ namespace: {{ .Release.Namespace }}
+ {{- if .Values.extraLabels.secret }}
+ labels:
+ {{- toYaml .Values.extraLabels.secret | nindent 4 }}
+ {{- end }}
+ {{- if .Values.annotations.secret }}
+ annotations:
+ {{- toYaml .Values.annotations.secret | nindent 4 }}
+ {{- end }}
+type: Opaque
+stringData:
+ credential: {{ required "jamfClientSecret is required in chart values when jamf role is enabled, see README" .Values.jamfClientSecret }}
+{{- end}}
diff --git a/teleport-kube-agent/templates/statefulset.yaml b/teleport-kube-agent/templates/statefulset.yaml
index 4f31010..1df3dcd 100644
--- a/teleport-kube-agent/templates/statefulset.yaml
+++ b/teleport-kube-agent/templates/statefulset.yaml
@@ -42,8 +42,9 @@ spec:
 {{- if .Values.hostAliases }}
 hostAliases: {{- toYaml .Values.hostAliases | nindent 8 }}
 {{- end }}
- securityContext:
- fsGroup: 9807
+ {{- if .Values.podSecurityContext }}
+ securityContext: {{- toYaml .Values.podSecurityContext | nindent 8}}
+ {{- end }}
 {{- if or .Values.affinity (gt (int $replicaCount) 1) }}
 affinity:
 {{- if .Values.affinity }}
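Review bot: The generated Secret stores the client secret under the key `credential`, which `_config.tpl` reads through `client_secret_file: "/etc/teleport-jamf-api-credentials/credential"`, but nothing tells a user who sets `jamfCredentialsSecret.create: false` that their pre-created Secret must use that same key; the README example added in this patch writes it under `jamfSecret`, which would leave the mounted file absent. A comment above `stringData`, `# Key name is fixed: the agent reads /etc/teleport-jamf-api-credentials/credential`, plus the matching README key, closes that gap. Also `credential: {{ required "jamfClientSecret is required in chart values when jamf role is enabled, see README" .Values.jamfClientSecret }}` emits the secret as a plain scalar, so a value containing `: `, ` #` or a leading YAML indicator changes the parsed manifest; append `| quote`.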
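Review bot: The unconditional `securityContext: fsGroup: 9807` on the StatefulSet pod is replaced by a block that only renders when `podSecurityContext` is set, so unless the updated values.yaml (not in this chunk) defaults `podSecurityContext` to include `fsGroup: 9807`, upgraded installs with `storage.enabled` lose group ownership of the persistent volume and the non-root agent may no longer be able to write session recordings to it. Confirm the default is carried in values, or keep the old value as a fallback: `{{- else }}` followed by `securityContext:` and `fsGroup: 9807` before the `{{- end }}`. The deployment.yaml counterpart at line 198 only adds the conditional and removed nothing, so the regression risk is specific to this file.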
@@ -106,6 +107,11 @@ spec: name: "teleport-tls-ca" readOnly: true {{- end }} + {{- if contains "jamf" (.Values.roles | toString) }} + - mountPath: /etc/teleport-jamf-api-credentials + name: "jamf-api-credentials" + readOnly: true + {{- end }} {{- if .Values.extraVolumeMounts }} {{- toYaml .Values.extraVolumeMounts | nindent 8 }} {{- end }} @@ -142,6 +148,8 @@ spec: {{- if .Values.updater.enabled }} - name: TELEPORT_EXT_UPGRADER value: kube + - name: TELEPORT_EXT_UPGRADER_VERSION + value: {{ include "teleport-kube-agent.version" . }} {{- end }} {{- if .Values.tls.existingCASecretName }} - name: SSL_CERT_FILE @@ -204,8 +212,16 @@ spec: name: "teleport-tls-ca" readOnly: true {{- end }} +{{- if contains "jamf" (.Values.roles | toString) }} + - mountPath: /etc/teleport-jamf-api-credentials + name: "jamf-api-credentials" + readOnly: true +{{- end }} {{- if .Values.extraVolumeMounts }} {{- toYaml .Values.extraVolumeMounts | nindent 8 }} +{{- end }} +{{- if .Values.extraContainers }} + {{- toYaml .Values.extraContainers | nindent 6 }} {{- end }} volumes: - name: "config" @@ -223,6 +239,11 @@ spec: secret: secretName: {{ .Values.tls.existingCASecretName }} {{- end }} +{{- if contains "jamf" (.Values.roles | toString) }} + - name: "jamf-api-credentials" + secret: + secretName: {{ .Values.jamfCredentialsSecret.name }} +{{- end }} {{- if .Values.extraVolumes }} {{- toYaml .Values.extraVolumes | nindent 6 }} {{- end }} diff --git a/teleport-kube-agent/templates/updater/deployment.yaml b/teleport-kube-agent/templates/updater/deployment.yaml index b214d3f..0487aea 100644 --- a/teleport-kube-agent/templates/updater/deployment.yaml +++ b/teleport-kube-agent/templates/updater/deployment.yaml 
@@ -56,17 +56,20 @@ spec: {{- if $updater.tls.existingCASecretName }} - name: SSL_CERT_FILE value: /etc/teleport-tls-ca/ca.pem - # Used to track whether a Teleport agent was installed using this method. - - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT - value: true {{- end }} {{- end }} args: - "--agent-name={{ .Release.Name }}" - "--agent-namespace={{ .Release.Namespace }}" - "--base-image={{ include "teleport-kube-agent.baseImage" . }}" - - "--version-server={{ $updater.versionServer }}" + - "--version-server={{ tpl $updater.versionServer . }}" - "--version-channel={{ $updater.releaseChannel }}" +{{- if $updater.pullCredentials }} + - "--pull-credentials={{ $updater.pullCredentials }}" +{{- end }} +{{- if .Values.updater.extraArgs }} + {{- toYaml .Values.updater.extraArgs | nindent 10 }} +{{- end }} {{- if $updater.securityContext }} securityContext: {{- toYaml $updater.securityContext | nindent 10 }} {{- end }} 
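Review bot: `- "--pull-credentials={{ $updater.pullCredentials }}"` places the value on the updater's command line, where it is readable by anyone with `get` on pods or deployments in the namespace and in process listings on the node. If the flag only accepts a reference (such as an imagePullSecret name) that is fine and a values.yaml comment should say so explicitly, e.g. `# pullCredentials is the name of a Secret, never a raw token; it is exposed in the Pod spec.`; if it can carry a token, deliver it through a Secret-backed env var or mounted file instead. The removal of the `TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT` env from this container is presumably intentional, but it is unrelated to the pull-credentials change and would be clearer as its own commit.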
@@ -96,15 +99,27 @@ spec: {{- if $updater.resources }} resources: {{- toYaml $updater.resources | nindent 10 }} {{- end }} -{{- if $updater.tls.existingCASecretName }} +{{- if or $updater.tls.existingCASecretName .Values.updater.extraVolumeMounts }} volumeMounts: - - mountPath: /etc/teleport-tls-ca - name: "teleport-tls-ca" - readOnly: true + {{- if $updater.tls.existingCASecretName }} + - mountPath: /etc/teleport-tls-ca + name: "teleport-tls-ca" + readOnly: true + {{- end }} + {{- if .Values.updater.extraVolumeMounts }} + {{- toYaml .Values.updater.extraVolumeMounts | nindent 10 }} + {{- end }} +{{- end }} +{{- if or $updater.tls.existingCASecretName .Values.updater.extraVolumes }} volumes: - - name: "teleport-tls-ca" - secret: - secretName: {{ $updater.tls.existingCASecretName }} + {{- if .Values.updater.extraVolumes }} + {{- toYaml $updater.extraVolumes | nindent 8 }} + {{- end }} + {{- if $updater.tls.existingCASecretName }} + - name: "teleport-tls-ca" + secret: + secretName: {{ $updater.tls.existingCASecretName }} + {{- end }} {{- end }} {{- if $updater.priorityClassName }} priorityClassName: {{ $updater.priorityClassName }} diff --git a/teleport-kube-agent/tests/__snapshot__/clusterrole_test.yaml.snap b/teleport-kube-agent/tests/__snapshot__/clusterrole_test.yaml.snap index 708bc3e..66a446c 100644 --- a/teleport-kube-agent/tests/__snapshot__/clusterrole_test.yaml.snap +++ b/teleport-kube-agent/tests/__snapshot__/clusterrole_test.yaml.snap 
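Review bot: The `volumes:` guard checks `.Values.updater.extraVolumes` but the body renders `{{- toYaml $updater.extraVolumes | nindent 8 }}`, while the `volumeMounts` block uses `.Values.updater.extraVolumeMounts` for both; if `$updater` is built from `.Values.updater` with defaults merged (its definition is outside this hunk) the two can disagree and either render an empty list or drop user-supplied volumes. Use one reference consistently with the mounts block, e.g. `{{- toYaml .Values.updater.extraVolumes | nindent 8 }}`, or switch every check in this block to `$updater`. A one-line comment stating which of `$updater` and `.Values.updater` is authoritative would stop the mix from recurring.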
@@ -1,3 +1,36 @@ +adds services listing permission if discovery is enabled: + 1: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: RELEASE-NAME + rules: + - apiGroups: + - "" + resources: + - users + - groups + - serviceaccounts + verbs: + - impersonate + - apiGroups: + - "" + resources: + - services + verbs: + - list + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - apiGroups: + - authorization.k8s.io + resources: + - selfsubjectaccessreviews + verbs: + - create creates a ClusterRole: 1: | apiVersion: rbac.authorization.k8s.io/v1 @@ -25,6 +58,33 @@ creates a ClusterRole: - selfsubjectaccessreviews verbs: - create +does not add services listing permission if discovery is disabled: + 1: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: RELEASE-NAME + rules: + - apiGroups: + - "" + resources: + - users + - groups + - serviceaccounts + verbs: + - impersonate + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - apiGroups: + - authorization.k8s.io + resources: + - selfsubjectaccessreviews + verbs: + - create sets ClusterRole labels when specified: 1: | apiVersion: rbac.authorization.k8s.io/v1 diff --git a/teleport-kube-agent/tests/__snapshot__/config_test.yaml.snap b/teleport-kube-agent/tests/__snapshot__/config_test.yaml.snap index 3585d3b..ad817a9 100644 --- a/teleport-kube-agent/tests/__snapshot__/config_test.yaml.snap +++ b/teleport-kube-agent/tests/__snapshot__/config_test.yaml.snap @@ -9,6 +9,10 @@ does not generate a config for clusterrole.yaml: enabled: false db_service: enabled: false + discovery_service: + enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: true kube_cluster_name: test-kube-cluster 
@@ -47,6 +51,10 @@ does not generate a config for pdb.yaml: enabled: false db_service: enabled: false + discovery_service: + enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: true kube_cluster_name: test-kube-cluster-name @@ -85,6 +93,10 @@ matches snapshot and tests for annotations.yaml: enabled: false db_service: enabled: false + discovery_service: + enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: true kube_cluster_name: test-kube-cluster @@ -126,6 +138,10 @@ matches snapshot and tests for extra-labels.yaml: enabled: false db_service: enabled: false + discovery_service: + enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: true kube_cluster_name: test-kube-cluster @@ -167,6 +183,10 @@ matches snapshot for affinity.yaml: enabled: false db_service: enabled: false + discovery_service: + enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: true kube_cluster_name: test-kube-cluster @@ -206,6 +226,7 @@ matches snapshot for all-v6.yaml: name: grafana uri: http://localhost:3000 enabled: true + resources: null auth_service: enabled: false db_service: @@ -216,6 +237,13 @@ matches snapshot for all-v6.yaml: protocol: postgres uri: postgres-aurora-instance-1.xxx.us-east-1.rds.amazonaws.com:5432 enabled: true + discovery_service: + enabled: false + jamf_service: + api_endpoint: testjamf.jamfcloud.com/api + client_id: teleport-jamf-client-id + client_secret_file: /etc/teleport-jamf-api-credentials/credential + enabled: true kubernetes_service: enabled: true kube_cluster_name: test-kube-cluster-name 
@@ -248,6 +276,120 @@ matches snapshot for all-v6.yaml: kubernetes.io/config-different: 2 name: RELEASE-NAME namespace: NAMESPACE +matches snapshot for app-discovery-full.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + apps: + - labels: + env: test + name: test + uri: https://console.aws.amazon.com/ec2/v2/home + enabled: true + resources: + - labels: + '*': '*' + - labels: + teleport.dev/kubernetes-cluster: example + teleport.dev/origin: discovery-kubernetes + auth_service: + enabled: false + db_service: + enabled: false + discovery_service: + discovery_group: example + enabled: true + kubernetes: + - labels: + '*': '*' + namespaces: + - '*' + types: + - app + jamf_service: + enabled: false + kubernetes_service: + enabled: false + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: teleport.example.com + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for app-discovery-minimal.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: true + resources: + - labels: + teleport.dev/kubernetes-cluster: test-kube-cluster + teleport.dev/origin: discovery-kubernetes + auth_service: + enabled: false + db_service: + enabled: false + discovery_service: + discovery_group: test-kube-cluster + enabled: true + kubernetes: + - labels: + '*': '*' + namespaces: + - '*' + types: + - app + jamf_service: + enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + 
output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE matches snapshot for aws-databases.yaml: 1: | apiVersion: v1 @@ -272,6 +414,10 @@ matches snapshot for aws-databases.yaml: types: - rds enabled: true + discovery_service: + enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: false proxy_service: @@ -331,6 +477,10 @@ matches snapshot for azure-databases.yaml: types: - mysql enabled: true + discovery_service: + enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: false proxy_service: @@ -368,6 +518,10 @@ matches snapshot for backwards-compatibility.yaml: enabled: false db_service: enabled: false + discovery_service: + enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: true kube_cluster_name: test-kube-cluster-name @@ -406,6 +560,10 @@ matches snapshot for ca-pin.yaml: enabled: false db_service: enabled: false + discovery_service: + enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: true kube_cluster_name: test-kube-cluster @@ -452,6 +610,10 @@ matches snapshot for db.yaml: protocol: postgres uri: postgres-aurora-instance-1.xxx.us-east-1.rds.amazonaws.com:5432 enabled: true + discovery_service: + enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: false proxy_service: @@ -492,6 +654,10 @@ matches snapshot for dynamic-app.yaml: enabled: false db_service: enabled: false + discovery_service: + enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: false proxy_service: @@ -532,6 +698,10 @@ matches snapshot for dynamic-db.yaml: resources: - labels: '*': '*' + discovery_service: + enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: false proxy_service: 
@@ -569,6 +739,10 @@ matches snapshot for imagepullsecrets.yaml: enabled: false db_service: enabled: false + discovery_service: + enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: true kube_cluster_name: test-kube-cluster @@ -607,6 +781,10 @@ matches snapshot for initcontainers.yaml: enabled: false db_service: enabled: false + discovery_service: + enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: true kube_cluster_name: test-kube-cluster 
@@ -634,6 +812,94 @@ matches snapshot for initcontainers.yaml: metadata: name: RELEASE-NAME namespace: NAMESPACE +matches snapshot for jamf-service-existing-secret.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: false + discovery_service: + enabled: false + jamf_service: + api_endpoint: https://testjamf.jamfcloud.com/api + client_id: teleport-jamf-client-id + client_secret_file: /etc/teleport-jamf-api-credentials/credential + enabled: true + kubernetes_service: + enabled: false + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for jamf-service.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: false + discovery_service: + enabled: false + jamf_service: + api_endpoint: https://testjamf.jamfcloud.com/api + client_id: teleport-jamf-client-id + client_secret_file: /etc/teleport-jamf-api-credentials/credential + enabled: true + kubernetes_service: + enabled: false + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE matches snapshot for join-params-iam.yaml: 1: | apiVersion: v1 
@@ -645,6 +911,10 @@ matches snapshot for join-params-iam.yaml: enabled: false db_service: enabled: false + discovery_service: + enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: true kube_cluster_name: test-kube-cluster-name @@ -683,6 +953,10 @@ matches snapshot for join-params-token.yaml: enabled: false db_service: enabled: false + discovery_service: + enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: true kube_cluster_name: test-kube-cluster-name @@ -721,6 +995,10 @@ matches snapshot for log-basic.yaml: enabled: false db_service: enabled: false + discovery_service: + enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: true kube_cluster_name: test-kube-cluster-name @@ -759,6 +1037,10 @@ matches snapshot for log-extra.yaml: enabled: false db_service: enabled: false + discovery_service: + enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: true kube_cluster_name: test-kube-cluster-name @@ -797,6 +1079,10 @@ matches snapshot for log-legacy.yaml: enabled: false db_service: enabled: false + discovery_service: + enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: true kube_cluster_name: test-kube-cluster-name @@ -835,6 +1121,10 @@ matches snapshot for node-selector.yaml: enabled: false db_service: enabled: false + discovery_service: + enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: true kube_cluster_name: test-kube-cluster-name @@ -873,6 +1163,10 @@ matches snapshot for pdb.yaml: enabled: false db_service: enabled: false + discovery_service: + enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: true kube_cluster_name: test-kube-cluster-name @@ -911,6 +1205,10 @@ matches snapshot for resources.yaml: enabled: false db_service: enabled: false + discovery_service: + enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: true kube_cluster_name: test-kube-cluster 
@@ -949,6 +1247,10 @@ matches snapshot for stateful.yaml: enabled: false db_service: enabled: false + discovery_service: + enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: true kube_cluster_name: test-kube-cluster-name @@ -987,6 +1289,10 @@ matches snapshot for tolerations.yaml: enabled: false db_service: enabled: false + discovery_service: + enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: true kube_cluster_name: test-kube-cluster @@ -1025,6 +1331,10 @@ matches snapshot for v10.yaml: enabled: false db_service: enabled: false + discovery_service: + enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: true kube_cluster_name: test-kube-cluster-name @@ -1063,6 +1373,10 @@ matches snapshot for v11.yaml: enabled: false db_service: enabled: false + discovery_service: + enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: true kube_cluster_name: test-kube-cluster-name @@ -1101,6 +1415,10 @@ matches snapshot for volumes.yaml: enabled: false db_service: enabled: false + discovery_service: + enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: true kube_cluster_name: test-kube-cluster diff --git a/teleport-kube-agent/tests/__snapshot__/deployment_test.yaml.snap b/teleport-kube-agent/tests/__snapshot__/deployment_test.yaml.snap index 1dd13be..09ea558 100644 --- a/teleport-kube-agent/tests/__snapshot__/deployment_test.yaml.snap +++ b/teleport-kube-agent/tests/__snapshot__/deployment_test.yaml.snap @@ -18,7 +18,7 @@ sets Deployment annotations when specified if action is Upgrade: template: metadata: annotations: - checksum/config: 80088923d2d7ce4344db0f2174d29d7cfb2d599424adfabf6f6818a9434794ca + checksum/config: 310911b3e71e9339802aeca1d182e1acf5153470f507ce4af423a73e6e06eaba kubernetes.io/pod: test-annotation kubernetes.io/pod-different: 4 labels: 
@@ -30,7 +30,9 @@ sets Deployment annotations when specified if action is Upgrade: env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + - name: TELEPORT_KUBE_CLUSTER_DOMAIN + value: cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -57,10 +59,12 @@ sets Deployment annotations when specified if action is Upgrade: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config @@ -70,6 +74,8 @@ sets Deployment annotations when specified if action is Upgrade: readOnly: true - mountPath: /var/lib/teleport name: data + securityContext: + fsGroup: 9807 serviceAccountName: RELEASE-NAME volumes: - configMap: @@ -89,7 +95,7 @@ sets Deployment labels when specified if action is Upgrade: template: metadata: annotations: - checksum/config: db49feab9b174f73188febc30d2b01d27b16e5a76b586c6e87e6e62eb43620a2 + checksum/config: 9e9cb2e4d76c492bccf0b1e2be4a5acffc8fe747484eb62e615c5ed8dc8c3fc6 labels: app: RELEASE-NAME app.kubernetes.io/name: teleport-kube-agent @@ -101,7 +107,9 @@ sets Deployment labels when specified if action is Upgrade: env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + - name: TELEPORT_KUBE_CLUSTER_DOMAIN + value: cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 
@@ -128,10 +136,12 @@ sets Deployment labels when specified if action is Upgrade: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config @@ -141,6 +151,8 @@ sets Deployment labels when specified if action is Upgrade: readOnly: true - mountPath: /var/lib/teleport name: data + securityContext: + fsGroup: 9807 serviceAccountName: RELEASE-NAME volumes: - configMap: @@ -159,7 +171,9 @@ sets Pod annotations when specified if action is Upgrade: env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + - name: TELEPORT_KUBE_CLUSTER_DOMAIN + value: cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -186,10 +200,12 @@ sets Pod annotations when specified if action is Upgrade: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config @@ -199,6 +215,8 @@ sets Pod annotations when specified if action is Upgrade: readOnly: true - mountPath: /var/lib/teleport name: data + securityContext: + fsGroup: 9807 serviceAccountName: RELEASE-NAME volumes: - configMap: @@ -217,7 +235,9 @@ sets Pod labels when specified if action is Upgrade: env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + - name: TELEPORT_KUBE_CLUSTER_DOMAIN + value: cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 
@@ -244,10 +264,12 @@ sets Pod labels when specified if action is Upgrade: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config @@ -257,6 +279,8 @@ sets Pod labels when specified if action is Upgrade: readOnly: true - mountPath: /var/lib/teleport name: data + securityContext: + fsGroup: 9807 serviceAccountName: RELEASE-NAME volumes: - configMap: @@ -272,18 +296,22 @@ sets by default a container security context if action is Upgrade: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault 2: | allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault should add emptyDir for data when existingDataVolume is not set if action is Upgrade: 1: | containers: @@ -292,7 +320,9 @@ should add emptyDir for data when existingDataVolume is not set if action is Upg env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + - name: TELEPORT_KUBE_CLUSTER_DOMAIN + value: cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -319,10 +349,12 @@ should add emptyDir for data when existingDataVolume is not set if action is Upg allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config 
@@ -332,6 +364,8 @@ should add emptyDir for data when existingDataVolume is not set if action is Upg readOnly: true - mountPath: /var/lib/teleport name: data + securityContext: + fsGroup: 9807 serviceAccountName: RELEASE-NAME volumes: - configMap: @@ -351,7 +385,9 @@ should add insecureSkipProxyTLSVerify to args when set in values if action is Up env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + - name: TELEPORT_KUBE_CLUSTER_DOMAIN + value: cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -378,10 +414,12 @@ should add insecureSkipProxyTLSVerify to args when set in values if action is Up allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config @@ -391,6 +429,8 @@ should add insecureSkipProxyTLSVerify to args when set in values if action is Up readOnly: true - mountPath: /var/lib/teleport name: data + securityContext: + fsGroup: 9807 serviceAccountName: RELEASE-NAME volumes: - configMap: @@ -409,7 +449,9 @@ should correctly configure existingDataVolume when set if action is Upgrade: env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + - name: TELEPORT_KUBE_CLUSTER_DOMAIN + value: cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -436,10 +478,12 @@ should correctly configure existingDataVolume when set if action is Upgrade: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config 
@@ -449,6 +493,8 @@ should correctly configure existingDataVolume when set if action is Upgrade: readOnly: true - mountPath: /var/lib/teleport name: teleport-kube-agent-data + securityContext: + fsGroup: 9807 serviceAccountName: RELEASE-NAME volumes: - configMap: @@ -465,7 +511,9 @@ should expose diag port if action is Upgrade: env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + - name: TELEPORT_KUBE_CLUSTER_DOMAIN + value: cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -492,10 +540,12 @@ should expose diag port if action is Upgrade: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config @@ -505,6 +555,8 @@ should expose diag port if action is Upgrade: readOnly: true - mountPath: /var/lib/teleport name: data + securityContext: + fsGroup: 9807 serviceAccountName: RELEASE-NAME volumes: - configMap: @@ -535,7 +587,9 @@ should have multiple replicas when replicaCount is set (using .replicaCount, dep env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + - name: TELEPORT_KUBE_CLUSTER_DOMAIN + value: cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -562,10 +616,12 @@ should have multiple replicas when replicaCount is set (using .replicaCount, dep allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config 
@@ -575,6 +631,8 @@ should have multiple replicas when replicaCount is set (using .replicaCount, dep readOnly: true - mountPath: /var/lib/teleport name: data + securityContext: + fsGroup: 9807 serviceAccountName: RELEASE-NAME volumes: - configMap: @@ -605,7 +663,9 @@ should have multiple replicas when replicaCount is set (using highAvailability.r env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + - name: TELEPORT_KUBE_CLUSTER_DOMAIN + value: cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -632,10 +692,12 @@ should have multiple replicas when replicaCount is set (using highAvailability.r allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config @@ -645,6 +707,8 @@ should have multiple replicas when replicaCount is set (using highAvailability.r readOnly: true - mountPath: /var/lib/teleport name: data + securityContext: + fsGroup: 9807 serviceAccountName: RELEASE-NAME volumes: - configMap: @@ -663,7 +727,9 @@ should have one replica when replicaCount is not set if action is Upgrade: env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + - name: TELEPORT_KUBE_CLUSTER_DOMAIN + value: cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -690,10 +756,12 @@ should have one replica when replicaCount is not set if action is Upgrade: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config 
@@ -703,6 +771,8 @@ should have one replica when replicaCount is not set if action is Upgrade: readOnly: true - mountPath: /var/lib/teleport name: data + securityContext: + fsGroup: 9807 serviceAccountName: RELEASE-NAME volumes: - configMap: @@ -721,7 +791,9 @@ should mount extraVolumes and extraVolumeMounts if action is Upgrade: env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + - name: TELEPORT_KUBE_CLUSTER_DOMAIN + value: cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -748,10 +820,12 @@ should mount extraVolumes and extraVolumeMounts if action is Upgrade: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config @@ -763,6 +837,8 @@ should mount extraVolumes and extraVolumeMounts if action is Upgrade: name: data - mountPath: /path/to/mount name: my-mount + securityContext: + fsGroup: 9807 serviceAccountName: RELEASE-NAME volumes: - configMap: @@ -776,7 +852,7 @@ should mount extraVolumes and extraVolumeMounts if action is Upgrade: - name: my-mount secret: secretName: mySecret -should mount tls.existingCASecretName and set environment when set in values if action is Upgrade: +should mount jamfCredentialsSecret if it already exists and when role is jamf and action is Upgrade: 1: | containers: - args: 
@@ -784,9 +860,9 @@ should mount tls.existingCASecretName and set environment when set in values if env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - - name: SSL_CERT_FILE - value: /etc/teleport-tls-ca/ca.pem - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + - name: TELEPORT_KUBE_CLUSTER_DOMAIN + value: cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 
@@ -813,10 +889,154 @@ should mount tls.existingCASecretName and set environment when set in values if allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + - mountPath: /etc/teleport-jamf-api-credentials + name: jamf-api-credentials + readOnly: true + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data + - name: jamf-api-credentials + secret: + secretName: existing-teleport-jamf-secret +should mount jamfCredentialsSecret.name when role is jamf and action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_KUBE_CLUSTER_DOMAIN + value: cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: 
/var/lib/teleport + name: data + - mountPath: /etc/teleport-jamf-api-credentials + name: jamf-api-credentials + readOnly: true + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data + - name: jamf-api-credentials + secret: + secretName: teleport-jamf-api-credentials +should mount tls.existingCASecretName and set environment when set in values if action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_KUBE_CLUSTER_DOMAIN + value: cluster.local + - name: SSL_CERT_FILE + value: /etc/teleport-tls-ca/ca.pem + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config @@ -829,6 +1049,8 @@ should mount tls.existingCASecretName and set environment when set in values if - mountPath: /etc/teleport-tls-ca name: teleport-tls-ca readOnly: true + securityContext: + fsGroup: 9807 serviceAccountName: RELEASE-NAME volumes: - configMap: 
@@ -850,11 +1072,13 @@ should mount tls.existingCASecretName and set extra environment when set in valu env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" + - name: TELEPORT_KUBE_CLUSTER_DOMAIN + value: cluster.local - name: HTTPS_PROXY value: http://username:password@my.proxy.host:3128 - name: SSL_CERT_FILE value: /etc/teleport-tls-ca/ca.pem - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -881,10 +1105,12 @@ should mount tls.existingCASecretName and set extra environment when set in valu allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config @@ -897,6 +1123,8 @@ should mount tls.existingCASecretName and set extra environment when set in valu - mountPath: /etc/teleport-tls-ca name: teleport-tls-ca readOnly: true + securityContext: + fsGroup: 9807 serviceAccountName: RELEASE-NAME volumes: - configMap: @@ -918,7 +1146,9 @@ should provision initContainer correctly when set in values if action is Upgrade env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + - name: TELEPORT_KUBE_CLUSTER_DOMAIN + value: cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -952,10 +1182,12 @@ should provision initContainer correctly when set in values if action is Upgrade allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config 
@@ -981,68 +1213,12 @@ should provision initContainer correctly when set in values if action is Upgrade allowPrivilegeEscalation: false capabilities: drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: /var/lib/teleport - name: data - serviceAccountName: RELEASE-NAME - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: auth-token - secret: - secretName: teleport-kube-agent-join-token - - emptyDir: {} - name: data -should set SecurityContext if action is Upgrade: - 1: | - containers: - - args: - - --diag-addr=0.0.0.0:3000 - env: - - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT - value: "true" - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - timeoutSeconds: 1 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - timeoutSeconds: 1 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config @@ -1052,6 +1228,8 @@ should set SecurityContext if action is Upgrade: readOnly: true - mountPath: /var/lib/teleport name: data + securityContext: + fsGroup: 9807 serviceAccountName: RELEASE-NAME volumes: - configMap: 
@@ -1090,7 +1268,9 @@ should set affinity when set in values if action is Upgrade: env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + - name: TELEPORT_KUBE_CLUSTER_DOMAIN + value: cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -1117,10 +1297,12 @@ should set affinity when set in values if action is Upgrade: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config @@ -1130,6 +1312,8 @@ should set affinity when set in values if action is Upgrade: readOnly: true - mountPath: /var/lib/teleport name: data + securityContext: + fsGroup: 9807 serviceAccountName: RELEASE-NAME volumes: - configMap: @@ -1148,7 +1332,9 @@ should set default serviceAccountName when not set in values if action is Upgrad env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + - name: TELEPORT_KUBE_CLUSTER_DOMAIN + value: cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -1175,10 +1361,12 @@ should set default serviceAccountName when not set in values if action is Upgrad allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config @@ -1188,6 +1376,8 @@ should set default serviceAccountName when not set in values if action is Upgrad readOnly: true - mountPath: /var/lib/teleport name: data + securityContext: + fsGroup: 9807 serviceAccountName: RELEASE-NAME volumes: - configMap: 
@@ -1217,9 +1407,11 @@ should set environment when extraEnv set in values if action is Upgrade: env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" + - name: TELEPORT_KUBE_CLUSTER_DOMAIN + value: cluster.local - name: HTTPS_PROXY value: http://username:password@my.proxy.host:3128 - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -1246,10 +1438,12 @@ should set environment when extraEnv set in values if action is Upgrade: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config @@ -1259,6 +1453,8 @@ should set environment when extraEnv set in values if action is Upgrade: readOnly: true - mountPath: /var/lib/teleport name: data + securityContext: + fsGroup: 9807 serviceAccountName: RELEASE-NAME volumes: - configMap: @@ -1277,6 +1473,8 @@ should set image and tag correctly if action is Upgrade: env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" + - name: TELEPORT_KUBE_CLUSTER_DOMAIN + value: cluster.local image: public.ecr.aws/gravitational/teleport-distroless:12.2.1 imagePullPolicy: IfNotPresent livenessProbe: @@ -1304,10 +1502,12 @@ should set image and tag correctly if action is Upgrade: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config @@ -1317,6 +1517,8 @@ should set image and tag correctly if action is Upgrade: readOnly: true - mountPath: /var/lib/teleport name: data + securityContext: + fsGroup: 9807 serviceAccountName: RELEASE-NAME volumes: - configMap: 
@@ -1335,7 +1537,9 @@ should set imagePullPolicy when set in values if action is Upgrade: env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + - name: TELEPORT_KUBE_CLUSTER_DOMAIN + value: cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: Always livenessProbe: failureThreshold: 6 @@ -1362,10 +1566,12 @@ should set imagePullPolicy when set in values if action is Upgrade: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config @@ -1375,6 +1581,8 @@ should set imagePullPolicy when set in values if action is Upgrade: readOnly: true - mountPath: /var/lib/teleport name: data + securityContext: + fsGroup: 9807 serviceAccountName: RELEASE-NAME volumes: - configMap: @@ -1393,7 +1601,9 @@ should set nodeSelector if set in values if action is Upgrade: env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + - name: TELEPORT_KUBE_CLUSTER_DOMAIN + value: cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -1420,10 +1630,12 @@ should set nodeSelector if set in values if action is Upgrade: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config @@ -1435,6 +1647,8 @@ should set nodeSelector if set in values if action is Upgrade: name: data nodeSelector: gravitational.io/k8s-role: node + securityContext: + fsGroup: 9807 serviceAccountName: RELEASE-NAME volumes: - configMap: 
@@ -1453,7 +1667,9 @@ should set not set priorityClassName when not set in values if action is Upgrade env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + - name: TELEPORT_KUBE_CLUSTER_DOMAIN + value: cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -1480,10 +1696,12 @@ should set not set priorityClassName when not set in values if action is Upgrade allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config @@ -1493,6 +1711,8 @@ should set not set priorityClassName when not set in values if action is Upgrade readOnly: true - mountPath: /var/lib/teleport name: data + securityContext: + fsGroup: 9807 serviceAccountName: RELEASE-NAME volumes: - configMap: @@ -1523,7 +1743,9 @@ should set preferred affinity when more than one replica is used if action is Up env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + - name: TELEPORT_KUBE_CLUSTER_DOMAIN + value: cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -1550,10 +1772,12 @@ should set preferred affinity when more than one replica is used if action is Up allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config 
@@ -1563,6 +1787,8 @@ should set preferred affinity when more than one replica is used if action is Up readOnly: true - mountPath: /var/lib/teleport name: data + securityContext: + fsGroup: 9807 serviceAccountName: RELEASE-NAME volumes: - configMap: @@ -1581,7 +1807,9 @@ should set priorityClassName when set in values if action is Upgrade: env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + - name: TELEPORT_KUBE_CLUSTER_DOMAIN + value: cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -1608,10 +1836,12 @@ should set priorityClassName when set in values if action is Upgrade: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config @@ -1622,6 +1852,8 @@ should set priorityClassName when set in values if action is Upgrade: - mountPath: /var/lib/teleport name: data priorityClassName: teleport-kube-agent + securityContext: + fsGroup: 9807 serviceAccountName: RELEASE-NAME volumes: - configMap: @@ -1640,7 +1872,9 @@ should set probeTimeoutSeconds when set in values if action is Upgrade: env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + - name: TELEPORT_KUBE_CLUSTER_DOMAIN + value: cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -1667,10 +1901,12 @@ should set probeTimeoutSeconds when set in values if action is Upgrade: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config 
@@ -1680,6 +1916,8 @@ should set probeTimeoutSeconds when set in values if action is Upgrade: readOnly: true - mountPath: /var/lib/teleport name: data + securityContext: + fsGroup: 9807 serviceAccountName: RELEASE-NAME volumes: - configMap: @@ -1708,7 +1946,9 @@ should set required affinity when highAvailability.requireAntiAffinity is set if env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + - name: TELEPORT_KUBE_CLUSTER_DOMAIN + value: cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -1735,10 +1975,12 @@ should set required affinity when highAvailability.requireAntiAffinity is set if allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config @@ -1748,6 +1990,8 @@ should set required affinity when highAvailability.requireAntiAffinity is set if readOnly: true - mountPath: /var/lib/teleport name: data + securityContext: + fsGroup: 9807 serviceAccountName: RELEASE-NAME volumes: - configMap: @@ -1766,7 +2010,9 @@ should set resources when set in values if action is Upgrade: env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + - name: TELEPORT_KUBE_CLUSTER_DOMAIN + value: cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -1800,10 +2046,12 @@ should set resources when set in values if action is Upgrade: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config 
@@ -1813,6 +2061,8 @@ should set resources when set in values if action is Upgrade: readOnly: true - mountPath: /var/lib/teleport name: data + securityContext: + fsGroup: 9807 serviceAccountName: RELEASE-NAME volumes: - configMap: @@ -1831,7 +2081,9 @@ should set serviceAccountName when set in values if action is Upgrade: env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + - name: TELEPORT_KUBE_CLUSTER_DOMAIN + value: cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -1858,10 +2110,12 @@ should set serviceAccountName when set in values if action is Upgrade: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config @@ -1871,6 +2125,8 @@ should set serviceAccountName when set in values if action is Upgrade: readOnly: true - mountPath: /var/lib/teleport name: data + securityContext: + fsGroup: 9807 serviceAccountName: teleport-kube-agent-sa volumes: - configMap: @@ -1889,7 +2145,9 @@ should set tolerations when set in values if action is Upgrade: env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + - name: TELEPORT_KUBE_CLUSTER_DOMAIN + value: cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -1916,10 +2174,12 @@ should set tolerations when set in values if action is Upgrade: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config 
@@ -1929,6 +2189,8 @@ should set tolerations when set in values if action is Upgrade: readOnly: true - mountPath: /var/lib/teleport name: data + securityContext: + fsGroup: 9807 serviceAccountName: RELEASE-NAME tolerations: - effect: NoExecute diff --git a/teleport-kube-agent/tests/__snapshot__/job_test.yaml.snap b/teleport-kube-agent/tests/__snapshot__/job_test.yaml.snap index cff8b14..eff4aa6 100644 --- a/teleport-kube-agent/tests/__snapshot__/job_test.yaml.snap +++ b/teleport-kube-agent/tests/__snapshot__/job_test.yaml.snap @@ -25,17 +25,19 @@ should create ServiceAccount for post-delete hook by default: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent name: post-delete-job securityContext: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault restartPolicy: OnFailure serviceAccountName: lint-serviceaccount should not create ServiceAccount for post-delete hook if serviceAccount.create is false: @@ -74,7 +76,7 @@ should not create ServiceAccount for post-delete hook if serviceAccount.create i name: RELEASE-NAME-delete-hook subjects: - kind: ServiceAccount - name: RELEASE-NAME-delete-hook + name: lint-serviceaccount namespace: NAMESPACE 3: | apiVersion: batch/v1 
@@ -104,17 +106,19 @@ should not create ServiceAccount for post-delete hook if serviceAccount.create i fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent name: post-delete-job securityContext: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault restartPolicy: OnFailure serviceAccountName: lint-serviceaccount should not create ServiceAccount, Role or RoleBinding for post-delete hook if serviceAccount.create and rbac.create are false: @@ -132,17 +136,19 @@ should not create ServiceAccount, Role or RoleBinding for post-delete hook if se fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent name: post-delete-job securityContext: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault restartPolicy: OnFailure serviceAccountName: lint-serviceaccount should set nodeSelector in post-delete hook: 
@@ -160,46 +166,20 @@ should set nodeSelector in post-delete hook: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent name: post-delete-job securityContext: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault nodeSelector: gravitational.io/k8s-role: node restartPolicy: OnFailure serviceAccountName: RELEASE-NAME-delete-hook -should set securityContext in post-delete hook: - 1: | - containers: - - args: - - kube-state - - delete - command: - - teleport - env: - - name: KUBE_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: RELEASE_NAME - value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 - imagePullPolicy: IfNotPresent - name: post-delete-job - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - restartPolicy: OnFailure - serviceAccountName: RELEASE-NAME-delete-hook diff --git a/teleport-kube-agent/tests/__snapshot__/secret_test.yaml.snap b/teleport-kube-agent/tests/__snapshot__/secret_test.yaml.snap index 551299d..04c4a9c 100644 --- a/teleport-kube-agent/tests/__snapshot__/secret_test.yaml.snap +++ b/teleport-kube-agent/tests/__snapshot__/secret_test.yaml.snap @@ -19,6 +19,16 @@ generates a secret when authToken is provided: auth-token: | sample-auth-token-dont-use-this type: Opaque +generates a secret when jamfCredentialsSecret.create is true: + 1: | + apiVersion: v1 + kind: Secret + metadata: + name: teleport-jamf-api-credentials + namespace: NAMESPACE + stringData: + credential: secret-jamf-client-secret + type: Opaque generates a secret when joinParams.tokenName is provided: 1: | apiVersion: v1 
diff --git a/teleport-kube-agent/tests/__snapshot__/statefulset_test.yaml.snap b/teleport-kube-agent/tests/__snapshot__/statefulset_test.yaml.snap index ba5becc..f209f08 100644 --- a/teleport-kube-agent/tests/__snapshot__/statefulset_test.yaml.snap +++ b/teleport-kube-agent/tests/__snapshot__/statefulset_test.yaml.snap @@ -16,7 +16,7 @@ sets Pod annotations when specified: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -43,10 +43,12 @@ sets Pod annotations when specified: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config @@ -84,7 +86,7 @@ sets Pod labels when specified: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -111,10 +113,12 @@ sets Pod labels when specified: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config @@ -154,7 +158,7 @@ sets StatefulSet labels when specified: template: metadata: annotations: - checksum/config: db49feab9b174f73188febc30d2b01d27b16e5a76b586c6e87e6e62eb43620a2 + checksum/config: 9e9cb2e4d76c492bccf0b1e2be4a5acffc8fe747484eb62e615c5ed8dc8c3fc6 labels: app: RELEASE-NAME app.kubernetes.io/name: teleport-kube-agent 
@@ -176,7 +180,7 @@ sets StatefulSet labels when specified: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -203,10 +207,12 @@ sets StatefulSet labels when specified: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config @@ -241,18 +247,22 @@ sets by default a container security context: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault 2: | allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault should add insecureSkipProxyTLSVerify to args when set in values: 1: | containers: @@ -272,7 +282,7 @@ should add insecureSkipProxyTLSVerify to args when set in values: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -299,10 +309,12 @@ should add insecureSkipProxyTLSVerify to args when set in values: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config 
@@ -340,7 +352,7 @@ should add volumeClaimTemplate for data volume when using StatefulSet and action fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -367,10 +379,12 @@ should add volumeClaimTemplate for data volume when using StatefulSet and action allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config @@ -408,7 +422,7 @@ should add volumeClaimTemplate for data volume when using StatefulSet and is Fre template: metadata: annotations: - checksum/config: 6e010c147e8d81d244e7aafdcee7e652cdb4d5640fb7f14d0e1ebb7832f943a5 + checksum/config: 5784fa709686cf9d0818ad218ab23bb886fa3877e4a84eb1bdeb25acbe8e6b3c labels: app: RELEASE-NAME spec: @@ -428,7 +442,7 @@ should add volumeClaimTemplate for data volume when using StatefulSet and is Fre fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -455,10 +469,12 @@ should add volumeClaimTemplate for data volume when using StatefulSet and is Fre allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config 
@@ -506,7 +522,7 @@ should add volumeMount for data volume when using StatefulSet: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -533,10 +549,12 @@ should add volumeMount for data volume when using StatefulSet: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config @@ -574,7 +592,7 @@ should expose diag port: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -601,10 +619,12 @@ should expose diag port: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config @@ -642,7 +662,7 @@ should generate Statefulset when storage is disabled and mode is a Upgrade: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -669,10 +689,12 @@ should generate Statefulset when storage is disabled and mode is a Upgrade: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config 
@@ -724,7 +746,7 @@ should have multiple replicas when replicaCount is set (using .replicaCount, dep fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -751,10 +773,12 @@ should have multiple replicas when replicaCount is set (using .replicaCount, dep allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config @@ -804,7 +828,7 @@ should have multiple replicas when replicaCount is set (using highAvailability.r fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -831,10 +855,12 @@ should have multiple replicas when replicaCount is set (using highAvailability.r allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config @@ -872,7 +898,7 @@ should have one replica when replicaCount is not set: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 
@@ -899,10 +925,12 @@ should have one replica when replicaCount is not set: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config @@ -940,7 +968,7 @@ should install Statefulset when storage is disabled and mode is a Fresh Install: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -967,10 +995,12 @@ should install Statefulset when storage is disabled and mode is a Fresh Install: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config @@ -1010,7 +1040,7 @@ should mount extraVolumes and extraVolumeMounts: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -1037,10 +1067,12 @@ should mount extraVolumes and extraVolumeMounts: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config @@ -1065,7 +1097,7 @@ should mount extraVolumes and extraVolumeMounts: - name: my-mount secret: secretName: mySecret -should mount tls.existingCASecretName and set environment when set in values: +should mount jamfCredentialsSecret if it already exists and when role is jamf: 1: | containers: - args: 
@@ -1083,9 +1115,7 @@ should mount tls.existingCASecretName and set environment when set in values: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - - name: SSL_CERT_FILE - value: /etc/teleport-tls-ca/ca.pem - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 
@@ -1112,10 +1142,170 @@ should mount tls.existingCASecretName and set environment when set in values: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + - mountPath: /etc/teleport-jamf-api-credentials + name: jamf-api-credentials + readOnly: true + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data + - name: jamf-api-credentials + secret: + secretName: existing-teleport-jamf-secret +should mount jamfCredentialsSecret.name when role is jamf: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: 
/etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + - mountPath: /etc/teleport-jamf-api-credentials + name: jamf-api-credentials + readOnly: true + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data + - name: jamf-api-credentials + secret: + secretName: teleport-jamf-api-credentials +should mount tls.existingCASecretName and set environment when set in values: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + - name: SSL_CERT_FILE + value: /etc/teleport-tls-ca/ca.pem + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config 
@@ -1165,7 +1355,7 @@ should mount tls.existingCASecretName and set extra environment when set in valu value: /etc/teleport-tls-ca/ca.pem - name: HTTPS_PROXY value: http://username:password@my.proxy.host:3128 - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -1192,10 +1382,12 @@ should mount tls.existingCASecretName and set extra environment when set in valu allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config @@ -1241,7 +1433,7 @@ should not add emptyDir for data when using StatefulSet: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -1268,10 +1460,12 @@ should not add emptyDir for data when using StatefulSet: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config @@ -1309,7 +1503,7 @@ should provision initContainer correctly when set in values: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 
@@ -1343,10 +1537,12 @@ should provision initContainer correctly when set in values: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config 
@@ -1372,78 +1568,12 @@ should provision initContainer correctly when set in values: allowPrivilegeEscalation: false capabilities: drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: /var/lib/teleport - name: RELEASE-NAME-teleport-data - securityContext: - fsGroup: 9807 - serviceAccountName: RELEASE-NAME - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: auth-token - secret: - secretName: teleport-kube-agent-join-token -should set SecurityContext: - 1: | - containers: - - args: - - --diag-addr=0.0.0.0:3000 - env: - - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT - value: "true" - - name: TELEPORT_REPLICA_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KUBE_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: RELEASE_NAME - value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - timeoutSeconds: 1 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - timeoutSeconds: 1 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config 
@@ -1501,7 +1631,7 @@ should set affinity when set in values: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -1528,10 +1658,12 @@ should set affinity when set in values: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config @@ -1569,7 +1701,7 @@ should set default serviceAccountName when not set in values: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -1596,10 +1728,12 @@ should set default serviceAccountName when not set in values: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config @@ -1650,7 +1784,7 @@ should set environment when extraEnv set in values: value: RELEASE-NAME - name: HTTPS_PROXY value: http://username:password@my.proxy.host:3128 - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -1677,10 +1811,12 @@ should set environment when extraEnv set in values: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config 
@@ -1745,10 +1881,12 @@ should set image and tag correctly: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config @@ -1786,7 +1924,7 @@ should set imagePullPolicy when set in values: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: Always livenessProbe: failureThreshold: 6 @@ -1813,10 +1951,12 @@ should set imagePullPolicy when set in values: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config @@ -1854,7 +1994,7 @@ should set nodeSelector if set in values: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -1881,10 +2021,12 @@ should set nodeSelector if set in values: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config @@ -1936,7 +2078,7 @@ should set preferred affinity when more than one replica is used: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 
@@ -1963,10 +2105,12 @@ should set preferred affinity when more than one replica is used: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config @@ -2004,7 +2148,7 @@ should set probeTimeoutSeconds when set in values: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -2031,10 +2175,12 @@ should set probeTimeoutSeconds when set in values: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config @@ -2082,7 +2228,7 @@ should set required affinity when highAvailability.requireAntiAffinity is set: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -2109,10 +2255,12 @@ should set required affinity when highAvailability.requireAntiAffinity is set: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config @@ -2150,7 +2298,7 @@ should set resources when set in values: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 
@@ -2184,10 +2332,12 @@ should set resources when set in values: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config @@ -2225,7 +2375,7 @@ should set serviceAccountName when set in values: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -2252,10 +2402,12 @@ should set serviceAccountName when set in values: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config @@ -2293,7 +2445,7 @@ should set storage.requests when set in values and action is an Upgrade: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -2320,10 +2472,12 @@ should set storage.requests when set in values and action is an Upgrade: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config @@ -2361,7 +2515,7 @@ should set storage.storageClassName when set in values and action is an Upgrade: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 
@@ -2388,10 +2542,12 @@ should set storage.storageClassName when set in values and action is an Upgrade: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config @@ -2429,7 +2585,7 @@ should set tolerations when set in values: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 + image: public.ecr.aws/gravitational/teleport-distroless:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -2456,10 +2612,12 @@ should set tolerations when set in values: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/teleport name: config diff --git a/teleport-kube-agent/tests/__snapshot__/updater_deployment_test.yaml.snap b/teleport-kube-agent/tests/__snapshot__/updater_deployment_test.yaml.snap index 5b116c0..33ade4e 100644 --- a/teleport-kube-agent/tests/__snapshot__/updater_deployment_test.yaml.snap +++ b/teleport-kube-agent/tests/__snapshot__/updater_deployment_test.yaml.snap @@ -27,7 +27,7 @@ sets the affinity: - --base-image=public.ecr.aws/gravitational/teleport-distroless - --version-server=https://my-custom-version-server/v1 - --version-channel=custom/preview - image: public.ecr.aws/gravitational/teleport-kube-agent-updater:13.3.8 + image: public.ecr.aws/gravitational/teleport-kube-agent-updater:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -57,10 +57,12 @@ sets the affinity: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault serviceAccountName: RELEASE-NAME-updater sets the tolerations: 1: | 
@@ -71,7 +73,7 @@ sets the tolerations: - --base-image=public.ecr.aws/gravitational/teleport-distroless - --version-server=https://my-custom-version-server/v1 - --version-channel=custom/preview - image: public.ecr.aws/gravitational/teleport-kube-agent-updater:13.3.8 + image: public.ecr.aws/gravitational/teleport-kube-agent-updater:16.1.7 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -101,10 +103,12 @@ sets the tolerations: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault serviceAccountName: RELEASE-NAME-updater tolerations: - effect: NoExecute diff --git a/teleport-kube-agent/tests/clusterrole_test.yaml b/teleport-kube-agent/tests/clusterrole_test.yaml index c589a7a..17ceb82 100644 --- a/teleport-kube-agent/tests/clusterrole_test.yaml +++ b/teleport-kube-agent/tests/clusterrole_test.yaml @@ -21,3 +21,23 @@ tests: path: metadata.labels.resource value: clusterrole - matchSnapshot: {} + + - it: adds services listing permission if discovery is enabled + set: + roles: kube,discovery + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ClusterRole + - matchSnapshot: {} + + - it: does not add services listing permission if discovery is disabled + set: + roles: kube + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ClusterRole + - matchSnapshot: {} diff --git a/teleport-kube-agent/tests/config_test.yaml b/teleport-kube-agent/tests/config_test.yaml index 2ee00d9..fcf4606 100644 --- a/teleport-kube-agent/tests/config_test.yaml +++ b/teleport-kube-agent/tests/config_test.yaml 
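Review bot: Both new ClusterRole cases assert only `matchSnapshot`, so neither the presence of the `services` list permission for `roles: kube,discovery` nor its absence for `roles: kube` is actually pinned; a regression in the rendered rules would surface only as a snapshot diff, which is routinely regenerated without review. Add a `contains` assertion on `rules` for the discovery case and a `notContains` for the plain kube case, with the expected `resources`/`verbs` entry taken from what the clusterrole template emits, and keep the snapshot as the secondary check. Since this is the RBAC granted to the agent's ServiceAccount, the explicit assertion is also the natural place to state that the extra permission is only meant to exist when discovery is enabled.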
@@ -150,6 +150,26 @@ tests: of: ConfigMap - matchSnapshot: {} + - it: matches snapshot for jamf-service.yaml + values: + - ../.lint/jamf-service.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: {} + + - it: matches snapshot for jamf-service-existing-secret.yaml + values: + - ../.lint/jamf-service-existing-secret.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: {} + - it: matches snapshot for join-params-iam.yaml values: - ../.lint/join-params-iam.yaml @@ -289,3 +309,23 @@ tests: - isKind: of: ConfigMap - matchSnapshot: {} + + - it: matches snapshot for app-discovery-minimal.yaml + values: + - ../.lint/app-discovery-minimal.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: {} + + - it: matches snapshot for app-discovery-full.yaml + values: + - ../.lint/app-discovery-full.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: {} diff --git a/teleport-kube-agent/tests/deployment_test.yaml b/teleport-kube-agent/tests/deployment_test.yaml index 1c4926c..060dda9 100644 --- a/teleport-kube-agent/tests/deployment_test.yaml +++ b/teleport-kube-agent/tests/deployment_test.yaml @@ -8,7 +8,7 @@ tests: - it: creates a Deployment if action is Upgrade template: deployment.yaml set: - # unit test does not support lookup functions, so to test the behavior we use this undoc value + # unit test does not support lookup functions, so to test the behavior we use this undoc value # https://github.com/helm/helm/issues/8137 unitTestUpgrade: true values: 
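Review bot: The two jamf ConfigMap cases (and likewise the two app-discovery cases in the second hunk) verify the rendered config only through `matchSnapshot`, so the one property worth pinning — that the jamf service config reads its API credentials from the same path the deployment mounts the secret at, `/etc/teleport-jamf-api-credentials` in deployment_test.yaml — is not asserted anywhere, and the two snapshots can drift apart independently. Consider a `matchRegex` on the ConfigMap data for that path alongside the snapshot, so a rename of the mount or of the config key fails a test rather than silently updating two snapshots. The fixtures are not visible from this hunk, so the exact data key to assert on has to be taken from `.lint/jamf-service.yaml` and the config template.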
@@ -22,7 +22,7 @@ tests: - it: sets Deployment labels when specified if action is Upgrade template: deployment.yaml set: - # unit test does not support lookup functions, so to test the behavior we use this undoc value + # unit test does not support lookup functions, so to test the behavior we use this undoc value # https://github.com/helm/helm/issues/8137 unitTestUpgrade: true values: @@ -40,7 +40,7 @@ tests: - it: sets Pod labels when specified if action is Upgrade template: deployment.yaml set: - # unit test does not support lookup functions, so to test the behavior we use this undoc value + # unit test does not support lookup functions, so to test the behavior we use this undoc value # https://github.com/helm/helm/issues/8137 unitTestUpgrade: true values: @@ -58,7 +58,7 @@ tests: - it: sets Deployment annotations when specified if action is Upgrade template: deployment.yaml set: - # unit test does not support lookup functions, so to test the behavior we use this undoc value + # unit test does not support lookup functions, so to test the behavior we use this undoc value # https://github.com/helm/helm/issues/8137 unitTestUpgrade: true values: @@ -75,7 +75,7 @@ tests: - it: sets Pod annotations when specified if action is Upgrade template: deployment.yaml set: - # unit test does not support lookup functions, so to test the behavior we use this undoc value + # unit test does not support lookup functions, so to test the behavior we use this undoc value # https://github.com/helm/helm/issues/8137 unitTestUpgrade: true values: @@ -93,7 +93,7 @@ tests: - it: should have one replica when replicaCount is not set if action is Upgrade template: deployment.yaml set: - # unit test does not support lookup functions, so to test the behavior we use this undoc value + # unit test does not support lookup functions, so to test the behavior we use this undoc value # https://github.com/helm/helm/issues/8137 unitTestUpgrade: true values: 
@@ -108,7 +108,7 @@ tests: - it: should have multiple replicas when replicaCount is set (using .replicaCount, deprecated) if action is Upgrade template: deployment.yaml set: - # unit test does not support lookup functions, so to test the behavior we use this undoc value + # unit test does not support lookup functions, so to test the behavior we use this undoc value # https://github.com/helm/helm/issues/8137 unitTestUpgrade: true replicaCount: 3 @@ -141,7 +141,7 @@ tests: - it: should set affinity when set in values if action is Upgrade template: deployment.yaml set: - # unit test does not support lookup functions, so to test the behavior we use this undoc value + # unit test does not support lookup functions, so to test the behavior we use this undoc value # https://github.com/helm/helm/issues/8137 unitTestUpgrade: true values: @@ -157,7 +157,7 @@ tests: values: - ../.lint/backwards-compatibility.yaml set: - # unit test does not support lookup functions, so to test the behavior we use this undoc value + # unit test does not support lookup functions, so to test the behavior we use this undoc value # https://github.com/helm/helm/issues/8137 unitTestUpgrade: true @@ -181,7 +181,7 @@ tests: values: - ../.lint/backwards-compatibility.yaml set: - # unit test does not support lookup functions, so to test the behavior we use this undoc value + # unit test does not support lookup functions, so to test the behavior we use this undoc value # https://github.com/helm/helm/issues/8137 unitTestUpgrade: true @@ -202,7 +202,7 @@ tests: - it: should set tolerations when set in values if action is Upgrade template: deployment.yaml set: - # unit test does not support lookup functions, so to test the behavior we use this undoc value + # unit test does not support lookup functions, so to test the behavior we use this undoc value # https://github.com/helm/helm/issues/8137 unitTestUpgrade: true values: 
@@ -216,7 +216,7 @@ tests: - it: should set resources when set in values if action is Upgrade template: deployment.yaml set: - # unit test does not support lookup functions, so to test the behavior we use this undoc value + # unit test does not support lookup functions, so to test the behavior we use this undoc value # https://github.com/helm/helm/issues/8137 unitTestUpgrade: true values: 
@@ -240,38 +240,31 @@ tests: - it: should set SecurityContext if action is Upgrade template: deployment.yaml set: - # unit test does not support lookup functions, so to test the behavior we use this undoc value + # unit test does not support lookup functions, so to test the behavior we use this undoc value # https://github.com/helm/helm/issues/8137 unitTestUpgrade: true values: - ../.lint/backwards-compatibility.yaml asserts: - equal: - path: spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation - value: false - - equal: - path: spec.template.spec.containers[0].securityContext.capabilities + path: spec.template.spec.containers[0].securityContext value: - drop: - - all - - equal: - path: spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem - value: true - - equal: - path: spec.template.spec.containers[0].securityContext.runAsNonRoot - value: true - - equal: - path: spec.template.spec.containers[0].securityContext.runAsUser - value: 9807 - - matchSnapshot: - path: spec.template.spec + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + seccompProfile: + type: RuntimeDefault - it: should set image and tag correctly if action is Upgrade template: deployment.yaml values: - ../.lint/backwards-compatibility.yaml set: - # unit test does not support lookup functions, so to test the behavior we use this undoc value + # unit test does not support lookup functions, so to test the behavior we use this undoc value # https://github.com/helm/helm/issues/8137 unitTestUpgrade: true 
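Review bot: The reason for the `all` → `ALL` and `seccompProfile` change is not recorded in the test, and the old lowercase spelling is exactly what a future contributor is likely to reintroduce; a short comment above the new `equal` block would make the contract explicit, e.g. `# Must stay compatible with the Pod Security "restricted" profile: the admission check looks for the literal ALL (case-sensitive) and requires a RuntimeDefault or Localhost seccomp profile.` Asserting the whole `securityContext` object in one `equal` instead of field by field is an improvement, since any hardening field dropped from the template now fails the test rather than passing unnoticed. This test no longer snapshots `spec.template.spec`; that is acceptable as long as the neighbouring upgrade tests keep their `matchSnapshot`, which they do.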
@@ -283,10 +276,44 @@ tests: - matchSnapshot: path: spec.template.spec + - it: should have only one container when no `extraContainers` is set in values + template: deployment.yaml + set: + extraContainers: [] + proxyAddr: helm-lint.example.com + kubeClusterName: helm-lint.example.com + unitTestUpgrade: true + asserts: + - isNotNull: + path: spec.template.spec.containers[0] + - isNull: + path: spec.template.spec.containers[1] + + - it: should add one more container when `extraContainers` is set in values + template: deployment.yaml + set: + unitTestUpgrade: true + values: + - ../.lint/extra-containers.yaml + asserts: + - equal: + path: spec.template.spec.containers[1] + value: + name: nscenter + command: + - /bin/bash + - -c + - sleep infinity & wait + image: praqma/network-multitool + imagePullPolicy: IfNotPresent + securityContext: + privileged: true + runAsNonRoot: false + - it: should mount extraVolumes and extraVolumeMounts if action is Upgrade template: deployment.yaml set: - # unit test does not support lookup functions, so to test the behavior we use this undoc value + # unit test does not support lookup functions, so to test the behavior we use this undoc value # https://github.com/helm/helm/issues/8137 unitTestUpgrade: true values: @@ -311,7 +338,7 @@ tests: values: - ../.lint/backwards-compatibility.yaml set: - # unit test does not support lookup functions, so to test the behavior we use this undoc value + # unit test does not support lookup functions, so to test the behavior we use this undoc value # https://github.com/helm/helm/issues/8137 unitTestUpgrade: true @@ -326,7 +353,7 @@ tests: - it: should set environment when extraEnv set in values if action is Upgrade template: deployment.yaml set: - # unit test does not support lookup functions, so to test the behavior we use this undoc value + # unit test does not support lookup functions, so to test the behavior we use this undoc value # https://github.com/helm/helm/issues/8137 unitTestUpgrade: true 
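Review bot: The expected `containers[1]` in the new extraContainers test is a privileged sidecar (`privileged: true`, `runAsNonRoot: false`, untagged `praqma/network-multitool`), and the test confirms the chart passes it through verbatim — so `extraContainers` sits entirely outside the hardened `securityContext` this same file asserts for the agent container. The fixture does not need privilege to prove pass-through: use a non-privileged container with a pinned image tag in `.lint/extra-containers.yaml` and the matching expected value here, and add a line to the values documentation stating that `extraContainers` are rendered as given and are not covered by the chart's security defaults or the restricted Pod Security profile. Minor style: the "only one container" case sets `proxyAddr`/`kubeClusterName` inline and omits the two-line `unitTestUpgrade` explanatory comment that every other upgrade test carries; use a `.lint` values file and the same comment for consistency.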
@@ -348,7 +375,7 @@ tests: - it: should provision initContainer correctly when set in values if action is Upgrade template: deployment.yaml set: - # unit test does not support lookup functions, so to test the behavior we use this undoc value + # unit test does not support lookup functions, so to test the behavior we use this undoc value # https://github.com/helm/helm/issues/8137 unitTestUpgrade: true values: @@ -383,7 +410,7 @@ tests: values: - ../.lint/backwards-compatibility.yaml set: - # unit test does not support lookup functions, so to test the behavior we use this undoc value + # unit test does not support lookup functions, so to test the behavior we use this undoc value # https://github.com/helm/helm/issues/8137 unitTestUpgrade: true @@ -398,7 +425,7 @@ tests: - it: should expose diag port if action is Upgrade template: deployment.yaml set: - # unit test does not support lookup functions, so to test the behavior we use this undoc value + # unit test does not support lookup functions, so to test the behavior we use this undoc value # https://github.com/helm/helm/issues/8137 unitTestUpgrade: true values: @@ -416,7 +443,7 @@ tests: - it: should set nodeSelector if set in values if action is Upgrade template: deployment.yaml set: - # unit test does not support lookup functions, so to test the behavior we use this undoc value + # unit test does not support lookup functions, so to test the behavior we use this undoc value # https://github.com/helm/helm/issues/8137 unitTestUpgrade: true values: @@ -432,7 +459,7 @@ tests: - it: should add emptyDir for data when existingDataVolume is not set if action is Upgrade template: deployment.yaml set: - # unit test does not support lookup functions, so to test the behavior we use this undoc value + # unit test does not support lookup functions, so to test the behavior we use this undoc value # https://github.com/helm/helm/issues/8137 unitTestUpgrade: true values: 
@@ -454,7 +481,7 @@ tests: - it: should correctly configure existingDataVolume when set if action is Upgrade template: deployment.yaml set: - # unit test does not support lookup functions, so to test the behavior we use this undoc value + # unit test does not support lookup functions, so to test the behavior we use this undoc value # https://github.com/helm/helm/issues/8137 unitTestUpgrade: true values: 
@@ -473,10 +500,58 @@ tests: - matchSnapshot: path: spec.template.spec + - it: should mount jamfCredentialsSecret.name when role is jamf and action is Upgrade + template: deployment.yaml + set: + # unit test does not support lookup functions, so to test the behavior we use this undoc value + # https://github.com/helm/helm/issues/8137 + unitTestUpgrade: true + values: + - ../.lint/jamf-service.yaml + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: jamf-api-credentials + secret: + secretName: teleport-jamf-api-credentials + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /etc/teleport-jamf-api-credentials + name: jamf-api-credentials + readOnly: true + - matchSnapshot: + path: spec.template.spec + + - it: should mount jamfCredentialsSecret if it already exists and when role is jamf and action is Upgrade + template: deployment.yaml + set: + # unit test does not support lookup functions, so to test the behavior we use this undoc value + # https://github.com/helm/helm/issues/8137 + unitTestUpgrade: true + values: + - ../.lint/jamf-service-existing-secret.yaml + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: jamf-api-credentials + secret: + secretName: existing-teleport-jamf-secret + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /etc/teleport-jamf-api-credentials + name: jamf-api-credentials + readOnly: true + - matchSnapshot: + path: spec.template.spec + - it: should mount tls.existingCASecretName and set environment when set in values if action is Upgrade template: deployment.yaml set: - # unit test does not support lookup functions, so to test the behavior we use this undoc value + # unit test does not support lookup functions, so to test the behavior we use this undoc value # https://github.com/helm/helm/issues/8137 unitTestUpgrade: true values: 
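Review bot: For the existing-secret case, the assertions only show that the pod references `existing-teleport-jamf-secret`; nothing in this hunk (or, as far as visible, elsewhere in the patch) asserts that the chart does not also render its own Secret document when `jamfCredentialsSecret` points at a pre-existing secret, which is the failure mode that would overwrite or shadow a user-managed credential on install or upgrade. Add a case to the Secret template's test file using the same `.lint/jamf-service-existing-secret.yaml` values asserting `hasDocuments: count: 0`, with a counterpart for `.lint/jamf-service.yaml` asserting the Secret is rendered. The explicit `readOnly: true` on the mount is the right default and worth keeping asserted as it is here.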
@@ -505,7 +580,7 @@ tests: - it: should mount tls.existingCASecretName and set extra environment when set in values if action is Upgrade template: deployment.yaml set: - # unit test does not support lookup functions, so to test the behavior we use this undoc value + # unit test does not support lookup functions, so to test the behavior we use this undoc value # https://github.com/helm/helm/issues/8137 unitTestUpgrade: true values: @@ -540,7 +615,7 @@ tests: - it: should set priorityClassName when set in values if action is Upgrade template: deployment.yaml set: - # unit test does not support lookup functions, so to test the behavior we use this undoc value + # unit test does not support lookup functions, so to test the behavior we use this undoc value # https://github.com/helm/helm/issues/8137 unitTestUpgrade: true values: @@ -555,7 +630,7 @@ tests: - it: should set not set priorityClassName when not set in values if action is Upgrade template: deployment.yaml set: - # unit test does not support lookup functions, so to test the behavior we use this undoc value + # unit test does not support lookup functions, so to test the behavior we use this undoc value # https://github.com/helm/helm/issues/8137 unitTestUpgrade: true values: @@ -569,7 +644,7 @@ tests: - it: should set serviceAccountName when set in values if action is Upgrade template: deployment.yaml set: - # unit test does not support lookup functions, so to test the behavior we use this undoc value + # unit test does not support lookup functions, so to test the behavior we use this undoc value # https://github.com/helm/helm/issues/8137 unitTestUpgrade: true values: 
@@ -584,7 +659,7 @@ tests: - it: should set default serviceAccountName when not set in values if action is Upgrade template: deployment.yaml set: - # unit test does not support lookup functions, so to test the behavior we use this undoc value + # unit test does not support lookup functions, so to test the behavior we use this undoc value # https://github.com/helm/helm/issues/8137 unitTestUpgrade: true values: @@ -685,3 +760,24 @@ tests: - equal: path: spec.template.spec.containers[0].securityContext value: null + + - it: should enable maintenance schedule export when updater is enabled if action is Upgrade + template: deployment.yaml + values: + - ../.lint/updater.yaml + set: + # unit test does not support lookup functions, so to test the behavior we use this undoc value + # https://github.com/helm/helm/issues/8137 + unitTestUpgrade: true + teleportVersionOverride: 13.4.5 + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: TELEPORT_EXT_UPGRADER + value: kube + - contains: + path: spec.template.spec.containers[0].env + content: + name: TELEPORT_EXT_UPGRADER_VERSION + value: 13.4.5 diff --git a/teleport-kube-agent/tests/job_test.yaml b/teleport-kube-agent/tests/job_test.yaml index 997dc79..febb020 100644 --- a/teleport-kube-agent/tests/job_test.yaml +++ b/teleport-kube-agent/tests/job_test.yaml 
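Review bot: `teleportVersionOverride: 13.4.5` and `value: 13.4.5` in the new maintenance-schedule test are unquoted plain scalars; `13.4.5` happens to parse as a string, but a two-component override such as `13.4` would be read as the float `13.4` and the `TELEPORT_EXT_UPGRADER_VERSION` comparison would then fail or pass for the wrong reason. Version strings belong in quotes in test values: `teleportVersionOverride: "13.4.5"` and `value: "13.4.5"`. The same applies to the statefulset test that sets the identical override.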
@@ -31,24 +31,30 @@ tests: - ../.lint/backwards-compatibility.yaml asserts: - equal: - path: spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation - value: false - - equal: - path: spec.template.spec.containers[0].securityContext.capabilities + path: spec.template.spec.containers[0].securityContext value: - drop: - - all + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + seccompProfile: + type: RuntimeDefault + + - it: should set extraLabels for Job in post-delete hook + template: delete_hook.yaml + # documentIndex: 0=ServiceAccount 1=Role 2=RoleBinding 3=Job + documentIndex: 3 + values: + - ../.lint/extra-labels.yaml + asserts: - equal: - path: spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem - value: true - - equal: - path: spec.template.spec.containers[0].securityContext.runAsNonRoot - value: true - - equal: - path: spec.template.spec.containers[0].securityContext.runAsUser - value: 9807 - - matchSnapshot: - path: spec.template.spec + path: metadata.labels + value: + app.kubernetes.io/name: "teleport-kube-agent" + resource: "job" - it: should set nodeSelector in post-delete hook template: delete_hook.yaml @@ -96,7 +102,20 @@ tests: apiVersion: v1 - equal: path: metadata.name - value: lint-serviceaccount + value: lint-serviceaccount-delete-hook + + - it: should set extraLabels for ServiceAccount in post-delete hook + template: delete_hook.yaml + # documentIndex: 0=ServiceAccount 1=Role 2=RoleBinding 3=Job + documentIndex: 0 + values: + - ../.lint/extra-labels.yaml + asserts: + - equal: + path: metadata.labels + value: + app.kubernetes.io/name: "teleport-kube-agent" + resource: "serviceaccount" - it: should create Role for post-delete hook by default template: delete_hook.yaml 
@@ -107,6 +126,19 @@ tests: kind: Role apiVersion: rbac.authorization.k8s.io/v1 + - it: should set extraLabels for Role in post-delete hook + template: delete_hook.yaml + # documentIndex: 0=ServiceAccount 1=Role 2=RoleBinding 3=Job + documentIndex: 1 + values: + - ../.lint/extra-labels.yaml + asserts: + - equal: + path: metadata.labels + value: + app.kubernetes.io/name: "teleport-kube-agent" + resource: "role" + - it: should create RoleBinding for post-delete hook by default template: delete_hook.yaml values: @@ -116,6 +148,19 @@ tests: kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 + - it: should set extraLabels for RoleBinding in post-delete hook + template: delete_hook.yaml + # documentIndex: 0=ServiceAccount 1=Role 2=RoleBinding 3=Job + documentIndex: 2 + values: + - ../.lint/extra-labels.yaml + asserts: + - equal: + path: metadata.labels + value: + app.kubernetes.io/name: "teleport-kube-agent" + resource: "rolebinding" + - it: should not create ServiceAccount for post-delete hook if serviceAccount.create is false template: delete_hook.yaml values: diff --git a/teleport-kube-agent/tests/role_test.yaml b/teleport-kube-agent/tests/role_test.yaml index 7a72555..a1c5cf6 100644 --- a/teleport-kube-agent/tests/role_test.yaml +++ b/teleport-kube-agent/tests/role_test.yaml @@ -4,7 +4,7 @@ templates: tests: - it: Create a Role when upgrading release: - isupgrade: true + upgrade: true set: unitTestUpgrade: true asserts: diff --git a/teleport-kube-agent/tests/rolebinding_test.yaml b/teleport-kube-agent/tests/rolebinding_test.yaml index bb13577..4277193 100644 --- a/teleport-kube-agent/tests/rolebinding_test.yaml +++ b/teleport-kube-agent/tests/rolebinding_test.yaml @@ -4,7 +4,7 @@ templates: tests: - it: Create a RoleBinding when upgrading release: - isupgrade: true + upgrade: true set: unitTestUpgrade: true asserts: diff --git a/teleport-kube-agent/tests/secret_test.yaml b/teleport-kube-agent/tests/secret_test.yaml index 086e2e4..ebd61d1 100644 
--- a/teleport-kube-agent/tests/secret_test.yaml +++ b/teleport-kube-agent/tests/secret_test.yaml @@ -66,6 +66,18 @@ tests: value: some-other-secret-name - matchSnapshot: {} + - it: generates a secret when jamfCredentialsSecret.create is true + values: + - ../.lint/jamf-service.yaml + asserts: + - containsDocument: + kind: Secret + apiVersion: v1 + name: teleport-jamf-api-credentials + - matchSnapshot: {} + # documentIndex: 0=Secret(joinToken) 1=Secret(jamfSecret) + documentIndex: 1 + - it: does not create a secret when joinTokenSecret.create is false set: authToken: sample-auth-token-dont-use-this @@ -76,6 +88,13 @@ tests: - hasDocuments: count: 0 + - it: does not create a secret when jamfCredentialsSecret.create is false + values: + - ../.lint/jamf-service-existing-secret.yaml + asserts: + - hasDocuments: + count: 1 # only joinToken secret is created + - it: sets Secret labels when specified values: - ../.lint/extra-labels.yaml diff --git a/teleport-kube-agent/tests/statefulset_test.yaml b/teleport-kube-agent/tests/statefulset_test.yaml index b950b97..4423ce8 100644 --- a/teleport-kube-agent/tests/statefulset_test.yaml +++ b/teleport-kube-agent/tests/statefulset_test.yaml @@ -7,8 +7,8 @@ tests: template: statefulset.yaml values: - ../.lint/stateful.yaml - elease: - isupgrade: true + release: + upgrade: true asserts: - isKind: of: StatefulSet 
@@ -179,30 +179,36 @@ tests: - matchSnapshot: path: spec.template.spec - - it: should set SecurityContext + - it: should set a restricted-friendly SecurityContext by default template: statefulset.yaml values: - ../.lint/stateful.yaml + - ../.lint/initcontainers.yaml asserts: - equal: - path: spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation - value: false - - equal: - path: spec.template.spec.containers[0].securityContext.capabilities + path: spec.template.spec.containers[0].securityContext value: - drop: - - all + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + seccompProfile: + type: RuntimeDefault - equal: - path: spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem - value: true - - equal: - path: spec.template.spec.containers[0].securityContext.runAsNonRoot - value: true - - equal: - path: spec.template.spec.containers[0].securityContext.runAsUser - value: 9807 - - matchSnapshot: - path: spec.template.spec + path: spec.template.spec.initContainers[0].securityContext + value: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + seccompProfile: + type: RuntimeDefault - it: should set image and tag correctly template: statefulset.yaml 
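Review bot: The renamed test `should set a restricted-friendly SecurityContext by default` now also layers `../.lint/initcontainers.yaml`, so it no longer exercises the default values alone and the name overstates what is checked. Either split it into a defaults-only case and an initContainers case, or rename it, e.g. `- it: should set a restricted-friendly SecurityContext on containers and initContainers`. Dropping the `matchSnapshot` on `spec.template.spec` also removes the only assertion in this case that covered the rest of the pod spec; keep it unless retiring that snapshot is intentional.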
@@ -217,6 +223,37 @@ tests: - matchSnapshot: path: spec.template.spec + - it: should have only one container when no `extraContainers` is set in values + template: statefulset.yaml + set: + extraContainers: [] + proxyAddr: helm-lint.example.com + kubeClusterName: helm-lint.example.com + asserts: + - isNotNull: + path: spec.template.spec.containers[0] + - isNull: + path: spec.template.spec.containers[1] + + - it: should add one more container when `extraContainers` is set in values + template: statefulset.yaml + values: + - ../.lint/extra-containers.yaml + asserts: + - equal: + path: spec.template.spec.containers[1] + value: + name: nscenter + command: + - /bin/bash + - -c + - sleep infinity & wait + image: praqma/network-multitool + imagePullPolicy: IfNotPresent + securityContext: + privileged: true + runAsNonRoot: false + - it: should mount extraVolumes and extraVolumeMounts template: statefulset.yaml values: @@ -372,7 +409,7 @@ tests: - it: should not add emptyDir for data when using StatefulSet template: statefulset.yaml release: - isupgrade: true + upgrade: true set: unitTestUpgrade: true values: @@ -404,11 +441,11 @@ tests: values: - ../.lint/stateful.yaml set: - # unit test does not support lookup functions, so to test the behavior we use this undoc value + # unit test does not support lookup functions, so to test the behavior we use this undoc value # https://github.com/helm/helm/issues/8137 unitTestUpgrade: true release: - isupgrade: true + upgrade: true asserts: - isNotNull: path: spec.volumeClaimTemplates[0].spec @@ -420,7 +457,7 @@ tests: values: - ../.lint/stateful.yaml set: - # unit test does not support lookup functions, so to test the behavior we use this undoc value + # unit test does not support lookup functions, so to test the behavior we use this undoc value # https://github.com/helm/helm/issues/8137 unitTestUpgrade: true release: 
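Review bot: The new `extraContainers` test asserts that a container with `privileged: true` and `runAsNonRoot: false` is rendered exactly as supplied, which indicates the chart does not apply its restricted-friendly default securityContext (pinned for `containers[0]` elsewhere in this file) to extra containers. That is a defensible design, but it should be stated where operators set the value, e.g. a `values.yaml` comment such as `# extraContainers are rendered verbatim; the chart's default securityContext is NOT applied to them, so a privileged sidecar here defeats the restricted pod profile.` It would also be worth asserting in the same test that `spec.template.spec.containers[0].securityContext` stays restricted, so a future template change that lets sidecar settings leak into the main container is caught. The fixture image `praqma/network-multitool` is untagged, which is acceptable for lint data but should be pinned if it is ever pulled.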
@@ -435,9 +472,9 @@ tests: values: - ../.lint/stateful.yaml release: - isupgrade: true + upgrade: true set: - # unit test does not support lookup functions, so to test the behavior we use this undoc value + # unit test does not support lookup functions, so to test the behavior we use this undoc value # https://github.com/helm/helm/issues/8137 unitTestUpgrade: true @@ -455,11 +492,11 @@ tests: values: - ../.lint/stateful.yaml release: - isupgrade: true + upgrade: true set: storage: requests: 256Mi - # unit test does not support lookup functions, so to test the behavior we use this undoc value + # unit test does not support lookup functions, so to test the behavior we use this undoc value # https://github.com/helm/helm/issues/8137 unitTestUpgrade: true asserts: 
@@ -469,6 +506,46 @@ tests: - matchSnapshot: path: spec.template.spec + - it: should mount jamfCredentialsSecret.name when role is jamf + template: statefulset.yaml + values: + - ../.lint/jamf-service.yaml + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: jamf-api-credentials + secret: + secretName: teleport-jamf-api-credentials + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /etc/teleport-jamf-api-credentials + name: jamf-api-credentials + readOnly: true + - matchSnapshot: + path: spec.template.spec + + - it: should mount jamfCredentialsSecret if it already exists and when role is jamf + template: statefulset.yaml + values: + - ../.lint/jamf-service-existing-secret.yaml + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: jamf-api-credentials + secret: + secretName: existing-teleport-jamf-secret + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /etc/teleport-jamf-api-credentials + name: jamf-api-credentials + readOnly: true + - matchSnapshot: + path: spec.template.spec + - it: should mount tls.existingCASecretName and set environment when set in values template: statefulset.yaml values: @@ -525,7 +602,6 @@ tests: - matchSnapshot: path: spec.template.spec - - it: should set serviceAccountName when set in values template: statefulset.yaml values: @@ -594,7 +670,7 @@ tests: values: - ../.lint/stateful.yaml set: - storage: + storage: enabled: false asserts: - contains: @@ -624,12 +700,12 @@ tests: - it: should generate Statefulset when storage is disabled and mode is a Upgrade template: statefulset.yaml release: - isupgrade: true + upgrade: true values: - ../.lint/stateful.yaml set: - unitTestUpgrade: false - storage: + unitTestUpgrade: true + storage: enabled: false asserts: - contains: 
@@ -682,14 +758,20 @@ tests: - it: should enable maintenance schedule export when updater is enabled template: statefulset.yaml values: - - ../.lint/existing-tls-secret-with-ca.yaml - ../.lint/updater.yaml + set: + teleportVersionOverride: 13.4.5 asserts: - contains: path: spec.template.spec.containers[0].env content: name: TELEPORT_EXT_UPGRADER value: kube + - contains: + path: spec.template.spec.containers[0].env + content: + name: TELEPORT_EXT_UPGRADER_VERSION + value: 13.4.5 - it: should set the installation method environment variable template: statefulset.yaml diff --git a/teleport-kube-agent/tests/updater_deployment_test.yaml b/teleport-kube-agent/tests/updater_deployment_test.yaml index 1ec3429..111039f 100644 --- a/teleport-kube-agent/tests/updater_deployment_test.yaml +++ b/teleport-kube-agent/tests/updater_deployment_test.yaml @@ -57,6 +57,16 @@ tests: - contains: path: spec.template.spec.containers[0].args content: "--agent-namespace=my-namespace" + - it: defaults the updater version server to the proxy address + set: + proxyAddr: proxy.teleport.example.com:443 + roles: "custom" + updater: + enabled: true + asserts: + - contains: + path: spec.template.spec.containers[0].args + content: "--version-server=https://proxy.teleport.example.com:443/v1/webapi/automaticupgrades/channel" - it: sets the updater version server values: - ../.lint/updater.yaml 
@@ -225,3 +235,55 @@ tests: - equal: path: spec.template.spec.serviceAccountName value: distinct-updater-sa + + - it: sets extraArgs when set + values: + - ../.lint/updater.yaml + set: + updater: + extraArgs: + - "--foo=bar" + asserts: + - contains: + path: spec.template.spec.containers[0].args + content: "--foo=bar" + + - it: sets the pull credentials when specified + values: + - ../.lint/updater.yaml + set: + updater: + pullCredentials: "amazon" + asserts: + - contains: + path: spec.template.spec.containers[0].args + content: "--pull-credentials=amazon" + + - it: sets extraVolumes when specified + values: + - ../.lint/updater-secret-docker.yaml + - ../.lint/existing-tls-secret-with-ca.yaml + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: docker-config + projected: + sources: + - secret: + name: my-pull-secret + items: + - key: .dockerconfigjson + path: config.json + + - it: sets extraVolumeMounts when specified + values: + - ../.lint/updater-secret-docker.yaml + - ../.lint/existing-tls-secret-with-ca.yaml + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: docker-config + mountPath: "/mnt/docker" + readOnly: true diff --git a/teleport-kube-agent/tests/updater_rolebinding_test.yaml b/teleport-kube-agent/tests/updater_rolebinding_test.yaml index 2b04f74..25fe76c 100644 --- a/teleport-kube-agent/tests/updater_rolebinding_test.yaml +++ b/teleport-kube-agent/tests/updater_rolebinding_test.yaml @@ -1,4 +1,4 @@ -suite: Updater Role +suite: Updater RoleBinding templates: - updater/rolebinding.yaml tests: diff --git a/teleport-kube-agent/values.schema.json b/teleport-kube-agent/values.schema.json index cd0b57b..e189523 100644 --- a/teleport-kube-agent/values.schema.json +++ b/teleport-kube-agent/values.schema.json @@ -15,6 +15,7 @@ "teleportVersionOverride", "insecureSkipProxyTLSVerify", "teleportConfig", + "updater", "existingDataVolume", "podSecurityPolicy", "labels", 
@@ -29,6 +30,7 @@ "log", "affinity", "annotations", + "extraContainers", "extraVolumes", "extraVolumeMounts", "imagePullPolicy", @@ -264,6 +266,56 @@ } } }, + "updater": { + "$id": "#/properties/updater", + "type": "object", + "required": [ + "enabled" + ], + "properties": { + "enabled": { + "$id": "#/properties/updater/properties/enabled", + "type": "boolean", + "default": false + }, + "versionServer": { + "$id": "#/properties/updater/properties/versionServer", + "type": "string", + "default": "https://updates.releases.teleport.dev/v1/" + }, + "releaseChannel": { + "$id": "#/properties/updater/properties/releaseChannel", + "type": "string", + "default": "stable/cloud" + }, + "image": { + "$id": "#/properties/updater/properties/image", + "type": "string", + "default": "public.ecr.aws/gravitational/teleport-kube-agent-updater" + }, + "serviceAccount": { + "$id": "#/properties/updater/properties/serviceAccount", + "type": "object", + "properties": { + "name": { + "$id": "#/properties/updater/properties/serviceAccount/properties/name", + "type": "string", + "default": "" + } + } + }, + "pullCredentials": { + "$id": "#/properties/updater/properties/pullCredentials", + "type": "string", + "default": "" + }, + "extraArgs": { + "$id": "#/properties/updater/properties/extraArgs", + "type": "array", + "default": [] + } + } + }, "existingDataVolume": { "$id": "#/properties/existingDataVolume", "type": "string", @@ -392,6 +444,18 @@ } } }, + "initSecurityContext": { + "$id": "#/properties/initSecurityContext", + "type": "object" + }, + "securityContext": { + "$id": "#/properties/podSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "$id": "#/properties/securityContext", + "type": "object" + }, "priorityClassName": { "$id": "#/properties/priorityClassName", "type": "string", 
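Review bot: The `$id` values of the two new security-context entries are swapped: `securityContext` carries `"$id": "#/properties/podSecurityContext"` while `podSecurityContext` carries `"$id": "#/properties/securityContext"`. `$id` is the subschema's URI, so entries pointing at each other's name will mislead anyone resolving references and any tooling that indexes by `$id`; swap them so each matches its key. Since all three entries are bare `"type": "object"` and therefore accept anything (including `privileged: true`), a short `description` noting that they are passed through to the pod unvalidated would help operators, if that is indeed what the templates do.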
@@ -494,6 +558,11 @@ "type": "object", "default": {} }, + "job": { + "$id": "#/properties/extraLabels/properties/job", + "type": "object", + "default": {} + }, "pod": { "$id": "#/properties/extraLabels/properties/pod", "type": "object", @@ -598,6 +667,11 @@ "type": "array", "default": [] }, + "extraContainers": { + "$id": "#/properties/extraContainers", + "type": "array", + "default": [] + }, "extraVolumes": { "$id": "#/properties/extraVolumes", "type": "array", @@ -642,6 +716,67 @@ "$id": "#/properties/probeTimeoutSeconds", "type": "integer", "default": 1 + }, + "kubernetesDiscovery": { + "$id": "#/properties/kubernetesDiscovery", + "type": "array", + "default": [], + "properties": { + "types": { + "$id": "#/properties/kubernetesDiscovery/types", + "type": "array", + "items": { + "type": "string" + }, + "default": [] + }, + "namespaces": { + "$id": "#/properties/kubernetesDiscovery/namespaces", + "type": "array", + "items": { + "type": "string" + }, + "default": [] + }, + "labels": { + "$id": "#/properties/kubernetesDiscovery/labels", + "type": "object" + }, + "additionalProperties": false + } + }, + "jamfCredentialsSecret": { + "$id": "#/properties/jamfCredentialsSecret", + "type": "object", + "required": ["create", "name"], + "properties": { + "create": { + "$id": "#/properties/jamfCredentialsSecret/create", + "type": "boolean", + "default": true + }, + "name": { + "$id": "#/properties/jamfCredentialsSecret/name", + "type": "string", + "default": "teleport-jamf-api-credentials" + }, + "additionalProperties": false + } + }, + "jamfApiEndpoint": { + "$id": "#/properties/jamfApiEndpoint", + "type": "string", + "default": "" + }, + "jamfClientId": { + "$id": "#/properties/jamfClientId", + "type": "string", + "default": "" + }, + "jamfClientSecret": { + "$id": "#/properties/jamfSecret", + "type": "string", + "default": "" } } } diff --git a/teleport-kube-agent/values.ubuntu.yaml b/teleport-kube-agent/values.ubuntu.yaml new file mode 100644 index 0000000..1c1600f 
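Review bot: In the new `kubernetesDiscovery` and `jamfCredentialsSecret` entries, `"additionalProperties": false` is nested inside `properties`, so JSON Schema treats it as the definition of a property literally named `additionalProperties` and the objects remain open to unknown keys — a misspelled `jamfCredentialsSecret.create` would likely pass validation and silently fall back to the default of creating a Secret. `kubernetesDiscovery` is also declared `"type": "array"` while carrying `properties`, which validators ignore on arrays; the field definitions belong under `items`. Move `"additionalProperties": false` up one level in both objects and restructure the discovery entry as below; while there, the `$id` of `jamfClientSecret` reads `#/properties/jamfSecret` and should match its key.

```json
"kubernetesDiscovery": {
  "$id": "#/properties/kubernetesDiscovery",
  "type": "array",
  "default": [],
  "items": {
    "type": "object",
    "properties": {
      "types": {
        "$id": "#/properties/kubernetesDiscovery/types",
        "type": "array",
        "items": { "type": "string" },
        "default": []
      },
      "namespaces": {
        "$id": "#/properties/kubernetesDiscovery/namespaces",
        "type": "array",
        "items": { "type": "string" },
        "default": []
      },
      "labels": {
        "$id": "#/properties/kubernetesDiscovery/labels",
        "type": "object"
      }
    },
    "additionalProperties": false
  }
},
```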
--- /dev/null
+++ b/teleport-kube-agent/values.ubuntu.yaml
@@ -0,0 +1,6 @@
+roles: kube
+authToken: b06935def1eca6756beb1d95762503b9
+proxyAddr: teleport.ervine.cloud:443
+kubeClusterName: ubuntu-test
+labels:
+ teleport.internal/resource-id: 917d31e7-6000-4484-aff0-7316122c1ed2
diff --git a/teleport-kube-agent/values.yaml b/teleport-kube-agent/values.yaml
index 6c29c85..94923a3 100644
--- a/teleport-kube-agent/values.yaml
+++ b/teleport-kube-agent/values.yaml
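Review bot: `authToken: b06935def1eca6756beb1d95762503b9` in the new `values.ubuntu.yaml` commits a Teleport join token, together with a real-looking proxy address and `teleport.internal/resource-id`, to version control. A token-method join secret in git is compromised as soon as it is pushed, and because the file sits inside the chart directory it will presumably be shipped in every packaged chart unless excluded via `.helmignore`. The token should be revoked on the Auth Service and re-issued, and the file removed from history or reduced to placeholders such as `authToken: ""`, with the real value supplied at install time via `--set authToken=…` or through the pre-created Secret that the `joinTokenSecret` value refers to.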
@@ -2,321 +2,1080 @@ # Values that must always be provided by the user. ################################################################ -# Join token for the cluster. `joinParams` can also pass the join token, -# but supports more join methods and takes precedence if set. -authToken: "" - -# Address of the teleport proxy with port (usually :3080). -proxyAddr: "" -# Comma-separated list of roles to enable (any of: kube,db,app) +# roles(string) -- is a comma-separated list of services which will be enabled +# when running the `teleport-kube-agent` chart. +# +# | Services | Value for `roles` | Mandatory additional settings for this role | +# |------------------------------|-------------------|---------------------------------------------| +# | Teleport Kubernetes service | `kube` | [`kubeClusterName`](#kubeclustername) | +# | Teleport Application service | `app` | [`apps`](#apps) or [`appResources`](#appresources) | +# | Teleport Database service | `db` | [`databases`](#databases) or [`databaseResources`](#databaseresources) | +# | Teleport Discovery service | `discovery` | [`kubeClusterName`](#kubeclustername) | +# | Teleport Jamf service | `jamf` | [`jamfApiEndpoint`](#jamfapiendpoint), [`jamfClientId`](#jamfclientid) | +# +# For example: +# ```yaml +# roles: kube,app,discovery +# ``` roles: "kube" -################################################################ -# Values that must be provided if IAM or EC2 joining is enabled. -################################################################ +# proxyAddr(string) -- provides the public-facing Teleport Proxy Service endpoint +# which should be used to join the cluster. This is the same URL used to access +# the web UI of your Teleport cluster. The port used is usually either 3080 or 443. 
+# +# Here are a few examples: +# +# | Deployment method | Example `proxy_service.public_addr` | +# |-------------------------------|-------------------------------------| +# | On-prem Teleport cluster | `teleport.example.com:3080` | +# | Teleport Cloud cluster | `example.teleport.sh:443` | +# | `teleport-cluster` Helm chart | `teleport.example.com:443` | +proxyAddr: "" -# Specify how to join the Teleport cluster +# enterprise(bool) -- controls if the `teleport-kube-agent` chart should deploy +# the OSS version or the enterprise version of the container image. +# This must be set to `true` when connecting to Teleport Cloud or self-hosted +# Teleport Enterprise clusters to allow the agent to leverage enterprise features. +enterprise: false + +# authToken(string) -- provides a Teleport join token which will be used to join +# the Teleport instance to a Teleport cluster. `authToken` only supports the `token` +# join method. +# +# For other methods such as `kubernetes`, `iam` or `gcp`, the value +# [`joinParams`](#joinParams) should be used as it supports more methods to +# join the Teleport cluster. `joinParams` takes precedence if both `authToken` +# and `joinParams` are set. +# +# A token must be specified for the agent to join the Teleport cluster, either +# via `authToken`, [`joinParams`](#joinparams), or +# [an existing Kubernetes Secret](#joinTokenSecret). +# +# The token used must at least grant the required system roles. For example, if +# the chart [`roles`](#roles) is `kube,app`, the token should allow the system +# roles `App` and `Kube`. +authToken: "" + +# joinParams -- controls how the Teleport agent joins the Teleport cluster. +# These sub-values must be configured for the agent to connect to a cluster. +# +# This value serves the same purpose as [`authToken`](#authToken) but supports +# all join methods. When set, it takes precedence over `authToken`. +# Its usage should be preferred. joinParams: - # Supported join methods are "token", "ec2", "iam". 
- # method "token", is equivalent to using authToken to join a cluster + # joinParams.method(string) -- controls which join method will be used by the + # instance to join the Teleport cluster. + # + # See [the join method reference](../../join-methods.mdx) for the list of possible + # values, the implications of each join method, and guides to set up each method. + # + # Common join-methods for the `teleport-kube-agent` are: + # - `token`: the most basic one, with regular ephemeral secret tokens + # - `kubernetes`: either the `in-cluster` variant (if the agent runs in the + # same Kubernetes cluster as the `teleport-cluster` chart) or the `JWKS` + # variant (works in every Kubernetes cluster, regardless of the Teleport Auth + # Service location). method: "token" - # Leave empty only when method is "token" and the secret - # "teleport-kube-agent-join-token" has been created before and - # contains a valid join token. + # joinParams.tokenName(string) -- controls which token is used by the agent to + # join the Teleport cluster. + # + # When `joinParams.method` is [a delegated join method](../../join-methods.mdx#delegated-join-methods), + # the value is not sensitive. + # + # When `joinParams.method` is `token` (by default), `joinParams.tokenName` + # contains the secret token itself. In this case, the value is sensitive and + # is automatically stored in a Kubernetes Secret instead of being directly + # included in the agent's configuration. + # + # If method is `token`, `joinParams.tokenName` can be empty if the token + # is provided through an existing Kubernetes Secret, see + # [`joinTokenSecret`](#joinTokenSecret) for more details and instructions. tokenName: "" ################################################################ # Values that must be provided if Kubernetes access is enabled. ################################################################ -# Name for this kubernetes cluster to be used by teleport users. 
+# kubeClusterName(string) -- sets the name used for the Kubernetes cluster proxied by +# the Teleport agent. This name will be shown to Teleport users connecting to +# the cluster. +# +# This setting is required if the chart `roles` contains `kube`. kubeClusterName: "" ################################################################ # Values that must be provided if Application access is enabled. ################################################################ -# At least one of 'apps', 'appResources' must be provided -# when application access is enabled. See the README for more details. - -# Details of at least one app to be proxied. Example: +# apps(list) -- is a static list of applications that should be proxied by +# the agent. See [the Teleport Application access documentation](../../../enroll-resources/application-access/introduction.mdx) +# for more details. +# +# Proxied applications can be defined statically (through this value) or dynamically +# (through the [`appResources`](#appResources) value). +# One of `apps` and `appResources` is required if the chart `roles` contains `app`. +# +# You can specify multiple apps by adding elements to the list. +# For example: +# +# ```yaml # apps: -# - name: grafana -# uri: http://localhost:3000 +# - name: grafana +# uri: http://localhost:3000 +# labels: +# purpose: monitoring +# - name: jenkins +# uri: http://jenkins:8080 +# labels: +# purpose: ci +# ``` +# +# +# You can see a list of all the supported values that can be used in a Teleport +# Application Service configuration in the [Application Service Configuration +# Reference](../../../enroll-resources/application-access/reference.mdx#configuration). +# apps: [] -# Dynamic application configuration mode. Example: +# appResources(list) -- is a set of labels the agent will monitor. Any application +# matching those labels will be proxied by the agent. 
See [the Teleport +# Application access documentation](../../../enroll-resources/application-access/introduction.mdx) +# for more details. +# +# Proxied applications can be defined statically (through [`apps`](#apps)) or +# dynamically (through this value). +# One of `apps` and `appResources` is required if the chart `roles` contains `app`. +# +# You can specify multiple selectors by including additional list elements. +# For example: +# ```yaml # appResources: -# - labels: -# "*": "*" +# - labels: +# "env": "prod" +# - labels: +# "env": "test" +# ``` +# +# +# Once `appResources` is set, you can dynamically register application with +# `tsh` by following [the Dynamic App Registration guide](../../../enroll-resources/application-access/guides/dynamic-registration.mdx). +# appResources: [] +# clusterDomain(string) -- sets the domain name used by the Kubernetes cluster. This value is used to build the +# FQDN application URIs. For example, if the cluster domain is `anything.local`, the agent will proxy the application +# `myapp` running in the `default` namespace at `http://myapp.default.svc.anything.local`. You must manually set this value +# to match your cluster domain if it is different from the default value `cluster.local`. +clusterDomain: "cluster.local" + ################################################################ # Values that must be provided if Database access is enabled. ################################################################ -# At least one of 'databases', 'awsDatabases', 'azureDatabases', or 'databaseResources' must be provided -# when database access is enabled. See the README for more details. +# At least one of the `databases`, `awsDatabases`, `azureDatabases`, or +# `databaseResources` values must be set when database access is enabled. -# Database auto-discovery mode (AWS) -# Details of at least one awsDatabase discovery pattern to be discovered -# and proxied. Example: +# awsDatabases(list) -- configures AWS database auto-discovery. 
+# +# +# For AWS database auto-discovery to work, your Database Service pods will need to use a role which has appropriate IAM permissions as per the [database documentation](../../../enroll-resources/database-access/enroll-aws-databases/rds.mdx#step-36-create-iam-policies-for-teleport). +# After configuring a role, you can use an `eks.amazonaws.com/role-arn` annotation with the `annotations.serviceAccount` value to associate it with the service account and grant permissions: +# +# ```yaml +# annotations: +# serviceAccount: +# eks.amazonaws.com/role-arn: arn:aws:iam::1234567890:role/my-rds-autodiscovery-role +# ``` +# +# +# You can specify multiple database filters by adding elements to the list. +# +# - `types` is a list containing the types of AWS databases that should be discovered. +# - `regions` is a list of AWS regions which should be scanned for databases. +# - `tags` can be used to set AWS tags that must be matched for databases to be discovered. +# +# For example: +# ```yaml +# roles: db # awsDatabases: -# - types: ["rds"] -# regions: ["us-east-1"] -# tags: -# "environment": "production" +# - types: ["rds"] +# regions: ["us-east-1", "us-west-2"] +# tags: +# "environment": "production" +# - types: ["rds"] +# regions: ["us-east-1"] +# tags: +# "environment": "dev" +# - types: ["rds"] +# regions: ["eu-west-1"] +# tags: +# "*": "*" +# annotations: +# serviceAccount: +# eks.amazonaws.com/role-arn: arn:aws:iam::1234567890:role/my-rds-autodiscovery-role +# ``` awsDatabases: [] -# Database auto-discovery mode (Azure) -# Details of at least one azureDatabase discovery pattern to be discovered -# and proxied. Example: +# azureDatabases(list) -- configures Azure database auto-discovery. 
+#
+# For Azure database auto-discovery to work, your Database Service pods will need to have appropriate IAM permissions as per the [database documentation](../../../enroll-resources/database-access/enroll-azure-databases/azure-postgres-mysql.mdx#step-35-configure-iam-permissions-for-teleport).
+#
+# After configuring a service principal with appropriate IAM permissions, you must pass credentials to the pods.
+# The easiest way is to use an Azure client secret.
+#
+# First, create in the chart installation namespace a Kubernetes `Secret` containing the azure client secret:
+# ```code
+# $ kubectl create secret generic teleport-azure-client-secret --from-literal=client_secret=
+# secret/teleport-azure-client-secret created
+# ```
+#
+# Then, use the [`extraEnv`](#extraenv) value to set the pods environment variables:
+#
+# ```yaml
+# extraEnv:
+# - name: AZURE_CLIENT_SECRET
+# valueFrom:
+# secretKeyRef:
+# name: teleport-azure-client-secret
+# key: client_secret
+# optional: false
+# - name: AZURE_TENANT_ID
+# value: "11111111-2222-3333-4444-555555555555"
+# - name: AZURE_CLIENT_ID
+# value: "11111111-2222-3333-4444-555555555555"
+# ```
+#
+#
+# You can specify multiple database filters by adding elements to the list.
+#
+# Required fields for each filter:
+# - `types` is a list containing the types of Azure databases that should be discovered.
+# - `tags` can be used to set Azure resource tags that must be matched for databases to be discovered.
+#
+# Optional fields for each filter:
+# - `regions` is a list of Azure regions which should be scanned for databases.
+# - `subscriptions` can be used to discover databases within matching Azure subscriptions.
+# - `resource_groups` can be used to discover databases within matching Azure resource groups.
+#
+# The default for each of these optional settings is `*`, which will auto-discover in all
+# subscriptions, regions, or resource groups accessible by the Teleport service
+# principal in Azure.
+#
+# For example:
+# ```yaml
+# roles: db
 # azureDatabases:
-# - types: ["mysql", "postgres"]
-# tags:
-# "environment": "production"
-# regions: ["eastus", "centralus"]
-# subscriptions: ["subID1", "subID2"]
-# resource_groups: ["group1", "group2"]
-# Note that regions, subscriptions, and resource_groups are optional, and by default
-# the pattern for these selectors is ["*"] which will match all regions, subscriptions, or resource groups.
+# - types: ["mysql", "postgres"]
+# tags:
+# "*": "*"
+# - types: ["mysql"]
+# tags:
+# "env": ["dev", "staging"]
+# "origin": "alice"
+# regions: ["eastus", "centralus"]
+# subscriptions: ["subID1", "subID2"]
+# resource_groups: ["group1", "group2"]
+# extraEnv:
+# - name: AZURE_CLIENT_SECRET
+# valueFrom:
+# secretKeyRef:
+# name: teleport-azure-client-secret
+# key: client_secret
+# optional: false
+# - name: AZURE_TENANT_ID
+# value: "11111111-2222-3333-4444-555555555555"
+# - name: AZURE_CLIENT_ID
+# value: "11111111-2222-3333-4444-555555555555"
+# ```
 azureDatabases: []
-# Manual database configuration mode
-# Details of at least one database to be proxied. Example:
+# databases(list) -- is a static list of databases that should be proxied by
+# the agent. See [the Teleport Database access documentation](../../../enroll-resources/database-access/database-access.mdx)
+# for more details.
+#
+# Proxied applications can be defined statically (through this value) or dynamically
+# (through the [`databaseResources`](#databaseResources) value).
+#
+# You can specify multiple databases by adding additional list elements.
+#
+# `values.yaml` example:
+#
+# ```yaml
 # databases:
-# - name: aurora
-# uri: "postgres-aurora-instance-1.xxx.us-east-1.rds.amazonaws.com:5432"
-# protocol: "postgres"
-# static_labels:
-# env: "prod"
+# - name: aurora-postgres
+# uri: postgres-aurora-instance-1.xxx.us-east-1.rds.amazonaws.com:5432
+# protocol: postgres
+# aws:
+# region: us-east-1
+# static_labels:
+# env: staging
+# - name: mysql
+# uri: mysql-instance-1.xxx.us-east-1.rds.amazonaws.com:3306
+# protocol: mysql
+# aws:
+# region: us-east-1
+# static_labels:
+# env: staging
+# ```
+#
+#
+# You can see a list of all the supported [values which can be used in a Teleport database service configuration here](../../../enroll-resources/database-access/reference/configuration.mdx).
+#
+#
+#
+# Database CAs can be trusted on a per-database basis.
+# You must create a secret containing the database CA certificate in the same namespace as Teleport using a command like:
+#
+# ```code
+# $ kubectl create secret generic my-postgres-ca --from-file=ca.pem=/path/to/database-ca.pem
+# ```
+#
+# Then, deploy the Helm chart with the following values:
+#
+# ```yaml
+# databases:
+# - name: my-postgres
+# uri: postgres.example.com:5432
+# protocol: postgres
+# tls:
+# ca_cert_file: "/etc/teleport-tls-db/my-postgres/ca.pem"
+# extraVolumes:
+# - name: my-postgres-ca
+# secret:
+# secretName: my-postgres-ca
+# extraVolumeMounts:
+# - name: my-postgres-ca
+# mountPath: /etc/teleport-tls-db/my-postgres
+# readOnly: true
+# ```
+#
 databases: []
-# Dynamic database configuration mode. Example:
+# databaseResources(list) -- is a set of labels the agent will monitor.
+# Any database matching those labels will be proxied by the agent. See [the Teleport
+# Database access
+# documentation](../../../enroll-resources/database-access/database-access.mdx)
+# for more details.
+#
+# Proxied databases can be defined statically (through [`databases`](#databases)) or
+# dynamically (through this value).
+#
+# You can specify multiple selectors by including additional list elements.
+# For example:
+# ```yaml
 # databaseResources:
-# - labels:
-# "*": "*"
+# - labels:
+# "env": "prod"
+# "engine": "postgres"
+# - labels:
+# "env": "test"
+# "engine": "mysql"
+# ```
+#
+#
+# Once `databaseResources` is set, you can dynamically register database with
+# `tsh` by following [this guide](../../../enroll-resources/database-access/guides/dynamic-registration.mdx).
+#
 databaseResources: []
+################################################################
+# Values that must be provided for Kubernetes Discovery
+################################################################
+
+# kubernetesDiscovery(list) -- controls the Discovery Service configuration
+# if it's enabled.
+#
+# The Discovery Service is enabled when the agent `roles` contains "discovery".
+# The Discovery service automatically detects Kubernetes Services and configures
+# the agent to provide access to them. See [the Kubernetes App Discovery
+# documentation](../../../enroll-resources/auto-discovery/kubernetes-applications/architecture.mdx)
+# for more details.
+#
+#
+# The Discovery mechanism ignores Kubernetes services running in the `kube-system` and
+# `kube-public` namespaces.
+#
+# The default value will try to discover all apps running in Kubernetes.
+# The discovery can be restricted through this value. For example:
+#
+# ```yaml
+# kubernetesDiscovery:
+# - types: ["app"]
+# namespaces: [ "toronto", "porto" ]
+# labels:
+# env: staging
+# - types: ["app"]
+# namespaces: [ "seattle", "oakland" ]
+# labels:
+# env: testing
+# ```
+kubernetesDiscovery:
+ - types: ["app"]
+ namespaces: ["*"]
+ labels:
+ "*": "*"
+
+################################################################
+# Values that must be provided if Jamf service is enabled.
+################################################################
+
+# jamfApiEndpoint(string) -- sets the Jamf Pro API endpoint used for Jamf service.
+# Example: "https://yourtenant.jamfcloud.com/api".
+#
+# This setting is required if the chart `roles` contains `jamf`.
+jamfApiEndpoint: ""
+
+# jamfClientId(string) -- sets the Jamf Pro API Client ID used for Jamf service.
+#
+# This setting is required if the chart `roles` contains `jamf`.
+jamfClientId: ""
+
+# jamfClientSecret(string) -- sets the Jamf Pro API client secret used for Jamf service.
+#
+# This setting is required if the chart `roles` contains `jamf` and `jamfCredentialsSecret.create` is set to `true`.
+# If you provide your own Kubernetes Secret, this setting can remain unset.
+jamfClientSecret: ""
+
+# jamfCredentialsSecret -- manages the Kubernetes Secret containing the Jamf API credentials (either Jamf client secret or password).
+jamfCredentialsSecret:
+ # jamfCredentialsSecret.create(bool) -- controls whether the chart creates the
+ # Kubernetes `Secret` containing the Jamf Pro API Client Secret.
+ # If false, you must create a Kubernetes Secret with the configured name in
+ # the Helm release namespace.
+ create: true
+ # jamfCredentialsSecret.name(string) -- is the name of the Kubernetes Secret
+ # containing the Jamf Pro API Client Secret used by the chart.
+ #
+ # If `jamfCredentialsSecret.create` is `false`, the chart will not attempt to create the secret itself.
+ # Instead, it will read the value from an existing Kubernetes Secret. `jamfCredentialsSecret.name`
+ # configures the name of this secret. This allows you to configure this secret externally and avoid having a plaintext
+ # Jamf Pro API Client Secret stored in your Teleport chart values.
+ #
+ # To create your own Kubernetes Secret containing Jamf Pro API Client Secret, run the command:
+ #
+ # ```code
+ # $ kubectl --namespace teleport create secret generic my-jamf-secret --from-literal=credential=
+ # ```
+ #
+ #
+ # The key used for the Jamf Pro API Client Secret inside the secret must be `credential`, as in the command above.
+ #
+ #
+ # For example:
+ #
+ # ```yaml
+ # jamfCredentialsSecret:
+ # create: false
+ # name: my-jamf-secret
+ # ```
+ name: teleport-jamf-api-credentials
+
 ################################################################
 # Values that you may need to change.
 ################################################################
-# Version of teleport image, if different from chart version in Chart.yaml.
-# DANGER: `teleportVersionOverride` MUST NOT be used to control the Teleport version.
-# This chart is designed to run a specific teleport version (see Chart.yaml).
-# You will face compatibility issues trying to run a different Teleport version with it.
+# teleportVersionOverride(string) -- controls the Teleport Kubernetes Operator
+# image version deployed by the chart.
 #
-# If you want to run Teleport version X, you should use `helm --version X` instead.
+# Normally, the version of the Teleport Kubernetes Operator matches the
+# version of the chart. If you install chart version 15.0.0, you'll use
+# Teleport version 15.0.0. Upgrading the agent is done by upgrading the chart.
+#
+#
+# `teleportVersionOverride` is intended for development and MUST NOT be
+# used to control the Teleport version in a typical deployment. This
+# chart is designed to run a specific Teleport version. You will face
+# compatibility issues trying to run a different Teleport version with it.
+#
+# If you want to run Teleport version `X.Y.Z`, you should use
+# `helm install --version X.Y.Z` instead.
+#
 teleportVersionOverride: ""
-# Optional CA pins of the auth server. This enables a more secure way of
-# adding new nodes to a cluster. See "Adding Nodes to the Cluster"
-# (https://goteleport.com/docs/admin-guide/#adding-nodes-to-the-cluster).
+# caPin(list) -- is a list of CA pins the agent must validate when joining
+# the Teleport cluster to ensure it is connecting to the correct Auth Service.
+#
+# This is only used when joining the Auth Service directly.
When joining through
+# a Proxy Service, authenticity is guaranteed by the x509 certificate used for
+# the TLS connection.
+#
 # Each list element can be the pin itself (recommended), or a path to a file
-# containing the pin. For the latter it is your responsibility to mount
-# the file, using extraVolumes.
+# containing the pin. For the latter, it is your responsibility to mount
+# the file, using [`extraVolumes`](#extraVolumes).
 caPin: []
-# When set to true, the agent will skip the verification of proxy TLS
-# certificate.
+# insecureSkipProxyTLSVerify(bool) -- disables TLS verification of the TLS
+# certificate presented by the Proxy Service.
+#
+# This can be used for joining a Teleport instance to a Teleport cluster
+# which does not have valid TLS certificates for testing.
+#
+#
+# Using a self-signed TLS certificate and disabling TLS verification is OK for testing, but is not viable when running a production Teleport
+# cluster as it will drastically reduce security. You must configure valid TLS certificates on your Teleport cluster for production workloads.
+#
+# One option might be to use Teleport's built-in [ACME support](../teleport-cluster.mdx#acme) or enable [cert-manager support](../teleport-cluster.mdx#highavailabilitycertmanager).
+#
 insecureSkipProxyTLSVerify: false
-# Set enterprise to true to use enterprise image.
-enterprise: false
-
-# teleportConfig contains additional teleport configuration
-# The configuration will be merged with the chart-generated configuration
-# and will take precedence in case of conflict
+# teleportConfig(object) -- contains YAML teleport configuration to pass to the
+# Teleport pods. The configuration will be merged with the chart-generated
+# configuration and will take precedence in case of conflict.
+#
+# See the [Teleport Configuration Reference](../../config.mdx) for the list of supported fields.
+#
+# ```yaml
+# teleportConfig:
+# app_service:
+# debug_app: true
+# discovery_service:
+# enabled: true
+# azure:
+# - types: ["aks"]
+# tags:
+# "*":"*"
+# ```
 teleportConfig: {}
-# Settings for mounting your own TLS material in the agent pod.
+# tls -- contains settings for mounting your own TLS material in the agent pod.
 # The agent does not expose a TLS server, so this is only used to trust CAs.
 tls:
- # Name of an existing secret to use which contains a CA or trust bundle in x509 PEM format.
- # This is useful to trust private CAs.
- # This will automatically set the SSL_CERT_FILE environment variable to trust the CA.
- # Create the secret with `kubectl create secret generic --from-file=ca.pem=/path/to/root-ca.pem`
- # The filename inside the secret is important - it _must_ be ca.pem
+ # tls.existingCASecretName(string) -- sets the `SSL_CERT_FILE` environment
+ # variable to load a trusted CA or bundle in PEM format into Teleport pods.
+ # The injected CA will be used to validate TLS communications, with the Proxy
+ # Service, with upstream applications or databases.
+ #
+ #
+ # The recommended way to trust a database CA is to do it per-database instead
+ # of adding the CA to the global Teleport trust store. It allows to trust
+ # multiple CAs while limiting the trust scope to their specific databases.
+ # See [the `databases` section](#databases).
+ #
+ #
+ # You must create a secret containing the CA certs in the same namespace as Teleport using a command like:
+ #
+ # ```code
+ # $ kubectl create secret generic my-root-ca --from-file=ca.pem=/path/to/root-ca.pem
+ # ```
+ #
+ #
+ # The key containing the root CA in the secret must be `ca.pem`.
+ #
 existingCASecretName: ""
+# updater -- controls whether the Kube Agent Updater should be deployed alongside
+# the `teleport-kube-agent`. The updater fetches the target version, validates the
+# image signature, and updates the teleport deployment. The `enterprise` value should
+# have been set to `true`.
+#
+# All Kubernetes-specific fields such as `tolerations`, `affinity`, `nodeSelector`,
+# ... default to the agent values. However, they can be overridden from the
+# `updater` object. For example:
+#
+# ```yaml
+# # the agent pod requests 1cpu and 2 GiB of memory. It also has a memory limit.
+# resources:
+# requests:
+# cpu: "1"
+# memory: "2Gi"
+# limits:
+# memory: "2Gi"
+#
+# # the updater pod requests 0.5 cpu and 512MiB of memory. The memory limit has also been unset.
+# updater:
+# resources:
+# requests:
+# cpu: "0.5"
+# memory: "512Mi"
+# limits: ~
+# ```
+#
+# Other updater-specific values that can be defined in `updater` are described
+# below.
 updater:
+ # updater.enabled(bool) -- Enables the Kube Agent Updater and deploys it alongside the Teleport Agent.
+ # You can enable this when:
+ #
+ # - using Teleport Cloud and your tenant is enrolled into automatic updates.
+ # (You can check this through the web UI, choose `Add Kubernetes` and
+ # `Enroll New Resource of type Kubernetes`, and check if the value is turned
+ # on.)
+ # - using self-hosted Teleport and you maintain your own version server.
+ #
+ # You must not enable this when:
+ #
+ # - you are a Teleport Cloud customer not enrolled in automatic updates.
+ # - you are a self-hosted Teleport user and have not set up your Teleport cluster to
+ # support automatic updates.
 enabled: false
- # `updater.versionServer` is the URL of the version server the agent fetches
- # the target version from. The complete version endpoint is built by
- # concatenating `versionServer` and `releaseChannel`.
- versionServer: "https://updates.releases.teleport.dev/v1/"
- # Release channel the agent subscribes to.
+
+ # updater.versionServer(string) -- is the URL of the version server the agent
+ # fetches the target version from. The complete version endpoint is built by
+ # concatenating [`versionServer`](#updaterversionserver) and [`releaseChannel`
+ # ](#updaterreleasechannel).
+ # This field supports gotemplate.
+ #
+ # You must set this if the updater is enabled, and you are not a Teleport Cloud user.
+ #
+ # You must not change the default values if you are a Teleport Cloud user.
+ versionServer: "https://{{ .Values.proxyAddr }}/v1/webapi/automaticupgrades/channel"
+
+ # updater.releaseChannel(string) -- is the release channel the updater
+ # subscribes to.
+ #
+ # The complete version endpoint is built by concatenating
+ # [`versionServer`](#updaterversionserver) and [`releaseChannel`](#updaterreleasechannel).
+ # You must not change the default value if you are a Teleport Cloud user unless
+ # instructed by Teleport support.
+ #
+ # You can change this value if the updater is enabled, you are not a Teleport
+ # Cloud user, and manage your own version server.
 releaseChannel: "stable/cloud"
+
+ # updater.image(string) -- sets the container image used for Teleport updater
+ # pods run when `updater.enabled` is true.
+ #
+ # You can override this to use your own Teleport Kube Agent Updater image rather
+ # than a Teleport-published image.
 image: public.ecr.aws/gravitational/teleport-kube-agent-updater
+
+ # updater.serviceAccount --
 serviceAccount:
- # service account name defaults to "-updater"
+ # updater.serviceAccount.name(string) -- is the updater Kubernetes Service
+ # Account name. When unset, it defaults to `-updater`
 name: ""
-# If set, will use an existing volume mounted via extraVolumes
-# as the Teleport data directory.
-# If anything is set under the "storage" key, this will be ignored.
+ # updater.pullCredentials(string) -- configures how the updater attempts to
+ # get the image pull credentials used to validate the image signature.
+ #
+ # This is not required when pulling images from official public Teleport
+ # registries (chart's default).
+ #
+ # Supported values are `amazon`, `google`, `docker` and `none`.
+ pullCredentials: ""
+
+ # updater.extraArgs(list) -- contains additional arguments to pass to the updater
+ # binary.
+ extraArgs: []
+
+ # updater.extraVolumes(list) -- contains extra volumes to mount into the Updater pods.
+ # See [the Kubernetes volume documentation](https://kubernetes.io/docs/concepts/storage/volumes/)
+ # for more details.
+ #
+ # For example:
+ # ```yaml
+ # updater:
+ # extraVolumes:
+ # - name: myvolume
+ # secret:
+ # secretName: testSecret
+ # ```
+ extraVolumes: []
+
+ # updater.extraVolumeMounts(list) -- contains extra volumes mounts for the updater.
+ # See [the Kubernetes volume documentation](https://kubernetes.io/docs/concepts/storage/volumes/)
+ # for more details.
+ #
+ # For example:
+ # ```yaml
+ # updater:
+ # extraVolumesMounts:
+ # - name: myvolume
+ # mountPath: /path/on/host
+ # ```
+ extraVolumeMounts: []
+
+# existingDataVolume(string) -- is the name of an existing Kubernetes Persistent
+# Volume that should be mounted at `/var/lib/teleport`.
+#
+# This is only useful if you had a previous agent running with persistence enabled
+# and want for a new agent to reuse the volume.
 existingDataVolume: ""
-# If true, create & use Pod Security Policy resources
-# https://kubernetes.io/docs/concepts/policy/pod-security-policy/
-# WARNING: the PSP won't be deployed for Kubernetes 1.23 and higher.
-# Please read https://goteleport.com/docs/deploy-a-cluster/helm-deployments/migration-kubernetes-1-25-psp/
+# podSecurityPolicy --
 podSecurityPolicy:
+ # podSecurityPolicy.enabled(bool) -- controls if the chart should deploy a Kubernetes
+ # PodSecurityPolicy.
+ #
+ # By default, Teleport charts used to install a [`podSecurityPolicy`](https://github.com/gravitational/teleport/blob/branch/(=teleport.major_version=)/examples/chart/teleport-cluster/templates/psp.yaml).
+ #
+ # PodSecurityPolicy resources (PSP) have been removed in Kubernetes 1.25
+ # and replaced since 1.23 by PodSecurityAdmission (PSA). If you are running on
+ # Kubernetes 1.23 or later, it is recommended to disable PSPs and use PSAs.
+ # The steps are documented in the
+ # [PSP removal guide](../../../deploy-a-cluster/helm-deployments/migration-kubernetes-1-25-psp.mdx).
+ #
+ # This value will be removed in a future chart version.
 enabled: true
-# Labels is a map of key values pairs about this cluster
+# labels(object) -- is the map of key-value pairs that will be applied on the
+# Teleport resource representing the Kubernetes cluster. These labels can then
+# be used with Teleport's RBAC policies to define access rules for the cluster.
+# This is only used when the [`roles`](#roles) contains `kube`.
+#
+#
+# These are Teleport-specific RBAC labels, not Kubernetes labels.
+#
+#
+#
+# For historical/backwards compatibility reasons, these labels will only be applied to the Kubernetes cluster being joined via the
+# Teleport Kubernetes service.
+#
+# To set labels for applications, add a `labels` element to the [`apps`](#apps) section.
+# To set labels for databases, add a `static_labels` element to the [`databases`](#databases) section.
+#
+# For more information on how to set static/dynamic labels for Teleport services, see [labelling nodes and applications](../../../management/admin/labels.mdx).
+#
+#
+# For example:
+#
+# ```yaml
+# labels:
+# environment: production
+# region: us-east
+# ```
 labels: {}
-# Settings for high availability.
+# highAvailability -- contains settings controlling the availability of the
+# Teleport agent deployed by the chart.
+#
+# The availability can be increased by:
+# - running more replicas with `replicaCount`
+# - requiring that the Pods are not scheduled on the same Kubernetes Node with `requireAntiAffinity`
+# - by asking Kubernetes not to delete all pods at the same time with `podDisruptionBudget`.
+#
+# Even with highAvailability settings Restarting/rolling-out pods can still cause
+# disruption for established long-lived sessions, like `kubectl exec` or
+# database shells.
highAvailability:
- # Set to >1 for a high availability mode where multiple Teleport agent pods will be deployed.
+ # highAvailability.replicaCount(int) -- is the number of agent replicas deployed by the Chart.
+ #
+ # Set to a number higher than `1` for a high availability mode where multiple Teleport pods will be deployed.
+ #
+ #
+ # As a rough guide, we recommend configuring one replica per distinct
+ # availability zone where your cluster has worker nodes.
+ #
+ # 2 replicas/availability zones will be fine for smaller workloads. 3-5
+ # replicas/availability zones will be more appropriate for bigger
+ # clusters with more traffic.
+ #
+ #
+ # When adding new replicas to an existing agent, you must ensure the provided token
+ # (via [`authToken`](#authToken), [`joinParams`](#joinParams), or [`joinTokenSecret`](#joinTokenSecret))
+ # is still valid. Each replica has its own identity and needs to join the Teleport
+ # cluster on its first startup.
 replicaCount: 1
- # Setting 'requireAntiAffinity' to true will use 'requiredDuringSchedulingIgnoredDuringExecution' to require that multiple Teleport pods must not be scheduled on the
- # same physical host. This will result in Teleport pods failing to be scheduled in very small clusters or during node downtime, so should be used with caution.
- # Setting 'requireAntiAffinity' to false (the default) uses 'preferredDuringSchedulingIgnoredDuringExecution' to make this a soft requirement.
- # This setting only has any effect when replicaCount is greater than 1.
+
+ # highAvailability.requireAntiAffinity(bool) -- configures Kubernetes `requiredDuringSchedulingIgnoredDuringExecution`
+ # to require that multiple Teleport pods must not be scheduled on the same physical host.
+ #
+ #
+ # This can result in Teleport pods failing to be scheduled in very small
+ # clusters or during node downtime, so should be used with caution.
+ #
+ #
+ # Setting `highAvailability.requireAntiAffinity` to `false` (the default)
+ # uses `preferredDuringSchedulingIgnoredDuringExecution` to make node
+ # anti-affinity a soft requirement.
+ #
+ #
+ # This setting only has any effect when `highAvailability.replicaCount` is greater than `1`.
+ #
 requireAntiAffinity: false
- # If enabled will create a Pod Disruption Budget
- # https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
+
+ # highAvailability.podDisruptionBudget -- controls how the chart creates and
+ # configures a Kubernetes PodDisruptionBudget to ensure Kubernetes does not
+ # delete all agent replicas at the same time.
 podDisruptionBudget:
+ # highAvailability.podDisruptionBudget.enabled(bool) -- makes the chart create
+ # a Kubernetes PodDisruptionBudget for the agent pods.
 enabled: false
+
+ # highAvailability.podDisruptionBudget.minAvailable(int) -- is the minimum
+ # available pod specified on the PodDisruptionBudget.
 minAvailable: 1
-# podMonitor controls the PodMonitor CR (from monitoring.coreos.com/v1)
+# podMonitor -- controls the PodMonitor CR (from monitoring.coreos.com/v1)
 # This CRD is managed by the prometheus-operator and allows workload to
 # get monitored. To use this value, you need to run a `prometheus-operator`
 # in the cluster for this value to take effect.
 # See https://prometheus-operator.dev/docs/prologue/introduction/
 podMonitor:
- # Whether the chart should deploy a PodMonitor.
- # Disabled by default as it requires the PodMonitor CRD to be installed.
+ # podMonitor.enabled(bool) -- controls if the chart deploys a PodMonitor.
+ # This is disabled by default as it requires the PodMonitor CRD to be installed.
 enabled: false
- # additionalLabels to put on the PodMonitor.
+
+ # podMonitor.additionalLabels(object) -- adds labels on the PodMonitor.
 # This is used to be selected by a specific prometheus instance.
+ #
+ # For example:
+ # ```yaml
+ # podMonitor:
+ # additionalLabels:
+ # prometheus: default
+ # ```
 additionalLabels: {}
- # interval is the interval between two metrics scrapes. Defaults to 30s
+
+ # podMonitor.interval(string) -- is the interval between two metrics scrapes.
 interval: 30s
 ################################################################
 # Values that must be provided if using persistent storage for Teleport.
-#
-# Assigning a persistent volume to Teleport agent allows the agent to keep session recordings when the pod is restarted if `session_recording` is set to `node` or `proxy`.
-# The security association between the agent and the Teleport is no longer stored in PV, instead it is stored in a Kubernetes Secret so that the agent does not require PV
-# to survive restarts and rotations while using short-lived joining tokens.
-#
-# Fields:
-# enabled: Set to true to enable the use of Persistent volumes.
-# storageClassName: The name of the kubernetes storage class to use when creating volumes. See https://kubernetes.io/docs/concepts/storage/storage-classes/
-# requests: The size of the volume to request from the persistent storage system
 ################################################################
+
+# storage -- controls how the agent stores data in a Kubernetes Persistent Volume.
+#
+# Since Teleport 12, the agent does not need PV storage to keep its identity across
+# restarts: it stores it in a Kubernetes Secret. This means the `teleport-kubernetes-agent`
+# can use one-time and short-lived join tokens, it will retain its identity and
+# secrets even after a restart.
+#
+# The main benefit of enabling storage is to persist not-yet-uploaded session
+# recordings after Pod termination, when the Teleport session recording mode is
+# not synchronous.
 storage:
+ # storage.enabled(bool) -- enables the creation of a Kubernetes persistent
+ # volume to hold Teleport instance state.
enabled: false
+
+ # storage.storageClassName(string) -- controls which Kubernetes StorageClass
+ # the chart uses when creating Persistent Volume Claims. A StorageClass with
+ # the provided name must exist on the Kubernetes cluster.
 storageClassName: ""
+
+ # storage.requests(string) -- is the size of the persistent volume to create.
 requests: 128Mi
-# Settings for configuring an cluster admin role binding.
+# adminClusterRoleBinding -- optionally creates a cluster admin role binding.
 # This is useful for granting cluster admin permissions to a Kubernetes Group
-# other than the default "system:masters" group.
-# GKE Autopilot clusters forbid using the "system:masters" group for impersonation
+# other than the default `system:masters` group.
+#
+# GKE Autopilot clusters forbid using the `system:masters` group for impersonation
 # and require a custom group to be used instead.
 adminClusterRoleBinding:
+ # adminClusterRoleBinding.create(bool) -- controls if the chart should create
+ # an additional admin cluster role binding.
 create: false
+ # adminClusterRoleBinding.name(string) -- is the name of the created admin
+ # cluster role binding.
 name: "cluster-admin"
 ################################################################
 # Values that you shouldn't need to change.
 ################################################################
-# Container image for the cluster.
+# image(string) -- sets the container image used for Teleport OSS agent pods
+# created by the chart.
+#
+# You can override this to use your own Teleport image rather than a Teleport-published image.
+#
+#
+# When using the Teleport Kube Agent Updater, you must ensure the image is
+# available before the updater version target gets updated and Kubernetes tries
+# to pull the image.
+#
+# For this reason, it is strongly discouraged to set a custom image when
+# using automatic updates. Teleport Cloud uses automatic updates by default.
+#
+#
 # Since version 13, hardened distroless images are used by default.
 # You can use the deprecated debian-based images by setting the value to
 # `public.ecr.aws/gravitational/teleport`. Those images will be
-# removed with teleport 14.
+# removed with teleport 15.
+#
+# This setting only takes effect when [`enterprise`](#enterprise) is `false`.
+# When running an enterprise version, you must use
+# [`enterpriseImage`](#enterpriseImage) instead.
 image: public.ecr.aws/gravitational/teleport-distroless
-# Enterprise version of the image
+
+# enterpriseImage(string) -- sets the container image used for Teleport Enterprise
+# agent pods created by the chart.
+#
+# You can override this to use your own Teleport image rather than a
+# Teleport-published image.
+#
+#
+# When using the Teleport Kube Agent Updater you must ensure the image is
+# available before the updater version target gets updated and Kubernetes tries
+# to pull the image.
+#
+# For this reason, it is strongly discouraged to set a custom image when
+# using automatic updates. Teleport Cloud uses automatic updates by default.
+#
+#
 # Since version 13, hardened distroless images are used by default.
 # You can use the deprecated debian-based images by setting the value to
 # `public.ecr.aws/gravitational/teleport-ent`. Those images will be
-# removed with teleport 14.
+# removed with teleport 15.
+#
+# This setting only takes effect when [`enterprise`](#enterprise) is `true`.
+# When running an enterprise version, you must use [`image`](#image) instead.
 enterpriseImage: public.ecr.aws/gravitational/teleport-ent-distroless
-# Optional array of imagePullSecrets, to use when pulling from a private registry
+
+# imagePullSecrets(list) -- is a list of secrets containing authorization tokens
+# which can be optionally used to access a private Docker registry.
+#
+# See the [Kubernetes reference](https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod) for more details.
imagePullSecrets: [] -# - name: myRegistryKeySecretName + # Number of replicas for the agent deployment. -# DEPRECATED Use highAvailability:replicaCount instead +# DEPRECATED Use highAvailability.replicaCount instead # replicaCount: 1 -# (optional) Override the name of the ClusterRole used by the agent's service account. + +# clusterRoleName(string) -- can be optionally used to override the name of the +# Kubernetes `ClusterRole` used by the agent's `ServiceAccount`. +# +# +# Most users will not need to change this. +# clusterRoleName: "" -# (optional) Override the name of the ClusterRoleBinding used by the agent's service account. + +# clusterRoleBindingName(string) -- can be optionally used to override the name +# of the Kubernetes `ClusterRoleBinding` used by the agent's `ServiceAccount`. +# +# +# Most users will not need to change this. +# clusterRoleBindingName: "" -# (optional) Override the name of the Role used by the agent's service account for Secret access. + +# roleName(string) -- provides a custom name for the `Role` resource that the +# `teleport-kube-agent` chart creates for the Teleport pod. By default, the `Role` +# has the name of the Helm release. +# +# You should set this value if there is a `Role` resource in the namespace of your +# `teleport-kube-agent` resources with the same name as your `teleport-kube-agent` +# release. roleName: "" -# (optional) Override the name of the RoleBinding used by the agent's service account. + +# roleBindingName(string) -- provides a custom name for the `RoleBinding` resource that the +# `teleport-kube-agent` chart creates for the Teleport pod. By default, the +# `RoleBinding` has the name of the Helm release. +# +# You should set this value if there is a `RoleBinding` resource in the namespace +# of your `teleport-kube-agent` resources with the same name as your +# `teleport-kube-agent` release. roleBindingName: "" -# (optional) Override the name of the service account used by the agent. 
-# DEPRECATED Use serviceAccount:name instead + +# serviceAccountName(string) -- is deprecated and will be removed in a future +# version. Use [`serviceAccount.name`](#serviceaccountname-1) instead. serviceAccountName: "" -# (optional) Kubernetes service account to create/use. + +# serviceAccount -- controls the Kubernetes ServiceAccounts deployed and used by +# the chart. serviceAccount: - # Specifies whether a ServiceAccount should be created + # serviceAccount.create(bool) -- controls whether Helm Chart creates the + # Kubernetes `ServiceAccount` resources for the agent and optionally for the + # updater. + # When off, you are responsible for creating the appropriate ServiceAccount + # resources. create: true - # The name of the ServiceAccount to use. - # If not set and serviceAccount.create is true, the name is generated using the release name. - # If create is false, the name will be used to reference an existing service account. + # serviceAccount.name(string) -- sets the name of the `ServiceAccount` resource + # used by the chart. By default, the `ServiceAccount` has the name of the + # Helm release. name: "" -# Set to true (default) to create Kubernetes ClusterRole and ClusterRoleBinding. +# rbac -- rbac: - # Specifies whether a ClusterRole and ClusterRoleBinding should be created. - # Set to false if your cluster level resources are managed separately. + # rbac.create(bool) -- controls if the chart should create RBAC Kubernetes resources. + # + # - When `true`, the chart creates both `ClusterRole` and `ClusterRoleBinding` + # resources for the agent, and `Role`/`RoleBinding` for the updater if enabled. + # - When `false`, the chart does not create the `Role` and `RoleBinding` resources. + # The user is responsible for deploying and maintaining them separately. + # + # This value can be set to `false` when deploying in constrained environments + # where the user deploying the operator is not allowed to edit RBAC resources. 
create: true # Name of the Secret to store the teleport join token. # DEPRECATED Use joinTokenSecret.name instead secretName: "" -# Manages the join token secret creation and its name. +# joinTokenSecret -- manages the join token secret creation and its name. +# See the [`joinParams`](#joinParams) section for more details. joinTokenSecret: - # create controls whether the Helm chart should create and manage the join token - # secret. - # If false, the chart assumes that the secret with the configured name already exists at the - # installation namespace. + # joinTokenSecret.create(bool) -- controls whether the chart creates the + # Kubernetes `Secret` containing the Teleport join token. + # If false, you must create a Kubernetes Secret with the configured name in + # the Helm release namespace. create: true - # Name of the Secret to store the teleport join token. + # joinTokenSecret.name(string) -- is the name of the Kubernetes Secret + # containing the Teleport join token used by the chart. + # + # If `joinTokenSecret.create` is `false`, the chart will not attempt to create the secret itself. + # Instead, it will read the value from an existing secret. `joinTokenSecret.name` + # configures the name of this secret. This allows you to configure this secret externally and avoid having a plaintext + # join token stored in your Teleport chart values. + # + # To create your own join token secret, you can use a command like this: + # + # ```code + # $ kubectl --namespace teleport create secret generic my-token-secret --from-literal=auth-token= + # ``` + # + # + # The key used for the auth token inside the secret must be `auth-token`, as in the command above. + # + # + # For example: + # + # ```yaml + # joinTokenSecret: + # create: false + # name: my-token-secret + # + # joinParams: + # method: "token" + # tokenName: "" + # ``` name: teleport-kube-agent-join-token -# Teleport logging configuration +# log -- controls the agent logging. 
log: - # Log level for the Teleport process. - # Available log levels are: DEBUG, INFO, WARNING, ERROR. - # The default is INFO, which is recommended in production. - # DEBUG is useful during first-time setup or to see more detailed logs for debugging. + # log.level(string) -- is the log level for the Teleport process. + # Available log levels are: `DEBUG`, `INFO`, `WARNING`, `ERROR`. + # + # The default is `INFO`, which is recommended in production. + # `DEBUG` is useful during first-time setup or to see more detailed logs for debugging. level: INFO - # Log output - # Use a file path to log to disk: e.g. '/var/lib/teleport/teleport.log' - # Other supported values: 'stdout', 'stderr' and 'syslog' + # log.output(string) -- sets the output destination for the Teleport process. + # This can be set to any of the built-in values: `stdout`, `stderr` or `syslog` + # to use that destination. + # + # The value can also be set to a file path (such as `/var/log/teleport.log`) + # to write logs to a file. Bear in mind that a few service startup messages + # will still go to `stderr` for resilience. output: stderr - # Log format configuration - # Possible output values are 'json' and 'text' (default). + # log.format(string) -- sets the log output format for the Teleport process. + # Possible values are `text` (default) or `json`. format: text - # Possible extra_fields values include: timestamp, component, caller, and level. - # All extra fields are included by default. + # log.extraFields(list) -- sets the fields used in logging for the Teleport process. + # + # See the [Teleport config file reference](../../config.mdx) for + # more details on possible values for `extra_fields`. 
extraFields: ["timestamp", "level", "component", "caller"] ################################## # Extra Kubernetes configuration # ################################## -# Affinity for pod assignment -# https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +# affinity(object) -- sets the affinities for any pods created by the chart. +# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) +# for more details. affinity: {} -# Pod's DNS Configuration -# https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config -# This value is useful if you need to reduce the DNS load: set "ndots" to 0 and only use FQDNs. -dnsConfig: {} +# dnsConfig(object) -- contains custom Pod DNS Configuration for the agent pods. +# This value is useful if you need to reduce the DNS load: set "ndots" to 0 and +# only use FQDNs to refer to applications and databases. +# +# See [the Kubernetes pod DNS documentation +# ](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config) +# for more information. +# +# For example: +# ```yaml # nameservers: # - 1.2.3.4 # searches: 
@@ -325,128 +1084,232 @@ dnsConfig: {} # options: # - name: ndots # value: "2" +# ``` +dnsConfig: {} -# Pod's DNS Policy -# https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy +# dnsPolicy(string) -- sets the Pod's DNS Policy +# +# See [the Kubernetes pod DNS documentation +# ](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) +# for more information. dnsPolicy: "" -# nodeSelector to apply for pod assignment -# https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ +# nodeSelector(object) -- sets the node selector for any pods created by the chart. +# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) +# for more details. nodeSelector: {} -# Kubernetes labels to apply -# https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ +# extraLabels -- contains additional Kubernetes labels to apply on the resources +# created by the chart. +# See [the Kubernetes label documentation +# ](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) +# for more information. extraLabels: - # Labels for the Cluster Role + # extraLabels.clusterRole(object) -- are labels to set on the ClusterRole. clusterRole: {} - # Labels for the Cluster Role Binding + # extraLabels.clusterRoleBinding(object) -- are labels to set on the ClusterRoleBinding. clusterRoleBinding: {} - # Labels for the Role + # extraLabels.role(object) -- are labels to set on the Role. role: {} - # Labels for the Role Binding + # extraLabels.roleBinding(object) -- are labels to set on the RoleBinding. roleBinding: {} - # Labels for the ConfigMap + # extraLabels.config(object) -- are labels to set on the ConfigMap. config: {} - # Labels for the Deployment/StatefulSet + # extraLabels.deployment(object) -- are labels to set on the Deployment or StatefulSet. 
deployment: {} - # Labels for each Pod in the Deployment/StatefulSet + # extraLabels.job(object) -- are labels to set on the post-delete Job created by the chart. + job: {} + # extraLabels.pod(object) -- are labels to set on the Pods created by the + # Deployment or StatefulSet. pod: {} - # Labels for the Pod Disruption Budget (ignored when disabled) + # extraLabels.podDisruptionBudget(object) -- are labels to set on the podDisruptionBudget. podDisruptionBudget: {} - # Labels for the Pod Security Policy (ignored when disabled) + # extraLabels.podSecurityPolicy(object) -- are labels to set on the podSecurityPolicy. podSecurityPolicy: {} - # Labels for the Secret (ignored when disabled) + # extraLabels.secret(object) -- are labels to set on the Secret. secret: {} - # Labels for the ServiceAccount object + # extraLabels.serviceAccount(object) -- are labels to set on the ServiceAccount. serviceAccount: {} -# Kubernetes annotations to apply -# https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ +# annotations -- contains annotations to apply to the different Kubernetes +# objects created by the chart. See [the Kubernetes annotation +# documentation](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) +# for more details. annotations: - # Annotations for the ConfigMap + # annotations.config(object) -- contains the Kubernetes annotations + # put on the `ConfigMap` resource created by the chart. config: {} - # Annotations for the Deployment + # annotations.deployment(object) -- contains the Kubernetes annotations + # put on the `Deployment` or `StatefulSet` resource created by the chart. deployment: {} - # Annotations for each Pod in the Deployment + # annotations.pod(object) -- contains the Kubernetes annotations + # put on the `Pod` resources created by the chart. 
pod: {} - # Annotations for the Secret (has no effect when `joinTokenSecret.create` is false) + # annotations.secret(object) -- contains the Kubernetes annotations + # put on the `Secret` resource created by the chart. + # This has no effect when `joinTokenSecret.create` is `false`. secret: {} - # Annotations for the ServiceAccount object + # annotations.serviceAccount(object) -- contains the Kubernetes annotations + # put on the `ServiceAccount` resource created by the chart. serviceAccount: {} -# Extra arguments to pass to 'teleport start' for the main Teleport pod +# extraArgs(list) -- contains extra arguments to pass to `teleport start` for +# the main Teleport pod extraArgs: [] -# Extra environment to be configured on the Teleport pod +# extraEnv(list) -- contains extra environment variables to set in the main +# Teleport pod. +# +# For example: +# ```yaml +# extraEnv: +# - name: HTTPS_PROXY +# value: "http://username:password@my.proxy.host:3128" +# ``` extraEnv: [] -# Extra volumes to mount into the Teleport pods -# https://kubernetes.io/docs/concepts/storage/volumes/ -extraVolumes: [] +# extraContainers(list) -- contains extra containers to add in the main Teleport +# pod. +# +# For example: +# ```yaml +# extraContainers: +# - name: debug-sidecar +# command: +# - busybox +# - sh +# - -c +# - "echo waiting && sleep infinity" +# image: busybox:latest +# imagePullPolicy: IfNotPresent +# securityContext: +# privileged: true +# runAsNonRoot: false +# ``` +extraContainers: [] + +# extraVolumes(list) -- contains extra volumes to mount into the Teleport pods. +# See [the Kubernetes volume documentation](https://kubernetes.io/docs/concepts/storage/volumes/) +# for more details. 
+# +# For example: +# ```yaml +# extraVolumes: # - name: myvolume # secret: # secretName: testSecret +# ``` +extraVolumes: [] -# Extra volume mounts corresponding to the volumes mounted above -extraVolumeMounts: [] +# extraVolumeMounts(list) -- contains extra volumes mounts for the main Teleport container. +# See [the Kubernetes volume documentation](https://kubernetes.io/docs/concepts/storage/volumes/) +# for more details. +# +# For example: +# ```yaml +# extraVolumesMounts: # - name: myvolume # mountPath: /path/on/host +# ``` +extraVolumeMounts: [] -# Pod Host aliases (see https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/) +# hostAliases -- sets Host aliases in the Teleport Pod. +# See [the Kubernetes hosts file documentation](https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/) +# for more details. +# +# For example: +# ```yaml +# hostAliases: +# - ip: "127.0.0.1" +# hostnames: +# - "foo.local" +# - "bar.local" +# - ip: "10.1.2.3" +# hostnames: +# - "foo.remote" +# - "bar.remote" +# ``` hostAliases: [] -# - ip: "127.0.0.1" -# hostnames: -# - "foo.local" -# - "bar.local" -# - ip: "10.1.2.3" -# hostnames: -# - "foo.remote" -# - "bar.remote" -# Allow the imagePullPolicy to be overridden +# imagePullPolicy(string) -- sets the pull policy for any pods created by the chart. +# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/containers/images/#updating-images) +# for more details. imagePullPolicy: IfNotPresent -# A list of initContainers to run before each Teleport pod starts -# https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ -initContainers: [] +# initContainers(list) -- sets the Teleport Pod's init-containers. +# See [the Kubernetes init-container documentation](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) +# for more details. 
+# +# For example: +# ```yaml +# initContainers: # - name: "teleport-init" # image: "alpine" # args: ["echo test"] +# ``` +initContainers: [] -# Resources to request for each pod in the deployment -# https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +# resources(object) -- sets the resource requests/limits for any pods created by the chart. +# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) +# for more details. resources: {} -# requests: -# cpu: "1" -# memory: "2Gi" -# Security context to add to the initContainer +# initSecurityContext(object) -- sets the init container security context for any +# pods created by the chart. +# See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) +# for more details. +# +# The default value is compatible with [the restricted PSS](https://kubernetes.io/docs/concepts/security/pod-security-standards/). +# +# To unset the security context, set it to `null` or `~`. initSecurityContext: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault -# Security context to add to other containers +# securityContext(object) -- sets the container security context for any pods created by the chart. +# See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) +# for more details. +# +# The default value is compatible with [the restricted PSS](https://kubernetes.io/docs/concepts/security/pod-security-standards/). +# +# To unset the security context, set it to `null` or `~`. 
securityContext: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault -# Priority class name to add to the deployment +# podSecurityContext(object) -- sets the pod security context for any pods created by the chart. +# See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) +# for more details. +# +# To unset the security context, set it to `null` or `~`. +podSecurityContext: + fsGroup: 9807 + +# priorityClassName(string) -- sets the priority class used by any pods created by the chart. +# The user is responsible for creating the `PriorityClass` resource before deploying the chart. +# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) +# for more details. priorityClassName: "" -# Tolerations for pod assignment -# https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +# tolerations(list) -- sets the tolerations for any pods created by the chart. +# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) +# for more details. tolerations: [] -# Timeouts for the readiness and liveness probes +# probeTimeoutSeconds(int) -- sets the timeout for the readiness and liveness probes # https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ probeTimeoutSeconds: 1
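Review bot: The `extraVolumeMounts` example in this hunk is keyed `extraVolumesMounts:`, so anyone copying it gets a top-level value Helm silently ignores and a container with no mounts; the example line should read `# extraVolumeMounts:`. The `extraContainers` example a few lines earlier shows a sidecar with `privileged: true` and `runAsNonRoot: false`, which contradicts the restricted-PSS-compatible defaults this same hunk documents for `securityContext`/`initSecurityContext` and would be rejected by the restricted Pod Security admission level; I'd either drop those two lines from the example or add `# Note: a privileged sidecar is not compatible with the restricted Pod Security Standard that the default security contexts target.`. Relatedly, `seccompProfile` is added only on the two container-level contexts, so containers supplied via `extraContainers`/`initContainers` presumably do not inherit it unless the templates apply it to them — setting it on `podSecurityContext` next to `fsGroup` would cover every container in the pod (worth confirming against the templates, which are outside this hunk). The `extraEnv` proxy example embeds `username:password` in a plain value; pointing at `valueFrom.secretKeyRef` there would keep credentials out of committed values files.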