From ddc8ac5ced02c24ada6930a040c27f7e7083979f Mon Sep 17 00:00:00 2001 
From: Jonny Ervine Date: Thu, 16 Apr 2026 20:47:38 +0800 Subject: [PATCH] Reduce harbor resources --- embyserver/.helmignore | 22 - embyserver/emby.png | Bin 33980 -> 0 bytes embyserver/templates/NOTES.txt | 21 - embyserver/templates/_helpers.tpl | 63 - embyserver/templates/configmap.yaml | 10 - embyserver/templates/ingress.yaml | 81 - embyserver/templates/service.yaml | 15 - embyserver/templates/serviceaccount.yaml | 8 - embyserver/templates/statefulset.yaml | 93 - .../templates/tests/test-connection.yaml | 15 - embyserver/values.yaml | 85 - goldilocks/charts/vpa/values.yaml | 5 +- harbor/values.home.yaml | 4 +- teleport-cluster-17.4.9/.lint/acme-off.yaml | 3 + teleport-cluster-17.4.9/.lint/acme-on.yaml | 3 + .../.lint/acme-uri-staging.yaml | 4 + teleport-cluster-17.4.9/.lint/affinity.yaml | 29 + .../.lint/annotations.yaml | 17 + .../.lint/auth-connector-name.yaml | 3 + .../.lint/auth-disable-local.yaml | 5 + .../.lint/auth-disable-passwordless.yaml | 5 + .../.lint/auth-enterprise-license.yaml | 4 + .../.lint/auth-locking-mode.yaml | 3 + .../.lint/auth-passwordless.yaml | 4 + .../.lint/auth-secondfactors-sso.yaml | 4 + .../.lint/auth-secondfactors-webauthn.yaml | 10 + .../.lint/auth-type-legacy.yaml | 4 + teleport-cluster-17.4.9/.lint/auth-type.yaml | 3 + .../.lint/auth-webauthn-legacy.yaml | 10 + .../.lint/auth-webauthn.yaml | 8 + .../.lint/aws-access-monitoring.yaml | 13 + .../.lint/aws-dynamodb-autoscaling.yaml | 14 + .../.lint/aws-ha-acme.yaml | 14 + .../.lint/aws-ha-antiaffinity.yaml | 12 + teleport-cluster-17.4.9/.lint/aws-ha-log.yaml | 17 + teleport-cluster-17.4.9/.lint/aws-ha.yaml | 11 + teleport-cluster-17.4.9/.lint/aws.yaml | 11 + teleport-cluster-17.4.9/.lint/azure.yaml | 11 + .../.lint/cert-manager.yaml | 15 + .../.lint/cert-secret.yaml | 15 + .../.lint/example-minimal-standalone.yaml | 7 + .../.lint/existing-tls-secret-with-ca.yaml | 4 + .../.lint/existing-tls-secret.yaml | 3 + .../.lint/extra-containers.yaml | 12 + 
teleport-cluster-17.4.9/.lint/extra-env.yaml | 4 + .../.lint/gcp-ha-acme.yaml | 14 + .../.lint/gcp-ha-antiaffinity.yaml | 12 + teleport-cluster-17.4.9/.lint/gcp-ha-log.yaml | 17 + .../.lint/gcp-ha-workload.yaml | 12 + teleport-cluster-17.4.9/.lint/gcp-ha.yaml | 11 + teleport-cluster-17.4.9/.lint/gcp.yaml | 11 + .../.lint/imagepullsecrets.yaml | 4 + .../.lint/ingress-publicaddr.yaml | 8 + teleport-cluster-17.4.9/.lint/ingress.yaml | 6 + .../.lint/initcontainers.yaml | 8 + .../.lint/kube-cluster-name.yaml | 2 + teleport-cluster-17.4.9/.lint/log-basic.yaml | 4 + teleport-cluster-17.4.9/.lint/log-extra.yaml | 6 + teleport-cluster-17.4.9/.lint/log-legacy.yaml | 2 + .../.lint/node-selector.yaml | 4 + teleport-cluster-17.4.9/.lint/operator.yaml | 4 + teleport-cluster-17.4.9/.lint/pdb.yaml | 12 + .../.lint/persistence-legacy.yaml | 4 + .../.lint/pod-security-context-empty.yaml | 1 + .../.lint/pod-security-context.yaml | 7 + teleport-cluster-17.4.9/.lint/podmonitor.yaml | 6 + .../.lint/priority-class-name.yaml | 4 + .../.lint/probe-timeout-seconds.yaml | 4 + .../.lint/proxy-listener-mode-multiplex.yaml | 2 + .../.lint/proxy-listener-mode-separate.yaml | 2 + .../.lint/public-addresses.yaml | 11 + teleport-cluster-17.4.9/.lint/resources.yaml | 10 + .../.lint/security-context-empty.yaml | 1 + .../.lint/security-context.yaml | 8 + .../.lint/separate-mongo-listener.yaml | 2 + .../.lint/separate-postgres-listener.yaml | 2 + .../.lint/service-account.yaml | 7 + teleport-cluster-17.4.9/.lint/service.yaml | 5 + .../.lint/session-recording-off.yaml | 2 + .../.lint/session-recording.yaml | 2 + .../standalone-custom-storage-class.yaml | 9 + .../.lint/standalone-customsize.yaml | 9 + .../.lint/standalone-existingpvc.yaml | 9 + .../.lint/tolerations.yaml | 18 + .../.lint/version-override.yaml | 5 + teleport-cluster-17.4.9/.lint/volumes.yaml | 8 + teleport-cluster-17.4.9/Chart.yaml | 13 + teleport-cluster-17.4.9/README.md | 68 + .../teleport-operator/.lint/annotations.yaml | 14 + 
.../teleport-operator/.lint/cloud-join.yaml | 3 + .../teleport-operator/.lint/disabled.yaml | 1 + .../.lint/existing-tls-ca.yaml | 6 + .../teleport-operator/.lint/labels.yaml | 10 + .../.lint/non-kubernetes-joining.yaml | 3 + .../teleport-operator/.lint/resources.yaml | 13 + .../charts/teleport-operator/Chart.yaml | 8 + .../charts/teleport-operator/README.md | 28 + .../resources.teleport.dev_accesslists.yaml | 269 ++ .../resources.teleport.dev_botsv1.yaml | 146 + ...sources.teleport.dev_githubconnectors.yaml | 178 + .../resources.teleport.dev_loginrules.yaml | 134 + ...resources.teleport.dev_oidcconnectors.yaml | 259 ++ ...esources.teleport.dev_oktaimportrules.yaml | 172 + ...ces.teleport.dev_openssheiceserversv2.yaml | 263 ++ ...sources.teleport.dev_opensshserversv2.yaml | 262 ++ ...esources.teleport.dev_provisiontokens.yaml | 568 ++++ .../resources.teleport.dev_roles.yaml | 2966 +++++++++++++++++ .../resources.teleport.dev_rolesv6.yaml | 1496 +++++++++ .../resources.teleport.dev_rolesv7.yaml | 1496 +++++++++ ...resources.teleport.dev_samlconnectors.yaml | 265 ++ ...ources.teleport.dev_trustedclustersv2.yaml | 149 + .../resources.teleport.dev_users.yaml | 220 ++ ...ces.teleport.dev_workloadidentitiesv1.yaml | 273 ++ .../teleport-operator/templates/_helpers.tpl | 131 + .../teleport-operator/templates/crds.yaml | 24 + .../templates/deployment.yaml | 163 + .../teleport-operator/templates/role.yaml | 77 + .../templates/rolebinding.yaml | 17 + .../templates/serviceaccount.yaml | 12 + .../teleport-operator/tests/crds_test.yaml | 44 + .../tests/deployment_test.yaml | 218 ++ .../teleport-operator/tests/role_test.yaml | 52 + .../tests/rolebinding_test.yaml | 43 + .../tests/serviceaccount_test.yaml | 63 + .../charts/teleport-operator/values.yaml | 222 ++ teleport-cluster-17.4.9/templates/NOTES.txt | 35 + .../templates/_helpers.tpl | 158 + .../templates/auth/_config.aws.tpl | 60 + .../templates/auth/_config.azure.tpl | 38 + .../templates/auth/_config.common.tpl | 81 + 
.../templates/auth/_config.gcp.tpl | 16 + .../templates/auth/_config.scratch.tpl | 12 + .../templates/auth/_config.standalone.tpl | 3 + .../templates/auth/clusterrole.yaml | 33 + .../templates/auth/clusterrolebinding.yaml | 40 + .../templates/auth/config.yaml | 175 + .../templates/auth/deployment.yaml | 320 ++ .../templates/auth/pdb.yaml | 21 + .../templates/auth/predeploy_config.yaml | 35 + .../templates/auth/predeploy_job.yaml | 114 + .../auth/predeploy_serviceaccount.yaml | 34 + .../templates/auth/pvc.yaml | 28 + .../auth/service-previous-version.yaml | 40 + .../templates/auth/service.yaml | 25 + .../templates/auth/serviceaccount.yaml | 26 + .../templates/podmonitor.yaml | 31 + .../templates/proxy/_config.aws.tpl | 3 + .../templates/proxy/_config.azure.tpl | 3 + .../templates/proxy/_config.common.tpl | 79 + .../templates/proxy/_config.gcp.tpl | 3 + .../templates/proxy/_config.scratch.tpl | 12 + .../templates/proxy/_config.standalone.tpl | 3 + .../templates/proxy/certificate.yaml | 49 + .../templates/proxy/config.yaml | 21 + .../templates/proxy/deployment.yaml | 351 ++ .../templates/proxy/ingress.yaml | 63 + .../templates/proxy/lb-service.yml | 0 .../templates/proxy/pdb.yaml | 21 + .../templates/proxy/predeploy_config.yaml | 21 + .../templates/proxy/predeploy_job.yaml | 110 + .../proxy/predeploy_serviceaccount.yaml | 29 + .../templates/proxy/service.yaml | 74 + .../templates/proxy/serviceaccount.yaml | 20 + teleport-cluster-17.4.9/templates/psp.yaml | 68 + teleport-cluster-17.4.9/tests/README.md | 23 + .../auth_clusterrole_test.yaml.snap | 35 + .../__snapshot__/auth_config_test.yaml.snap | 2189 ++++++++++++ .../auth_deployment_test.yaml.snap | 582 ++++ .../tests/__snapshot__/ingress_test.yaml.snap | 55 + .../__snapshot__/predeploy_test.yaml.snap | 6 + .../proxy_certificate_test.yaml.snap | 68 + .../__snapshot__/proxy_config_test.yaml.snap | 574 ++++ .../proxy_deployment_test.yaml.snap | 857 +++++ .../__snapshot__/proxy_service_test.yaml.snap | 68 + 
.../tests/__snapshot__/psp_test.yaml.snap | 62 + .../tests/auth_clusterrole_test.yaml | 36 + .../tests/auth_clusterrolebinding_test.yaml | 38 + .../tests/auth_config_test.yaml | 736 ++++ .../tests/auth_deployment_test.yaml | 1023 ++++++ .../tests/auth_pdb_test.yaml | 43 + .../tests/auth_pvc_test.yaml | 106 + .../tests/auth_serviceaccount_test.yaml | 74 + .../tests/ingress_test.yaml | 568 ++++ .../tests/podmonitor_test.yaml | 40 + .../tests/predeploy_test.yaml | 298 ++ .../tests/proxy_certificate_test.yaml | 214 ++ .../tests/proxy_config_test.yaml | 289 ++ .../tests/proxy_deployment_test.yaml | 1142 +++++++ .../tests/proxy_pdb_test.yaml | 43 + .../tests/proxy_service_test.yaml | 401 +++ .../tests/proxy_serviceaccount_test.yaml | 64 + teleport-cluster-17.4.9/tests/psp_test.yaml | 35 + .../values.home.yaml | 0 teleport-cluster-17.4.9/values.schema.json | 1010 ++++++ teleport-cluster-17.4.9/values.yaml | 868 +++++ teleport-cluster/Chart.yaml | 6 +- .../charts/teleport-operator/Chart.yaml | 4 +- .../charts/teleport-operator/README.md | 4 +- .../resources.teleport.dev_accesslists.yaml | 6 + ...rces.teleport.dev_autoupdateconfigsv1.yaml | 176 + ...ces.teleport.dev_autoupdateversionsv1.yaml | 141 + ...resources.teleport.dev_oidcconnectors.yaml | 4 + ...esources.teleport.dev_provisiontokens.yaml | 76 + .../resources.teleport.dev_roles.yaml | 32 + .../resources.teleport.dev_rolesv6.yaml | 16 + .../resources.teleport.dev_rolesv7.yaml | 16 + .../resources.teleport.dev_rolesv8.yaml | 1512 +++++++++ ...resources.teleport.dev_samlconnectors.yaml | 11 + .../teleport-operator/templates/role.yaml | 4 + teleport-cluster/templates/auth/config.yaml | 16 + .../auth_clusterrole_test.yaml.snap | 6 +- .../__snapshot__/auth_config_test.yaml.snap | 6 +- .../auth_deployment_test.yaml.snap | 8 +- .../__snapshot__/proxy_config_test.yaml.snap | 6 +- .../proxy_deployment_test.yaml.snap | 54 +- 215 files changed, 26771 insertions(+), 463 deletions(-) delete mode 100644 embyserver/.helmignore 
delete mode 100644 embyserver/emby.png delete mode 100644 embyserver/templates/NOTES.txt delete mode 100644 embyserver/templates/_helpers.tpl delete mode 100644 embyserver/templates/configmap.yaml delete mode 100644 embyserver/templates/ingress.yaml delete mode 100644 embyserver/templates/service.yaml delete mode 100644 embyserver/templates/serviceaccount.yaml delete mode 100644 embyserver/templates/statefulset.yaml delete mode 100644 embyserver/templates/tests/test-connection.yaml delete mode 100644 embyserver/values.yaml create mode 100644 teleport-cluster-17.4.9/.lint/acme-off.yaml create mode 100644 teleport-cluster-17.4.9/.lint/acme-on.yaml create mode 100644 teleport-cluster-17.4.9/.lint/acme-uri-staging.yaml create mode 100644 teleport-cluster-17.4.9/.lint/affinity.yaml create mode 100644 teleport-cluster-17.4.9/.lint/annotations.yaml create mode 100644 teleport-cluster-17.4.9/.lint/auth-connector-name.yaml create mode 100644 teleport-cluster-17.4.9/.lint/auth-disable-local.yaml create mode 100644 teleport-cluster-17.4.9/.lint/auth-disable-passwordless.yaml create mode 100644 teleport-cluster-17.4.9/.lint/auth-enterprise-license.yaml create mode 100644 teleport-cluster-17.4.9/.lint/auth-locking-mode.yaml create mode 100644 teleport-cluster-17.4.9/.lint/auth-passwordless.yaml create mode 100644 teleport-cluster-17.4.9/.lint/auth-secondfactors-sso.yaml create mode 100644 teleport-cluster-17.4.9/.lint/auth-secondfactors-webauthn.yaml create mode 100644 teleport-cluster-17.4.9/.lint/auth-type-legacy.yaml create mode 100644 teleport-cluster-17.4.9/.lint/auth-type.yaml create mode 100644 teleport-cluster-17.4.9/.lint/auth-webauthn-legacy.yaml create mode 100644 teleport-cluster-17.4.9/.lint/auth-webauthn.yaml create mode 100644 teleport-cluster-17.4.9/.lint/aws-access-monitoring.yaml create mode 100644 teleport-cluster-17.4.9/.lint/aws-dynamodb-autoscaling.yaml create mode 100644 teleport-cluster-17.4.9/.lint/aws-ha-acme.yaml create mode 100644 
teleport-cluster-17.4.9/.lint/aws-ha-antiaffinity.yaml create mode 100644 teleport-cluster-17.4.9/.lint/aws-ha-log.yaml create mode 100644 teleport-cluster-17.4.9/.lint/aws-ha.yaml create mode 100644 teleport-cluster-17.4.9/.lint/aws.yaml create mode 100644 teleport-cluster-17.4.9/.lint/azure.yaml create mode 100644 teleport-cluster-17.4.9/.lint/cert-manager.yaml create mode 100644 teleport-cluster-17.4.9/.lint/cert-secret.yaml create mode 100644 teleport-cluster-17.4.9/.lint/example-minimal-standalone.yaml create mode 100644 teleport-cluster-17.4.9/.lint/existing-tls-secret-with-ca.yaml create mode 100644 teleport-cluster-17.4.9/.lint/existing-tls-secret.yaml create mode 100644 teleport-cluster-17.4.9/.lint/extra-containers.yaml create mode 100644 teleport-cluster-17.4.9/.lint/extra-env.yaml create mode 100644 teleport-cluster-17.4.9/.lint/gcp-ha-acme.yaml create mode 100644 teleport-cluster-17.4.9/.lint/gcp-ha-antiaffinity.yaml create mode 100644 teleport-cluster-17.4.9/.lint/gcp-ha-log.yaml create mode 100644 teleport-cluster-17.4.9/.lint/gcp-ha-workload.yaml create mode 100644 teleport-cluster-17.4.9/.lint/gcp-ha.yaml create mode 100644 teleport-cluster-17.4.9/.lint/gcp.yaml create mode 100644 teleport-cluster-17.4.9/.lint/imagepullsecrets.yaml create mode 100644 teleport-cluster-17.4.9/.lint/ingress-publicaddr.yaml create mode 100644 teleport-cluster-17.4.9/.lint/ingress.yaml create mode 100644 teleport-cluster-17.4.9/.lint/initcontainers.yaml create mode 100644 teleport-cluster-17.4.9/.lint/kube-cluster-name.yaml create mode 100644 teleport-cluster-17.4.9/.lint/log-basic.yaml create mode 100644 teleport-cluster-17.4.9/.lint/log-extra.yaml create mode 100644 teleport-cluster-17.4.9/.lint/log-legacy.yaml create mode 100644 teleport-cluster-17.4.9/.lint/node-selector.yaml create mode 100644 teleport-cluster-17.4.9/.lint/operator.yaml create mode 100644 teleport-cluster-17.4.9/.lint/pdb.yaml create mode 100644 teleport-cluster-17.4.9/.lint/persistence-legacy.yaml 
create mode 100644 teleport-cluster-17.4.9/.lint/pod-security-context-empty.yaml create mode 100644 teleport-cluster-17.4.9/.lint/pod-security-context.yaml create mode 100644 teleport-cluster-17.4.9/.lint/podmonitor.yaml create mode 100644 teleport-cluster-17.4.9/.lint/priority-class-name.yaml create mode 100644 teleport-cluster-17.4.9/.lint/probe-timeout-seconds.yaml create mode 100644 teleport-cluster-17.4.9/.lint/proxy-listener-mode-multiplex.yaml create mode 100644 teleport-cluster-17.4.9/.lint/proxy-listener-mode-separate.yaml create mode 100644 teleport-cluster-17.4.9/.lint/public-addresses.yaml create mode 100644 teleport-cluster-17.4.9/.lint/resources.yaml create mode 100644 teleport-cluster-17.4.9/.lint/security-context-empty.yaml create mode 100644 teleport-cluster-17.4.9/.lint/security-context.yaml create mode 100644 teleport-cluster-17.4.9/.lint/separate-mongo-listener.yaml create mode 100644 teleport-cluster-17.4.9/.lint/separate-postgres-listener.yaml create mode 100644 teleport-cluster-17.4.9/.lint/service-account.yaml create mode 100644 teleport-cluster-17.4.9/.lint/service.yaml create mode 100644 teleport-cluster-17.4.9/.lint/session-recording-off.yaml create mode 100644 teleport-cluster-17.4.9/.lint/session-recording.yaml create mode 100644 teleport-cluster-17.4.9/.lint/standalone-custom-storage-class.yaml create mode 100644 teleport-cluster-17.4.9/.lint/standalone-customsize.yaml create mode 100644 teleport-cluster-17.4.9/.lint/standalone-existingpvc.yaml create mode 100644 teleport-cluster-17.4.9/.lint/tolerations.yaml create mode 100644 teleport-cluster-17.4.9/.lint/version-override.yaml create mode 100644 teleport-cluster-17.4.9/.lint/volumes.yaml create mode 100644 teleport-cluster-17.4.9/Chart.yaml create mode 100644 teleport-cluster-17.4.9/README.md create mode 100644 teleport-cluster-17.4.9/charts/teleport-operator/.lint/annotations.yaml create mode 100644 teleport-cluster-17.4.9/charts/teleport-operator/.lint/cloud-join.yaml create mode 
100644 teleport-cluster-17.4.9/charts/teleport-operator/.lint/disabled.yaml create mode 100644 teleport-cluster-17.4.9/charts/teleport-operator/.lint/existing-tls-ca.yaml create mode 100644 teleport-cluster-17.4.9/charts/teleport-operator/.lint/labels.yaml create mode 100644 teleport-cluster-17.4.9/charts/teleport-operator/.lint/non-kubernetes-joining.yaml create mode 100644 teleport-cluster-17.4.9/charts/teleport-operator/.lint/resources.yaml create mode 100644 teleport-cluster-17.4.9/charts/teleport-operator/Chart.yaml create mode 100644 teleport-cluster-17.4.9/charts/teleport-operator/README.md create mode 100644 teleport-cluster-17.4.9/charts/teleport-operator/operator-crds/resources.teleport.dev_accesslists.yaml create mode 100644 teleport-cluster-17.4.9/charts/teleport-operator/operator-crds/resources.teleport.dev_botsv1.yaml create mode 100644 teleport-cluster-17.4.9/charts/teleport-operator/operator-crds/resources.teleport.dev_githubconnectors.yaml create mode 100644 teleport-cluster-17.4.9/charts/teleport-operator/operator-crds/resources.teleport.dev_loginrules.yaml create mode 100644 teleport-cluster-17.4.9/charts/teleport-operator/operator-crds/resources.teleport.dev_oidcconnectors.yaml create mode 100644 teleport-cluster-17.4.9/charts/teleport-operator/operator-crds/resources.teleport.dev_oktaimportrules.yaml create mode 100644 teleport-cluster-17.4.9/charts/teleport-operator/operator-crds/resources.teleport.dev_openssheiceserversv2.yaml create mode 100644 teleport-cluster-17.4.9/charts/teleport-operator/operator-crds/resources.teleport.dev_opensshserversv2.yaml create mode 100644 teleport-cluster-17.4.9/charts/teleport-operator/operator-crds/resources.teleport.dev_provisiontokens.yaml create mode 100644 teleport-cluster-17.4.9/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml create mode 100644 teleport-cluster-17.4.9/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv6.yaml create mode 100644 
teleport-cluster-17.4.9/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv7.yaml create mode 100644 teleport-cluster-17.4.9/charts/teleport-operator/operator-crds/resources.teleport.dev_samlconnectors.yaml create mode 100644 teleport-cluster-17.4.9/charts/teleport-operator/operator-crds/resources.teleport.dev_trustedclustersv2.yaml create mode 100644 teleport-cluster-17.4.9/charts/teleport-operator/operator-crds/resources.teleport.dev_users.yaml create mode 100644 teleport-cluster-17.4.9/charts/teleport-operator/operator-crds/resources.teleport.dev_workloadidentitiesv1.yaml create mode 100644 teleport-cluster-17.4.9/charts/teleport-operator/templates/_helpers.tpl create mode 100644 teleport-cluster-17.4.9/charts/teleport-operator/templates/crds.yaml create mode 100644 teleport-cluster-17.4.9/charts/teleport-operator/templates/deployment.yaml create mode 100644 teleport-cluster-17.4.9/charts/teleport-operator/templates/role.yaml create mode 100644 teleport-cluster-17.4.9/charts/teleport-operator/templates/rolebinding.yaml create mode 100644 teleport-cluster-17.4.9/charts/teleport-operator/templates/serviceaccount.yaml create mode 100644 teleport-cluster-17.4.9/charts/teleport-operator/tests/crds_test.yaml create mode 100644 teleport-cluster-17.4.9/charts/teleport-operator/tests/deployment_test.yaml create mode 100644 teleport-cluster-17.4.9/charts/teleport-operator/tests/role_test.yaml create mode 100644 teleport-cluster-17.4.9/charts/teleport-operator/tests/rolebinding_test.yaml create mode 100644 teleport-cluster-17.4.9/charts/teleport-operator/tests/serviceaccount_test.yaml create mode 100644 teleport-cluster-17.4.9/charts/teleport-operator/values.yaml create mode 100644 teleport-cluster-17.4.9/templates/NOTES.txt create mode 100644 teleport-cluster-17.4.9/templates/_helpers.tpl create mode 100644 teleport-cluster-17.4.9/templates/auth/_config.aws.tpl create mode 100644 teleport-cluster-17.4.9/templates/auth/_config.azure.tpl create mode 100644 
teleport-cluster-17.4.9/templates/auth/_config.common.tpl create mode 100644 teleport-cluster-17.4.9/templates/auth/_config.gcp.tpl create mode 100644 teleport-cluster-17.4.9/templates/auth/_config.scratch.tpl create mode 100644 teleport-cluster-17.4.9/templates/auth/_config.standalone.tpl create mode 100644 teleport-cluster-17.4.9/templates/auth/clusterrole.yaml create mode 100644 teleport-cluster-17.4.9/templates/auth/clusterrolebinding.yaml create mode 100644 teleport-cluster-17.4.9/templates/auth/config.yaml create mode 100644 teleport-cluster-17.4.9/templates/auth/deployment.yaml create mode 100644 teleport-cluster-17.4.9/templates/auth/pdb.yaml create mode 100644 teleport-cluster-17.4.9/templates/auth/predeploy_config.yaml create mode 100644 teleport-cluster-17.4.9/templates/auth/predeploy_job.yaml create mode 100644 teleport-cluster-17.4.9/templates/auth/predeploy_serviceaccount.yaml create mode 100644 teleport-cluster-17.4.9/templates/auth/pvc.yaml create mode 100644 teleport-cluster-17.4.9/templates/auth/service-previous-version.yaml create mode 100644 teleport-cluster-17.4.9/templates/auth/service.yaml create mode 100644 teleport-cluster-17.4.9/templates/auth/serviceaccount.yaml create mode 100644 teleport-cluster-17.4.9/templates/podmonitor.yaml create mode 100644 teleport-cluster-17.4.9/templates/proxy/_config.aws.tpl create mode 100644 teleport-cluster-17.4.9/templates/proxy/_config.azure.tpl create mode 100644 teleport-cluster-17.4.9/templates/proxy/_config.common.tpl create mode 100644 teleport-cluster-17.4.9/templates/proxy/_config.gcp.tpl create mode 100644 teleport-cluster-17.4.9/templates/proxy/_config.scratch.tpl create mode 100644 teleport-cluster-17.4.9/templates/proxy/_config.standalone.tpl create mode 100644 teleport-cluster-17.4.9/templates/proxy/certificate.yaml create mode 100644 teleport-cluster-17.4.9/templates/proxy/config.yaml create mode 100644 teleport-cluster-17.4.9/templates/proxy/deployment.yaml create mode 100644 
teleport-cluster-17.4.9/templates/proxy/ingress.yaml rename {teleport-cluster => teleport-cluster-17.4.9}/templates/proxy/lb-service.yml (100%) create mode 100644 teleport-cluster-17.4.9/templates/proxy/pdb.yaml create mode 100644 teleport-cluster-17.4.9/templates/proxy/predeploy_config.yaml create mode 100644 teleport-cluster-17.4.9/templates/proxy/predeploy_job.yaml create mode 100644 teleport-cluster-17.4.9/templates/proxy/predeploy_serviceaccount.yaml create mode 100644 teleport-cluster-17.4.9/templates/proxy/service.yaml create mode 100644 teleport-cluster-17.4.9/templates/proxy/serviceaccount.yaml create mode 100644 teleport-cluster-17.4.9/templates/psp.yaml create mode 100644 teleport-cluster-17.4.9/tests/README.md create mode 100644 teleport-cluster-17.4.9/tests/__snapshot__/auth_clusterrole_test.yaml.snap create mode 100644 teleport-cluster-17.4.9/tests/__snapshot__/auth_config_test.yaml.snap create mode 100644 teleport-cluster-17.4.9/tests/__snapshot__/auth_deployment_test.yaml.snap create mode 100644 teleport-cluster-17.4.9/tests/__snapshot__/ingress_test.yaml.snap create mode 100644 teleport-cluster-17.4.9/tests/__snapshot__/predeploy_test.yaml.snap create mode 100644 teleport-cluster-17.4.9/tests/__snapshot__/proxy_certificate_test.yaml.snap create mode 100644 teleport-cluster-17.4.9/tests/__snapshot__/proxy_config_test.yaml.snap create mode 100644 teleport-cluster-17.4.9/tests/__snapshot__/proxy_deployment_test.yaml.snap create mode 100644 teleport-cluster-17.4.9/tests/__snapshot__/proxy_service_test.yaml.snap create mode 100644 teleport-cluster-17.4.9/tests/__snapshot__/psp_test.yaml.snap create mode 100644 teleport-cluster-17.4.9/tests/auth_clusterrole_test.yaml create mode 100644 teleport-cluster-17.4.9/tests/auth_clusterrolebinding_test.yaml create mode 100644 teleport-cluster-17.4.9/tests/auth_config_test.yaml create mode 100644 teleport-cluster-17.4.9/tests/auth_deployment_test.yaml create mode 100644 
teleport-cluster-17.4.9/tests/auth_pdb_test.yaml
create mode 100644 teleport-cluster-17.4.9/tests/auth_pvc_test.yaml
create mode 100644 teleport-cluster-17.4.9/tests/auth_serviceaccount_test.yaml
create mode 100644 teleport-cluster-17.4.9/tests/ingress_test.yaml
create mode 100644 teleport-cluster-17.4.9/tests/podmonitor_test.yaml
create mode 100644 teleport-cluster-17.4.9/tests/predeploy_test.yaml
create mode 100644 teleport-cluster-17.4.9/tests/proxy_certificate_test.yaml
create mode 100644 teleport-cluster-17.4.9/tests/proxy_config_test.yaml
create mode 100644 teleport-cluster-17.4.9/tests/proxy_deployment_test.yaml
create mode 100644 teleport-cluster-17.4.9/tests/proxy_pdb_test.yaml
create mode 100644 teleport-cluster-17.4.9/tests/proxy_service_test.yaml
create mode 100644 teleport-cluster-17.4.9/tests/proxy_serviceaccount_test.yaml
create mode 100644 teleport-cluster-17.4.9/tests/psp_test.yaml
rename {teleport-cluster => teleport-cluster-17.4.9}/values.home.yaml (100%)
create mode 100644 teleport-cluster-17.4.9/values.schema.json
create mode 100644 teleport-cluster-17.4.9/values.yaml
create mode 100644 teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_autoupdateconfigsv1.yaml
create mode 100644 teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_autoupdateversionsv1.yaml
create mode 100644 teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv8.yaml
diff --git a/embyserver/.helmignore b/embyserver/.helmignore
deleted file mode 100644
index 50af031..0000000
--- a/embyserver/.helmignore
+++ /dev/null
@@ -1,22 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/embyserver/emby.png b/embyserver/emby.png deleted file mode 100644 index 6720f33df9ec974c0374ef44c7fbb8c0fbaf0143..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 33980 zcmZs?RZv|`v^BbL4+IGg!6CRq&;)mPcMI+g!9BPKhv30og1ZL|?(S}P@tt!X{;K-~ zRIzuh?w)h>kh#L-WyMes@elz3K#>p^Rs;Y@@K;Cx9v1v@yG{(v_7BJ%|RDhD`W z!uP?yah*ieos?`%om>qZOn@)OwuUAjC9Dn1OcYHFjNR=AO?UwyP*y_ti?Z9|(K4Ku z%Jwqc*(>+%N$S?vQQIwLMB6QzHdnX`qOqk4T5sD#v!3hUhLiHTy1$OV<+f$5@z z9vEA`Y`y&l9B9GOZc*NQKXPaFgl^q5ZQcuP@(Kj+x`U7Dw=UvzmwtUXH|>499P$AI zp1of8Vt-?x?J6xTH#BCvq5UGp_nUXaB}K97SLESrZ(xmTXFN+To>J!FSb%y2fS;=w z=Z{c@f|p?7mPr$c*7be3zK|Q+tiiw5ljn*OZ2>yRHR>$?#FY@j3$)< zlA|~{(Vj8sGGhC)vChye65_ByYy0>v>KLM?<_#I^xI(ljXrLbo1`wo1j4&*IDV&tZ zYb=!hyBj}KPxwi|zK50cqRG3*j;?eVdHj=hnqy|u3>Op%EYL3*ND06*?+9~qTB`=F z=blG#!<}SQSS06O%gfTe`8d-#gn%>K5Ca7wAL= zI`y4Zb;1l5{`IBlsL3RA@!;|l@yy)63Lq<-+R)-6U6~}7O6sbmV1|MJF9-oJ;pm*Z z$!zqT^`Q@M=HagNpLJY+*beiu5g_9n7-i>7;42!A#t9RJ1~362Ac#akTB;H+nd!@N zLXHkAd#+jD;_$#8ClU}maCq_lbazns8}+bGf_o6SB0>~IpaaGe0ASPjH5t;_E5E97 z7FF5ZUQc7q1{kkP`?o*u$?h9NiulO`>Ng94d=T-%4h&QEt1I7@&8+(9zXN`_fS-Kb z-jLxY%;sT@~h*ubs6Tq3{Z)kuCZG=WK zjlF@=Mb*nX`1Eh_!&sdmk{LhSg}{p+g8_Hv?iGyGg_wy%;zXeW z)ZnLvs+Xk5#;GmK7CpPwNuriUsbzI{U*i{mU;;u0#r_g>vDe}QDCfve82|GDS@xjl zU;A?GgJh|N1cM#@wAyf(m;_~x&o{K*M8s7DWK)zSn-Pp-9n0E=8NpPL0Q5W*VE0M5 zaA;wlwM2S1iNpAYpM$;C8^emvp_F*lwnH@q=B&x<&y!zc)g*=+@n9=MR^4-YH0oJC zpbvt^L%i@%)#Vs1`%Kn~eA{W?KB5(p)n?=~%kk@_ir{MUN~UT!9p`L@tGHVzu7hb@9_VvkLaS4e=c^CPF>+K?J^CvFD3XKAp$;$v05cFlD z7!qOKRX)I$`!>RNR*Zu88*VJ+2duolh=kFv8 zu+0L?Q;8;@>lV8QP|NQ_){dHgQ+4j6P$HyBMUpxABv<{@4tInEf{~6O04`i71(wN- z`^4slCT#5Ec9*oSDR=4Eb|_USCTYC{yNJY%{$6QJ+Fs^aRjr!xzwMc~=R~|!Kneul zr&nXHQg!}M;aY{Kl4#t+d&`)OWcB{_^=s#%WzlbPnZ<#0vDV5+;RGfCyczCHNMR;T zP_INDrtpmlR&@8nL?7NIv{M_1=7%eYL^tN%`55K+u>92bBY8Rxq6D~PV~Z8jm`f>5 zbrp4jcN1wIqS>h^rd-!dA*kKHF*Su5T9Wp=5$fiUo)K%$-EjQ;_O^2$T-P&WCVZTy|AFN}0R8@bUi7Jlc;>x&k-Q05XX>B)~;f z=ldxtElW$U>NZKCr)JB*IH2S5b?_S?G$xB(oSR^ur>fRo8m+RuCIR<`UtYz?!ch%T 
z(s+aHro;Sc*-pnw7k?^z_qGq<6}pi7L%S4f2YaL38&aeqr_Uh)oX=pl+trdPZT-7S zO$@%I#j9y1PQ_cfA++L)JK(&MokStRKe~w@KF)2lpTuzgnV=ieP~@$&E9S=h))o40 zXi{9Je_%|4oA0C8>E~qC=5MMv#+dR8pMBdA_gVs}4IGQBO0F)t%&n?Vy`-Li5%F#Bgw%xT#OmgvBnZf? zhGx9DMXVNbZ(`l#S9X1KSt0&V8w8UGwO4%fwZBn`4Mm5=nfVO|tR<(QZ{?<5e!7+_ ziNI;4q)ABz^mV=(~$DCW?w8$aVAoVK$%CHrl0MS@ znmq1~^i9-Pf(Ph>k1PF13SB!xR+6uV1An7L@&IH8@HFq3m8t`G=zfKz8>%Of_;{97 zc(*C1+!T>`l&*%&h<{CB8m_|R?o!^aa%X&fStzf5)+6-7h=THi1oZ8~n1+RGcGV8> zb~qD{noZM2rr4=Tz2VCKThp9ml~Ep*r1A!rRD^THbG8vSxYb{YlK|jd%ULt}Ws?fZ z-?xsq^V%|;*?WqqM*Dr*5YM5I$#PIX6r&tFgjtISc7)#ql>)}|dHX@Wg0>OSvt!xJ z5}!GlH(dDYE~-}=6RC6Lkam6RnXb|Mx34Em0?$7}I+1zWOhs&TTs>*s$EUg7sBJIA z!Z-3I#^eKdO~l5WD;)jWv*&Nfq7ZOLt+4flD}P(h$69K3beod}GUVYxPSvAU2R!V^ ztKPKNb2SKWy+G>qy@LVfYCDUKkYrzup@sEt*G6*SUG|573Rw@uHCc3g^c&8k!?5{J zvjLtSa2ISi{09DRlNM;a=Q+3;a{X(6p#47!@-O0GR`!*WnG&yOmO3AVPRtXbDZ54O z6<_stpq5NQl0%WADH(5@)DEXM@RJXq0C03k-|4^SI&)O!gun;@WN2oDntY&RV4uyLRj;{SOl5iWDP)|& z?ti?I!;roleT@VwmSLdXf9@l$4Rn>*aqiHmn!#nG^`#gTE5W2~n zjocGIDj7#ws1GF_alr$E#S0c>s>R*h%3UZ@IY=5U8@Fw9FDxlHQ5So7r;hUR2;uD9 z*cvN0(5NVMD_2}B-O=?_c3AZ1uD3bKe=E}7)m8oW^t|Ff{+QgP-R2i|2aHpI^25OA+Oq-oI8_$oiyq!n{yKKHYcylq$T6q_G-JBWSD7LC9&sBqBY zP4<30QXTYXw|*7e1hN5ui+^1-)qLy;QRn%4Vcc@5sd(Em*9s@56+p>_B-rLjhsnud znyXA3_Ifw;>b3jLwSH}0-%knZGKZ;_uDy7`>n1d~WZ65m-9|KMOduZ#BKQdII6q8@ zDyF^dK*=P51*IJF?P&HS*oA#t8z?Qv9qoy3Z@5y6q!^xXz$fJIn3F>u4rQ}18K@pc zI_1E^EzDK{9>9LnKf@sPE*kw6$;;QmFnvGbr1Jl`r`8$jzJf3n2!*F+#eoj5C9I+MO$%Vado5qEBx*-wEdQEe^YwS!y{PP^kh&D zpJk6J5D@(gn2^?-?*qDhjQrclPj5A7M+^G)&2juNLihl*2V`c4$uf5`(xg$#p;gam zWD`$X4Q?`8fG2%|JwbnIpk2?I-kHjh>s%yI2q12YnSIj{5qa+SU@{mX6ybvZY#7g4(2GS7u z7-O&=2@SvIpZ@-UbB?6PRiI%|p{;UZCe-c&sR^@or;h-9jpxSM*TUc=E8z%u;ZT{Y z5;a^O;aYK>#|{$aFJe@O5>-jF;^jCsS>@{v1<4**kHL`Tx}r{XI1+;x5KXkBNODEjR>yTwb`d=qpUbFuz`JA=Lg5C#;nnNp>@-zl}m$=Mn5XEE-DJHNfz75PJN2_aGgm(oR z1%S+_v$JL6{2)-G`AuCK;jHw3oJ4&HLZdjkVMUDRE!hdK-gR1dPc}&nvJ3r>IOrm^ zS0z;l7&9`s23AEPSKpL9adAn#b5>0uS{aDXdF2WXg)~lbM`*$FIDyot(=_O3Tki7fi?;Z7Hy 
z>Rf}OYlE)vd0qMP(ak_ZFh5*T^ljZgas&n5mqT{rCIQ*6DN6ZlRyNK@Wp|5CtB2E9 znR;RG_mQADkhefn8O{Ohc3L1bhF)lh^e)%H$?u7xFUURBxQ&jo|! z)&D-D2Qz`H(3O|lhebEqB*(>(f>mY6_U`Rsz)h-Ph~{nkRpBs>V&wkwOFm=ZJjj)! z-%%ACDkJ3Cls*X(=8XuKzHuFloQe1B&&43RFC~!O-$Dl+`hACwZAbI)`cFS1O3n6Q z>t*=1H1%+S_dz$p4bVA=5ecHA$>)YzlA7D|;`hh+;1WpqknG4M-M(ExuZXc!4x3rO z7H&e-z5~mA&0NBS^rrT5I1;6ZQ}wjPAb6@7Ken9-zQnJcv5lu3by|Q$+!H5=|aft(P)u4 zc!&*%o!h5a8INxoQI5TAiQL{%%)kJIkigTJoE8}rcHB`rIN0UDI&SxA?wX1g*TZRM z2fCq=fMH$Q-k69~YSnO~vhsRUtx|7%@cBSwZ+&_>Fr0SJJ1BK6OY8Jl1~uZ|lYu%W z-gJro1oCP29Pl z4L{}la6px(qCeqVn}@KbCQ>MA(N}hm;yyUc(po7!=UN8VAab_`fJlTdZIhc48*Ah( zYXIYS{w5Gz#QE2zs+cj8KYUr@teb9*xmm}B#suuX%^0BDjHO~dET+nA^Hio$-tZuR zW#d))RyHkk{-hr*%h;sT&L*+4Vw~%FZtuNYso3}@Dd*5OgYMRdDk-U68ucdB@ zJA6Yunvb?FH=>XP{JFL7Oq^YlM90UifBo~k#M!{TU}AB4@%!v&FtD&ss*=EBGh>~2 zT571GL2|hkclp<8&JiiXIqSvdfwM?vJm&et)#;ShOkTMJa-1L=@LMfpL1QngkS#I5 zt1%{yQft)2^2T@xy@Ejl#ilfqq%td8r6!Ht#W$V6K|pySqo!RD|W~`bos55=_Rkv5u-;JDjL%B0X;G~|$_-Lxp@)=P zISVFPu``qW5n(!3IzgW~`(w^yN!oddp&B;kR-}ZuQ(+DW$qT$)qVX|2!i-fmc5rIG zaj`vJK>L+1cak2q9UAB8G$dm7Ggfn7GpXfxOc}qFjH>jdcl-1D?mLc1VInH5THYVK zS=FsJEq8PsZC2wEwa14Hya6c?e(QVxtHo!InjO;S|3--G`C-sO(|ML*#uDnvyIb$4 zOU9F~=fB473DYk>>`vDxbySWnp4){7vBxqQ-D-I{2l}3pF>7c*ZCkhSkdeI#^69)z z5KN_45xlXf1u?8itQZxlC^dGhr7WWE`(*;(yIsKU3G$ltbXy}x!KR|M{-`(}k3yT5 zJ)`BkVl~lf^;g7snaufle?#i{uGxayt=WD-pDX@elGq2u8*!AMTp*wkq{LCwy4|NV zN;DT<{brwjAoa!qdxA@%u5NCdVx?cnxT%Wt@hNh6l%lVg>giT>gspfi%hN_zVQvF@ zt{)fOjOx%-x&K=6i_`tNxH82o+LCeH)CsFNS%vx~yMK zByBYdGl=nQlD#|4C=2GwiV1glqDiLIRcugkj-6{dZP~SW)kV6u|Hfnr=Lqp9B;|J}E`tGlt2`P4F=?jKn;A)36+_ zLFoFU?Jea@b<=M0y#+&~+QDOJ@lxH=WyrP8>Cv$$mKm=fHV^P45h=qY^)8JUvzKwd zim6hxjX?$%^c;gKiV!bOn8%h}N!>iIZp`&Sz5d?ODUP=CL8o}X?Sb0I2=>r9O!g-B zU)L(tQ(M(jbH>JA4BkSiT9yz@e68C~Fh3mxG92jLnJ$i${Fd~v0~h&pgI&4|_Be-v7*=bUOKr@$`V z4{33_TXXOmnd~d9@*Q`Ms?clhW=?L1-8IpC)#dpqI0AI)7tDw^HkrjRab*5gpR|Ac z<}6o(WAy?QwZo%bf$+#4YZQTZL8O4QZBN%9`s%4pX-e~nL)&XG@p5`7v(A0gHJ=CP zIEPKvSAdUKpb3|v$&CVweKjtfS9I~CO>67vyuNIpRscvUvuEsFEw28J^o4tK#%#L> 
zw}Qon)A;%0L}GKZc0L=eq1dwSeZ^H_u9E4~)>+i{aHLR-quDN6VoRK{@m zgkIbQ9}g}+H}7tx|Hf@ zdQsdt(}za{gb~!nIS28RUnP*asM}mwL+8@1-xg#^Bv&_ zZ^d~k{j-f8w)P<#9Xg0{>VvvGyIcDSg*y1l?(l#>;=Zf-x_PP9>-pbqap|%sZ%k|t znjeKbvvWh^0#-y6rXgg! z$e^aJb!4RF&}OS^H=P?QCQZ&f(&n0df>_J{0KtzQ`w+Kpst4lKcYs7{(0P_k`aB{bcJ&1B@;TJDcw?;_#H zO>$5J*#hGKj}_zwT0twfsy*lJU{+=Vh-LIML>F8)iBx5A*sCqOF(YDzjap=R=BrDwT7biAp;qh z4v8t5o-V05>m$M80i|Xo9lraMGeL|AO$VTVxRT;GayynYdg+f>s^8A^6%!)9x?EB zeBCIZmjP*;z>Ad1TG6e1&{V-R5I}ie6(G1<3LBLv_gugc%8Tk9Uk_wTb{Zf?}EW79hPkU1W4V?=KA?c zDo}YQSnf6W#%)lBA;8adY(+9fFt%J=@xE+x_tlSsJ_ith=eU;vTzLG_zx8gSQM$Um z5J8g5>lv{#oOlK)FR`1pPkYhQ$;~hUzi9a56NJ7vCd7+=!f*d-*MC__sdcWn%XfF$ zQ(_w*zJN@=XA$+rLsj=-w{qU`=QsA4dh=F#a|{57r2x2p(#|*?E<>MwL>ZB}{VB$s z$8MhNACTuKB(cPw{(4&Jx3AJzyK`2MreWAi1MWBEDJd#aRg!yIYcj#o^#770MU;06Sm zaM<15n6YeH=&9Uu>vfxr7YJBHK_dVLAUJ=3TB2*L#)s#3tG-qN$IVNp8mAfe9iDkqu2x>< zVh84c-yi9D9O{et9{Z8t*4#$MbYa>`?ifU>pd1rf!XpTHlN*Mgx}Hae&&^wpcewlH zELT52tUO2k+{L{hL4yZi@1_0hBC_qKEP^+;zuh(#n(+JsIsEuNy7x204K%2-zrVCP zO#2rJwCplH)g6Q^;dNQO!I_c=%#GSwb!#p39;YW_Tox+e!Tmymf>vqroXir zTt5@^K=;)AY1(IvBdYZ>d1g=+RTA?+x6ApF-l z?_Ypb&Rv)Vz_DkQ1TAAUlM*`pAq5b~of$~0k2{aB|jSG^mW+qEoc7CixV*Xcj zkG{)>Z95N-0!p)d%N4Zs7Omy;7+{zd{39@J?T)E@=FW$H`R4AcWTkwbiag+#y_+5K z^3v5jCidcU+E5N7cM|<`rDClGQtlUO5cr55Hlh+Nj}Z2)ua{4)8_^~gy}R`Jam60B z$RLg!4W_qScv~Ox9e$?O+m9=7xkMHtIQ;^Sm}FCavpb1Ezft^C(c&0KB{nn2$mPq> zTM+bqIL9Bn?n+=qn1S4z4d}q_^#o_@ZPl{V_t>5rBv+p%_Dn5_^Y)-NtrIHut=bvBGOAVg-Jf?J zc*b-7RfVGSf8j!O`}Mo_aWATfgMcl6`F8mV*)X^564^TI(3_luk?aeY2qPb$clKI> zTS{}(aq*8`LaJe5=klgVm~nEk;Xe-iaj!}RUrTS%?N)8fqEcO0K~;eE1_>Vu0)VX{ z7DK>huN;#gs+qGPhbdJ4d#IGBVoq)=%mF# zBI&luI_Pe1Wwn2jJf1yZOtAX*b|3pUP169o3!M$%?8udbCZ-I@#Fr5NytYwK<6l}1kUg3|C&!|J zO8$ICD92@q`*9{55OBv4VG{XmH%z}!%u#m4{CT9|B<$t= zTaZYfugi8CZS6u4)A7S4_P$1kZ;s`?^Q2u^KHj=*2{kxN0%w}Kb~^LNIF-Ujh-ask z8Gni(xX)wQVcOxZp~dr(6>;0@ac0FS?KCR|^Dtrho z_dzaSJD+*$(DK43%ejR`k)-OR=6yE{7>dR-PS|N4cnjWh6YzL^yC8!q49sjAXW|6?6}~x!VVm=WKSz&K5jx+k~}dbKvh_QpO2LrF(-V 
z*g2Cr#w0Yt+D0em?z<7ZvY|z>o=~mT^T?ao96x7fI?~u9i}8*VYrYfQMMe80;ujP9 zBWhAf_cAkeKZx+!Y4ml3BopE7o(ir=NDYe;xo(<+`|KUv?^EYP3$GrWqv*}BEN@S% zqv^v_Agny4JM2>3#51t#YUB$DhMvWSO4xa4=vulp{8SZid1sZLH zLKp-xG-n=qZlDOlhTLU_35`@bqxJyT&&gJCy|%D7-iho_C98fpKCObqxy?s6DLzm= z7i{sWRQB%&ZfkojMq4j)?fpmMyETO$OWsUpwrxEup>!}f@Suahot2E}x)M7q*Ie7K z;qE`)EpYiovjZ_oSreG&j${>x!{q~vh;Crazs;PSEPu7DrnmN52ihM3eaanAgn z$(EV%*11N2DF(wwGTAlK#TwE7YHWvf)R;U^4qSmZNma_ z+9%f2e&tI+bhroiAaPj{O%!^`fug?LZOqca!ptPo>PDWy@yFi+fW99n*doWt!nfy4 zu*JORJ9T~gn-T=RL?rz|?_4V}=N3g*!r*4~{xU@DjJs|MI*&HjNF-C8i3MnI6^a)g z$C$-zaovmsr;7qbL}olRJ&5S*>ZX25x{zEND1!uW3(7a;+H(UYQm*qmvBwfG6q>hV zzgNI(NB_rKe#Vq~HZki)Nt{`r5(7QGs`O*XZv^JN?{l20oP77!e{1v1Fzm}R{^?qs zL52OXk?~XFbRz`?qlulK&E%|><3d&4^=gRThNE8fI_|-Kb^JIFU6BGaBe!@@WcX*t zo|3qbCmR8G!ge7-_`qhTfcENVam#7hI>j# za`>oTg3&*3#c4U=O6=bCBSK}6@}tL(ER#jY+74Wj2XWeHRw*92Z`>QWgCyM#txtkG zv3Q<|!OGy_lXb3U#HKeKqd^J1QUQYY^dRQ1b<*wkwdK8EdFXfs4r}5Q;z8L2Zw3ck zRd)BoN@eII9D6Y=@vKjo@OU}8rPmyafSzB!-J|w*d9PT9$N}YiVm)u8dn@#Ebz100 z{ZU_Y>g4zA`O1^It%>>ZxR9A0kv$o|xhG=!Ah<+C{6b>m0}%4M=o?J`&)E}tbN0G- z13thAhDxRov@~8#buGCw%C%zWb>&bi;R~rH>&Vf5IxWl?D4wxgl2TRUiN=EE3et{@ zi}P5Kq+#}!7jxxv<)HY0oPGq*K?Hsznc}qexnPlL{R~EfNJ4Q5CNv81!eRcWi5cM= zCM=65=+lKzr}AQ_np5IzJ@!L_%ziyz{9Z_f5r#95H`Mpjc-3UTE$=i_knT?VdjD+q zG8$ln%Ld>JsPazTRu5Vus!!x`uyV<)UYNGF&GVq<+^^~)sJ{|WL*8I$xN&o5w1l0v zgc=o4Ljn)}zX{gRas&Bfhiu)M`Z?WutB-S8TW`j67$@s1L$3M+M_7Z=9IFf*u4T3> zs|}MJYsscu)jvS``?NDSGW<;x5FWJmB@gS7_Q@j56c7}^hUi*`P@NTYUpg5Y7!Z(` zn-gFQx!NIV1Fg7^!sO%9=5%GlZNXSo=<69cUMr|_UHEZETtmv?``_oGn_KVDhnSS7 zD^{$H?GdWFiH=Z#Ju!ZP;l37uH#MLo*T7qCM=ge6gzyoXTsr*G`{8>+@NYKj?{&Si zt^=sBuia@}b`*mtorzywW@@MvEj~u*$>P6j70ayG$&dRbK0*Uu)eTT3ryob4%VPRw z?0%A~uzq=7D0}7}jkwyLh(H&GVEPfoh+T~0-ki2k_#{Sd$*cipKLU9pKd@WVbh_|o zMbZ~RLmh_uU)OHzqx=z*DGVSR4AK}Bdwyc9lSZX<2BZh)SxNSw^gbhMPy@V7Ry**X*49nq-m`q#9PxerPUMY^`TU zJV$+H0g)NipvZ*~6%u4;SQ5}x^@l|aKfdpUZ;rj$X5n2w@5&AND@(a&ku|kfQYTH9 z1b0(Y4^z8?%3zITO_#CNpEQAt6fc^|jX=8QkG>QIfkpAEAHE<;xY>OGAcO#_6T5`p 
z5o(GGm*oqCM%&IC!BS@6nB$IczylNkOeYN{&*y`Ti^N{kJ6>?m1I&pB(W#Uswnb?7 zN`@Yb$#;+s9O~lf?e3o|I){;M9sT0J47?NPIa9R!GP7IfG(K#m=#*y2^!f@SJWU)6 zZ4R@u?nMyjH}|dV2<9_p{Nr?3t20hWhs2JR%r8{t7F(SUn?3c-T5MURiV~I~m6bsz zBY#Kg1i$9y26alD+S0-($<;g2xIZ=A^OH)~Eqbc{<(r5L|5z43C{)xEtkGVR;H6@pbtX<{p;ZJ=NE*y$BL@k zFc@{}y9LH=9bG!4)ARq@5Io%u8t7 z(yKuuK{fTgTes)rJyeGN`!y3|W3#Se{X^@8VlrOmk#MabK8TWbrGFq*7u-l_r07lF zs{CMcE(8Wz32wNPFbbNQ3bhH6xn`5P!?M+lOM?;f27VYDl-v~8FSO-7cQ*9P=T{mD zEOGeKF~m~9Gr5IkSM}Aj(m^dk8m3k$q0$Rew(SLVm|ZVgI&T)K37+NcpoR6}Qf^sapI%{7?Fgqen#|=cYP{{~PR9L-#50E_eVb_pKs)+AjrC@4mIN_QcNLhHwv0g(Pg|y8R19oMQS@*3m zyP&FTEIAzdIcpNA7Ie|wi{2^mz#El?=BWGdeJeQh>dZ|l0xTCMaZyI$Dn$;v?H@{^ zgsLe6GAx=kud6fb<|K*gB5~kWo>5h?ftHFbb>*}aUB9AoqI>?*hQ`aYqt+>3W5u&I zCLkowG{vdMSpr^S{XK~9HQr?%qcRO7;7fg<^Rdk?z2z}i>R0pssw&IjDrRRsjm;A| z$I)3i3;6%ZvfE8IiHSm|?3GRa)l-$F^ZHlSGu;UF6iL)Icx(VmZZ0gWgl)9EwfV{( z9GmjDM9maH_6Y9$oz3BjTVCQ3`U#zpJb6{f#g+3ON>2d*2&_p2jhAeTek)t6g5z&1 z$%otLIX5^8Kn4Kbkh`v_$&%gV9_v|9e+ltmVEGI(7zqe7DrP1}QdpW>-6*2QTcdkQ zF4n63vTjl9FJ%GPKqe++WW?S@XlJi`ERkFM3#ZMm`{xD-Yi=c!%(O9doHFBFtj_Lk zmMMQ0zk>mCnxP3xcod#Y6(woSKk-#bg4(J}{OV?pN5hbSM;(Pb$fqYdK#0F6#>>B* z#728W7#!`o+WMfk#7X!H-V-=tV(79q;Dk(BbHx$NdX{zLIB~E)IfGp<_Jpnw?+5I#BJsF&e_MNT90B!-DW+#RZ#7ys zqFGw)t!G3X{c?XS-(`6+MG6nq)#e&wEh{@Rs`QQ(aP&h|H+~+Z?RmFZ|HV&_9y&wk zZEQYXw7kMg4XZ%9AGz~m94~DZiM8&O$Pl$j#`8xo^S@h%%zLIbQ9kpuXiXbYWIncc zyiz&jscqRbnv!HAe~-|Qh(v|B@e$dN__E2HJkG&T$J9+!L1=}3m9K5PJ>YP0^(zEg zm#{-@AIMS@9ew(u4%8FT!PrLlT#~StYP@Jxkc5ClVG{4X5T6f>^HRf)elrT1qRy%= zK;S1d+6{DL;DQl0g=};>(OvAK)vb%G&B@ESATQC#!t)JAAEMREU(Tdgl`=FM@U}fu ziuG^kb|1vBaPNJUcOOCwmnX+Kw{dy_1eS`gbiimFoTy+cxvK6mGkIVA%YR-x0CJ6! 
zTsEST-e#mF){Wn-5sH5r@X0|#!x&{1nZOFVRwiN(a=EraC8DM4c~=AW-kFkryKtkB zAh=~^P3}FV1`>M+70jUXBDqZ3-1;Fc=u*Jl_4-HA$V2B_V(ir>Oz(I7 z`s$Y)Cz%vHe+(8hEHdL?`vW zB()q$!sh=oDD0FE8tU;3987C5QIgq2(+|0+ zp_Uk*I7S?H?6MWo2Z*mnV1j^i669yMBduOdX|#0^j+!XyuIT&p(?Ac%ACdhw#Lw9# zfyclK&l>ZV`?3e35|;~0Rrxop>If0bXB32=g5^&& zJ>+VxUW3HTa{5rWc%x{`Q!*el1Z67a_1a}!5>K3bZP?_L+KFK(lE-o0O zdR4CFU!{gpVAB+L&q_1I1odQ)%fp9G$}`ncLA(<|-~s1QY3!$=o|F5GuAN-0k6+MP zfsQ}Q`C00YO85BwUj=Oh_Bzu9IzN&TVAL|1Q0i!1qeaQ-$*y0hUtH=sy)Z?V0H4t* zzA>;y)9EQ(eW&}17Y4bemOlc@9k7DIp;jcOfqfBSjB8O%T_@&In#N?|^&*9smWY44 z_=X_{Zs5vv_!UKI&_!2xH~yX}AH!n;0%Z1*|2Asx2kQ(57o94X-{vAnK9YhsWD##6 zstrLe{ZrIYiSc8Qu+*b9{nnLcKm+ndGz8Aje=kgkhN5#M?Y{6IA{tGidO}9K*pB>I zhWe-&$`<@Dv?RB=6|TSlUHAbK`AcD^mPhcUAkil2#XVu|O(&KAZPWK=g2#dGmUq4H zj8uVOeH3u~YktuZ8@8EM*g;_{**bbTiEnn4zv1+k;Zg7r4_WmLSKCAI1vX?N`stBq zK4YgmWu!5~&;wsN(LKD3R4G|f;*V~!5$HR3B_F0*BnZTJcGnB*FyMsP3+q`Pj#`Z8 z-Pl`CwUUG8O0J+tJ~$1I3BD*`26Rq5qakZ6%1Q=zviBv(oW~_zMU6@j*ZGKQ-SP?H z#Rle+(pP09&KC58Ous`Fr01rqLxB_WE#Tmj}HH=6MFU6 zBv?%AM$;a|UnUHa4+?=*32{)X_*JcXr$_7zKok5P>|X!BAyCuj{;>C>@(B5JK<=x!ou{Su=|(#Heg#fsGor#y_1c zp(7^bFTCRzw(B$%A340cy7TyBag950D0s>X)McedmTg++(QYA?($QMd51w zuzGs>8HDCz5*5G>UDo0gv-HSko@+_#ILd#`s2~|Q8@^J+l8H{2tmwSetfF-LDacrv z{oIB>cw$3_ONHbW4DSfrwM8w99PnqqU!e#ltJ^KmBNy3}{mp$c(9D^))J3i)FX$jd!n1(U?x8bq=ciyTY}TOneo+c zeJ$wAO}ow3?7Y>@Ms?|c7>_r&>k7VM_zndspcNeqmuF2xm7}$F&eyYP%;L=`*^KF> zwb1vjxOG#`cM-^ZfxU+J@sxHd2f5Vkdk&grbyJUzvr|b)ArgNs$T2LSpwJB9AZ+jh z|A?rwB%Aj{vPlo2ghOUCPH`6S(}|=TFPWVl-hp~kP(TR|_8E759}`Q~I6-XsLqQhD zy!+zcx@fn4SVhUJKiz?D|5)Gya&M^=)39dRiyhU5skC(8?L&TS+{r2`{bV`dDW40@ zRszV#GHZB6oNyJrSDKuYMJ+FqaPMjrV*20n@`f65^}G`jMU3BMO;cJ^QySrQ9^sFY4&6)Z5q(Q$6b4HhJCr zpaXECV|yYa)3WS6hKR{ny2wE03*?BCp-;j)QeeTg&kaXnQczl651Gr|;#D`_{E#Gw zZi8T2+w#D5wmn>)eVQYbJMr=ye|@=I4N`{al;AF?5)?4)N$i!YBK-h%BiaSzGk+AT z$rR3X;#H+h?rqv@NIjujl$Uo=Ir^~v91C)f`DYvt8KTk#t4pL&R2y%T$K%)6m_TI+ zG}ccCBe}t?R?jv92-vc#kbZx@&daOhk$f7{5kC#Y-D|%tl^6<>pizy7mV&fHM2PJ~ z4^kf($&stLudcYhgz|lD62NAG5gaP(>8qWNV^rQVQRuP|0VNUui!YLmC@)^eM&g1_ 
zBckYlE_Qn2lMb3Hj5s`W*jAxN6x6WUuZRl46b&OHqk5+&i+A(4v^w~$m9ReFPzNFX z;vGII6&rk=<+f0>!eBQ5xtHG`S!`-ZQ}Pi+AI9B;{2eZb__&*^Z{+DMWH>w{)rxGG z89fF9Fhx0DhKwdD)%67@;~tV^to$D{sVQWiE;*l2%pp4MBEeZrPw#u$)^WM|=eKXo zG4VLUNkeOF-*cIYz^^Pk*3m=9rbcvIiRkl>pU=6Gd3JSnX(|OTZNAGg?%OGij+ZQC zbBG^I+%EPjFd8zg$y5U9&wxHS>+#Twhue!iGx<3p@nzwGko~khJ)cg_p^C%pC(vn+ z`tr;>NSeRp>|rrVv6|8GoSSK@G;RCp3Z)8=%fwX5=>1SE4O62+BJ%~Q5_q{Dp@u5; z{?HZ4PZpcDiHceI_X5d&`;D?(SO_upGY(gv7TkKuXWwq98q9_v>%ZW=i^RKPohz-)E=zfcRv(6<*UEiZGLL?}JSzEM{sx(5@k4NRGB-1o z1LzZD1HqLw(_^_jqWt1!Caf?TS=x}5Wg>_=+cCF`!=6-s3t{h!p4I=A^ge5C1)^D%%szm zJNv*GZSbClHxh=-n;U$^eQcJV(b|*RZrOpZ>rJH1Hi%QApHOs$?El_>L=}5D zsafb~wbrp7?k}(O$keqG|L}JIim0UhKgKWMx0#DBQA}y6eD>(lkj}sSxR~?y3U`yN z=<~6X;^p1ogQuLw8x94%NsfzyDKp&Yf!Xi>UsYcn7S$KEJAk0ll2X!L ziiG5VbW2MJNOyU}BaOYD8Oeb$&i6lk3x-}Q`VE_dqvTHsKxy?cIm!}?Id%~kffp632` zNk~Y2lirP(1cT7W2?CG{dV`_C&XVVJLgyAk$}o-CD?-`|>Fk#WyrT-Ab$)G4L-nUm zXNTnxp(L9 zv%O7kIXoIRaqGa8T-#^_Z*cY55U%-$yf*<_Vgy@082j#~8`{J=($2Q>m<3baeKQ?1 zJf6_@KuN=&0PP=rJ$uJvThrAyANHX5t&_{}voF|z1-4K7$JEtJ$60JN9V)$4ZZJU9 z!Rl8~x%3uzpplh9Zbeem3T6T_ei=bv$x3YK@{@RyO+D^0J<(D3B#->LPH^6O| z{bvT?#rvY=e!sW%Ak#J0u8izC1&riJm(rT zzcGC+_>BPpx(M~&ZY{U9d3QHVdyBR29f+&rcbUH_LziTFs4qPe06Od>SaidC+^!v< zfJgyvM+AhX%4_%J_4&XQ`F1AFaGY8Zjt4@Ck7Erwv6FvB>-42v>$#|?=!eGuld_W6 z8Sa_$qF;j)q@nZA#}dlbxOjAtFux`RggD2Xf*t|N-j!`xG8x~DjD=*&);??9g%O+u ztt!r}(Z_%9>XkX)nKUt)JMBeHW1XHLtsV?hoZAN`!#OJ4V$^l}K$1Il7i#OdTJBw_o>LI7XtCk8SO@kh115)egjSdMt0g}ZwI%F;06=0&sFDX|EAdxR5Mrx{f_6KLD$pY$K}6fzr7R%@&e*5^GG(`BzN0st^c@t!X7%5Ez4aR&j!o~sY40VP z$k;OlG*gZ#J-r2OBu9VkgL}zofBG)#YMkZqsJ$pW=VIQOC3H)%S229!M;HoMB;Y!g zA&_xd2#PvvIB-7neW^{m4g-von4N@0xJgv3%kLAw(}X?&!IfMGCW<45DJwjP}$&PsO4tzRvhH((R#gQv#lQK`!{zCh0)jfna zrvYlOPw$;Fo$xP+K$kb0D*MX19fWA(sFs|!vx@s;NiWn5BRoWI@@b?k<3T$(pV;3W zJ7eb4#d`&YzUP$}KH30}BYEKD znzHij0$6YQJoj0hM-(HpoJJM(R;_f!I;~!z`I`2@7K^9KZ73xa)(2}(|&M!BL=)OP*U4f|K6@dg#1I&{JqAyM= zQ|=GeybJXM<3zt~f@WAq2gQ9`VG6+#+ z`(^o&F=l1QM5ICvj43}e;wRY)k{OH0)nc6DNOtBOUpbc>YTR2c%OJ8c(O1AOXjLsP 
zYP05F4XS9o`?p0mm3-n8v7Uek%Rh@Lf5=s<2?-aZ6dKQME=_>JVrO>P5v9$Y_ zG)<1i-n|`>TU0ga4X08|H08^&YZj=u;hmp}yyaPCiW>K(8yB5N69qP!Zx`tYfCWxq ze}Ow>dGUECj|PwvA0mY`dmvvl>+;pUoadc|X%QV_l+Lg5r8i7fmd=yXz}nl4K{8Le z{y~jS<9>~gJ@t-mk^kFM_l6P!G%6RlV|hbIig+|jM8PDgU%$TD zD-8l&4|S3Hbvchtr}?N3)1fe`3{|Q&^_9x!?wGyo(I$u;3CIQ+orc_ASixf{7px4l zYCm(#o!SI?nKrJgGs)#jtMFztC=^tyN%5r5+s&Ejf1I;Zjrw_{;mQIPKFZI#6$T64 z=RIaYl41ga9QK$_dC?ak6Eny3C#~6XtTFdi=bi`P!W`SzN|l$eJwn3IT;Jn^0*#Z153g$n-Fs$qR5Q8cr6eS=Q^nl8!6E@~ zh+%+;2qkvYdy!MGr90K8A>OqMKk;>RK=njFI-UD$)4-?WTJ*0(q2eUlgJ}&3?%>z7 zCKGYk^U~L5=ks-^kUW`VrzaY>567Jyx#>*3Ky@=hR2K!;t@e-zaXkCAn|Ym#XeiS* zwm`~2`6nsMclb1r^&UeK16dB*2MMDLVS+8z;-9H$Z$hW0stS>Rx%nku$4y{k*w!<; zLU@5LdFkm9vCE?=i#}l<|(gc>hOSdZsT>c>^E7ssO3AH_~BgXEq;u z>s-RBS=CH!8$T|b71pyQQo`5ZhJd7e;IlwIo^yqcFdkc55zfMa@ph;6+;{~ zp8tqiCVSh;FB%BApEs7b;xe0;s@h9+Aqy2@=>CD)ZUXEUN*+j;O9YA-)~*Il7s}s; z{p}pgKA~TVMPK1p(CC;<{hP`W>;^QgG2Z7;yZa?7{Uv5-?3&klY1=kzPagyy+Q)z3Q&sZ##ftf}5sjx;(D;fK zU0pNpgREiN?>Iandzzs`hCah0F@n%3+WA~PoIsbYWxFM-Oj;+$ds%44anZy~kQ&fq z9GJ)}S2tQ0Q{lu}|47WjRX_Zh&lsCWfusuWx$f4zXF+vwi-pE!Ki;gWzJK^pO3M^! 
z+Z}Yp{=~2^MH^nMrWsA+a~CekU%IOeJnh`1$_4IpYjGdyIjvKTr(pKeQW+R5T z_W<>*jJqr_@(*?Fd42O>5qGkVr>G;&t$PC7kYY;|L&|*w2{RW@(~9@{5f1pNT`L?7 zF>TGu8`*_JFG5`fYS1T$uUsY8>=oeW_(+}k?Vo%%L0jm~jp7O>bhB?x_@Cp6_fM!c z8HiQ8vI-LA8A7cm=DxEh@vtn;*$>8ZhN9wP2=BO9YsPUTUp(>Db?!9IJN7Xlu~YK* zK{4&=_X^`brg%pYM-k3%rR+_cQR~{Hm@w% zXl+()tdyt&Gw?+w_&i{XHsX9zBV~5dsBP-{$B0O0`Ln-~y?!T^DT74-F5tZRFz6%AV`}?RwpW@U7l|QRef`Jt@8RFhw)>Hr zK?Czx9?5JAr}VH`V$il<`*BWytgMJI2KU6;QC^JXV|EG_x7=9jS8XGD|HVM>XnfNA zf49a)qUJs|+EUSOKx|TGznviSBxAOV&(8O5Ja*g_5#IZh>cwjA`2GW>WC zQuxf1N1<+M_$|bLd#JZBo5NAdLaZ3}ELI#1wB@GF+(v_$gna5h&#v+imZ#7CtsM?DRBY2$mN^=efDB&HZ0r6&{g#gu&gE??4J1V z)F77_1--%pd-su{-O`C?9$Mkny*V!kBX(rF2_VKfkqqpG3MQD+@=Jq$Q?6Y%6b8)3 z*nw)+f&FtXJrq?Zr}x)ve$Q(68h$(aaO^(?ZGS)=PpkFomhDv0hb_z3XHIs7OO3Ie zGg$+0*_-XNAu!QSIjde~d9Acn)I8v71{nSWi&e1G->|(&bEd`O!^y7y^~WC zFSoZp*@Kd7J7}ezJVSevPT7WE(_FcMi(U7-F?6@Nk4@)wATI2iF-Fx<2;24zd;D&( zT08^fgOygYWs;@*ofyB07#Zl9*l3-6P37;|w<}A2B-1ZnJEcVMg(!?sm@iO1aVg3! z)>Nscs{#Be{lW=vF?CuB3oYcIj)G?Ud~j$LA5_&mTaKb1P!Xso4Ro9 zlBnzitF%fW-Qsf?Zds!9;!2nXSVnP+_ruXV@y=d}zIB>DygQ2mWoaZZ>x>OjY>6&D z|9NSckW$;xMVr8p>mEP1r9!9>GYbk#7W$JSf5faZnQ}piT{kf$0xS?oMYrfT00UD zgPPLJVN`g?)wX+Vm+1fWRgf023ku2(3M9b`+TlkFVT6^H|r__47Ap<7PR z*bg?Vxe$e7-e;aQoC2x|oAkVSUvf>{-KBPqe~#%n+xjLB0x2t zJr0)xLZ*8sn)IXW**PjAgTFrgr^{Z)lv4U~l3;ZC zDm(n#^AqHTmK;3!slb+#e8shm7a$mpSm1^$ZynewAf(Nl9qJ4N$e}VSA za6?rwjm&;UfyywOC?Cf98%lQBgtu6hW7Ejmo;j;-q> zp>%p4EP6{{q)@IkR-Sa``T>aQJjTiPRO)~iAOE>M=x^N}Y&$#L)^B9*x2J|Ttr#Hl zR64^Y4DR*DkbU|bP591nl`@4fnj`f&g_$pXgTgqfOolYXq&4x(YbhbdXbb=0Nw3F8 zsaG1DL?-gy^{sz$x3qzUAdTIJtlTP0HTO4sQ${okc zeWVl4|6@;OR&@q`u`_S{qxGNTtzOI^I_LE$(4;qH6qQ=&qjfb|%w@GXZOq)05S(z% zqm0g~1@uLlMRrcVCHomt5kTQs{XzP&>a&7MwHizTcjx6M!4G*k7z|!M
    |p@JW( zD?}ds8GXfJ`kRav?NEal*zkPW8@@(4d_Hfvx?TH?@0`hgh?j7-kt518v+3f(WzXWmlz{0 z8J?Pn$5O?DI&8O_)iY0n-JED9d{y?62)Z~yd6Cj|Wi~uH@t0;CCyz=C4?w*kJY(gW zKtld%2?!A~pg?H#zGYObIKWw&g%T6~A88pmI9QWXLb#CZXCX5~0wjjypgAIJ!B1It$K1#Xfjc%*H8h=V2P|-sp zVul~BM6&r=YXX`7hV7sF2BE`5Vscav+sAFu#no!ZOX|KdM0nz9)*><(cYQm(G~nws z{omfs%xF2O8vr4pdT~=N8Jq*!rg8`;pXQaA+OK}Q*S0)gsqjCiJks#WCabC z{xgl!)g35kFlDXBY-a0utf(Za!&i13t{4GqoaaCHG>)Rxctm7kG9ABREQOR2z)M>hot0BhP6Oa|@L^_HV z?^put^}xo#gtr9>%RI_ICxHZ7|1RZn(&iZnX!Q5I9RJ>*>Vf7$bWz(pBuBkDUnjy- zM(py@FMZa^6~9J8&qs6HwQ3YJ75#ZtQ#y$y6iN}@q5;%9!JnQ*oZ~^iVu^fKV;`Gt z>;;M`Bp?l&A@^>|mMk^EO*OC0HBTSC!$!kqPrI_h$T6iSj3bxiHi{QRU%L+rcMAR**A7x`kGfvMIhw3 ziEO3f4o0W*6`%;N<2N^v-o2^tT~o(YN>WwZE#v!QAp+nC#eb*|kE0i@%C5p}!Ymm9 z1&jw+sErTi>vgq`Fb)T&O=KyUj88RBdbaF`pUa{VGQI(io_E&{)=A-xYQJQq5|pSVz0(`(>RPjK92l<8T~&?TKWJ$2qMkoBZ2UR5_(@ zleitW=ybm`?tPlsPf%nT>vN{U?!vSe5~!#XDA&LZIbqKITr za*UlwLCy~F?$ZUS+?Jo?jV_#`Y@@{ zuJ!c_D8Ci5omGd+gY8p&tn;RojBn`TpUHXO!Dh#mvXj+{1Al4A=Pcb}=Ub0xkT_ny8Kl4c*CbH0T0N!7VKb1o@Q;xxQjEETNTFEedP*B?j6-}w>$yH%@NJV~PO7fD@kp18g?%+fP z8RgDrobue*olz@o)>vImp#dU)6~gm`t1l!w&y*j2d!6hMzTSs+?+OoFM`iT zEYvK|X(fnS0|)((>qN>h!4-aV(o_g8^+ZAr2!@Z z-Mvc~<*hJoFIEIIych5>bLo)m zu>GGo02ZN5o^=8`b}8}sT`dYuAp$o zvC85AAC6vWGz56BWjea`zIeFj9=U;6@LEA5#fA=0J^0~a7vz4jG#mD}{ioqOI|WV; zb72r@E$}%H#&a`EgXWH=m2TpIf6!1=l5lFG0lzA4C(*CjiK&&X1_xxB@WKuG-C_Gm z$kWHpR13b^!GO+s_#Kg?$W{SE=5Ve!@6C+NNwsLQX_thg1sLP3hZZqe3^I#+`d%E)z)T&MhqX#eM>l@zE zDr!G;Gu&j5Z+~4F!Q{cA0;dAm(o?cA@$;R5FU75lG_90_b6M~bx5tV)3hg&xI^#~STH-9|ULheyAvddGdF6BGwl z7;Y7nJ^$Scde+fKn^OA|I92Cb*;&qa%`sS@aGkL%&`x9RZ^x;uVhOL#o9Po?zG3A0 zPks~!jRC8mDS@Q(p4$`t+jBS>@(EJ|MHYam0YQo^^vKsbK}dTXH`$Ty;>HxK^CCU#xbs*yQRTYF&gE^IuOERtv2714*B#!h=3 zJ1ESDh`xK+plf#Yu45NDMXA)F0EgR+GS}(ytUPFdFGlZoNObS6%55M_-%UqMav|R2^TD3bG)sm$v*a9s+cb;v?wu>?x6#+E) zU&);R&Yw+&w5Q7UwOs!AO7^fltY;w2L>KJd8M?cL(<#qjTI8SQ9n@BpOh52doDEMt ze(YacbT450Xk5z7y&UpT*SdS9cI~dh@kl!_Y{R!Q$ODTDL*^+LnoN{#OE!RDjFgT= zFncc&H=Dk@tPD1A7XWUdIy_L9!&ddP<_H~Tjo%|%{quq}`cj6MiTOZ0_X}!QzQuO8 
z2$?Fdq<3A@$>SRpP~7umIxhJ2ObQe(JhoF5==E}*&PZ3sfd5S}*}wZqq!aXCmiW!dP%AUs{^lXDzX+7iMXpe_}+FJoiKyWQ%7I$#fN-b#$DcNwrRDLi2XNjk%+%1SO)`l4mxNEvshT> z3=EtoeL_tY1v5~qD(L#bEV8F!DaKI z(cJ6u+m*MQ9nH?QngjNuz}ne^gp48RMED#QK~r01g2P z$376u8e5)oRy7`qB!+Ue@aOJX)eooAec8LT$-px$*o-=6Bt9m36mF+9s*W~DH^pPD ztFOt&5Ikn`LAuDl0PzQHfVexI0OeK?5avGhV}cbw9F{L)G!et`T?LKsPJ4sZzGLt& zGMQ>??Ch$N-W{#z4p2MOUK5rwg40!d4mH>9!<-#)wnMQ;iI^9(;*Jx432Et^I-f>{ zi3ccvC8gX#B=Z8ba6qHlIh=n$J6%IP7wz>;X|rn+DK!k!w@R*?gyb*pDPv>gpNd{| z&PEzKukk$pCdOPZZgOOe;8A*ykkp9E>X}_lqrcMU3QH}_o$G9{C~GqxNF0r|(e#Xz zw2rgD<>5!)-WxIz*`gi6&!g=8Kw96@GB%r(KBcv(QE>w(9e!K+fAFdC`hldhBE{3V zpTl`y3LiEK)UPAUF2KFq0v3(cL;>GHC6?+-slc^zt#cPFqGa;R5Xls?AUM*eS z@j;RWmow@z+q}&ocJ^#4;xb#16pkKlagV<%VKRtR0NVBe#nmn!T zMOw_7>;A>U0P796g|V&P_)%&74dWLw;vNBQZfwN3Nyoi9H%RS^vw18GsAACD3fq{cXRx*AT%dFSpmOR9qz zJzY2|dS#*ME?#tZi?)xp?M&8|y4m)&28~gHEI_CL) zuyQHi&jX8lr=7gMEjzww9K6nR7`x&IC0YjLp`wnlESHr3LQv;hz?&4~R&R`Yeugpf z*C4_aku;2jWV|o~1(tuySLBCgn}_pQ^)y<38`49K#RtNo`>f0%C2NnNwNo#2AiE~Q z-prGz+qC<8qU|SdR17OAR_}3*ufxuaVZ9XCUaR4Bzh?K40EWrosr?2K!gqE!v@* zdF8Bb|JD86?=oV=?w{FXvQlGpaF2|aFlUDG5->l>Pqhs7VTrmgUkfX(_vm%2Dj@m( zwin%@FkgU5;KYFWrjqDGe7b5b+%QZv z9)st93X*NW2!JMj=SMh?8IOMY=4Xm_HRm41?yYR^4DJGIZHMK{j>DR)Wyk(#8BCtn zZFY)jW_{kq;IOPVZvlPmR|f>ZHEuXV$XjLNU*S0vsz1xPw6Hr)0Di%Y9Mtw3p8Xg@ z^oVs5xdKDD?Zy6kS`BXbY{!unadcNViPqj3Vcs;h zh>|5Xu6p^8%?fASWUpyS?^ik&u=e}X-i@u-dWW97p;(;GO+lG2*>;lA9B;6|3Dl{? 
zaXk2IBqC)Lr;qI?UtJVuP0puit)g`|`G>y<`zdJjXh35(38Pzu^1@oR%z$*3m=4gu z3M9^isuvs)mQ5|cGp?Oa`du|s7t`lbF;y5?BR5&3vUABtv3~#wZdku2I zUid&S!TGwo*XQ4c1k!u#D&?=1n16aHEflvw}i(r{+NK5fF~5s{WyMM~+|AvG<6EQ2W1WkYlyM1FePYbpTOZ*4Si?G+fG@YN) z3TfJ7h(H0U@N-_&rDQOBf7**fL@;rH_Y#J_Xfxo%GW=UGu9sh4M z@2h~e=S*~RP(lbZC|s}O2Lblc4_X(86#M5!gdkUWwT$=0?L{o`&A-CuvGRIAOE)kf zYgx0t`SRejaPl>7=LM7AD_}il225jmxG*W3{IRpF@-lYHm+4C=KeBp(kAt*oz$^y3 zDxY)+**c4Is1dtfG~9fkHceXqQ{+1<$gK7(B?f^hfKkGKvE;U1b@_FrjGL;o0T_z_ zB#X)oDgmDU%@t2Oz|lMUm`KP2gHMu8}7FAzkOQxx}&W(fk64 z!#KW24-8#7Q_;p9Q$6sPynmbXSWRNHtDTdf{RG?cF4 z50!2(7mdg>VUa%~fQ;VZ$hcuzn+F(ajQB&+u7|Dla{jZOEyvSY5;%P-#5p;X(s2I%m8YRsAVk3dVKT1pyRu zp_&wo@iU+=**0}^C4;Exd&KeLLZ!(^Pd?Nn^1Oc13mE1B%&HLH@I(y!q1dc0A<{9I zH-3F?rSq9DmPkspu^@Xr#ChYwOD+(zx`d6g@|fN&Y9KBfV#-;T(* z;1#>y#NHcfXhPO_|9mG;C5Hk`nT||h8cVP8)sXg1Qm5P^|C+ICqyg17_OtjetMEPj zGlFd_tv1A5;dTlq*)_*(4^)wbSe`=j9Hc&!w_f0Y13C5W!69gps{zA4B z!|WHpL1---xlEWnM@gq{y!<#vo40ZC6jWScVf-iIZ*;OHBG&+TBkvew#G|p318s36 znwI|Jru$B6%QUQZD7FC&I0#+eO}$Gd>n789BJ+;IuGBxtV&gx#rvyq}CjwCNh_CUH zf8p9rOOsj828>{`m8!t;0i4^3BybWM8h6EY;_dc(?86qz)HInxjDT4wx5D)+ML8rp z%6i(#v>F4%DOHB5n~wpT(E!q9khP>KrpeNI9+;on!y%>DLJC+xFU3;PwX0?OSt$QW zeQ|RBe<#4T!ry1mo|MzhdhZ$Yf^)9|UC4HEyz6kXj&6)%vEDsk_-Wr)3G&DQLmWbf zmM>e)*`*GbJpYGW{^}={ulKA9?-1PO@~4}PVhmq}>1xa5;H0{GN#Esthw0KD94S75(}!It6s+F2klne7d(oWRP^iHeltlXTIWRYqcSMZrrNZ|7zdTdGFV}RoQSM?umk{XQPt8W`_ zt0|z8!x$)zb~1Jq#lYSXlBrqEw8t}lStjuJd}yx9+=c?UWI-g`PXx&dk|at;I74GH z-mJ-m$iX_ofZ_qc28ZxTMo&|jh-!#!VRhp{7IqzW7vLsA=QW>G3!x1T)qu`ZiIjQQ zpW|$Wgo+}UVrPltF&LE?zB3*rCNTZ%*L~QTyVJT=|G?VU)2l)T$xwI>bD4~*Ds8rP01C}EVf!F=3 z)*#G})3{p-T}&#s1KV-hgTs>_HtQJt!?^0aXQ}U_VDtJe$^Ce_hlu$r2F%}hZF6}X4yIY0W z-OSj#b42;pVFNnEAT|A**E0@tW~!_~Nb)5ps(g$Cl=mh7$2xfg?6t-7s{G~;m&4`L zl;i%~|M@IX2AXriur|VWvSpX#;`-S%ZsupURhzv#zp5)da@&nJ3qTvi=`O)Mrzrew zr=-|#B9NrX#j94rH$Y+|j%Ok)kv{BO8?26DSa78TIyb z-}^4$q*>r$inux+3m;u|hNKv=v#OS*?Rw2glpEM9c~3U=kMIE=2jpA*#O7j})G`rX zqNE#3H!AxlL5RlV^bZNzQBNhz}t>@=P`Iv3VYD4g6di3|`pLVhUogOwiI|5!#7Rro1`UfU3VrH9m}b{h$Eg;b)8b1afs 
zv!I%>*ax~K|K|$$1zFpBu%tgQHAXV=MZGPpJy5jn2j{xqoF9C=; z0iS104&W9G^`%S?@PD1qY9y3QJpL(nACZqcp}FA2ztx5`xt&MHvmptDh5>i%^M9U* z3V`m0EBCu+_;zw;OQ6>d+v9Rs91SJ_O%ikKjkQcUs7+Hbm;3og=d0d-6Hgo0odFa6 zFYnckdEt8SJsshgcq{~KfBR{}M3b+2?Z9QrBwX*wFYgBv%jikhKz1W|5A;{x<}5b^ zX;#yz=TE2IDGkw7i3rL4&ziG;VgF9M__xE1!&$r&x~(v30!$8)LBy!${Owe|Jq7as z1KD19e1Urxu%h`B0M4@O+0NWbnrD$PHo&(XDA0gT6_n|~#L;T57l>Wfd`(JcO6MKt zHJawWO&L%6JgWY0`uLsNchL#$Z@P$21y34XyDUPKvbt(dgr6sK0vTn{LB+)k@Jl|w z$G0p0a)MSi9yVPKcu#SsIo+Rf2KeE_qhOd_4byzt@4dI3Leq@#DM>;C}NZ{eA^mQv=Z*5EZ(9vggp9 zP|;&4k&8}yv#*y%qWbn_X#ST%4ftEmSmaNj`6CPHOQCH@0vfd|0IB!3d`p=iLt^SkT!$jg=it%23I;lF<^L`F|E6Vc znf2~hE?*7XXik!BZ{Lce0onAVB8TnZeQlXQ(N`WVZ?vpefao^JB^mJI7a{I_Svr)7 zjB>_8`z(cOuntUwi_S{Af=PR2U0W+#8&VZG-skwhqCuNbBV?dw3M5}de{m~THZ|v~ z4B~~quyy48KlaYrhk3Lh->0-h=m2@*wGx@O$|R6d1B&#E#K#8;%MRUHpHrC$9*YDI z9hKAICP?ZqN#_+o=MIf%y+M-#6)2w(Pj9-&A&)&=48pAjbG` zs#mC=HofIu9lgp2xbdz7gN#LAplU?E!b%SxX#St=K)S|xM)zv@@7HJ}x4_PT?z4gD zfc2~X6lwEsz&ZNa3gobk=_&J+w_N^;3WFYcA_i?Bf$m}$D_6Ipl%SE<#4GsqVNroi zUg?YOCm4W2YkY>1lCk3FPhM6S7OS*xuft3Z^5ZQFMY&Qh^(UlMZF~Y>Z+W$-SAw2{ z1H=|Rr$5*TgThz*jVf6*#1Hy@q{LLF7&<%e+o&XlZCFz?b44RCG1WyfV*&)PcOm&& zL-!-DK4(%p3t&)2Q+ZYM?gqB2Ee1XS{M_hW&X>c#Ls9AUrPB4*z9N#%Ha!RK?(8+% z-4*HMtoW+Wbz{k}-dq8bt3jyZ1q#gjlJ`29OT^3rBRerv1#s3ossmD*KaWjB_?pI- z76Yd+|GO&s<~QuOk$tb>76E_czedul#_uK`K8>@Yq`;I8U2O*H8p#(I&K}=H?PpA% z0D(SW<&t${1d}1Ap5In|jR^z=@>dK~IaVr{=z`JG~ono90oC z4}H!o@%dpyt>gq^%EqK8)8M)V0g0aP$VBw2qV*_XUp;HXH-TK*H+g$fwz#X4V1XVC z$V|br=wxy1j}EQE-i_PEmCRG%mL@I{UiR7Ep7`8?K?B70;be_Z34wqKn44H@nWf1o z^tHutKr4*|fFa-!L@_dmvdsb|p!341+Sp#@h|hB?fAhbEe8s7IydP5ApQX#fCjYh7 zYX%Q+nIQzHFb%j7Gb@bv<}xy7H&58Iy2as8v+lX12M{xXGGNG9A7=5j+bzWF_C4h zZx5e^aep|vU0(YlK#7O OpenID + Connect section of the repository settings. + type: string + identity_provider_url: + description: IdentityProviderURL is a Bitbucket-specified issuer + URL for incoming OIDC tokens. 
It is unique to each Bitbucket + repository, and must be set to the value as written in the Pipelines + -> OpenID Connect section of the repository settings. + type: string + type: object + bot_name: + description: BotName is the name of the bot this token grants access + to, if any + type: string + circleci: + description: CircleCI allows the configuration of options specific + to the "circleci" join method. + nullable: true + properties: + allow: + description: Allow is a list of TokenRules, nodes using this token + must match one allow rule to use this token. + items: + properties: + context_id: + type: string + project_id: + type: string + type: object + nullable: true + type: array + organization_id: + type: string + type: object + gcp: + description: GCP allows the configuration of options specific to the + "gcp" join method. + nullable: true + properties: + allow: + description: Allow is a list of Rules, nodes using this token + must match one allow rule to use this token. + items: + properties: + locations: + items: + type: string + nullable: true + type: array + project_ids: + items: + type: string + nullable: true + type: array + service_accounts: + items: + type: string + nullable: true + type: array + type: object + nullable: true + type: array + type: object + github: + description: GitHub allows the configuration of options specific to + the "github" join method. + nullable: true + properties: + allow: + description: Allow is a list of TokenRules, nodes using this token + must match one allow rule to use this token. + items: + properties: + actor: + type: string + environment: + type: string + ref: + type: string + ref_type: + type: string + repository: + type: string + repository_owner: + type: string + sub: + type: string + workflow: + type: string + type: object + nullable: true + type: array + enterprise_server_host: + description: EnterpriseServerHost allows joining from runners + associated with a GitHub Enterprise Server instance. 
When unconfigured, + tokens will be validated against github.com, but when configured + to the host of a GHES instance, then the tokens will be validated + against host. This value should be the hostname of the GHES + instance, and should not include the scheme or a path. The instance + must be accessible over HTTPS at this hostname and the certificate + must be trusted by the Auth Service. + type: string + enterprise_slug: + description: EnterpriseSlug allows the slug of a GitHub Enterprise + organisation to be included in the expected issuer of the OIDC + tokens. This is for compatibility with the `include_enterprise_slug` + option in GHE. This field should be set to the slug of your + enterprise if this is enabled. If this is not enabled, then + this field must be left empty. This field cannot be specified + if `enterprise_server_host` is specified. See https://docs.github.com/en/enterprise-cloud@latest/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#customizing-the-issuer-value-for-an-enterprise + for more information about customized issuer values. + type: string + static_jwks: + description: StaticJWKS disables fetching of the GHES signing + keys via the JWKS/OIDC endpoints, and allows them to be directly + specified. This allows joining from GitHub Actions in GHES instances + that are not reachable by the Teleport Auth Service. + type: string + type: object + gitlab: + description: GitLab allows the configuration of options specific to + the "gitlab" join method. + nullable: true + properties: + allow: + description: Allow is a list of TokenRules, nodes using this token + must match one allow rule to use this token. 
+ items: + properties: + ci_config_ref_uri: + type: string + ci_config_sha: + type: string + deployment_tier: + type: string + environment: + type: string + environment_protected: + type: boolean + namespace_path: + type: string + pipeline_source: + type: string + project_path: + type: string + project_visibility: + type: string + ref: + type: string + ref_protected: + type: boolean + ref_type: + type: string + sub: + type: string + user_email: + type: string + user_id: + type: string + user_login: + type: string + type: object + nullable: true + type: array + domain: + description: Domain is the domain of your GitLab instance. This + will default to `gitlab.com` - but can be set to the domain + of your self-hosted GitLab e.g `gitlab.example.com`. + type: string + static_jwks: + description: StaticJWKS disables fetching of the GitLab signing + keys via the JWKS/OIDC endpoints, and allows them to be directly + specified. This allows joining from GitLab CI instances that + are not reachable by the Teleport Auth Service. + type: string + type: object + join_method: + description: 'JoinMethod is the joining method required in order to + use this token. Supported joining methods include: azure, circleci, + ec2, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm' + type: string + kubernetes: + description: Kubernetes allows the configuration of options specific + to the "kubernetes" join method. + nullable: true + properties: + allow: + description: Allow is a list of Rules, nodes using this token + must match one allow rule to use this token. + items: + properties: + service_account: + type: string + type: object + nullable: true + type: array + static_jwks: + description: StaticJWKS is the configuration specific to the `static_jwks` + type. + nullable: true + properties: + jwks: + type: string + type: object + type: + description: 'Type controls which behavior should be used for + validating the Kubernetes Service Account token. 
Support values: + - `in_cluster` - `static_jwks` If unset, this defaults to `in_cluster`.' + type: string + type: object + oracle: + description: Oracle allows the configuration of options specific to + the "oracle" join method. + nullable: true + properties: + allow: + description: Allow is a list of Rules, nodes using this token + must match one allow rule to use this token. + items: + properties: + parent_compartments: + items: + type: string + nullable: true + type: array + regions: + items: + type: string + nullable: true + type: array + tenancy: + type: string + type: object + nullable: true + type: array + type: object + roles: + description: Roles is a list of roles associated with the token, that + will be converted to metadata in the SSH and X509 certificates issued + to the user of the token + items: + type: string + nullable: true + type: array + spacelift: + description: Spacelift allows the configuration of options specific + to the "spacelift" join method. + nullable: true + properties: + allow: + description: Allow is a list of Rules, nodes using this token + must match one allow rule to use this token. + items: + properties: + caller_id: + type: string + caller_type: + type: string + scope: + type: string + space_id: + type: string + type: object + nullable: true + type: array + hostname: + description: Hostname is the hostname of the Spacelift tenant + that tokens will originate from. E.g `example.app.spacelift.io` + type: string + type: object + suggested_agent_matcher_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: SuggestedAgentMatcherLabels is a set of labels to be + used by agents to match on resources. When an agent uses this token, + the agent should monitor resources that match those labels. For + databases, this means adding the labels to `db_service.resources.labels`. + Currently, only node-join scripts create a configuration according + to the suggestion. 
+ type: object + suggested_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: SuggestedLabels is a set of labels that resources should + set when using this token to enroll themselves in the cluster. Currently, + only node-join scripts create a configuration according to the suggestion. + type: object + terraform_cloud: + description: TerraformCloud allows the configuration of options specific + to the "terraform_cloud" join method. + nullable: true + properties: + allow: + description: Allow is a list of Rules, nodes using this token + must match one allow rule to use this token. + items: + properties: + organization_id: + type: string + organization_name: + type: string + project_id: + type: string + project_name: + type: string + run_phase: + type: string + workspace_id: + type: string + workspace_name: + type: string + type: object + nullable: true + type: array + audience: + description: Audience is the JWT audience as configured in the + TFC_WORKLOAD_IDENTITY_AUDIENCE(_$TAG) variable in Terraform + Cloud. If unset, defaults to the Teleport cluster name. For + example, if `TFC_WORKLOAD_IDENTITY_AUDIENCE_TELEPORT=foo` is + set in Terraform Cloud, this value should be `foo`. If the variable + is set to match the cluster name, it does not need to be set + here. + type: string + hostname: + description: Hostname is the hostname of the Terraform Enterprise + instance expected to issue JWTs allowed by this token. This + may be unset for regular Terraform Cloud use, in which case + it will be assumed to be `app.terraform.io`. Otherwise, it must + both match the `iss` (issuer) field included in JWTs, and provide + standard JWKS endpoints. + type: string + type: object + tpm: + description: TPM allows the configuration of options specific to the + "tpm" join method. + nullable: true + properties: + allow: + description: Allow is a list of Rules, the presented delegated + identity must match one allow rule to permit joining. 
+ items: + properties: + description: + type: string + ek_certificate_serial: + type: string + ek_public_hash: + type: string + type: object + nullable: true + type: array + ekcert_allowed_cas: + description: EKCertAllowedCAs is a list of CA certificates that + will be used to validate TPM EKCerts. When specified, joining + TPMs must present an EKCert signed by one of the specified CAs. + TPMs that do not present an EKCert will be not permitted to + join. When unspecified, TPMs will be allowed to join with either + an EKCert or an EKPubHash. + items: + type: string + nullable: true + type: array + type: object + type: object + status: + description: Status defines the observed state of the Teleport resource + properties: + conditions: + description: Conditions represent the latest available observations + of an object's state + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. 
+ Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + teleportResourceID: + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/teleport-cluster-17.4.9/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml b/teleport-cluster-17.4.9/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml new file mode 100644 index 0000000..5b8d0cd --- /dev/null +++ b/teleport-cluster-17.4.9/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml 
@@ -0,0 +1,2966 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: teleportroles.resources.teleport.dev +spec: + group: resources.teleport.dev + names: + kind: TeleportRole + listKind: TeleportRoleList + plural: teleportroles + singular: teleportrole + scope: Namespaced + versions: + - name: v5 + schema: + openAPIV3Schema: + description: Role is the Schema for the roles API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Role resource definition v5 from Teleport + properties: + allow: + description: Allow is the set of conditions evaluated to grant access. + properties: + account_assignments: + description: AccountAssignments holds the list of account assignments + affected by this condition. + items: + properties: + account: + type: string + permission_set: + type: string + type: object + type: array + app_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: AppLabels is a map of labels used as part of the + RBAC system. + type: object + app_labels_expression: + description: AppLabelsExpression is a predicate expression used + to allow/deny access to Apps. + type: string + aws_role_arns: + description: AWSRoleARNs is a list of AWS role ARNs this role + is allowed to assume. 
+ items: + type: string + nullable: true + type: array + azure_identities: + description: AzureIdentities is a list of Azure identities this + role is allowed to assume. + items: + type: string + nullable: true + type: array + cluster_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: ClusterLabels is a map of node labels (used to dynamically + grant access to clusters). + type: object + cluster_labels_expression: + description: ClusterLabelsExpression is a predicate expression + used to allow/deny access to remote Teleport clusters. + type: string + db_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: DatabaseLabels are used in RBAC system to allow/deny + access to databases. + type: object + db_labels_expression: + description: DatabaseLabelsExpression is a predicate expression + used to allow/deny access to Databases. + type: string + db_names: + description: DatabaseNames is a list of database names this role + is allowed to connect to. + items: + type: string + nullable: true + type: array + db_permissions: + description: DatabasePermissions specifies a set of permissions + that will be granted to the database user when using automatic + database user provisioning. + items: + properties: + match: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: Match is a list of object labels that must + be matched for the permission to be granted. + type: object + permissions: + description: Permission is the list of string representations + of the permission to be given, e.g. SELECT, INSERT, UPDATE, + ... + items: + type: string + nullable: true + type: array + type: object + type: array + db_roles: + description: DatabaseRoles is a list of databases roles for automatic + user creation. 
+ items: + type: string + nullable: true + type: array + db_service_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: DatabaseServiceLabels are used in RBAC system to + allow/deny access to Database Services. + type: object + db_service_labels_expression: + description: DatabaseServiceLabelsExpression is a predicate expression + used to allow/deny access to Database Services. + type: string + db_users: + description: DatabaseUsers is a list of databases users this role + is allowed to connect as. + items: + type: string + nullable: true + type: array + desktop_groups: + description: DesktopGroups is a list of groups for created desktop + users to be added to + items: + type: string + nullable: true + type: array + gcp_service_accounts: + description: GCPServiceAccounts is a list of GCP service accounts + this role is allowed to assume. + items: + type: string + nullable: true + type: array + github_permissions: + description: GitHubPermissions defines GitHub integration related + permissions. + items: + properties: + orgs: + items: + type: string + nullable: true + type: array + type: object + type: array + group_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: GroupLabels is a map of labels used as part of the + RBAC system. + type: object + group_labels_expression: + description: GroupLabelsExpression is a predicate expression used + to allow/deny access to user groups. + type: string + host_groups: + description: HostGroups is a list of groups for created users + to be added to + items: + type: string + nullable: true + type: array + host_sudoers: + description: HostSudoers is a list of entries to include in a + users sudoer file + items: + type: string + nullable: true + type: array + impersonate: + description: Impersonate specifies what users and roles this role + is allowed to impersonate by issuing certificates or other possible + means. 
+ nullable: true + properties: + roles: + description: Roles is a list of resources this role is allowed + to impersonate + items: + type: string + nullable: true + type: array + users: + description: Users is a list of resources this role is allowed + to impersonate, could be an empty list or a Wildcard pattern + items: + type: string + nullable: true + type: array + where: + description: Where specifies optional advanced matcher + type: string + type: object + join_sessions: + description: JoinSessions specifies policies to allow users to + join other sessions. + items: + properties: + kinds: + description: Kinds are the session kinds this policy applies + to. + items: + type: string + nullable: true + type: array + modes: + description: Modes is a list of permitted participant modes + for this policy. + items: + type: string + nullable: true + type: array + name: + description: Name is the name of the policy. + type: string + roles: + description: Roles is a list of roles that you can join + the session of. + items: + type: string + nullable: true + type: array + type: object + nullable: true + type: array + kubernetes_groups: + description: KubeGroups is a list of kubernetes groups + items: + type: string + nullable: true + type: array + kubernetes_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: KubernetesLabels is a map of kubernetes cluster labels + used for RBAC. + type: object + kubernetes_labels_expression: + description: KubernetesLabelsExpression is a predicate expression + used to allow/deny access to kubernetes clusters. + type: string + kubernetes_resources: + description: KubernetesResources is the Kubernetes Resources this + Role grants access to. + items: + properties: + kind: + description: Kind specifies the Kubernetes Resource type. + type: string + name: + description: Name is the resource name. It supports wildcards. + type: string + namespace: + description: Namespace is the resource namespace. 
It supports + wildcards. + type: string + verbs: + description: Verbs are the allowed Kubernetes verbs for + the following resource. + items: + type: string + nullable: true + type: array + type: object + type: array + kubernetes_users: + description: KubeUsers is an optional kubernetes users to impersonate + items: + type: string + nullable: true + type: array + logins: + description: Logins is a list of *nix system logins. + items: + type: string + nullable: true + type: array + node_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: NodeLabels is a map of node labels (used to dynamically + grant access to nodes). + type: object + node_labels_expression: + description: NodeLabelsExpression is a predicate expression used + to allow/deny access to SSH nodes. + type: string + request: + nullable: true + properties: + annotations: + additionalProperties: + items: + type: string + type: array + description: Annotations is a collection of annotations to + be programmatically appended to pending Access Requests + at the time of their creation. These annotations serve as + a mechanism to propagate extra information to plugins. Since + these annotations support variable interpolation syntax, + they also offer a mechanism for forwarding claims from an + external identity provider, to a plugin via `{{external.trait_name}}` + style substitutions. + type: object + claims_to_roles: + description: ClaimsToRoles specifies a mapping from claims + (traits) to teleport roles. + items: + properties: + claim: + description: Claim is a claim name. + type: string + roles: + description: Roles is a list of static teleport roles + to match. + items: + type: string + nullable: true + type: array + value: + description: Value is a claim value to match. + type: string + type: object + type: array + kubernetes_resources: + description: 'kubernetes_resources can optionally enforce + a requester to request only certain kinds of kube resources. 
+ Eg: Users can make request to either a resource kind "kube_cluster" + or any of its subresources like "namespaces". This field + can be defined such that it prevents a user from requesting + "kube_cluster" and enforce requesting any of its subresources.' + items: + properties: + kind: + description: kind specifies the Kubernetes Resource + type. + type: string + type: object + type: array + max_duration: + description: MaxDuration is the amount of time the access + will be granted for. If this is zero, the default duration + is used. + format: duration + type: string + reason: + description: Reason defines settings for the reason for the + access provided by the user. + nullable: true + properties: + mode: + description: Mode can be either "required" or "optional". + Empty string is treated as "optional". If a role has + the request reason mode set to "required", then reason + is required for all Access Requests requesting roles + or resources allowed by this role. It applies only to + users who have this role assigned. + type: string + type: object + roles: + description: Roles is the name of roles which will match the + request rule. + items: + type: string + nullable: true + type: array + search_as_roles: + description: SearchAsRoles is a list of extra roles which + should apply to a user while they are searching for resources + as part of a Resource Access Request, and defines the underlying + roles which will be requested as part of any Resource Access + Request. + items: + type: string + nullable: true + type: array + suggested_reviewers: + description: SuggestedReviewers is a list of reviewer suggestions. These + can be teleport usernames, but that is not a requirement. + items: + type: string + nullable: true + type: array + thresholds: + description: Thresholds is a list of thresholds, one of which + must be met in order for reviews to trigger a state-transition. If + no thresholds are provided, a default threshold of 1 for + approval and denial is used. 
+ items: + properties: + approve: + description: Approve is the number of matching approvals + needed for state-transition. + format: int32 + type: integer + deny: + description: Deny is the number of denials needed for + state-transition. + format: int32 + type: integer + filter: + description: Filter is an optional predicate used to + determine which reviews count toward this threshold. + type: string + name: + description: Name is the optional human-readable name + of the threshold. + type: string + type: object + type: array + type: object + require_session_join: + description: RequireSessionJoin specifies policies for required + users to start a session. + items: + properties: + count: + description: Count is the amount of people that need to + be matched for this policy to be fulfilled. + format: int32 + type: integer + filter: + description: Filter is a predicate that determines what + users count towards this policy. + type: string + kinds: + description: Kinds are the session kinds this policy applies + to. + items: + type: string + nullable: true + type: array + modes: + description: Modes is the list of modes that may be used + to fulfill this policy. + items: + type: string + nullable: true + type: array + name: + description: Name is the name of the policy. + type: string + on_leave: + description: OnLeave is the behaviour that's used when the + policy is no longer fulfilled for a live session. + type: string + type: object + nullable: true + type: array + review_requests: + description: ReviewRequests defines conditions for submitting + access reviews. + nullable: true + properties: + claims_to_roles: + description: ClaimsToRoles specifies a mapping from claims + (traits) to teleport roles. + items: + properties: + claim: + description: Claim is a claim name. + type: string + roles: + description: Roles is a list of static teleport roles + to match. 
+ items: + type: string + nullable: true + type: array + value: + description: Value is a claim value to match. + type: string + type: object + type: array + preview_as_roles: + description: PreviewAsRoles is a list of extra roles which + should apply to a reviewer while they are viewing a Resource + Access Request for the purposes of viewing details such + as the hostname and labels of requested resources. + items: + type: string + nullable: true + type: array + roles: + description: Roles is the name of roles which may be reviewed. + items: + type: string + nullable: true + type: array + where: + description: Where is an optional predicate which further + limits which requests are reviewable. + type: string + type: object + rules: + description: Rules is a list of rules and their access levels. + Rules are a high level construct used for access control. + items: + properties: + actions: + description: Actions specifies optional actions taken when + this rule matches + items: + type: string + nullable: true + type: array + resources: + description: Resources is a list of resources + items: + type: string + nullable: true + type: array + verbs: + description: Verbs is a list of verbs + items: + type: string + nullable: true + type: array + where: + description: Where specifies optional advanced matcher + type: string + type: object + type: array + spiffe: + description: SPIFFE is used to allow or deny access to a role + holder to generating a SPIFFE SVID. + items: + properties: + dns_sans: + description: 'DNSSANs specifies matchers for the SPIFFE + ID DNS SANs. Each requested DNS SAN is compared against + all matchers configured and if any match, the condition + is considered to be met. The matcher by default allows + ''*'' to be used to indicate zero or more of any character. + Prepend ''^'' and append ''$'' to instead switch to matching + using the Go regex syntax. 
Example: *.example.com would + match foo.example.com' + items: + type: string + nullable: true + type: array + ip_sans: + description: 'IPSANs specifies matchers for the SPIFFE ID + IP SANs. Each requested IP SAN is compared against all + matchers configured and if any match, the condition is + considered to be met. The matchers should be specified + using CIDR notation, it supports IPv4 and IPv6. Examples: + - 10.0.0.0/24 would match 10.0.0.0 to 10.255.255.255 - + 10.0.0.42/32 would match only 10.0.0.42' + items: + type: string + nullable: true + type: array + path: + description: 'Path specifies a matcher for the SPIFFE ID + path. It should not include the trust domain and should + start with a leading slash. The matcher by default allows + ''*'' to be used to indicate zero or more of any character. + Prepend ''^'' and append ''$'' to instead switch to matching + using the Go regex syntax. Example: - /svc/foo/*/bar + would match /svc/foo/baz/bar - ^\/svc\/foo\/.*\/bar$ would + match /svc/foo/baz/bar' + type: string + type: object + nullable: true + type: array + windows_desktop_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: WindowsDesktopLabels are used in the RBAC system + to allow/deny access to Windows desktops. + type: object + windows_desktop_labels_expression: + description: WindowsDesktopLabelsExpression is a predicate expression + used to allow/deny access to Windows desktops. + type: string + windows_desktop_logins: + description: WindowsDesktopLogins is a list of desktop login names + allowed/denied for Windows desktops. + items: + type: string + nullable: true + type: array + workload_identity_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: WorkloadIdentityLabels controls whether or not specific + WorkloadIdentity resources can be invoked. Further authorization + controls exist on the WorkloadIdentity resource itself. 
+ type: object + workload_identity_labels_expression: + description: WorkloadIdentityLabelsExpression is a predicate expression + used to allow/deny access to issuing a WorkloadIdentity. + type: string + type: object + deny: + description: Deny is the set of conditions evaluated to deny access. + Deny takes priority over allow. + properties: + account_assignments: + description: AccountAssignments holds the list of account assignments + affected by this condition. + items: + properties: + account: + type: string + permission_set: + type: string + type: object + type: array + app_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: AppLabels is a map of labels used as part of the + RBAC system. + type: object + app_labels_expression: + description: AppLabelsExpression is a predicate expression used + to allow/deny access to Apps. + type: string + aws_role_arns: + description: AWSRoleARNs is a list of AWS role ARNs this role + is allowed to assume. + items: + type: string + nullable: true + type: array + azure_identities: + description: AzureIdentities is a list of Azure identities this + role is allowed to assume. + items: + type: string + nullable: true + type: array + cluster_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: ClusterLabels is a map of node labels (used to dynamically + grant access to clusters). + type: object + cluster_labels_expression: + description: ClusterLabelsExpression is a predicate expression + used to allow/deny access to remote Teleport clusters. + type: string + db_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: DatabaseLabels are used in RBAC system to allow/deny + access to databases. + type: object + db_labels_expression: + description: DatabaseLabelsExpression is a predicate expression + used to allow/deny access to Databases. 
+ type: string + db_names: + description: DatabaseNames is a list of database names this role + is allowed to connect to. + items: + type: string + nullable: true + type: array + db_permissions: + description: DatabasePermissions specifies a set of permissions + that will be granted to the database user when using automatic + database user provisioning. + items: + properties: + match: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: Match is a list of object labels that must + be matched for the permission to be granted. + type: object + permissions: + description: Permission is the list of string representations + of the permission to be given, e.g. SELECT, INSERT, UPDATE, + ... + items: + type: string + nullable: true + type: array + type: object + type: array + db_roles: + description: DatabaseRoles is a list of databases roles for automatic + user creation. + items: + type: string + nullable: true + type: array + db_service_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: DatabaseServiceLabels are used in RBAC system to + allow/deny access to Database Services. + type: object + db_service_labels_expression: + description: DatabaseServiceLabelsExpression is a predicate expression + used to allow/deny access to Database Services. + type: string + db_users: + description: DatabaseUsers is a list of databases users this role + is allowed to connect as. + items: + type: string + nullable: true + type: array + desktop_groups: + description: DesktopGroups is a list of groups for created desktop + users to be added to + items: + type: string + nullable: true + type: array + gcp_service_accounts: + description: GCPServiceAccounts is a list of GCP service accounts + this role is allowed to assume. + items: + type: string + nullable: true + type: array + github_permissions: + description: GitHubPermissions defines GitHub integration related + permissions. 
+ items: + properties: + orgs: + items: + type: string + nullable: true + type: array + type: object + type: array + group_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: GroupLabels is a map of labels used as part of the + RBAC system. + type: object + group_labels_expression: + description: GroupLabelsExpression is a predicate expression used + to allow/deny access to user groups. + type: string + host_groups: + description: HostGroups is a list of groups for created users + to be added to + items: + type: string + nullable: true + type: array + host_sudoers: + description: HostSudoers is a list of entries to include in a + users sudoer file + items: + type: string + nullable: true + type: array + impersonate: + description: Impersonate specifies what users and roles this role + is allowed to impersonate by issuing certificates or other possible + means. + nullable: true + properties: + roles: + description: Roles is a list of resources this role is allowed + to impersonate + items: + type: string + nullable: true + type: array + users: + description: Users is a list of resources this role is allowed + to impersonate, could be an empty list or a Wildcard pattern + items: + type: string + nullable: true + type: array + where: + description: Where specifies optional advanced matcher + type: string + type: object + join_sessions: + description: JoinSessions specifies policies to allow users to + join other sessions. + items: + properties: + kinds: + description: Kinds are the session kinds this policy applies + to. + items: + type: string + nullable: true + type: array + modes: + description: Modes is a list of permitted participant modes + for this policy. + items: + type: string + nullable: true + type: array + name: + description: Name is the name of the policy. + type: string + roles: + description: Roles is a list of roles that you can join + the session of. 
+ items: + type: string + nullable: true + type: array + type: object + nullable: true + type: array + kubernetes_groups: + description: KubeGroups is a list of kubernetes groups + items: + type: string + nullable: true + type: array + kubernetes_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: KubernetesLabels is a map of kubernetes cluster labels + used for RBAC. + type: object + kubernetes_labels_expression: + description: KubernetesLabelsExpression is a predicate expression + used to allow/deny access to kubernetes clusters. + type: string + kubernetes_resources: + description: KubernetesResources is the Kubernetes Resources this + Role grants access to. + items: + properties: + kind: + description: Kind specifies the Kubernetes Resource type. + type: string + name: + description: Name is the resource name. It supports wildcards. + type: string + namespace: + description: Namespace is the resource namespace. It supports + wildcards. + type: string + verbs: + description: Verbs are the allowed Kubernetes verbs for + the following resource. + items: + type: string + nullable: true + type: array + type: object + type: array + kubernetes_users: + description: KubeUsers is an optional kubernetes users to impersonate + items: + type: string + nullable: true + type: array + logins: + description: Logins is a list of *nix system logins. + items: + type: string + nullable: true + type: array + node_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: NodeLabels is a map of node labels (used to dynamically + grant access to nodes). + type: object + node_labels_expression: + description: NodeLabelsExpression is a predicate expression used + to allow/deny access to SSH nodes. 
+ type: string + request: + nullable: true + properties: + annotations: + additionalProperties: + items: + type: string + type: array + description: Annotations is a collection of annotations to + be programmatically appended to pending Access Requests + at the time of their creation. These annotations serve as + a mechanism to propagate extra information to plugins. Since + these annotations support variable interpolation syntax, + they also offer a mechanism for forwarding claims from an + external identity provider, to a plugin via `{{external.trait_name}}` + style substitutions. + type: object + claims_to_roles: + description: ClaimsToRoles specifies a mapping from claims + (traits) to teleport roles. + items: + properties: + claim: + description: Claim is a claim name. + type: string + roles: + description: Roles is a list of static teleport roles + to match. + items: + type: string + nullable: true + type: array + value: + description: Value is a claim value to match. + type: string + type: object + type: array + kubernetes_resources: + description: 'kubernetes_resources can optionally enforce + a requester to request only certain kinds of kube resources. + Eg: Users can make request to either a resource kind "kube_cluster" + or any of its subresources like "namespaces". This field + can be defined such that it prevents a user from requesting + "kube_cluster" and enforce requesting any of its subresources.' + items: + properties: + kind: + description: kind specifies the Kubernetes Resource + type. + type: string + type: object + type: array + max_duration: + description: MaxDuration is the amount of time the access + will be granted for. If this is zero, the default duration + is used. + format: duration + type: string + reason: + description: Reason defines settings for the reason for the + access provided by the user. + nullable: true + properties: + mode: + description: Mode can be either "required" or "optional". + Empty string is treated as "optional". 
If a role has + the request reason mode set to "required", then reason + is required for all Access Requests requesting roles + or resources allowed by this role. It applies only to + users who have this role assigned. + type: string + type: object + roles: + description: Roles is the name of roles which will match the + request rule. + items: + type: string + nullable: true + type: array + search_as_roles: + description: SearchAsRoles is a list of extra roles which + should apply to a user while they are searching for resources + as part of a Resource Access Request, and defines the underlying + roles which will be requested as part of any Resource Access + Request. + items: + type: string + nullable: true + type: array + suggested_reviewers: + description: SuggestedReviewers is a list of reviewer suggestions. These + can be teleport usernames, but that is not a requirement. + items: + type: string + nullable: true + type: array + thresholds: + description: Thresholds is a list of thresholds, one of which + must be met in order for reviews to trigger a state-transition. If + no thresholds are provided, a default threshold of 1 for + approval and denial is used. + items: + properties: + approve: + description: Approve is the number of matching approvals + needed for state-transition. + format: int32 + type: integer + deny: + description: Deny is the number of denials needed for + state-transition. + format: int32 + type: integer + filter: + description: Filter is an optional predicate used to + determine which reviews count toward this threshold. + type: string + name: + description: Name is the optional human-readable name + of the threshold. + type: string + type: object + type: array + type: object + require_session_join: + description: RequireSessionJoin specifies policies for required + users to start a session. + items: + properties: + count: + description: Count is the amount of people that need to + be matched for this policy to be fulfilled. 
+ format: int32 + type: integer + filter: + description: Filter is a predicate that determines what + users count towards this policy. + type: string + kinds: + description: Kinds are the session kinds this policy applies + to. + items: + type: string + nullable: true + type: array + modes: + description: Modes is the list of modes that may be used + to fulfill this policy. + items: + type: string + nullable: true + type: array + name: + description: Name is the name of the policy. + type: string + on_leave: + description: OnLeave is the behaviour that's used when the + policy is no longer fulfilled for a live session. + type: string + type: object + nullable: true + type: array + review_requests: + description: ReviewRequests defines conditions for submitting + access reviews. + nullable: true + properties: + claims_to_roles: + description: ClaimsToRoles specifies a mapping from claims + (traits) to teleport roles. + items: + properties: + claim: + description: Claim is a claim name. + type: string + roles: + description: Roles is a list of static teleport roles + to match. + items: + type: string + nullable: true + type: array + value: + description: Value is a claim value to match. + type: string + type: object + type: array + preview_as_roles: + description: PreviewAsRoles is a list of extra roles which + should apply to a reviewer while they are viewing a Resource + Access Request for the purposes of viewing details such + as the hostname and labels of requested resources. + items: + type: string + nullable: true + type: array + roles: + description: Roles is the name of roles which may be reviewed. + items: + type: string + nullable: true + type: array + where: + description: Where is an optional predicate which further + limits which requests are reviewable. + type: string + type: object + rules: + description: Rules is a list of rules and their access levels. + Rules are a high level construct used for access control. 
+ items: + properties: + actions: + description: Actions specifies optional actions taken when + this rule matches + items: + type: string + nullable: true + type: array + resources: + description: Resources is a list of resources + items: + type: string + nullable: true + type: array + verbs: + description: Verbs is a list of verbs + items: + type: string + nullable: true + type: array + where: + description: Where specifies optional advanced matcher + type: string + type: object + type: array + spiffe: + description: SPIFFE is used to allow or deny access to a role + holder to generating a SPIFFE SVID. + items: + properties: + dns_sans: + description: 'DNSSANs specifies matchers for the SPIFFE + ID DNS SANs. Each requested DNS SAN is compared against + all matchers configured and if any match, the condition + is considered to be met. The matcher by default allows + ''*'' to be used to indicate zero or more of any character. + Prepend ''^'' and append ''$'' to instead switch to matching + using the Go regex syntax. Example: *.example.com would + match foo.example.com' + items: + type: string + nullable: true + type: array + ip_sans: + description: 'IPSANs specifies matchers for the SPIFFE ID + IP SANs. Each requested IP SAN is compared against all + matchers configured and if any match, the condition is + considered to be met. The matchers should be specified + using CIDR notation, it supports IPv4 and IPv6. Examples: + - 10.0.0.0/24 would match 10.0.0.0 to 10.255.255.255 - + 10.0.0.42/32 would match only 10.0.0.42' + items: + type: string + nullable: true + type: array + path: + description: 'Path specifies a matcher for the SPIFFE ID + path. It should not include the trust domain and should + start with a leading slash. The matcher by default allows + ''*'' to be used to indicate zero or more of any character. + Prepend ''^'' and append ''$'' to instead switch to matching + using the Go regex syntax. 
Example: - /svc/foo/*/bar + would match /svc/foo/baz/bar - ^\/svc\/foo\/.*\/bar$ would + match /svc/foo/baz/bar' + type: string + type: object + nullable: true + type: array + windows_desktop_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: WindowsDesktopLabels are used in the RBAC system + to allow/deny access to Windows desktops. + type: object + windows_desktop_labels_expression: + description: WindowsDesktopLabelsExpression is a predicate expression + used to allow/deny access to Windows desktops. + type: string + windows_desktop_logins: + description: WindowsDesktopLogins is a list of desktop login names + allowed/denied for Windows desktops. + items: + type: string + nullable: true + type: array + workload_identity_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: WorkloadIdentityLabels controls whether or not specific + WorkloadIdentity resources can be invoked. Further authorization + controls exist on the WorkloadIdentity resource itself. + type: object + workload_identity_labels_expression: + description: WorkloadIdentityLabelsExpression is a predicate expression + used to allow/deny access to issuing a WorkloadIdentity. + type: string + type: object + options: + description: Options is for OpenSSH options like agent forwarding. + properties: + cert_extensions: + description: CertExtensions specifies the key/values + items: + properties: + mode: + description: Mode is the type of extension to be used -- + currently critical-option is not supported. 0 is "extension". + x-kubernetes-int-or-string: true + name: + description: Name specifies the key to be used in the cert + extension. + type: string + type: + description: Type represents the certificate type being + extended, only ssh is supported at this time. 0 is "ssh". + x-kubernetes-int-or-string: true + value: + description: Value specifies the value to be used in the + cert extension. 
+ type: string + type: object + nullable: true + type: array + cert_format: + description: CertificateFormat defines the format of the user + certificate to allow compatibility with older versions of OpenSSH. + type: string + client_idle_timeout: + description: ClientIdleTimeout sets disconnect clients on idle + timeout behavior, if set to 0 means do not disconnect, otherwise + is set to the idle duration. + format: duration + type: string + create_db_user: + description: CreateDatabaseUser enabled automatic database user + creation. + type: boolean + create_db_user_mode: + description: CreateDatabaseUserMode allows users to be automatically + created on a database when not set to off. 0 is "unspecified", + 1 is "off", 2 is "keep", 3 is "best_effort_drop". + x-kubernetes-int-or-string: true + create_desktop_user: + description: CreateDesktopUser allows users to be automatically + created on a Windows desktop + type: boolean + create_host_user: + description: 'Deprecated: use CreateHostUserMode instead.' + type: boolean + create_host_user_default_shell: + description: CreateHostUserDefaultShell is used to configure the + default shell for newly provisioned host users. + type: string + create_host_user_mode: + description: CreateHostUserMode allows users to be automatically + created on a host when not set to off. 0 is "unspecified"; 1 + is "off"; 2 is "drop" (removed for v15 and above), 3 is "keep"; + 4 is "insecure-drop". + x-kubernetes-int-or-string: true + desktop_clipboard: + description: DesktopClipboard indicates whether clipboard sharing + is allowed between the user's workstation and the remote desktop. + It defaults to true unless explicitly set to false. + type: boolean + desktop_directory_sharing: + description: DesktopDirectorySharing indicates whether directory + sharing is allowed between the user's workstation and the remote + desktop. It defaults to false unless explicitly set to true. 
+ type: boolean + device_trust_mode: + description: DeviceTrustMode is the device authorization mode + used for the resources associated with the role. See DeviceTrust.Mode. + type: string + disconnect_expired_cert: + description: DisconnectExpiredCert sets disconnect clients on + expired certificates. + type: boolean + enhanced_recording: + description: BPF defines what events to record for the BPF-based + session recorder. + items: + type: string + nullable: true + type: array + forward_agent: + description: ForwardAgent is SSH agent forwarding. + type: boolean + idp: + description: IDP is a set of options related to accessing IdPs + within Teleport. Requires Teleport Enterprise. + nullable: true + properties: + saml: + description: SAML are options related to the Teleport SAML + IdP. + nullable: true + properties: + enabled: + description: Enabled is set to true if this option allows + access to the Teleport SAML IdP. + type: boolean + type: object + type: object + lock: + description: Lock specifies the locking mode (strict|best_effort) + to be applied with the role. + type: string + max_connections: + description: MaxConnections defines the maximum number of concurrent + connections a user may hold. + format: int64 + type: integer + max_kubernetes_connections: + description: MaxKubernetesConnections defines the maximum number + of concurrent Kubernetes sessions a user may hold. + format: int64 + type: integer + max_session_ttl: + description: MaxSessionTTL defines how long a SSH session can + last for. + format: duration + type: string + max_sessions: + description: MaxSessions defines the maximum number of concurrent + sessions per connection. + format: int64 + type: integer + mfa_verification_interval: + description: MFAVerificationInterval optionally defines the maximum + duration that can elapse between successive MFA verifications. 
+ This variable is used to ensure that users are periodically + prompted to verify their identity, enhancing security by preventing + prolonged sessions without re-authentication when using tsh + proxy * derivatives. It's only effective if the session requires + MFA. If not set, defaults to `max_session_ttl`. + format: duration + type: string + permit_x11_forwarding: + description: PermitX11Forwarding authorizes use of X11 forwarding. + type: boolean + pin_source_ip: + description: PinSourceIP forces the same client IP for certificate + generation and usage + type: boolean + port_forwarding: + description: 'Deprecated: Use SSHPortForwarding instead' + type: boolean + record_session: + description: RecordDesktopSession indicates whether desktop access + sessions should be recorded. It defaults to true unless explicitly + set to false. + nullable: true + properties: + default: + description: Default indicates the default value for the services. + type: string + desktop: + description: Desktop indicates whether desktop sessions should + be recorded. It defaults to true unless explicitly set to + false. + type: boolean + ssh: + description: SSH indicates the session mode used on SSH sessions. + type: string + type: object + request_access: + description: RequestAccess defines the request strategy (optional|reason|always) + where optional is the default. + type: string + request_prompt: + description: RequestPrompt is an optional message which tells + users what they aught to request. + type: string + require_session_mfa: + description: RequireMFAType is the type of MFA requirement enforced + for this user. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", + 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN". + x-kubernetes-int-or-string: true + ssh_file_copy: + description: SSHFileCopy indicates whether remote file operations + via SCP or SFTP are allowed over an SSH session. 
It defaults + to true unless explicitly set to false. + type: boolean + ssh_port_forwarding: + description: SSHPortForwarding configures what types of SSH port + forwarding are allowed by a role. + nullable: true + properties: + local: + description: Allow local port forwarding. + nullable: true + properties: + enabled: + type: boolean + type: object + remote: + description: Allow remote port forwarding. + nullable: true + properties: + enabled: + type: boolean + type: object + type: object + type: object + type: object + status: + description: Status defines the observed state of the Teleport resource + properties: + conditions: + description: Conditions represent the latest available observations + of an object's state + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. 
+ The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + teleportResourceID: + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} + - name: v6 + schema: + openAPIV3Schema: + description: Role is the Schema for the roles API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Role resource definition v6 from Teleport + properties: + allow: + description: Allow is the set of conditions evaluated to grant access. + properties: + account_assignments: + description: AccountAssignments holds the list of account assignments + affected by this condition. 
+ items: + properties: + account: + type: string + permission_set: + type: string + type: object + type: array + app_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: AppLabels is a map of labels used as part of the + RBAC system. + type: object + app_labels_expression: + description: AppLabelsExpression is a predicate expression used + to allow/deny access to Apps. + type: string + aws_role_arns: + description: AWSRoleARNs is a list of AWS role ARNs this role + is allowed to assume. + items: + type: string + nullable: true + type: array + azure_identities: + description: AzureIdentities is a list of Azure identities this + role is allowed to assume. + items: + type: string + nullable: true + type: array + cluster_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: ClusterLabels is a map of node labels (used to dynamically + grant access to clusters). + type: object + cluster_labels_expression: + description: ClusterLabelsExpression is a predicate expression + used to allow/deny access to remote Teleport clusters. + type: string + db_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: DatabaseLabels are used in RBAC system to allow/deny + access to databases. + type: object + db_labels_expression: + description: DatabaseLabelsExpression is a predicate expression + used to allow/deny access to Databases. + type: string + db_names: + description: DatabaseNames is a list of database names this role + is allowed to connect to. + items: + type: string + nullable: true + type: array + db_permissions: + description: DatabasePermissions specifies a set of permissions + that will be granted to the database user when using automatic + database user provisioning. 
+ items: + properties: + match: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: Match is a list of object labels that must + be matched for the permission to be granted. + type: object + permissions: + description: Permission is the list of string representations + of the permission to be given, e.g. SELECT, INSERT, UPDATE, + ... + items: + type: string + nullable: true + type: array + type: object + type: array + db_roles: + description: DatabaseRoles is a list of databases roles for automatic + user creation. + items: + type: string + nullable: true + type: array + db_service_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: DatabaseServiceLabels are used in RBAC system to + allow/deny access to Database Services. + type: object + db_service_labels_expression: + description: DatabaseServiceLabelsExpression is a predicate expression + used to allow/deny access to Database Services. + type: string + db_users: + description: DatabaseUsers is a list of databases users this role + is allowed to connect as. + items: + type: string + nullable: true + type: array + desktop_groups: + description: DesktopGroups is a list of groups for created desktop + users to be added to + items: + type: string + nullable: true + type: array + gcp_service_accounts: + description: GCPServiceAccounts is a list of GCP service accounts + this role is allowed to assume. + items: + type: string + nullable: true + type: array + github_permissions: + description: GitHubPermissions defines GitHub integration related + permissions. + items: + properties: + orgs: + items: + type: string + nullable: true + type: array + type: object + type: array + group_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: GroupLabels is a map of labels used as part of the + RBAC system. 
+ type: object + group_labels_expression: + description: GroupLabelsExpression is a predicate expression used + to allow/deny access to user groups. + type: string + host_groups: + description: HostGroups is a list of groups for created users + to be added to + items: + type: string + nullable: true + type: array + host_sudoers: + description: HostSudoers is a list of entries to include in a + users sudoer file + items: + type: string + nullable: true + type: array + impersonate: + description: Impersonate specifies what users and roles this role + is allowed to impersonate by issuing certificates or other possible + means. + nullable: true + properties: + roles: + description: Roles is a list of resources this role is allowed + to impersonate + items: + type: string + nullable: true + type: array + users: + description: Users is a list of resources this role is allowed + to impersonate, could be an empty list or a Wildcard pattern + items: + type: string + nullable: true + type: array + where: + description: Where specifies optional advanced matcher + type: string + type: object + join_sessions: + description: JoinSessions specifies policies to allow users to + join other sessions. + items: + properties: + kinds: + description: Kinds are the session kinds this policy applies + to. + items: + type: string + nullable: true + type: array + modes: + description: Modes is a list of permitted participant modes + for this policy. + items: + type: string + nullable: true + type: array + name: + description: Name is the name of the policy. + type: string + roles: + description: Roles is a list of roles that you can join + the session of. 
+ items: + type: string + nullable: true + type: array + type: object + nullable: true + type: array + kubernetes_groups: + description: KubeGroups is a list of kubernetes groups + items: + type: string + nullable: true + type: array + kubernetes_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: KubernetesLabels is a map of kubernetes cluster labels + used for RBAC. + type: object + kubernetes_labels_expression: + description: KubernetesLabelsExpression is a predicate expression + used to allow/deny access to kubernetes clusters. + type: string + kubernetes_resources: + description: KubernetesResources is the Kubernetes Resources this + Role grants access to. + items: + properties: + kind: + description: Kind specifies the Kubernetes Resource type. + type: string + name: + description: Name is the resource name. It supports wildcards. + type: string + namespace: + description: Namespace is the resource namespace. It supports + wildcards. + type: string + verbs: + description: Verbs are the allowed Kubernetes verbs for + the following resource. + items: + type: string + nullable: true + type: array + type: object + type: array + kubernetes_users: + description: KubeUsers is an optional kubernetes users to impersonate + items: + type: string + nullable: true + type: array + logins: + description: Logins is a list of *nix system logins. + items: + type: string + nullable: true + type: array + node_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: NodeLabels is a map of node labels (used to dynamically + grant access to nodes). + type: object + node_labels_expression: + description: NodeLabelsExpression is a predicate expression used + to allow/deny access to SSH nodes. 
+ type: string + request: + nullable: true + properties: + annotations: + additionalProperties: + items: + type: string + type: array + description: Annotations is a collection of annotations to + be programmatically appended to pending Access Requests + at the time of their creation. These annotations serve as + a mechanism to propagate extra information to plugins. Since + these annotations support variable interpolation syntax, + they also offer a mechanism for forwarding claims from an + external identity provider, to a plugin via `{{external.trait_name}}` + style substitutions. + type: object + claims_to_roles: + description: ClaimsToRoles specifies a mapping from claims + (traits) to teleport roles. + items: + properties: + claim: + description: Claim is a claim name. + type: string + roles: + description: Roles is a list of static teleport roles + to match. + items: + type: string + nullable: true + type: array + value: + description: Value is a claim value to match. + type: string + type: object + type: array + kubernetes_resources: + description: 'kubernetes_resources can optionally enforce + a requester to request only certain kinds of kube resources. + Eg: Users can make request to either a resource kind "kube_cluster" + or any of its subresources like "namespaces". This field + can be defined such that it prevents a user from requesting + "kube_cluster" and enforce requesting any of its subresources.' + items: + properties: + kind: + description: kind specifies the Kubernetes Resource + type. + type: string + type: object + type: array + max_duration: + description: MaxDuration is the amount of time the access + will be granted for. If this is zero, the default duration + is used. + format: duration + type: string + reason: + description: Reason defines settings for the reason for the + access provided by the user. + nullable: true + properties: + mode: + description: Mode can be either "required" or "optional". + Empty string is treated as "optional". 
If a role has + the request reason mode set to "required", then reason + is required for all Access Requests requesting roles + or resources allowed by this role. It applies only to + users who have this role assigned. + type: string + type: object + roles: + description: Roles is the name of roles which will match the + request rule. + items: + type: string + nullable: true + type: array + search_as_roles: + description: SearchAsRoles is a list of extra roles which + should apply to a user while they are searching for resources + as part of a Resource Access Request, and defines the underlying + roles which will be requested as part of any Resource Access + Request. + items: + type: string + nullable: true + type: array + suggested_reviewers: + description: SuggestedReviewers is a list of reviewer suggestions. These + can be teleport usernames, but that is not a requirement. + items: + type: string + nullable: true + type: array + thresholds: + description: Thresholds is a list of thresholds, one of which + must be met in order for reviews to trigger a state-transition. If + no thresholds are provided, a default threshold of 1 for + approval and denial is used. + items: + properties: + approve: + description: Approve is the number of matching approvals + needed for state-transition. + format: int32 + type: integer + deny: + description: Deny is the number of denials needed for + state-transition. + format: int32 + type: integer + filter: + description: Filter is an optional predicate used to + determine which reviews count toward this threshold. + type: string + name: + description: Name is the optional human-readable name + of the threshold. + type: string + type: object + type: array + type: object + require_session_join: + description: RequireSessionJoin specifies policies for required + users to start a session. + items: + properties: + count: + description: Count is the amount of people that need to + be matched for this policy to be fulfilled. 
+ format: int32 + type: integer + filter: + description: Filter is a predicate that determines what + users count towards this policy. + type: string + kinds: + description: Kinds are the session kinds this policy applies + to. + items: + type: string + nullable: true + type: array + modes: + description: Modes is the list of modes that may be used + to fulfill this policy. + items: + type: string + nullable: true + type: array + name: + description: Name is the name of the policy. + type: string + on_leave: + description: OnLeave is the behaviour that's used when the + policy is no longer fulfilled for a live session. + type: string + type: object + nullable: true + type: array + review_requests: + description: ReviewRequests defines conditions for submitting + access reviews. + nullable: true + properties: + claims_to_roles: + description: ClaimsToRoles specifies a mapping from claims + (traits) to teleport roles. + items: + properties: + claim: + description: Claim is a claim name. + type: string + roles: + description: Roles is a list of static teleport roles + to match. + items: + type: string + nullable: true + type: array + value: + description: Value is a claim value to match. + type: string + type: object + type: array + preview_as_roles: + description: PreviewAsRoles is a list of extra roles which + should apply to a reviewer while they are viewing a Resource + Access Request for the purposes of viewing details such + as the hostname and labels of requested resources. + items: + type: string + nullable: true + type: array + roles: + description: Roles is the name of roles which may be reviewed. + items: + type: string + nullable: true + type: array + where: + description: Where is an optional predicate which further + limits which requests are reviewable. + type: string + type: object + rules: + description: Rules is a list of rules and their access levels. + Rules are a high level construct used for access control. 
+ items: + properties: + actions: + description: Actions specifies optional actions taken when + this rule matches + items: + type: string + nullable: true + type: array + resources: + description: Resources is a list of resources + items: + type: string + nullable: true + type: array + verbs: + description: Verbs is a list of verbs + items: + type: string + nullable: true + type: array + where: + description: Where specifies optional advanced matcher + type: string + type: object + type: array + spiffe: + description: SPIFFE is used to allow or deny access to a role + holder to generating a SPIFFE SVID. + items: + properties: + dns_sans: + description: 'DNSSANs specifies matchers for the SPIFFE + ID DNS SANs. Each requested DNS SAN is compared against + all matchers configured and if any match, the condition + is considered to be met. The matcher by default allows + ''*'' to be used to indicate zero or more of any character. + Prepend ''^'' and append ''$'' to instead switch to matching + using the Go regex syntax. Example: *.example.com would + match foo.example.com' + items: + type: string + nullable: true + type: array + ip_sans: + description: 'IPSANs specifies matchers for the SPIFFE ID + IP SANs. Each requested IP SAN is compared against all + matchers configured and if any match, the condition is + considered to be met. The matchers should be specified + using CIDR notation, it supports IPv4 and IPv6. Examples: + - 10.0.0.0/24 would match 10.0.0.0 to 10.255.255.255 - + 10.0.0.42/32 would match only 10.0.0.42' + items: + type: string + nullable: true + type: array + path: + description: 'Path specifies a matcher for the SPIFFE ID + path. It should not include the trust domain and should + start with a leading slash. The matcher by default allows + ''*'' to be used to indicate zero or more of any character. + Prepend ''^'' and append ''$'' to instead switch to matching + using the Go regex syntax. 
Example: - /svc/foo/*/bar + would match /svc/foo/baz/bar - ^\/svc\/foo\/.*\/bar$ would + match /svc/foo/baz/bar' + type: string + type: object + nullable: true + type: array + windows_desktop_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: WindowsDesktopLabels are used in the RBAC system + to allow/deny access to Windows desktops. + type: object + windows_desktop_labels_expression: + description: WindowsDesktopLabelsExpression is a predicate expression + used to allow/deny access to Windows desktops. + type: string + windows_desktop_logins: + description: WindowsDesktopLogins is a list of desktop login names + allowed/denied for Windows desktops. + items: + type: string + nullable: true + type: array + workload_identity_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: WorkloadIdentityLabels controls whether or not specific + WorkloadIdentity resources can be invoked. Further authorization + controls exist on the WorkloadIdentity resource itself. + type: object + workload_identity_labels_expression: + description: WorkloadIdentityLabelsExpression is a predicate expression + used to allow/deny access to issuing a WorkloadIdentity. + type: string + type: object + deny: + description: Deny is the set of conditions evaluated to deny access. + Deny takes priority over allow. + properties: + account_assignments: + description: AccountAssignments holds the list of account assignments + affected by this condition. + items: + properties: + account: + type: string + permission_set: + type: string + type: object + type: array + app_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: AppLabels is a map of labels used as part of the + RBAC system. + type: object + app_labels_expression: + description: AppLabelsExpression is a predicate expression used + to allow/deny access to Apps. 
+ type: string + aws_role_arns: + description: AWSRoleARNs is a list of AWS role ARNs this role + is allowed to assume. + items: + type: string + nullable: true + type: array + azure_identities: + description: AzureIdentities is a list of Azure identities this + role is allowed to assume. + items: + type: string + nullable: true + type: array + cluster_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: ClusterLabels is a map of node labels (used to dynamically + grant access to clusters). + type: object + cluster_labels_expression: + description: ClusterLabelsExpression is a predicate expression + used to allow/deny access to remote Teleport clusters. + type: string + db_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: DatabaseLabels are used in RBAC system to allow/deny + access to databases. + type: object + db_labels_expression: + description: DatabaseLabelsExpression is a predicate expression + used to allow/deny access to Databases. + type: string + db_names: + description: DatabaseNames is a list of database names this role + is allowed to connect to. + items: + type: string + nullable: true + type: array + db_permissions: + description: DatabasePermissions specifies a set of permissions + that will be granted to the database user when using automatic + database user provisioning. + items: + properties: + match: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: Match is a list of object labels that must + be matched for the permission to be granted. + type: object + permissions: + description: Permission is the list of string representations + of the permission to be given, e.g. SELECT, INSERT, UPDATE, + ... + items: + type: string + nullable: true + type: array + type: object + type: array + db_roles: + description: DatabaseRoles is a list of databases roles for automatic + user creation. 
+ items: + type: string + nullable: true + type: array + db_service_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: DatabaseServiceLabels are used in RBAC system to + allow/deny access to Database Services. + type: object + db_service_labels_expression: + description: DatabaseServiceLabelsExpression is a predicate expression + used to allow/deny access to Database Services. + type: string + db_users: + description: DatabaseUsers is a list of databases users this role + is allowed to connect as. + items: + type: string + nullable: true + type: array + desktop_groups: + description: DesktopGroups is a list of groups for created desktop + users to be added to + items: + type: string + nullable: true + type: array + gcp_service_accounts: + description: GCPServiceAccounts is a list of GCP service accounts + this role is allowed to assume. + items: + type: string + nullable: true + type: array + github_permissions: + description: GitHubPermissions defines GitHub integration related + permissions. + items: + properties: + orgs: + items: + type: string + nullable: true + type: array + type: object + type: array + group_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: GroupLabels is a map of labels used as part of the + RBAC system. + type: object + group_labels_expression: + description: GroupLabelsExpression is a predicate expression used + to allow/deny access to user groups. + type: string + host_groups: + description: HostGroups is a list of groups for created users + to be added to + items: + type: string + nullable: true + type: array + host_sudoers: + description: HostSudoers is a list of entries to include in a + users sudoer file + items: + type: string + nullable: true + type: array + impersonate: + description: Impersonate specifies what users and roles this role + is allowed to impersonate by issuing certificates or other possible + means. 
+ nullable: true + properties: + roles: + description: Roles is a list of resources this role is allowed + to impersonate + items: + type: string + nullable: true + type: array + users: + description: Users is a list of resources this role is allowed + to impersonate, could be an empty list or a Wildcard pattern + items: + type: string + nullable: true + type: array + where: + description: Where specifies optional advanced matcher + type: string + type: object + join_sessions: + description: JoinSessions specifies policies to allow users to + join other sessions. + items: + properties: + kinds: + description: Kinds are the session kinds this policy applies + to. + items: + type: string + nullable: true + type: array + modes: + description: Modes is a list of permitted participant modes + for this policy. + items: + type: string + nullable: true + type: array + name: + description: Name is the name of the policy. + type: string + roles: + description: Roles is a list of roles that you can join + the session of. + items: + type: string + nullable: true + type: array + type: object + nullable: true + type: array + kubernetes_groups: + description: KubeGroups is a list of kubernetes groups + items: + type: string + nullable: true + type: array + kubernetes_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: KubernetesLabels is a map of kubernetes cluster labels + used for RBAC. + type: object + kubernetes_labels_expression: + description: KubernetesLabelsExpression is a predicate expression + used to allow/deny access to kubernetes clusters. + type: string + kubernetes_resources: + description: KubernetesResources is the Kubernetes Resources this + Role grants access to. + items: + properties: + kind: + description: Kind specifies the Kubernetes Resource type. + type: string + name: + description: Name is the resource name. It supports wildcards. + type: string + namespace: + description: Namespace is the resource namespace. 
It supports + wildcards. + type: string + verbs: + description: Verbs are the allowed Kubernetes verbs for + the following resource. + items: + type: string + nullable: true + type: array + type: object + type: array + kubernetes_users: + description: KubeUsers is an optional kubernetes users to impersonate + items: + type: string + nullable: true + type: array + logins: + description: Logins is a list of *nix system logins. + items: + type: string + nullable: true + type: array + node_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: NodeLabels is a map of node labels (used to dynamically + grant access to nodes). + type: object + node_labels_expression: + description: NodeLabelsExpression is a predicate expression used + to allow/deny access to SSH nodes. + type: string + request: + nullable: true + properties: + annotations: + additionalProperties: + items: + type: string + type: array + description: Annotations is a collection of annotations to + be programmatically appended to pending Access Requests + at the time of their creation. These annotations serve as + a mechanism to propagate extra information to plugins. Since + these annotations support variable interpolation syntax, + they also offer a mechanism for forwarding claims from an + external identity provider, to a plugin via `{{external.trait_name}}` + style substitutions. + type: object + claims_to_roles: + description: ClaimsToRoles specifies a mapping from claims + (traits) to teleport roles. + items: + properties: + claim: + description: Claim is a claim name. + type: string + roles: + description: Roles is a list of static teleport roles + to match. + items: + type: string + nullable: true + type: array + value: + description: Value is a claim value to match. + type: string + type: object + type: array + kubernetes_resources: + description: 'kubernetes_resources can optionally enforce + a requester to request only certain kinds of kube resources. 
+ Eg: Users can make request to either a resource kind "kube_cluster" + or any of its subresources like "namespaces". This field + can be defined such that it prevents a user from requesting + "kube_cluster" and enforce requesting any of its subresources.' + items: + properties: + kind: + description: kind specifies the Kubernetes Resource + type. + type: string + type: object + type: array + max_duration: + description: MaxDuration is the amount of time the access + will be granted for. If this is zero, the default duration + is used. + format: duration + type: string + reason: + description: Reason defines settings for the reason for the + access provided by the user. + nullable: true + properties: + mode: + description: Mode can be either "required" or "optional". + Empty string is treated as "optional". If a role has + the request reason mode set to "required", then reason + is required for all Access Requests requesting roles + or resources allowed by this role. It applies only to + users who have this role assigned. + type: string + type: object + roles: + description: Roles is the name of roles which will match the + request rule. + items: + type: string + nullable: true + type: array + search_as_roles: + description: SearchAsRoles is a list of extra roles which + should apply to a user while they are searching for resources + as part of a Resource Access Request, and defines the underlying + roles which will be requested as part of any Resource Access + Request. + items: + type: string + nullable: true + type: array + suggested_reviewers: + description: SuggestedReviewers is a list of reviewer suggestions. These + can be teleport usernames, but that is not a requirement. + items: + type: string + nullable: true + type: array + thresholds: + description: Thresholds is a list of thresholds, one of which + must be met in order for reviews to trigger a state-transition. If + no thresholds are provided, a default threshold of 1 for + approval and denial is used. 
+ items: + properties: + approve: + description: Approve is the number of matching approvals + needed for state-transition. + format: int32 + type: integer + deny: + description: Deny is the number of denials needed for + state-transition. + format: int32 + type: integer + filter: + description: Filter is an optional predicate used to + determine which reviews count toward this threshold. + type: string + name: + description: Name is the optional human-readable name + of the threshold. + type: string + type: object + type: array + type: object + require_session_join: + description: RequireSessionJoin specifies policies for required + users to start a session. + items: + properties: + count: + description: Count is the amount of people that need to + be matched for this policy to be fulfilled. + format: int32 + type: integer + filter: + description: Filter is a predicate that determines what + users count towards this policy. + type: string + kinds: + description: Kinds are the session kinds this policy applies + to. + items: + type: string + nullable: true + type: array + modes: + description: Modes is the list of modes that may be used + to fulfill this policy. + items: + type: string + nullable: true + type: array + name: + description: Name is the name of the policy. + type: string + on_leave: + description: OnLeave is the behaviour that's used when the + policy is no longer fulfilled for a live session. + type: string + type: object + nullable: true + type: array + review_requests: + description: ReviewRequests defines conditions for submitting + access reviews. + nullable: true + properties: + claims_to_roles: + description: ClaimsToRoles specifies a mapping from claims + (traits) to teleport roles. + items: + properties: + claim: + description: Claim is a claim name. + type: string + roles: + description: Roles is a list of static teleport roles + to match. 
+ items: + type: string + nullable: true + type: array + value: + description: Value is a claim value to match. + type: string + type: object + type: array + preview_as_roles: + description: PreviewAsRoles is a list of extra roles which + should apply to a reviewer while they are viewing a Resource + Access Request for the purposes of viewing details such + as the hostname and labels of requested resources. + items: + type: string + nullable: true + type: array + roles: + description: Roles is the name of roles which may be reviewed. + items: + type: string + nullable: true + type: array + where: + description: Where is an optional predicate which further + limits which requests are reviewable. + type: string + type: object + rules: + description: Rules is a list of rules and their access levels. + Rules are a high level construct used for access control. + items: + properties: + actions: + description: Actions specifies optional actions taken when + this rule matches + items: + type: string + nullable: true + type: array + resources: + description: Resources is a list of resources + items: + type: string + nullable: true + type: array + verbs: + description: Verbs is a list of verbs + items: + type: string + nullable: true + type: array + where: + description: Where specifies optional advanced matcher + type: string + type: object + type: array + spiffe: + description: SPIFFE is used to allow or deny access to a role + holder to generating a SPIFFE SVID. + items: + properties: + dns_sans: + description: 'DNSSANs specifies matchers for the SPIFFE + ID DNS SANs. Each requested DNS SAN is compared against + all matchers configured and if any match, the condition + is considered to be met. The matcher by default allows + ''*'' to be used to indicate zero or more of any character. + Prepend ''^'' and append ''$'' to instead switch to matching + using the Go regex syntax. 
Example: *.example.com would + match foo.example.com' + items: + type: string + nullable: true + type: array + ip_sans: + description: 'IPSANs specifies matchers for the SPIFFE ID + IP SANs. Each requested IP SAN is compared against all + matchers configured and if any match, the condition is + considered to be met. The matchers should be specified + using CIDR notation, it supports IPv4 and IPv6. Examples: + - 10.0.0.0/24 would match 10.0.0.0 to 10.255.255.255 - + 10.0.0.42/32 would match only 10.0.0.42' + items: + type: string + nullable: true + type: array + path: + description: 'Path specifies a matcher for the SPIFFE ID + path. It should not include the trust domain and should + start with a leading slash. The matcher by default allows + ''*'' to be used to indicate zero or more of any character. + Prepend ''^'' and append ''$'' to instead switch to matching + using the Go regex syntax. Example: - /svc/foo/*/bar + would match /svc/foo/baz/bar - ^\/svc\/foo\/.*\/bar$ would + match /svc/foo/baz/bar' + type: string + type: object + nullable: true + type: array + windows_desktop_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: WindowsDesktopLabels are used in the RBAC system + to allow/deny access to Windows desktops. + type: object + windows_desktop_labels_expression: + description: WindowsDesktopLabelsExpression is a predicate expression + used to allow/deny access to Windows desktops. + type: string + windows_desktop_logins: + description: WindowsDesktopLogins is a list of desktop login names + allowed/denied for Windows desktops. + items: + type: string + nullable: true + type: array + workload_identity_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: WorkloadIdentityLabels controls whether or not specific + WorkloadIdentity resources can be invoked. Further authorization + controls exist on the WorkloadIdentity resource itself. 
+ type: object + workload_identity_labels_expression: + description: WorkloadIdentityLabelsExpression is a predicate expression + used to allow/deny access to issuing a WorkloadIdentity. + type: string + type: object + options: + description: Options is for OpenSSH options like agent forwarding. + properties: + cert_extensions: + description: CertExtensions specifies the key/values + items: + properties: + mode: + description: Mode is the type of extension to be used -- + currently critical-option is not supported. 0 is "extension". + x-kubernetes-int-or-string: true + name: + description: Name specifies the key to be used in the cert + extension. + type: string + type: + description: Type represents the certificate type being + extended, only ssh is supported at this time. 0 is "ssh". + x-kubernetes-int-or-string: true + value: + description: Value specifies the value to be used in the + cert extension. + type: string + type: object + nullable: true + type: array + cert_format: + description: CertificateFormat defines the format of the user + certificate to allow compatibility with older versions of OpenSSH. + type: string + client_idle_timeout: + description: ClientIdleTimeout sets disconnect clients on idle + timeout behavior, if set to 0 means do not disconnect, otherwise + is set to the idle duration. + format: duration + type: string + create_db_user: + description: CreateDatabaseUser enabled automatic database user + creation. + type: boolean + create_db_user_mode: + description: CreateDatabaseUserMode allows users to be automatically + created on a database when not set to off. 0 is "unspecified", + 1 is "off", 2 is "keep", 3 is "best_effort_drop". + x-kubernetes-int-or-string: true + create_desktop_user: + description: CreateDesktopUser allows users to be automatically + created on a Windows desktop + type: boolean + create_host_user: + description: 'Deprecated: use CreateHostUserMode instead.' 
+ type: boolean + create_host_user_default_shell: + description: CreateHostUserDefaultShell is used to configure the + default shell for newly provisioned host users. + type: string + create_host_user_mode: + description: CreateHostUserMode allows users to be automatically + created on a host when not set to off. 0 is "unspecified"; 1 + is "off"; 2 is "drop" (removed for v15 and above), 3 is "keep"; + 4 is "insecure-drop". + x-kubernetes-int-or-string: true + desktop_clipboard: + description: DesktopClipboard indicates whether clipboard sharing + is allowed between the user's workstation and the remote desktop. + It defaults to true unless explicitly set to false. + type: boolean + desktop_directory_sharing: + description: DesktopDirectorySharing indicates whether directory + sharing is allowed between the user's workstation and the remote + desktop. It defaults to false unless explicitly set to true. + type: boolean + device_trust_mode: + description: DeviceTrustMode is the device authorization mode + used for the resources associated with the role. See DeviceTrust.Mode. + type: string + disconnect_expired_cert: + description: DisconnectExpiredCert sets disconnect clients on + expired certificates. + type: boolean + enhanced_recording: + description: BPF defines what events to record for the BPF-based + session recorder. + items: + type: string + nullable: true + type: array + forward_agent: + description: ForwardAgent is SSH agent forwarding. + type: boolean + idp: + description: IDP is a set of options related to accessing IdPs + within Teleport. Requires Teleport Enterprise. + nullable: true + properties: + saml: + description: SAML are options related to the Teleport SAML + IdP. + nullable: true + properties: + enabled: + description: Enabled is set to true if this option allows + access to the Teleport SAML IdP. 
+ type: boolean + type: object + type: object + lock: + description: Lock specifies the locking mode (strict|best_effort) + to be applied with the role. + type: string + max_connections: + description: MaxConnections defines the maximum number of concurrent + connections a user may hold. + format: int64 + type: integer + max_kubernetes_connections: + description: MaxKubernetesConnections defines the maximum number + of concurrent Kubernetes sessions a user may hold. + format: int64 + type: integer + max_session_ttl: + description: MaxSessionTTL defines how long a SSH session can + last for. + format: duration + type: string + max_sessions: + description: MaxSessions defines the maximum number of concurrent + sessions per connection. + format: int64 + type: integer + mfa_verification_interval: + description: MFAVerificationInterval optionally defines the maximum + duration that can elapse between successive MFA verifications. + This variable is used to ensure that users are periodically + prompted to verify their identity, enhancing security by preventing + prolonged sessions without re-authentication when using tsh + proxy * derivatives. It's only effective if the session requires + MFA. If not set, defaults to `max_session_ttl`. + format: duration + type: string + permit_x11_forwarding: + description: PermitX11Forwarding authorizes use of X11 forwarding. + type: boolean + pin_source_ip: + description: PinSourceIP forces the same client IP for certificate + generation and usage + type: boolean + port_forwarding: + description: 'Deprecated: Use SSHPortForwarding instead' + type: boolean + record_session: + description: RecordDesktopSession indicates whether desktop access + sessions should be recorded. It defaults to true unless explicitly + set to false. + nullable: true + properties: + default: + description: Default indicates the default value for the services. 
+ type: string + desktop: + description: Desktop indicates whether desktop sessions should + be recorded. It defaults to true unless explicitly set to + false. + type: boolean + ssh: + description: SSH indicates the session mode used on SSH sessions. + type: string + type: object + request_access: + description: RequestAccess defines the request strategy (optional|reason|always) + where optional is the default. + type: string + request_prompt: + description: RequestPrompt is an optional message which tells + users what they aught to request. + type: string + require_session_mfa: + description: RequireMFAType is the type of MFA requirement enforced + for this user. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", + 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN". + x-kubernetes-int-or-string: true + ssh_file_copy: + description: SSHFileCopy indicates whether remote file operations + via SCP or SFTP are allowed over an SSH session. It defaults + to true unless explicitly set to false. + type: boolean + ssh_port_forwarding: + description: SSHPortForwarding configures what types of SSH port + forwarding are allowed by a role. + nullable: true + properties: + local: + description: Allow local port forwarding. + nullable: true + properties: + enabled: + type: boolean + type: object + remote: + description: Allow remote port forwarding. + nullable: true + properties: + enabled: + type: boolean + type: object + type: object + type: object + type: object + status: + description: Status defines the observed state of the Teleport resource + properties: + conditions: + description: Conditions represent the latest available observations + of an object's state + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. 
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + teleportResourceID: + format: int64 + type: integer + type: object + type: object + served: true + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null 
diff --git a/teleport-cluster-17.4.9/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv6.yaml b/teleport-cluster-17.4.9/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv6.yaml new file mode 100644 index 0000000..dd182ab --- /dev/null +++ b/teleport-cluster-17.4.9/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv6.yaml 
@@ -0,0 +1,1496 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: teleportrolesv6.resources.teleport.dev +spec: + group: resources.teleport.dev + names: + kind: TeleportRoleV6 + listKind: TeleportRoleV6List + plural: teleportrolesv6 + shortNames: + - rolev6 + - rolesv6 + singular: teleportrolev6 + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: RoleV6 is the Schema for the rolesv6 API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Role resource definition v6 from Teleport + properties: + allow: + description: Allow is the set of conditions evaluated to grant access. + properties: + account_assignments: + description: AccountAssignments holds the list of account assignments + affected by this condition. + items: + properties: + account: + type: string + permission_set: + type: string + type: object + type: array + app_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: AppLabels is a map of labels used as part of the + RBAC system. + type: object + app_labels_expression: + description: AppLabelsExpression is a predicate expression used + to allow/deny access to Apps. 
+ type: string + aws_role_arns: + description: AWSRoleARNs is a list of AWS role ARNs this role + is allowed to assume. + items: + type: string + nullable: true + type: array + azure_identities: + description: AzureIdentities is a list of Azure identities this + role is allowed to assume. + items: + type: string + nullable: true + type: array + cluster_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: ClusterLabels is a map of node labels (used to dynamically + grant access to clusters). + type: object + cluster_labels_expression: + description: ClusterLabelsExpression is a predicate expression + used to allow/deny access to remote Teleport clusters. + type: string + db_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: DatabaseLabels are used in RBAC system to allow/deny + access to databases. + type: object + db_labels_expression: + description: DatabaseLabelsExpression is a predicate expression + used to allow/deny access to Databases. + type: string + db_names: + description: DatabaseNames is a list of database names this role + is allowed to connect to. + items: + type: string + nullable: true + type: array + db_permissions: + description: DatabasePermissions specifies a set of permissions + that will be granted to the database user when using automatic + database user provisioning. + items: + properties: + match: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: Match is a list of object labels that must + be matched for the permission to be granted. + type: object + permissions: + description: Permission is the list of string representations + of the permission to be given, e.g. SELECT, INSERT, UPDATE, + ... + items: + type: string + nullable: true + type: array + type: object + type: array + db_roles: + description: DatabaseRoles is a list of databases roles for automatic + user creation. 
+ items: + type: string + nullable: true + type: array + db_service_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: DatabaseServiceLabels are used in RBAC system to + allow/deny access to Database Services. + type: object + db_service_labels_expression: + description: DatabaseServiceLabelsExpression is a predicate expression + used to allow/deny access to Database Services. + type: string + db_users: + description: DatabaseUsers is a list of databases users this role + is allowed to connect as. + items: + type: string + nullable: true + type: array + desktop_groups: + description: DesktopGroups is a list of groups for created desktop + users to be added to + items: + type: string + nullable: true + type: array + gcp_service_accounts: + description: GCPServiceAccounts is a list of GCP service accounts + this role is allowed to assume. + items: + type: string + nullable: true + type: array + github_permissions: + description: GitHubPermissions defines GitHub integration related + permissions. + items: + properties: + orgs: + items: + type: string + nullable: true + type: array + type: object + type: array + group_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: GroupLabels is a map of labels used as part of the + RBAC system. + type: object + group_labels_expression: + description: GroupLabelsExpression is a predicate expression used + to allow/deny access to user groups. + type: string + host_groups: + description: HostGroups is a list of groups for created users + to be added to + items: + type: string + nullable: true + type: array + host_sudoers: + description: HostSudoers is a list of entries to include in a + users sudoer file + items: + type: string + nullable: true + type: array + impersonate: + description: Impersonate specifies what users and roles this role + is allowed to impersonate by issuing certificates or other possible + means. 
+ nullable: true + properties: + roles: + description: Roles is a list of resources this role is allowed + to impersonate + items: + type: string + nullable: true + type: array + users: + description: Users is a list of resources this role is allowed + to impersonate, could be an empty list or a Wildcard pattern + items: + type: string + nullable: true + type: array + where: + description: Where specifies optional advanced matcher + type: string + type: object + join_sessions: + description: JoinSessions specifies policies to allow users to + join other sessions. + items: + properties: + kinds: + description: Kinds are the session kinds this policy applies + to. + items: + type: string + nullable: true + type: array + modes: + description: Modes is a list of permitted participant modes + for this policy. + items: + type: string + nullable: true + type: array + name: + description: Name is the name of the policy. + type: string + roles: + description: Roles is a list of roles that you can join + the session of. + items: + type: string + nullable: true + type: array + type: object + nullable: true + type: array + kubernetes_groups: + description: KubeGroups is a list of kubernetes groups + items: + type: string + nullable: true + type: array + kubernetes_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: KubernetesLabels is a map of kubernetes cluster labels + used for RBAC. + type: object + kubernetes_labels_expression: + description: KubernetesLabelsExpression is a predicate expression + used to allow/deny access to kubernetes clusters. + type: string + kubernetes_resources: + description: KubernetesResources is the Kubernetes Resources this + Role grants access to. + items: + properties: + kind: + description: Kind specifies the Kubernetes Resource type. + type: string + name: + description: Name is the resource name. It supports wildcards. + type: string + namespace: + description: Namespace is the resource namespace. 
It supports + wildcards. + type: string + verbs: + description: Verbs are the allowed Kubernetes verbs for + the following resource. + items: + type: string + nullable: true + type: array + type: object + type: array + kubernetes_users: + description: KubeUsers is an optional kubernetes users to impersonate + items: + type: string + nullable: true + type: array + logins: + description: Logins is a list of *nix system logins. + items: + type: string + nullable: true + type: array + node_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: NodeLabels is a map of node labels (used to dynamically + grant access to nodes). + type: object + node_labels_expression: + description: NodeLabelsExpression is a predicate expression used + to allow/deny access to SSH nodes. + type: string + request: + nullable: true + properties: + annotations: + additionalProperties: + items: + type: string + type: array + description: Annotations is a collection of annotations to + be programmatically appended to pending Access Requests + at the time of their creation. These annotations serve as + a mechanism to propagate extra information to plugins. Since + these annotations support variable interpolation syntax, + they also offer a mechanism for forwarding claims from an + external identity provider, to a plugin via `{{external.trait_name}}` + style substitutions. + type: object + claims_to_roles: + description: ClaimsToRoles specifies a mapping from claims + (traits) to teleport roles. + items: + properties: + claim: + description: Claim is a claim name. + type: string + roles: + description: Roles is a list of static teleport roles + to match. + items: + type: string + nullable: true + type: array + value: + description: Value is a claim value to match. + type: string + type: object + type: array + kubernetes_resources: + description: 'kubernetes_resources can optionally enforce + a requester to request only certain kinds of kube resources. 
+ Eg: Users can make request to either a resource kind "kube_cluster" + or any of its subresources like "namespaces". This field + can be defined such that it prevents a user from requesting + "kube_cluster" and enforce requesting any of its subresources.' + items: + properties: + kind: + description: kind specifies the Kubernetes Resource + type. + type: string + type: object + type: array + max_duration: + description: MaxDuration is the amount of time the access + will be granted for. If this is zero, the default duration + is used. + format: duration + type: string + reason: + description: Reason defines settings for the reason for the + access provided by the user. + nullable: true + properties: + mode: + description: Mode can be either "required" or "optional". + Empty string is treated as "optional". If a role has + the request reason mode set to "required", then reason + is required for all Access Requests requesting roles + or resources allowed by this role. It applies only to + users who have this role assigned. + type: string + type: object + roles: + description: Roles is the name of roles which will match the + request rule. + items: + type: string + nullable: true + type: array + search_as_roles: + description: SearchAsRoles is a list of extra roles which + should apply to a user while they are searching for resources + as part of a Resource Access Request, and defines the underlying + roles which will be requested as part of any Resource Access + Request. + items: + type: string + nullable: true + type: array + suggested_reviewers: + description: SuggestedReviewers is a list of reviewer suggestions. These + can be teleport usernames, but that is not a requirement. + items: + type: string + nullable: true + type: array + thresholds: + description: Thresholds is a list of thresholds, one of which + must be met in order for reviews to trigger a state-transition. If + no thresholds are provided, a default threshold of 1 for + approval and denial is used. 
+ items: + properties: + approve: + description: Approve is the number of matching approvals + needed for state-transition. + format: int32 + type: integer + deny: + description: Deny is the number of denials needed for + state-transition. + format: int32 + type: integer + filter: + description: Filter is an optional predicate used to + determine which reviews count toward this threshold. + type: string + name: + description: Name is the optional human-readable name + of the threshold. + type: string + type: object + type: array + type: object + require_session_join: + description: RequireSessionJoin specifies policies for required + users to start a session. + items: + properties: + count: + description: Count is the amount of people that need to + be matched for this policy to be fulfilled. + format: int32 + type: integer + filter: + description: Filter is a predicate that determines what + users count towards this policy. + type: string + kinds: + description: Kinds are the session kinds this policy applies + to. + items: + type: string + nullable: true + type: array + modes: + description: Modes is the list of modes that may be used + to fulfill this policy. + items: + type: string + nullable: true + type: array + name: + description: Name is the name of the policy. + type: string + on_leave: + description: OnLeave is the behaviour that's used when the + policy is no longer fulfilled for a live session. + type: string + type: object + nullable: true + type: array + review_requests: + description: ReviewRequests defines conditions for submitting + access reviews. + nullable: true + properties: + claims_to_roles: + description: ClaimsToRoles specifies a mapping from claims + (traits) to teleport roles. + items: + properties: + claim: + description: Claim is a claim name. + type: string + roles: + description: Roles is a list of static teleport roles + to match. 
+ items: + type: string + nullable: true + type: array + value: + description: Value is a claim value to match. + type: string + type: object + type: array + preview_as_roles: + description: PreviewAsRoles is a list of extra roles which + should apply to a reviewer while they are viewing a Resource + Access Request for the purposes of viewing details such + as the hostname and labels of requested resources. + items: + type: string + nullable: true + type: array + roles: + description: Roles is the name of roles which may be reviewed. + items: + type: string + nullable: true + type: array + where: + description: Where is an optional predicate which further + limits which requests are reviewable. + type: string + type: object + rules: + description: Rules is a list of rules and their access levels. + Rules are a high level construct used for access control. + items: + properties: + actions: + description: Actions specifies optional actions taken when + this rule matches + items: + type: string + nullable: true + type: array + resources: + description: Resources is a list of resources + items: + type: string + nullable: true + type: array + verbs: + description: Verbs is a list of verbs + items: + type: string + nullable: true + type: array + where: + description: Where specifies optional advanced matcher + type: string + type: object + type: array + spiffe: + description: SPIFFE is used to allow or deny access to a role + holder to generating a SPIFFE SVID. + items: + properties: + dns_sans: + description: 'DNSSANs specifies matchers for the SPIFFE + ID DNS SANs. Each requested DNS SAN is compared against + all matchers configured and if any match, the condition + is considered to be met. The matcher by default allows + ''*'' to be used to indicate zero or more of any character. + Prepend ''^'' and append ''$'' to instead switch to matching + using the Go regex syntax. 
Example: *.example.com would + match foo.example.com' + items: + type: string + nullable: true + type: array + ip_sans: + description: 'IPSANs specifies matchers for the SPIFFE ID + IP SANs. Each requested IP SAN is compared against all + matchers configured and if any match, the condition is + considered to be met. The matchers should be specified + using CIDR notation, it supports IPv4 and IPv6. Examples: + - 10.0.0.0/24 would match 10.0.0.0 to 10.255.255.255 - + 10.0.0.42/32 would match only 10.0.0.42' + items: + type: string + nullable: true + type: array + path: + description: 'Path specifies a matcher for the SPIFFE ID + path. It should not include the trust domain and should + start with a leading slash. The matcher by default allows + ''*'' to be used to indicate zero or more of any character. + Prepend ''^'' and append ''$'' to instead switch to matching + using the Go regex syntax. Example: - /svc/foo/*/bar + would match /svc/foo/baz/bar - ^\/svc\/foo\/.*\/bar$ would + match /svc/foo/baz/bar' + type: string + type: object + nullable: true + type: array + windows_desktop_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: WindowsDesktopLabels are used in the RBAC system + to allow/deny access to Windows desktops. + type: object + windows_desktop_labels_expression: + description: WindowsDesktopLabelsExpression is a predicate expression + used to allow/deny access to Windows desktops. + type: string + windows_desktop_logins: + description: WindowsDesktopLogins is a list of desktop login names + allowed/denied for Windows desktops. + items: + type: string + nullable: true + type: array + workload_identity_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: WorkloadIdentityLabels controls whether or not specific + WorkloadIdentity resources can be invoked. Further authorization + controls exist on the WorkloadIdentity resource itself. 
+ type: object + workload_identity_labels_expression: + description: WorkloadIdentityLabelsExpression is a predicate expression + used to allow/deny access to issuing a WorkloadIdentity. + type: string + type: object + deny: + description: Deny is the set of conditions evaluated to deny access. + Deny takes priority over allow. + properties: + account_assignments: + description: AccountAssignments holds the list of account assignments + affected by this condition. + items: + properties: + account: + type: string + permission_set: + type: string + type: object + type: array + app_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: AppLabels is a map of labels used as part of the + RBAC system. + type: object + app_labels_expression: + description: AppLabelsExpression is a predicate expression used + to allow/deny access to Apps. + type: string + aws_role_arns: + description: AWSRoleARNs is a list of AWS role ARNs this role + is allowed to assume. + items: + type: string + nullable: true + type: array + azure_identities: + description: AzureIdentities is a list of Azure identities this + role is allowed to assume. + items: + type: string + nullable: true + type: array + cluster_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: ClusterLabels is a map of node labels (used to dynamically + grant access to clusters). + type: object + cluster_labels_expression: + description: ClusterLabelsExpression is a predicate expression + used to allow/deny access to remote Teleport clusters. + type: string + db_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: DatabaseLabels are used in RBAC system to allow/deny + access to databases. + type: object + db_labels_expression: + description: DatabaseLabelsExpression is a predicate expression + used to allow/deny access to Databases. 
+ type: string + db_names: + description: DatabaseNames is a list of database names this role + is allowed to connect to. + items: + type: string + nullable: true + type: array + db_permissions: + description: DatabasePermissions specifies a set of permissions + that will be granted to the database user when using automatic + database user provisioning. + items: + properties: + match: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: Match is a list of object labels that must + be matched for the permission to be granted. + type: object + permissions: + description: Permission is the list of string representations + of the permission to be given, e.g. SELECT, INSERT, UPDATE, + ... + items: + type: string + nullable: true + type: array + type: object + type: array + db_roles: + description: DatabaseRoles is a list of databases roles for automatic + user creation. + items: + type: string + nullable: true + type: array + db_service_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: DatabaseServiceLabels are used in RBAC system to + allow/deny access to Database Services. + type: object + db_service_labels_expression: + description: DatabaseServiceLabelsExpression is a predicate expression + used to allow/deny access to Database Services. + type: string + db_users: + description: DatabaseUsers is a list of databases users this role + is allowed to connect as. + items: + type: string + nullable: true + type: array + desktop_groups: + description: DesktopGroups is a list of groups for created desktop + users to be added to + items: + type: string + nullable: true + type: array + gcp_service_accounts: + description: GCPServiceAccounts is a list of GCP service accounts + this role is allowed to assume. + items: + type: string + nullable: true + type: array + github_permissions: + description: GitHubPermissions defines GitHub integration related + permissions. 
+ items: + properties: + orgs: + items: + type: string + nullable: true + type: array + type: object + type: array + group_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: GroupLabels is a map of labels used as part of the + RBAC system. + type: object + group_labels_expression: + description: GroupLabelsExpression is a predicate expression used + to allow/deny access to user groups. + type: string + host_groups: + description: HostGroups is a list of groups for created users + to be added to + items: + type: string + nullable: true + type: array + host_sudoers: + description: HostSudoers is a list of entries to include in a + users sudoer file + items: + type: string + nullable: true + type: array + impersonate: + description: Impersonate specifies what users and roles this role + is allowed to impersonate by issuing certificates or other possible + means. + nullable: true + properties: + roles: + description: Roles is a list of resources this role is allowed + to impersonate + items: + type: string + nullable: true + type: array + users: + description: Users is a list of resources this role is allowed + to impersonate, could be an empty list or a Wildcard pattern + items: + type: string + nullable: true + type: array + where: + description: Where specifies optional advanced matcher + type: string + type: object + join_sessions: + description: JoinSessions specifies policies to allow users to + join other sessions. + items: + properties: + kinds: + description: Kinds are the session kinds this policy applies + to. + items: + type: string + nullable: true + type: array + modes: + description: Modes is a list of permitted participant modes + for this policy. + items: + type: string + nullable: true + type: array + name: + description: Name is the name of the policy. + type: string + roles: + description: Roles is a list of roles that you can join + the session of. 
+ items: + type: string + nullable: true + type: array + type: object + nullable: true + type: array + kubernetes_groups: + description: KubeGroups is a list of kubernetes groups + items: + type: string + nullable: true + type: array + kubernetes_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: KubernetesLabels is a map of kubernetes cluster labels + used for RBAC. + type: object + kubernetes_labels_expression: + description: KubernetesLabelsExpression is a predicate expression + used to allow/deny access to kubernetes clusters. + type: string + kubernetes_resources: + description: KubernetesResources is the Kubernetes Resources this + Role grants access to. + items: + properties: + kind: + description: Kind specifies the Kubernetes Resource type. + type: string + name: + description: Name is the resource name. It supports wildcards. + type: string + namespace: + description: Namespace is the resource namespace. It supports + wildcards. + type: string + verbs: + description: Verbs are the allowed Kubernetes verbs for + the following resource. + items: + type: string + nullable: true + type: array + type: object + type: array + kubernetes_users: + description: KubeUsers is an optional kubernetes users to impersonate + items: + type: string + nullable: true + type: array + logins: + description: Logins is a list of *nix system logins. + items: + type: string + nullable: true + type: array + node_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: NodeLabels is a map of node labels (used to dynamically + grant access to nodes). + type: object + node_labels_expression: + description: NodeLabelsExpression is a predicate expression used + to allow/deny access to SSH nodes. 
+ type: string + request: + nullable: true + properties: + annotations: + additionalProperties: + items: + type: string + type: array + description: Annotations is a collection of annotations to + be programmatically appended to pending Access Requests + at the time of their creation. These annotations serve as + a mechanism to propagate extra information to plugins. Since + these annotations support variable interpolation syntax, + they also offer a mechanism for forwarding claims from an + external identity provider, to a plugin via `{{external.trait_name}}` + style substitutions. + type: object + claims_to_roles: + description: ClaimsToRoles specifies a mapping from claims + (traits) to teleport roles. + items: + properties: + claim: + description: Claim is a claim name. + type: string + roles: + description: Roles is a list of static teleport roles + to match. + items: + type: string + nullable: true + type: array + value: + description: Value is a claim value to match. + type: string + type: object + type: array + kubernetes_resources: + description: 'kubernetes_resources can optionally enforce + a requester to request only certain kinds of kube resources. + Eg: Users can make request to either a resource kind "kube_cluster" + or any of its subresources like "namespaces". This field + can be defined such that it prevents a user from requesting + "kube_cluster" and enforce requesting any of its subresources.' + items: + properties: + kind: + description: kind specifies the Kubernetes Resource + type. + type: string + type: object + type: array + max_duration: + description: MaxDuration is the amount of time the access + will be granted for. If this is zero, the default duration + is used. + format: duration + type: string + reason: + description: Reason defines settings for the reason for the + access provided by the user. + nullable: true + properties: + mode: + description: Mode can be either "required" or "optional". + Empty string is treated as "optional". 
If a role has + the request reason mode set to "required", then reason + is required for all Access Requests requesting roles + or resources allowed by this role. It applies only to + users who have this role assigned. + type: string + type: object + roles: + description: Roles is the name of roles which will match the + request rule. + items: + type: string + nullable: true + type: array + search_as_roles: + description: SearchAsRoles is a list of extra roles which + should apply to a user while they are searching for resources + as part of a Resource Access Request, and defines the underlying + roles which will be requested as part of any Resource Access + Request. + items: + type: string + nullable: true + type: array + suggested_reviewers: + description: SuggestedReviewers is a list of reviewer suggestions. These + can be teleport usernames, but that is not a requirement. + items: + type: string + nullable: true + type: array + thresholds: + description: Thresholds is a list of thresholds, one of which + must be met in order for reviews to trigger a state-transition. If + no thresholds are provided, a default threshold of 1 for + approval and denial is used. + items: + properties: + approve: + description: Approve is the number of matching approvals + needed for state-transition. + format: int32 + type: integer + deny: + description: Deny is the number of denials needed for + state-transition. + format: int32 + type: integer + filter: + description: Filter is an optional predicate used to + determine which reviews count toward this threshold. + type: string + name: + description: Name is the optional human-readable name + of the threshold. + type: string + type: object + type: array + type: object + require_session_join: + description: RequireSessionJoin specifies policies for required + users to start a session. + items: + properties: + count: + description: Count is the amount of people that need to + be matched for this policy to be fulfilled. 
+ format: int32 + type: integer + filter: + description: Filter is a predicate that determines what + users count towards this policy. + type: string + kinds: + description: Kinds are the session kinds this policy applies + to. + items: + type: string + nullable: true + type: array + modes: + description: Modes is the list of modes that may be used + to fulfill this policy. + items: + type: string + nullable: true + type: array + name: + description: Name is the name of the policy. + type: string + on_leave: + description: OnLeave is the behaviour that's used when the + policy is no longer fulfilled for a live session. + type: string + type: object + nullable: true + type: array + review_requests: + description: ReviewRequests defines conditions for submitting + access reviews. + nullable: true + properties: + claims_to_roles: + description: ClaimsToRoles specifies a mapping from claims + (traits) to teleport roles. + items: + properties: + claim: + description: Claim is a claim name. + type: string + roles: + description: Roles is a list of static teleport roles + to match. + items: + type: string + nullable: true + type: array + value: + description: Value is a claim value to match. + type: string + type: object + type: array + preview_as_roles: + description: PreviewAsRoles is a list of extra roles which + should apply to a reviewer while they are viewing a Resource + Access Request for the purposes of viewing details such + as the hostname and labels of requested resources. + items: + type: string + nullable: true + type: array + roles: + description: Roles is the name of roles which may be reviewed. + items: + type: string + nullable: true + type: array + where: + description: Where is an optional predicate which further + limits which requests are reviewable. + type: string + type: object + rules: + description: Rules is a list of rules and their access levels. + Rules are a high level construct used for access control. 
+ items: + properties: + actions: + description: Actions specifies optional actions taken when + this rule matches + items: + type: string + nullable: true + type: array + resources: + description: Resources is a list of resources + items: + type: string + nullable: true + type: array + verbs: + description: Verbs is a list of verbs + items: + type: string + nullable: true + type: array + where: + description: Where specifies optional advanced matcher + type: string + type: object + type: array + spiffe: + description: SPIFFE is used to allow or deny access to a role + holder to generating a SPIFFE SVID. + items: + properties: + dns_sans: + description: 'DNSSANs specifies matchers for the SPIFFE + ID DNS SANs. Each requested DNS SAN is compared against + all matchers configured and if any match, the condition + is considered to be met. The matcher by default allows + ''*'' to be used to indicate zero or more of any character. + Prepend ''^'' and append ''$'' to instead switch to matching + using the Go regex syntax. Example: *.example.com would + match foo.example.com' + items: + type: string + nullable: true + type: array + ip_sans: + description: 'IPSANs specifies matchers for the SPIFFE ID + IP SANs. Each requested IP SAN is compared against all + matchers configured and if any match, the condition is + considered to be met. The matchers should be specified + using CIDR notation, it supports IPv4 and IPv6. Examples: + - 10.0.0.0/24 would match 10.0.0.0 to 10.255.255.255 - + 10.0.0.42/32 would match only 10.0.0.42' + items: + type: string + nullable: true + type: array + path: + description: 'Path specifies a matcher for the SPIFFE ID + path. It should not include the trust domain and should + start with a leading slash. The matcher by default allows + ''*'' to be used to indicate zero or more of any character. + Prepend ''^'' and append ''$'' to instead switch to matching + using the Go regex syntax. 
Example: - /svc/foo/*/bar + would match /svc/foo/baz/bar - ^\/svc\/foo\/.*\/bar$ would + match /svc/foo/baz/bar' + type: string + type: object + nullable: true + type: array + windows_desktop_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: WindowsDesktopLabels are used in the RBAC system + to allow/deny access to Windows desktops. + type: object + windows_desktop_labels_expression: + description: WindowsDesktopLabelsExpression is a predicate expression + used to allow/deny access to Windows desktops. + type: string + windows_desktop_logins: + description: WindowsDesktopLogins is a list of desktop login names + allowed/denied for Windows desktops. + items: + type: string + nullable: true + type: array + workload_identity_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: WorkloadIdentityLabels controls whether or not specific + WorkloadIdentity resources can be invoked. Further authorization + controls exist on the WorkloadIdentity resource itself. + type: object + workload_identity_labels_expression: + description: WorkloadIdentityLabelsExpression is a predicate expression + used to allow/deny access to issuing a WorkloadIdentity. + type: string + type: object + options: + description: Options is for OpenSSH options like agent forwarding. + properties: + cert_extensions: + description: CertExtensions specifies the key/values + items: + properties: + mode: + description: Mode is the type of extension to be used -- + currently critical-option is not supported. 0 is "extension". + x-kubernetes-int-or-string: true + name: + description: Name specifies the key to be used in the cert + extension. + type: string + type: + description: Type represents the certificate type being + extended, only ssh is supported at this time. 0 is "ssh". + x-kubernetes-int-or-string: true + value: + description: Value specifies the value to be used in the + cert extension. 
+ type: string + type: object + nullable: true + type: array + cert_format: + description: CertificateFormat defines the format of the user + certificate to allow compatibility with older versions of OpenSSH. + type: string + client_idle_timeout: + description: ClientIdleTimeout sets disconnect clients on idle + timeout behavior, if set to 0 means do not disconnect, otherwise + is set to the idle duration. + format: duration + type: string + create_db_user: + description: CreateDatabaseUser enabled automatic database user + creation. + type: boolean + create_db_user_mode: + description: CreateDatabaseUserMode allows users to be automatically + created on a database when not set to off. 0 is "unspecified", + 1 is "off", 2 is "keep", 3 is "best_effort_drop". + x-kubernetes-int-or-string: true + create_desktop_user: + description: CreateDesktopUser allows users to be automatically + created on a Windows desktop + type: boolean + create_host_user: + description: 'Deprecated: use CreateHostUserMode instead.' + type: boolean + create_host_user_default_shell: + description: CreateHostUserDefaultShell is used to configure the + default shell for newly provisioned host users. + type: string + create_host_user_mode: + description: CreateHostUserMode allows users to be automatically + created on a host when not set to off. 0 is "unspecified"; 1 + is "off"; 2 is "drop" (removed for v15 and above), 3 is "keep"; + 4 is "insecure-drop". + x-kubernetes-int-or-string: true + desktop_clipboard: + description: DesktopClipboard indicates whether clipboard sharing + is allowed between the user's workstation and the remote desktop. + It defaults to true unless explicitly set to false. + type: boolean + desktop_directory_sharing: + description: DesktopDirectorySharing indicates whether directory + sharing is allowed between the user's workstation and the remote + desktop. It defaults to false unless explicitly set to true. 
+ type: boolean + device_trust_mode: + description: DeviceTrustMode is the device authorization mode + used for the resources associated with the role. See DeviceTrust.Mode. + type: string + disconnect_expired_cert: + description: DisconnectExpiredCert sets disconnect clients on + expired certificates. + type: boolean + enhanced_recording: + description: BPF defines what events to record for the BPF-based + session recorder. + items: + type: string + nullable: true + type: array + forward_agent: + description: ForwardAgent is SSH agent forwarding. + type: boolean + idp: + description: IDP is a set of options related to accessing IdPs + within Teleport. Requires Teleport Enterprise. + nullable: true + properties: + saml: + description: SAML are options related to the Teleport SAML + IdP. + nullable: true + properties: + enabled: + description: Enabled is set to true if this option allows + access to the Teleport SAML IdP. + type: boolean + type: object + type: object + lock: + description: Lock specifies the locking mode (strict|best_effort) + to be applied with the role. + type: string + max_connections: + description: MaxConnections defines the maximum number of concurrent + connections a user may hold. + format: int64 + type: integer + max_kubernetes_connections: + description: MaxKubernetesConnections defines the maximum number + of concurrent Kubernetes sessions a user may hold. + format: int64 + type: integer + max_session_ttl: + description: MaxSessionTTL defines how long a SSH session can + last for. + format: duration + type: string + max_sessions: + description: MaxSessions defines the maximum number of concurrent + sessions per connection. + format: int64 + type: integer + mfa_verification_interval: + description: MFAVerificationInterval optionally defines the maximum + duration that can elapse between successive MFA verifications. 
+ This variable is used to ensure that users are periodically + prompted to verify their identity, enhancing security by preventing + prolonged sessions without re-authentication when using tsh + proxy * derivatives. It's only effective if the session requires + MFA. If not set, defaults to `max_session_ttl`. + format: duration + type: string + permit_x11_forwarding: + description: PermitX11Forwarding authorizes use of X11 forwarding. + type: boolean + pin_source_ip: + description: PinSourceIP forces the same client IP for certificate + generation and usage + type: boolean + port_forwarding: + description: 'Deprecated: Use SSHPortForwarding instead' + type: boolean + record_session: + description: RecordDesktopSession indicates whether desktop access + sessions should be recorded. It defaults to true unless explicitly + set to false. + nullable: true + properties: + default: + description: Default indicates the default value for the services. + type: string + desktop: + description: Desktop indicates whether desktop sessions should + be recorded. It defaults to true unless explicitly set to + false. + type: boolean + ssh: + description: SSH indicates the session mode used on SSH sessions. + type: string + type: object + request_access: + description: RequestAccess defines the request strategy (optional|reason|always) + where optional is the default. + type: string + request_prompt: + description: RequestPrompt is an optional message which tells + users what they aught to request. + type: string + require_session_mfa: + description: RequireMFAType is the type of MFA requirement enforced + for this user. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", + 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN". + x-kubernetes-int-or-string: true + ssh_file_copy: + description: SSHFileCopy indicates whether remote file operations + via SCP or SFTP are allowed over an SSH session. 
It defaults + to true unless explicitly set to false. + type: boolean + ssh_port_forwarding: + description: SSHPortForwarding configures what types of SSH port + forwarding are allowed by a role. + nullable: true + properties: + local: + description: Allow local port forwarding. + nullable: true + properties: + enabled: + type: boolean + type: object + remote: + description: Allow remote port forwarding. + nullable: true + properties: + enabled: + type: boolean + type: object + type: object + type: object + type: object + status: + description: Status defines the observed state of the Teleport resource + properties: + conditions: + description: Conditions represent the latest available observations + of an object's state + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. 
+ The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + teleportResourceID: + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/teleport-cluster-17.4.9/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv7.yaml b/teleport-cluster-17.4.9/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv7.yaml new file mode 100644 index 0000000..2f43956 --- /dev/null +++ b/teleport-cluster-17.4.9/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv7.yaml 
@@ -0,0 +1,1496 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: teleportrolesv7.resources.teleport.dev +spec: + group: resources.teleport.dev + names: + kind: TeleportRoleV7 + listKind: TeleportRoleV7List + plural: teleportrolesv7 + shortNames: + - rolev7 + - rolesv7 + singular: teleportrolev7 + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: RoleV7 is the Schema for the rolesv7 API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Role resource definition v7 from Teleport + properties: + allow: + description: Allow is the set of conditions evaluated to grant access. + properties: + account_assignments: + description: AccountAssignments holds the list of account assignments + affected by this condition. + items: + properties: + account: + type: string + permission_set: + type: string + type: object + type: array + app_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: AppLabels is a map of labels used as part of the + RBAC system. + type: object + app_labels_expression: + description: AppLabelsExpression is a predicate expression used + to allow/deny access to Apps. 
+ type: string + aws_role_arns: + description: AWSRoleARNs is a list of AWS role ARNs this role + is allowed to assume. + items: + type: string + nullable: true + type: array + azure_identities: + description: AzureIdentities is a list of Azure identities this + role is allowed to assume. + items: + type: string + nullable: true + type: array + cluster_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: ClusterLabels is a map of node labels (used to dynamically + grant access to clusters). + type: object + cluster_labels_expression: + description: ClusterLabelsExpression is a predicate expression + used to allow/deny access to remote Teleport clusters. + type: string + db_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: DatabaseLabels are used in RBAC system to allow/deny + access to databases. + type: object + db_labels_expression: + description: DatabaseLabelsExpression is a predicate expression + used to allow/deny access to Databases. + type: string + db_names: + description: DatabaseNames is a list of database names this role + is allowed to connect to. + items: + type: string + nullable: true + type: array + db_permissions: + description: DatabasePermissions specifies a set of permissions + that will be granted to the database user when using automatic + database user provisioning. + items: + properties: + match: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: Match is a list of object labels that must + be matched for the permission to be granted. + type: object + permissions: + description: Permission is the list of string representations + of the permission to be given, e.g. SELECT, INSERT, UPDATE, + ... + items: + type: string + nullable: true + type: array + type: object + type: array + db_roles: + description: DatabaseRoles is a list of databases roles for automatic + user creation. 
+ items: + type: string + nullable: true + type: array + db_service_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: DatabaseServiceLabels are used in RBAC system to + allow/deny access to Database Services. + type: object + db_service_labels_expression: + description: DatabaseServiceLabelsExpression is a predicate expression + used to allow/deny access to Database Services. + type: string + db_users: + description: DatabaseUsers is a list of databases users this role + is allowed to connect as. + items: + type: string + nullable: true + type: array + desktop_groups: + description: DesktopGroups is a list of groups for created desktop + users to be added to + items: + type: string + nullable: true + type: array + gcp_service_accounts: + description: GCPServiceAccounts is a list of GCP service accounts + this role is allowed to assume. + items: + type: string + nullable: true + type: array + github_permissions: + description: GitHubPermissions defines GitHub integration related + permissions. + items: + properties: + orgs: + items: + type: string + nullable: true + type: array + type: object + type: array + group_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: GroupLabels is a map of labels used as part of the + RBAC system. + type: object + group_labels_expression: + description: GroupLabelsExpression is a predicate expression used + to allow/deny access to user groups. + type: string + host_groups: + description: HostGroups is a list of groups for created users + to be added to + items: + type: string + nullable: true + type: array + host_sudoers: + description: HostSudoers is a list of entries to include in a + users sudoer file + items: + type: string + nullable: true + type: array + impersonate: + description: Impersonate specifies what users and roles this role + is allowed to impersonate by issuing certificates or other possible + means. 
+ nullable: true + properties: + roles: + description: Roles is a list of resources this role is allowed + to impersonate + items: + type: string + nullable: true + type: array + users: + description: Users is a list of resources this role is allowed + to impersonate, could be an empty list or a Wildcard pattern + items: + type: string + nullable: true + type: array + where: + description: Where specifies optional advanced matcher + type: string + type: object + join_sessions: + description: JoinSessions specifies policies to allow users to + join other sessions. + items: + properties: + kinds: + description: Kinds are the session kinds this policy applies + to. + items: + type: string + nullable: true + type: array + modes: + description: Modes is a list of permitted participant modes + for this policy. + items: + type: string + nullable: true + type: array + name: + description: Name is the name of the policy. + type: string + roles: + description: Roles is a list of roles that you can join + the session of. + items: + type: string + nullable: true + type: array + type: object + nullable: true + type: array + kubernetes_groups: + description: KubeGroups is a list of kubernetes groups + items: + type: string + nullable: true + type: array + kubernetes_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: KubernetesLabels is a map of kubernetes cluster labels + used for RBAC. + type: object + kubernetes_labels_expression: + description: KubernetesLabelsExpression is a predicate expression + used to allow/deny access to kubernetes clusters. + type: string + kubernetes_resources: + description: KubernetesResources is the Kubernetes Resources this + Role grants access to. + items: + properties: + kind: + description: Kind specifies the Kubernetes Resource type. + type: string + name: + description: Name is the resource name. It supports wildcards. + type: string + namespace: + description: Namespace is the resource namespace. 
It supports + wildcards. + type: string + verbs: + description: Verbs are the allowed Kubernetes verbs for + the following resource. + items: + type: string + nullable: true + type: array + type: object + type: array + kubernetes_users: + description: KubeUsers is an optional kubernetes users to impersonate + items: + type: string + nullable: true + type: array + logins: + description: Logins is a list of *nix system logins. + items: + type: string + nullable: true + type: array + node_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: NodeLabels is a map of node labels (used to dynamically + grant access to nodes). + type: object + node_labels_expression: + description: NodeLabelsExpression is a predicate expression used + to allow/deny access to SSH nodes. + type: string + request: + nullable: true + properties: + annotations: + additionalProperties: + items: + type: string + type: array + description: Annotations is a collection of annotations to + be programmatically appended to pending Access Requests + at the time of their creation. These annotations serve as + a mechanism to propagate extra information to plugins. Since + these annotations support variable interpolation syntax, + they also offer a mechanism for forwarding claims from an + external identity provider, to a plugin via `{{external.trait_name}}` + style substitutions. + type: object + claims_to_roles: + description: ClaimsToRoles specifies a mapping from claims + (traits) to teleport roles. + items: + properties: + claim: + description: Claim is a claim name. + type: string + roles: + description: Roles is a list of static teleport roles + to match. + items: + type: string + nullable: true + type: array + value: + description: Value is a claim value to match. + type: string + type: object + type: array + kubernetes_resources: + description: 'kubernetes_resources can optionally enforce + a requester to request only certain kinds of kube resources. 
+ Eg: Users can make request to either a resource kind "kube_cluster" + or any of its subresources like "namespaces". This field + can be defined such that it prevents a user from requesting + "kube_cluster" and enforce requesting any of its subresources.' + items: + properties: + kind: + description: kind specifies the Kubernetes Resource + type. + type: string + type: object + type: array + max_duration: + description: MaxDuration is the amount of time the access + will be granted for. If this is zero, the default duration + is used. + format: duration + type: string + reason: + description: Reason defines settings for the reason for the + access provided by the user. + nullable: true + properties: + mode: + description: Mode can be either "required" or "optional". + Empty string is treated as "optional". If a role has + the request reason mode set to "required", then reason + is required for all Access Requests requesting roles + or resources allowed by this role. It applies only to + users who have this role assigned. + type: string + type: object + roles: + description: Roles is the name of roles which will match the + request rule. + items: + type: string + nullable: true + type: array + search_as_roles: + description: SearchAsRoles is a list of extra roles which + should apply to a user while they are searching for resources + as part of a Resource Access Request, and defines the underlying + roles which will be requested as part of any Resource Access + Request. + items: + type: string + nullable: true + type: array + suggested_reviewers: + description: SuggestedReviewers is a list of reviewer suggestions. These + can be teleport usernames, but that is not a requirement. + items: + type: string + nullable: true + type: array + thresholds: + description: Thresholds is a list of thresholds, one of which + must be met in order for reviews to trigger a state-transition. If + no thresholds are provided, a default threshold of 1 for + approval and denial is used. 
+ items: + properties: + approve: + description: Approve is the number of matching approvals + needed for state-transition. + format: int32 + type: integer + deny: + description: Deny is the number of denials needed for + state-transition. + format: int32 + type: integer + filter: + description: Filter is an optional predicate used to + determine which reviews count toward this threshold. + type: string + name: + description: Name is the optional human-readable name + of the threshold. + type: string + type: object + type: array + type: object + require_session_join: + description: RequireSessionJoin specifies policies for required + users to start a session. + items: + properties: + count: + description: Count is the amount of people that need to + be matched for this policy to be fulfilled. + format: int32 + type: integer + filter: + description: Filter is a predicate that determines what + users count towards this policy. + type: string + kinds: + description: Kinds are the session kinds this policy applies + to. + items: + type: string + nullable: true + type: array + modes: + description: Modes is the list of modes that may be used + to fulfill this policy. + items: + type: string + nullable: true + type: array + name: + description: Name is the name of the policy. + type: string + on_leave: + description: OnLeave is the behaviour that's used when the + policy is no longer fulfilled for a live session. + type: string + type: object + nullable: true + type: array + review_requests: + description: ReviewRequests defines conditions for submitting + access reviews. + nullable: true + properties: + claims_to_roles: + description: ClaimsToRoles specifies a mapping from claims + (traits) to teleport roles. + items: + properties: + claim: + description: Claim is a claim name. + type: string + roles: + description: Roles is a list of static teleport roles + to match. 
+ items: + type: string + nullable: true + type: array + value: + description: Value is a claim value to match. + type: string + type: object + type: array + preview_as_roles: + description: PreviewAsRoles is a list of extra roles which + should apply to a reviewer while they are viewing a Resource + Access Request for the purposes of viewing details such + as the hostname and labels of requested resources. + items: + type: string + nullable: true + type: array + roles: + description: Roles is the name of roles which may be reviewed. + items: + type: string + nullable: true + type: array + where: + description: Where is an optional predicate which further + limits which requests are reviewable. + type: string + type: object + rules: + description: Rules is a list of rules and their access levels. + Rules are a high level construct used for access control. + items: + properties: + actions: + description: Actions specifies optional actions taken when + this rule matches + items: + type: string + nullable: true + type: array + resources: + description: Resources is a list of resources + items: + type: string + nullable: true + type: array + verbs: + description: Verbs is a list of verbs + items: + type: string + nullable: true + type: array + where: + description: Where specifies optional advanced matcher + type: string + type: object + type: array + spiffe: + description: SPIFFE is used to allow or deny access to a role + holder to generating a SPIFFE SVID. + items: + properties: + dns_sans: + description: 'DNSSANs specifies matchers for the SPIFFE + ID DNS SANs. Each requested DNS SAN is compared against + all matchers configured and if any match, the condition + is considered to be met. The matcher by default allows + ''*'' to be used to indicate zero or more of any character. + Prepend ''^'' and append ''$'' to instead switch to matching + using the Go regex syntax. 
Example: *.example.com would + match foo.example.com' + items: + type: string + nullable: true + type: array + ip_sans: + description: 'IPSANs specifies matchers for the SPIFFE ID + IP SANs. Each requested IP SAN is compared against all + matchers configured and if any match, the condition is + considered to be met. The matchers should be specified + using CIDR notation, it supports IPv4 and IPv6. Examples: + - 10.0.0.0/24 would match 10.0.0.0 to 10.255.255.255 - + 10.0.0.42/32 would match only 10.0.0.42' + items: + type: string + nullable: true + type: array + path: + description: 'Path specifies a matcher for the SPIFFE ID + path. It should not include the trust domain and should + start with a leading slash. The matcher by default allows + ''*'' to be used to indicate zero or more of any character. + Prepend ''^'' and append ''$'' to instead switch to matching + using the Go regex syntax. Example: - /svc/foo/*/bar + would match /svc/foo/baz/bar - ^\/svc\/foo\/.*\/bar$ would + match /svc/foo/baz/bar' + type: string + type: object + nullable: true + type: array + windows_desktop_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: WindowsDesktopLabels are used in the RBAC system + to allow/deny access to Windows desktops. + type: object + windows_desktop_labels_expression: + description: WindowsDesktopLabelsExpression is a predicate expression + used to allow/deny access to Windows desktops. + type: string + windows_desktop_logins: + description: WindowsDesktopLogins is a list of desktop login names + allowed/denied for Windows desktops. + items: + type: string + nullable: true + type: array + workload_identity_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: WorkloadIdentityLabels controls whether or not specific + WorkloadIdentity resources can be invoked. Further authorization + controls exist on the WorkloadIdentity resource itself. 
+ type: object + workload_identity_labels_expression: + description: WorkloadIdentityLabelsExpression is a predicate expression + used to allow/deny access to issuing a WorkloadIdentity. + type: string + type: object + deny: + description: Deny is the set of conditions evaluated to deny access. + Deny takes priority over allow. + properties: + account_assignments: + description: AccountAssignments holds the list of account assignments + affected by this condition. + items: + properties: + account: + type: string + permission_set: + type: string + type: object + type: array + app_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: AppLabels is a map of labels used as part of the + RBAC system. + type: object + app_labels_expression: + description: AppLabelsExpression is a predicate expression used + to allow/deny access to Apps. + type: string + aws_role_arns: + description: AWSRoleARNs is a list of AWS role ARNs this role + is allowed to assume. + items: + type: string + nullable: true + type: array + azure_identities: + description: AzureIdentities is a list of Azure identities this + role is allowed to assume. + items: + type: string + nullable: true + type: array + cluster_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: ClusterLabels is a map of node labels (used to dynamically + grant access to clusters). + type: object + cluster_labels_expression: + description: ClusterLabelsExpression is a predicate expression + used to allow/deny access to remote Teleport clusters. + type: string + db_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: DatabaseLabels are used in RBAC system to allow/deny + access to databases. + type: object + db_labels_expression: + description: DatabaseLabelsExpression is a predicate expression + used to allow/deny access to Databases. 
+ type: string + db_names: + description: DatabaseNames is a list of database names this role + is allowed to connect to. + items: + type: string + nullable: true + type: array + db_permissions: + description: DatabasePermissions specifies a set of permissions + that will be granted to the database user when using automatic + database user provisioning. + items: + properties: + match: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: Match is a list of object labels that must + be matched for the permission to be granted. + type: object + permissions: + description: Permission is the list of string representations + of the permission to be given, e.g. SELECT, INSERT, UPDATE, + ... + items: + type: string + nullable: true + type: array + type: object + type: array + db_roles: + description: DatabaseRoles is a list of databases roles for automatic + user creation. + items: + type: string + nullable: true + type: array + db_service_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: DatabaseServiceLabels are used in RBAC system to + allow/deny access to Database Services. + type: object + db_service_labels_expression: + description: DatabaseServiceLabelsExpression is a predicate expression + used to allow/deny access to Database Services. + type: string + db_users: + description: DatabaseUsers is a list of databases users this role + is allowed to connect as. + items: + type: string + nullable: true + type: array + desktop_groups: + description: DesktopGroups is a list of groups for created desktop + users to be added to + items: + type: string + nullable: true + type: array + gcp_service_accounts: + description: GCPServiceAccounts is a list of GCP service accounts + this role is allowed to assume. + items: + type: string + nullable: true + type: array + github_permissions: + description: GitHubPermissions defines GitHub integration related + permissions. 
+ items: + properties: + orgs: + items: + type: string + nullable: true + type: array + type: object + type: array + group_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: GroupLabels is a map of labels used as part of the + RBAC system. + type: object + group_labels_expression: + description: GroupLabelsExpression is a predicate expression used + to allow/deny access to user groups. + type: string + host_groups: + description: HostGroups is a list of groups for created users + to be added to + items: + type: string + nullable: true + type: array + host_sudoers: + description: HostSudoers is a list of entries to include in a + users sudoer file + items: + type: string + nullable: true + type: array + impersonate: + description: Impersonate specifies what users and roles this role + is allowed to impersonate by issuing certificates or other possible + means. + nullable: true + properties: + roles: + description: Roles is a list of resources this role is allowed + to impersonate + items: + type: string + nullable: true + type: array + users: + description: Users is a list of resources this role is allowed + to impersonate, could be an empty list or a Wildcard pattern + items: + type: string + nullable: true + type: array + where: + description: Where specifies optional advanced matcher + type: string + type: object + join_sessions: + description: JoinSessions specifies policies to allow users to + join other sessions. + items: + properties: + kinds: + description: Kinds are the session kinds this policy applies + to. + items: + type: string + nullable: true + type: array + modes: + description: Modes is a list of permitted participant modes + for this policy. + items: + type: string + nullable: true + type: array + name: + description: Name is the name of the policy. + type: string + roles: + description: Roles is a list of roles that you can join + the session of. 
+ items: + type: string + nullable: true + type: array + type: object + nullable: true + type: array + kubernetes_groups: + description: KubeGroups is a list of kubernetes groups + items: + type: string + nullable: true + type: array + kubernetes_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: KubernetesLabels is a map of kubernetes cluster labels + used for RBAC. + type: object + kubernetes_labels_expression: + description: KubernetesLabelsExpression is a predicate expression + used to allow/deny access to kubernetes clusters. + type: string + kubernetes_resources: + description: KubernetesResources is the Kubernetes Resources this + Role grants access to. + items: + properties: + kind: + description: Kind specifies the Kubernetes Resource type. + type: string + name: + description: Name is the resource name. It supports wildcards. + type: string + namespace: + description: Namespace is the resource namespace. It supports + wildcards. + type: string + verbs: + description: Verbs are the allowed Kubernetes verbs for + the following resource. + items: + type: string + nullable: true + type: array + type: object + type: array + kubernetes_users: + description: KubeUsers is an optional kubernetes users to impersonate + items: + type: string + nullable: true + type: array + logins: + description: Logins is a list of *nix system logins. + items: + type: string + nullable: true + type: array + node_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: NodeLabels is a map of node labels (used to dynamically + grant access to nodes). + type: object + node_labels_expression: + description: NodeLabelsExpression is a predicate expression used + to allow/deny access to SSH nodes. 
+ type: string + request: + nullable: true + properties: + annotations: + additionalProperties: + items: + type: string + type: array + description: Annotations is a collection of annotations to + be programmatically appended to pending Access Requests + at the time of their creation. These annotations serve as + a mechanism to propagate extra information to plugins. Since + these annotations support variable interpolation syntax, + they also offer a mechanism for forwarding claims from an + external identity provider, to a plugin via `{{external.trait_name}}` + style substitutions. + type: object + claims_to_roles: + description: ClaimsToRoles specifies a mapping from claims + (traits) to teleport roles. + items: + properties: + claim: + description: Claim is a claim name. + type: string + roles: + description: Roles is a list of static teleport roles + to match. + items: + type: string + nullable: true + type: array + value: + description: Value is a claim value to match. + type: string + type: object + type: array + kubernetes_resources: + description: 'kubernetes_resources can optionally enforce + a requester to request only certain kinds of kube resources. + Eg: Users can make request to either a resource kind "kube_cluster" + or any of its subresources like "namespaces". This field + can be defined such that it prevents a user from requesting + "kube_cluster" and enforce requesting any of its subresources.' + items: + properties: + kind: + description: kind specifies the Kubernetes Resource + type. + type: string + type: object + type: array + max_duration: + description: MaxDuration is the amount of time the access + will be granted for. If this is zero, the default duration + is used. + format: duration + type: string + reason: + description: Reason defines settings for the reason for the + access provided by the user. + nullable: true + properties: + mode: + description: Mode can be either "required" or "optional". + Empty string is treated as "optional". 
If a role has + the request reason mode set to "required", then reason + is required for all Access Requests requesting roles + or resources allowed by this role. It applies only to + users who have this role assigned. + type: string + type: object + roles: + description: Roles is the name of roles which will match the + request rule. + items: + type: string + nullable: true + type: array + search_as_roles: + description: SearchAsRoles is a list of extra roles which + should apply to a user while they are searching for resources + as part of a Resource Access Request, and defines the underlying + roles which will be requested as part of any Resource Access + Request. + items: + type: string + nullable: true + type: array + suggested_reviewers: + description: SuggestedReviewers is a list of reviewer suggestions. These + can be teleport usernames, but that is not a requirement. + items: + type: string + nullable: true + type: array + thresholds: + description: Thresholds is a list of thresholds, one of which + must be met in order for reviews to trigger a state-transition. If + no thresholds are provided, a default threshold of 1 for + approval and denial is used. + items: + properties: + approve: + description: Approve is the number of matching approvals + needed for state-transition. + format: int32 + type: integer + deny: + description: Deny is the number of denials needed for + state-transition. + format: int32 + type: integer + filter: + description: Filter is an optional predicate used to + determine which reviews count toward this threshold. + type: string + name: + description: Name is the optional human-readable name + of the threshold. + type: string + type: object + type: array + type: object + require_session_join: + description: RequireSessionJoin specifies policies for required + users to start a session. + items: + properties: + count: + description: Count is the amount of people that need to + be matched for this policy to be fulfilled. 
+ format: int32 + type: integer + filter: + description: Filter is a predicate that determines what + users count towards this policy. + type: string + kinds: + description: Kinds are the session kinds this policy applies + to. + items: + type: string + nullable: true + type: array + modes: + description: Modes is the list of modes that may be used + to fulfill this policy. + items: + type: string + nullable: true + type: array + name: + description: Name is the name of the policy. + type: string + on_leave: + description: OnLeave is the behaviour that's used when the + policy is no longer fulfilled for a live session. + type: string + type: object + nullable: true + type: array + review_requests: + description: ReviewRequests defines conditions for submitting + access reviews. + nullable: true + properties: + claims_to_roles: + description: ClaimsToRoles specifies a mapping from claims + (traits) to teleport roles. + items: + properties: + claim: + description: Claim is a claim name. + type: string + roles: + description: Roles is a list of static teleport roles + to match. + items: + type: string + nullable: true + type: array + value: + description: Value is a claim value to match. + type: string + type: object + type: array + preview_as_roles: + description: PreviewAsRoles is a list of extra roles which + should apply to a reviewer while they are viewing a Resource + Access Request for the purposes of viewing details such + as the hostname and labels of requested resources. + items: + type: string + nullable: true + type: array + roles: + description: Roles is the name of roles which may be reviewed. + items: + type: string + nullable: true + type: array + where: + description: Where is an optional predicate which further + limits which requests are reviewable. + type: string + type: object + rules: + description: Rules is a list of rules and their access levels. + Rules are a high level construct used for access control. 
+ items: + properties: + actions: + description: Actions specifies optional actions taken when + this rule matches + items: + type: string + nullable: true + type: array + resources: + description: Resources is a list of resources + items: + type: string + nullable: true + type: array + verbs: + description: Verbs is a list of verbs + items: + type: string + nullable: true + type: array + where: + description: Where specifies optional advanced matcher + type: string + type: object + type: array + spiffe: + description: SPIFFE is used to allow or deny access to a role + holder to generating a SPIFFE SVID. + items: + properties: + dns_sans: + description: 'DNSSANs specifies matchers for the SPIFFE + ID DNS SANs. Each requested DNS SAN is compared against + all matchers configured and if any match, the condition + is considered to be met. The matcher by default allows + ''*'' to be used to indicate zero or more of any character. + Prepend ''^'' and append ''$'' to instead switch to matching + using the Go regex syntax. Example: *.example.com would + match foo.example.com' + items: + type: string + nullable: true + type: array + ip_sans: + description: 'IPSANs specifies matchers for the SPIFFE ID + IP SANs. Each requested IP SAN is compared against all + matchers configured and if any match, the condition is + considered to be met. The matchers should be specified + using CIDR notation, it supports IPv4 and IPv6. Examples: + - 10.0.0.0/24 would match 10.0.0.0 to 10.255.255.255 - + 10.0.0.42/32 would match only 10.0.0.42' + items: + type: string + nullable: true + type: array + path: + description: 'Path specifies a matcher for the SPIFFE ID + path. It should not include the trust domain and should + start with a leading slash. The matcher by default allows + ''*'' to be used to indicate zero or more of any character. + Prepend ''^'' and append ''$'' to instead switch to matching + using the Go regex syntax. 
Example: - /svc/foo/*/bar + would match /svc/foo/baz/bar - ^\/svc\/foo\/.*\/bar$ would + match /svc/foo/baz/bar' + type: string + type: object + nullable: true + type: array + windows_desktop_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: WindowsDesktopLabels are used in the RBAC system + to allow/deny access to Windows desktops. + type: object + windows_desktop_labels_expression: + description: WindowsDesktopLabelsExpression is a predicate expression + used to allow/deny access to Windows desktops. + type: string + windows_desktop_logins: + description: WindowsDesktopLogins is a list of desktop login names + allowed/denied for Windows desktops. + items: + type: string + nullable: true + type: array + workload_identity_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: WorkloadIdentityLabels controls whether or not specific + WorkloadIdentity resources can be invoked. Further authorization + controls exist on the WorkloadIdentity resource itself. + type: object + workload_identity_labels_expression: + description: WorkloadIdentityLabelsExpression is a predicate expression + used to allow/deny access to issuing a WorkloadIdentity. + type: string + type: object + options: + description: Options is for OpenSSH options like agent forwarding. + properties: + cert_extensions: + description: CertExtensions specifies the key/values + items: + properties: + mode: + description: Mode is the type of extension to be used -- + currently critical-option is not supported. 0 is "extension". + x-kubernetes-int-or-string: true + name: + description: Name specifies the key to be used in the cert + extension. + type: string + type: + description: Type represents the certificate type being + extended, only ssh is supported at this time. 0 is "ssh". + x-kubernetes-int-or-string: true + value: + description: Value specifies the value to be used in the + cert extension. 
+ type: string + type: object + nullable: true + type: array + cert_format: + description: CertificateFormat defines the format of the user + certificate to allow compatibility with older versions of OpenSSH. + type: string + client_idle_timeout: + description: ClientIdleTimeout sets disconnect clients on idle + timeout behavior, if set to 0 means do not disconnect, otherwise + is set to the idle duration. + format: duration + type: string + create_db_user: + description: CreateDatabaseUser enabled automatic database user + creation. + type: boolean + create_db_user_mode: + description: CreateDatabaseUserMode allows users to be automatically + created on a database when not set to off. 0 is "unspecified", + 1 is "off", 2 is "keep", 3 is "best_effort_drop". + x-kubernetes-int-or-string: true + create_desktop_user: + description: CreateDesktopUser allows users to be automatically + created on a Windows desktop + type: boolean + create_host_user: + description: 'Deprecated: use CreateHostUserMode instead.' + type: boolean + create_host_user_default_shell: + description: CreateHostUserDefaultShell is used to configure the + default shell for newly provisioned host users. + type: string + create_host_user_mode: + description: CreateHostUserMode allows users to be automatically + created on a host when not set to off. 0 is "unspecified"; 1 + is "off"; 2 is "drop" (removed for v15 and above), 3 is "keep"; + 4 is "insecure-drop". + x-kubernetes-int-or-string: true + desktop_clipboard: + description: DesktopClipboard indicates whether clipboard sharing + is allowed between the user's workstation and the remote desktop. + It defaults to true unless explicitly set to false. + type: boolean + desktop_directory_sharing: + description: DesktopDirectorySharing indicates whether directory + sharing is allowed between the user's workstation and the remote + desktop. It defaults to false unless explicitly set to true. 
+ type: boolean + device_trust_mode: + description: DeviceTrustMode is the device authorization mode + used for the resources associated with the role. See DeviceTrust.Mode. + type: string + disconnect_expired_cert: + description: DisconnectExpiredCert sets disconnect clients on + expired certificates. + type: boolean + enhanced_recording: + description: BPF defines what events to record for the BPF-based + session recorder. + items: + type: string + nullable: true + type: array + forward_agent: + description: ForwardAgent is SSH agent forwarding. + type: boolean + idp: + description: IDP is a set of options related to accessing IdPs + within Teleport. Requires Teleport Enterprise. + nullable: true + properties: + saml: + description: SAML are options related to the Teleport SAML + IdP. + nullable: true + properties: + enabled: + description: Enabled is set to true if this option allows + access to the Teleport SAML IdP. + type: boolean + type: object + type: object + lock: + description: Lock specifies the locking mode (strict|best_effort) + to be applied with the role. + type: string + max_connections: + description: MaxConnections defines the maximum number of concurrent + connections a user may hold. + format: int64 + type: integer + max_kubernetes_connections: + description: MaxKubernetesConnections defines the maximum number + of concurrent Kubernetes sessions a user may hold. + format: int64 + type: integer + max_session_ttl: + description: MaxSessionTTL defines how long a SSH session can + last for. + format: duration + type: string + max_sessions: + description: MaxSessions defines the maximum number of concurrent + sessions per connection. + format: int64 + type: integer + mfa_verification_interval: + description: MFAVerificationInterval optionally defines the maximum + duration that can elapse between successive MFA verifications. 
+ This variable is used to ensure that users are periodically + prompted to verify their identity, enhancing security by preventing + prolonged sessions without re-authentication when using tsh + proxy * derivatives. It's only effective if the session requires + MFA. If not set, defaults to `max_session_ttl`. + format: duration + type: string + permit_x11_forwarding: + description: PermitX11Forwarding authorizes use of X11 forwarding. + type: boolean + pin_source_ip: + description: PinSourceIP forces the same client IP for certificate + generation and usage + type: boolean + port_forwarding: + description: 'Deprecated: Use SSHPortForwarding instead' + type: boolean + record_session: + description: RecordDesktopSession indicates whether desktop access + sessions should be recorded. It defaults to true unless explicitly + set to false. + nullable: true + properties: + default: + description: Default indicates the default value for the services. + type: string + desktop: + description: Desktop indicates whether desktop sessions should + be recorded. It defaults to true unless explicitly set to + false. + type: boolean + ssh: + description: SSH indicates the session mode used on SSH sessions. + type: string + type: object + request_access: + description: RequestAccess defines the request strategy (optional|reason|always) + where optional is the default. + type: string + request_prompt: + description: RequestPrompt is an optional message which tells + users what they aught to request. + type: string + require_session_mfa: + description: RequireMFAType is the type of MFA requirement enforced + for this user. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", + 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN". + x-kubernetes-int-or-string: true + ssh_file_copy: + description: SSHFileCopy indicates whether remote file operations + via SCP or SFTP are allowed over an SSH session. 
It defaults + to true unless explicitly set to false. + type: boolean + ssh_port_forwarding: + description: SSHPortForwarding configures what types of SSH port + forwarding are allowed by a role. + nullable: true + properties: + local: + description: Allow local port forwarding. + nullable: true + properties: + enabled: + type: boolean + type: object + remote: + description: Allow remote port forwarding. + nullable: true + properties: + enabled: + type: boolean + type: object + type: object + type: object + type: object + status: + description: Status defines the observed state of the Teleport resource + properties: + conditions: + description: Conditions represent the latest available observations + of an object's state + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. 
+ The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + teleportResourceID: + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/teleport-cluster-17.4.9/charts/teleport-operator/operator-crds/resources.teleport.dev_samlconnectors.yaml b/teleport-cluster-17.4.9/charts/teleport-operator/operator-crds/resources.teleport.dev_samlconnectors.yaml new file mode 100644 index 0000000..c681433 --- /dev/null +++ b/teleport-cluster-17.4.9/charts/teleport-operator/operator-crds/resources.teleport.dev_samlconnectors.yaml 
@@ -0,0 +1,265 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: teleportsamlconnectors.resources.teleport.dev +spec: + group: resources.teleport.dev + names: + kind: TeleportSAMLConnector + listKind: TeleportSAMLConnectorList + plural: teleportsamlconnectors + shortNames: + - samlconnector + - samlconnectors + singular: teleportsamlconnector + scope: Namespaced + versions: + - name: v2 + schema: + openAPIV3Schema: + description: SAMLConnector is the Schema for the samlconnectors API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: SAMLConnector resource definition v2 from Teleport + properties: + acs: + description: AssertionConsumerService is a URL for assertion consumer + service on the service provider (Teleport's side). + type: string + allow_idp_initiated: + description: AllowIDPInitiated is a flag that indicates if the connector + can be used for IdP-initiated logins. + type: boolean + assertion_key_pair: + description: EncryptionKeyPair is a key pair used for decrypting SAML + assertions. + nullable: true + properties: + cert: + description: Cert is a PEM-encoded x509 certificate. + type: string + private_key: + description: PrivateKey is a PEM encoded x509 private key. 
+ type: string + type: object + attributes_to_roles: + description: AttributesToRoles is a list of mappings of attribute + statements to roles. + items: + properties: + name: + description: Name is an attribute statement name. + type: string + roles: + description: Roles is a list of static teleport roles to map + to. + items: + type: string + nullable: true + type: array + value: + description: Value is an attribute statement value to match. + type: string + type: object + type: array + audience: + description: Audience uniquely identifies our service provider. + type: string + cert: + description: Cert is the identity provider certificate PEM. IDP signs + `` responses using this certificate. + type: string + client_redirect_settings: + description: ClientRedirectSettings defines which client redirect + URLs are allowed for non-browser SSO logins other than the standard + localhost ones. + nullable: true + properties: + allowed_https_hostnames: + description: a list of hostnames allowed for https client redirect + URLs + items: + type: string + nullable: true + type: array + insecure_allowed_cidr_ranges: + description: a list of CIDRs allowed for HTTP or HTTPS client + redirect URLs + items: + type: string + nullable: true + type: array + type: object + display: + description: Display controls how this connector is displayed. + type: string + entity_descriptor: + description: EntityDescriptor is XML with descriptor. It can be used + to supply configuration parameters in one XML file rather than supplying + them in the individual elements. + type: string + entity_descriptor_url: + description: EntityDescriptorURL is a URL that supplies a configuration + XML. + type: string + force_authn: + description: ForceAuthn specified whether re-authentication should + be forced on login. UNSPECIFIED is treated as NO. + x-kubernetes-int-or-string: true + issuer: + description: Issuer is the identity provider issuer. 
+ type: string + mfa: + description: MFASettings contains settings to enable SSO MFA checks + through this auth connector. + nullable: true + properties: + cert: + description: Cert is the identity provider certificate PEM. IDP + signs `` responses using this certificate. + type: string + enabled: + description: Enabled specified whether this SAML connector supports + MFA checks. Defaults to false. + type: boolean + entity_descriptor: + description: EntityDescriptor is XML with descriptor. It can be + used to supply configuration parameters in one XML file rather + than supplying them in the individual elements. Usually set + from EntityDescriptorUrl. + type: string + entity_descriptor_url: + description: EntityDescriptorUrl is a URL that supplies a configuration + XML. + type: string + force_authn: + description: ForceAuthn specified whether re-authentication should + be forced for MFA checks. UNSPECIFIED is treated as YES to always + re-authentication for MFA checks. This should only be set to + NO if the IdP is setup to perform MFA checks on top of active + user sessions. + x-kubernetes-int-or-string: true + issuer: + description: Issuer is the identity provider issuer. Usually set + from EntityDescriptor. + type: string + sso: + description: SSO is the URL of the identity provider's SSO service. + Usually set from EntityDescriptor. + type: string + type: object + provider: + description: Provider is the external identity provider. + type: string + service_provider_issuer: + description: ServiceProviderIssuer is the issuer of the service provider + (Teleport). + type: string + signing_key_pair: + description: SigningKeyPair is an x509 key pair used to sign AuthnRequest. + nullable: true + properties: + cert: + description: Cert is a PEM-encoded x509 certificate. + type: string + private_key: + description: PrivateKey is a PEM encoded x509 private key. 
+ type: string + type: object + single_logout_url: + description: SingleLogoutURL is the SAML Single log-out URL to initiate + SAML SLO (single log-out). If this is not provided, SLO is disabled. + type: string + sso: + description: SSO is the URL of the identity provider's SSO service. + type: string + type: object + status: + description: Status defines the observed state of the Teleport resource + properties: + conditions: + description: Conditions represent the latest available observations + of an object's state + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. 
+ maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + teleportResourceID: + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/teleport-cluster-17.4.9/charts/teleport-operator/operator-crds/resources.teleport.dev_trustedclustersv2.yaml b/teleport-cluster-17.4.9/charts/teleport-operator/operator-crds/resources.teleport.dev_trustedclustersv2.yaml new file mode 100644 index 0000000..4cf1410 --- /dev/null +++ b/teleport-cluster-17.4.9/charts/teleport-operator/operator-crds/resources.teleport.dev_trustedclustersv2.yaml 
@@ -0,0 +1,149 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: teleporttrustedclustersv2.resources.teleport.dev +spec: + group: resources.teleport.dev + names: + kind: TeleportTrustedClusterV2 + listKind: TeleportTrustedClusterV2List + plural: teleporttrustedclustersv2 + shortNames: + - trustedclusterv2 + - trustedclustersv2 + singular: teleporttrustedclusterv2 + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: TrustedClusterV2 is the Schema for the trustedclustersv2 API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TrustedCluster resource definition v2 from Teleport + properties: + enabled: + description: Enabled is a bool that indicates if the TrustedCluster + is enabled or disabled. Setting Enabled to false has a side effect + of deleting the user and host certificate authority (CA). + type: boolean + role_map: + description: RoleMap specifies role mappings to remote roles. 
+ items: + properties: + local: + description: Local specifies local roles to map to + items: + type: string + nullable: true + type: array + remote: + description: Remote specifies remote role name to map from + type: string + type: object + type: array + token: + description: Token is the authorization token provided by another + cluster needed by this cluster to join. This field supports secret + lookup. See the operator documentation for more details. + type: string + tunnel_addr: + description: ReverseTunnelAddress is the address of the SSH proxy + server of the cluster to join. If not set, it is derived from `:`. + type: string + web_proxy_addr: + description: ProxyAddress is the address of the web proxy server of + the cluster to join. If not set, it is derived from `:`. + type: string + type: object + status: + description: Status defines the observed state of the Teleport resource + properties: + conditions: + description: Conditions represent the latest available observations + of an object's state + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. 
+ format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + teleportResourceID: + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/teleport-cluster-17.4.9/charts/teleport-operator/operator-crds/resources.teleport.dev_users.yaml b/teleport-cluster-17.4.9/charts/teleport-operator/operator-crds/resources.teleport.dev_users.yaml new file mode 100644 index 0000000..0c68b6d --- /dev/null +++ b/teleport-cluster-17.4.9/charts/teleport-operator/operator-crds/resources.teleport.dev_users.yaml 
@@ -0,0 +1,220 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: teleportusers.resources.teleport.dev +spec: + group: resources.teleport.dev + names: + kind: TeleportUser + listKind: TeleportUserList + plural: teleportusers + shortNames: + - user + - users + singular: teleportuser + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: List of Teleport roles granted to the user. + jsonPath: .spec.roles + name: Roles + type: string + - description: The age of this resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2 + schema: + openAPIV3Schema: + description: User is the Schema for the users API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: User resource definition v2 from Teleport + properties: + github_identities: + description: GithubIdentities list associated Github OAuth2 identities + that let user log in using externally verified identity + items: + properties: + connector_id: + description: ConnectorID is id of registered OIDC connector, + e.g. 'google-example.com' + type: string + samlSingleLogoutUrl: + description: SAMLSingleLogoutURL is the SAML Single log-out + URL to initiate SAML SLO (single log-out), if applicable. 
+ type: string + user_id: + description: UserID is the ID of the identity. Some connectors + like GitHub have an unique ID apart from the username. + type: string + username: + description: Username is username supplied by external identity + provider + type: string + type: object + type: array + oidc_identities: + description: OIDCIdentities lists associated OpenID Connect identities + that let user log in using externally verified identity + items: + properties: + connector_id: + description: ConnectorID is id of registered OIDC connector, + e.g. 'google-example.com' + type: string + samlSingleLogoutUrl: + description: SAMLSingleLogoutURL is the SAML Single log-out + URL to initiate SAML SLO (single log-out), if applicable. + type: string + user_id: + description: UserID is the ID of the identity. Some connectors + like GitHub have an unique ID apart from the username. + type: string + username: + description: Username is username supplied by external identity + provider + type: string + type: object + type: array + roles: + description: Roles is a list of roles assigned to user + items: + type: string + nullable: true + type: array + saml_identities: + description: SAMLIdentities lists associated SAML identities that + let user log in using externally verified identity + items: + properties: + connector_id: + description: ConnectorID is id of registered OIDC connector, + e.g. 'google-example.com' + type: string + samlSingleLogoutUrl: + description: SAMLSingleLogoutURL is the SAML Single log-out + URL to initiate SAML SLO (single log-out), if applicable. + type: string + user_id: + description: UserID is the ID of the identity. Some connectors + like GitHub have an unique ID apart from the username. 
+ type: string + username: + description: Username is username supplied by external identity + provider + type: string + type: object + type: array + traits: + additionalProperties: + items: + type: string + type: array + description: Traits are key/value pairs received from an identity + provider (through OIDC claims or SAML assertions) or from a system + administrator for local accounts. Traits are used to populate role + variables. + type: object + trusted_device_ids: + description: TrustedDeviceIDs contains the IDs of trusted devices + enrolled by the user. Note that SSO users are transient and thus + may contain an empty TrustedDeviceIDs field, even though the user->device + association exists under the Device Trust subsystem. Do not rely + on this field to determine device associations or ownership, it + exists for legacy/informative purposes only. Managed by the Device + Trust subsystem, avoid manual edits. + items: + type: string + nullable: true + type: array + type: object + status: + description: Status defines the observed state of the Teleport resource + properties: + conditions: + description: Conditions represent the latest available observations + of an object's state + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. 
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + teleportResourceID: + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/teleport-cluster-17.4.9/charts/teleport-operator/operator-crds/resources.teleport.dev_workloadidentitiesv1.yaml b/teleport-cluster-17.4.9/charts/teleport-operator/operator-crds/resources.teleport.dev_workloadidentitiesv1.yaml new file mode 100644 index 0000000..ccf4beb --- /dev/null +++ b/teleport-cluster-17.4.9/charts/teleport-operator/operator-crds/resources.teleport.dev_workloadidentitiesv1.yaml 
@@ -0,0 +1,273 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: teleportworkloadidentitiesv1.resources.teleport.dev +spec: + group: resources.teleport.dev + names: + kind: TeleportWorkloadIdentityV1 + listKind: TeleportWorkloadIdentityV1List + plural: teleportworkloadidentitiesv1 + shortNames: + - workloadidentityv1 + - workloadidentitiesv1 + singular: teleportworkloadidentityv1 + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: WorkloadIdentityV1 is the Schema for the workloadidentitiesv1 + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: WorkloadIdentity resource definition v1 from Teleport + properties: + rules: + description: The rules which are evaluated before the WorkloadIdentity + can be issued. + nullable: true + properties: + allow: + description: A list of rules used to determine if a WorkloadIdentity + can be issued. If none are provided, it will be considered a + pass. If any are provided, then at least one must pass for the + rules to be considered passed. + items: + properties: + conditions: + description: The conditions that must be met for this rule + to be considered passed. Mutually exclusive with expression. 
+ items: + properties: + attribute: + description: The name of the attribute to evaluate + the condition against. + type: string + eq: + description: The attribute casted to a string must + be equal to the value. + nullable: true + properties: + value: + description: The value to compare the attribute + against. + type: string + type: object + in: + description: The attribute casted to a string must + be in the list of values. + nullable: true + properties: + values: + description: The list of values to compare the + attribute against. + items: + type: string + nullable: true + type: array + type: object + not_eq: + description: The attribute casted to a string must + not be equal to the value. + nullable: true + properties: + value: + description: The value to compare the attribute + against. + type: string + type: object + not_in: + description: The attribute casted to a string must + not be in the list of values. + nullable: true + properties: + values: + description: The list of values to compare the + attribute against. + items: + type: string + nullable: true + type: array + type: object + type: object + nullable: true + type: array + expression: + description: An expression written in Teleport's predicate + language that must evaluate to true for this rule to be + considered passed. Mutually exclusive with conditions. + type: string + type: object + nullable: true + type: array + type: object + spiffe: + description: Configuration pertaining to the issuance of SPIFFE-compatible + workload identity credentials. + nullable: true + properties: + hint: + description: A freeform text field which is provided to workloads + along with a credential produced by this WorkloadIdentity. This + can be used to provide additional context that can be used to + select between multiple credentials. + type: string + id: + description: The path of the SPIFFE ID that will be issued to + the workload. This should be prefixed with a forward-slash + ("/"). 
This field supports templating using attributes. + type: string + jwt: + description: Configuration specific to JWT-SVIDs. + nullable: true + properties: + extra_claims: + additionalProperties: true + description: Additional claims that will be added to the JWT. + nullable: true + type: object + maximum_ttl: + description: Control the maximum TTL of JWT-SVIDs issued using + this WorkloadIdentity. If a JWT-SVID is requested with + a TTL greater than this value, then the returned JWT-SVID + will have a TTL of this value. Defaults to 24 hours. The + maximum this value can be set to is 24 hours. + format: duration + type: string + type: object + x509: + description: Configuration specific to X509-SVIDs. + nullable: true + properties: + dns_sans: + description: The DNS Subject Alternative Names (SANs) that + should be included in an X509-SVID issued using this WorkloadIdentity. Each + entry in this list supports templating using attributes. + items: + type: string + nullable: true + type: array + maximum_ttl: + description: Control the maximum TTL of X509-SVIDs issued + using this WorkloadIdentity. If a X509-SVID is requested + with a TTL greater than this value, then the returned X509-SVID + will have a TTL of this value. Defaults to 24 hours. The + maximum this value can be set to is 14 days. + format: duration + type: string + subject_template: + description: Used to configure the Subject Distinguished Name + (DN) of the X509-SVID. In most circumstances, it is recommended + to prefer relying on the SPIFFE ID encoded in the URI SAN. + However, the Subject DN may be needed to support legacy + systems designed for X509 and not SPIFFE/WIMSE. If not + provided, the X509-SVID will be issued with an empty Subject + DN. + nullable: true + properties: + common_name: + description: Common Name (CN) - 2.5.4.3 If empty, the + RDN will be omitted from the DN. + type: string + organization: + description: Organization (O) - 2.5.4.10 If empty, the + RDN will be omitted from the DN. 
+ type: string + organizational_unit: + description: Organizational Unit (OU) - 2.5.4.11 If empty, + the RDN will be omitted from the DN. + type: string + type: object + type: object + type: object + type: object + status: + description: Status defines the observed state of the Teleport resource + properties: + conditions: + description: Conditions represent the latest available observations + of an object's state + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + teleportResourceID: + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/teleport-cluster-17.4.9/charts/teleport-operator/templates/_helpers.tpl b/teleport-cluster-17.4.9/charts/teleport-operator/templates/_helpers.tpl new file mode 100644 index 0000000..3da8bed --- /dev/null +++ b/teleport-cluster-17.4.9/charts/teleport-operator/templates/_helpers.tpl 
@@ -0,0 +1,131 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "teleport-cluster.operator.name" -}}
+ {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+This is a modified version of the default fully qualified app name helper.
+We diverge by always honouring "nameOverride" when it's set, as opposed to the
+default behaviour of shortening if `nameOverride` is included in chart name.
+This is done to avoid naming conflicts when including th chart in `teleport-cluster`
+*/}}
+{{- define "teleport-cluster.operator.fullname" -}}
+ {{- if .Values.fullnameOverride }}
+ {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+ {{- else }}
+ {{- if .Values.nameOverride }}
+ {{- printf "%s-%s" .Release.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+ {{- else }}
+ {{- if contains .Chart.Name .Release.Name }}
+ {{- .Release.Name | trunc 63 | trimSuffix "-" }}
+ {{- else }}
+ {{- printf "%s-%s" .Release.Name .Chart.Name | trunc 63 | trimSuffix "-" }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+if serviceAccount is not defined or serviceAccount.name is empty, use .Release.Name
+*/}}
+{{- define "teleport-cluster.operator.serviceAccountName" -}}
+{{- coalesce .Values.serviceAccount.name (include "teleport-cluster.operator.fullname" .) -}}
+{{- end -}}
+
+{{- define "teleport-cluster.version" -}}
+{{- coalesce .Values.teleportVersionOverride .Chart.Version }}
+{{- end -}}
+
+{{- define "teleport-cluster.majorVersion" -}}
+{{- (semver (include "teleport-cluster.version" .)).Major -}}
+{{- end -}}
+
+{{/* Operator selector labels */}}
+{{- define "teleport-cluster.operator.selectorLabels" -}}
+app.kubernetes.io/name: '{{ include "teleport-cluster.operator.name" . }}'
+app.kubernetes.io/instance: '{{ .Release.Name }}'
+app.kubernetes.io/component: 'operator'
+{{- end -}}
+
+{{/* Operator all labels */}}
+{{- define "teleport-cluster.operator.labels" -}}
+{{ include "teleport-cluster.operator.selectorLabels" . }}
+helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
+app.kubernetes.io/managed-by: '{{ .Release.Service }}'
+app.kubernetes.io/version: '{{ include "teleport-cluster.version" . }}'
+teleport.dev/majorVersion: '{{ include "teleport-cluster.majorVersion" . }}'
+teleport.dev/release: '{{ include "teleport-cluster.operator.namespacedRelease" . }}'
+{{- end -}}
+
+{{/* Teleport auth or proxy address */}}
+{{- define "teleport-cluster.operator.teleportAddress" -}}
+{{- $clusterAddr := include "teleport-cluster.auth.serviceFQDN" . -}}
+{{- if empty $clusterAddr -}}
+ {{- required "The `teleportAddress` value is mandatory when deploying a standalone operator." .Values.teleportAddress -}}
+ {{- if and (eq .Values.joinMethod "kubernetes") (empty .Values.teleportClusterName) (not (hasSuffix ":3025" .Values.teleportAddress)) -}}
+ {{- fail "When joining using the Kubernetes JWKS join method, you must set the value `teleportClusterName`" -}}
+ {{- end -}}
+{{- else -}}
+ {{- $clusterAddr | printf "%s:3025" -}}
+{{- end -}}
+{{- end -}}
+
+{{- /* This template is a placeholder.
+If we are imported by the main chart "teleport-cluster" it is overridden*/ -}}
+{{- define "teleport-cluster.auth.serviceFQDN" -}}{{- end }}
+
+{{- /* This templates returns "true" or "false" describing if the CRDs should be deployed.
+If we have an explicit requirement ("always" or "never") things are easy.
+If we don't we check if the operator is enabled.
+However, we cannot just trash the CRDs if the operator is disabled, this causes
+a mass CR deletion and users will shoot themselves in the foot whith this
+(temporarily disabling the operator would cause havoc).
+So we check if there's a CRD already deployed, it that's the case, we keep the CRDs.
+*/ -}}
+{{- define "teleport-cluster.operator.shouldInstallCRDs" -}}
+ {{- if eq .Values.installCRDs "always" -}}
+ true
+ {{- else if eq .Values.installCRDs "never" -}}
+ false
+ {{- else if eq .Values.installCRDs "dynamic" -}}
+ {{- if .Values.enabled -}}
+ true
+ {{- else -}}
+ {{- include "teleport-cluster.operator.checkExistingCRDs" . -}}
+ {{- end -}}
+ {{- else -}}
+ {{- fail ".Values.installCRDs must be 'never', 'always' or 'dynamic'." -}}
+ {{- end -}}
+{{- end -}}
+
+{{- /* This template checks if a known CRD is depployed (rolev7) and owned by
+the release. As CRDs are not namespaced, we must use a custom annotation to avoid
+a conflict when two releases are deployed with the same name in different namespaces. */ -}}
+{{- define "teleport-cluster.operator.checkExistingCRDs" -}}
+ {{ $existingCRD := lookup "apiextensions.k8s.io/v1" "CustomResourceDefinition" "" "teleportrolesv7.resources.teleport.dev"}}
+ {{- if not $existingCRD -}}
+ false
+ {{- else -}}
+ {{- $release := index $existingCRD.metadata.labels "teleport.dev/release" }}
+ {{- if eq $release (include "teleport-cluster.operator.namespacedRelease" .) -}}
+ true
+ {{- else -}}
+ false
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+
+{{- /* This is a custom label containing the namespaced release.
+This is used to avoid conflicts for non-namespaced resources like CRDs. */ -}}
+{{- define "teleport-cluster.operator.namespacedRelease" -}}
+ {{ .Release.Namespace }}_{{ .Release.Name }}
+{{- end -}}
+
+{{- /* This is the object merged with CRDs manifests to enrich them (add labels). */ -}}
+{{- define "teleport-cluster.operator.crdOverrides" -}}
+metadata:
+ labels: {{- include "teleport-cluster.operator.labels" . | nindent 4 }}
+{{- end -}}
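Review bot: In `checkExistingCRDs`, `index $existingCRD.metadata.labels "teleport.dev/release"` is evaluated against whatever CRD is already on the cluster, and a CRD that was installed by another tool (or an older chart that used the plain `crds/` directory) may carry no labels at all; in that case `.metadata.labels` resolves to nil and I believe Go's `index` then fails the whole render rather than returning an empty string, which turns an upgrade with `installCRDs: dynamic` and `enabled: false` into a hard error. Defaulting the map avoids that: `{{- $release := index (default (dict) $existingCRD.metadata.labels) "teleport.dev/release" }}`. The comment above the helper says "custom annotation" while the code reads a label; `a custom label` would match what is actually checked.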
diff --git a/teleport-cluster-17.4.9/charts/teleport-operator/templates/crds.yaml b/teleport-cluster-17.4.9/charts/teleport-operator/templates/crds.yaml
new file mode 100644
index 0000000..feacc38
--- /dev/null
+++ b/teleport-cluster-17.4.9/charts/teleport-operator/templates/crds.yaml
@@ -0,0 +1,24 @@
+{{- /* This template iterates over every CRD in the `operator-crds/` directory
+and creates them if needed. It also adds common labels, like any other
+Helm-deployed resource.
+
+We cannot rely on the "crds/" Helm directory as Helm's strategy is "fire and forget".
+We have no way to update the CRDs after the initial deployment. As Teleport keeps
+adding new field to existing CRs, we need a deployment strategy that supports
+updating CRDs.
+
+The obvious solution would be to have a separate chart for CRs but we wanted to
+have everything functional in a single "helm install", hence the rube goldberg
+mechanism to try to guess what to do with the CRDs (see the implementation of
+shouldInstallCRDs in _helpers.yaml for more details). */ -}}
+{{- if eq (include "teleport-cluster.operator.shouldInstallCRDs" . ) "true" -}}
+{{ $currentScope := .}}
+{{ range $path, $_ := .Files.Glob "operator-crds/*" }}
+ {{- with $currentScope}}
+ {{- $crd := (.Files.Get $path | fromYaml) -}}
+ {{- $injectedCRD := mustMergeOverwrite $crd (include "teleport-cluster.operator.crdOverrides" $currentScope | fromYaml) -}}
+ {{- toYaml $injectedCRD -}}
+ {{- end }}
+---
+{{ end }}
+{{- end -}}
diff --git a/teleport-cluster-17.4.9/charts/teleport-operator/templates/deployment.yaml b/teleport-cluster-17.4.9/charts/teleport-operator/templates/deployment.yaml
new file mode 100644
index 0000000..ae0395a
--- /dev/null
+++ b/teleport-cluster-17.4.9/charts/teleport-operator/templates/deployment.yaml
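Review bot: The "dynamic" branch of `shouldInstallCRDs` that this template gates on relies on `lookup`, and `lookup` returns an empty result whenever the chart is rendered without cluster access (`helm template`, client-side `--dry-run`, and GitOps tools that render offline), so in those pipelines `installCRDs: dynamic` with `enabled: false` drops every CRD from the output and the sync then deletes the CRDs and all CRs — precisely the havoc the comment warns about. The header comment should state this limitation and recommend `installCRDs: always` for offline rendering, e.g. `Note: "dynamic" depends on lookup, which is empty under "helm template"; use "always" when rendering offline.` The same comment also points to `_helpers.yaml`, but the helper lives in `_helpers.tpl`.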
@@ -0,0 +1,163 @@
+{{- if .Values.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "teleport-cluster.operator.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "teleport-cluster.operator.labels" . | nindent 4 }}
+ {{- if .Values.labels.deployment }}
+ {{- toYaml .Values.labels.deployment | nindent 4 }}
+ {{- end }}
+ {{- if .Values.annotations.deployment }}
+ annotations: {{- toYaml .Values.annotations.deployment | nindent 4 }}
+ {{- end }}
+spec:
+ replicas: {{ .Values.highAvailability.replicaCount }}
+ strategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxSurge: 0
+ maxUnavailable: 1
+ selector:
+ matchLabels: {{- include "teleport-cluster.operator.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- if .Values.annotations.pod }}
+ annotations: {{- toYaml .Values.annotations.pod | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "teleport-cluster.operator.labels" . | nindent 8 }}
+ {{- if .Values.labels.pod }}
+ {{- toYaml .Values.labels.pod | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- if .Values.nodeSelector }}
+ nodeSelector: {{- toYaml .Values.nodeSelector | nindent 8 }}
+ {{- end }}
+ {{- if .Values.affinity }}
+ affinity: {{- toYaml .Values.affinity | nindent 8 }}
+ {{- end }}
+ {{- if .Values.tolerations }}
+ tolerations: {{- toYaml .Values.tolerations | nindent 8 }}
+ {{- end }}
+ {{- if .Values.imagePullSecrets }}
+ imagePullSecrets: {{- toYaml .Values.imagePullSecrets | nindent 8 }}
+ {{- end }}
+ containers:
+ - name: "operator"
+ image: '{{ .Values.image }}:{{ include "teleport-cluster.version" . }}'
+ imagePullPolicy: {{ .Values.imagePullPolicy }}
+ command:
+ - /teleport-operator
+ - -auth-server
+ - '{{ include "teleport-cluster.operator.teleportAddress" . }}'
+ - -join-method
+ - '{{ .Values.joinMethod }}'
+ - -token
+ - '{{ .Values.token }}'
+ {{- if .Values.caPins }}
+ - -ca-pin
+ - '{{ join "," .Values.caPins }}'
+ {{- end }}
+ {{- if or (.Values.tls.existingCASecretName) (.Values.teleportClusterName) }}
+ env:
+ {{- if .Values.tls.existingCASecretName }}
+ - name: SSL_CERT_FILE
+ value: /etc/teleport-tls-ca/ca.pem
+ {{- end }}
+ {{- if .Values.teleportClusterName }}
+ - name: KUBERNETES_TOKEN_PATH
+ value: /var/run/secrets/teleport/serviceaccount/token
+ {{- end }}
+ {{- end }}
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8081
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 8081
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ ports:
+ - name: op-metrics
+ containerPort: 8080
+ protocol: TCP
+ - name: op-health
+ containerPort: 8081
+ protocol: TCP
+ {{- if .Values.securityContext }}
+ securityContext: {{- toYaml .Values.securityContext | nindent 12 }}
+ {{- end }}
+ {{- if .Values.resources }}
+ resources: {{- toYaml .Values.resources | nindent 12 }}
+ {{- end }}
+ volumeMounts:
+ - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+ name: operator-serviceaccount-token
+ readOnly: true
+ {{- if .Values.teleportClusterName }}
+ - mountPath: /var/run/secrets/teleport/serviceaccount
+ name: bot-serviceaccount-token
+ readOnly: true
+ {{- end }}
+ {{- if .Values.tls.existingCASecretName }}
+ - mountPath: /etc/teleport-tls-ca
+ name: "teleport-tls-ca"
+ readOnly: true
+ {{- end }}
+ automountServiceAccountToken: false
+ volumes:
+ # This projected token volume mimics the `automountServiceAccountToken`
+ # behaviour but defaults to a 1h TTL instead of 1y.
+ - name: operator-serviceaccount-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ path: token
+ - configMap:
+ items:
+ - key: ca.crt
+ path: ca.crt
+ name: kube-root-ca.crt
+ - downwardAPI:
+ items:
+ - path: "namespace"
+ fieldRef:
+ fieldPath: metadata.namespace
+ {{- if .Values.teleportClusterName }}
+ - name: bot-serviceaccount-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ path: token
+ audience: "{{ .Values.teleportClusterName }}"
+ expirationSeconds: 600
+ - configMap:
+ items:
+ - key: ca.crt
+ path: ca.crt
+ name: kube-root-ca.crt
+ - downwardAPI:
+ items:
+ - path: "namespace"
+ fieldRef:
+ fieldPath: metadata.namespace
+ {{- end }}
+ {{- if .Values.tls.existingCASecretName }}
+ - name: teleport-tls-ca
+ secret:
+ secretName: {{ .Values.tls.existingCASecretName }}
+ {{- end }}
+ {{- if .Values.priorityClassName }}
+ priorityClassName: {{ .Values.priorityClassName }}
+ {{- end }}
+ {{- if .Values.podSecurityContext }}
+ securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "teleport-cluster.operator.serviceAccountName" . }}
+{{- end }}
diff --git a/teleport-cluster-17.4.9/charts/teleport-operator/templates/role.yaml b/teleport-cluster-17.4.9/charts/teleport-operator/templates/role.yaml
new file mode 100644
index 0000000..e6f073c
--- /dev/null
+++ b/teleport-cluster-17.4.9/charts/teleport-operator/templates/role.yaml
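Review bot: `.Values.token` is rendered verbatim into `command` (`- -token` / `- '{{ .Values.token }}'`), so it ends up in the Deployment and Pod objects (readable by anyone with `get pods`/`get deployments` in the namespace), in the Helm release secret, and in the node's process list; for join methods where the token is a long-lived bearer credential rather than a token name, that is a much wider exposure than the Secret-based lookup the role grants elsewhere. If the operator binary can read the token from the environment or a file (not verifiable from this page), prefer wiring it through `valueFrom.secretKeyRef` or a mounted Secret; at minimum the values documentation should say that `token` is stored in plain text in the rendered manifests. The projected-token comment says "1h TTL instead of 1y", but the first `serviceAccountToken` source sets no `expirationSeconds`, so the actual lifetime is whatever the kubelet defaults to; either set it explicitly or soften the comment to `# … defaults to the kubelet's projected-token TTL instead of a non-expiring token.`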
@@ -0,0 +1,77 @@
+{{- if .Values.enabled }}
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "teleport-cluster.operator.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+rules:
+ # Rights to manage the Teleport CRs
+ - apiGroups:
+ - "resources.teleport.dev"
+ resources:
+ - teleportroles
+ - teleportroles/status
+ - teleportrolesv6
+ - teleportrolesv6/status
+ - teleportrolesv7
+ - teleportrolesv7/status
+ - teleportusers
+ - teleportusers/status
+ - teleportgithubconnectors
+ - teleportgithubconnectors/status
+ - teleportoidcconnectors
+ - teleportoidcconnectors/status
+ - teleportsamlconnectors
+ - teleportsamlconnectors/status
+ - teleportloginrules
+ - teleportloginrules/status
+ - teleportprovisiontokens
+ - teleportprovisiontokens/status
+ - teleportoktaimportrules
+ - teleportoktaimportrules/status
+ - teleportaccesslists
+ - teleportaccesslists/status
+ - teleportopensshserversv2
+ - teleportopensshserversv2/status
+ - teleportopenssheiceserversv2
+ - teleportopenssheiceserversv2/status
+ - teleporttrustedclustersv2
+ - teleporttrustedclustersv2/status
+ - teleportbotsv1
+ - teleportbotsv1/status
+ - teleportworkloadidentitiesv1
+ - teleportworkloadidentitiesv1/status
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ # Used to perform leader election when running with multiple replicas
+ - apiGroups:
+ - "coordination.k8s.io"
+ resources:
+ - leases
+ verbs:
+ - create
+ - get
+ - update
+ # Ability to emit reconciliation events
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ # Ability to lookup sensitive values from secrets rather than CRs
+ - apiGroups:
+ - ""
+ resources:
+ - "secrets"
+ verbs:
+ - "get"
+ - "list"
+ - "watch"
+{{- end -}}
+{{- end -}}
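Review bot: The last rule grants `get`/`list`/`watch` on every Secret in the release namespace, and because `list`/`watch` cannot be narrowed with `resourceNames`, the operator's service account can read any Secret that shares the namespace — including, when the operator is co-installed with `teleport-cluster`, the auth service's own secrets. The comment should make that blast radius explicit so operators can choose a dedicated namespace: `# NOTE: list/watch cannot be restricted by resourceNames, so this is read access to every Secret in the namespace; run the operator in its own namespace when that matters.` It is also worth stating in the comment which CR fields trigger Secret lookups, since nothing in this chart shows that.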
diff --git a/teleport-cluster-17.4.9/charts/teleport-operator/templates/rolebinding.yaml b/teleport-cluster-17.4.9/charts/teleport-operator/templates/rolebinding.yaml
new file mode 100644
index 0000000..a3425b5
--- /dev/null
+++ b/teleport-cluster-17.4.9/charts/teleport-operator/templates/rolebinding.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.enabled }}
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "teleport-cluster.operator.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels: {{- include "teleport-cluster.operator.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "teleport-cluster.operator.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "teleport-cluster.operator.serviceAccountName" . }}
+{{- end }}
+{{- end }}
diff --git a/teleport-cluster-17.4.9/charts/teleport-operator/templates/serviceaccount.yaml b/teleport-cluster-17.4.9/charts/teleport-operator/templates/serviceaccount.yaml
new file mode 100644
index 0000000..13b3b0f
--- /dev/null
+++ b/teleport-cluster-17.4.9/charts/teleport-operator/templates/serviceaccount.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.enabled }}
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "teleport-cluster.operator.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+ {{- if .Values.annotations.serviceAccount }}
+ annotations: {{- toYaml .Values.annotations.serviceAccount | nindent 4 }}
+ {{- end }}
+{{- end }}
+{{- end }}
diff --git a/teleport-cluster-17.4.9/charts/teleport-operator/tests/crds_test.yaml b/teleport-cluster-17.4.9/charts/teleport-operator/tests/crds_test.yaml
new file mode 100644
index 0000000..13097bd
--- /dev/null
+++ b/teleport-cluster-17.4.9/charts/teleport-operator/tests/crds_test.yaml
@@ -0,0 +1,44 @@
+suite: Operator CRDs
+templates:
+ - crds.yaml
+tests:
+ - it: creates no CRDs when installCRDs is "never"
+ set:
+ installCRDs: "never"
+ enabled: true
+ asserts:
+ - hasDocuments:
+ count: 0
+ - it: creates CRDs when installCRDs is "always"
+ set:
+ installCRDs: "always"
+ enabled: false
+ asserts:
+ - containsDocument:
+ apiVersion: apiextensions.k8s.io/v1
+ kind: CustomResourceDefinition
+ name: teleportrolesv7.resources.teleport.dev
+ - it: labels CRDs
+ set:
+ installCRDs: "always"
+ enabled: false
+ asserts:
+ - equal:
+ path: metadata.labels.[teleport.dev/release]
+ value: NAMESPACE_RELEASE-NAME
+ - it: creates CRDs when installCRDs is "dynamic" and operator enabled
+ set:
+ installCRDs: "dynamic"
+ enabled: true
+ asserts:
+ - containsDocument:
+ apiVersion: apiextensions.k8s.io/v1
+ kind: CustomResourceDefinition
+ name: teleportrolesv7.resources.teleport.dev
+ - it: creates no CRDs when installCRDs is "dynamic" and operator disabled (and no existing CRD)
+ set:
+ installCRDs: "dynamic"
+ enabled: false
+ asserts:
+ - hasDocuments:
+ count: 0
diff --git a/teleport-cluster-17.4.9/charts/teleport-operator/tests/deployment_test.yaml b/teleport-cluster-17.4.9/charts/teleport-operator/tests/deployment_test.yaml
new file mode 100644
index 0000000..ca261d8
--- /dev/null
+++ b/teleport-cluster-17.4.9/charts/teleport-operator/tests/deployment_test.yaml
@@ -0,0 +1,218 @@ +suite: Operator Deployment +templates: + - deployment.yaml +tests: + - it: creates no deployment when operator is not enabled + values: + - ../.lint/disabled.yaml + asserts: + - hasDocuments: + count: 0 + + - it: creates a deployment when operator is enabled + values: + - ../.lint/cloud-join.yaml + asserts: + - containsDocument: + kind: Deployment + apiVersion: apps/v1 + name: RELEASE-NAME-teleport-operator + + - it: shortens fullname if .Release.Name == .Chart.Name + release: + name: teleport-operator + values: + - ../.lint/cloud-join.yaml + asserts: + - containsDocument: + kind: Deployment + apiVersion: apps/v1 + name: teleport-operator + + - it: respects the nameOverride + set: + nameOverride: operator + values: + - ../.lint/cloud-join.yaml + asserts: + - containsDocument: + kind: Deployment + apiVersion: apps/v1 + name: RELEASE-NAME-operator + + - it: sets annotations when specified + values: + - ../.lint/annotations.yaml + asserts: + # Pod annotations + - equal: + path: spec.template.metadata.annotations.kubernetes\.io/pod + value: test-annotation + - equal: + path: spec.template.metadata.annotations.kubernetes\.io/pod-different + value: 4 + # Deployment annotations + - equal: + path: metadata.annotations.kubernetes\.io/deployment + value: test-annotation + - equal: + path: metadata.annotations.kubernetes\.io/deployment-different + value: 3 + + - it: sets labels when specified + values: + - ../.lint/labels.yaml + asserts: + # Pod labels + - equal: + path: spec.template.metadata.labels.kubernetes\.io/pod + value: test-label + - equal: + path: spec.template.metadata.labels.kubernetes\.io/pod-different + value: 4 + # Deployment labels + - equal: + path: metadata.labels.kubernetes\.io/deployment + value: test-label + - equal: + path: metadata.labels.kubernetes\.io/deployment-different + value: 3 + + - it: should mount tls.existingCASecretName and set environment when set in values + values: + - ../.lint/existing-tls-ca.yaml + asserts: + - 
contains: + path: spec.template.spec.volumes + content: + name: teleport-tls-ca + secret: + secretName: helm-lint-existing-tls-secret-ca + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /etc/teleport-tls-ca + name: teleport-tls-ca + readOnly: true + - contains: + path: spec.template.spec.containers[0].env + content: + name: SSL_CERT_FILE + value: /etc/teleport-tls-ca/ca.pem + + - it: mounts tokens through projected volumes + values: + - ../.lint/cloud-join.yaml + asserts: + - equal: + path: spec.template.spec.automountServiceAccountToken + value: false + - contains: + path: spec.template.spec.volumes + content: + name: operator-serviceaccount-token + projected: + sources: + - serviceAccountToken: + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - path: "namespace" + fieldRef: + fieldPath: metadata.namespace + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: operator-serviceaccount-token + readOnly: true + + - it: should set imagePullPolicy when set in values + values: + - ../.lint/cloud-join.yaml + set: + imagePullPolicy: Always + asserts: + - equal: + path: spec.template.spec.containers[0].imagePullPolicy + value: Always + + - it: should set resources when set in values + values: + - ../.lint/resources.yaml + asserts: + - equal: + path: spec.template.spec.containers[0].resources.limits.cpu + value: 2 + - equal: + path: spec.template.spec.containers[0].resources.limits.memory + value: 4Gi + - equal: + path: spec.template.spec.containers[0].resources.requests.cpu + value: 1 + - equal: + path: spec.template.spec.containers[0].resources.requests.memory + value: 2Gi + + - it: should set security contexts by default + values: + - ../.lint/cloud-join.yaml + asserts: + - equal: + path: spec.template.spec.containers[0].securityContext + value: + 
allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + - equal: + path: spec.template.spec.securityContext + value: + seccompProfile: + type: RuntimeDefault + runAsUser: 65532 + runAsGroup: 65532 + fsGroup: 65532 + runAsNonRoot: true + + - it: configures a dedicated token when kube JWKS joining + values: + - ../.lint/cloud-join.yaml + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: bot-serviceaccount-token + projected: + sources: + - serviceAccountToken: + audience: example.teleport.sh + expirationSeconds: 600 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.namespace + path: namespace + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /var/run/secrets/teleport/serviceaccount + name: bot-serviceaccount-token + readOnly: true + - contains: + path: spec.template.spec.containers[0].env + content: + name: KUBERNETES_TOKEN_PATH + value: /var/run/secrets/teleport/serviceaccount/token diff --git a/teleport-cluster-17.4.9/charts/teleport-operator/tests/role_test.yaml b/teleport-cluster-17.4.9/charts/teleport-operator/tests/role_test.yaml new file mode 100644 index 0000000..4ae5d4b --- /dev/null +++ b/teleport-cluster-17.4.9/charts/teleport-operator/tests/role_test.yaml 
@@ -0,0 +1,52 @@
+suite: Operator Role
+templates:
+ - role.yaml
+tests:
+ - it: creates no role when operator is not enabled
+ values:
+ - ../.lint/disabled.yaml
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: creates no role when rbac.create is false
+ set:
+ rbac:
+ create: false
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: creates a role by default
+ asserts:
+ - containsDocument:
+ kind: Role
+ apiVersion: rbac.authorization.k8s.io/v1
+ name: RELEASE-NAME-teleport-operator
+
+ - it: shortens fullname if .Release.Name == .Chart.Name
+ release:
+ name: teleport-operator
+ asserts:
+ - containsDocument:
+ kind: Role
+ apiVersion: rbac.authorization.k8s.io/v1
+ name: teleport-operator
+
+ - it: respects the nameOverride
+ set:
+ nameOverride: operator
+ asserts:
+ - containsDocument:
+ kind: Role
+ apiVersion: rbac.authorization.k8s.io/v1
+ name: RELEASE-NAME-operator
+
+ - it: grants access to secret in the namespace
+ asserts:
+ - contains:
+ path: rules
+ content:
+ apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch"]
\ No newline at end of file
diff --git a/teleport-cluster-17.4.9/charts/teleport-operator/tests/rolebinding_test.yaml b/teleport-cluster-17.4.9/charts/teleport-operator/tests/rolebinding_test.yaml
new file mode 100644
index 0000000..6794d90
--- /dev/null
+++ b/teleport-cluster-17.4.9/charts/teleport-operator/tests/rolebinding_test.yaml
@@ -0,0 +1,43 @@ +suite: Operator RoleBinding +templates: + - rolebinding.yaml +tests: + - it: creates no RoleBinding when operator is not enabled + values: + - ../.lint/disabled.yaml + asserts: + - hasDocuments: + count: 0 + + - it: creates no RoleBinding when rbac.create is false + set: + rbac: + create: false + asserts: + - hasDocuments: + count: 0 + + - it: creates a RoleBinding by default + asserts: + - containsDocument: + kind: RoleBinding + apiVersion: rbac.authorization.k8s.io/v1 + name: RELEASE-NAME-teleport-operator + + - it: shortens fullname if .Release.Name == .Chart.Name + release: + name: teleport-operator + asserts: + - containsDocument: + kind: RoleBinding + apiVersion: rbac.authorization.k8s.io/v1 + name: teleport-operator + + - it: respects the nameOverride + set: + nameOverride: operator + asserts: + - containsDocument: + kind: RoleBinding + apiVersion: rbac.authorization.k8s.io/v1 + name: RELEASE-NAME-operator diff --git a/teleport-cluster-17.4.9/charts/teleport-operator/tests/serviceaccount_test.yaml b/teleport-cluster-17.4.9/charts/teleport-operator/tests/serviceaccount_test.yaml new file mode 100644 index 0000000..38c7cae --- /dev/null +++ b/teleport-cluster-17.4.9/charts/teleport-operator/tests/serviceaccount_test.yaml 
@@ -0,0 +1,63 @@ +suite: Operator ServiceAccount +templates: + - serviceaccount.yaml +tests: + - it: creates no ServiceAccount when operator is not enabled + values: + - ../.lint/disabled.yaml + asserts: + - hasDocuments: + count: 0 + - it: creates no ServiceAccount when rbac.create is false + set: + serviceAccount: + create: false + asserts: + - hasDocuments: + count: 0 + + - it: creates a ServiceAccount by default + asserts: + - containsDocument: + kind: ServiceAccount + apiVersion: v1 + name: RELEASE-NAME-teleport-operator + + - it: shortens fullname if .Release.Name == .Chart.Name + release: + name: teleport-operator + asserts: + - containsDocument: + kind: ServiceAccount + apiVersion: v1 + name: teleport-operator + + - it: respects the nameOverride + set: + nameOverride: operator + asserts: + - containsDocument: + kind: ServiceAccount + apiVersion: v1 + name: RELEASE-NAME-operator + + - it: does not shorten fullname if .Release.Name == .Chart.Name but there's a nameOverride + release: + name: teleport-operator + set: + nameOverride: teleport-operator + asserts: + - containsDocument: + kind: ServiceAccount + apiVersion: v1 + name: teleport-operator-teleport-operator + + - it: names the ServiceAccount according to serviceAccount.name + set: + serviceAccount: + name: foobar + asserts: + - containsDocument: + kind: ServiceAccount + apiVersion: v1 + name: foobar diff --git a/teleport-cluster-17.4.9/charts/teleport-operator/values.yaml b/teleport-cluster-17.4.9/charts/teleport-operator/values.yaml new file mode 100644 index 0000000..f96b8ec --- /dev/null +++ b/teleport-cluster-17.4.9/charts/teleport-operator/values.yaml 
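Review bot: The second test case's title, `creates no ServiceAccount when rbac.create is false`, does not match what it exercises: the case sets `serviceAccount.create: false`, not `rbac.create`, so a failure report would point at the wrong value. Renaming it to `- it: creates no ServiceAccount when serviceAccount.create is false` keeps the title honest; the assertion itself is correct. This directory looks like a vendored copy of the upstream teleport-cluster chart, so the fix presumably belongs upstream rather than being patched here.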
@@ -0,0 +1,222 @@ +# enabled(bool) -- controls if the operator should be enabled and deployed. +# +# - When `true`, the chart creates both the `CustomResourceDefinition` and operator `Deployment` Kubernetes resources. +# - When `false`, the chart creates the `CustomResourceDefinition` resources without the operator `Deployment`. +enabled: true + +# installCRDs(string) -- controls if the chart should install the CRDs. +# There are 3 possible values: dynamic, always, never. +# +# - "dynamic" means the CRDs are installed if the operator is enabled or if +# the CRDs are already present in the cluster. The presence check is here to +# avoid all CRDs to be removed if you temporarily disable the operator. +# Removing CRDs triggers a cascading deletion, which removes CRs, and all the +# related resources in Teleport. +# - "always" means the CRDs are always installed +# - "never" means the CRDs are never installed +installCRDs: "dynamic" + +# teleportAddress(string) -- is the address of the Teleport cluster whose resources +# are managed by the operator. The address must contain both the domain name and +# the port of the Teleport cluster. It can be either the address of the Auth Service +# or the Proxy Service. +# +# For example: +# - joining a Proxy: `teleport.example.com:443` or `teleport.example.com:3080` +# - joining an Auth: `teleport-auth.example.com:3025` +# - joining a Cloud-hosted Teleport: `example.teleport.sh:443` +teleportAddress: "" + +# caPins(list[string]) -- is a list of Teleport CA fingerprints that is used by the operator to +# validate the identity of the Teleport Auth Service. This is only used when joining +# an Auth Service directly (on port `3025`) and is ignored when joining through a Proxy +# (port `443` or `3080`). +caPins: [] + +# joinMethod(string) -- describes how the Teleport Kubernetes Operator joins the Teleport cluster. 
+# The operator does not store its Teleport-issued identity, it must be able to join the +# cluster again on each pod restart. To achieve this, it needs to use a delegated join +# method. `kubernetes` is the most common one. +joinMethod: "kubernetes" + +# teleportClusterName(string) -- is the name of the joined Teleport cluster. +# Setting this value is required when joining via the +# [Kubernetes JWKS](../../reference/join-methods.mdx#kubernetes-jwks) join method. +teleportClusterName: "" + +# token(string) -- is the name of the token used by the operator to join the Teleport cluster. +token: "" + +# teleportVersionOverride(string) -- controls the Teleport Kubernetes Operator +# image version deployed by the chart. +# +# Normally, the version of the Teleport Kubernetes Operator matches the +# version of the chart. If you install chart version 15.0.0, you'll use +# Teleport Kubernetes Operator version 15.0.0. Upgrading the operator is +# done by upgrading the chart. +# +# +# `teleportVersionOverride` is intended for development and MUST NOT be +# used to control the Teleport version in a typical deployment. This +# chart is designed to run a specific Teleport version. You will face +# compatibility issues trying to run a different Teleport version with it. +# +# If you want to run Teleport version `X.Y.Z`, you should use +# `helm install --version X.Y.Z` instead. +# +# +teleportVersionOverride: "" + +nameOverride: "" +fullNameOverride: "" + +# image(string) -- sets the container image used for Teleport Kubernetes Operator +# pods run by the chart. +# +# You can override this to use your own Teleport Kubernetes Operator +# image rather than a Teleport-published image. +image: public.ecr.aws/gravitational/teleport-operator + +# annotations -- +annotations: + # annotations.deployment(object) -- contains the Kubernetes annotations + # put on the `Deployment` resource created by the chart. 
+ deployment: {} + # annotations.pod(object) -- contains the Kubernetes annotations + # put on the `Pod` resources created by the chart. + pod: {} + # annotations.serviceAccount(object) -- contains the Kubernetes annotations + # put on the `Deployment` resource created by the chart. + serviceAccount: {} + +# annotations -- +labels: + # labels.deployment(object) -- contains the Kubernetes labels + # put on the `Deployment` resource created by the chart. + deployment: {} + # labels.pod(object) -- contains the Kubernetes labels + # put on the `Pod` resources created by the chart. + pod: {} + +# serviceAccount -- +serviceAccount: + # serviceAccount.create(bool) -- controls if the chart should create the Kubernetes + # `ServiceAccount` resource for the operator. + # + # - When `true`, the chart creates a `ServiceAccount` resource for the operator. + # - When `false`, the chart does not create the `ServiceAccount` resource. + # The user is responsible for deploying and maintaining it separately. + # + # This value can be set to `false` when deploying in constrained environments + # where the user deploying the operator is not allowed to edit `ServiceAccount` + # resources. + create: true + # serviceAccount.name(string) -- controls the name of the operator Kubernetes `ServiceAccount`. + # The operator pods use by default a `ServiceAccount` named after the Helm chart release. + # This value overrides this behaviour, this is useful when `serviceAccount.create` + # is false and the operator must use an existing `ServiceAccount`. + name: "" + +# rbac -- +rbac: + # rbac.create(bool) -- controls if the chart should create RBAC Kubernetes resources. + # + # - When `true`, the chart creates both `Role` and `RoleBinding` resources for the operator. + # - When `false`, the chart does not create the `Role` and `RoleBinding` resources. + # The user is responsible for deploying and maintaining them separately. 
+ # + # This value can be set to `false` when deploying in constrained environments + # where the user deploying the operator is not allowed to edit RBAC resources. + create: true + +# imagePullPolicy(string) -- sets the pull policy for any pods created by the chart. +# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/containers/images/#updating-images) +# for more details. +imagePullPolicy: IfNotPresent + +# resources(object) -- sets the resource requests/limits for any pods created by the chart. +# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) +# for more details. +resources: {} + +# priorityClassName(string) -- sets the priority class used by any pods created by the chart. +# The user is responsible for creating the `PriorityClass` resource before deploying the chart. +# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) +# for more details. +priorityClassName: "" + +# tolerations(list) -- sets the tolerations for any pods created by the chart. +# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) +# for more details. +tolerations: [] + +# nodeSelector(object) -- sets the node selector for any pods created by the chart. +# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) +# for more details. +nodeSelector: {} + +# affinity(object) -- sets the affinities for any pods created by the chart. +# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) +# for more details. +affinity: {} + +# imagePullSecrets(list) -- sets the image pull secrets for any pods created by the chart. 
+# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/containers/images/#referring-to-an-imagepullsecrets-on-a-pod) +# for more details. +imagePullSecrets: [] + +# highAvailability -- +highAvailability: + # highAvailability.replicaCount(int) -- controls the amount of operator pod replicas deployed + # by the chart. + # + # When multiple pods are running, all pods join the Teleport cluster on + # startup but a single pod actively reconciles resources. + # + # The operator replicas elect a replica leader using + # [Kubernetes leases](https://kubernetes.io/docs/concepts/architecture/leases/). + # If the leader fails, its lease will expire and another replica will start + # reconciling resources. + replicaCount: 1 + +# tls -- +tls: + # tls.existingCASecretName(string) -- makes the operator pods trust an additional CA certificate. + # This is used to trust Proxy certificates if they're signed by a private CA. The operator + # trusts by default CAs part of Mozilla's Web PKI (the `ca-certificates` package). + # + # To use this value, you must create a Kubernetes `Secret` containing the CA + # certs in the same namespace as the Teleport Kubernetes Operator using a + # command such as: + # + # ```code + # $ kubectl create secret generic my-root-ca --from-file=ca.pem=/path/to/root-ca.pem + # ``` + existingCASecretName: "" + +# podSecurityContext(object) -- sets the pod security context for any pods created by the chart. +# See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) +# for more details. +# +# The default value supports running under the `restricted` +# [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/). 
+podSecurityContext: + seccompProfile: + type: RuntimeDefault + runAsUser: 65532 + runAsGroup: 65532 + fsGroup: 65532 + runAsNonRoot: true + +# securityContext(object) -- sets the container security context for any pods created by the chart. +# See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) +# for more details. +# +# The default value supports running under the `restricted` +# [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/). +securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true diff --git a/teleport-cluster-17.4.9/templates/NOTES.txt b/teleport-cluster-17.4.9/templates/NOTES.txt new file mode 100644 index 0000000..f85e1fa --- /dev/null +++ b/teleport-cluster-17.4.9/templates/NOTES.txt 
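Review bot: Two comments in the operator values file are copy-paste leftovers: `annotations.serviceAccount` is described as `put on the `Deployment` resource created by the chart` although it applies to the `ServiceAccount`, and the header above the `labels:` map reads `# annotations --` instead of `# labels --`. The `key(type) --` comment format looks like the input of generated chart documentation, so the wrong text would propagate into the rendered README. Suggested lines: `# annotations.serviceAccount(object) -- contains the Kubernetes annotations put on the `ServiceAccount` resource created by the chart.` and `# labels --`. Separately, `resources: {}` leaves the operator pod without requests or limits unless the consuming values file sets them; given this commit's stated aim of trimming resource usage, that is presumably intended to be overridden in the repo's own values rather than in this vendored file.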
@@ -0,0 +1,35 @@ +{{- if .Values.highAvailability.certManager.enabled }} +You have enabled cert-manager support in high availability mode. + +There may be a short delay before Teleport pods start while an ACME certificate is issued. +You can check the status of the certificate with `kubectl -n {{ .Release.Namespace }} describe certificate/{{ .Release.Name }}` + +NOTE: For certificates to be provisioned, you must also install cert-manager (https://cert-manager.io/docs/) and configure an appropriate + Issuer with access to your DNS provider to handle DNS01 challenges (https://cert-manager.io/docs/configuration/acme/dns01/#supported-dns01-providers) + +For more information, please see the Helm guides in the Teleport docs (https://goteleport.com/docs/kubernetes-access/helm/guides/) +{{- end }} + +{{- if and .Values.podSecurityPolicy.enabled (semverCompare "<1.23.0-0" .Capabilities.KubeVersion.Version) }} + +SECURITY WARNING: Kubernetes 1.25 removes PodSecurityPolicy support and Helm +doesn't support upgrading from 1.24 to 1.25 with PSPs enabled. Since version 12 +the `teleport-cluster` chart doesn't deploy PSPs on Kubernetes 1.23 or older. +Instead, we recommend you to configure Pod Security AdmissionControllers for +the namespace "{{.Release.Namespace}}" by adding the label +`pod-security.kubernetes.io/enforce: baseline` on the namespace resource. + +See https://goteleport.com/docs/deploy-a-cluster/helm-deployments/migration-kubernetes-1-25-psp/ + +To remove this warning, explicitly set "podSecurityPolicy.enabled=false". +{{- end }} + +{{- if .Values.teleportVersionOverride }} + +DANGER: `teleportVersionOverride` MUST NOT be used to control the Teleport version. +This chart is designed to run Teleport version {{ .Chart.AppVersion }}. +You will face compatibility issues trying to run a different Teleport version with it. 
+ +If you want to run Teleport version {{.Values.teleportVersionOverride}}, +you should use `helm --version {{.Values.teleportVersionOverride}}` instead. +{{- end }} diff --git a/teleport-cluster-17.4.9/templates/_helpers.tpl b/teleport-cluster-17.4.9/templates/_helpers.tpl new file mode 100644 index 0000000..7e2f4de --- /dev/null +++ b/teleport-cluster-17.4.9/templates/_helpers.tpl 
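Review bot: The closing DANGER paragraph tells the user to run `helm --version {{.Values.teleportVersionOverride}}`, but `helm --version` only prints the Helm client version; the operator values file added in the same commit gives the correct form, `helm install --version X.Y.Z`. Changing the line to `you should use `helm install --version {{.Values.teleportVersionOverride}}` instead.` makes the two consistent. If this chart directory is a vendored copy of the upstream chart, the correction belongs upstream.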
@@ -0,0 +1,158 @@ +{{/* +Create the name of the service account to use +if serviceAccount is not defined or serviceAccount.name is empty, use .Release.Name +*/}} +{{- define "teleport-cluster.auth.serviceAccountName" -}} +{{- coalesce .Values.serviceAccount.name .Release.Name -}} +{{- end -}} + +{{/* +Create the name of the service account to use in the auth config check hook. + +If the chart is creating service accounts, we know we can create new arbitrary service accounts. +We cannot reuse the same name as the deployment SA because the non-hook service account might +not exist yet. We tried being smart with hooks but ArgoCD doesn't differentiate between install +and upgrade, causing various issues on update and eventually forcing us to use a separate SA. + +If the chart is not creating service accounts, for backward compatibility we don't want +to force new service account names to existing chart users. We know the SA should already exist, +so we can use the same SA for deployments and hooks. +*/}} +{{- define "teleport-cluster.auth.hookServiceAccountName" -}} +{{- include "teleport-cluster.auth.serviceAccountName" . -}} +{{- if .Values.serviceAccount.create -}} +-hook +{{- end -}} +{{- end -}} + +{{- define "teleport-cluster.proxy.serviceAccountName" -}} +{{- coalesce .Values.serviceAccount.name .Release.Name -}}-proxy +{{- end -}} + +{{/* +Create the name of the service account to use in the proxy config check hook. + +If the chart is creating service accounts, we know we can create new arbitrary service accounts. +We cannot reuse the same name as the deployment SA because the non-hook service account might +not exist yet. We tried being smart with hooks but ArgoCD doesn't differentiate between install +and upgrade, causing various issues on update and eventually forcing us to use a separate SA. + +If the chart is not creating service accounts, for backward compatibility we don't want +to force new service account names to existing chart users. 
We know the SA should already exist, +so we can use the same SA for deployments and hooks. +*/}} +{{- define "teleport-cluster.proxy.hookServiceAccountName" -}} +{{- include "teleport-cluster.proxy.serviceAccountName" . -}} +{{- if .Values.serviceAccount.create -}} +-hook +{{- end -}} +{{- end -}} + +{{- define "teleport-cluster.version" -}} +{{- coalesce .Values.teleportVersionOverride .Chart.Version }} +{{- end -}} + +{{- define "teleport-cluster.majorVersion" -}} +{{- (semver (include "teleport-cluster.version" .)).Major -}} +{{- end -}} + +{{- define "teleport-cluster.previousMajorVersion" -}} +{{- sub (include "teleport-cluster.majorVersion" . | atoi ) 1 -}} +{{- end -}} + +{{/* Proxy selector labels */}} +{{- define "teleport-cluster.proxy.selectorLabels" -}} +app.kubernetes.io/name: '{{ default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}' +app.kubernetes.io/instance: '{{ .Release.Name }}' +app.kubernetes.io/component: 'proxy' +{{- end -}} + +{{/* Proxy all labels */}} +{{- define "teleport-cluster.proxy.labels" -}} +{{ include "teleport-cluster.proxy.selectorLabels" . }} +helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' +app.kubernetes.io/managed-by: '{{ .Release.Service }}' +app.kubernetes.io/version: '{{ include "teleport-cluster.version" . }}' +teleport.dev/majorVersion: '{{ include "teleport-cluster.majorVersion" . }}' +{{- end -}} + +{{/* Auth pods selector labels */}} +{{- define "teleport-cluster.auth.selectorLabels" -}} +app.kubernetes.io/name: '{{ default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}' +app.kubernetes.io/instance: '{{ .Release.Name }}' +app.kubernetes.io/component: 'auth' +{{- end -}} + +{{/* All pods all labels */}} +{{- define "teleport-cluster.labels" -}} +{{ include "teleport-cluster.selectorLabels" . 
}} +helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' +app.kubernetes.io/managed-by: '{{ .Release.Service }}' +app.kubernetes.io/version: '{{ include "teleport-cluster.version" . }}' +teleport.dev/majorVersion: '{{ include "teleport-cluster.majorVersion" . }}' +{{- end -}} + +{{/* All pods selector labels */}} +{{- define "teleport-cluster.selectorLabels" -}} +app.kubernetes.io/name: '{{ default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}' +app.kubernetes.io/instance: '{{ .Release.Name }}' +{{- end -}} + +{{/* Auth pods all labels */}} +{{- define "teleport-cluster.auth.labels" -}} +{{ include "teleport-cluster.auth.selectorLabels" . }} +helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' +app.kubernetes.io/managed-by: '{{ .Release.Service }}' +app.kubernetes.io/version: '{{ include "teleport-cluster.version" . }}' +teleport.dev/majorVersion: '{{ include "teleport-cluster.majorVersion" . }}' +{{- end -}} + +{{/* ServiceNames are limited to 63 characters, we might have to truncate the ReleaseName + to make sure the auth serviceName won't exceed this limit */}} +{{- define "teleport-cluster.auth.serviceName" -}} +{{- .Release.Name | trunc 58 | trimSuffix "-" -}}-auth +{{- end -}} + +{{- define "teleport-cluster.auth.currentVersionServiceName" -}} +{{- .Release.Name | trunc 54 | trimSuffix "-" -}}-auth-v{{ include "teleport-cluster.majorVersion" . }} +{{- end -}} + +{{- define "teleport-cluster.auth.previousVersionServiceName" -}} +{{- .Release.Name | trunc 54 | trimSuffix "-" -}}-auth-v{{ include "teleport-cluster.previousMajorVersion" . }} +{{- end -}} + + +{{/* In most places we want to use the FQDN instead of relying on Kubernetes ndots behaviour + for performance reasons */}} +{{- define "teleport-cluster.auth.serviceFQDN" -}} +{{ include "teleport-cluster.auth.serviceName" . }}.{{ .Release.Namespace }}.svc.{{ include "teleport-cluster.clusterDomain" . 
}} +{{- end -}} + +{{/* Returns the cluster domain if set, otherwise fallback to "cluster.local" */}} +{{- define "teleport-cluster.clusterDomain" -}} +{{ default "cluster.local" .Values.global.clusterDomain }} +{{- end -}} + +{{/* Matches the operator template "teleport-cluster.operator.fullname" but can be + evaluated in a "teleport-cluster" context. */}} +{{- define "teleport-cluster.auth.operatorFullName" -}} +{{- if .Values.operator.fullnameOverride }} + {{- .Values.operator.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} + {{- if .Values.operator.nameOverride }} + {{- printf "%s-%s" .Release.Name .Values.operator.nameOverride | trunc 63 | trimSuffix "-" }} + {{- else }} + {{- if contains "teleport-operator" .Release.Name }} + {{- .Release.Name | trunc 63 | trimSuffix "-" }} + {{- else }} + {{- printf "%s-%s" .Release.Name "teleport-operator" | trunc 63 | trimSuffix "-" }} + {{- end }} + {{- end }} +{{- end -}} +{{- end -}} + +{{/* Matches the operator template "teleport-cluster.operator.serviceAccountName" + but can be evaluated in a "teleport-cluster" context. */}} +{{- define "teleport-cluster.auth.operatorServiceAccountName" -}} +{{- coalesce .Values.operator.serviceAccount.name (include "teleport-cluster.auth.operatorFullName" .) -}} +{{- end -}} diff --git a/teleport-cluster-17.4.9/templates/auth/_config.aws.tpl b/teleport-cluster-17.4.9/templates/auth/_config.aws.tpl new file mode 100644 index 0000000..3d04106 --- /dev/null +++ b/teleport-cluster-17.4.9/templates/auth/_config.aws.tpl 
@@ -0,0 +1,60 @@ +{{- define "teleport-cluster.auth.config.aws" -}} +{{ mustMergeOverwrite (include "teleport-cluster.auth.config.common" . | fromYaml) (include "teleport-cluster.auth.config.aws.overrides" . | fromYaml) | toYaml }} +{{- end -}} + +{{- define "teleport-cluster.auth.config.aws.overrides" -}} +teleport: + storage: + type: dynamodb + region: {{ required "aws.region is required in chart values" .Values.aws.region }} + table_name: {{ required "aws.backendTable is required in chart values" .Values.aws.backendTable }} + audit_events_uri: {{- include "teleport-cluster.auth.config.aws.audit" . | nindent 4 }} + audit_sessions_uri: s3://{{ required "aws.sessionRecordingBucket is required in chart values" .Values.aws.sessionRecordingBucket }} + continuous_backups: {{ required "aws.backups is required in chart values" .Values.aws.backups }} + {{- if .Values.aws.dynamoAutoScaling }} + auto_scaling: true + billing_mode: provisioned + read_min_capacity: {{ required "aws.readMinCapacity is required when aws.dynamoAutoScaling is true" .Values.aws.readMinCapacity }} + read_max_capacity: {{ required "aws.readMaxCapacity is required when aws.dynamoAutoScaling is true" .Values.aws.readMaxCapacity }} + read_target_value: {{ required "aws.readTargetValue is required when aws.dynamoAutoScaling is true" .Values.aws.readTargetValue }} + write_min_capacity: {{ required "aws.writeMinCapacity is required when aws.dynamoAutoScaling is true" .Values.aws.writeMinCapacity }} + write_max_capacity: {{ required "aws.writeMaxCapacity is required when aws.dynamoAutoScaling is true" .Values.aws.writeMaxCapacity }} + write_target_value: {{ required "aws.writeTargetValue is required when aws.dynamoAutoScaling is true" .Values.aws.writeTargetValue }} + {{- else }} + auto_scaling: false + {{- end }} + {{- if .Values.aws.accessMonitoring.enabled }} + {{- if not .Values.aws.athenaURL }} + {{- fail "AccessMonitoring requires an Athena Event backend" }} + {{- end }} +auth_service: + 
access_monitoring: + enabled: true + report_results: {{ .Values.aws.accessMonitoring.reportResults | quote }} + role_arn: {{ .Values.aws.accessMonitoring.roleARN | quote }} + workgroup: {{ .Values.aws.accessMonitoring.workgroup | quote }} + {{- end }} +{{- end -}} + +{{- define "teleport-cluster.auth.config.aws.audit" -}} + {{- if and .Values.aws.auditLogTable (not .Values.aws.athenaURL) -}} +- 'dynamodb://{{.Values.aws.auditLogTable}}' + {{- else if and (not .Values.aws.auditLogTable) .Values.aws.athenaURL -}} +- {{ .Values.aws.athenaURL | quote }} + {{- else if and .Values.aws.auditLogTable .Values.aws.athenaURL -}} + {{- if eq .Values.aws.auditLogPrimaryBackend "dynamo" -}} +- 'dynamodb://{{.Values.aws.auditLogTable}}' +- {{ .Values.aws.athenaURL | quote }} + {{- else if eq .Values.aws.auditLogPrimaryBackend "athena" -}} +- {{ .Values.aws.athenaURL | quote }} +- 'dynamodb://{{.Values.aws.auditLogTable}}' + {{- else -}} + {{- fail "Both Dynamo and Athena audit backends are enabled. You must specify the primary backend by setting `aws.auditLogPrimaryBackend` to either 'dynamo' or 'athena'." -}} + {{- end -}} + {{- else -}} + {{- fail "You need an audit backend. In AWS mode, you must set at least one of `aws.auditLogTable` (Dynamo) and `aws.athenaURL` (Athena)." -}} + {{- end -}} + {{- if .Values.aws.auditLogMirrorOnStdout }} +- 'stdout://' + {{- end -}} +{{- end -}} diff --git a/teleport-cluster-17.4.9/templates/auth/_config.azure.tpl b/teleport-cluster-17.4.9/templates/auth/_config.azure.tpl new file mode 100644 index 0000000..6bdabd0 --- /dev/null +++ b/teleport-cluster-17.4.9/templates/auth/_config.azure.tpl 
@@ -0,0 +1,38 @@ +{{/* Helper to build the database connection string, adds paraneters if needed */}} +{{- define "teleport-cluster.auth.config.azure.conn_string.query" }} + {{- if .Values.azure.databasePoolMaxConnections -}} + {{- printf "sslmode=verify-full&pool_max_conns=%v" .Values.azure.databasePoolMaxConnections -}} + {{- else -}} + sslmode=verify-full + {{- end -}} +{{- end -}} + +{{- define "teleport-cluster.auth.config.azure" -}} +{{ include "teleport-cluster.auth.config.common" . }} + storage: + type: postgresql + auth_mode: azure + conn_string: {{ urlJoin (dict + "scheme" "postgresql" + "userinfo" .Values.azure.databaseUser + "host" .Values.azure.databaseHost + "path" .Values.azure.backendDatabase + "query" (include "teleport-cluster.auth.config.azure.conn_string.query" .) + ) | toYaml }} + audit_sessions_uri: {{ urlJoin (dict + "scheme" "azblob" + "host" .Values.azure.sessionRecordingStorageAccount + ) | toYaml }} + audit_events_uri: + - {{ urlJoin (dict + "scheme" "postgresql" + "userinfo" .Values.azure.databaseUser + "host" .Values.azure.databaseHost + "path" .Values.azure.auditLogDatabase + "query" "sslmode=verify-full" + "fragment" "auth_mode=azure" + ) | toYaml }} +{{- if .Values.azure.auditLogMirrorOnStdout }} + - "stdout://" +{{- end }} +{{- end -}} diff --git a/teleport-cluster-17.4.9/templates/auth/_config.common.tpl b/teleport-cluster-17.4.9/templates/auth/_config.common.tpl new file mode 100644 index 0000000..4f93a00 --- /dev/null +++ b/teleport-cluster-17.4.9/templates/auth/_config.common.tpl 
@@ -0,0 +1,81 @@ +{{- define "teleport-cluster.auth.config.common" -}} +{{- $authentication := mustMergeOverwrite .Values.authentication (default dict .Values.authenticationSecondFactor) -}} +{{- $logLevel := (coalesce .Values.logLevel .Values.log.level "INFO") -}} +version: v3 +kubernetes_service: + enabled: true + listen_addr: 0.0.0.0:3026 + public_addr: "{{ include "teleport-cluster.auth.serviceFQDN" . }}:3026" +{{- if .Values.kubeClusterName }} + kube_cluster_name: {{ .Values.kubeClusterName }} +{{- else }} + kube_cluster_name: {{ .Values.clusterName }} +{{- end }} +{{- if .Values.labels }} + labels: {{- toYaml .Values.labels | nindent 8 }} +{{- end }} +proxy_service: + enabled: false +ssh_service: + enabled: false +auth_service: + enabled: true + cluster_name: {{ required "clusterName is required in chart values" .Values.clusterName }} +{{- if .Values.enterprise }} + license_file: '/var/lib/license/license.pem' +{{- end }} + authentication: + type: "{{ required "authentication.type is required in chart values" (coalesce .Values.authenticationType $authentication.type) }}" + local_auth: {{ $authentication.localAuth }} +{{- if $authentication.passwordless }} + passwordless: {{ $authentication.passwordless }} +{{- end }} +{{- if $authentication.connectorName }} + connector_name: "{{ $authentication.connectorName }}" +{{- end }} +{{- if $authentication.lockingMode }} + locking_mode: "{{ $authentication.lockingMode }}" +{{- end }} +{{- $hasWebauthnMFA := false }} +{{/* secondFactor takes precedence for backward compatibility, but new chart releases +should have second_factor unset and privilege second_factors instead. +Sadly, it is not possible to do a conversion between second_factor and second_factors +because of the "off" value. 
*/}} +{{- if $authentication.secondFactor }} + second_factor: {{ $authentication.secondFactor | squote }} + {{- if has $authentication.secondFactor (list "webauthn" "on" "optional") }} + {{- $hasWebauthnMFA = true }} + {{- end }} +{{- else }} + second_factors: {{- toYaml $authentication.secondFactors | nindent 6 }} + {{- if has "webauthn" $authentication.secondFactors }} + {{- $hasWebauthnMFA = true }} + {{- end }} +{{- end }} +{{- if $hasWebauthnMFA }} + webauthn: + rp_id: {{ required "clusterName is required in chart values" .Values.clusterName }} + {{- if $authentication.webauthn }} + {{- if $authentication.webauthn.attestationAllowedCas }} + attestation_allowed_cas: {{- toYaml $authentication.webauthn.attestationAllowedCas | nindent 12 }} + {{- end }} + {{- if $authentication.webauthn.attestationDeniedCas }} + attestation_denied_cas: {{- toYaml $authentication.webauthn.attestationDeniedCas | nindent 12 }} + {{- end }} + {{- end }} +{{- end }} +{{- if .Values.sessionRecording }} + session_recording: {{ .Values.sessionRecording | squote }} +{{- end }} +{{- if .Values.proxyListenerMode }} + proxy_listener_mode: {{ .Values.proxyListenerMode }} +{{- end }} +teleport: + auth_server: 127.0.0.1:3025 + log: + severity: {{ $logLevel }} + output: {{ .Values.log.output }} + format: + output: {{ .Values.log.format }} + extra_fields: {{ .Values.log.extraFields | toJson }} +{{- end -}} diff --git a/teleport-cluster-17.4.9/templates/auth/_config.gcp.tpl b/teleport-cluster-17.4.9/templates/auth/_config.gcp.tpl new file mode 100644 index 0000000..f55743b --- /dev/null +++ b/teleport-cluster-17.4.9/templates/auth/_config.gcp.tpl 
@@ -0,0 +1,16 @@ +{{- define "teleport-cluster.auth.config.gcp" -}} +{{ include "teleport-cluster.auth.config.common" . }} + storage: + type: firestore + project_id: {{ required "gcp.projectId is required in chart values" .Values.gcp.projectId }} + collection_name: {{ required "gcp.backendTable is required in chart values" .Values.gcp.backendTable }} + {{- if .Values.gcp.credentialSecretName }} + credentials_path: /etc/teleport-secrets/gcp-credentials.json + {{- end }} + {{- if .Values.gcp.auditLogMirrorOnStdout }} + audit_events_uri: ['firestore://{{ required "gcp.auditLogTable is required in chart values" .Values.gcp.auditLogTable }}?projectID={{ required "gcp.projectId is required in chart values" .Values.gcp.projectId }}{{ empty .Values.gcp.credentialSecretName | ternary "" "&credentialsPath=/etc/teleport-secrets/gcp-credentials.json"}}', 'stdout://'] + {{- else }} + audit_events_uri: ['firestore://{{ required "gcp.auditLogTable is required in chart values" .Values.gcp.auditLogTable }}?projectID={{ required "gcp.projectId is required in chart values" .Values.gcp.projectId }}{{ empty .Values.gcp.credentialSecretName | ternary "" "&credentialsPath=/etc/teleport-secrets/gcp-credentials.json"}}'] + {{- end }} + audit_sessions_uri: "gs://{{ required "gcp.sessionRecordingBucket is required in chart values" .Values.gcp.sessionRecordingBucket }}?projectID={{ required "gcp.projectId is required in chart values" .Values.gcp.projectId }}{{ empty .Values.gcp.credentialSecretName | ternary "" "&credentialsPath=/etc/teleport-secrets/gcp-credentials.json"}}" +{{- end -}} diff --git a/teleport-cluster-17.4.9/templates/auth/_config.scratch.tpl b/teleport-cluster-17.4.9/templates/auth/_config.scratch.tpl new file mode 100644 index 0000000..36c3264 --- /dev/null +++ b/teleport-cluster-17.4.9/templates/auth/_config.scratch.tpl 
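Review bot: The `credentialsPath` query suffix and the firestore audit URI are each spelled out two or three times in `teleport-cluster.auth.config.gcp`, with the `required "gcp.projectId …"` check repeated in every copy, so a future change to the secret mount path or the query format has to be applied in several places and can silently diverge between the `auditLogMirrorOnStdout` branches. Extracting the suffix and the firestore URI into two small named templates, as the chart already does for `teleport-cluster.auth.config.aws.audit`, removes the duplication without changing the rendered output. As this looks like a vendored upstream chart, the refactor is a suggestion for upstream rather than a local patch.
```gotemplate
{{/* Query-string suffix appended to GCP storage URIs when a credentials secret is mounted */}}
{{- define "teleport-cluster.auth.config.gcp.credentialsQuery" -}}
{{ empty .Values.gcp.credentialSecretName | ternary "" "&credentialsPath=/etc/teleport-secrets/gcp-credentials.json" }}
{{- end -}}

{{/* Firestore audit-log URI, built once so the required-value checks are not repeated */}}
{{- define "teleport-cluster.auth.config.gcp.auditURI" -}}
firestore://{{ required "gcp.auditLogTable is required in chart values" .Values.gcp.auditLogTable }}?projectID={{ required "gcp.projectId is required in chart values" .Values.gcp.projectId }}{{ include "teleport-cluster.auth.config.gcp.credentialsQuery" . }}
{{- end -}}

{{- define "teleport-cluster.auth.config.gcp" -}}
{{/* … unchanged: common config include, storage type/project_id/collection_name, credentials_path … */}}
  {{- if .Values.gcp.auditLogMirrorOnStdout }}
  audit_events_uri: ['{{ include "teleport-cluster.auth.config.gcp.auditURI" . }}', 'stdout://']
  {{- else }}
  audit_events_uri: ['{{ include "teleport-cluster.auth.config.gcp.auditURI" . }}']
  {{- end }}
  audit_sessions_uri: "gs://{{ required "gcp.sessionRecordingBucket is required in chart values" .Values.gcp.sessionRecordingBucket }}?projectID={{ required "gcp.projectId is required in chart values" .Values.gcp.projectId }}{{ include "teleport-cluster.auth.config.gcp.credentialsQuery" . }}"
{{- end -}}
```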
@@ -0,0 +1,12 @@ +{{- define "teleport-cluster.auth.config.scratch" -}} +proxy_service: + enabled: false +ssh_service: + enabled: false +auth_service: + enabled: true +{{- end -}} + +{{- define "teleport-cluster.auth.config.custom" -}} +{{ fail "'custom' mode has been removed with chart v12 because of the proxy/auth split breaking change, see https://goteleport.com/docs/deploy-a-cluster/helm-deployments/migration-v12/" }} +{{- end -}} diff --git a/teleport-cluster-17.4.9/templates/auth/_config.standalone.tpl b/teleport-cluster-17.4.9/templates/auth/_config.standalone.tpl new file mode 100644 index 0000000..db5ff58 --- /dev/null +++ b/teleport-cluster-17.4.9/templates/auth/_config.standalone.tpl @@ -0,0 +1,3 @@ +{{- define "teleport-cluster.auth.config.standalone" -}} +{{ include "teleport-cluster.auth.config.common" . }} +{{- end -}} diff --git a/teleport-cluster-17.4.9/templates/auth/clusterrole.yaml b/teleport-cluster-17.4.9/templates/auth/clusterrole.yaml new file mode 100644 index 0000000..a1b77ad --- /dev/null +++ b/teleport-cluster-17.4.9/templates/auth/clusterrole.yaml @@ -0,0 +1,33 @@ +{{- if .Values.rbac.create -}} +{{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ .Release.Name }} + labels: + {{- include "teleport-cluster.auth.labels" . | nindent 4 }} + {{- if $auth.extraLabels.clusterRole }} + {{- toYaml $auth.extraLabels.clusterRole | nindent 4 }} + {{- end }} +rules: +- apiGroups: + - "" + resources: + - users + - groups + - serviceaccounts + verbs: + - impersonate +- apiGroups: + - "" + resources: + - pods + verbs: + - get +- apiGroups: + - "authorization.k8s.io" + resources: + - selfsubjectaccessreviews + verbs: + - create +{{- end -}} diff --git a/teleport-cluster-17.4.9/templates/auth/clusterrolebinding.yaml b/teleport-cluster-17.4.9/templates/auth/clusterrolebinding.yaml new file mode 100644 index 0000000..97867d1 --- /dev/null 
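Review bot: The ClusterRole in clusterrole.yaml is named `{{ .Release.Name }}` with no namespace qualifier, whereas the ClusterRoleBinding in the next file is named `{{ .Release.Namespace }}-{{ .Release.Name }}`; two releases that share a release name in different namespaces would contend for the same cluster-scoped ClusterRole, and Helm 3 normally refuses the second install because the object carries another release's ownership metadata. Renaming it to `name: {{ .Release.Namespace }}-{{ .Release.Name }}` would need the `roleRef.name` in clusterrolebinding.yaml to follow, and an existing release would see its ClusterRole replaced on upgrade, so this is worth deciding deliberately rather than by accident. The `impersonate` rule on users, groups and serviceaccounts also deserves a comment, since it lets the auth ServiceAccount act as any cluster principal, including members of `system:masters`; something like `# impersonate lets Teleport issue kube requests as the Teleport user; it is cluster-admin-equivalent, so treat the auth ServiceAccount token accordingly` above the first rule. Note that with `rbac.create: false` none of this is rendered and an equivalent binding has to be provided out of band.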
+++ b/teleport-cluster-17.4.9/templates/auth/clusterrolebinding.yaml @@ -0,0 +1,40 @@ +{{- if .Values.rbac.create -}} +{{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ .Release.Namespace }}-{{ .Release.Name }} + labels: + {{- include "teleport-cluster.auth.labels" . | nindent 4 }} + {{- if $auth.extraLabels.clusterRoleBinding }} + {{- toYaml $auth.extraLabels.clusterRoleBinding | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Release.Name }} +subjects: +- kind: ServiceAccount + name: {{ include "teleport-cluster.auth.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +--- +# This ClusterRoleBinding allows the auth service-account to validate Kubernetes tokens +# This is required for proxies to join using their Kubernetes tokens +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ .Release.Namespace}}-{{ .Release.Name }}-auth + labels: + {{- include "teleport-cluster.auth.labels" . | nindent 4 }} + {{- if $auth.extraLabels.clusterRoleBinding }} + {{- toYaml $auth.extraLabels.clusterRoleBinding | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: +- kind: ServiceAccount + name: {{ include "teleport-cluster.auth.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/teleport-cluster-17.4.9/templates/auth/config.yaml b/teleport-cluster-17.4.9/templates/auth/config.yaml new file mode 100644 index 0000000..303052e --- /dev/null +++ b/teleport-cluster-17.4.9/templates/auth/config.yaml 
@@ -0,0 +1,175 @@ +{{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}} +{{- $configTemplate := printf "teleport-cluster.auth.config.%s" $auth.chartMode -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-auth + namespace: {{ .Release.Namespace }} + labels: + {{- include "teleport-cluster.auth.labels" . | nindent 4 }} + {{- if $auth.extraLabels.config }} + {{- toYaml $auth.extraLabels.config | nindent 4 }} + {{- end }} +{{- if $auth.annotations.config }} + annotations: {{- toYaml $auth.annotations.config | nindent 4 }} +{{- end }} +data: +{{- if or $auth.createProxyToken .Values.operator.enabled }} + apply-on-startup.yaml: |2 + {{- if $auth.createProxyToken }} + --- + kind: token + version: v2 + metadata: + name: {{ .Release.Name }}-proxy + expires: "2050-01-01T00:00:00Z" + spec: + roles: [Proxy] + join_method: kubernetes + kubernetes: + allow: + - service_account: "{{ .Release.Namespace }}:{{ include "teleport-cluster.proxy.serviceAccountName" . 
}}" + {{- end }} + {{- if .Values.operator.enabled }} + --- + kind: role + metadata: + description: Automatically generated role for bot operator + labels: + teleport.internal/bot: operator + name: bot-operator + spec: + allow: + impersonate: + roles: + - operator + rules: + - resources: + - cert_authority + verbs: + - readnosecrets + deny: {} + version: v7 + --- + kind: user + metadata: + labels: + teleport.internal/bot: operator + name: bot-operator + spec: + roles: + - bot-operator + version: v2 + --- + kind: role + metadata: + name: operator + spec: + allow: + rules: + - resources: + - role + verbs: + - list + - create + - read + - update + - delete + - resources: + - user + verbs: + - list + - create + - read + - update + - delete + - resources: + - auth_connector + verbs: + - list + - create + - read + - update + - delete + - resources: + - login_rule + verbs: + - list + - create + - read + - update + - delete + - resources: + - token + verbs: + - list + - create + - read + - update + - delete + - resources: + - okta_import_rule + verbs: + - list + - create + - read + - update + - delete + - resources: + - access_list + verbs: + - list + - create + - read + - update + - delete + - resources: + - node + verbs: + - list + - create + - read + - update + - delete + - resources: + - trusted_cluster + verbs: + - list + - create + - read + - update + - delete + - resources: + - bot + verbs: + - list + - create + - read + - update + - delete + - resources: + - workload_identity + verbs: + - list + - create + - read + - update + - delete + deny: {} + version: v7 + --- + kind: token + version: v2 + metadata: + name: "{{ .Values.operator.token }}" + spec: + roles: [Bot] + join_method: kubernetes + bot_name: operator + kubernetes: + allow: + - service_account: "{{ .Release.Namespace }}:{{ include "teleport-cluster.auth.operatorServiceAccountName" . }}" + {{- end }} +{{- end }} + teleport.yaml: |2 + {{- mustMergeOverwrite (include $configTemplate . 
| fromYaml) $auth.teleportConfig | toYaml | nindent 4 -}} diff --git a/teleport-cluster-17.4.9/templates/auth/deployment.yaml b/teleport-cluster-17.4.9/templates/auth/deployment.yaml new file mode 100644 index 0000000..5f03f38 --- /dev/null +++ b/teleport-cluster-17.4.9/templates/auth/deployment.yaml 
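Review bot: The `operator` role applied on startup grants full list/create/read/update/delete on `user`, `role`, `token`, `auth_connector`, `trusted_cluster` and `bot`, and `bot-operator` may impersonate it, so whoever can present a projected token for the operator ServiceAccount named in the final token resource (for example via pod exec on the operator pod or `serviceaccounts/token` create rights in `{{ .Release.Namespace }}`) is effectively a Teleport cluster administrator. Nothing in the ConfigMap says so; a comment above the `operator` role such as `# NOTE: this role is Teleport-admin-equivalent; access to the operator ServiceAccount token is equivalent to holding it` would make the trust boundary explicit for whoever tightens namespace RBAC later. Separately, the proxy join token here expires `2050-01-01` while the copy in predeploy_config.yaml uses `3000-01-01`; harmless for a validation-only hook, but the two blocks appear intended to be identical and will keep drifting.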
@@ -0,0 +1,320 @@ +{{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}} +{{- $replicated := gt (int $auth.highAvailability.replicaCount) 1 -}} +{{- $projectedServiceAccountToken := semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} +{{- $topologySpreadConstraints := and (semverCompare ">=1.18.0-0" .Capabilities.KubeVersion.Version) (not $auth.disableTopologySpreadConstraints) }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ .Release.Name }}-auth + namespace: {{ .Release.Namespace }} + labels: + {{- include "teleport-cluster.auth.labels" . | nindent 4 }} + app: {{ .Release.Name }} + {{- if $auth.extraLabels.deployment }} + {{- toYaml $auth.extraLabels.deployment | nindent 4 }} + {{- end }} +{{- if $auth.annotations.deployment }} + annotations: {{- toYaml $auth.annotations.deployment | nindent 4 }} +{{- end }} +spec: + replicas: {{ $auth.highAvailability.replicaCount }} +{{- if and $replicated $auth.highAvailability.minReadySeconds }} + minReadySeconds: {{ $auth.highAvailability.minReadySeconds }} +{{- end }} + strategy: +{{- if $replicated }} + # some backends support a maximum amount of auth pods (e.g. DynamoDB), + # we don't want to exceed this during a rollout. + type: RollingUpdate + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 +{{- else }} + # using a single replica can be because of a non-replicable storage or when applying upgrade migrations. + # In those cases, we don't want a rolling update. + type: Recreate +{{- end }} + selector: + matchLabels: {{- include "teleport-cluster.auth.selectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + # ConfigMap checksum, to recreate the pod on config changes. + checksum/config: {{ include (print $.Template.BasePath "/auth/config.yaml") . | sha256sum }} +{{- if $auth.annotations.pod }} + {{- toYaml $auth.annotations.pod | nindent 8 }} +{{- end }} + labels: + {{- include "teleport-cluster.auth.labels" . 
| nindent 8 }} + app: {{ .Release.Name }} + {{- if $auth.extraLabels.pod }} + {{- toYaml $auth.extraLabels.pod | nindent 8 }} + {{- end }} +{{- if eq $auth.chartMode "azure"}} + azure.workload.identity/use: "true" +{{- end }} + spec: +{{- if $auth.nodeSelector }} + nodeSelector: {{- toYaml $auth.nodeSelector | nindent 8 }} +{{- end }} +{{- if $topologySpreadConstraints }} + {{- if $auth.topologySpreadConstraints }} + topologySpreadConstraints: {{- toYaml $auth.topologySpreadConstraints | nindent 8 }} + {{- else }} + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: {{- include "teleport-cluster.auth.selectorLabels" . | nindent 14 }} + - maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: {{- include "teleport-cluster.auth.selectorLabels" . | nindent 14 }} + {{- end }} +{{- end }} + affinity: +{{- if $auth.affinity }} + {{- if $auth.highAvailability.requireAntiAffinity }} + {{- fail "Cannot use highAvailability.requireAntiAffinity when affinity is also set in chart values - unset one or the other" }} + {{- end }} + {{- toYaml $auth.affinity | nindent 8 }} +{{- else }} + podAntiAffinity: + {{- if $auth.highAvailability.requireAntiAffinity }} + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app.kubernetes.io/instance + operator: In + values: + - {{ .Release.Name }} + - key: app.kubernetes.io/component + operator: In + values: + - auth + topologyKey: "kubernetes.io/hostname" + {{- else if $replicated }} + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 50 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: app.kubernetes.io/instance + operator: In + values: + - {{ .Release.Name }} + - key: app.kubernetes.io/component + operator: In + values: + - auth + topologyKey: "kubernetes.io/hostname" + {{- end }} +{{- end }} +{{- if 
$auth.tolerations }} + tolerations: {{- toYaml $auth.tolerations | nindent 6 }} +{{- end }} +{{- if $auth.imagePullSecrets }} + imagePullSecrets: + {{- toYaml $auth.imagePullSecrets | nindent 6 }} +{{- end }} +{{- if $auth.initContainers }} + initContainers: + {{- range $initContainer := $auth.initContainers }} + {{- if and (not $initContainer.resources) $auth.resources }} + {{- $_ := set $initContainer "resources" $auth.resources }} + {{- end }} + {{- list $initContainer | toYaml | nindent 8 }} + {{- /* Note: this will break if the user sets volumeMounts to its initContainer */}} + volumeMounts: + {{- if $auth.enterprise }} + - mountPath: /var/lib/license + name: "license" + readOnly: true + {{- end }} + {{- if and ($auth.gcp.credentialSecretName) (eq $auth.chartMode "gcp") }} + - mountPath: /etc/teleport-secrets + name: "gcp-credentials" + readOnly: true + {{- end }} + - mountPath: /etc/teleport + name: "config" + readOnly: true + - mountPath: /var/lib/teleport + name: "data" + {{- if $projectedServiceAccountToken }} + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: auth-serviceaccount-token + readOnly: true + {{- end }} + {{- if $auth.extraVolumeMounts }} + {{- toYaml $auth.extraVolumeMounts | nindent 10 }} + {{- end }} + {{- end }} +{{- end }} + containers: + - name: "teleport" + image: '{{ if $auth.enterprise }}{{ $auth.enterpriseImage }}{{ else }}{{ $auth.image }}{{ end }}:{{ include "teleport-cluster.version" . 
}}' + imagePullPolicy: {{ $auth.imagePullPolicy }} + {{- if or $auth.extraEnv $auth.tls.existingCASecretName }} + env: + {{- if (gt (len $auth.extraEnv) 0) }} + {{- toYaml $auth.extraEnv | nindent 8 }} + {{- end }} + {{- if $auth.tls.existingCASecretName }} + - name: SSL_CERT_FILE + value: /etc/teleport-tls-ca/ca.pem + {{- end }} + {{- end }} + args: + - "--diag-addr=0.0.0.0:3000" + {{- if $auth.insecureSkipProxyTLSVerify }} + - "--insecure" + {{- end }} + {{- if $auth.createProxyToken }} + - "--apply-on-startup=/etc/teleport/apply-on-startup.yaml" + {{- end }} + {{- if $auth.extraArgs }} + {{- toYaml $auth.extraArgs | nindent 8 }} + {{- end }} + ports: + - name: diag + containerPort: 3000 + protocol: TCP + - name: auth + containerPort: 3025 + protocol: TCP + - name: kube + containerPort: 3026 + protocol: TCP + livenessProbe: + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 # wait 5s for agent to start + periodSeconds: 5 # poll health every 5s + failureThreshold: 6 # consider agent unhealthy after 30s (6 * 5s) + timeoutSeconds: {{ $auth.probeTimeoutSeconds }} + readinessProbe: + httpGet: + path: /readyz + port: diag + initialDelaySeconds: {{ $auth.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ $auth.readinessProbe.periodSeconds }} + failureThreshold: {{$auth.readinessProbe.failureThreshold}} + successThreshold: {{$auth.readinessProbe.successThreshold}} + timeoutSeconds: {{ $auth.probeTimeoutSeconds }} + lifecycle: + # waiting during preStop ensures no new request will hit the Terminating pod + # on clusters using kube-proxy (kube-proxy syncs the node iptables rules every 30s) + preStop: + exec: + command: + - teleport + - wait + - duration + - 30s +{{- if $auth.postStart.command }} + postStart: + exec: + command: {{ toYaml $auth.postStart.command | nindent 14 }} +{{- end }} +{{- if $auth.resources }} + resources: + {{- toYaml $auth.resources | nindent 10 }} +{{- end }} +{{- if $auth.securityContext }} + securityContext: {{- toYaml 
$auth.securityContext | nindent 10 }} +{{- end }} + volumeMounts: +{{- if $auth.enterprise }} + - mountPath: /var/lib/license + name: "license" + readOnly: true +{{- end }} +{{- if and ($auth.gcp.credentialSecretName) (eq $auth.chartMode "gcp") }} + - mountPath: /etc/teleport-secrets + name: "gcp-credentials" + readOnly: true +{{- end }} +{{- if $auth.tls.existingCASecretName }} + - mountPath: /etc/teleport-tls-ca + name: "teleport-tls-ca" + readOnly: true +{{- end }} + - mountPath: /etc/teleport + name: "config" + readOnly: true + - mountPath: /var/lib/teleport + name: "data" +{{- if $projectedServiceAccountToken }} + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: auth-serviceaccount-token + readOnly: true +{{- end }} +{{- if $auth.extraVolumeMounts }} + {{- toYaml $auth.extraVolumeMounts | nindent 8 }} +{{- end }} +{{- if $auth.extraContainers }} + {{- toYaml $auth.extraContainers | nindent 6 }} +{{- end }} +{{- if $projectedServiceAccountToken }} + automountServiceAccountToken: false +{{- end }} + volumes: +{{- if $projectedServiceAccountToken }} + # This projected token volume mimics the `automountServiceAccountToken` + # behaviour but defaults to a 1h TTL instead of 1y. 
+ - name: auth-serviceaccount-token + projected: + sources: + - serviceAccountToken: + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - path: "namespace" + fieldRef: + fieldPath: metadata.namespace +{{- end }} +{{- if $auth.enterprise }} + - name: license + secret: + secretName: {{ $auth.licenseSecretName | quote }} +{{- end }} +{{- if and ($auth.gcp.credentialSecretName) (eq $auth.chartMode "gcp") }} + - name: gcp-credentials + secret: + secretName: {{ $auth.gcp.credentialSecretName | quote }} +{{- end }} +{{- if $auth.tls.existingCASecretName }} + - name: teleport-tls-ca + secret: + secretName: {{ $auth.tls.existingCASecretName }} +{{- end }} + - name: "config" + configMap: + name: {{ .Release.Name }}-auth + - name: "data" + {{- if and ($auth.persistence.enabled) ( and (not (eq $auth.chartMode "gcp")) (not (eq $auth.chartMode "aws")) (not (eq $auth.chartMode "azure"))) }} + persistentVolumeClaim: + claimName: {{ if $auth.persistence.existingClaimName }}{{ $auth.persistence.existingClaimName }}{{ else }}{{ .Release.Name }}{{ end }} + {{- else }} + emptyDir: {} + {{- end }} +{{- if $auth.extraVolumes }} + {{- toYaml $auth.extraVolumes | nindent 6 }} +{{- end }} +{{- if $auth.priorityClassName }} + priorityClassName: {{ $auth.priorityClassName }} +{{- end }} +{{- if $auth.podSecurityContext }} + securityContext: {{- toYaml $auth.podSecurityContext | nindent 8 }} +{{- end }} + serviceAccountName: {{ include "teleport-cluster.auth.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ $auth.terminationGracePeriodSeconds }} diff --git a/teleport-cluster-17.4.9/templates/auth/pdb.yaml b/teleport-cluster-17.4.9/templates/auth/pdb.yaml new file mode 100644 index 0000000..02983f7 --- /dev/null +++ b/teleport-cluster-17.4.9/templates/auth/pdb.yaml 
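Review bot: `--apply-on-startup=/etc/teleport/apply-on-startup.yaml` is only added to the auth container's args when `$auth.createProxyToken` is set, but config.yaml renders the `apply-on-startup.yaml` key under `or $auth.createProxyToken .Values.operator.enabled`; with `createProxyToken: false` and `operator.enabled: true` the bot user, roles and join token are written into the ConfigMap but never applied, and the operator cannot join. Gating the argument the same way, `{{- if or $auth.createProxyToken .Values.operator.enabled }}`, keeps the two templates in step; this assumes values.yaml (not visible here) does not already force `createProxyToken` on. The `--insecure` argument emitted for `insecureSkipProxyTLSVerify` would also benefit from a one-line comment stating that it disables certificate verification toward the proxy, so it is not left enabled by someone copying the values file.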
@@ -0,0 +1,21 @@
+{{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}}
+{{- if $auth.highAvailability.podDisruptionBudget.enabled }}
+{{- if .Capabilities.APIVersions.Has "policy/v1" }}
+apiVersion: policy/v1
+{{- else }}
+apiVersion: policy/v1beta1
+{{- end }}
+kind: PodDisruptionBudget
+metadata:
+ name: {{ .Release.Name }}-auth
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
+ {{- if $auth.extraLabels.podDisruptionBudget }}
+ {{- toYaml $auth.extraLabels.podDisruptionBudget | nindent 4 }}
+ {{- end }}
+spec:
+ minAvailable: {{ $auth.highAvailability.podDisruptionBudget.minAvailable }}
+ selector:
+ matchLabels: {{- include "teleport-cluster.auth.selectorLabels" . | nindent 6 }}
+{{- end }}
diff --git a/teleport-cluster-17.4.9/templates/auth/predeploy_config.yaml b/teleport-cluster-17.4.9/templates/auth/predeploy_config.yaml
new file mode 100644
index 0000000..e866df4
--- /dev/null
+++ b/teleport-cluster-17.4.9/templates/auth/predeploy_config.yaml
@@ -0,0 +1,35 @@ +{{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}} +{{- if $auth.validateConfigOnDeploy }} +{{- $configTemplate := printf "teleport-cluster.auth.config.%s" $auth.chartMode -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-auth-test + namespace: {{ .Release.Namespace }} + labels: + {{- include "teleport-cluster.auth.labels" . | nindent 4 }} + {{- if $auth.extraLabels.config }} + {{- toYaml $auth.extraLabels.config | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "4" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +data: +{{- if $auth.createProxyToken }} + apply-on-startup.yaml: |2 + kind: token + version: v2 + metadata: + name: {{ .Release.Name }}-proxy + expires: "3000-01-01T00:00:00Z" + spec: + roles: [Proxy] + join_method: kubernetes + kubernetes: + allow: + - service_account: "{{ .Release.Namespace }}:{{ include "teleport-cluster.proxy.serviceAccountName" . }}" +{{- end }} + teleport.yaml: |2 + {{- mustMergeOverwrite (include $configTemplate . | fromYaml) $auth.teleportConfig | toYaml | nindent 4 -}} +{{- end }} diff --git a/teleport-cluster-17.4.9/templates/auth/predeploy_job.yaml b/teleport-cluster-17.4.9/templates/auth/predeploy_job.yaml new file mode 100644 index 0000000..c557c71 --- /dev/null +++ b/teleport-cluster-17.4.9/templates/auth/predeploy_job.yaml 
@@ -0,0 +1,114 @@ +{{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}} +{{- if $auth.validateConfigOnDeploy }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ .Release.Name }}-auth-test + namespace: {{ .Release.Namespace }} + labels: + {{- include "teleport-cluster.labels" . | nindent 4 }} + {{- if $auth.extraLabels.job }} + {{- toYaml $auth.extraLabels.job | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "5" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +spec: + backoffLimit: 1 + template: + metadata: + labels: + {{- include "teleport-cluster.auth.labels" . | nindent 8 }} + {{- if $auth.extraLabels.jobPod }} + {{- toYaml $auth.extraLabels.jobPod | nindent 8 }} + {{- end }} + spec: +{{- if $auth.affinity }} + affinity: {{- toYaml $auth.affinity | nindent 8 }} +{{- end }} +{{- if $auth.tolerations }} + tolerations: {{- toYaml $auth.tolerations | nindent 6 }} +{{- end }} +{{- if $auth.imagePullSecrets }} + imagePullSecrets: + {{- toYaml $auth.imagePullSecrets | nindent 6 }} +{{- end }} + restartPolicy: Never + containers: + - name: "teleport-config-check" + image: '{{ if $auth.enterprise }}{{ $auth.enterpriseImage }}{{ else }}{{ $auth.image }}{{ end }}:{{ include "teleport-cluster.version" . 
}}' + imagePullPolicy: {{ $auth.imagePullPolicy }} +{{- if $auth.resources }} + resources: + {{- toYaml $auth.resources | nindent 10 }} +{{- end }} +{{- if or $auth.extraEnv $auth.tls.existingCASecretName }} + env: + {{- if (gt (len $auth.extraEnv) 0) }} + {{- toYaml $auth.extraEnv | nindent 8 }} + {{- end }} + {{- if $auth.tls.existingCASecretName }} + - name: SSL_CERT_FILE + value: /etc/teleport-tls-ca/ca.pem + {{- end }} +{{- end }} + command: + - "teleport" + - "configure" + args: + - "--test" + - "/etc/teleport/teleport.yaml" +{{- if .Values.securityContext }} + securityContext: {{- toYaml .Values.securityContext | nindent 10 }} +{{- end }} + volumeMounts: +{{- if .Values.enterprise }} + - mountPath: /var/lib/license + name: "license" + readOnly: true +{{- end }} +{{- if and (.Values.gcp.credentialSecretName) (eq .Values.chartMode "gcp") }} + - mountPath: /etc/teleport-secrets + name: "gcp-credentials" + readOnly: true +{{- end }} +{{- if .Values.tls.existingCASecretName }} + - mountPath: /etc/teleport-tls-ca + name: "teleport-tls-ca" + readOnly: true +{{- end }} + - mountPath: /etc/teleport + name: "config" + readOnly: true + - mountPath: /var/lib/teleport + name: "data" +{{- if .Values.extraVolumeMounts }} + {{- toYaml .Values.extraVolumeMounts | nindent 8 }} +{{- end }} + volumes: +{{- if .Values.enterprise }} + - name: license + secret: + secretName: {{ .Values.licenseSecretName | quote }} +{{- end }} +{{- if and (.Values.gcp.credentialSecretName) (eq .Values.chartMode "gcp") }} + - name: gcp-credentials + secret: + secretName: {{ .Values.gcp.credentialSecretName | quote }} +{{- end }} +{{- if .Values.tls.existingCASecretName }} + - name: teleport-tls-ca + secret: + secretName: {{ .Values.tls.existingCASecretName }} +{{- end }} + - name: "config" + configMap: + name: {{ .Release.Name }}-auth-test + - name: "data" + emptyDir: {} +{{- if .Values.extraVolumes }} + {{- toYaml .Values.extraVolumes | nindent 6 }} +{{- end }} + serviceAccountName: {{ include 
"teleport-cluster.auth.hookServiceAccountName" . }} +{{- end }} diff --git a/teleport-cluster-17.4.9/templates/auth/predeploy_serviceaccount.yaml b/teleport-cluster-17.4.9/templates/auth/predeploy_serviceaccount.yaml new file mode 100644 index 0000000..893078f --- /dev/null +++ b/teleport-cluster-17.4.9/templates/auth/predeploy_serviceaccount.yaml @@ -0,0 +1,34 @@ +# this is a carbon copy of the regular serviceAccount object which is only used to run pre-deploy jobs +# upon first install of the chart. it will be deleted by Helm after the pre-deploy hooks run, then the +# regular serviceAccount is created with the same name and exists for the lifetime of the release. +{{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}} +{{- if $auth.validateConfigOnDeploy }} +{{- $projectedServiceAccountToken := semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} +{{- if $auth.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "teleport-cluster.auth.hookServiceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "teleport-cluster.auth.labels" . | nindent 4 }} + {{- if $auth.extraLabels.serviceAccount }} + {{- toYaml $auth.extraLabels.serviceAccount | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "3" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + {{- if or $auth.annotations.serviceAccount $auth.azure.clientID }} + {{- if $auth.annotations.serviceAccount }} + {{- toYaml $auth.annotations.serviceAccount | nindent 4 }} + {{- end }} + {{- if $auth.azure.clientID }} + azure.workload.identity/client-id: "{{ $auth.azure.clientID }}" + {{- end }} + {{- end -}} +{{- if $projectedServiceAccountToken }} +automountServiceAccountToken: false +{{- end }} +{{- end }} +{{- end }} 
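Review bot: The volumeMounts, volumes and securityContext of the config-check Job read `.Values.enterprise`, `.Values.gcp.credentialSecretName`, `.Values.tls.existingCASecretName`, `.Values.extraVolumeMounts`, `.Values.extraVolumes` and `.Values.securityContext` directly, while the rest of the same Job (affinity, resources, env) and every other auth template use the `$auth` merge of `.Values` with `.Values.auth`. Anything set only under `auth.*` is therefore ignored by the pre-deploy hook: `auth.tls.existingCASecretName` sets `SSL_CERT_FILE=/etc/teleport-tls-ca/ca.pem` through `$auth`, but the secret is only mounted when `.Values.tls.existingCASecretName` is set, so the validation run can see a different trust store and a different security context than the real auth pod. Replacing each `.Values.` in that section with `$auth.` (e.g. `{{- if $auth.tls.existingCASecretName }}`) makes the hook validate the configuration it is meant to check.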
diff --git a/teleport-cluster-17.4.9/templates/auth/pvc.yaml b/teleport-cluster-17.4.9/templates/auth/pvc.yaml new file mode 100644 index 0000000..8d2c07c --- /dev/null +++ b/teleport-cluster-17.4.9/templates/auth/pvc.yaml @@ -0,0 +1,28 @@ +{{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}} +{{- if $auth.persistence.enabled }} + {{/* Disable persistence for cloud modes */}} + {{- if and (not (eq $auth.chartMode "aws")) (not (eq $auth.chartMode "gcp")) (not (eq $auth.chartMode "azure")) }} + {{/* No need to create a PVC if we reuse an existing claim */}} + {{- if not $auth.persistence.existingClaimName }} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ .Release.Name }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "teleport-cluster.auth.labels" . | nindent 4 }} + {{- if $auth.extraLabels.persistentVolumeClaim }} + {{- toYaml $auth.extraLabels.persistentVolumeClaim | nindent 4 }} + {{- end }} +spec: + accessModes: + - ReadWriteOnce + {{- if $auth.persistence.storageClassName }} + storageClassName: {{ $auth.persistence.storageClassName }} + {{- end }} + resources: + requests: + storage: {{ required "persistence.volumeSize is required in chart values" $auth.persistence.volumeSize }} + {{- end }} + {{- end }} +{{- end }} diff --git a/teleport-cluster-17.4.9/templates/auth/service-previous-version.yaml b/teleport-cluster-17.4.9/templates/auth/service-previous-version.yaml new file mode 100644 index 0000000..9f17d27 --- /dev/null +++ b/teleport-cluster-17.4.9/templates/auth/service-previous-version.yaml 
@@ -0,0 +1,40 @@ +{{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "teleport-cluster.auth.previousVersionServiceName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "teleport-cluster.auth.labels" . | nindent 4 }} + {{- if $auth.extraLabels.service }} + {{- toYaml $auth.extraLabels.service | nindent 4 }} + {{- end }} +spec: + # This is a headless service. Resolving it will return the list of all auth pods running the previous major version + # Proxies should not connect to auth pods from the previous major version + # Proxy rollout should be held until this headLessService does not match pods anymore. + clusterIP: "None" + # Publishing not ready addresses ensures that unhealthy or terminating pods are still accounted for + publishNotReadyAddresses: true + selector: + {{- include "teleport-cluster.auth.selectorLabels" . | nindent 4 }} + teleport.dev/majorVersion: {{ include "teleport-cluster.previousMajorVersion" . | quote }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "teleport-cluster.auth.currentVersionServiceName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "teleport-cluster.auth.labels" . | nindent 4 }} + {{- if $auth.extraLabels.service }} + {{- toYaml $auth.extraLabels.service | nindent 4 }} + {{- end }} +spec: + # This is a headless service. Resolving it will return the list of all auth pods running the current major version + clusterIP: "None" + # Publishing not ready addresses ensures that unhealthy or terminating pods are still accounted for + publishNotReadyAddresses: true + selector: + {{- include "teleport-cluster.auth.selectorLabels" . | nindent 4 }} + teleport.dev/majorVersion: {{ include "teleport-cluster.majorVersion" . | quote }} diff --git a/teleport-cluster-17.4.9/templates/auth/service.yaml b/teleport-cluster-17.4.9/templates/auth/service.yaml new file mode 100644 index 0000000..6e45b48 
--- /dev/null
+++ b/teleport-cluster-17.4.9/templates/auth/service.yaml
@@ -0,0 +1,25 @@
+{{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "teleport-cluster.auth.serviceName" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
+ {{- if $auth.extraLabels.service }}
+ {{- toYaml $auth.extraLabels.service | nindent 4 }}
+ {{- end }}
+{{- if $auth.annotations.service }}
+ annotations: {{- toYaml $auth.annotations.service | nindent 4 }}
+{{- end }}
+spec:
+ ports:
+ - name: auth
+ port: 3025
+ targetPort: 3025
+ protocol: TCP
+ - name: kube
+ port: 3026
+ targetPort: 3026
+ protocol: TCP
+ selector: {{- include "teleport-cluster.auth.selectorLabels" . | nindent 4 }}
diff --git a/teleport-cluster-17.4.9/templates/auth/serviceaccount.yaml b/teleport-cluster-17.4.9/templates/auth/serviceaccount.yaml
new file mode 100644
index 0000000..d060ea8
--- /dev/null
+++ b/teleport-cluster-17.4.9/templates/auth/serviceaccount.yaml
@@ -0,0 +1,26 @@ +{{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}} +{{- $projectedServiceAccountToken := semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} +{{- if $auth.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "teleport-cluster.auth.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "teleport-cluster.auth.labels" . | nindent 4 }} + {{- if $auth.extraLabels.serviceAccount }} + {{- toYaml $auth.extraLabels.serviceAccount | nindent 4 }} + {{- end }} + {{- if or $auth.annotations.serviceAccount $auth.azure.clientID }} + annotations: + {{- if $auth.annotations.serviceAccount }} + {{- toYaml $auth.annotations.serviceAccount | nindent 4 }} + {{- end }} + {{- if $auth.azure.clientID }} + azure.workload.identity/client-id: "{{ $auth.azure.clientID }}" + {{- end }} + {{- end -}} +{{- if $projectedServiceAccountToken }} +automountServiceAccountToken: false +{{- end }} +{{- end }} diff --git a/teleport-cluster-17.4.9/templates/podmonitor.yaml b/teleport-cluster-17.4.9/templates/podmonitor.yaml new file mode 100644 index 0000000..7201cae --- /dev/null +++ b/teleport-cluster-17.4.9/templates/podmonitor.yaml 
@@ -0,0 +1,31 @@ +{{- if.Values.podMonitor.enabled -}} +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + name: {{ .Release.Name }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "teleport-cluster.labels" . | nindent 4 }} + {{- with .Values.podMonitor.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + jobLabel: {{ .Release.Name }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} + selector: + matchLabels: {{- include "teleport-cluster.selectorLabels" . | nindent 6 }} + podMetricsEndpoints: + - port: diag + path: /metrics + {{- with .Values.podMonitor.interval }} + interval: {{ . | quote }} + {{- end }} + podTargetLabels: + - "app.kubernetes.io/name" + - "app.kubernetes.io/instance" + - "app.kubernetes.io/component" + - "app.kubernetes.io/version" + - "teleport.dev/majorVersion" +{{- end }} diff --git a/teleport-cluster-17.4.9/templates/proxy/_config.aws.tpl b/teleport-cluster-17.4.9/templates/proxy/_config.aws.tpl new file mode 100644 index 0000000..3e4d97a --- /dev/null +++ b/teleport-cluster-17.4.9/templates/proxy/_config.aws.tpl @@ -0,0 +1,3 @@ +{{- define "teleport-cluster.proxy.config.aws" -}} +{{ include "teleport-cluster.proxy.config.common" . }} +{{- end -}} diff --git a/teleport-cluster-17.4.9/templates/proxy/_config.azure.tpl b/teleport-cluster-17.4.9/templates/proxy/_config.azure.tpl new file mode 100644 index 0000000..96ccbc7 --- /dev/null +++ b/teleport-cluster-17.4.9/templates/proxy/_config.azure.tpl @@ -0,0 +1,3 @@ +{{- define "teleport-cluster.proxy.config.azure" -}} +{{ include "teleport-cluster.proxy.config.common" . }} +{{- end -}} diff --git a/teleport-cluster-17.4.9/templates/proxy/_config.common.tpl b/teleport-cluster-17.4.9/templates/proxy/_config.common.tpl new file mode 100644 index 0000000..32dd85c --- /dev/null +++ b/teleport-cluster-17.4.9/templates/proxy/_config.common.tpl 
@@ -0,0 +1,79 @@
+{{- define "teleport-cluster.proxy.config.common" -}}
+{{- $logLevel := (coalesce .Values.logLevel .Values.log.level "INFO") -}}
+version: v3
+teleport:
+ join_params:
+ method: kubernetes
+ token_name: "{{.Release.Name}}-proxy"
+ auth_server: "{{ include "teleport-cluster.auth.serviceFQDN" . }}:3025"
+ log:
+ severity: {{ $logLevel }}
+ output: {{ .Values.log.output }}
+ format:
+ output: {{ .Values.log.format }}
+ extra_fields: {{ .Values.log.extraFields | toJson }}
+ssh_service:
+ enabled: false
+auth_service:
+ enabled: false
+proxy_service:
+ enabled: true
+{{- if .Values.publicAddr }}
+ public_addr: {{- toYaml .Values.publicAddr | nindent 8 }}
+{{- else }}
+ public_addr: '{{ required "clusterName is required in chart values" .Values.clusterName }}:443'
+{{- end }}
+{{- if ne .Values.proxyListenerMode "multiplex" }}
+ listen_addr: 0.0.0.0:3023
+ {{- if .Values.sshPublicAddr }}
+ ssh_public_addr: {{- toYaml .Values.sshPublicAddr | nindent 8 }}
+ {{- end }}
+ tunnel_listen_addr: 0.0.0.0:3024
+ {{- if .Values.tunnelPublicAddr }}
+ tunnel_public_addr: {{- toYaml .Values.tunnelPublicAddr | nindent 8 }}
+ {{- end }}
+ kube_listen_addr: 0.0.0.0:3026
+ {{- if .Values.kubePublicAddr }}
+ kube_public_addr: {{- toYaml .Values.kubePublicAddr | nindent 8 }}
+ {{- end }}
+ mysql_listen_addr: 0.0.0.0:3036
+ {{- if .Values.mysqlPublicAddr }}
+ mysql_public_addr: {{- toYaml .Values.mysqlPublicAddr | nindent 8 }}
+ {{- end }}
+ {{- if .Values.separatePostgresListener }}
+ postgres_listen_addr: 0.0.0.0:5432
+ {{- if .Values.postgresPublicAddr }}
+ postgres_public_addr: {{- toYaml .Values.postgresPublicAddr | nindent 8 }}
+ {{- else }}
+ postgres_public_addr: {{ .Values.clusterName }}:5432
+ {{- end }}
+ {{- end }}
+ {{- if .Values.separateMongoListener }}
+ mongo_listen_addr: 0.0.0.0:27017
+ {{- if .Values.mongoPublicAddr }}
+ mongo_public_addr: {{- toYaml .Values.mongoPublicAddr | nindent 8 }}
+ {{- else }}
+ mongo_public_addr: {{ .Values.clusterName }}:27017
+ {{- end }}
+ {{- end }}
+{{- end }}
+{{- if or .Values.highAvailability.certManager.enabled .Values.tls.existingSecretName }}
+ https_keypairs:
+ - key_file: /etc/teleport-tls/tls.key
+ cert_file: /etc/teleport-tls/tls.crt
+ https_keypairs_reload_interval: 12h
+{{- else if .Values.acme }}
+ acme:
+ enabled: {{ .Values.acme }}
+ email: {{ required "acmeEmail is required in chart values" .Values.acmeEmail }}
+ {{- if .Values.acmeURI }}
+ uri: {{ .Values.acmeURI }}
+ {{- end }}
+{{- end }}
+{{- if .Values.proxyProtocol }}
+ proxy_protocol: {{ .Values.proxyProtocol | quote }}
+{{- end }}
+{{- if and .Values.ingress.enabled (semverCompare ">= 14.0.0-0" (include "teleport-cluster.version" .)) }}
+ trust_x_forwarded_for: true
+{{- end }}
+{{- end -}}
diff --git a/teleport-cluster-17.4.9/templates/proxy/_config.gcp.tpl b/teleport-cluster-17.4.9/templates/proxy/_config.gcp.tpl
new file mode 100644
index 0000000..cf9c79d
--- /dev/null
+++ b/teleport-cluster-17.4.9/templates/proxy/_config.gcp.tpl
@@ -0,0 +1,3 @@
+{{- define "teleport-cluster.proxy.config.gcp" -}}
+{{ include "teleport-cluster.proxy.config.common" . }}
+{{- end -}}
diff --git a/teleport-cluster-17.4.9/templates/proxy/_config.scratch.tpl b/teleport-cluster-17.4.9/templates/proxy/_config.scratch.tpl
new file mode 100644
index 0000000..0efddce
--- /dev/null
+++ b/teleport-cluster-17.4.9/templates/proxy/_config.scratch.tpl
@@ -0,0 +1,12 @@
+{{- define "teleport-cluster.proxy.config.scratch" -}}
+ssh_service:
+ enabled: false
+auth_service:
+ enabled: false
+proxy_service:
+ enabled: true
+{{- end -}}
+
+{{- define "teleport-cluster.proxy.config.custom" -}}
+{{ fail "'custom' mode has been removed with chart v12 because of the proxy/auth split breaking change, see https://goteleport.com/docs/deploy-a-cluster/helm-deployments/migration-v12/" }}
+{{- end -}}
diff --git a/teleport-cluster-17.4.9/templates/proxy/_config.standalone.tpl b/teleport-cluster-17.4.9/templates/proxy/_config.standalone.tpl
new file mode 100644
index 0000000..7355813
--- /dev/null
+++ b/teleport-cluster-17.4.9/templates/proxy/_config.standalone.tpl
@@ -0,0 +1,3 @@
+{{- define "teleport-cluster.proxy.config.standalone" -}}
+{{ include "teleport-cluster.proxy.config.common" . }}
+{{- end -}}
diff --git a/teleport-cluster-17.4.9/templates/proxy/certificate.yaml b/teleport-cluster-17.4.9/templates/proxy/certificate.yaml
new file mode 100644
index 0000000..7693722
--- /dev/null
+++ b/teleport-cluster-17.4.9/templates/proxy/certificate.yaml
@@ -0,0 +1,49 @@
+{{- $proxy := mustMergeOverwrite (mustDeepCopy .Values) .Values.proxy -}}
+{{- if $proxy.highAvailability.certManager.enabled -}}
+ {{- /* Append clusterName and wildcard version to list of dnsNames on certificate request (original functionality) */ -}}
+ {{- $domainList := list (required "clusterName is required in chartValues when certManager is enabled" $proxy.clusterName) -}}
+ {{- $domainList := append $domainList (printf "*.%s" (required "clusterName is required in chartValues when certManager is enabled" $proxy.clusterName)) -}}
+ {{- /* If the config option is enabled and at least one publicAddr is set, append all public addresses to the list of dnsNames */ -}}
+ {{- if and $proxy.highAvailability.certManager.addPublicAddrs (gt (len .Values.publicAddr) 0) -}}
+ {{- /* Trim ports from all public addresses if present */ -}}
+ {{- range .Values.publicAddr -}}
+ {{- $address := . -}}
+ {{- if (contains ":" $address) -}}
+ {{- $split := split ":" $address -}}
+ {{- $address = $split._0 -}}
+ {{- end -}}
+ {{- $domainList = append (mustWithout $domainList .) $address -}}
+ {{- end -}}
+ {{- end -}}
+ {{- /* Finally, remove any duplicate entries from the list of domains */ -}}
+ {{- $domainList := mustUniq $domainList -}}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ .Release.Name }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "teleport-cluster.proxy.labels" . | nindent 4 }}
+spec:
+ secretName: teleport-tls
+ {{- if $proxy.highAvailability.certManager.addCommonName }}
+ commonName: {{ quote $proxy.clusterName }}
+ {{- end }}
+ dnsNames:
+ {{- range $domainList }}
+ - {{ quote . }}
+ {{- end }}
+ issuerRef:
+ name: {{ required "highAvailability.certManager.issuerName is required in chart values" $proxy.highAvailability.certManager.issuerName }}
+ kind: {{ required "highAvailability.certManager.issuerKind is required in chart values" $proxy.highAvailability.certManager.issuerKind }}
+ group: {{ required "highAvailability.certManager.issuerGroup is required in chart values" $proxy.highAvailability.certManager.issuerGroup }}
+ {{- if or $proxy.annotations.certSecret $proxy.extraLabels.certSecret }}
+ secretTemplate:
+ {{- with $proxy.annotations.certSecret }}
+ annotations: {{- toYaml . | nindent 6 }}
+ {{- end }}
+ {{- with $proxy.extraLabels.certSecret }}
+ labels: {{- toYaml . | nindent 6 }}
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/teleport-cluster-17.4.9/templates/proxy/config.yaml b/teleport-cluster-17.4.9/templates/proxy/config.yaml
new file mode 100644
index 0000000..9154ef0
--- /dev/null
+++ b/teleport-cluster-17.4.9/templates/proxy/config.yaml
@@ -0,0 +1,21 @@
+{{- $proxy := mustMergeOverwrite (mustDeepCopy .Values) .Values.proxy -}}
+{{- $configTemplate := printf "teleport-cluster.proxy.config.%s" $proxy.chartMode -}}
+{{- if (contains ":" $proxy.clusterName) -}}
+ {{- fail "clusterName must not contain a colon, you can override the cluster's public address with publicAddr" -}}
+{{- end -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Release.Name }}-proxy
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "teleport-cluster.proxy.labels" . | nindent 4 }}
+ {{- if $proxy.extraLabels.config }}
+ {{- toYaml $proxy.extraLabels.config | nindent 4 }}
+ {{- end }}
+{{- if $proxy.annotations.config }}
+ annotations: {{- toYaml $proxy.annotations.config | nindent 4 }}
+{{- end }}
+data:
+ teleport.yaml: |2
+ {{- mustMergeOverwrite (include $configTemplate . | fromYaml) $proxy.teleportConfig | toYaml | nindent 4 -}}
diff --git a/teleport-cluster-17.4.9/templates/proxy/deployment.yaml b/teleport-cluster-17.4.9/templates/proxy/deployment.yaml
new file mode 100644
index 0000000..0fd3e03
--- /dev/null
+++ b/teleport-cluster-17.4.9/templates/proxy/deployment.yaml
@@ -0,0 +1,351 @@
+{{- $proxy := mustMergeOverwrite (mustDeepCopy .Values) .Values.proxy -}}
+{{- $replicable := or $proxy.highAvailability.certManager.enabled $proxy.tls.existingSecretName $proxy.ingress.enabled -}}
+{{- $projectedServiceAccountToken := semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
+{{- $topologySpreadConstraints := and (semverCompare ">=1.18.0-0" .Capabilities.KubeVersion.Version) (not $proxy.disableTopologySpreadConstraints) }}
+# Deployment is {{ if not $replicable }}not {{end}}replicable
+{{- if and $proxy.highAvailability.certManager.enabled $proxy.tls.existingSecretName }}
+{{- fail "Cannot set both highAvailability.certManager.enabled and tls.existingSecretName, choose one or the other" }}
+{{- end }}
+{{- if and $proxy.acme $proxy.tls.existingSecretName }}
+{{- fail "Cannot set both acme.enabled and tls.existingSecretName, choose one or the other" }}
+{{- end }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ .Release.Name }}-proxy
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "teleport-cluster.proxy.labels" . | nindent 4 }}
+ {{- if $proxy.extraLabels.deployment }}
+ {{- toYaml $proxy.extraLabels.deployment | nindent 4 }}
+ {{- end }}
+{{- if $proxy.annotations.deployment }}
+ annotations: {{- toYaml $proxy.annotations.deployment | nindent 4 }}
+{{- end }}
+spec:
+{{- /*
+ If proxies cannot be replicated we use a single replica.
+ By default we want to upgrade all users to at least 2 replicas, if they had a higher replica count we take it.
+ If a user wants to force a single proxy, they can use the `proxy` specific override.
+
+ $proxySpecificHA is a hack to avoid .Values.proxy.highAvailability to be nil, which would cause a fail when
+ accessing .Values.proxy.highAvailability.replicaCount.
+*/}}
+{{- if $replicable }}
+ {{- $proxySpecificHA := default (dict) .Values.proxy.highAvailability }}
+ {{- if $proxySpecificHA.replicaCount }}
+ replicas: {{ $proxySpecificHA.replicaCount }}
+ {{- else }}
+ replicas: {{ max .Values.highAvailability.replicaCount 2 }}
+ {{- end }}
+ {{- if $proxy.highAvailability.minReadySeconds }}
+ minReadySeconds: {{ $proxy.highAvailability.minReadySeconds }}
+ {{- end }}
+{{- else }}
+ replicas: 1
+{{- end }}
+ selector:
+ matchLabels: {{- include "teleport-cluster.proxy.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ annotations:
+ # ConfigMap checksum, to recreate the pod on config changes.
+ checksum/config: {{ include (print $.Template.BasePath "/proxy/config.yaml") . | sha256sum }}
+{{- if $proxy.annotations.pod }}
+ {{- toYaml $proxy.annotations.pod | nindent 8 }}
+{{- end }}
+ labels:
+ {{- include "teleport-cluster.proxy.labels" . | nindent 8 }}
+ {{- if $proxy.extraLabels.pod }}
+ {{- toYaml $proxy.extraLabels.pod | nindent 8 }}
+ {{- end }}
+ spec:
+{{- if $proxy.nodeSelector }}
+ nodeSelector: {{- toYaml $proxy.nodeSelector | nindent 8 }}
+{{- end }}
+{{- if $topologySpreadConstraints }}
+ {{- if $proxy.topologySpreadConstraints }}
+ topologySpreadConstraints: {{- toYaml $proxy.topologySpreadConstraints | nindent 8 }}
+ {{- else }}
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: ScheduleAnyway
+ labelSelector:
+ matchLabels: {{- include "teleport-cluster.proxy.selectorLabels" . | nindent 14 }}
+ - maxSkew: 1
+ topologyKey: topology.kubernetes.io/zone
+ whenUnsatisfiable: ScheduleAnyway
+ labelSelector:
+ matchLabels: {{- include "teleport-cluster.proxy.selectorLabels" . | nindent 14 }}
+ {{- end }}
+{{- end }}
+ affinity:
+{{- if $proxy.affinity }}
+ {{- if $proxy.highAvailability.requireAntiAffinity }}
+ {{- fail "Cannot use highAvailability.requireAntiAffinity when affinity is also set in chart values - unset one or the other" }}
+ {{- end }}
+ {{- toYaml $proxy.affinity | nindent 8 }}
+{{- else }}
+ podAntiAffinity:
+ {{- if $proxy.highAvailability.requireAntiAffinity }}
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/instance
+ operator: In
+ values:
+ - {{ .Release.Name }}
+ - key: app.kubernetes.io/component
+ operator: In
+ values:
+ - proxy
+ topologyKey: "kubernetes.io/hostname"
+ {{- else if gt (int $proxy.highAvailability.replicaCount) 1 }}
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 50
+ podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/instance
+ operator: In
+ values:
+ - {{ .Release.Name }}
+ - key: app.kubernetes.io/component
+ operator: In
+ values:
+ - proxy
+ topologyKey: "kubernetes.io/hostname"
+ {{- end }}
+{{- end }}
+{{- if $proxy.tolerations }}
+ tolerations: {{- toYaml $proxy.tolerations | nindent 6 }}
+{{- end }}
+{{- if $proxy.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml $proxy.imagePullSecrets | nindent 6 }}
+{{- end }}
+ initContainers:
+ # wait-auth-update is responsible for holding off the proxy rollout until all auths are running the
+ # next major version in case of major upgrade.
+ - name: wait-auth-update
+ image: '{{ if $proxy.enterprise }}{{ $proxy.enterpriseImage }}{{ else }}{{ $proxy.image }}{{ end }}:{{ include "teleport-cluster.version" . }}'
+ command:
+ - teleport
+ - wait
+ - no-resolve
+ - '{{ include "teleport-cluster.auth.previousVersionServiceName" . }}.{{ .Release.Namespace }}.svc.{{ include "teleport-cluster.clusterDomain" . }}'
+# propagating through the limits from the main resources section would double the requested amounts
+# and may prevent scheduling on the cluster. as such, we hardcode small limits for this tiny container.
+{{- if $proxy.resources }}
+ resources:
+ requests:
+ cpu: 0.1
+ memory: 256Mi
+ limits:
+ cpu: 1
+ memory: 512Mi
+{{- end }}
+{{- if $proxy.securityContext }}
+ securityContext: {{- toYaml $proxy.securityContext | nindent 12 }}
+{{- end }}
+{{- if $proxy.initContainers }}
+ {{- range $initContainer := $proxy.initContainers }}
+ {{- if and (not $initContainer.resources) $proxy.resources }}
+ {{- $_ := set $initContainer "resources" $proxy.resources }}
+ {{- end }}
+ {{- list $initContainer | toYaml | nindent 8 }}
+ {{- /* Note: this will break if the user sets volumeMounts to its initContainer */}}
+ volumeMounts:
+ {{- if or $proxy.highAvailability.certManager.enabled $proxy.tls.existingSecretName }}
+ - mountPath: /etc/teleport-tls
+ name: "teleport-tls"
+ readOnly: true
+ {{- end }}
+ - mountPath: /etc/teleport
+ name: "config"
+ readOnly: true
+ - mountPath: /var/lib/teleport
+ name: "data"
+ {{- if $proxy.extraVolumeMounts }}
+ {{- toYaml $proxy.extraVolumeMounts | nindent 10 }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+ containers:
+ - name: "teleport"
+ image: '{{ if $proxy.enterprise }}{{ $proxy.enterpriseImage }}{{ else }}{{ $proxy.image }}{{ end }}:{{ include "teleport-cluster.version" . }}'
+ imagePullPolicy: {{ $proxy.imagePullPolicy }}
+ {{- if or $proxy.extraEnv $proxy.tls.existingCASecretName }}
+ env:
+ {{- if (gt (len $proxy.extraEnv) 0) }}
+ {{- toYaml $proxy.extraEnv | nindent 8 }}
+ {{- end }}
+ {{- if $proxy.tls.existingCASecretName }}
+ - name: SSL_CERT_FILE
+ value: /etc/teleport-tls-ca/ca.pem
+ {{- end }}
+ {{- end }}
+ args:
+ - "--diag-addr=0.0.0.0:3000"
+ {{- if $proxy.insecureSkipProxyTLSVerify }}
+ - "--insecure"
+ {{- end }}
+ {{- if $proxy.extraArgs }}
+ {{- toYaml $proxy.extraArgs | nindent 8 }}
+ {{- end }}
+ ports:
+ - name: tls
+ containerPort: 3080
+ protocol: TCP
+ {{- if $proxy.enterprise }}
+ - name: proxypeering
+ containerPort: 3021
+ protocol: TCP
+ {{- end }}
+ {{- if ne $proxy.proxyListenerMode "multiplex" }}
+ - name: sshproxy
+ containerPort: 3023
+ protocol: TCP
+ - name: sshtun
+ containerPort: 3024
+ protocol: TCP
+ - name: kube
+ containerPort: 3026
+ protocol: TCP
+ - name: mysql
+ containerPort: 3036
+ protocol: TCP
+ {{- if $proxy.separatePostgresListener }}
+ - name: postgres
+ containerPort: 5432
+ protocol: TCP
+ {{- end }}
+ {{- if $proxy.separateMongoListener }}
+ - name: mongo
+ containerPort: 27017
+ protocol: TCP
+ {{- end }}
+ {{- end }}
+ - name: diag
+ containerPort: 3000
+ protocol: TCP
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: diag
+ initialDelaySeconds: 5 # wait 5s for agent to start
+ periodSeconds: 5 # poll health every 5s
+ failureThreshold: 6 # consider agent unhealthy after 30s (6 * 5s)
+ timeoutSeconds: {{ $proxy.probeTimeoutSeconds }}
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: diag
+ initialDelaySeconds: {{ $proxy.readinessProbe.initialDelaySeconds }}
+ periodSeconds: {{ $proxy.readinessProbe.periodSeconds }}
+ failureThreshold: {{$proxy.readinessProbe.failureThreshold}}
+ successThreshold: {{$proxy.readinessProbe.successThreshold}}
+ timeoutSeconds: {{ $proxy.probeTimeoutSeconds }}
+ lifecycle:
+ # waiting during preStop ensures no new request will hit the Terminating pod
+ # on clusters using kube-proxy (kube-proxy syncs the node iptables rules every 30s)
+ preStop:
+ exec:
+ command:
+ - teleport
+ - wait
+ - duration
+ - 30s
+{{- if $proxy.postStart.command }}
+ postStart:
+ exec:
+ command: {{ toYaml $proxy.postStart.command | nindent 14 }}
+{{- end }}
+{{- if $proxy.resources }}
+ resources:
+ {{- toYaml $proxy.resources | nindent 10 }}
+{{- end }}
+{{- if $proxy.securityContext }}
+ securityContext: {{- toYaml $proxy.securityContext | nindent 10 }}
+{{- end }}
+ volumeMounts:
+{{- if or $proxy.highAvailability.certManager.enabled $proxy.tls.existingSecretName }}
+ - mountPath: /etc/teleport-tls
+ name: "teleport-tls"
+ readOnly: true
+{{- end }}
+{{- if $proxy.tls.existingCASecretName }}
+ - mountPath: /etc/teleport-tls-ca
+ name: "teleport-tls-ca"
+ readOnly: true
+{{- end }}
+ - mountPath: /etc/teleport
+ name: "config"
+ readOnly: true
+ - mountPath: /var/lib/teleport
+ name: "data"
+{{- if $projectedServiceAccountToken }}
+ - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+ name: proxy-serviceaccount-token
+ readOnly: true
+{{- end }}
+{{- if $proxy.extraVolumeMounts }}
+ {{- toYaml $proxy.extraVolumeMounts | nindent 8 }}
+{{- end }}
+{{- if $proxy.extraContainers }}
+ {{- toYaml $proxy.extraContainers | nindent 6 }}
+{{- end }}
+{{- if $projectedServiceAccountToken }}
+ automountServiceAccountToken: false
+{{- end }}
+ volumes:
+{{- if $projectedServiceAccountToken }}
+ # This projected token volume mimics the `automountServiceAccountToken`
+ # behaviour but defaults to a 1h TTL instead of 1y.
+ - name: proxy-serviceaccount-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ path: token
+ - configMap:
+ items:
+ - key: ca.crt
+ path: ca.crt
+ name: kube-root-ca.crt
+ - downwardAPI:
+ items:
+ - path: "namespace"
+ fieldRef:
+ fieldPath: metadata.namespace
+{{- end }}
+{{- if $proxy.highAvailability.certManager.enabled }}
+ - name: teleport-tls
+ secret:
+ secretName: teleport-tls
+{{- else if $proxy.tls.existingSecretName }}
+ - name: teleport-tls
+ secret:
+ secretName: {{ $proxy.tls.existingSecretName }}
+{{- end }}
+{{- if $proxy.tls.existingCASecretName }}
+ - name: teleport-tls-ca
+ secret:
+ secretName: {{ $proxy.tls.existingCASecretName }}
+{{- end }}
+ - name: "config"
+ configMap:
+ name: {{ .Release.Name }}-proxy
+ - name: "data"
+ emptyDir: {}
+{{- if $proxy.extraVolumes }}
+ {{- toYaml $proxy.extraVolumes | nindent 6 }}
+{{- end }}
+{{- if $proxy.priorityClassName }}
+ priorityClassName: {{ $proxy.priorityClassName }}
+{{- end }}
+{{- if $proxy.podSecurityContext }}
+ securityContext: {{- toYaml $proxy.podSecurityContext | nindent 8 }}
+{{- end }}
+ serviceAccountName: {{ include "teleport-cluster.proxy.serviceAccountName" . }}
+ terminationGracePeriodSeconds: {{ $proxy.terminationGracePeriodSeconds }}
diff --git a/teleport-cluster-17.4.9/templates/proxy/ingress.yaml b/teleport-cluster-17.4.9/templates/proxy/ingress.yaml
new file mode 100644
index 0000000..3b4900f
--- /dev/null
+++ b/teleport-cluster-17.4.9/templates/proxy/ingress.yaml
@@ -0,0 +1,63 @@
+{{- $proxy := mustMergeOverwrite (mustDeepCopy .Values) .Values.proxy -}}
+{{- if .Values.ingress.enabled -}}
+ {{- if (not (eq .Values.proxyListenerMode "multiplex")) -}}
+ {{- fail "Use of an ingress requires TLS multiplexing to be enabled, so you must also set proxyListenerMode=multiplex - see https://goteleport.com/docs/architecture/tls-routing/" -}}
+ {{- end -}}
+ {{- if not .Values.ingress.useExisting }}
+ {{- $publicAddr := coalesce .Values.publicAddr (list .Values.clusterName) -}}
+ {{- /* Trim ports from all public addresses if present */ -}}
+ {{- range $publicAddr -}}
+ {{- $address := . -}}
+ {{- if (contains ":" $address) -}}
+ {{- $split := split ":" $address -}}
+ {{- $address = $split._0 -}}
+ {{- $publicAddr = append (mustWithout $publicAddr .) $address -}}
+ {{- end -}}
+ {{- $wildcard := printf "*.%s" $address -}}
+ {{- /* Add wildcard versions of all public addresses to ingress, unless 1) suppressed or 2) wildcard version already exists */ -}}
+ {{- if and (not $.Values.ingress.suppressAutomaticWildcards) (not (hasPrefix "*." $address)) (not (has $wildcard $publicAddr)) -}}
+ {{- $publicAddr = append $publicAddr (printf "*.%s" $address) -}}
+ {{- end -}}
+ {{- end -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ .Release.Name }}-proxy
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "teleport-cluster.proxy.labels" . | nindent 4 }}
+ {{- if $proxy.extraLabels.ingress }}
+ {{- toYaml $proxy.extraLabels.ingress | nindent 4 }}
+ {{- end }}
+ {{- if $proxy.annotations.ingress }}
+ annotations: {{- toYaml $proxy.annotations.ingress | nindent 4 }}
+ {{- end }}
+spec:
+ {{- with $proxy.ingress.spec }}
+ {{- toYaml . | nindent 2 }}
+ {{- end }}
+ tls:
+ - hosts:
+ {{- range $publicAddr }}
+ - {{ quote . }}
+ {{- end }}
+ {{- if $proxy.highAvailability.certManager.enabled }}
+ secretName: teleport-tls
+ {{- else if $proxy.tls.existingSecretName }}
+ secretName: {{ $proxy.tls.existingSecretName }}
+ {{- end }}
+ rules:
+ {{- range $publicAddr }}
+ - host: {{ quote . }}
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: {{ $.Release.Name }}
+ port:
+ number: 443
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/teleport-cluster/templates/proxy/lb-service.yml b/teleport-cluster-17.4.9/templates/proxy/lb-service.yml
similarity index 100%
rename from teleport-cluster/templates/proxy/lb-service.yml
rename to teleport-cluster-17.4.9/templates/proxy/lb-service.yml
diff --git a/teleport-cluster-17.4.9/templates/proxy/pdb.yaml b/teleport-cluster-17.4.9/templates/proxy/pdb.yaml
new file mode 100644
index 0000000..2d19843
--- /dev/null
+++ b/teleport-cluster-17.4.9/templates/proxy/pdb.yaml
@@ -0,0 +1,21 @@
+{{- $proxy := mustMergeOverwrite (mustDeepCopy .Values) .Values.proxy -}}
+{{- if $proxy.highAvailability.podDisruptionBudget.enabled }}
+{{- if .Capabilities.APIVersions.Has "policy/v1" }}
+apiVersion: policy/v1
+{{- else }}
+apiVersion: policy/v1beta1
+{{- end }}
+kind: PodDisruptionBudget
+metadata:
+ name: {{ .Release.Name }}-proxy
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "teleport-cluster.proxy.labels" . | nindent 4 }}
+ {{- if $proxy.extraLabels.podDisruptionBudget }}
+ {{- toYaml $proxy.extraLabels.podDisruptionBudget | nindent 4 }}
+ {{- end }}
+spec:
+ minAvailable: {{ $proxy.highAvailability.podDisruptionBudget.minAvailable }}
+ selector:
+ matchLabels: {{- include "teleport-cluster.proxy.selectorLabels" . | nindent 6 }}
+{{- end }}
diff --git a/teleport-cluster-17.4.9/templates/proxy/predeploy_config.yaml b/teleport-cluster-17.4.9/templates/proxy/predeploy_config.yaml
new file mode 100644
index 0000000..4ef166a
--- /dev/null
+++ b/teleport-cluster-17.4.9/templates/proxy/predeploy_config.yaml
@@ -0,0 +1,21 @@
+{{- $proxy := mustMergeOverwrite (mustDeepCopy .Values) .Values.proxy -}}
+{{- if $proxy.validateConfigOnDeploy }}
+{{- $configTemplate := printf "teleport-cluster.proxy.config.%s" $proxy.chartMode -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Release.Name }}-proxy-test
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "teleport-cluster.proxy.labels" . | nindent 4 }}
+ {{- if $proxy.extraLabels.config }}
+ {{- toYaml $proxy.extraLabels.config | nindent 4 }}
+ {{- end }}
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-weight": "4"
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+data:
+ teleport.yaml: |2
+ {{- mustMergeOverwrite (include $configTemplate . | fromYaml) $proxy.teleportConfig | toYaml | nindent 4 -}}
+{{- end }}
diff --git a/teleport-cluster-17.4.9/templates/proxy/predeploy_job.yaml b/teleport-cluster-17.4.9/templates/proxy/predeploy_job.yaml
new file mode 100644
index 0000000..4484d9c
--- /dev/null
+++ b/teleport-cluster-17.4.9/templates/proxy/predeploy_job.yaml
@@ -0,0 +1,110 @@
+{{- $proxy := mustMergeOverwrite (mustDeepCopy .Values) .Values.proxy -}}
+{{- if $proxy.validateConfigOnDeploy }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ .Release.Name }}-proxy-test
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "teleport-cluster.proxy.labels" . | nindent 4 }}
+ {{- if $proxy.extraLabels.job }}
+ {{- toYaml $proxy.extraLabels.job | nindent 4 }}
+ {{- end }}
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-weight": "5"
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+ backoffLimit: 1
+ template:
+ metadata:
+ labels:
+ {{- include "teleport-cluster.proxy.labels" . | nindent 8 }}
+ {{- if $proxy.extraLabels.jobPod }}
+ {{- toYaml $proxy.extraLabels.jobPod | nindent 8 }}
+ {{- end }}
+ spec:
+{{- if $proxy.affinity }}
+ affinity: {{- toYaml $proxy.affinity | nindent 8 }}
+{{- end }}
+{{- if $proxy.tolerations }}
+ tolerations: {{- toYaml $proxy.tolerations | nindent 6 }}
+{{- end }}
+{{- if $proxy.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml $proxy.imagePullSecrets | nindent 6 }}
+{{- end }}
+ restartPolicy: Never
+ containers:
+ - name: "teleport"
+ image: '{{ if $proxy.enterprise }}{{ $proxy.enterpriseImage }}{{ else }}{{ $proxy.image }}{{ end }}:{{ include "teleport-cluster.version" . }}'
+ imagePullPolicy: {{ $proxy.imagePullPolicy }}
+{{- if $proxy.resources }}
+ resources:
+ {{- toYaml $proxy.resources | nindent 10 }}
+{{- end }}
+{{- if or $proxy.extraEnv $proxy.tls.existingCASecretName }}
+ env:
+ {{- if (gt (len $proxy.extraEnv) 0) }}
+ {{- toYaml $proxy.extraEnv | nindent 8 }}
+ {{- end }}
+ {{- if $proxy.tls.existingCASecretName }}
+ - name: SSL_CERT_FILE
+ value: /etc/teleport-tls-ca/ca.pem
+ {{- end }}
+{{- end }}
+ command:
+ - "teleport"
+ - "configure"
+ args:
+ - "--test"
+ - "/etc/teleport/teleport.yaml"
+{{- if $proxy.securityContext }}
+ securityContext: {{- toYaml $proxy.securityContext | nindent 10 }}
+{{- end }}
+ volumeMounts:
+{{- if or $proxy.highAvailability.certManager.enabled $proxy.tls.existingSecretName }}
+ - mountPath: /etc/teleport-tls
+ name: "teleport-tls"
+ readOnly: true
+{{- end }}
+{{- if $proxy.tls.existingCASecretName }}
+ - mountPath: /etc/teleport-tls-ca
+ name: "teleport-tls-ca"
+ readOnly: true
+{{- end }}
+ - mountPath: /etc/teleport
+ name: "config"
+ readOnly: true
+ - mountPath: /var/lib/teleport
+ name: "data"
+{{- if $proxy.extraVolumeMounts }}
+ {{- toYaml $proxy.extraVolumeMounts | nindent 8 }}
+{{- end }}
+ volumes:
+{{- if $proxy.highAvailability.certManager.enabled }}
+ - name: teleport-tls
+ secret:
+ secretName: teleport-tls
+ # this avoids deadlock during initial setup
+ optional: true
+{{- else if $proxy.tls.existingSecretName }}
+ - name: teleport-tls
+ secret:
+ secretName: {{ $proxy.tls.existingSecretName }}
+{{- end }}
+{{- if $proxy.tls.existingCASecretName }}
+ - name: teleport-tls-ca
+ secret:
+ secretName: {{ $proxy.tls.existingCASecretName }}
+{{- end }}
+ - name: "config"
+ configMap:
+ name: {{ .Release.Name }}-proxy-test
+ - name: "data"
+ emptyDir: {}
+{{- if $proxy.extraVolumes }}
+ {{- toYaml $proxy.extraVolumes | nindent 6 }}
+{{- end }}
+ serviceAccountName: {{ include "teleport-cluster.proxy.hookServiceAccountName" . }}
+{{- end }}
diff --git a/teleport-cluster-17.4.9/templates/proxy/predeploy_serviceaccount.yaml b/teleport-cluster-17.4.9/templates/proxy/predeploy_serviceaccount.yaml
new file mode 100644
index 0000000..6c5b9a4
--- /dev/null
+++ b/teleport-cluster-17.4.9/templates/proxy/predeploy_serviceaccount.yaml
@@ -0,0 +1,29 @@
+# this is a carbon copy of the regular serviceAccount object which is only used to run pre-deploy jobs
+# upon first install of the chart. it will be deleted by Helm after the pre-deploy hooks run, then the
+# regular serviceAccount is created with the same name and exists for the lifetime of the release.
+{{- $proxy := mustMergeOverwrite (mustDeepCopy .Values) .Values.proxy -}}
+{{- $projectedServiceAccountToken := semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
+{{- if $proxy.validateConfigOnDeploy }}
+{{- if $proxy.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "teleport-cluster.proxy.hookServiceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "teleport-cluster.proxy.labels" . | nindent 4 }}
+ {{- if $proxy.extraLabels.serviceAccount }}
+ {{- toYaml $proxy.extraLabels.serviceAccount | nindent 4 }}
+ {{- end }}
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-weight": "3"
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+{{- if $proxy.annotations.serviceAccount }}
+ {{- toYaml $proxy.annotations.serviceAccount | nindent 4 }}
+{{- end -}}
+{{- if $projectedServiceAccountToken }}
+automountServiceAccountToken: false
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/teleport-cluster-17.4.9/templates/proxy/service.yaml b/teleport-cluster-17.4.9/templates/proxy/service.yaml
new file mode 100644
index 0000000..4b453e5
--- /dev/null
+++ b/teleport-cluster-17.4.9/templates/proxy/service.yaml
@@ -0,0 +1,74 @@
+{{- $proxy := mustMergeOverwrite (mustDeepCopy .Values) .Values.proxy -}}
+{{- $backendProtocol := ternary "ssl" "tcp" (hasKey $proxy.annotations.service "service.beta.kubernetes.io/aws-load-balancer-ssl-cert") -}}
+{{- /* Fail early if proxy service type is set to LoadBalancer when ingress.enabled=true */ -}}
+{{- if and $proxy.ingress.enabled (eq $proxy.service.type "LoadBalancer") -}}
+ {{- fail "proxy.service.type must not be LoadBalancer when using an ingress - any load balancer should be provisioned by your ingress controller. Set proxy.service.type=ClusterIP instead" -}}
+{{- end -}}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Release.Name }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "teleport-cluster.proxy.labels" . | nindent 4 }}
+ {{- if $proxy.extraLabels.service }}
+ {{- toYaml $proxy.extraLabels.service | nindent 4 }}
+ {{- end }}
+ {{- if (or ($proxy.annotations.service) (eq $proxy.chartMode "aws")) }}
+ annotations:
+ {{- if and (eq $proxy.chartMode "aws") (not $proxy.ingress.enabled) }}
+ {{- if not (hasKey $proxy.annotations.service "service.beta.kubernetes.io/aws-load-balancer-backend-protocol")}}
+ service.beta.kubernetes.io/aws-load-balancer-backend-protocol: {{ $backendProtocol }}
+ {{- end }}
+ {{- if not (or (hasKey $proxy.annotations.service "service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled") (hasKey $proxy.annotations.service "service.beta.kubernetes.io/aws-load-balancer-attributes"))}}
+ service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
+ {{- end }}
+ {{- if not (hasKey $proxy.annotations.service "service.beta.kubernetes.io/aws-load-balancer-type")}}
+ service.beta.kubernetes.io/aws-load-balancer-type: nlb
+ {{- end }}
+ {{- end }}
+ {{- if $proxy.annotations.service }}
+ {{- toYaml $proxy.annotations.service | nindent 4 }}
+ {{- end }}
+ {{- end }}
+spec:
+ type: {{ default "LoadBalancer" $proxy.service.type }}
+{{- with $proxy.service.spec }}
+ {{- toYaml . | nindent 2 }}
+{{- end }}
+ ports:
+ - name: tls
+ port: 443
+ targetPort: 3080
+ protocol: TCP
+{{- if ne $proxy.proxyListenerMode "multiplex" }}
+ - name: sshproxy
+ port: 3023
+ targetPort: 3023
+ protocol: TCP
+ - name: k8s
+ port: 3026
+ targetPort: 3026
+ protocol: TCP
+ - name: sshtun
+ port: 3024
+ targetPort: 3024
+ protocol: TCP
+ - name: mysql
+ port: 3036
+ targetPort: 3036
+ protocol: TCP
+ {{- if $proxy.separatePostgresListener }}
+ - name: postgres
+ port: 5432
+ targetPort: 5432
+ protocol: TCP
+ {{- end }}
+ {{- if $proxy.separateMongoListener }}
+ - name: mongo
+ port: 27017
+ targetPort: 27017
+ protocol: TCP
+ {{- end }}
+{{- end }}
+ selector: {{- include "teleport-cluster.proxy.selectorLabels" . | nindent 4 }}
diff --git a/teleport-cluster-17.4.9/templates/proxy/serviceaccount.yaml b/teleport-cluster-17.4.9/templates/proxy/serviceaccount.yaml
new file mode 100644
index 0000000..4e26c23
--- /dev/null
+++ b/teleport-cluster-17.4.9/templates/proxy/serviceaccount.yaml
@@ -0,0 +1,20 @@
+{{- $proxy := mustMergeOverwrite (mustDeepCopy .Values) .Values.proxy -}}
+{{- $projectedServiceAccountToken := semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
+{{- if $proxy.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "teleport-cluster.proxy.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "teleport-cluster.proxy.labels" . | nindent 4 }}
+ {{- if $proxy.extraLabels.serviceAccount }}
+ {{- toYaml $proxy.extraLabels.serviceAccount | nindent 4 }}
+ {{- end }}
+{{- if $proxy.annotations.serviceAccount }}
+ annotations: {{- toYaml $proxy.annotations.serviceAccount | nindent 4 }}
+{{- end -}}
+{{- if $projectedServiceAccountToken }}
+automountServiceAccountToken: false
+{{- end }}
+{{- end }}
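Review bot: With the default `type: {{ default "LoadBalancer" $proxy.service.type }}` and the chart's default listener mode (the auth config snapshots in this commit render `proxy_listener_mode: separate` for plain values), the `{{- if ne $proxy.proxyListenerMode "multiplex" }}` block publishes 3023, 3024, 3026 and 3036 — plus 5432 and 27017 when the separate Postgres/Mongo listeners are on — on the external load balancer next to 443. For a single-operator deployment the exposed surface can be reduced to the one TLS port by setting `proxyListenerMode: multiplex` in the release values, which, as I understand Teleport's TLS-routing mode, carries the SSH, Kubernetes and database protocols over 443; if the separate listeners are really needed, `service.spec.loadBalancerSourceRanges` (merged in by the `with $proxy.service.spec` block) should at least pin the allowed source CIDRs. Neither change belongs in this template, which looks like a vendored copy of the upstream chart, but the choice should be made explicitly in the values file that deploys it. The serviceaccount.yaml hunk that shares this line raises nothing.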
diff --git a/teleport-cluster-17.4.9/templates/psp.yaml b/teleport-cluster-17.4.9/templates/psp.yaml
new file mode 100644
index 0000000..8abd2d7
--- /dev/null
+++ b/teleport-cluster-17.4.9/templates/psp.yaml
@@ -0,0 +1,68 @@
+{{/* PSPs are deprecated in 1.22 and removed in 1.25. However Helm doesn't handle their removal properly in 1.25
+ We must remove them before 1.25 to ensure the Helm state doesn't corrupt. As this is a breaking change, this
+ only applies to v12+ charts. v11 and below will only show a warning from the NOTES.txt.
+ Users must use PSAs instead (beta in 1.23, GA in 1.25). The "teleport-cluster" chart runs in "baseline" mode */}}
+{{- if and .Values.podSecurityPolicy.enabled (semverCompare "<1.23.0-0" .Capabilities.KubeVersion.Version) -}}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ .Release.Name }}
+ annotations:
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
+ seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
+spec:
+ privileged: false
+ allowPrivilegeEscalation: false
+ requiredDropCapabilities:
+ - ALL
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: MustRunAs
+ ranges:
+ # Forbid adding the root group.
+ - min: 1
+ max: 65535
+ runAsUser:
+ rule: MustRunAsNonRoot
+ fsGroup:
+ rule: MustRunAs
+ ranges:
+ # Forbid adding the root group.
+ - min: 1
+ max: 65535
+ readOnlyRootFilesystem: true
+ volumes:
+ - '*'
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ .Release.Name }}-psp
+ namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups:
+ - policy
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+ resourceNames:
+ - {{ .Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ .Release.Name }}-psp
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ .Release.Name }}-psp
+subjects:
+- kind: ServiceAccount
+ name: {{ .Release.Name }}
+{{- end -}}
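Review bot: The RoleBinding at the end of the hunk grants `use` on this PodSecurityPolicy only to the ServiceAccount literally named `{{ .Release.Name }}`, yet the proxy pods added in this commit run as `teleport-cluster.proxy.serviceAccountName` (the auth config snapshot renders that account as `RELEASE-NAME-proxy`) and the pre-deploy job as `teleport-cluster.proxy.hookServiceAccountName`; on a pre-1.23 cluster with the PSP admission controller enforcing, those pods would be rejected unless some other PSP admits them. Adding a subject `- kind: ServiceAccount` / `name: {{ include "teleport-cluster.proxy.serviceAccountName" . }}`, and a matching one for the hook account, closes that gap. Separately, `volumes: ['*']` admits hostPath, which gives back much of what `privileged: false` and the three `host*: false` settings take away; the volumes visible in this commit are only `configMap`, `secret` and `emptyDir`, so an explicit list (plus whatever the auth StatefulSet's data volume needs, which is not in view here) would be tighter. This object only renders when `podSecurityPolicy.enabled` is set on Kubernetes <1.23, and the chart appears to be vendored from upstream, so the practical impact on this repo is limited to clusters that old.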
diff --git a/teleport-cluster-17.4.9/tests/README.md b/teleport-cluster-17.4.9/tests/README.md new file mode 100644 index 0000000..d81e659 --- /dev/null +++ b/teleport-cluster-17.4.9/tests/README.md @@ -0,0 +1,23 @@ +## Unit tests for Helm charts + +Helm chart unit tests run here using the [helm-unittest](https://github.com/quintush/helm-unittest/) Helm plugin. + +*Note: there are multiple forks for the helm-unittest plugin. +They are not compatible and don't provide the same featureset (e.g. including templates from sub-directories). +Our tests rely on features and bugfixes that are only available on the quintush fork +(which seems to be the most maintained at the time of writing)* + +If you get a snapshot error during your testing, you should verify that your changes intended to alter the output, then run +this command from the root of your Teleport checkout to update the snapshots: + +```bash +make -C build.assets test-helm-update-snapshots +``` + +After this, re-run the tests to make sure everything is fine: + +```bash +make -C build.assets test-helm +``` + +Commit the updated snapshots along with your changes. diff --git a/teleport-cluster-17.4.9/tests/__snapshot__/auth_clusterrole_test.yaml.snap b/teleport-cluster-17.4.9/tests/__snapshot__/auth_clusterrole_test.yaml.snap new file mode 100644 index 0000000..2e1442a --- /dev/null +++ b/teleport-cluster-17.4.9/tests/__snapshot__/auth_clusterrole_test.yaml.snap 
@@ -0,0 +1,35 @@ +adds operator permissions to ClusterRole: + 1: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + labels: + app.kubernetes.io/component: auth + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: teleport-cluster + app.kubernetes.io/version: 17.4.9 + helm.sh/chart: teleport-cluster-17.4.9 + teleport.dev/majorVersion: "17" + name: RELEASE-NAME + rules: + - apiGroups: + - "" + resources: + - users + - groups + - serviceaccounts + verbs: + - impersonate + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - apiGroups: + - authorization.k8s.io + resources: + - selfsubjectaccessreviews + verbs: + - create diff --git a/teleport-cluster-17.4.9/tests/__snapshot__/auth_config_test.yaml.snap b/teleport-cluster-17.4.9/tests/__snapshot__/auth_config_test.yaml.snap new file mode 100644 index 0000000..f95406d --- /dev/null +++ b/teleport-cluster-17.4.9/tests/__snapshot__/auth_config_test.yaml.snap 
@@ -0,0 +1,2189 @@ +adds a proxy token by default: + 1: | + | + --- + kind: token + version: v2 + metadata: + name: RELEASE-NAME-proxy + expires: "2050-01-01T00:00:00Z" + spec: + roles: [Proxy] + join_method: kubernetes + kubernetes: + allow: + - service_account: "NAMESPACE:RELEASE-NAME-proxy" +configures access monitoring when its values are set: + 1: | + |- + auth_service: + access_monitoring: + enabled: true + report_results: s3://example-athena-long-term/report_results + role_arn: arn:aws:iam::123456789012:role/example_AccessMonitoringRole + workgroup: example_access_monitoring_workgroup + authentication: + local_auth: true + second_factors: + - otp + - webauthn + type: local + webauthn: + rp_id: test-aws-cluster + cluster_name: test-aws-cluster + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: test-aws-cluster + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + storage: + audit_events_uri: + - athena://db.table?topicArn=arn:aws:sns:region:account_id:topic_name + audit_sessions_uri: s3://test-s3-session-storage-bucket + auto_scaling: false + continuous_backups: false + region: us-west-2 + table_name: test-dynamodb-backend-table + type: dynamodb + version: v3 +keeps the second factor type even when it's "off": + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factor: "off" + type: local + cluster_name: helm-lint + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: helm-lint + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + 
auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 +keeps the session_recording type even when it's "off": + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factors: + - otp + - webauthn + type: local + webauthn: + rp_id: helm-lint + cluster_name: helm-lint + enabled: true + proxy_listener_mode: separate + session_recording: "off" + kubernetes_service: + enabled: true + kube_cluster_name: helm-lint + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 +matches snapshot for acme-off.yaml: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factors: + - otp + - webauthn + type: local + webauthn: + rp_id: test-cluster-name + cluster_name: test-cluster-name + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: test-cluster-name + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 +matches snapshot for acme-on.yaml: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factors: + - otp + - webauthn + type: local + webauthn: + rp_id: test-acme-cluster + cluster_name: test-acme-cluster + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: test-acme-cluster + listen_addr: 0.0.0.0:3026 + public_addr: 
RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 +matches snapshot for acme-uri-staging.yaml: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factors: + - otp + - webauthn + type: local + webauthn: + rp_id: test-acme-cluster + cluster_name: test-acme-cluster + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: test-acme-cluster + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 +matches snapshot for auth-connector-name.yaml: + 1: | + |- + auth_service: + authentication: + connector_name: okta + local_auth: true + second_factors: + - otp + - webauthn + type: local + webauthn: + rp_id: helm-lint + cluster_name: helm-lint + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: helm-lint + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 +matches snapshot for auth-disable-local.yaml: + 1: | + |- + auth_service: + authentication: + local_auth: false + second_factor: "off" + type: github + cluster_name: helm-lint + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + 
kube_cluster_name: helm-lint + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 +matches snapshot for auth-locking-mode.yaml: + 1: | + |- + auth_service: + authentication: + local_auth: true + locking_mode: strict + second_factors: + - otp + - webauthn + type: local + webauthn: + rp_id: helm-lint + cluster_name: helm-lint + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: helm-lint + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 +matches snapshot for auth-passwordless.yaml: + 1: | + |- + auth_service: + authentication: + connector_name: passwordless + local_auth: true + second_factor: webauthn + type: local + webauthn: + rp_id: helm-lint + cluster_name: helm-lint + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: helm-lint + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 +matches snapshot for auth-secondfactors-sso.yaml: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factors: + - sso + type: local + cluster_name: helm-lint + enabled: true + 
proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: helm-lint + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 +matches snapshot for auth-secondfactors-webauthn.yaml: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factors: + - sso + - webauthn + type: local + webauthn: + attestation_allowed_cas: + - /etc/ssl/certs/ca-certificates.crt + attestation_denied_cas: + - /etc/ssl/certs/ca-certificates.crt + rp_id: helm-lint + cluster_name: helm-lint + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: helm-lint + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 +matches snapshot for auth-type-legacy.yaml: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factors: + - otp + - webauthn + type: github + webauthn: + rp_id: helm-lint + cluster_name: helm-lint + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: helm-lint + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 +matches snapshot for auth-type.yaml: + 1: 
| + |- + auth_service: + authentication: + local_auth: true + second_factors: + - otp + - webauthn + type: github + webauthn: + rp_id: helm-lint + cluster_name: helm-lint + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: helm-lint + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 +matches snapshot for auth-webauthn-legacy.yaml: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factor: "on" + type: local + webauthn: + attestation_allowed_cas: + - /etc/ssl/certs/ca-certificates.crt + attestation_denied_cas: + - /etc/ssl/certs/ca-certificates.crt + rp_id: helm-lint + cluster_name: helm-lint + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: helm-lint + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 +matches snapshot for auth-webauthn.yaml: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factor: "on" + type: local + webauthn: + attestation_allowed_cas: + - /etc/ssl/certs/ca-certificates.crt + attestation_denied_cas: + - /etc/ssl/certs/ca-certificates.crt + rp_id: helm-lint + cluster_name: helm-lint + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: helm-lint + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + 
enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 +matches snapshot for aws-dynamodb-autoscaling.yaml: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factors: + - otp + - webauthn + type: local + webauthn: + rp_id: test-aws-cluster + cluster_name: test-aws-cluster + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: test-aws-cluster + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + storage: + audit_events_uri: + - dynamodb://test-dynamodb-auditlog-table + audit_sessions_uri: s3://test-s3-session-storage-bucket + auto_scaling: true + billing_mode: provisioned + continuous_backups: false + read_max_capacity: 100 + read_min_capacity: 5 + read_target_value: 50 + region: us-west-2 + table_name: test-dynamodb-backend-table + type: dynamodb + write_max_capacity: 100 + write_min_capacity: 5 + write_target_value: 50 + version: v3 +matches snapshot for aws-ha-acme.yaml: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factors: + - otp + - webauthn + type: local + webauthn: + rp_id: test-aws-cluster + cluster_name: test-aws-cluster + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: test-aws-cluster + labels: + env: aws + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - 
timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + storage: + audit_events_uri: + - dynamodb://test-dynamodb-auditlog-table + audit_sessions_uri: s3://test-s3-session-storage-bucket + auto_scaling: false + continuous_backups: false + region: us-west-2 + table_name: test-dynamodb-backend-table + type: dynamodb + version: v3 +matches snapshot for aws-ha-antiaffinity.yaml: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factors: + - otp + - webauthn + type: local + webauthn: + rp_id: test-aws-cluster + cluster_name: test-aws-cluster + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: test-aws-cluster + labels: + env: aws + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + storage: + audit_events_uri: + - dynamodb://test-dynamodb-auditlog-table + audit_sessions_uri: s3://test-s3-session-storage-bucket + auto_scaling: false + continuous_backups: false + region: us-west-2 + table_name: test-dynamodb-backend-table + type: dynamodb + version: v3 +matches snapshot for aws-ha-log.yaml: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factors: + - otp + - webauthn + type: local + webauthn: + rp_id: test-aws-cluster + cluster_name: test-aws-cluster + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: test-aws-cluster + labels: + env: aws + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - 
component + - caller + output: text + output: stderr + severity: DEBUG + storage: + audit_events_uri: + - dynamodb://test-dynamodb-auditlog-table + - stdout:// + audit_sessions_uri: s3://test-s3-session-storage-bucket + auto_scaling: false + continuous_backups: false + region: us-west-2 + table_name: test-dynamodb-backend-table + type: dynamodb + version: v3 +matches snapshot for aws-ha.yaml: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factors: + - otp + - webauthn + type: local + webauthn: + rp_id: test-aws-cluster + cluster_name: test-aws-cluster + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: test-aws-cluster + labels: + env: aws + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + storage: + audit_events_uri: + - dynamodb://test-dynamodb-auditlog-table + audit_sessions_uri: s3://test-s3-session-storage-bucket + auto_scaling: false + continuous_backups: false + region: us-west-2 + table_name: test-dynamodb-backend-table + type: dynamodb + version: v3 +matches snapshot for aws.yaml: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factors: + - otp + - webauthn + type: local + webauthn: + rp_id: test-aws-cluster + cluster_name: test-aws-cluster + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: test-aws-cluster + labels: + env: aws + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: 
text + output: stderr + severity: INFO + storage: + audit_events_uri: + - dynamodb://test-dynamodb-auditlog-table + audit_sessions_uri: s3://test-s3-session-storage-bucket + auto_scaling: false + continuous_backups: false + region: us-west-2 + table_name: test-dynamodb-backend-table + type: dynamodb + version: v3 +matches snapshot for azure.yaml: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factors: + - otp + - webauthn + type: local + webauthn: + rp_id: test-azure-cluster + cluster_name: test-azure-cluster + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: test-azure-cluster + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + storage: + audit_events_uri: + - postgresql://teleport@mypostgresinstance.postgres.database.azure.com/teleport_audit?sslmode=verify-full#auth_mode=azure + - stdout:// + audit_sessions_uri: azblob://mystorageaccount.blob.core.windows.net + auth_mode: azure + conn_string: postgresql://teleport@mypostgresinstance.postgres.database.azure.com/teleport_backend?sslmode=verify-full&pool_max_conns=100 + type: postgresql + version: v3 +matches snapshot for azure.yaml without pool_max_conn: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factors: + - otp + - webauthn + type: local + webauthn: + rp_id: test-azure-cluster + cluster_name: test-azure-cluster + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: test-azure-cluster + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 
127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + storage: + audit_events_uri: + - postgresql://teleport@mypostgresinstance.postgres.database.azure.com/teleport_audit?sslmode=verify-full#auth_mode=azure + - stdout:// + audit_sessions_uri: azblob://mystorageaccount.blob.core.windows.net + auth_mode: azure + conn_string: postgresql://teleport@mypostgresinstance.postgres.database.azure.com/teleport_backend?sslmode=verify-full + type: postgresql + version: v3 +matches snapshot for existing-tls-secret-with-ca.yaml: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factors: + - otp + - webauthn + type: local + webauthn: + rp_id: test-cluster-name + cluster_name: test-cluster-name + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: test-cluster-name + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 +matches snapshot for existing-tls-secret.yaml: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factors: + - otp + - webauthn + type: local + webauthn: + rp_id: test-cluster-name + cluster_name: test-cluster-name + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: test-cluster-name + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 +matches 
snapshot for gcp-ha-acme.yaml: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factors: + - otp + - webauthn + type: local + webauthn: + rp_id: test-gcp-cluster + cluster_name: test-gcp-cluster + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: test-gcp-cluster + labels: + env: gcp + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + storage: + audit_events_uri: + - firestore://test-teleport-firestore-auditlog-collection?projectID=gcpproj-123456&credentialsPath=/etc/teleport-secrets/gcp-credentials.json + audit_sessions_uri: gs://test-gcp-session-storage-bucket?projectID=gcpproj-123456&credentialsPath=/etc/teleport-secrets/gcp-credentials.json + collection_name: test-teleport-firestore-storage-collection + credentials_path: /etc/teleport-secrets/gcp-credentials.json + project_id: gcpproj-123456 + type: firestore + version: v3 +matches snapshot for gcp-ha-antiaffinity.yaml: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factors: + - otp + - webauthn + type: local + webauthn: + rp_id: test-gcp-cluster + cluster_name: test-gcp-cluster + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: test-gcp-cluster + labels: + env: gcp + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + storage: + audit_events_uri: + - 
firestore://test-teleport-firestore-auditlog-collection?projectID=gcpproj-123456&credentialsPath=/etc/teleport-secrets/gcp-credentials.json + audit_sessions_uri: gs://test-gcp-session-storage-bucket?projectID=gcpproj-123456&credentialsPath=/etc/teleport-secrets/gcp-credentials.json + collection_name: test-teleport-firestore-storage-collection + credentials_path: /etc/teleport-secrets/gcp-credentials.json + project_id: gcpproj-123456 + type: firestore + version: v3 +matches snapshot for gcp-ha-log.yaml: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factors: + - otp + - webauthn + type: local + webauthn: + rp_id: test-gcp-cluster + cluster_name: test-gcp-cluster + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: test-gcp-cluster + labels: + env: gcp + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: DEBUG + storage: + audit_events_uri: + - firestore://test-teleport-firestore-auditlog-collection?projectID=gcpproj-123456&credentialsPath=/etc/teleport-secrets/gcp-credentials.json + - stdout:// + audit_sessions_uri: gs://test-gcp-session-storage-bucket?projectID=gcpproj-123456&credentialsPath=/etc/teleport-secrets/gcp-credentials.json + collection_name: test-teleport-firestore-storage-collection + credentials_path: /etc/teleport-secrets/gcp-credentials.json + project_id: gcpproj-123456 + type: firestore + version: v3 +matches snapshot for gcp.yaml: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factors: + - otp + - webauthn + type: local + webauthn: + rp_id: test-gcp-cluster + cluster_name: test-gcp-cluster + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: 
true + kube_cluster_name: test-gcp-cluster + labels: + env: gcp + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + storage: + audit_events_uri: + - firestore://test-teleport-firestore-auditlog-collection?projectID=gcpproj-123456&credentialsPath=/etc/teleport-secrets/gcp-credentials.json + audit_sessions_uri: gs://test-gcp-session-storage-bucket?projectID=gcpproj-123456&credentialsPath=/etc/teleport-secrets/gcp-credentials.json + collection_name: test-teleport-firestore-storage-collection + credentials_path: /etc/teleport-secrets/gcp-credentials.json + project_id: gcpproj-123456 + type: firestore + version: v3 +matches snapshot for initcontainers.yaml: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factors: + - otp + - webauthn + type: local + webauthn: + rp_id: helm-lint + cluster_name: helm-lint + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: helm-lint + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 +matches snapshot for kube-cluster-name.yaml: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factors: + - otp + - webauthn + type: local + webauthn: + rp_id: test-aws-cluster + cluster_name: test-aws-cluster + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster + listen_addr: 0.0.0.0:3026 + public_addr: 
RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 +matches snapshot for log-basic.yaml: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factors: + - otp + - webauthn + type: local + webauthn: + rp_id: test-log-cluster + cluster_name: test-log-cluster + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: test-log-cluster + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: json + output: stderr + severity: INFO + version: v3 +matches snapshot for log-extra.yaml: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factors: + - otp + - webauthn + type: local + webauthn: + rp_id: test-log-cluster + cluster_name: test-log-cluster + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: test-log-cluster + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - level + - timestamp + - component + - caller + output: json + output: /var/lib/teleport/test.log + severity: DEBUG + version: v3 +matches snapshot for log-legacy.yaml: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factors: + - otp + - webauthn + type: local + webauthn: + rp_id: test-log-cluster + cluster_name: test-log-cluster + enabled: true + proxy_listener_mode: separate + 
kubernetes_service: + enabled: true + kube_cluster_name: test-log-cluster + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: DEBUG + version: v3 +matches snapshot for priority-class-name.yaml: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factors: + - otp + - webauthn + type: local + webauthn: + rp_id: helm-lint + cluster_name: helm-lint + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: helm-lint + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 +matches snapshot for proxy-listener-mode-multiplex.yaml: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factors: + - otp + - webauthn + type: local + webauthn: + rp_id: test-proxy-listener-mode + cluster_name: test-proxy-listener-mode + enabled: true + proxy_listener_mode: multiplex + kubernetes_service: + enabled: true + kube_cluster_name: test-proxy-listener-mode + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 +matches snapshot for proxy-listener-mode-separate.yaml: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factors: + - otp 
+ - webauthn + type: local + webauthn: + rp_id: test-proxy-listener-mode + cluster_name: test-proxy-listener-mode + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: test-proxy-listener-mode + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 +matches snapshot for public-addresses.yaml: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factors: + - otp + - webauthn + type: local + webauthn: + rp_id: helm-lint + cluster_name: helm-lint + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: helm-lint + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 +matches snapshot for separate-mongo-listener.yaml: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factors: + - otp + - webauthn + type: local + webauthn: + rp_id: helm-lint + cluster_name: helm-lint + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: helm-lint + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 +matches snapshot for 
separate-postgres-listener.yaml: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factors: + - otp + - webauthn + type: local + webauthn: + rp_id: helm-lint + cluster_name: helm-lint + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: helm-lint + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 +matches snapshot for service.yaml: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factors: + - otp + - webauthn + type: local + webauthn: + rp_id: helm-lint + cluster_name: helm-lint + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: helm-lint + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 +matches snapshot for session-recording.yaml: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factors: + - otp + - webauthn + type: local + webauthn: + rp_id: helm-lint + cluster_name: helm-lint + enabled: true + proxy_listener_mode: separate + session_recording: node-sync + kubernetes_service: + enabled: true + kube_cluster_name: helm-lint + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller 
+ output: text + output: stderr + severity: INFO + version: v3 +matches snapshot for standalone-customsize.yaml: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factors: + - otp + - webauthn + type: local + webauthn: + rp_id: test-standalone-cluster + cluster_name: test-standalone-cluster + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: test-standalone-cluster + labels: + env: standalone + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 +matches snapshot for standalone-existingpvc.yaml: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factors: + - otp + - webauthn + type: local + webauthn: + rp_id: test-standalone-cluster + cluster_name: test-standalone-cluster + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: test-standalone-cluster + labels: + env: standalone + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 +matches snapshot for tolerations.yaml: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factors: + - otp + - webauthn + type: local + webauthn: + rp_id: test-aws-cluster + cluster_name: test-aws-cluster + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: test-aws-cluster + listen_addr: 0.0.0.0:3026 + public_addr: 
RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + storage: + audit_events_uri: + - dynamodb://test-dynamodb-auditlog-table + audit_sessions_uri: s3://test-s3-session-storage-bucket + auto_scaling: false + continuous_backups: false + region: us-west-2 + table_name: test-dynamodb-backend-table + type: dynamodb + version: v3 +matches snapshot for version-override.yaml: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factors: + - otp + - webauthn + type: local + webauthn: + rp_id: test-cluster-name + cluster_name: test-cluster-name + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: test-cluster-name + labels: + env: test + version: 5.2.1 + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 +matches snapshot for volumes.yaml: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factors: + - otp + - webauthn + type: local + webauthn: + rp_id: helm-lint + cluster_name: helm-lint + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: helm-lint + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 +matches 
snapshot when both secondFactor and secondFactors are set.: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factor: "off" + type: local + cluster_name: helm-lint + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: helm-lint + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 +sets clusterDomain on Configmap: + 1: | + apiVersion: v1 + data: + apply-on-startup.yaml: | + --- + kind: token + version: v2 + metadata: + name: RELEASE-NAME-proxy + expires: "2050-01-01T00:00:00Z" + spec: + roles: [Proxy] + join_method: kubernetes + kubernetes: + allow: + - service_account: "NAMESPACE:RELEASE-NAME-proxy" + teleport.yaml: |- + auth_service: + authentication: + local_auth: true + second_factors: + - otp + - webauthn + type: local + webauthn: + rp_id: teleport.example.com + cluster_name: teleport.example.com + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: teleport.example.com + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.test.com:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 + kind: ConfigMap + metadata: + labels: + app.kubernetes.io/component: auth + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: teleport-cluster + app.kubernetes.io/version: 17.4.9 + helm.sh/chart: teleport-cluster-17.4.9 + teleport.dev/majorVersion: "17" + name: RELEASE-NAME-auth + 
namespace: NAMESPACE +uses athena as primary backend when configured: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factors: + - otp + - webauthn + type: local + webauthn: + rp_id: teleport.example.com + cluster_name: teleport.example.com + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: teleport.example.com + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + storage: + audit_events_uri: + - athena://db.table?topicArn=arn:aws:sns:region:account_id:topic_name + - dynamodb://my-dynamodb-table + audit_sessions_uri: s3://asd + auto_scaling: false + continuous_backups: false + region: asd + table_name: asd + type: dynamodb + version: v3 +uses athena, dynamo, and stdout when everything is on: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factors: + - otp + - webauthn + type: local + webauthn: + rp_id: teleport.example.com + cluster_name: teleport.example.com + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: teleport.example.com + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + storage: + audit_events_uri: + - athena://db.table?topicArn=arn:aws:sns:region:account_id:topic_name + - dynamodb://my-dynamodb-table + - stdout:// + audit_sessions_uri: s3://asd + auto_scaling: false + continuous_backups: false + region: asd + table_name: asd + type: 
dynamodb + version: v3 +uses dynamo as primary backend when configured: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factors: + - otp + - webauthn + type: local + webauthn: + rp_id: teleport.example.com + cluster_name: teleport.example.com + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: teleport.example.com + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + storage: + audit_events_uri: + - dynamodb://my-dynamodb-table + - athena://db.table?topicArn=arn:aws:sns:region:account_id:topic_name + audit_sessions_uri: s3://asd + auto_scaling: false + continuous_backups: false + region: asd + table_name: asd + type: dynamodb + version: v3 diff --git a/teleport-cluster-17.4.9/tests/__snapshot__/auth_deployment_test.yaml.snap b/teleport-cluster-17.4.9/tests/__snapshot__/auth_deployment_test.yaml.snap new file mode 100644 index 0000000..b794f09 --- /dev/null +++ b/teleport-cluster-17.4.9/tests/__snapshot__/auth_deployment_test.yaml.snap 
@@ -0,0 +1,582 @@ +? should not add named PersistentVolumeClaim as volume when in scratch mode, persistence.existingClaimName + is set and persistence.enabled is false +: 1: | + affinity: + podAntiAffinity: null + automountServiceAccountToken: false + containers: + - args: + - --diag-addr=0.0.0.0:3000 + - --apply-on-startup=/etc/teleport/apply-on-startup.yaml + image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - teleport + - wait + - duration + - 30s + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + - containerPort: 3025 + name: auth + protocol: TCP + - containerPort: 3026 + name: kube + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /var/lib/teleport + name: data + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: auth-serviceaccount-token + readOnly: true + serviceAccountName: RELEASE-NAME + terminationGracePeriodSeconds: 60 + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/component: auth + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + - labelSelector: + matchLabels: + app.kubernetes.io/component: auth + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + volumes: + - name: auth-serviceaccount-token + projected: + sources: + - serviceAccountToken: + path: token + - configMap: + 
items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.namespace + path: namespace + - configMap: + name: RELEASE-NAME-auth + name: config + - emptyDir: {} + name: data +should provision initContainer correctly when set in values: + 1: | + - args: + - echo test + image: alpine + name: teleport-init + resources: + limits: + cpu: 2 + memory: 4Gi + requests: + cpu: 1 + memory: 2Gi + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /var/lib/teleport + name: data + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: auth-serviceaccount-token + readOnly: true + - args: + - echo test2 + image: alpine + name: teleport-init2 + resources: + limits: + cpu: 2 + memory: 4Gi + requests: + cpu: 1 + memory: 2Gi + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /var/lib/teleport + name: data + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: auth-serviceaccount-token + readOnly: true +should set affinity when set in values: + 1: | + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: gravitational.io/dedicated + operator: In + values: + - teleport +should set imagePullSecrets when set in values: + 1: | + - name: myRegistryKeySecretName +should set nodeSelector when set in values: + 1: | + affinity: + podAntiAffinity: null + automountServiceAccountToken: false + containers: + - args: + - --diag-addr=0.0.0.0:3000 + - --apply-on-startup=/etc/teleport/apply-on-startup.yaml + image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - teleport + - wait + - duration + - 30s + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 5 + name: teleport + ports: + - containerPort: 
3000 + name: diag + protocol: TCP + - containerPort: 3025 + name: auth + protocol: TCP + - containerPort: 3026 + name: kube + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /var/lib/teleport + name: data + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: auth-serviceaccount-token + readOnly: true + nodeSelector: + environment: security + role: bastion + serviceAccountName: RELEASE-NAME + terminationGracePeriodSeconds: 60 + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/component: auth + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + - labelSelector: + matchLabels: + app.kubernetes.io/component: auth + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + volumes: + - name: auth-serviceaccount-token + projected: + sources: + - serviceAccountToken: + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.namespace + path: namespace + - configMap: + name: RELEASE-NAME-auth + name: config + - name: data + persistentVolumeClaim: + claimName: RELEASE-NAME +should set required affinity when highAvailability.requireAntiAffinity is set: + 1: | + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app.kubernetes.io/instance + operator: In + values: + - RELEASE-NAME + - key: app.kubernetes.io/component + operator: In + values: + - auth + topologyKey: kubernetes.io/hostname +should set resources when 
set in values: + 1: | + affinity: + podAntiAffinity: null + automountServiceAccountToken: false + containers: + - args: + - --diag-addr=0.0.0.0:3000 + - --apply-on-startup=/etc/teleport/apply-on-startup.yaml + image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - teleport + - wait + - duration + - 30s + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + - containerPort: 3025 + name: auth + protocol: TCP + - containerPort: 3026 + name: kube + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + resources: + limits: + cpu: 2 + memory: 4Gi + requests: + cpu: 1 + memory: 2Gi + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /var/lib/teleport + name: data + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: auth-serviceaccount-token + readOnly: true + serviceAccountName: RELEASE-NAME + terminationGracePeriodSeconds: 60 + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/component: auth + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + - labelSelector: + matchLabels: + app.kubernetes.io/component: auth + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + volumes: + - name: auth-serviceaccount-token + projected: + sources: + - serviceAccountToken: + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - 
downwardAPI: + items: + - fieldRef: + fieldPath: metadata.namespace + path: namespace + - configMap: + name: RELEASE-NAME-auth + name: config + - name: data + persistentVolumeClaim: + claimName: RELEASE-NAME +should set securityContext when set in values: + 1: | + affinity: + podAntiAffinity: null + automountServiceAccountToken: false + containers: + - args: + - --diag-addr=0.0.0.0:3000 + - --apply-on-startup=/etc/teleport/apply-on-startup.yaml + image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - teleport + - wait + - duration + - 30s + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + - containerPort: 3025 + name: auth + protocol: TCP + - containerPort: 3026 + name: kube + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: false + runAsGroup: 99 + runAsNonRoot: true + runAsUser: 99 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /var/lib/teleport + name: data + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: auth-serviceaccount-token + readOnly: true + serviceAccountName: RELEASE-NAME + terminationGracePeriodSeconds: 60 + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/component: auth + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + - labelSelector: + matchLabels: + app.kubernetes.io/component: auth + app.kubernetes.io/instance: RELEASE-NAME + 
app.kubernetes.io/name: teleport-cluster + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + volumes: + - name: auth-serviceaccount-token + projected: + sources: + - serviceAccountToken: + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.namespace + path: namespace + - configMap: + name: RELEASE-NAME-auth + name: config + - name: data + persistentVolumeClaim: + claimName: RELEASE-NAME +should set tolerations when set in values: + 1: | + - effect: NoExecute + key: dedicated + operator: Equal + value: teleport + - effect: NoSchedule + key: dedicated + operator: Equal + value: teleport +should use OSS image and not mount license when enterprise is not set in values: + 1: | + affinity: + podAntiAffinity: null + automountServiceAccountToken: false + containers: + - args: + - --diag-addr=0.0.0.0:3000 + - --apply-on-startup=/etc/teleport/apply-on-startup.yaml + image: public.ecr.aws/gravitational/teleport-distroless:12.2.1 + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - teleport + - wait + - duration + - 30s + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + - containerPort: 3025 + name: auth + protocol: TCP + - containerPort: 3026 + name: kube + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /var/lib/teleport + name: data + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: auth-serviceaccount-token + readOnly: true + serviceAccountName: RELEASE-NAME + terminationGracePeriodSeconds: 60 + 
topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/component: auth + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + - labelSelector: + matchLabels: + app.kubernetes.io/component: auth + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + volumes: + - name: auth-serviceaccount-token + projected: + sources: + - serviceAccountToken: + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.namespace + path: namespace + - configMap: + name: RELEASE-NAME-auth + name: config + - name: data + persistentVolumeClaim: + claimName: RELEASE-NAME diff --git a/teleport-cluster-17.4.9/tests/__snapshot__/ingress_test.yaml.snap b/teleport-cluster-17.4.9/tests/__snapshot__/ingress_test.yaml.snap new file mode 100644 index 0000000..f8a7288 --- /dev/null +++ b/teleport-cluster-17.4.9/tests/__snapshot__/ingress_test.yaml.snap 
@@ -0,0 +1,55 @@ +does not add additional wildcard publicAddrs when Ingress is enabled and a publicAddr already contains a wildcard: + 1: | + - hosts: + - helm-lint.example.com + - '*.helm-lint.example.com' + - helm-lint-second-domain.example.com + - '*.helm-lint-second-domain.example.com' +does not set a wildcard of clusterName as a hostname when Ingress is enabled and ingress.suppressAutomaticWildcards is true: + 1: | + - hosts: + - teleport.example.com +? does not set a wildcard of publicAddr as a hostname when Ingress is enabled, publicAddr + is set and ingress.suppressAutomaticWildcards is true +: 1: | + - hosts: + - helm-lint.example.com +does not set tls.secretName by default: + 1: | + - hosts: + - teleport.example.com + - '*.teleport.example.com' +exposes all publicAddrs and wildcard publicAddrs as hostnames when Ingress is enabled and multiple publicAddrs are set: + 1: | + - hosts: + - helm-lint.example.com + - helm-lint-second-domain.example.com + - '*.helm-lint.example.com' + - '*.helm-lint-second-domain.example.com' +sets the clusterName and wildcard of clusterName as hostnames when Ingress is enabled: + 1: | + - hosts: + - teleport.example.com + - '*.teleport.example.com' +sets the publicAddr and wildcard of publicAddr as hostnames when Ingress is enabled and publicAddr is set: + 1: | + - hosts: + - helm-lint.example.com + - '*.helm-lint.example.com' +sets tls.secretName the value of tls.existingSecretName when set: + 1: | + - hosts: + - teleport.example.com + - '*.teleport.example.com' + secretName: helm-lint-tls-secret +sets tls.secretName when cert-manager is enabled: + 1: | + - hosts: + - teleport.example.com + - '*.teleport.example.com' + secretName: teleport-tls +trims ports from publicAddr and uses it as the hostname when Ingress is enabled and publicAddr is set: + 1: | + - hosts: + - helm-lint.example.com + - '*.helm-lint.example.com' 
diff --git a/teleport-cluster-17.4.9/tests/__snapshot__/predeploy_test.yaml.snap b/teleport-cluster-17.4.9/tests/__snapshot__/predeploy_test.yaml.snap new file mode 100644 index 0000000..288859d --- /dev/null +++ b/teleport-cluster-17.4.9/tests/__snapshot__/predeploy_test.yaml.snap @@ -0,0 +1,6 @@ +should set imagePullSecrets on auth predeploy job when set in values: + 1: | + - name: myRegistryKeySecretName +should set imagePullSecrets on proxy predeploy job when set in values: + 1: | + - name: myRegistryKeySecretName diff --git a/teleport-cluster-17.4.9/tests/__snapshot__/proxy_certificate_test.yaml.snap b/teleport-cluster-17.4.9/tests/__snapshot__/proxy_certificate_test.yaml.snap new file mode 100644 index 0000000..ff19c7f --- /dev/null +++ b/teleport-cluster-17.4.9/tests/__snapshot__/proxy_certificate_test.yaml.snap 
@@ -0,0 +1,68 @@ +? should not request a certificate for cluster name and publicAddrs when cert-manager + is enabled and proxy.highAvailability.certManager.addPublicAddrs is not set (cert-manager.yaml) +: 1: | + - test-cluster + - '*.test-cluster' + 2: | + group: custom.cert-manager.io + kind: CustomClusterIssuer + name: custom +? should not request a certificate for cluster name and publicAddrs when cert-manager + is enabled and proxy.highAvailability.certManager.addPublicAddrs is not set (cert-secret.yaml) +: 1: | + - test-cluster + - '*.test-cluster' + 2: | + group: cert-manager.io + kind: Issuer + name: letsencrypt +? should request a certificate for cluster name and publicAddrs when cert-manager + is enabled and proxy.highAvailability.certManager.addPublicAddrs is set (cert-manager.yaml) +: 1: | + - test-cluster + - '*.test-cluster' + - teleport.test.com + - teleport.shared-services.old-domain.com + 2: | + group: custom.cert-manager.io + kind: CustomClusterIssuer + name: custom +? should request a certificate for cluster name and publicAddrs when cert-manager + is enabled and proxy.highAvailability.certManager.addPublicAddrs is set (cert-secret.yaml) +: 1: | + - test-cluster + - '*.test-cluster' + - teleport.test.com + - teleport.shared-services.old-domain.com + 2: | + group: cert-manager.io + kind: Issuer + name: letsencrypt +? 
should request a certificate for cluster name and publicAddrs when cert-manager + is enabled and proxy.highAvailability.certManager.addPublicAddrs is set, removing + duplicates +: 1: | + - test-cluster + - '*.test-cluster' + - teleport.test.com + - teleport.shared-services.old-domain.com + 2: | + group: custom.cert-manager.io + kind: CustomClusterIssuer + name: custom +should request a certificate for cluster name when cert-manager is enabled (cert-manager.yaml): + 1: | + - test-cluster + - '*.test-cluster' + 2: | + group: custom.cert-manager.io + kind: CustomClusterIssuer + name: custom +should request a certificate for cluster name when cert-manager is enabled (cert-secret.yaml): + 1: | + - test-cluster + - '*.test-cluster' + 2: | + group: cert-manager.io + kind: Issuer + name: letsencrypt diff --git a/teleport-cluster-17.4.9/tests/__snapshot__/proxy_config_test.yaml.snap b/teleport-cluster-17.4.9/tests/__snapshot__/proxy_config_test.yaml.snap new file mode 100644 index 0000000..ea0f9a9 --- /dev/null +++ b/teleport-cluster-17.4.9/tests/__snapshot__/proxy_config_test.yaml.snap 
@@ -0,0 +1,574 @@ +generates a config WITHOUT proxy_service.trust_x_forwarded_for=true when version < 14.0.0 and ingress.enabled is not set: + 1: | + |- + auth_service: + enabled: false + proxy_service: + enabled: true + kube_listen_addr: 0.0.0.0:3026 + listen_addr: 0.0.0.0:3023 + mysql_listen_addr: 0.0.0.0:3036 + public_addr: helm-test.example.com:443 + tunnel_listen_addr: 0.0.0.0:3024 + ssh_service: + enabled: false + teleport: + auth_server: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3025 + join_params: + method: kubernetes + token_name: RELEASE-NAME-proxy + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 +generates a config WITHOUT proxy_service.trust_x_forwarded_for=true when version < 14.0.0 and ingress.enabled=true: + 1: | + |- + auth_service: + enabled: false + proxy_service: + enabled: true + public_addr: helm-test.example.com:443 + ssh_service: + enabled: false + teleport: + auth_server: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3025 + join_params: + method: kubernetes + token_name: RELEASE-NAME-proxy + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 +generates a config WITHOUT proxy_service.trust_x_forwarded_for=true when version >=14.0.0 and ingress.enabled is not set: + 1: | + |- + auth_service: + enabled: false + proxy_service: + enabled: true + kube_listen_addr: 0.0.0.0:3026 + listen_addr: 0.0.0.0:3023 + mysql_listen_addr: 0.0.0.0:3036 + public_addr: helm-test.example.com:443 + tunnel_listen_addr: 0.0.0.0:3024 + ssh_service: + enabled: false + teleport: + auth_server: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3025 + join_params: + method: kubernetes + token_name: RELEASE-NAME-proxy + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 +generates a config with a 
clusterName containing a regular string: + 1: | + |- + auth_service: + enabled: false + proxy_service: + enabled: true + kube_listen_addr: 0.0.0.0:3026 + listen_addr: 0.0.0.0:3023 + mysql_listen_addr: 0.0.0.0:3036 + public_addr: helm-test.example.com:443 + tunnel_listen_addr: 0.0.0.0:3024 + ssh_service: + enabled: false + teleport: + auth_server: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3025 + join_params: + method: kubernetes + token_name: RELEASE-NAME-proxy + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 +generates a config with proxy_service.trust_x_forwarded_for=true when version = 14.0.0-rc.1 and ingress.enabled=true: + 1: | + |- + auth_service: + enabled: false + proxy_service: + enabled: true + public_addr: helm-test.example.com:443 + trust_x_forwarded_for: true + ssh_service: + enabled: false + teleport: + auth_server: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3025 + join_params: + method: kubernetes + token_name: RELEASE-NAME-proxy + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 +generates a config with proxy_service.trust_x_forwarded_for=true when version >=14.0.0 and ingress.enabled=true: + 1: | + |- + auth_service: + enabled: false + proxy_service: + enabled: true + public_addr: helm-test.example.com:443 + trust_x_forwarded_for: true + ssh_service: + enabled: false + teleport: + auth_server: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3025 + join_params: + method: kubernetes + token_name: RELEASE-NAME-proxy + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 +matches snapshot for acme-on.yaml: + 1: | + |- + auth_service: + enabled: false + proxy_service: + acme: + email: test@email.com + enabled: true + enabled: true + kube_listen_addr: 0.0.0.0:3026 + 
listen_addr: 0.0.0.0:3023 + mysql_listen_addr: 0.0.0.0:3036 + public_addr: test-acme-cluster:443 + tunnel_listen_addr: 0.0.0.0:3024 + ssh_service: + enabled: false + teleport: + auth_server: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3025 + join_params: + method: kubernetes + token_name: RELEASE-NAME-proxy + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 +matches snapshot for acme-uri-staging.yaml: + 1: | + |- + auth_service: + enabled: false + proxy_service: + acme: + email: test@email.com + enabled: true + uri: https://acme-staging-v02.api.letsencrypt.org/directory + enabled: true + kube_listen_addr: 0.0.0.0:3026 + listen_addr: 0.0.0.0:3023 + mysql_listen_addr: 0.0.0.0:3036 + public_addr: test-acme-cluster:443 + tunnel_listen_addr: 0.0.0.0:3024 + ssh_service: + enabled: false + teleport: + auth_server: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3025 + join_params: + method: kubernetes + token_name: RELEASE-NAME-proxy + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 +matches snapshot for aws-ha-acme.yaml: + 1: | + |- + auth_service: + enabled: false + proxy_service: + enabled: true + https_keypairs: + - cert_file: /etc/teleport-tls/tls.crt + key_file: /etc/teleport-tls/tls.key + https_keypairs_reload_interval: 12h + kube_listen_addr: 0.0.0.0:3026 + listen_addr: 0.0.0.0:3023 + mysql_listen_addr: 0.0.0.0:3036 + public_addr: test-aws-cluster:443 + tunnel_listen_addr: 0.0.0.0:3024 + ssh_service: + enabled: false + teleport: + auth_server: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3025 + join_params: + method: kubernetes + token_name: RELEASE-NAME-proxy + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 +matches snapshot for existing-tls-secret.yaml: + 1: | + |- + auth_service: 
+ enabled: false + proxy_service: + enabled: true + https_keypairs: + - cert_file: /etc/teleport-tls/tls.crt + key_file: /etc/teleport-tls/tls.key + https_keypairs_reload_interval: 12h + kube_listen_addr: 0.0.0.0:3026 + listen_addr: 0.0.0.0:3023 + mysql_listen_addr: 0.0.0.0:3036 + public_addr: test-cluster-name:443 + tunnel_listen_addr: 0.0.0.0:3024 + ssh_service: + enabled: false + teleport: + auth_server: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3025 + join_params: + method: kubernetes + token_name: RELEASE-NAME-proxy + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 +matches snapshot for log-basic.yaml: + 1: | + |- + auth_service: + enabled: false + proxy_service: + enabled: true + kube_listen_addr: 0.0.0.0:3026 + listen_addr: 0.0.0.0:3023 + mysql_listen_addr: 0.0.0.0:3036 + public_addr: test-log-cluster:443 + tunnel_listen_addr: 0.0.0.0:3024 + ssh_service: + enabled: false + teleport: + auth_server: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3025 + join_params: + method: kubernetes + token_name: RELEASE-NAME-proxy + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: json + output: stderr + severity: INFO + version: v3 +matches snapshot for log-extra.yaml: + 1: | + |- + auth_service: + enabled: false + proxy_service: + enabled: true + kube_listen_addr: 0.0.0.0:3026 + listen_addr: 0.0.0.0:3023 + mysql_listen_addr: 0.0.0.0:3036 + public_addr: test-log-cluster:443 + tunnel_listen_addr: 0.0.0.0:3024 + ssh_service: + enabled: false + teleport: + auth_server: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3025 + join_params: + method: kubernetes + token_name: RELEASE-NAME-proxy + log: + format: + extra_fields: + - level + - timestamp + - component + - caller + output: json + output: /var/lib/teleport/test.log + severity: DEBUG + version: v3 +matches snapshot for proxy-listener-mode-multiplex.yaml: + 1: | + |- + auth_service: + 
enabled: false + proxy_service: + enabled: true + public_addr: test-proxy-listener-mode:443 + ssh_service: + enabled: false + teleport: + auth_server: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3025 + join_params: + method: kubernetes + token_name: RELEASE-NAME-proxy + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 +matches snapshot for proxy-listener-mode-separate.yaml: + 1: | + |- + auth_service: + enabled: false + proxy_service: + enabled: true + kube_listen_addr: 0.0.0.0:3026 + listen_addr: 0.0.0.0:3023 + mysql_listen_addr: 0.0.0.0:3036 + public_addr: test-proxy-listener-mode:443 + tunnel_listen_addr: 0.0.0.0:3024 + ssh_service: + enabled: false + teleport: + auth_server: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3025 + join_params: + method: kubernetes + token_name: RELEASE-NAME-proxy + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 +matches snapshot for public-addresses.yaml: + 1: | + |- + auth_service: + enabled: false + proxy_service: + enabled: true + kube_listen_addr: 0.0.0.0:3026 + kube_public_addr: + - loadbalancer.example.com:3026 + listen_addr: 0.0.0.0:3023 + mongo_listen_addr: 0.0.0.0:27017 + mongo_public_addr: + - loadbalancer.example.com:27017 + mysql_listen_addr: 0.0.0.0:3036 + mysql_public_addr: + - loadbalancer.example.com:3036 + postgres_listen_addr: 0.0.0.0:5432 + postgres_public_addr: + - loadbalancer.example.com:5432 + public_addr: + - loadbalancer.example.com:443 + ssh_public_addr: + - loadbalancer.example.com:3023 + tunnel_listen_addr: 0.0.0.0:3024 + tunnel_public_addr: + - loadbalancer.example.com:3024 + ssh_service: + enabled: false + teleport: + auth_server: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3025 + join_params: + method: kubernetes + token_name: RELEASE-NAME-proxy + log: + format: + extra_fields: + - timestamp + - level + - 
component + - caller + output: text + output: stderr + severity: INFO + version: v3 +matches snapshot for separate-mongo-listener.yaml: + 1: | + |- + auth_service: + enabled: false + proxy_service: + enabled: true + kube_listen_addr: 0.0.0.0:3026 + listen_addr: 0.0.0.0:3023 + mongo_listen_addr: 0.0.0.0:27017 + mongo_public_addr: helm-lint:27017 + mysql_listen_addr: 0.0.0.0:3036 + public_addr: helm-lint:443 + tunnel_listen_addr: 0.0.0.0:3024 + ssh_service: + enabled: false + teleport: + auth_server: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3025 + join_params: + method: kubernetes + token_name: RELEASE-NAME-proxy + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 +matches snapshot for separate-postgres-listener.yaml: + 1: | + |- + auth_service: + enabled: false + proxy_service: + enabled: true + kube_listen_addr: 0.0.0.0:3026 + listen_addr: 0.0.0.0:3023 + mysql_listen_addr: 0.0.0.0:3036 + postgres_listen_addr: 0.0.0.0:5432 + postgres_public_addr: helm-lint:5432 + public_addr: helm-lint:443 + tunnel_listen_addr: 0.0.0.0:3024 + ssh_service: + enabled: false + teleport: + auth_server: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3025 + join_params: + method: kubernetes + token_name: RELEASE-NAME-proxy + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 +sets clusterDomain on Configmap: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + auth_service: + enabled: false + proxy_service: + enabled: true + kube_listen_addr: 0.0.0.0:3026 + listen_addr: 0.0.0.0:3023 + mysql_listen_addr: 0.0.0.0:3036 + public_addr: teleport.example.com:443 + tunnel_listen_addr: 0.0.0.0:3024 + ssh_service: + enabled: false + teleport: + auth_server: RELEASE-NAME-auth.NAMESPACE.svc.test.com:3025 + join_params: + method: kubernetes + token_name: RELEASE-NAME-proxy + log: + format: + extra_fields: + - 
timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 + kind: ConfigMap + metadata: + labels: + app.kubernetes.io/component: proxy + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: teleport-cluster + app.kubernetes.io/version: 17.4.9 + helm.sh/chart: teleport-cluster-17.4.9 + teleport.dev/majorVersion: "17" + name: RELEASE-NAME-proxy + namespace: NAMESPACE diff --git a/teleport-cluster-17.4.9/tests/__snapshot__/proxy_deployment_test.yaml.snap b/teleport-cluster-17.4.9/tests/__snapshot__/proxy_deployment_test.yaml.snap new file mode 100644 index 0000000..26c8cfa --- /dev/null +++ b/teleport-cluster-17.4.9/tests/__snapshot__/proxy_deployment_test.yaml.snap 
@@ -0,0 +1,857 @@ +sets clusterDomain on Deployment Pods: + 1: | + apiVersion: apps/v1 + kind: Deployment + metadata: + annotations: + kubernetes.io/deployment: test-annotation + kubernetes.io/deployment-different: 3 + labels: + app.kubernetes.io/component: proxy + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: teleport-cluster + app.kubernetes.io/version: 17.4.9 + helm.sh/chart: teleport-cluster-17.4.9 + teleport.dev/majorVersion: "17" + name: RELEASE-NAME-proxy + namespace: NAMESPACE + spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/component: proxy + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + template: + metadata: + annotations: + checksum/config: da6155f69a526a5b92d4fa09d4b6658536bfab0d3e5435e2e898b77c1a30dbff + kubernetes.io/pod: test-annotation + kubernetes.io/pod-different: 4 + labels: + app.kubernetes.io/component: proxy + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: teleport-cluster + app.kubernetes.io/version: 17.4.9 + helm.sh/chart: teleport-cluster-17.4.9 + teleport.dev/majorVersion: "17" + spec: + affinity: + podAntiAffinity: null + automountServiceAccountToken: false + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - teleport + - wait + - duration + - 30s + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 5 + name: teleport + ports: + - containerPort: 3080 + name: tls + protocol: TCP + - containerPort: 3023 + name: sshproxy + protocol: TCP + - containerPort: 3024 + name: sshtun + protocol: TCP + - containerPort: 3026 + name: kube + protocol: TCP + - containerPort: 3036 + name: mysql + protocol: TCP + - containerPort: 3000 + name: diag + 
protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /var/lib/teleport + name: data + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: proxy-serviceaccount-token + readOnly: true + initContainers: + - command: + - teleport + - wait + - no-resolve + - RELEASE-NAME-auth-v16.NAMESPACE.svc.test.com + image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 + name: wait-auth-update + serviceAccountName: RELEASE-NAME-proxy + terminationGracePeriodSeconds: 60 + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/component: proxy + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + - labelSelector: + matchLabels: + app.kubernetes.io/component: proxy + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + volumes: + - name: proxy-serviceaccount-token + projected: + sources: + - serviceAccountToken: + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.namespace + path: namespace + - configMap: + name: RELEASE-NAME-proxy + name: config + - emptyDir: {} + name: data +should provision initContainer correctly when set in values: + 1: | + - command: + - teleport + - wait + - no-resolve + - RELEASE-NAME-auth-v16.NAMESPACE.svc.cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 + name: wait-auth-update + resources: + limits: + cpu: 1 + memory: 512Mi + requests: + cpu: 0.1 + memory: 256Mi + - args: + - echo test + image: alpine + name: 
teleport-init + resources: + limits: + cpu: 2 + memory: 4Gi + requests: + cpu: 1 + memory: 2Gi + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /var/lib/teleport + name: data + - args: + - echo test2 + image: alpine + name: teleport-init2 + resources: + limits: + cpu: 2 + memory: 4Gi + requests: + cpu: 1 + memory: 2Gi + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /var/lib/teleport + name: data +should set affinity when set in values: + 1: | + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: gravitational.io/dedicated + operator: In + values: + - teleport +should set imagePullSecrets when set in values: + 1: | + - name: myRegistryKeySecretName +should set nodeSelector when set in values: + 1: | + affinity: + podAntiAffinity: null + automountServiceAccountToken: false + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - teleport + - wait + - duration + - 30s + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 5 + name: teleport + ports: + - containerPort: 3080 + name: tls + protocol: TCP + - containerPort: 3023 + name: sshproxy + protocol: TCP + - containerPort: 3024 + name: sshtun + protocol: TCP + - containerPort: 3026 + name: kube + protocol: TCP + - containerPort: 3036 + name: mysql + protocol: TCP + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /var/lib/teleport + name: data + - mountPath: 
/var/run/secrets/kubernetes.io/serviceaccount + name: proxy-serviceaccount-token + readOnly: true + initContainers: + - command: + - teleport + - wait + - no-resolve + - RELEASE-NAME-auth-v16.NAMESPACE.svc.cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 + name: wait-auth-update + nodeSelector: + environment: security + role: bastion + serviceAccountName: RELEASE-NAME-proxy + terminationGracePeriodSeconds: 60 + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/component: proxy + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + - labelSelector: + matchLabels: + app.kubernetes.io/component: proxy + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + volumes: + - name: proxy-serviceaccount-token + projected: + sources: + - serviceAccountToken: + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.namespace + path: namespace + - configMap: + name: RELEASE-NAME-proxy + name: config + - emptyDir: {} + name: data +should set required affinity when highAvailability.requireAntiAffinity is set: + 1: | + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app.kubernetes.io/instance + operator: In + values: + - RELEASE-NAME + - key: app.kubernetes.io/component + operator: In + values: + - proxy + topologyKey: kubernetes.io/hostname +should set resources for wait-auth-update initContainer when set in values: + 1: | + affinity: + podAntiAffinity: null + automountServiceAccountToken: false + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 + 
imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - teleport + - wait + - duration + - 30s + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 5 + name: teleport + ports: + - containerPort: 3080 + name: tls + protocol: TCP + - containerPort: 3023 + name: sshproxy + protocol: TCP + - containerPort: 3024 + name: sshtun + protocol: TCP + - containerPort: 3026 + name: kube + protocol: TCP + - containerPort: 3036 + name: mysql + protocol: TCP + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + resources: + limits: + cpu: 2 + memory: 4Gi + requests: + cpu: 1 + memory: 2Gi + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /var/lib/teleport + name: data + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: proxy-serviceaccount-token + readOnly: true + initContainers: + - command: + - teleport + - wait + - no-resolve + - RELEASE-NAME-auth-v16.NAMESPACE.svc.cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 + name: wait-auth-update + resources: + limits: + cpu: 1 + memory: 512Mi + requests: + cpu: 0.1 + memory: 256Mi + serviceAccountName: RELEASE-NAME-proxy + terminationGracePeriodSeconds: 60 + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/component: proxy + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + - labelSelector: + matchLabels: + app.kubernetes.io/component: proxy + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + 
volumes: + - name: proxy-serviceaccount-token + projected: + sources: + - serviceAccountToken: + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.namespace + path: namespace + - configMap: + name: RELEASE-NAME-proxy + name: config + - emptyDir: {} + name: data +should set resources when set in values: + 1: | + affinity: + podAntiAffinity: null + automountServiceAccountToken: false + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - teleport + - wait + - duration + - 30s + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 5 + name: teleport + ports: + - containerPort: 3080 + name: tls + protocol: TCP + - containerPort: 3023 + name: sshproxy + protocol: TCP + - containerPort: 3024 + name: sshtun + protocol: TCP + - containerPort: 3026 + name: kube + protocol: TCP + - containerPort: 3036 + name: mysql + protocol: TCP + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + resources: + limits: + cpu: 2 + memory: 4Gi + requests: + cpu: 1 + memory: 2Gi + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /var/lib/teleport + name: data + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: proxy-serviceaccount-token + readOnly: true + initContainers: + - command: + - teleport + - wait + - no-resolve + - RELEASE-NAME-auth-v16.NAMESPACE.svc.cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 + name: wait-auth-update + resources: + limits: + cpu: 1 + memory: 512Mi + requests: + cpu: 0.1 + memory: 
256Mi + serviceAccountName: RELEASE-NAME-proxy + terminationGracePeriodSeconds: 60 + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/component: proxy + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + - labelSelector: + matchLabels: + app.kubernetes.io/component: proxy + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + volumes: + - name: proxy-serviceaccount-token + projected: + sources: + - serviceAccountToken: + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.namespace + path: namespace + - configMap: + name: RELEASE-NAME-proxy + name: config + - emptyDir: {} + name: data +should set securityContext for initContainers when set in values: + 1: | + affinity: + podAntiAffinity: null + automountServiceAccountToken: false + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - teleport + - wait + - duration + - 30s + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 5 + name: teleport + ports: + - containerPort: 3080 + name: tls + protocol: TCP + - containerPort: 3023 + name: sshproxy + protocol: TCP + - containerPort: 3024 + name: sshtun + protocol: TCP + - containerPort: 3026 + name: kube + protocol: TCP + - containerPort: 3036 + name: mysql + protocol: TCP + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + successThreshold: 1 + 
timeoutSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: false + runAsGroup: 99 + runAsNonRoot: true + runAsUser: 99 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /var/lib/teleport + name: data + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: proxy-serviceaccount-token + readOnly: true + initContainers: + - command: + - teleport + - wait + - no-resolve + - RELEASE-NAME-auth-v16.NAMESPACE.svc.cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 + name: wait-auth-update + securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: false + runAsGroup: 99 + runAsNonRoot: true + runAsUser: 99 + serviceAccountName: RELEASE-NAME-proxy + terminationGracePeriodSeconds: 60 + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/component: proxy + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + - labelSelector: + matchLabels: + app.kubernetes.io/component: proxy + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + volumes: + - name: proxy-serviceaccount-token + projected: + sources: + - serviceAccountToken: + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.namespace + path: namespace + - configMap: + name: RELEASE-NAME-proxy + name: config + - emptyDir: {} + name: data +should set securityContext when set in values: + 1: | + affinity: + podAntiAffinity: null + automountServiceAccountToken: false + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 + 
imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - teleport + - wait + - duration + - 30s + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 5 + name: teleport + ports: + - containerPort: 3080 + name: tls + protocol: TCP + - containerPort: 3023 + name: sshproxy + protocol: TCP + - containerPort: 3024 + name: sshtun + protocol: TCP + - containerPort: 3026 + name: kube + protocol: TCP + - containerPort: 3036 + name: mysql + protocol: TCP + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: false + runAsGroup: 99 + runAsNonRoot: true + runAsUser: 99 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /var/lib/teleport + name: data + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: proxy-serviceaccount-token + readOnly: true + initContainers: + - command: + - teleport + - wait + - no-resolve + - RELEASE-NAME-auth-v16.NAMESPACE.svc.cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 + name: wait-auth-update + securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: false + runAsGroup: 99 + runAsNonRoot: true + runAsUser: 99 + serviceAccountName: RELEASE-NAME-proxy + terminationGracePeriodSeconds: 60 + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/component: proxy + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + - labelSelector: + matchLabels: + app.kubernetes.io/component: proxy + app.kubernetes.io/instance: 
RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + volumes: + - name: proxy-serviceaccount-token + projected: + sources: + - serviceAccountToken: + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.namespace + path: namespace + - configMap: + name: RELEASE-NAME-proxy + name: config + - emptyDir: {} + name: data +should set tolerations when set in values: + 1: | + - effect: NoExecute + key: dedicated + operator: Equal + value: teleport + - effect: NoSchedule + key: dedicated + operator: Equal + value: teleport diff --git a/teleport-cluster-17.4.9/tests/__snapshot__/proxy_service_test.yaml.snap b/teleport-cluster-17.4.9/tests/__snapshot__/proxy_service_test.yaml.snap new file mode 100644 index 0000000..a10b5e5 --- /dev/null +++ b/teleport-cluster-17.4.9/tests/__snapshot__/proxy_service_test.yaml.snap 
@@ -0,0 +1,68 @@ +does not expose separate listener ports by default when ingress.enabled=true: + 1: | + - name: tls + port: 443 + protocol: TCP + targetPort: 3080 +does not expose separate listener ports when running in separate mode and ingress.enabled=true: + 1: | + - name: tls + port: 443 + protocol: TCP + targetPort: 3080 +exposes a single port when running in multiplex mode: + 1: | + - name: tls + port: 443 + protocol: TCP + targetPort: 3080 +exposes a single port when running in multiplex mode and ingress.enabled=true: + 1: | + - name: tls + port: 443 + protocol: TCP + targetPort: 3080 +exposes separate listener ports by default: + 1: | + - name: tls + port: 443 + protocol: TCP + targetPort: 3080 + - name: sshproxy + port: 3023 + protocol: TCP + targetPort: 3023 + - name: k8s + port: 3026 + protocol: TCP + targetPort: 3026 + - name: sshtun + port: 3024 + protocol: TCP + targetPort: 3024 + - name: mysql + port: 3036 + protocol: TCP + targetPort: 3036 +exposes separate listener ports when running in separate mode: + 1: | + - name: tls + port: 443 + protocol: TCP + targetPort: 3080 + - name: sshproxy + port: 3023 + protocol: TCP + targetPort: 3023 + - name: k8s + port: 3026 + protocol: TCP + targetPort: 3026 + - name: sshtun + port: 3024 + protocol: TCP + targetPort: 3024 + - name: mysql + port: 3036 + protocol: TCP + targetPort: 3036 diff --git a/teleport-cluster-17.4.9/tests/__snapshot__/psp_test.yaml.snap b/teleport-cluster-17.4.9/tests/__snapshot__/psp_test.yaml.snap new file mode 100644 index 0000000..d950054 --- /dev/null +++ b/teleport-cluster-17.4.9/tests/__snapshot__/psp_test.yaml.snap 
@@ -0,0 +1,62 @@ +creates a PodSecurityPolicy when enabled in values and supported: + 1: | + apiVersion: policy/v1beta1 + kind: PodSecurityPolicy + metadata: + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default + seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default + name: RELEASE-NAME + spec: + allowPrivilegeEscalation: false + fsGroup: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + hostIPC: false + hostNetwork: false + hostPID: false + privileged: false + readOnlyRootFilesystem: true + requiredDropCapabilities: + - ALL + runAsUser: + rule: MustRunAsNonRoot + seLinux: + rule: RunAsAny + supplementalGroups: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + volumes: + - '*' + 2: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + name: RELEASE-NAME-psp + namespace: NAMESPACE + rules: + - apiGroups: + - policy + resourceNames: + - RELEASE-NAME + resources: + - podsecuritypolicies + verbs: + - use + 3: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: RELEASE-NAME-psp + namespace: NAMESPACE + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: RELEASE-NAME-psp + subjects: + - kind: ServiceAccount + name: RELEASE-NAME diff --git a/teleport-cluster-17.4.9/tests/auth_clusterrole_test.yaml b/teleport-cluster-17.4.9/tests/auth_clusterrole_test.yaml new file mode 100644 index 0000000..a3ab5d8 --- /dev/null +++ b/teleport-cluster-17.4.9/tests/auth_clusterrole_test.yaml 
@@ -0,0 +1,36 @@
+suite: Auth ClusterRole
+templates:
+ - auth/clusterrole.yaml
+tests:
+ - it: creates a ClusterRole
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ClusterRole
+ - it: adds operator permissions to ClusterRole
+ values:
+ - ../.lint/operator.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ClusterRole
+ - matchSnapshot: {}
+ - it: sets extraLabels on ClusterRole
+ set:
+ extraLabels:
+ clusterRole:
+ foo: bar
+ baz: override-me
+ auth:
+ extraLabels:
+ clusterRole:
+ baz: overridden
+ asserts:
+ - equal:
+ path: metadata.labels.foo
+ value: bar
+ - equal:
+ path: metadata.labels.baz
+ value: overridden
diff --git a/teleport-cluster-17.4.9/tests/auth_clusterrolebinding_test.yaml b/teleport-cluster-17.4.9/tests/auth_clusterrolebinding_test.yaml
new file mode 100644
index 0000000..2ac15aa
--- /dev/null
+++ b/teleport-cluster-17.4.9/tests/auth_clusterrolebinding_test.yaml
@@ -0,0 +1,38 @@
+suite: Auth ClusterRoleBinding
+templates:
+ - auth/clusterrolebinding.yaml
+tests:
+ - it: creates a ClusterRoleBinding
+ asserts:
+ - hasDocuments:
+ count: 2
+ - isKind:
+ of: ClusterRoleBinding
+ - it: uses the provided serviceAccount name
+ values:
+ - ../.lint/service-account.yaml
+ asserts:
+ - contains:
+ path: subjects
+ any: true
+ content:
+ kind: ServiceAccount
+ name: "helm-lint"
+
+ - it: sets extraLabels on ClusterRoleBindings
+ set:
+ extraLabels:
+ clusterRoleBinding:
+ foo: bar
+ baz: override-me
+ auth:
+ extraLabels:
+ clusterRoleBinding:
+ baz: overridden
+ asserts:
+ - equal:
+ path: metadata.labels.foo
+ value: bar
+ - equal:
+ path: metadata.labels.baz
+ value: overridden
diff --git a/teleport-cluster-17.4.9/tests/auth_config_test.yaml b/teleport-cluster-17.4.9/tests/auth_config_test.yaml
new file mode 100644
index 0000000..2712745
--- /dev/null
+++ b/teleport-cluster-17.4.9/tests/auth_config_test.yaml
@@ -0,0 +1,736 @@
+suite: ConfigMap
+templates:
+ - auth/config.yaml
+tests:
+ - it: matches snapshot for acme-off.yaml
+ values:
+ - ../.lint/acme-off.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: matches snapshot for acme-on.yaml
+ values:
+ - ../.lint/acme-on.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: matches snapshot for acme-uri-staging.yaml
+ values:
+ - ../.lint/acme-on.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: wears annotations (annotations.yaml)
+ values:
+ - ../.lint/annotations.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - equal:
+ path: metadata.annotations.kubernetes\.io/config
+ value: test-annotation
+ - equal:
+ path: metadata.annotations.kubernetes\.io/config-different
+ value: 2
+
+ - it: matches snapshot for auth-connector-name.yaml
+ values:
+ - ../.lint/auth-connector-name.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: matches snapshot for auth-disable-local.yaml
+ values:
+ - ../.lint/auth-disable-local.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: matches snapshot for auth-locking-mode.yaml
+ values:
+ - ../.lint/auth-locking-mode.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: matches snapshot for auth-passwordless.yaml
+ values:
+ - ../.lint/auth-passwordless.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: matches snapshot for auth-type.yaml
+ values:
+ - ../.lint/auth-type.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+
of: ConfigMap
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: matches snapshot for auth-type-legacy.yaml
+ values:
+ - ../.lint/auth-type-legacy.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: matches snapshot for auth-webauthn.yaml
+ values:
+ - ../.lint/auth-webauthn.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: matches snapshot for auth-webauthn-legacy.yaml
+ values:
+ - ../.lint/auth-webauthn-legacy.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: matches snapshot for aws.yaml
+ values:
+ - ../.lint/aws.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: matches snapshot for aws-dynamodb-autoscaling.yaml
+ values:
+ - ../.lint/aws-dynamodb-autoscaling.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: matches snapshot for aws-ha.yaml
+ values:
+ - ../.lint/aws-ha.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: matches snapshot for aws-ha-acme.yaml
+ values:
+ - ../.lint/aws-ha-acme.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: matches snapshot for aws-ha-antiaffinity.yaml
+ values:
+ - ../.lint/aws-ha-antiaffinity.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: matches snapshot for aws-ha-log.yaml
+ values:
+ - ../.lint/aws-ha-log.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: matches snapshot for existing-tls-secret.yaml
+ values:
+ - ../.lint/existing-tls-secret.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: matches snapshot for existing-tls-secret-with-ca.yaml
+ values:
+ - ../.lint/existing-tls-secret-with-ca.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: matches snapshot for gcp-ha-acme.yaml
+ values:
+ - ../.lint/gcp-ha-acme.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: matches snapshot for gcp-ha-antiaffinity.yaml
+ values:
+ - ../.lint/gcp-ha-antiaffinity.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: matches snapshot for gcp-ha-log.yaml
+ values:
+ - ../.lint/gcp-ha-log.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: matches snapshot for gcp.yaml
+ values:
+ - ../.lint/gcp.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: matches snapshot for initcontainers.yaml
+ values:
+ - ../.lint/initcontainers.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: matches snapshot for kube-cluster-name.yaml
+ values:
+ - ../.lint/kube-cluster-name.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: matches snapshot for log-basic.yaml
+ values:
+ - ../.lint/log-basic.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: matches snapshot for log-extra.yaml
+ values:
+ - ../.lint/log-extra.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot:
+ path:
data.teleport\.yaml
+
+ - it: matches snapshot for log-legacy.yaml
+ values:
+ - ../.lint/log-legacy.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: matches snapshot for priority-class-name.yaml
+ values:
+ - ../.lint/priority-class-name.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: matches snapshot for proxy-listener-mode-multiplex.yaml
+ values:
+ - ../.lint/proxy-listener-mode-multiplex.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: matches snapshot for proxy-listener-mode-separate.yaml
+ values:
+ - ../.lint/proxy-listener-mode-separate.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: matches snapshot for service.yaml
+ values:
+ - ../.lint/service.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: matches snapshot for separate-mongo-listener.yaml
+ values:
+ - ../.lint/separate-mongo-listener.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: matches snapshot for separate-postgres-listener.yaml
+ values:
+ - ../.lint/separate-postgres-listener.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: matches snapshot for public-addresses.yaml
+ values:
+ - ../.lint/public-addresses.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: matches snapshot for session-recording.yaml
+ values:
+ - ../.lint/session-recording.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: matches snapshot for standalone-customsize.yaml
+ values:
+ - ../.lint/standalone-customsize.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: matches snapshot for standalone-existingpvc.yaml
+ values:
+ - ../.lint/standalone-existingpvc.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: matches snapshot for tolerations.yaml
+ values:
+ - ../.lint/tolerations.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: matches snapshot for version-override.yaml
+ values:
+ - ../.lint/version-override.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: matches snapshot for volumes.yaml
+ values:
+ - ../.lint/volumes.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: adds a proxy token by default
+ set:
+ clusterName: teleport.example.com
+ asserts:
+ - notEqual:
+ path: data.apply-on-startup\.yaml
+ value: null
+ - matchSnapshot:
+ path: data.apply-on-startup\.yaml
+
+ - it: matches snapshot for azure.yaml
+ values:
+ - ../.lint/azure.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: matches snapshot for azure.yaml without pool_max_conn
+ values:
+ - ../.lint/azure.yaml
+ set:
+ azure:
+ databasePoolMaxConnections: 0
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: sets "provisioned" billing mode when autoscaling is enabled
+ values:
+ - ../.lint/aws-dynamodb-autoscaling.yaml
+ asserts:
+ - matchRegex:
+ path: data.teleport\.yaml
+ pattern: 'billing_mode: provisioned'
+
+ - it: fails when no audit backend is configured
+ set:
+ chartMode: aws
+ clusterName: "teleport.example.com"
+ aws:
+ region: asd
+ backendTable: asd
+ sessionRecordingBucket: asd
+ asserts:
+ - failedTemplate:
+ errorMessage: "You need an audit backend. In AWS mode, you must set at least one of `aws.auditLogTable` (Dynamo) and `aws.athenaURL` (Athena)."
+
+ - it: configures dynamo when dynamo is set
+ set:
+ chartMode: aws
+ clusterName: "teleport.example.com"
+ aws:
+ region: asd
+ backendTable: asd
+ sessionRecordingBucket: asd
+ auditLogTable: my-dynamodb-table
+ asserts:
+ - matchRegex:
+ path: data.teleport\.yaml
+ pattern: '- dynamodb://my-dynamodb-table'
+
+ - it: configures athena when athenaURL is set
+ set:
+ chartMode: aws
+ clusterName: "teleport.example.com"
+ aws:
+ region: asd
+ backendTable: asd
+ sessionRecordingBucket: asd
+ athenaURL: 'athena://db.table?topicArn=arn:aws:sns:region:account_id:topic_name'
+ asserts:
+ - matchRegex:
+ path: data.teleport\.yaml
+ pattern: '- athena://db.table'
+
+ - it: configures dynamo and stdout when dynamo is set and mirroring is on
+ set:
+ chartMode: aws
+ clusterName: "teleport.example.com"
+ aws:
+ region: asd
+ backendTable: asd
+ sessionRecordingBucket: asd
+ auditLogTable: my-dynamodb-table
+ auditLogMirrorOnStdout: true
+ asserts:
+ - matchRegex:
+ path: data.teleport\.yaml
+ pattern: '- dynamodb://my-dynamodb-table'
+ - matchRegex:
+ path: data.teleport\.yaml
+ pattern: '- stdout://'
+
+ - it: fails when both athena and dynamo are set but no order is specified
+ set:
+ chartMode: aws
+ clusterName: "teleport.example.com"
+ aws:
+ region: asd
+ backendTable: asd
+ sessionRecordingBucket: asd
+ auditLogTable: my-dynamodb-table
+ athenaURL: 'athena://db.table?topicArn=arn:aws:sns:region:account_id:topic_name'
+ asserts:
+ - failedTemplate:
+ errorMessage: "Both Dynamo and Athena audit backends are enabled. You must specify the primary backend by setting `aws.auditLogPrimaryBackend` to either 'dynamo' or 'athena'."
+
+ - it: uses athena as primary backend when configured
+ set:
+ chartMode: aws
+ clusterName: "teleport.example.com"
+ aws:
+ region: asd
+ backendTable: asd
+ sessionRecordingBucket: asd
+ auditLogTable: my-dynamodb-table
+ athenaURL: 'athena://db.table?topicArn=arn:aws:sns:region:account_id:topic_name'
+ auditLogPrimaryBackend: "athena"
+ asserts:
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: uses dynamo as primary backend when configured
+ set:
+ chartMode: aws
+ clusterName: "teleport.example.com"
+ aws:
+ region: asd
+ backendTable: asd
+ sessionRecordingBucket: asd
+ auditLogTable: my-dynamodb-table
+ athenaURL: 'athena://db.table?topicArn=arn:aws:sns:region:account_id:topic_name'
+ auditLogPrimaryBackend: "dynamo"
+ asserts:
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: uses athena, dynamo, and stdout when everything is on
+ set:
+ chartMode: aws
+ clusterName: "teleport.example.com"
+ aws:
+ region: asd
+ backendTable: asd
+ sessionRecordingBucket: asd
+ auditLogTable: my-dynamodb-table
+ athenaURL: 'athena://db.table?topicArn=arn:aws:sns:region:account_id:topic_name'
+ auditLogPrimaryBackend: "athena"
+ auditLogMirrorOnStdout: true
+ asserts:
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: keeps the second factor type even when it's "off"
+ set:
+ clusterName: helm-lint
+ authentication:
+ secondFactor: 'off'
+ asserts:
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: fails if access monitoring is enabled without athena
+ set:
+ chartMode: aws
+ clusterName: "teleport.example.com"
+ aws:
+ region: asd
+ backendTable: asd
+ sessionRecordingBucket: asd
+ auditLogTable: my-dynamodb-table
+ accessMonitoring:
+ enabled: true
+ asserts:
+ - failedTemplate:
+ errorMessage: "AccessMonitoring requires an Athena Event backend"
+
+ - it: configures access monitoring when its values are set
+ values:
+ - ../.lint/aws-access-monitoring.yaml
+ asserts:
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: sets extraLabels on
Configmap
+ values:
+ - ../.lint/annotations.yaml
+ set:
+ extraLabels:
+ config:
+ foo: bar
+ baz: override-me
+ auth:
+ extraLabels:
+ config:
+ baz: overridden
+ asserts:
+ - equal:
+ path: metadata.labels.foo
+ value: bar
+ - equal:
+ path: metadata.labels.baz
+ value: overridden
+
+ - it: keeps the session_recording type even when it's "off"
+ set:
+ clusterName: helm-lint
+ sessionRecording: 'off'
+ asserts:
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: sets clusterDomain on Configmap
+ set:
+ clusterName: teleport.example.com
+ global:
+ clusterDomain: test.com
+ asserts:
+ - matchSnapshot: {}
+ - matchRegex:
+ path: data.teleport\.yaml
+ pattern: 'svc.test.com:3026'
+
+ - it: matches snapshot for auth-secondfactors-webauthn.yaml
+ values:
+ - ../.lint/auth-secondfactors-webauthn.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: matches snapshot for auth-secondfactors-sso.yaml
+ values:
+ - ../.lint/auth-secondfactors-sso.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: matches snapshot when both secondFactor and secondFactors are set.
+ set:
+ clusterName: helm-lint
+ authentication:
+ secondFactor: "off"
+ secondFactors: ["otp", "webauthn"]
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot:
+ path: data.teleport\.yaml
diff --git a/teleport-cluster-17.4.9/tests/auth_deployment_test.yaml b/teleport-cluster-17.4.9/tests/auth_deployment_test.yaml
new file mode 100644
index 0000000..0b36bd5
--- /dev/null
+++ b/teleport-cluster-17.4.9/tests/auth_deployment_test.yaml
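Review bot: The test `matches snapshot for acme-uri-staging.yaml` near the top of this hunk loads `../.lint/acme-on.yaml` instead of `../.lint/acme-uri-staging.yaml`, so the staging-URI values file this commit adds is never rendered and that snapshot merely duplicates the acme-on case; changing the values entry to `- ../.lint/acme-uri-staging.yaml` would make the test exercise what its name promises. If this directory is a verbatim copy of the upstream teleport-cluster chart, the same fix belongs upstream so the local copy does not drift on the next refresh.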
@@ -0,0 +1,1023 @@
+suite: Auth Deployment
+templates:
+ - auth/deployment.yaml
+ - auth/config.yaml
+tests:
+ - it: sets Deployment annotations when specified
+ template: auth/deployment.yaml
+ values:
+ - ../.lint/annotations.yaml
+ asserts:
+ - equal:
+ path: metadata.annotations.kubernetes\.io/deployment
+ value: test-annotation
+ - equal:
+ path: metadata.annotations.kubernetes\.io/deployment-different
+ value: 3
+
+ - it: sets Pod annotations when specified
+ template: auth/deployment.yaml
+ values:
+ - ../.lint/annotations.yaml
+ asserts:
+ - equal:
+ path: spec.template.metadata.annotations.kubernetes\.io/pod
+ value: test-annotation
+ - equal:
+ path: spec.template.metadata.annotations.kubernetes\.io/pod-different
+ value: 4
+
+ - it: should not have more than one replica in standalone mode
+ template: auth/deployment.yaml
+ set:
+ chartMode: standalone
+ clusterName: helm-lint.example.com
+ asserts:
+ - equal:
+ path: spec.replicas
+ value: 1
+
+ - it: should have multiple replicas when replicaCount is set
+ template: auth/deployment.yaml
+ set:
+ chartMode: scratch
+ clusterName: helm-lint.example.com
+ highAvailability:
+ replicaCount: 3
+ asserts:
+ - equal:
+ path: spec.replicas
+ value: 3
+
+ - it: should set affinity when set in values
+ template: auth/deployment.yaml
+ set:
+ clusterName: helm-lint.example.com
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: gravitational.io/dedicated
+ operator: In
+ values:
+ - teleport
+ asserts:
+ - isNotNull:
+ path: spec.template.spec.affinity
+ - matchSnapshot:
+ path: spec.template.spec.affinity
+
+ - it: should set nodeSelector when set in values
+ template: auth/deployment.yaml
+ set:
+ chartMode: scratch
+ clusterName: helm-lint.example.com
+ nodeSelector:
+ role: bastion
+ environment: security
+ asserts:
+ - isNotNull:
+ path: spec.template.spec.nodeSelector
+ - matchSnapshot:
+ path: spec.template.spec
+
+ - it: should
set required affinity when highAvailability.requireAntiAffinity is set
+ template: auth/deployment.yaml
+ values:
+ - ../.lint/aws-ha-antiaffinity.yaml
+ asserts:
+ - isNotNull:
+ path: spec.template.spec.affinity
+ - isNotNull:
+ path: spec.template.spec.affinity.podAntiAffinity
+ - isNotNull:
+ path: spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution
+ - matchSnapshot:
+ path: spec.template.spec.affinity
+
+ - it: should set tolerations when set in values
+ template: auth/deployment.yaml
+ values:
+ - ../.lint/tolerations.yaml
+ asserts:
+ - isNotNull:
+ path: spec.template.spec.tolerations
+ - matchSnapshot:
+ path: spec.template.spec.tolerations
+
+ - it: should set resources when set in values
+ template: auth/deployment.yaml
+ values:
+ - ../.lint/resources.yaml
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].resources.limits.cpu
+ value: 2
+ - equal:
+ path: spec.template.spec.containers[0].resources.limits.memory
+ value: 4Gi
+ - equal:
+ path: spec.template.spec.containers[0].resources.requests.cpu
+ value: 1
+ - equal:
+ path: spec.template.spec.containers[0].resources.requests.memory
+ value: 2Gi
+ - matchSnapshot:
+ path: spec.template.spec
+
+ - it: should set podSecurityContext when set in values
+ template: auth/deployment.yaml
+ values:
+ - ../.lint/pod-security-context.yaml
+ asserts:
+ - equal:
+ path: spec.template.spec.securityContext.fsGroup
+ value: 99
+ - equal:
+ path: spec.template.spec.securityContext.fsGroupChangePolicy
+ value: OnRootMismatch
+ - equal:
+ path: spec.template.spec.securityContext.runAsGroup
+ value: 99
+ - equal:
+ path: spec.template.spec.securityContext.runAsNonRoot
+ value: true
+ - equal:
+ path: spec.template.spec.securityContext.runAsUser
+ value: 99
+
+ - it: should not set podSecurityContext when is empty object (default value)
+ template: auth/deployment.yaml
+ values:
+ - ../.lint/pod-security-context-empty.yaml
+ asserts:
+ - isNull:
+ path:
spec.template.spec.securityContext
+
+ - it: should set securityContext when set in values
+ template: auth/deployment.yaml
+ values:
+ - ../.lint/security-context.yaml
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation
+ value: false
+ - equal:
+ path: spec.template.spec.containers[0].securityContext.privileged
+ value: false
+ - equal:
+ path: spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem
+ value: false
+ - equal:
+ path: spec.template.spec.containers[0].securityContext.runAsGroup
+ value: 99
+ - equal:
+ path: spec.template.spec.containers[0].securityContext.runAsNonRoot
+ value: true
+ - equal:
+ path: spec.template.spec.containers[0].securityContext.runAsUser
+ value: 99
+ - matchSnapshot:
+ path: spec.template.spec
+
+ - it: should not set securityContext when is empty object (default value)
+ template: auth/deployment.yaml
+ values:
+ - ../.lint/security-context-empty.yaml
+ asserts:
+ - isNull:
+ path: spec.template.spec.containers[0].securityContext
+
+ # we can't use the dynamic chart version or appVersion as a variable in the tests,
+ # so we override it manually and check that gets set instead
+ # this saves us having to update the test every time we cut a new release
+ - it: should use enterprise image and mount license when enterprise is set in values
+ template: auth/deployment.yaml
+ set:
+ clusterName: helm-lint.example.com
+ enterprise: true
+ teleportVersionOverride: 12.2.1
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].image
+ value: public.ecr.aws/gravitational/teleport-ent-distroless:12.2.1
+ - contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ mountPath: /var/lib/license
+ name: "license"
+ readOnly: true
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: license
+ secret:
+ secretName: license
+
+ - it: should use enterprise image and mount license with custom secret name when enterprise is set in values
+
template: auth/deployment.yaml + set: + clusterName: helm-lint.example.com + enterprise: true + licenseSecretName: enterprise-license + teleportVersionOverride: 12.2.1 + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: public.ecr.aws/gravitational/teleport-ent-distroless:12.2.1 + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /var/lib/license + name: "license" + readOnly: true + - contains: + path: spec.template.spec.volumes + content: + name: license + secret: + secretName: enterprise-license + + - it: should use OSS image and not mount license when enterprise is not set in values + template: auth/deployment.yaml + set: + clusterName: helm-lint + teleportVersionOverride: 12.2.1 + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: public.ecr.aws/gravitational/teleport-distroless:12.2.1 + - notContains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /var/lib/license + name: "license" + readOnly: true + - notContains: + path: spec.template.spec.volumes + content: + name: license + secret: + secretName: license + - matchSnapshot: + path: spec.template.spec + + - it: should mount GCP credentials in GCP mode + template: auth/deployment.yaml + values: + - ../.lint/gcp-ha.yaml + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /etc/teleport-secrets + name: "gcp-credentials" + readOnly: true + - contains: + path: spec.template.spec.volumes + content: + name: gcp-credentials + secret: + secretName: teleport-gcp-credentials + + - it: should not mount secret when credentialSecretName is blank in values + template: auth/deployment.yaml + values: + - ../.lint/gcp-ha-workload.yaml + asserts: + - notContains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /etc/teleport-secrets + name: "gcp-credentials" + readOnly: true + - notContains: + path: spec.template.spec.volumes + 
content: + name: gcp-credentials + secret: + secretName: teleport-gcp-credentials + + - it: should mount GCP credentials for initContainer in GCP mode + template: auth/deployment.yaml + values: + - ../.lint/gcp-ha.yaml + - ../.lint/initcontainers.yaml + asserts: + - contains: + path: spec.template.spec.initContainers[0].volumeMounts + content: + mountPath: /etc/teleport-secrets + name: "gcp-credentials" + readOnly: true + + - it: should mount ConfigMap containing Teleport config + template: auth/deployment.yaml + set: + clusterName: helm-lint.example.com + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /etc/teleport + name: "config" + readOnly: true + - contains: + path: spec.template.spec.volumes + content: + name: config + configMap: + name: RELEASE-NAME-auth + + - it: should mount extraVolumes and extraVolumeMounts on container and initContainers + template: auth/deployment.yaml + values: + - ../.lint/volumes.yaml + - ../.lint/initcontainers.yaml + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /path/to/mount + name: my-mount + - contains: + path: spec.template.spec.initContainers[0].volumeMounts + content: + mountPath: /path/to/mount + name: my-mount + - contains: + path: spec.template.spec.initContainers[1].volumeMounts + content: + mountPath: /path/to/mount + name: my-mount + - contains: + path: spec.template.spec.volumes + content: + name: my-mount + secret: + secretName: mySecret + + - it: should set imagePullPolicy when set in values + template: auth/deployment.yaml + set: + clusterName: helm-lint.example.com + imagePullPolicy: Always + asserts: + - equal: + path: spec.template.spec.containers[0].imagePullPolicy + value: Always + + - it: should have only one container when no `extraContainers` is set in values + template: auth/deployment.yaml + set: + extraContainers: [] + clusterName: helm-lint.example.com + asserts: + - isNotNull: + path: 
spec.template.spec.containers[0] + - isNull: + path: spec.template.spec.containers[1] + + - it: should add one more container when `extraContainers` is set in values + template: auth/deployment.yaml + values: + - ../.lint/extra-containers.yaml + asserts: + - equal: + path: spec.template.spec.containers[1] + value: + name: nscenter + command: + - /bin/bash + - -c + - sleep infinity & wait + image: praqma/network-multitool + imagePullPolicy: IfNotPresent + securityContext: + privileged: true + runAsNonRoot: false + + - it: should set environment when extraEnv set in values + template: auth/deployment.yaml + values: + - ../.lint/extra-env.yaml + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: SOME_ENVIRONMENT_VARIABLE + value: "some-value" + + - it: should set imagePullSecrets when set in values + template: auth/deployment.yaml + values: + - ../.lint/imagepullsecrets.yaml + asserts: + - equal: + path: spec.template.spec.imagePullSecrets[0].name + value: myRegistryKeySecretName + - matchSnapshot: + path: spec.template.spec.imagePullSecrets + + - it: should provision initContainer correctly when set in values + template: auth/deployment.yaml + values: + - ../.lint/initcontainers.yaml + - ../.lint/resources.yaml + - ../.lint/extra-env.yaml + asserts: + - contains: + path: spec.template.spec.initContainers[0].args + content: "echo test" + - equal: + path: spec.template.spec.initContainers[0].name + value: "teleport-init" + - equal: + path: spec.template.spec.initContainers[0].image + value: "alpine" + - equal: + path: spec.template.spec.initContainers[0].resources.limits.cpu + value: 2 + - equal: + path: spec.template.spec.initContainers[0].resources.limits.memory + value: 4Gi + - equal: + path: spec.template.spec.initContainers[0].resources.requests.cpu + value: 1 + - equal: + path: spec.template.spec.initContainers[0].resources.requests.memory + value: 2Gi + - contains: + path: spec.template.spec.initContainers[1].args + content: 
"echo test2" + - equal: + path: spec.template.spec.initContainers[1].name + value: "teleport-init2" + - equal: + path: spec.template.spec.initContainers[1].image + value: "alpine" + - equal: + path: spec.template.spec.initContainers[1].resources.limits.cpu + value: 2 + - equal: + path: spec.template.spec.initContainers[1].resources.limits.memory + value: 4Gi + - equal: + path: spec.template.spec.initContainers[1].resources.requests.cpu + value: 1 + - equal: + path: spec.template.spec.initContainers[1].resources.requests.memory + value: 2Gi + - matchSnapshot: + path: spec.template.spec.initContainers + + - it: should add insecureSkipProxyTLSVerify to args when set in values + template: auth/deployment.yaml + set: + clusterName: helm-lint.example.com + insecureSkipProxyTLSVerify: true + asserts: + - contains: + path: spec.template.spec.containers[0].args + content: "--insecure" + + - it: should expose diag port + template: auth/deployment.yaml + set: + clusterName: helm-lint.example.com + asserts: + - contains: + path: spec.template.spec.containers[0].ports + content: + name: diag + containerPort: 3000 + protocol: TCP + + - it: should expose auth port + template: auth/deployment.yaml + set: + clusterName: helm-lint.example.com + asserts: + - contains: + path: spec.template.spec.containers[0].ports + content: + name: auth + containerPort: 3025 + protocol: TCP + + - it: should expose kube port + template: auth/deployment.yaml + set: + clusterName: helm-lint.example.com + asserts: + - contains: + path: spec.template.spec.containers[0].ports + content: + name: kube + containerPort: 3026 + protocol: TCP + + - it: should set postStart command if set in values + template: auth/deployment.yaml + set: + clusterName: helm-lint.example.com + postStart: + command: ["/bin/echo", "test"] + asserts: + - equal: + path: spec.template.spec.containers[0].lifecycle.postStart.exec.command + value: ["/bin/echo", "test"] + + - it: should add PersistentVolumeClaim as volume when in 
standalone mode and persistence.enabled is true + template: auth/deployment.yaml + set: + chartMode: standalone + clusterName: helm-lint.example.com + persistence: + enabled: true + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: data + persistentVolumeClaim: + claimName: RELEASE-NAME + + - it: should not add PersistentVolumeClaim as volume when in standalone mode and persistence.enabled is false + template: auth/deployment.yaml + set: + chartMode: standalone + clusterName: helm-lint.example.com + persistence: + enabled: false + asserts: + - notContains: + path: spec.template.spec.volumes + content: + name: data + persistentVolumeClaim: + claimName: RELEASE-NAME + + - it: should add PersistentVolumeClaim as volume when in scratch mode and persistence.enabled is true + template: auth/deployment.yaml + set: + chartMode: scratch + clusterName: helm-lint.example.com + persistence: + enabled: true + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: data + persistentVolumeClaim: + claimName: RELEASE-NAME + + - it: should not add PersistentVolumeClaim as volume when in scratch mode and persistence.enabled is false + template: auth/deployment.yaml + set: + chartMode: scratch + clusterName: helm-lint.example.com + persistence: + enabled: false + asserts: + - notContains: + path: spec.template.spec.volumes + content: + name: data + persistentVolumeClaim: + claimName: RELEASE-NAME + + - it: should add named PersistentVolumeClaim as volume when in standalone mode, persistence.existingClaimName is set and persistence.enabled is true + template: auth/deployment.yaml + values: + - ../.lint/standalone-existingpvc.yaml + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: data + persistentVolumeClaim: + claimName: teleport-storage + + - it: should not add named PersistentVolumeClaim as volume when in standalone mode, persistence.existingClaimName is set but persistence.enabled is false + template: 
auth/deployment.yaml + values: + - ../.lint/standalone-existingpvc.yaml + set: + persistence: + enabled: false + asserts: + - notContains: + path: spec.template.spec.volumes + content: + name: data + persistentVolumeClaim: + claimName: teleport-storage + + - it: should add named PersistentVolumeClaim as volume when in scratch mode and persistence.existingClaimName is set + template: auth/deployment.yaml + values: + - ../.lint/standalone-existingpvc.yaml + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: data + persistentVolumeClaim: + claimName: teleport-storage + + - it: should not add named PersistentVolumeClaim as volume when in scratch mode, persistence.existingClaimName is set and persistence.enabled is false + template: auth/deployment.yaml + values: + - ../.lint/standalone-existingpvc.yaml + set: + persistence: + enabled: false + asserts: + - notContains: + path: spec.template.spec.volumes + content: + name: data + persistentVolumeClaim: + claimName: teleport-storage + - matchSnapshot: + path: spec.template.spec + + - it: should add emptyDir for data in AWS mode + template: auth/deployment.yaml + values: + - ../.lint/aws-ha.yaml + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: data + emptyDir: {} + + - it: should add emptyDir for data in GCP mode + template: auth/deployment.yaml + values: + - ../.lint/gcp-ha.yaml + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: data + emptyDir: {} + + - it: should set priorityClassName when set in values + template: auth/deployment.yaml + values: + - ../.lint/priority-class-name.yaml + asserts: + - equal: + path: spec.template.spec.priorityClassName + value: system-cluster-critical + + - it: should set probeTimeoutSeconds when set in values + template: auth/deployment.yaml + values: + - ../.lint/probe-timeout-seconds.yaml + asserts: + - equal: + path: spec.template.spec.containers[0].livenessProbe.timeoutSeconds + value: 5 + - equal: + 
path: spec.template.spec.containers[0].readinessProbe.timeoutSeconds + value: 5 + + - it: should mount tls.existingCASecretName and set environment when set in values + template: auth/deployment.yaml + values: + - ../.lint/existing-tls-secret-with-ca.yaml + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: teleport-tls-ca + secret: + secretName: helm-lint-existing-tls-secret-ca + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /etc/teleport-tls-ca + name: teleport-tls-ca + readOnly: true + - contains: + path: spec.template.spec.containers[0].env + content: + name: SSL_CERT_FILE + value: /etc/teleport-tls-ca/ca.pem + + - it: should mount tls.existingCASecretName and set extra environment when set in values + template: auth/deployment.yaml + values: + - ../.lint/existing-tls-secret-with-ca.yaml + - ../.lint/extra-env.yaml + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: teleport-tls-ca + secret: + secretName: helm-lint-existing-tls-secret-ca + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /etc/teleport-tls-ca + name: teleport-tls-ca + readOnly: true + - contains: + path: spec.template.spec.containers[0].env + content: + name: SSL_CERT_FILE + value: /etc/teleport-tls-ca/ca.pem + - contains: + path: spec.template.spec.containers[0].env + content: + name: SOME_ENVIRONMENT_VARIABLE + value: some-value + + - it: should set minReadySeconds when replicaCount > 1 + template: auth/deployment.yaml + set: + chartMode: scratch + highAvailability: + minReadySeconds: 60 + replicaCount: 3 + asserts: + - equal: + path: spec.minReadySeconds + value: 60 + + - it: should not set minReadySeconds when replicaCount = 1 + template: auth/deployment.yaml + set: + chartMode: scratch + highAvailability: + minReadySeconds: 60 + replicaCount: 1 + asserts: + - equal: + path: spec.minReadySeconds + value: null + + - it: should use Recreate strategy when 
replicaCount = 1 + template: auth/deployment.yaml + set: + chartMode: scratch + highAvailability: + replicaCount: 1 + asserts: + - equal: + path: spec.strategy.type + value: Recreate + + - it: should not set strategy when replicaCount > 1 + template: auth/deployment.yaml + set: + chartMode: scratch + highAvailability: + replicaCount: 2 + asserts: + - equal: + path: spec.strategy.type + value: RollingUpdate + + - it: should not perform surge rolling updates when replicaCount > 1 + template: auth/deployment.yaml + set: + chartMode: scratch + highAvailability: + replicaCount: 2 + asserts: + - equal: + path: spec.strategy.rollingUpdate.maxSurge + value: 0 + - equal: + path: spec.strategy.rollingUpdate.maxUnavailable + value: 1 + + - it: mounts regular tokens on older Kubernetes versions + template: auth/deployment.yaml + set: + clusterName: helm-lint + capabilities: + majorVersion: 1 + minorVersion: 18 + asserts: + - notEqual: + path: spec.template.spec.automountServiceAccountToken + value: false + - notContains: + path: spec.template.spec.volumes + content: + name: auth-serviceaccount-token + projected: + sources: + - serviceAccountToken: + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - path: "namespace" + fieldRef: + fieldPath: metadata.namespace + - notContains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: auth-serviceaccount-token + readOnly: true + + - it: mounts tokens through projected volumes on newer Kubernetes versions + template: auth/deployment.yaml + set: + clusterName: helm-lint + capabilities: + majorVersion: 1 + minorVersion: 21 + asserts: + - equal: + path: spec.template.spec.automountServiceAccountToken + value: false + - contains: + path: spec.template.spec.volumes + content: + name: auth-serviceaccount-token + projected: + sources: + - serviceAccountToken: + path: token + - configMap: + 
items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - path: "namespace" + fieldRef: + fieldPath: metadata.namespace + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: auth-serviceaccount-token + readOnly: true + + - it: should add the azure workload identity label to auth pods in azure mode + template: auth/deployment.yaml + set: + chartMode: azure + clusterName: teleport.example.com + asserts: + - equal: + path: spec.template.metadata.labels.azure\.workload\.identity/use + value: "true" + + - it: sets extraLabels on Deployment + template: auth/deployment.yaml + values: + - ../.lint/annotations.yaml + set: + extraLabels: + deployment: + foo: bar + baz: override-me + auth: + extraLabels: + deployment: + baz: overridden + asserts: + - equal: + path: metadata.labels.foo + value: bar + - equal: + path: metadata.labels.baz + value: overridden + + - it: sets extraLabels on Deployment Pods + template: auth/deployment.yaml + values: + - ../.lint/annotations.yaml + set: + extraLabels: + pod: + foo: bar + baz: override-me + auth: + extraLabels: + pod: + baz: overridden + asserts: + - equal: + path: spec.template.metadata.labels.foo + value: bar + - equal: + path: spec.template.metadata.labels.baz + value: overridden + + - it: sets readinessProbe values on Deployment Pods + template: auth/deployment.yaml + set: + clusterName: helm-lint + readinessProbe: + initialDelaySeconds: 9 + periodSeconds: 10 + failureThreshold: 11 + successThreshold: 12 + auth: + # we test an auth-specific override + readinessProbe: + initialDelaySeconds: 13 + asserts: + - equal: + path: spec.template.spec.containers[0].readinessProbe.periodSeconds + value: 10 + - equal: + path: spec.template.spec.containers[0].readinessProbe.failureThreshold + value: 11 + - equal: + path: spec.template.spec.containers[0].readinessProbe.successThreshold + value: 12 + - equal: + path: 
spec.template.spec.containers[0].readinessProbe.initialDelaySeconds + value: 13 + + - it: sets topology spread constraints by default + template: auth/deployment.yaml + set: + clusterName: helm-lint + asserts: + - equal: + path: spec.template.spec.topologySpreadConstraints + value: + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app.kubernetes.io/component: auth + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + - maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app.kubernetes.io/component: auth + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + + - it: removes topology spread constraints when disabled + template: auth/deployment.yaml + set: + clusterName: helm-lint + disableTopologySpreadConstraints: true + asserts: + - isEmpty: + path: spec.template.spec.topologySpreadConstraints + + - it: removes topology spread constraints when running on antique kubernetes + template: auth/deployment.yaml + set: + clusterName: helm-lint + capabilities: + majorVersion: 1 + minorVersion: 17 + asserts: + - isEmpty: + path: spec.template.spec.topologySpreadConstraints + + - it: uses custom topology spread constraints when set + template: auth/deployment.yaml + set: + clusterName: helm-lint + topologySpreadConstraints: + - maxSkew: 2 + topologyKey: foobar + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app: baz + # helm unit-test has a bug where capabilities are not reset between tests, we must set back to 1.18 after the 1.17 test. + capabilities: + majorVersion: 1 + minorVersion: 18 + asserts: + - equal: + path: spec.template.spec.topologySpreadConstraints + value: + - maxSkew: 2 + topologyKey: foobar + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app: baz 
diff --git a/teleport-cluster-17.4.9/tests/auth_pdb_test.yaml b/teleport-cluster-17.4.9/tests/auth_pdb_test.yaml
new file mode 100644
index 0000000..a424eeb
--- /dev/null
+++ b/teleport-cluster-17.4.9/tests/auth_pdb_test.yaml
@@ -0,0 +1,43 @@
+suite: Auth PodDisruptionBudget
+templates:
+ - auth/pdb.yaml
+tests:
+ - it: not should create a PDB when disabled in values
+ set:
+ highAvailability:
+ podDisruptionBudget:
+ enabled: false
+ asserts:
+ - hasDocuments:
+ count: 0
+ - it: should create a PDB when enabled in values (pdb.yaml)
+ values:
+ - ../.lint/pdb.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: PodDisruptionBudget
+ - equal:
+ path: spec.minAvailable
+ value: 2
+
+ - it: sets extraLabels on PodDisruptionBudget
+ values:
+ - ../.lint/pdb.yaml
+ set:
+ extraLabels:
+ podDisruptionBudget:
+ foo: bar
+ baz: override-me
+ auth:
+ extraLabels:
+ podDisruptionBudget:
+ baz: overridden
+ asserts:
+ - equal:
+ path: metadata.labels.foo
+ value: bar
+ - equal:
+ path: metadata.labels.baz
+ value: overridden
diff --git a/teleport-cluster-17.4.9/tests/auth_pvc_test.yaml b/teleport-cluster-17.4.9/tests/auth_pvc_test.yaml
new file mode 100644
index 0000000..2742f22
--- /dev/null
+++ b/teleport-cluster-17.4.9/tests/auth_pvc_test.yaml
@@ -0,0 +1,106 @@
+suite: Auth PersistentVolumeClaim
+templates:
+ - auth/pvc.yaml
+tests:
+ - it: creates a PersistentVolumeClaim when chartMode=standalone with default size
+ set:
+ chartMode: standalone
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: PersistentVolumeClaim
+ - equal:
+ path: spec.resources.requests.storage
+ value: "10Gi"
+
+ - it: creates a PersistentVolumeClaim when chartMode=scratch
+ set:
+ chartMode: scratch
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: PersistentVolumeClaim
+
+ - it: uses a custom size when set
+ values:
+ - ../.lint/standalone-customsize.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: PersistentVolumeClaim
+ - equal:
+ path: spec.resources.requests.storage
+ value: 50Gi
+
+ - it: uses a custom storage class when set
+ values:
+ - ../.lint/standalone-custom-storage-class.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: PersistentVolumeClaim
+ - equal:
+ path: spec.storageClassName
+ value: ebs-ssd
+
+ - it: does not create a PersistentVolumeClaim when chartMode=standalone and existingClaimName is not blank
+ set:
+ chartMode: standalone
+ persistence:
+ existingClaimName: test-claim
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: does not create a PersistentVolumeClaim when chartMode=scratch and existingClaimName is not blank
+ set:
+ chartMode: scratch
+ persistence:
+ existingClaimName: test-claim
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: does not create a PersistentVolumeClaim when chartMode=aws
+ set:
+ chartMode: aws
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: does not create a PersistentVolumeClaim when chartMode=gcp
+ set:
+ chartMode: gcp
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: does not create a PersistentVolumeClaim when chartMode=azure
+ set:
+ chartMode: azure
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: sets extraLabels on PersistentVolumeClaim
+ set:
+ chartMode: standalone
+ extraLabels:
+ persistentVolumeClaim:
+ foo: bar
+ baz: override-me
+ auth:
+ extraLabels:
+ persistentVolumeClaim:
+ baz: overridden
+ asserts:
+ - equal:
+ path: metadata.labels.foo
+ value: bar
+ - equal:
+ path: metadata.labels.baz
+ value: overridden
diff --git a/teleport-cluster-17.4.9/tests/auth_serviceaccount_test.yaml b/teleport-cluster-17.4.9/tests/auth_serviceaccount_test.yaml
new file mode 100644
index 0000000..2165131
--- /dev/null
+++ b/teleport-cluster-17.4.9/tests/auth_serviceaccount_test.yaml
@@ -0,0 +1,74 @@
+suite: Auth ServiceAccount
+templates:
+ - auth/serviceaccount.yaml
+tests:
+ - it: sets ServiceAccount annotations when specified
+ values:
+ - ../.lint/annotations.yaml
+ asserts:
+ - equal:
+ path: metadata.annotations.kubernetes\.io/serviceaccount
+ value: test-annotation
+ - equal:
+ path: metadata.annotations.kubernetes\.io/serviceaccount-different
+ value: 6
+
+ - it: changes ServiceAccount name when specified
+ values:
+ - ../.lint/service-account.yaml
+ asserts:
+ - equal:
+ path: metadata.name
+ value: "helm-lint"
+
+ - it: sets Azure client ID when set
+ set:
+ chartMode: azure
+ azure:
+ clientID: "1234"
+ asserts:
+ - equal:
+ path: metadata.annotations.azure\.workload\.identity/client-id
+ value: "1234"
+
+ - it: sets extraLabels on ServiceAccount
+ values:
+ - ../.lint/annotations.yaml
+ set:
+ extraLabels:
+ serviceAccount:
+ foo: bar
+ baz: override-me
+ auth:
+ extraLabels:
+ serviceAccount:
+ baz: overridden
+ asserts:
+ - equal:
+ path: metadata.labels.foo
+ value: bar
+ - equal:
+ path: metadata.labels.baz
+ value: overridden
+
+ - it: does not set automountServiceAccountToken if cluster version is <1.20
+ set:
+ clusterName: helm-lint
+ capabilities:
+ majorVersion: 1
+ minorVersion: 18
+ asserts:
+ - notEqual:
+ path: automountServiceAccountToken
+ value: false
+
+ - it: sets automountServiceAccountToken to false if cluster version is >=1.20
+ set:
+ clusterName: helm-lint
+ capabilities:
+ majorVersion: 1
+ minorVersion: 20
+ asserts:
+ - equal:
+ path: automountServiceAccountToken
+ value: false
diff --git a/teleport-cluster-17.4.9/tests/ingress_test.yaml b/teleport-cluster-17.4.9/tests/ingress_test.yaml
new file mode 100644
index 0000000..2486967
--- /dev/null
+++ b/teleport-cluster-17.4.9/tests/ingress_test.yaml
@@ -0,0 +1,568 @@ +suite: Proxy Ingress +templates: + - proxy/ingress.yaml +tests: + - it: does not create an Ingress by default + set: + clusterName: teleport.example.com + asserts: + - hasDocuments: + count: 0 + + - it: creates an Ingress when ingress.enabled=true and proxyListenerMode=multiplex + values: + - ../.lint/ingress.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Ingress + + - it: does not create an Ingress when ingress.enabled=true, proxyListenerMode=multiplex but ingress.useExisting is true + values: + - ../.lint/ingress.yaml + set: + ingress: + useExisting: true + asserts: + - hasDocuments: + count: 0 + + - it: fails to deploy an Ingress when ingress.enabled=true and proxyListenerMode is not set + values: + - ../.lint/ingress.yaml + set: + proxyListenerMode: "" + asserts: + - failedTemplate: + errorMessage: "Use of an ingress requires TLS multiplexing to be enabled, so you must also set proxyListenerMode=multiplex - see https://goteleport.com/docs/architecture/tls-routing/" + + - it: fails to deploy an Ingress when ingress.enabled=true and proxyListenerMode=separate + values: + - ../.lint/ingress.yaml + set: + proxyListenerMode: separate + asserts: + - failedTemplate: + errorMessage: "Use of an ingress requires TLS multiplexing to be enabled, so you must also set proxyListenerMode=multiplex - see https://goteleport.com/docs/architecture/tls-routing/" + + - it: wears annotations when set + values: + - ../.lint/ingress.yaml + set: + annotations: + ingress: + test-annotation: test-annotation-value + another-annotation: some-other-value + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Ingress + - equal: + path: metadata.annotations.test-annotation + value: test-annotation-value + - equal: + path: metadata.annotations.another-annotation + value: some-other-value + + - it: sets the clusterName and wildcard of clusterName as hostnames when Ingress is enabled + values: + - ../.lint/ingress.yaml + asserts: + - equal: + path: 
spec.tls[0].hosts[0] + value: "teleport.example.com" + - contains: + path: spec.tls + content: + hosts: + - "teleport.example.com" + - "*.teleport.example.com" + - equal: + path: spec.rules[0].host + value: "teleport.example.com" + - contains: + path: spec.rules + content: + host: "teleport.example.com" + http: + paths: + - backend: + service: + name: RELEASE-NAME + port: + number: 443 + path: / + pathType: Prefix + - equal: + path: spec.rules[1].host + value: "*.teleport.example.com" + - contains: + path: spec.rules + content: + host: "*.teleport.example.com" + http: + paths: + - backend: + service: + name: RELEASE-NAME + port: + number: 443 + path: / + pathType: Prefix + - matchSnapshot: + path: spec.tls + + - it: does not set a wildcard of clusterName as a hostname when Ingress is enabled and ingress.suppressAutomaticWildcards is true + values: + - ../.lint/ingress.yaml + set: + ingress: + suppressAutomaticWildcards: true + asserts: + - equal: + path: spec.tls[0].hosts[0] + value: "teleport.example.com" + - contains: + path: spec.tls + content: + hosts: + - "teleport.example.com" + - equal: + path: spec.rules[0].host + value: "teleport.example.com" + - contains: + path: spec.rules + content: + host: "teleport.example.com" + http: + paths: + - backend: + service: + name: RELEASE-NAME + port: + number: 443 + path: / + pathType: Prefix + - notContains: + path: spec.rules + content: + host: "*.teleport.example.com" + http: + paths: + - backend: + service: + name: RELEASE-NAME + port: + number: 443 + path: / + pathType: Prefix + - matchSnapshot: + path: spec.tls + + - it: sets the publicAddr and wildcard of publicAddr as hostnames when Ingress is enabled and publicAddr is set + values: + - ../.lint/ingress.yaml + set: + publicAddr: ["helm-lint.example.com"] + asserts: + - equal: + path: spec.tls[0].hosts[0] + value: "helm-lint.example.com" + - contains: + path: spec.tls + content: + hosts: + - "helm-lint.example.com" + - "*.helm-lint.example.com" + - equal: + path: 
spec.rules[0].host + value: helm-lint.example.com + - contains: + path: spec.rules + content: + host: "helm-lint.example.com" + http: + paths: + - backend: + service: + name: RELEASE-NAME + port: + number: 443 + path: / + pathType: Prefix + - equal: + path: spec.rules[1].host + value: "*.helm-lint.example.com" + - contains: + path: spec.rules + content: + host: "*.helm-lint.example.com" + http: + paths: + - backend: + service: + name: RELEASE-NAME + port: + number: 443 + path: / + pathType: Prefix + - matchSnapshot: + path: spec.tls + + - it: does not set a wildcard of publicAddr as a hostname when Ingress is enabled, publicAddr is set and ingress.suppressAutomaticWildcards is true + values: + - ../.lint/ingress.yaml + set: + publicAddr: ["helm-lint.example.com"] + ingress: + suppressAutomaticWildcards: true + asserts: + - equal: + path: spec.tls[0].hosts[0] + value: "helm-lint.example.com" + - contains: + path: spec.tls + content: + hosts: + - "helm-lint.example.com" + - equal: + path: spec.rules[0].host + value: helm-lint.example.com + - contains: + path: spec.rules + content: + host: "helm-lint.example.com" + http: + paths: + - backend: + service: + name: RELEASE-NAME + port: + number: 443 + path: / + pathType: Prefix + - notContains: + path: spec.rules + content: + host: "*.helm-lint.example.com" + http: + paths: + - backend: + service: + name: RELEASE-NAME + port: + number: 443 + path: / + pathType: Prefix + - matchSnapshot: + path: spec.tls + + - it: trims ports from publicAddr and uses it as the hostname when Ingress is enabled and publicAddr is set + values: + - ../.lint/ingress.yaml + set: + publicAddr: ["helm-lint.example.com:443"] + asserts: + - equal: + path: spec.tls[0].hosts[0] + value: "helm-lint.example.com" + - contains: + path: spec.tls + content: + hosts: + - "helm-lint.example.com" + - "*.helm-lint.example.com" + - equal: + path: spec.rules[0].host + value: "helm-lint.example.com" + - contains: + path: spec.rules + content: + host: 
helm-lint.example.com + http: + paths: + - backend: + service: + name: RELEASE-NAME + port: + number: 443 + path: / + pathType: Prefix + - equal: + path: spec.rules[1].host + value: "*.helm-lint.example.com" + - contains: + path: spec.rules + content: + host: "*.helm-lint.example.com" + http: + paths: + - backend: + service: + name: RELEASE-NAME + port: + number: 443 + path: / + pathType: Prefix + - matchSnapshot: + path: spec.tls + + - it: exposes all publicAddrs and wildcard publicAddrs as hostnames when Ingress is enabled and multiple publicAddrs are set + values: + - ../.lint/ingress.yaml + set: + publicAddr: ["helm-lint.example.com", "helm-lint-second-domain.example.com"] + asserts: + - equal: + path: spec.tls[0].hosts[0] + value: "helm-lint.example.com" + - equal: + path: spec.tls[0].hosts[1] + value: "helm-lint-second-domain.example.com" + - contains: + path: spec.tls + content: + hosts: + - "helm-lint.example.com" + - "helm-lint-second-domain.example.com" + - "*.helm-lint.example.com" + - "*.helm-lint-second-domain.example.com" + - equal: + path: spec.rules[0].host + value: "helm-lint.example.com" + - equal: + path: spec.rules[1].host + value: "helm-lint-second-domain.example.com" + - equal: + path: spec.rules[2].host + value: "*.helm-lint.example.com" + - equal: + path: spec.rules[3].host + value: "*.helm-lint-second-domain.example.com" + - contains: + path: spec.rules + content: + host: "helm-lint.example.com" + http: + paths: + - backend: + service: + name: RELEASE-NAME + port: + number: 443 + path: / + pathType: Prefix + - contains: + path: spec.rules + content: + host: "helm-lint-second-domain.example.com" + http: + paths: + - backend: + service: + name: RELEASE-NAME + port: + number: 443 + path: / + pathType: Prefix + - contains: + path: spec.rules + content: + host: "*.helm-lint.example.com" + http: + paths: + - backend: + service: + name: RELEASE-NAME + port: + number: 443 + path: / + pathType: Prefix + - contains: + path: spec.rules + content: + 
host: "*.helm-lint-second-domain.example.com" + http: + paths: + - backend: + service: + name: RELEASE-NAME + port: + number: 443 + path: / + pathType: Prefix + - matchSnapshot: + path: spec.tls + + # this is a very contrived example which wouldn't even work in reality + # it's just to test the logic in the hostname generation code + - it: does not add additional wildcard publicAddrs when Ingress is enabled and a publicAddr already contains a wildcard + values: + - ../.lint/ingress.yaml + set: + publicAddr: ["helm-lint.example.com", "*.helm-lint.example.com", "helm-lint-second-domain.example.com:443"] + asserts: + - equal: + path: spec.tls[0].hosts[0] + value: "helm-lint.example.com" + - equal: + path: spec.tls[0].hosts[1] + value: "*.helm-lint.example.com" + - equal: + path: spec.tls[0].hosts[2] + value: "helm-lint-second-domain.example.com" + - equal: + path: spec.tls[0].hosts[3] + value: "*.helm-lint-second-domain.example.com" + - contains: + path: spec.tls + content: + hosts: + - "helm-lint.example.com" + - "*.helm-lint.example.com" + - "helm-lint-second-domain.example.com" + - "*.helm-lint-second-domain.example.com" + - equal: + path: spec.rules[0].host + value: "helm-lint.example.com" + - equal: + path: spec.rules[1].host + value: "*.helm-lint.example.com" + - equal: + path: spec.rules[2].host + value: "helm-lint-second-domain.example.com" + - equal: + path: spec.rules[3].host + value: "*.helm-lint-second-domain.example.com" + - contains: + path: spec.rules + content: + host: "helm-lint.example.com" + http: + paths: + - backend: + service: + name: RELEASE-NAME + port: + number: 443 + path: / + pathType: Prefix + - contains: + path: spec.rules + content: + host: "*.helm-lint.example.com" + http: + paths: + - backend: + service: + name: RELEASE-NAME + port: + number: 443 + path: / + pathType: Prefix + - contains: + path: spec.rules + content: + host: "helm-lint-second-domain.example.com" + http: + paths: + - backend: + service: + name: RELEASE-NAME + port: + 
number: 443 + path: / + pathType: Prefix + - contains: + path: spec.rules + content: + host: "*.helm-lint-second-domain.example.com" + http: + paths: + - backend: + service: + name: RELEASE-NAME + port: + number: 443 + path: / + pathType: Prefix + - matchSnapshot: + path: spec.tls + + - it: sets spec when passed + values: + - ../.lint/ingress.yaml + set: + ingress: + spec: + ingressClassName: nginx + otherSpecStuff: lint + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Ingress + - equal: + path: spec.ingressClassName + value: nginx + - equal: + path: spec.otherSpecStuff + value: lint + + - it: does not set tls.secretName by default + values: + - ../.lint/ingress.yaml + asserts: + - isEmpty: + path: spec.tls[0].secretName + - matchSnapshot: + path: spec.tls + + - it: sets tls.secretName when cert-manager is enabled + values: + - ../.lint/ingress.yaml + set: + highAvailability: + certManager: + enabled: true + asserts: + - equal: + path: spec.tls[0].secretName + value: teleport-tls + - matchSnapshot: + path: spec.tls + + - it: sets tls.secretName the value of tls.existingSecretName when set + values: + - ../.lint/ingress.yaml + set: + tls: + existingSecretName: helm-lint-tls-secret + asserts: + - equal: + path: spec.tls[0].secretName + value: helm-lint-tls-secret + - matchSnapshot: + path: spec.tls + + - it: sets extraLabels on Ingress + values: + - ../.lint/ingress.yaml + set: + extraLabels: + ingress: + foo: bar + baz: override-me + proxy: + extraLabels: + ingress: + baz: overridden + asserts: + - equal: + path: metadata.labels.foo + value: bar + - equal: + path: metadata.labels.baz + value: overridden diff --git a/teleport-cluster-17.4.9/tests/podmonitor_test.yaml b/teleport-cluster-17.4.9/tests/podmonitor_test.yaml new file mode 100644 index 0000000..ccdf692 --- /dev/null +++ b/teleport-cluster-17.4.9/tests/podmonitor_test.yaml 
@@ -0,0 +1,40 @@ +suite: PodMonitor +templates: + - podmonitor.yaml +tests: + - it: does not create a PodMonitor by default + set: + clusterName: test-kube-cluster-name + asserts: + - hasDocuments: + count: 0 + + - it: creates a PodMonitor when enabled + set: + clusterName: test-kube-cluster-name + podMonitor: + enabled: true + asserts: + - hasDocuments: + count: 1 + - isKind: + of: PodMonitor + + - it: configures scrape interval if provided + set: + clusterName: test-kube-cluster-name + podMonitor: + enabled: true + interval: 2m + asserts: + - equal: + path: spec.podMetricsEndpoints[0].interval + value: 2m + + - it: wears additional labels if provided + asserts: + - equal: + path: metadata.labels.prometheus + value: default + values: + - ../.lint/podmonitor.yaml \ No newline at end of file diff --git a/teleport-cluster-17.4.9/tests/predeploy_test.yaml b/teleport-cluster-17.4.9/tests/predeploy_test.yaml new file mode 100644 index 0000000..7481cae --- /dev/null +++ b/teleport-cluster-17.4.9/tests/predeploy_test.yaml 
@@ -0,0 +1,298 @@ +suite: Pre-Deploy Config Test Hooks +templates: + - auth/predeploy_job.yaml + - auth/predeploy_config.yaml + - auth/predeploy_serviceaccount.yaml + - proxy/predeploy_job.yaml + - proxy/predeploy_config.yaml + - proxy/predeploy_serviceaccount.yaml +tests: + - it: Deploys the auth-test config + template: auth/predeploy_config.yaml + set: + clusterName: helm-lint + asserts: + - containsDocument: + kind: ConfigMap + apiVersion: v1 + name: RELEASE-NAME-auth-test + namespace: NAMESPACE + + - it: Deploys the proxy-test config + template: proxy/predeploy_config.yaml + set: + clusterName: helm-lint + asserts: + - containsDocument: + kind: ConfigMap + apiVersion: v1 + name: RELEASE-NAME-proxy-test + namespace: NAMESPACE + + - it: Deploys the auth-test job + template: auth/predeploy_job.yaml + set: + clusterName: helm-lint + asserts: + - containsDocument: + kind: Job + apiVersion: batch/v1 + name: RELEASE-NAME-auth-test + namespace: NAMESPACE + + - it: Is executed as a pre-install and pre-upgrade hook + set: + clusterName: helm-lint + asserts: + - equal: + path: metadata.annotations.helm\.sh/hook + value: pre-install,pre-upgrade + + - it: Does not render hooks when config validation is disabled + set: + clusterName: helm-lint + validateConfigOnDeploy: false + asserts: + - hasDocuments: + count: 0 + + - it: should set resources on auth predeploy job when set in values + template: auth/predeploy_job.yaml + values: + - ../.lint/resources.yaml + asserts: + - equal: + path: spec.template.spec.containers[0].resources.limits.cpu + value: 2 + - equal: + path: spec.template.spec.containers[0].resources.limits.memory + value: 4Gi + - equal: + path: spec.template.spec.containers[0].resources.requests.cpu + value: 1 + - equal: + path: spec.template.spec.containers[0].resources.requests.memory + value: 2Gi + - it: should set resources on proxy predeploy job when set in values + template: proxy/predeploy_job.yaml + values: + - ../.lint/resources.yaml + asserts: + - 
equal: + path: spec.template.spec.containers[0].resources.limits.cpu + value: 2 + - equal: + path: spec.template.spec.containers[0].resources.limits.memory + value: 4Gi + - equal: + path: spec.template.spec.containers[0].resources.requests.cpu + value: 1 + - equal: + path: spec.template.spec.containers[0].resources.requests.memory + value: 2Gi + + - it: should set imagePullSecrets on proxy predeploy job when set in values + template: proxy/predeploy_job.yaml + values: + - ../.lint/imagepullsecrets.yaml + asserts: + - equal: + path: spec.template.spec.imagePullSecrets[0].name + value: myRegistryKeySecretName + - matchSnapshot: + path: spec.template.spec.imagePullSecrets + + - it: should set imagePullSecrets on auth predeploy job when set in values + template: auth/predeploy_job.yaml + values: + - ../.lint/imagepullsecrets.yaml + asserts: + - equal: + path: spec.template.spec.imagePullSecrets[0].name + value: myRegistryKeySecretName + - matchSnapshot: + path: spec.template.spec.imagePullSecrets + + - it: should set extraLabels on auth predeploy job when set in values + template: auth/predeploy_job.yaml + set: + clusterName: helm-lint + extraLabels: + job: + foo: bar + baz: override-me + auth: + extraLabels: + job: + baz: overridden + asserts: + - equal: + path: metadata.labels.foo + value: bar + - equal: + path: metadata.labels.baz + value: overridden + + - it: should set extraLabels.jobPod on auth predeploy job when set in values + template: auth/predeploy_job.yaml + set: + clusterName: helm-lint + extraLabels: + jobPod: + foo: bar + baz: override-me + auth: + extraLabels: + jobPod: + baz: overridden + asserts: + - equal: + path: spec.template.metadata.labels.foo + value: bar + - equal: + path: spec.template.metadata.labels.baz + value: overridden + + - it: should set extraLabels on auth predeploy config when set in values + template: auth/predeploy_config.yaml + set: + clusterName: helm-lint + extraLabels: + config: + foo: bar + baz: override-me + auth: + 
extraLabels: + config: + baz: overridden + asserts: + - equal: + path: metadata.labels.foo + value: bar + - equal: + path: metadata.labels.baz + value: overridden + + - it: should set extraLabels on proxy predeploy job when set in values + template: proxy/predeploy_job.yaml + set: + clusterName: helm-lint + extraLabels: + job: + foo: bar + baz: override-me + proxy: + extraLabels: + job: + baz: overridden + asserts: + - equal: + path: metadata.labels.foo + value: bar + - equal: + path: metadata.labels.baz + value: overridden + + - it: should set extraLabels.jobPod on proxy predeploy job when set in values + template: proxy/predeploy_job.yaml + set: + clusterName: helm-lint + extraLabels: + jobPod: + foo: bar + baz: override-me + proxy: + extraLabels: + jobPod: + baz: overridden + asserts: + - equal: + path: spec.template.metadata.labels.foo + value: bar + - equal: + path: spec.template.metadata.labels.baz + value: overridden + + - it: should set extraLabels on proxy predeploy config when set in values + template: proxy/predeploy_config.yaml + set: + clusterName: helm-lint + extraLabels: + config: + foo: bar + baz: override-me + proxy: + extraLabels: + config: + baz: overridden + asserts: + - equal: + path: metadata.labels.foo + value: bar + - equal: + path: metadata.labels.baz + value: overridden + + - it: should use default serviceAccount name suffixed with -hook for auth predeploy job SA when not set in values and we're creating SAs + template: auth/predeploy_job.yaml + set: + clusterName: helm-lint + asserts: + - equal: + path: spec.template.spec.serviceAccountName + value: RELEASE-NAME-hook + + - it: should use serviceAccount.name suffixed with -hook for auth predeploy job SA when set in values and we're creating SAs + template: auth/predeploy_job.yaml + set: + clusterName: helm-lint + serviceAccount: + name: helm-test-sa + asserts: + - equal: + path: spec.template.spec.serviceAccountName + value: helm-test-sa-hook + + - it: should use serviceAccount.name for 
auth predeploy job SA when set in values and we're not creating SAs + template: auth/predeploy_job.yaml + set: + clusterName: helm-lint + serviceAccount: + name: helm-test-sa + create: false + asserts: + - equal: + path: spec.template.spec.serviceAccountName + value: helm-test-sa + + - it: should use default serviceAccount name suffixed with -hook for proxy predeploy job SA when not set in values and we're creating SAs + template: proxy/predeploy_job.yaml + set: + clusterName: helm-lint + asserts: + - equal: + path: spec.template.spec.serviceAccountName + value: RELEASE-NAME-proxy-hook + + - it: should use serviceAccount.name suffixed with -hook for proxy predeploy job SA when set in values and we're creating SAs + template: proxy/predeploy_job.yaml + set: + clusterName: helm-lint + serviceAccount: + name: helm-test-sa + asserts: + - equal: + path: spec.template.spec.serviceAccountName + value: helm-test-sa-proxy-hook + + - it: should use serviceAccount.name for proxy predeploy job SA when set in values and we're not creating SAs + template: proxy/predeploy_job.yaml + set: + clusterName: helm-lint + serviceAccount: + name: helm-test-sa + create: false + asserts: + - equal: + path: spec.template.spec.serviceAccountName + value: helm-test-sa-proxy diff --git a/teleport-cluster-17.4.9/tests/proxy_certificate_test.yaml b/teleport-cluster-17.4.9/tests/proxy_certificate_test.yaml new file mode 100644 index 0000000..0d54f2f --- /dev/null +++ b/teleport-cluster-17.4.9/tests/proxy_certificate_test.yaml 
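Review bot: The test `Is executed as a pre-install and pre-upgrade hook` has no `template:` selector, so it runs against all six templates listed in the suite header (Jobs, ConfigMaps and ServiceAccounts alike) and only pins `helm.sh/hook`; nothing asserts `helm.sh/hook-delete-policy` or `helm.sh/hook-weight`. If the templates set a delete policy (they are not visible here), I would pin it as well, e.g. `- equal: path: metadata.annotations.helm\.sh/hook-delete-policy value: <policy the templates emit>`, because a validation Job that is not cleaned up leaves a completed pod around with the hook ServiceAccount token mounted, and the weight is what orders the ConfigMap/ServiceAccount before the Job. The `Does not render hooks when config validation is disabled` test is likewise deliberately unscoped across every template; a one-line comment such as `# no template: selector on purpose - every hook resource must disappear` would make that intent explicit for the next reader.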
@@ -0,0 +1,214 @@ +suite: Proxy Certificate +templates: + - proxy/certificate.yaml +tests: + - it: should request a certificate for cluster name when cert-manager is enabled (cert-manager.yaml) + values: + - ../.lint/cert-manager.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Certificate + - matchSnapshot: + path: spec.dnsNames + - matchSnapshot: + path: spec.issuerRef + - equal: + path: spec.commonName + value: test-cluster + + - it: should request a certificate for cluster name when cert-manager is enabled (cert-secret.yaml) + values: + - ../.lint/cert-secret.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Certificate + - matchSnapshot: + path: spec.dnsNames + - matchSnapshot: + path: spec.issuerRef + + - it: should request a certificate for cluster name and publicAddrs when cert-manager is enabled and proxy.highAvailability.certManager.addPublicAddrs is set (cert-manager.yaml) + values: + - ../.lint/cert-manager.yaml + set: + publicAddr: ['teleport.test.com:443', 'teleport.shared-services.old-domain.com:443'] + highAvailability: + certManager: + addPublicAddrs: true + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Certificate + - matchSnapshot: + path: spec.dnsNames + - matchSnapshot: + path: spec.issuerRef + - equal: + path: spec.commonName + value: test-cluster + - equal: + path: spec.dnsNames[0] + value: "test-cluster" + - equal: + path: spec.dnsNames[1] + value: "*.test-cluster" + - equal: + path: spec.dnsNames[2] + value: "teleport.test.com" + - equal: + path: spec.dnsNames[3] + value: "teleport.shared-services.old-domain.com" + + - it: should not request a certificate for cluster name and publicAddrs when cert-manager is enabled and proxy.highAvailability.certManager.addPublicAddrs is not set (cert-manager.yaml) + values: + - ../.lint/cert-manager.yaml + set: + publicAddr: ['teleport.test.com:443', 'teleport.shared-services.old-domain.com:443'] + highAvailability: + certManager: + addPublicAddrs: false + asserts: + - 
hasDocuments: + count: 1 + - isKind: + of: Certificate + - matchSnapshot: + path: spec.dnsNames + - matchSnapshot: + path: spec.issuerRef + - equal: + path: spec.commonName + value: test-cluster + - equal: + path: spec.dnsNames[0] + value: "test-cluster" + - equal: + path: spec.dnsNames[1] + value: "*.test-cluster" + - notEqual: + path: spec.dnsNames[2] + value: "teleport.test.com" + - notEqual: + path: spec.dnsNames[3] + value: "teleport.shared-services.old-domain.com" + + - it: should request a certificate for cluster name and publicAddrs when cert-manager is enabled and proxy.highAvailability.certManager.addPublicAddrs is set (cert-secret.yaml) + values: + - ../.lint/cert-secret.yaml + set: + publicAddr: ['teleport.test.com:443', 'teleport.shared-services.old-domain.com:443'] + highAvailability: + certManager: + addPublicAddrs: true + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Certificate + - matchSnapshot: + path: spec.dnsNames + - matchSnapshot: + path: spec.issuerRef + - equal: + path: spec.dnsNames[0] + value: "test-cluster" + - equal: + path: spec.dnsNames[1] + value: "*.test-cluster" + - equal: + path: spec.dnsNames[2] + value: "teleport.test.com" + - equal: + path: spec.dnsNames[3] + value: "teleport.shared-services.old-domain.com" + + - it: should not request a certificate for cluster name and publicAddrs when cert-manager is enabled and proxy.highAvailability.certManager.addPublicAddrs is not set (cert-secret.yaml) + values: + - ../.lint/cert-secret.yaml + set: + publicAddr: ['teleport.test.com:443', 'teleport.shared-services.old-domain.com:443'] + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Certificate + - matchSnapshot: + path: spec.dnsNames + - matchSnapshot: + path: spec.issuerRef + - notEqual: + path: spec.commonName + value: test-cluster + - equal: + path: spec.dnsNames[0] + value: "test-cluster" + - equal: + path: spec.dnsNames[1] + value: "*.test-cluster" + - notEqual: + path: spec.dnsNames[2] + value: 
"teleport.test.com" + - notEqual: + path: spec.dnsNames[3] + value: "teleport.shared-services.old-domain.com" + + - it: should request a certificate for cluster name and publicAddrs when cert-manager is enabled and proxy.highAvailability.certManager.addPublicAddrs is set, removing duplicates + values: + - ../.lint/cert-manager.yaml + set: + publicAddr: ['test-cluster:443', 'teleport.test.com:443', 'teleport.shared-services.old-domain.com:443', 'teleport.test.com:443'] + highAvailability: + certManager: + addPublicAddrs: true + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Certificate + - matchSnapshot: + path: spec.dnsNames + - matchSnapshot: + path: spec.issuerRef + - equal: + path: spec.dnsNames[0] + value: "test-cluster" + - equal: + path: spec.dnsNames[1] + value: "*.test-cluster" + - notEqual: + path: spec.dnsNames[2] + value: "test-cluster" + - equal: + path: spec.dnsNames[2] + value: "teleport.test.com" + - equal: + path: spec.dnsNames[3] + value: "teleport.shared-services.old-domain.com" + - notEqual: + path: spec.dnsNames[4] + value: "teleport.test.com" + + - it: sets extraLabels on Certificate Secret + values: + - ../.lint/cert-manager.yaml + set: + extraLabels: + certSecret: + foo: bar + baz: override-me + proxy: + extraLabels: + certSecret: + baz: overridden + asserts: + - equal: + path: spec.secretTemplate.labels.foo + value: bar + - equal: + path: spec.secretTemplate.labels.baz + value: overridden diff --git a/teleport-cluster-17.4.9/tests/proxy_config_test.yaml b/teleport-cluster-17.4.9/tests/proxy_config_test.yaml new file mode 100644 index 0000000..4c411fd --- /dev/null +++ b/teleport-cluster-17.4.9/tests/proxy_config_test.yaml 
@@ -0,0 +1,289 @@ +suite: ConfigMap +templates: + - proxy/config.yaml +tests: + - it: matches snapshot for log-basic.yaml + values: + - ../.lint/log-basic.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: + path: data.teleport\.yaml + + - it: matches snapshot for log-extra.yaml + values: + - ../.lint/log-extra.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: + path: data.teleport\.yaml + + - it: matches snapshot for public-addresses.yaml + values: + - ../.lint/public-addresses.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: + path: data.teleport\.yaml + + - it: wears annotations (annotations.yaml) + values: + - ../.lint/annotations.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - equal: + path: metadata.annotations.kubernetes\.io/config + value: test-annotation + - equal: + path: metadata.annotations.kubernetes\.io/config-different + value: 2 + + - it: matches snapshot for proxy-listener-mode-multiplex.yaml + values: + - ../.lint/proxy-listener-mode-multiplex.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: + path: data.teleport\.yaml + + - it: matches snapshot for proxy-listener-mode-separate.yaml + values: + - ../.lint/proxy-listener-mode-separate.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: + path: data.teleport\.yaml + + - it: matches snapshot for separate-mongo-listener.yaml + values: + - ../.lint/separate-mongo-listener.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: + path: data.teleport\.yaml + + - it: matches snapshot for separate-postgres-listener.yaml + values: + - ../.lint/separate-postgres-listener.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: + path: data.teleport\.yaml + + - it: matches snapshot for aws-ha-acme.yaml + 
values: + - ../.lint/aws-ha-acme.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: + path: data.teleport\.yaml + + - it: matches snapshot for existing-tls-secret.yaml + values: + - ../.lint/existing-tls-secret.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: + path: data.teleport\.yaml + + - it: matches snapshot for acme-on.yaml + values: + - ../.lint/acme-on.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: + path: data.teleport\.yaml + + - it: matches snapshot for acme-uri-staging.yaml + values: + - ../.lint/acme-uri-staging.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: + path: data.teleport\.yaml + + - it: generates a config with a clusterName containing a regular string + set: + clusterName: "helm-test.example.com" + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: + path: data.teleport\.yaml + + - it: fails when clusterName contains a regular string and a colon + set: + clusterName: "helm-test:cluster-1" + asserts: + - failedTemplate: + errorMessage: "clusterName must not contain a colon, you can override the cluster's public address with publicAddr" + + - it: fails when clusterName contains a port + set: + clusterName: "helm-test.example.com:443" + asserts: + - failedTemplate: + errorMessage: "clusterName must not contain a colon, you can override the cluster's public address with publicAddr" + + - it: generates a config with proxy_service.trust_x_forwarded_for=true when version >=14.0.0 and ingress.enabled=true + chart: + version: 14.0.0 + values: + - ../.lint/ingress.yaml + set: + clusterName: "helm-test.example.com" + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: + path: data.teleport\.yaml + + - it: generates a config with proxy_service.trust_x_forwarded_for=true when version = 14.0.0-rc.1 and 
ingress.enabled=true + chart: + version: "14.0.0-rc.1" + values: + - ../.lint/ingress.yaml + set: + clusterName: "helm-test.example.com" + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: + path: data.teleport\.yaml + + - it: generates a config WITHOUT proxy_service.trust_x_forwarded_for=true when version >=14.0.0 and ingress.enabled is not set + chart: + version: 14.0.0 + set: + clusterName: "helm-test.example.com" + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: + path: data.teleport\.yaml + + - it: generates a config WITHOUT proxy_service.trust_x_forwarded_for=true when version < 14.0.0 and ingress.enabled=true + chart: + version: 13.1.5 + values: + - ../.lint/ingress.yaml + set: + clusterName: "helm-test.example.com" + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: + path: data.teleport\.yaml + + - it: generates a config WITHOUT proxy_service.trust_x_forwarded_for=true when version < 14.0.0 and ingress.enabled is not set + chart: + version: 14.0.0 + set: + clusterName: "helm-test.example.com" + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: + path: data.teleport\.yaml + - it: sets "proxy_protocol" to "on" + set: + proxyProtocol: "on" + clusterName: teleport.example.com + asserts: + - matchRegex: + path: data.teleport\.yaml + pattern: 'proxy_protocol: "on"' + - it: sets "proxy_protocol" to "off" + set: + proxyProtocol: "off" + clusterName: teleport.example.com + asserts: + - matchRegex: + path: data.teleport\.yaml + pattern: 'proxy_protocol: "off"' + - it: does not set "proxy_protocol" + set: + clusterName: teleport.example.com + asserts: + - notMatchRegex: + path: data.teleport\.yaml + pattern: 'proxy_protocol:' + + - it: sets extraLabels on Configmap + values: + - ../.lint/annotations.yaml + set: + extraLabels: + config: + foo: bar + baz: override-me + proxy: + extraLabels: + config: + baz: overridden + asserts: 
+ - equal: + path: metadata.labels.foo + value: bar + - equal: + path: metadata.labels.baz + value: overridden + + - it: sets clusterDomain on Configmap + set: + clusterName: teleport.example.com + global: + clusterDomain: test.com + asserts: + - matchSnapshot: {} + - matchRegex: + path: data.teleport\.yaml + pattern: 'svc.test.com:3025' \ No newline at end of file diff --git a/teleport-cluster-17.4.9/tests/proxy_deployment_test.yaml b/teleport-cluster-17.4.9/tests/proxy_deployment_test.yaml new file mode 100644 index 0000000..3be38c7 --- /dev/null +++ b/teleport-cluster-17.4.9/tests/proxy_deployment_test.yaml 
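Review bot: The test named `generates a config WITHOUT proxy_service.trust_x_forwarded_for=true when version < 14.0.0 and ingress.enabled is not set` sets `chart: version: 14.0.0`, so it exercises the >= 14.0.0 branch and merely duplicates the test before it rather than the < 14.0.0 case its title describes; it should use `version: 13.1.5` like the neighbouring `< 14.0.0 and ingress.enabled=true` test. The four trust_x_forwarded_for tests also rely on `matchSnapshot` alone, which is routinely regenerated with `-u`, so a chart change that emits `trust_x_forwarded_for: true` without an ingress in front would not fail a test, and as I understand that setting it makes the proxy honour client-supplied X-Forwarded-For headers (affecting audit-log source IPs and any IP-based policy). I would add explicit assertions beside the snapshots, in the style of the `proxy_protocol` tests below: `- matchRegex: path: data.teleport\.yaml pattern: 'trust_x_forwarded_for: true'` for the two ingress-enabled >= 14.0.0 cases and `- notMatchRegex:` with the same pattern for the other two.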
@@ -0,0 +1,1142 @@ +suite: Proxy Deployment +templates: + - proxy/deployment.yaml + - proxy/config.yaml +tests: + - it: sets Deployment annotations when specified + template: proxy/deployment.yaml + values: + - ../.lint/annotations.yaml + asserts: + - equal: + path: metadata.annotations.kubernetes\.io/deployment + value: test-annotation + - equal: + path: metadata.annotations.kubernetes\.io/deployment-different + value: 3 + + - it: sets Pod annotations when specified + template: proxy/deployment.yaml + values: + - ../.lint/annotations.yaml + asserts: + - equal: + path: spec.template.metadata.annotations.kubernetes\.io/pod + value: test-annotation + - equal: + path: spec.template.metadata.annotations.kubernetes\.io/pod-different + value: 4 + + - it: should not have more than one replica if no certificate is passed + template: proxy/deployment.yaml + set: + clusterName: helm-lint.example.com + asserts: + - equal: + path: spec.replicas + value: 1 + + - it: should have multiple replicas by default when a certificate is passed through a secret + template: proxy/deployment.yaml + set: + clusterName: helm-lint.example.com + tls: + existingSecretName: my-certs + asserts: + - equal: + path: spec.replicas + value: 2 + + - it: should have multiple replicas by default when certManager is configured + template: proxy/deployment.yaml + set: + clusterName: helm-lint.example.com + highAvailability: + certManager: + enabled: true + asserts: + - equal: + path: spec.replicas + value: 2 + + - it: should have multiple replicas when global replicaCount is set and a certificate is passed + template: proxy/deployment.yaml + set: + clusterName: helm-lint.example.com + highAvailability: + replicaCount: 3 + certManager: + enabled: true + asserts: + - equal: + path: spec.replicas + value: 3 + + - it: should have a single replica when proxy-specific replicaCount is set to 1 and a cert is passed + template: proxy/deployment.yaml + set: + clusterName: helm-lint.example.com + highAvailability: + 
certManager: + enabled: true + proxy: + highAvailability: + replicaCount: 1 + asserts: + - equal: + path: spec.replicas + value: 1 + + - it: should have multiple replicas by default when an ingress is terminating TLS + template: proxy/deployment.yaml + set: + clusterName: helm-lint.example.com + proxyListenerMode: multiplex + ingress: + enabled: true + asserts: + - equal: + path: spec.replicas + value: 2 + + - it: should set affinity when set in values + template: proxy/deployment.yaml + set: + clusterName: helm-lint.example.com + highAvailability: + replicaCount: 3 + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: gravitational.io/dedicated + operator: In + values: + - teleport + asserts: + - isNotNull: + path: spec.template.spec.affinity + - matchSnapshot: + path: spec.template.spec.affinity + + - it: should set required affinity when highAvailability.requireAntiAffinity is set + template: proxy/deployment.yaml + values: + - ../.lint/aws-ha-antiaffinity.yaml + asserts: + - isNotNull: + path: spec.template.spec.affinity + - isNotNull: + path: spec.template.spec.affinity.podAntiAffinity + - isNotNull: + path: spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution + - matchSnapshot: + path: spec.template.spec.affinity + + - it: should set tolerations when set in values + template: proxy/deployment.yaml + values: + - ../.lint/tolerations.yaml + asserts: + - isNotNull: + path: spec.template.spec.tolerations + - matchSnapshot: + path: spec.template.spec.tolerations + + - it: should set resources when set in values + template: proxy/deployment.yaml + values: + - ../.lint/resources.yaml + asserts: + - equal: + path: spec.template.spec.containers[0].resources.limits.cpu + value: 2 + - equal: + path: spec.template.spec.containers[0].resources.limits.memory + value: 4Gi + - equal: + path: spec.template.spec.containers[0].resources.requests.cpu + value: 1 + - 
equal: + path: spec.template.spec.containers[0].resources.requests.memory + value: 2Gi + - matchSnapshot: + path: spec.template.spec + + - it: should set podSecurityContext when set in values + template: proxy/deployment.yaml + values: + - ../.lint/pod-security-context.yaml + asserts: + - equal: + path: spec.template.spec.securityContext.fsGroup + value: 99 + - equal: + path: spec.template.spec.securityContext.fsGroupChangePolicy + value: OnRootMismatch + - equal: + path: spec.template.spec.securityContext.runAsGroup + value: 99 + - equal: + path: spec.template.spec.securityContext.runAsNonRoot + value: true + - equal: + path: spec.template.spec.securityContext.runAsUser + value: 99 + + - it: should not set podSecurityContext when is empty object (default value) + template: proxy/deployment.yaml + values: + - ../.lint/pod-security-context-empty.yaml + asserts: + - isNull: + path: spec.template.spec.securityContext + + - it: should set securityContext when set in values + template: proxy/deployment.yaml + values: + - ../.lint/security-context.yaml + asserts: + - equal: + path: spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation + value: false + - equal: + path: spec.template.spec.containers[0].securityContext.privileged + value: false + - equal: + path: spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem + value: false + - equal: + path: spec.template.spec.containers[0].securityContext.runAsGroup + value: 99 + - equal: + path: spec.template.spec.containers[0].securityContext.runAsNonRoot + value: true + - equal: + path: spec.template.spec.containers[0].securityContext.runAsUser + value: 99 + - matchSnapshot: + path: spec.template.spec + + - it: should not set securityContext when is empty object (default value) + template: proxy/deployment.yaml + values: + - ../.lint/security-context-empty.yaml + asserts: + - isNull: + path: spec.template.spec.containers[0].securityContext + + - it: should set securityContext for 
initContainers when set in values + template: proxy/deployment.yaml + values: + - ../.lint/security-context.yaml + asserts: + - equal: + path: spec.template.spec.initContainers[0].securityContext.allowPrivilegeEscalation + value: false + - equal: + path: spec.template.spec.initContainers[0].securityContext.privileged + value: false + - equal: + path: spec.template.spec.initContainers[0].securityContext.readOnlyRootFilesystem + value: false + - equal: + path: spec.template.spec.initContainers[0].securityContext.runAsGroup + value: 99 + - equal: + path: spec.template.spec.initContainers[0].securityContext.runAsNonRoot + value: true + - equal: + path: spec.template.spec.initContainers[0].securityContext.runAsUser + value: 99 + - matchSnapshot: + path: spec.template.spec + + - it: should set resources for wait-auth-update initContainer when set in values + template: proxy/deployment.yaml + values: + - ../.lint/resources.yaml + asserts: + - equal: + path: spec.template.spec.initContainers[0].resources.requests.cpu + value: 0.1 + - equal: + path: spec.template.spec.initContainers[0].resources.requests.memory + value: 256Mi + - equal: + path: spec.template.spec.initContainers[0].resources.limits.cpu + value: 1 + - equal: + path: spec.template.spec.initContainers[0].resources.limits.memory + value: 512Mi + - matchSnapshot: + path: spec.template.spec + + - it: should not set securityContext for initContainers when is empty object (default value) + template: proxy/deployment.yaml + values: + - ../.lint/security-context-empty.yaml + asserts: + - isNull: + path: spec.template.spec.initContainers[0].securityContext + + # we can't use the dynamic chart version or appVersion as a variable in the tests, + # so we override it manually and check that gets set instead + # this saves us having to update the test every time we cut a new release + - it: should use enterprise image when enterprise is set in values + template: proxy/deployment.yaml + set: + clusterName: 
helm-lint.example.com + enterprise: true + teleportVersionOverride: 12.2.1 + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: public.ecr.aws/gravitational/teleport-ent-distroless:12.2.1 + + - it: should use OSS image when enterprise is not set in values + template: proxy/deployment.yaml + set: + clusterName: helm-lint + teleportVersionOverride: 12.2.1 + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: public.ecr.aws/gravitational/teleport-distroless:12.2.1 + + - it: should mount TLS certs when cert-manager is enabled + template: proxy/deployment.yaml + values: + - ../.lint/gcp-ha-acme.yaml + - ../.lint/initcontainers.yaml + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /etc/teleport-tls + name: "teleport-tls" + readOnly: true + - contains: + path: spec.template.spec.volumes + content: + name: teleport-tls + secret: + secretName: teleport-tls + - contains: + path: spec.template.spec.initContainers[1].volumeMounts + content: + mountPath: /etc/teleport-tls + name: "teleport-tls" + readOnly: true + - contains: + path: spec.template.spec.initContainers[2].volumeMounts + content: + mountPath: /etc/teleport-tls + name: "teleport-tls" + readOnly: true + + - it: should mount ConfigMap containing Teleport config + template: proxy/deployment.yaml + set: + clusterName: helm-lint.example.com + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /etc/teleport + name: "config" + readOnly: true + - contains: + path: spec.template.spec.volumes + content: + name: config + configMap: + name: RELEASE-NAME-proxy + + - it: should mount extraVolumes and extraVolumeMounts on container and initContainers + template: proxy/deployment.yaml + values: + - ../.lint/volumes.yaml + - ../.lint/initcontainers.yaml + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /path/to/mount + name: 
my-mount + - contains: + path: spec.template.spec.initContainers[1].volumeMounts + content: + mountPath: /path/to/mount + name: my-mount + - contains: + path: spec.template.spec.initContainers[2].volumeMounts + content: + mountPath: /path/to/mount + name: my-mount + - contains: + path: spec.template.spec.volumes + content: + name: my-mount + secret: + secretName: mySecret + + - it: should set imagePullPolicy when set in values + template: proxy/deployment.yaml + set: + clusterName: helm-lint.example.com + imagePullPolicy: Always + asserts: + - equal: + path: spec.template.spec.containers[0].imagePullPolicy + value: Always + + - it: should have only one container when no `extraContainers` is set in values + template: proxy/deployment.yaml + set: + extraContainers: [] + clusterName: helm-lint.example.com + asserts: + - isNotNull: + path: spec.template.spec.containers[0] + - isNull: + path: spec.template.spec.containers[1] + + - it: should add one more container when `extraContainers` is set in values + template: proxy/deployment.yaml + values: + - ../.lint/extra-containers.yaml + asserts: + - equal: + path: spec.template.spec.containers[1] + value: + name: nscenter + command: + - /bin/bash + - -c + - sleep infinity & wait + image: praqma/network-multitool + imagePullPolicy: IfNotPresent + securityContext: + privileged: true + runAsNonRoot: false + + - it: should set environment when extraEnv set in values + template: proxy/deployment.yaml + values: + - ../.lint/extra-env.yaml + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: SOME_ENVIRONMENT_VARIABLE + value: "some-value" + + - it: should set imagePullSecrets when set in values + template: proxy/deployment.yaml + values: + - ../.lint/imagepullsecrets.yaml + asserts: + - equal: + path: spec.template.spec.imagePullSecrets[0].name + value: myRegistryKeySecretName + - matchSnapshot: + path: spec.template.spec.imagePullSecrets + + - it: should provision initContainer correctly when 
set in values + template: proxy/deployment.yaml + values: + - ../.lint/initcontainers.yaml + - ../.lint/resources.yaml + - ../.lint/extra-env.yaml + asserts: + - contains: + path: spec.template.spec.initContainers[1].args + content: "echo test" + - equal: + path: spec.template.spec.initContainers[1].name + value: "teleport-init" + - equal: + path: spec.template.spec.initContainers[1].image + value: "alpine" + - equal: + path: spec.template.spec.initContainers[1].resources.limits.cpu + value: 2 + - equal: + path: spec.template.spec.initContainers[1].resources.limits.memory + value: 4Gi + - equal: + path: spec.template.spec.initContainers[1].resources.requests.cpu + value: 1 + - equal: + path: spec.template.spec.initContainers[1].resources.requests.memory + value: 2Gi + - contains: + path: spec.template.spec.initContainers[2].args + content: "echo test2" + - equal: + path: spec.template.spec.initContainers[2].name + value: "teleport-init2" + - equal: + path: spec.template.spec.initContainers[2].image + value: "alpine" + - equal: + path: spec.template.spec.initContainers[2].resources.limits.cpu + value: 2 + - equal: + path: spec.template.spec.initContainers[2].resources.limits.memory + value: 4Gi + - equal: + path: spec.template.spec.initContainers[2].resources.requests.cpu + value: 1 + - equal: + path: spec.template.spec.initContainers[2].resources.requests.memory + value: 2Gi + - matchSnapshot: + path: spec.template.spec.initContainers + + - it: should add insecureSkipProxyTLSVerify to args when set in values + template: proxy/deployment.yaml + set: + clusterName: helm-lint.example.com + insecureSkipProxyTLSVerify: true + asserts: + - contains: + path: spec.template.spec.containers[0].args + content: "--insecure" + + - it: should expose diag port + template: proxy/deployment.yaml + set: + clusterName: helm-lint.example.com + asserts: + - contains: + path: spec.template.spec.containers[0].ports + content: + name: diag + containerPort: 3000 + protocol: TCP + + - it: 
should expose tls port + template: proxy/deployment.yaml + set: + clusterName: helm-lint.example.com + asserts: + - contains: + path: spec.template.spec.containers[0].ports + content: + name: tls + containerPort: 3080 + protocol: TCP + + - it: should expose tls port when proxyListenerMode is multiplex + template: proxy/deployment.yaml + set: + clusterName: helm-lint.example.com + proxyListenerMode: multiplex + asserts: + - contains: + path: spec.template.spec.containers[0].ports + content: + name: tls + containerPort: 3080 + protocol: TCP + + - it: should not expose proxy peering port by default + template: proxy/deployment.yaml + set: + clusterName: helm-lint.example.com + asserts: + - notContains: + path: spec.template.spec.containers[0].ports + content: + name: proxypeering + containerPort: 3021 + protocol: TCP + + - it: should expose proxy peering port when enterprise is true + template: proxy/deployment.yaml + set: + clusterName: helm-lint.example.com + enterprise: true + asserts: + - contains: + path: spec.template.spec.containers[0].ports + content: + name: proxypeering + containerPort: 3021 + protocol: TCP + + - it: should expose sshproxy port by default + template: proxy/deployment.yaml + set: + clusterName: helm-lint.example.com + asserts: + - contains: + path: spec.template.spec.containers[0].ports + content: + name: sshproxy + containerPort: 3023 + protocol: TCP + + - it: should not expose sshproxy port when proxyListenerMode is multiplex + template: proxy/deployment.yaml + set: + clusterName: helm-lint.example.com + proxyListenerMode: multiplex + asserts: + - notContains: + path: spec.template.spec.containers[0].ports + content: + name: sshproxy + containerPort: 3023 + protocol: TCP + + - it: should expose sshtun port by default + template: proxy/deployment.yaml + set: + clusterName: helm-lint.example.com + asserts: + - contains: + path: spec.template.spec.containers[0].ports + content: + name: sshtun + containerPort: 3024 + protocol: TCP + + - it: 
should not expose sshtun port when proxyListenerMode is multiplex + template: proxy/deployment.yaml + set: + clusterName: helm-lint.example.com + proxyListenerMode: multiplex + asserts: + - notContains: + path: spec.template.spec.containers[0].ports + content: + name: sshtun + containerPort: 3024 + protocol: TCP + + - it: should expose k8s port by default + template: proxy/deployment.yaml + set: + clusterName: helm-lint.example.com + asserts: + - contains: + path: spec.template.spec.containers[0].ports + content: + name: kube + containerPort: 3026 + protocol: TCP + + - it: should not expose k8s port when proxyListenerMode is multiplex + template: proxy/deployment.yaml + set: + clusterName: helm-lint.example.com + proxyListenerMode: multiplex + asserts: + - notContains: + path: spec.template.spec.containers[0].ports + content: + name: kube + containerPort: 3026 + protocol: TCP + + - it: should expose mysql port by default + template: proxy/deployment.yaml + set: + clusterName: helm-lint.example.com + asserts: + - contains: + path: spec.template.spec.containers[0].ports + content: + name: mysql + containerPort: 3036 + protocol: TCP + + - it: should not expose mysql port when proxyListenerMode is multiplex + template: proxy/deployment.yaml + set: + clusterName: helm-lint.example.com + proxyListenerMode: multiplex + asserts: + - notContains: + path: spec.template.spec.containers[0].ports + content: + name: mysql + containerPort: 3036 + protocol: TCP + + - it: should expose postgres port when separate postgres listener is enabled + template: proxy/deployment.yaml + set: + clusterName: helm-lint.example.com + separatePostgresListener: true + asserts: + - contains: + path: spec.template.spec.containers[0].ports + content: + name: postgres + containerPort: 5432 + protocol: TCP + + - it: should not expose postgres port when proxyListenerMode is multiplex and separate postgres listener is enabled + template: proxy/deployment.yaml + set: + clusterName: helm-lint.example.com + 
proxyListenerMode: multiplex + separatePostgresListener: true + asserts: + - notContains: + path: spec.template.spec.containers[0].ports + content: + name: postgres + containerPort: 5432 + protocol: TCP + + - it: should expose mongo port when separate mongo listener is enabled + template: proxy/deployment.yaml + set: + clusterName: helm-lint.example.com + separateMongoListener: true + asserts: + - contains: + path: spec.template.spec.containers[0].ports + content: + name: mongo + containerPort: 27017 + protocol: TCP + + - it: should not expose mongo port when when proxyListenerMode is multiplex and separate mongo listener is enabled + template: proxy/deployment.yaml + set: + clusterName: helm-lint.example.com + proxyListenerMode: multiplex + separateMongoListener: true + asserts: + - notContains: + path: spec.template.spec.containers[0].ports + content: + name: mongo + containerPort: 27017 + protocol: TCP + + - it: should set postStart command if set in values + template: proxy/deployment.yaml + set: + clusterName: helm-lint.example.com + postStart: + command: ["/bin/echo", "test"] + asserts: + - equal: + path: spec.template.spec.containers[0].lifecycle.postStart.exec.command + value: ["/bin/echo", "test"] + + - it: should add and mount emptyDir for data + template: proxy/deployment.yaml + set: + clusterName: helm-lint.example.com + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /var/lib/teleport + name: data + - contains: + path: spec.template.spec.volumes + content: + name: data + emptyDir: {} + + - it: should set priorityClassName when set in values + template: proxy/deployment.yaml + values: + - ../.lint/priority-class-name.yaml + asserts: + - equal: + path: spec.template.spec.priorityClassName + value: system-cluster-critical + + - it: should set probeTimeoutSeconds when set in values + template: proxy/deployment.yaml + values: + - ../.lint/probe-timeout-seconds.yaml + asserts: + - equal: + path: 
spec.template.spec.containers[0].livenessProbe.timeoutSeconds + value: 5 + - equal: + path: spec.template.spec.containers[0].readinessProbe.timeoutSeconds + value: 5 + + - it: should not mount TLS secrets when when highAvailability.certManager.enabled is false and tls.existingSecretName is not set + template: proxy/deployment.yaml + set: + clusterName: helm-lint-test-cluster + asserts: + - notContains: + path: spec.template.spec.volumes + content: + name: teleport-tls + secret: + secretName: teleport-tls + - notContains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /etc/teleport-tls + name: teleport-tls + readOnly: true + + - it: should mount cert-manager TLS secret when highAvailability.certManager.enabled is true + template: proxy/deployment.yaml + values: + - ../.lint/cert-manager.yaml + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: teleport-tls + secret: + secretName: teleport-tls + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /etc/teleport-tls + name: teleport-tls + readOnly: true + + - it: should mount tls.existingSecretName when set in values + template: proxy/deployment.yaml + values: + - ../.lint/existing-tls-secret.yaml + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: teleport-tls + secret: + secretName: helm-lint-existing-tls-secret + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /etc/teleport-tls + name: teleport-tls + readOnly: true + + - it: should mount tls.existingCASecretName and set environment when set in values + template: proxy/deployment.yaml + values: + - ../.lint/existing-tls-secret-with-ca.yaml + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: teleport-tls-ca + secret: + secretName: helm-lint-existing-tls-secret-ca + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /etc/teleport-tls-ca + 
name: teleport-tls-ca + readOnly: true + - contains: + path: spec.template.spec.containers[0].env + content: + name: SSL_CERT_FILE + value: /etc/teleport-tls-ca/ca.pem + + - it: should mount tls.existingCASecretName and set extra environment when set in values + template: proxy/deployment.yaml + values: + - ../.lint/existing-tls-secret-with-ca.yaml + - ../.lint/extra-env.yaml + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: teleport-tls-ca + secret: + secretName: helm-lint-existing-tls-secret-ca + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /etc/teleport-tls-ca + name: teleport-tls-ca + readOnly: true + - contains: + path: spec.template.spec.containers[0].env + content: + name: SSL_CERT_FILE + value: /etc/teleport-tls-ca/ca.pem + - contains: + path: spec.template.spec.containers[0].env + content: + name: SOME_ENVIRONMENT_VARIABLE + value: some-value + + - it: should set minReadySeconds when replicaCount > 1 + template: proxy/deployment.yaml + set: + clusterName: helm-lint + highAvailability: + certManager: + enabled: true + replicaCount: 3 + minReadySeconds: 60 + asserts: + - equal: + path: spec.minReadySeconds + value: 60 + + - it: should not set minReadySeconds when replicaCount = 1 + template: proxy/deployment.yaml + set: + chartMode: scratch + highAvailability: + minReadySeconds: 60 + replicaCount: 1 + asserts: + - equal: + path: spec.minReadySeconds + value: null + + - it: should set nodeSelector when set in values + template: proxy/deployment.yaml + set: + chartMode: scratch + clusterName: helm-lint.example.com + nodeSelector: + role: bastion + environment: security + asserts: + - isNotNull: + path: spec.template.spec.nodeSelector + - matchSnapshot: + path: spec.template.spec + + - it: mounts regular tokens on older Kubernetes versions + template: proxy/deployment.yaml + set: + clusterName: helm-lint + capabilities: + majorVersion: 1 + minorVersion: 18 + asserts: + - notEqual: + path: 
spec.template.spec.automountServiceAccountToken + value: false + - notContains: + path: spec.template.spec.volumes + content: + name: proxy-serviceaccount-token + projected: + sources: + - serviceAccountToken: + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - path: "namespace" + fieldRef: + fieldPath: metadata.namespace + - notContains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: proxy-serviceaccount-token + readOnly: true + + - it: mounts tokens through projected volumes on newer Kubernetes versions + template: proxy/deployment.yaml + set: + clusterName: helm-lint + capabilities: + majorVersion: 1 + minorVersion: 21 + asserts: + - equal: + path: spec.template.spec.automountServiceAccountToken + value: false + - contains: + path: spec.template.spec.volumes + content: + name: proxy-serviceaccount-token + projected: + sources: + - serviceAccountToken: + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - path: "namespace" + fieldRef: + fieldPath: metadata.namespace + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: proxy-serviceaccount-token + readOnly: true + + - it: sets extraLabels on Deployment + template: proxy/deployment.yaml + values: + - ../.lint/annotations.yaml + set: + extraLabels: + deployment: + foo: bar + baz: override-me + proxy: + extraLabels: + deployment: + baz: overridden + asserts: + - equal: + path: metadata.labels.foo + value: bar + - equal: + path: metadata.labels.baz + value: overridden + + - it: sets extraLabels on Deployment Pods + template: proxy/deployment.yaml + values: + - ../.lint/annotations.yaml + set: + extraLabels: + pod: + foo: bar + baz: override-me + proxy: + extraLabels: + pod: + baz: overridden + asserts: + 
- equal: + path: spec.template.metadata.labels.foo + value: bar + - equal: + path: spec.template.metadata.labels.baz + value: overridden + + - it: sets clusterDomain on Deployment Pods + template: proxy/deployment.yaml + values: + - ../.lint/annotations.yaml + set: + global: + clusterDomain: test.com + asserts: + - matchSnapshot: {} + - matchRegex: + path: spec.template.spec.initContainers[0].command[3] + pattern: ".svc.test.com$" + + - it: sets readinessProbe values on Deployment Pods + template: proxy/deployment.yaml + set: + clusterName: helm-lint + readinessProbe: + initialDelaySeconds: 9 + periodSeconds: 10 + failureThreshold: 11 + successThreshold: 12 + proxy: + # we test an auth-specific override + readinessProbe: + initialDelaySeconds: 13 + asserts: + - equal: + path: spec.template.spec.containers[0].readinessProbe.periodSeconds + value: 10 + - equal: + path: spec.template.spec.containers[0].readinessProbe.failureThreshold + value: 11 + - equal: + path: spec.template.spec.containers[0].readinessProbe.successThreshold + value: 12 + - equal: + path: spec.template.spec.containers[0].readinessProbe.initialDelaySeconds + value: 13 + + - it: sets topology spread constraints by default + template: proxy/deployment.yaml + set: + clusterName: helm-lint + asserts: + - equal: + path: spec.template.spec.topologySpreadConstraints + value: + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app.kubernetes.io/component: proxy + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + - maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app.kubernetes.io/component: proxy + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + + - it: removes topology spread constraints when disabled + template: proxy/deployment.yaml + set: + clusterName: helm-lint + 
disableTopologySpreadConstraints: true + asserts: + - isEmpty: + path: spec.template.spec.topologySpreadConstraints + + - it: removes topology spread constraints when running on antique kubernetes + template: proxy/deployment.yaml + set: + clusterName: helm-lint + capabilities: + majorVersion: 1 + minorVersion: 17 + asserts: + - isEmpty: + path: spec.template.spec.topologySpreadConstraints + + - it: uses custom topology spread constraints when set + template: proxy/deployment.yaml + set: + clusterName: helm-lint + topologySpreadConstraints: + - maxSkew: 2 + topologyKey: foobar + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app: baz + # helm unit-test has a bug where capabilities are not reset between tests, we must set back to 1.18 after the 1.17 test. + capabilities: + majorVersion: 1 + minorVersion: 18 + asserts: + - equal: + path: spec.template.spec.topologySpreadConstraints + value: + - maxSkew: 2 + topologyKey: foobar + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app: baz diff --git a/teleport-cluster-17.4.9/tests/proxy_pdb_test.yaml b/teleport-cluster-17.4.9/tests/proxy_pdb_test.yaml new file mode 100644 index 0000000..e324504 --- /dev/null +++ b/teleport-cluster-17.4.9/tests/proxy_pdb_test.yaml 
@@ -0,0 +1,43 @@
+suite: Proxy PodDisruptionBudget
+templates:
+ - proxy/pdb.yaml
+tests:
+ - it: not should create a PDB when disabled in values
+ set:
+ highAvailability:
+ podDisruptionBudget:
+ enabled: false
+ asserts:
+ - hasDocuments:
+ count: 0
+ - it: should create a PDB when enabled in values (pdb.yaml)
+ values:
+ - ../.lint/pdb.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: PodDisruptionBudget
+ - equal:
+ path: spec.minAvailable
+ value: 2
+
+ - it: sets extraLabels on PodDisruptionBudget
+ values:
+ - ../.lint/pdb.yaml
+ set:
+ extraLabels:
+ podDisruptionBudget:
+ foo: bar
+ baz: override-me
+ proxy:
+ extraLabels:
+ podDisruptionBudget:
+ baz: overridden
+ asserts:
+ - equal:
+ path: metadata.labels.foo
+ value: bar
+ - equal:
+ path: metadata.labels.baz
+ value: overridden
diff --git a/teleport-cluster-17.4.9/tests/proxy_service_test.yaml b/teleport-cluster-17.4.9/tests/proxy_service_test.yaml
new file mode 100644
index 0000000..2ef67c7
--- /dev/null
+++ b/teleport-cluster-17.4.9/tests/proxy_service_test.yaml
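Review bot: The "should create a PDB" test pins `spec.minAvailable` but never checks `spec.selector`, so a PodDisruptionBudget whose selector does not match the proxy pods would pass this suite while protecting nothing during node drains. The proxy pod labels asserted elsewhere in this patch (`app.kubernetes.io/component: proxy`, `app.kubernetes.io/name: teleport-cluster`) give a concrete target, so I would add `- equal: path: spec.selector.matchLabels.app\.kubernetes\.io/component value: proxy` to that test; proxy/pdb.yaml itself is not in this patch, so confirm which label it selects on. The first test name `not should create a PDB` reads as a transposition of `should not create a PDB`. These test files look like a verbatim copy of the upstream Teleport chart; if so, both changes belong upstream rather than in the vendored copy.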
@@ -0,0 +1,401 @@ +suite: Proxy Service +templates: + - proxy/service.yaml +tests: + - it: uses a LoadBalancer by default + set: + clusterName: teleport.example.com + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Service + - equal: + path: spec.type + value: LoadBalancer + + - it: uses a ClusterIP when service.type=ClusterIP + set: + clusterName: teleport.example.com + service: + type: ClusterIP + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Service + - equal: + path: spec.type + value: ClusterIP + + - it: uses a ClusterIP when proxy.service.type=ClusterIP + set: + clusterName: teleport.example.com + service: + type: NodePort + proxy: + service: + type: ClusterIP + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Service + - equal: + path: spec.type + value: ClusterIP + + - it: fails to deploy when ingress.enabled=true and proxy.service.type is set to LoadBalancer (default) + set: + clusterName: teleport.example.com + ingress: + enabled: true + asserts: + - failedTemplate: + errorMessage: "proxy.service.type must not be LoadBalancer when using an ingress - any load balancer should be provisioned by your ingress controller. 
Set proxy.service.type=ClusterIP instead" + + - it: uses a ClusterIP when ingress.enabled=true and service.type=ClusterIP + set: + clusterName: teleport.example.com + ingress: + enabled: true + service: + type: ClusterIP + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Service + - equal: + path: spec.type + value: ClusterIP + + - it: uses a ClusterIP when ingress.enabled=true and proxy.service.type=ClusterIP + set: + clusterName: teleport.example.com + ingress: + enabled: true + proxy: + service: + type: ClusterIP + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Service + - equal: + path: spec.type + value: ClusterIP + + - it: uses a NodePort when ingress.enabled=true and proxy.service.type=NodePort + set: + clusterName: teleport.example.com + ingress: + enabled: true + proxy: + service: + type: NodePort + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Service + - equal: + path: spec.type + value: NodePort + + - it: uses a NodePort when ingress.enabled=true and service.type=NodePort + set: + clusterName: teleport.example.com + ingress: + enabled: true + service: + type: NodePort + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Service + - equal: + path: spec.type + value: NodePort + + - it: uses a NodePort when ingress.enabled=true and proxy.service.type is overridden + set: + clusterName: teleport.example.com + ingress: + enabled: true + proxy: + service: + type: NodePort + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Service + - equal: + path: spec.type + value: NodePort + + - it: sets AWS annotations when chartMode=aws + set: + clusterName: teleport.example.com + chartMode: aws + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Service + - equal: + path: spec.type + value: LoadBalancer + - equal: + path: metadata.annotations.service\.beta\.kubernetes\.io/aws-load-balancer-type + value: nlb + - equal: + path: metadata.annotations.service\.beta\.kubernetes\.io/aws-load-balancer-backend-protocol + value: tcp + - 
equal: + path: metadata.annotations.service\.beta\.kubernetes\.io/aws-load-balancer-cross-zone-load-balancing-enabled + value: "true" + + - it: sets service annotations when specified + values: + - ../.lint/annotations.yaml + asserts: + - equal: + path: metadata.annotations.kubernetes\.io/service + value: test-annotation + - equal: + path: metadata.annotations.kubernetes\.io/service-different + value: 5 + + - it: adds a separate Postgres listener port when separatePostgresListener is true + values: + - ../.lint/separate-postgres-listener.yaml + asserts: + - contains: + path: spec.ports + content: + name: postgres + port: 5432 + targetPort: 5432 + protocol: TCP + + - it: does not add a separate Postgres listener port when separatePostgresListener is true and ingress.enabled=true + values: + - ../.lint/separate-postgres-listener.yaml + set: + ingress: + enabled: true + proxyListenerMode: multiplex + service: + type: ClusterIP + asserts: + - notContains: + path: spec.ports + content: + name: postgres + port: 5432 + targetPort: 5432 + protocol: TCP + + - it: adds a separate Mongo listener port when separateMongoListener is true + values: + - ../.lint/separate-mongo-listener.yaml + asserts: + - contains: + path: spec.ports + content: + name: mongo + port: 27017 + targetPort: 27017 + protocol: TCP + + - it: does not add a separate Mongo listener port when separateMongoListener is true and ingress.enabled=true + values: + - ../.lint/separate-mongo-listener.yaml + set: + ingress: + enabled: true + proxyListenerMode: multiplex + service: + type: ClusterIP + asserts: + - notContains: + path: spec.ports + content: + name: mongo + port: 27017 + targetPort: 27017 + protocol: TCP + + - it: sets AWS backend protocol annotation to ssl when in AWS mode and ACM annotation is set + values: + - ../.lint/aws-ha.yaml + set: + annotations: + service: + service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-1:1234567890:certificate/a857a76c-51d0-4d3d-8000-465bb3e9829b 
+ service.beta.kubernetes.io/aws-load-balancer-ssl-ports: 443 + asserts: + - equal: + path: metadata.annotations.service\.beta\.kubernetes\.io/aws-load-balancer-backend-protocol + value: ssl + + - it: does not add AWS backend protocol annotation when in AWS mode, ACM annotation is set and ingress is enabled + values: + - ../.lint/aws-ha.yaml + set: + ingress: + enabled: true + service: + type: ClusterIP + annotations: + service: + service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-1:1234567890:certificate/a857a76c-51d0-4d3d-8000-465bb3e9829b + service.beta.kubernetes.io/aws-load-balancer-ssl-ports: 443 + asserts: + - isNull: + path: metadata.annotations.service\.beta\.kubernetes\.io/aws-load-balancer-backend-protocol + + - it: sets AWS backend protocol annotation to tcp when in AWS mode and ACM annotation is not set + values: + - ../.lint/aws-ha.yaml + asserts: + - equal: + path: metadata.annotations.service\.beta\.kubernetes\.io/aws-load-balancer-backend-protocol + value: tcp + + - it: does not set AWS backend protocol annotation when in AWS mode, ACM annotation is not set and ingress is enabled + values: + - ../.lint/aws-ha.yaml + set: + ingress: + enabled: true + service: + type: ClusterIP + annotations: + service: + # required so at least one service annotation exists, to avoid non map type error + service.beta.kubernetes.io/random-annotation: helm-lint + asserts: + - isNull: + path: metadata.annotations.service\.beta\.kubernetes\.io/aws-load-balancer-backend-protocol + + - it: exposes separate listener ports by default + values: + - ../.lint/example-minimal-standalone.yaml + asserts: + - matchSnapshot: + path: spec.ports + + - it: does not expose separate listener ports by default when ingress.enabled=true + values: + - ../.lint/example-minimal-standalone.yaml + set: + ingress: + enabled: true + proxyListenerMode: multiplex + service: + type: ClusterIP + asserts: + - notContains: + path: spec.ports + content: + - name: sshproxy + port: 
3023 + targetPort: 3023 + protocol: TCP + - name: k8s + port: 3026 + targetPort: 3026 + protocol: TCP + - name: sshtun + port: 3024 + targetPort: 3024 + protocol: TCP + - name: mysql + port: 3036 + targetPort: 3036 + protocol: TCP + - matchSnapshot: + path: spec.ports + + - it: exposes separate listener ports when running in separate mode + values: + - ../.lint/proxy-listener-mode-separate.yaml + asserts: + - matchSnapshot: + path: spec.ports + + - it: does not expose separate listener ports when running in separate mode and ingress.enabled=true + values: + - ../.lint/proxy-listener-mode-separate.yaml + set: + ingress: + enabled: true + proxyListenerMode: multiplex + service: + type: ClusterIP + asserts: + - notContains: + path: spec.ports + content: + - name: sshproxy + port: 3023 + targetPort: 3023 + protocol: TCP + - name: k8s + port: 3026 + targetPort: 3026 + protocol: TCP + - name: sshtun + port: 3024 + targetPort: 3024 + protocol: TCP + - name: mysql + port: 3036 + targetPort: 3036 + protocol: TCP + - matchSnapshot: + path: spec.ports + + - it: exposes a single port when running in multiplex mode + values: + - ../.lint/proxy-listener-mode-multiplex.yaml + asserts: + - matchSnapshot: + path: spec.ports + + - it: exposes a single port when running in multiplex mode and ingress.enabled=true + values: + - ../.lint/proxy-listener-mode-multiplex.yaml + set: + ingress: + enabled: true + service: + type: ClusterIP + asserts: + - matchSnapshot: + path: spec.ports + + - it: sets extraLabels on Service + values: + - ../.lint/annotations.yaml + set: + extraLabels: + service: + foo: bar + baz: override-me + proxy: + extraLabels: + service: + baz: overridden + asserts: + - equal: + path: metadata.labels.foo + value: bar + - equal: + path: metadata.labels.baz + value: overridden diff --git a/teleport-cluster-17.4.9/tests/proxy_serviceaccount_test.yaml b/teleport-cluster-17.4.9/tests/proxy_serviceaccount_test.yaml new file mode 100644 index 0000000..fe3dee4 --- /dev/null 
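Review bot: The two `does not expose separate listener ports ... ingress.enabled=true` tests pass a list of four port maps as `content:` to `notContains`; helm-unittest matches `content` as a single element of the array at `path`, so the assertion looks for a list inside `spec.ports`, never finds one, and passes regardless of which ports the Service actually exposes. Splitting each into one `notContains` per port map (the shape the Postgres and Mongo tests in this same file already use) makes the check real, which matters because an ingress-fronted ClusterIP Service leaking the sshproxy/sshtun/kube/mysql listeners is exactly what these tests exist to catch; note the deployment test in this patch names the 3026 port `kube` while this file uses `k8s`, so confirm the Service port name before relying on it. Separately, `uses a NodePort when ingress.enabled=true and proxy.service.type is overridden` duplicates the `proxy.service.type=NodePort` test above it line for line and can be dropped. This file appears to be vendored verbatim from the upstream chart, so if that is the case the fix should be raised there as well.
```yaml
    asserts:
      - notContains:
          path: spec.ports
          content:
            name: sshproxy
            port: 3023
            targetPort: 3023
            protocol: TCP
      - notContains:
          path: spec.ports
          content:
            name: k8s
            port: 3026
            targetPort: 3026
            protocol: TCP
      - notContains:
          path: spec.ports
          content:
            name: sshtun
            port: 3024
            targetPort: 3024
            protocol: TCP
      - notContains:
          path: spec.ports
          content:
            name: mysql
            port: 3036
            targetPort: 3036
            protocol: TCP
      # … unchanged: matchSnapshot on spec.ports …
```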
+++ b/teleport-cluster-17.4.9/tests/proxy_serviceaccount_test.yaml
@@ -0,0 +1,64 @@
+suite: Proxy ServiceAccount
+templates:
+ - proxy/serviceaccount.yaml
+tests:
+ - it: sets ServiceAccount annotations when specified
+ values:
+ - ../.lint/annotations.yaml
+ asserts:
+ - equal:
+ path: metadata.annotations.kubernetes\.io/serviceaccount
+ value: test-annotation
+ - equal:
+ path: metadata.annotations.kubernetes\.io/serviceaccount-different
+ value: 6
+
+ - it: changes ServiceAccount name when specified and appends "-proxy"
+ values:
+ - ../.lint/service-account.yaml
+ asserts:
+ - equal:
+ path: metadata.name
+ value: "helm-lint-proxy"
+
+ - it: sets extraLabels on ServiceAccount
+ values:
+ - ../.lint/annotations.yaml
+ set:
+ extraLabels:
+ serviceAccount:
+ foo: bar
+ baz: override-me
+ proxy:
+ extraLabels:
+ serviceAccount:
+ baz: overridden
+ asserts:
+ - equal:
+ path: metadata.labels.foo
+ value: bar
+ - equal:
+ path: metadata.labels.baz
+ value: overridden
+
+ - it: does not set automountServiceAccountToken if cluster version is <1.20
+ set:
+ clusterName: helm-lint
+ capabilities:
+ majorVersion: 1
+ minorVersion: 18
+ asserts:
+ - notEqual:
+ path: automountServiceAccountToken
+ value: false
+
+ - it: sets automountServiceAccountToken to false if cluster version is >=1.20
+ set:
+ clusterName: helm-lint
+ capabilities:
+ majorVersion: 1
+ minorVersion: 20
+ asserts:
+ - equal:
+ path: automountServiceAccountToken
+ value: false
diff --git a/teleport-cluster-17.4.9/tests/psp_test.yaml b/teleport-cluster-17.4.9/tests/psp_test.yaml
new file mode 100644
index 0000000..fa3b66e
--- /dev/null
+++ b/teleport-cluster-17.4.9/tests/psp_test.yaml
@@ -0,0 +1,35 @@ +suite: PodSecurityPolicy +templates: + - psp.yaml +tests: + - it: creates a PodSecurityPolicy when enabled in values and supported + capabilities: + majorVersion: 1 + minorVersion: 22 + set: + podSecurityPolicy: + enabled: true + asserts: + - hasDocuments: + count: 3 + - documentIndex: 0 + isKind: + of: PodSecurityPolicy + - documentIndex: 1 + isKind: + of: Role + - documentIndex: 2 + isKind: + of: RoleBinding + - matchSnapshot: {} + + - it: does not create a PodSecurityPolicy when enabled in values but not supported + set: + podSecurityPolicy: + enabled: true + capabilities: + majorVersion: 1 + minorVersion: 25 + asserts: + - hasDocuments: + count: 0 diff --git a/teleport-cluster/values.home.yaml b/teleport-cluster-17.4.9/values.home.yaml similarity index 100% rename from teleport-cluster/values.home.yaml rename to teleport-cluster-17.4.9/values.home.yaml diff --git a/teleport-cluster-17.4.9/values.schema.json b/teleport-cluster-17.4.9/values.schema.json new file mode 100644 index 0000000..cadc25b --- /dev/null +++ b/teleport-cluster-17.4.9/values.schema.json 
@@ -0,0 +1,1010 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema", + "type": "object", + "required": [ + "clusterName", + "authentication", + "enterprise", + "operator", + "global", + "podSecurityPolicy", + "labels", + "chartMode", + "validateConfigOnDeploy", + "highAvailability", + "podMonitor", + "tls", + "image", + "enterpriseImage", + "log", + "affinity", + "nodeSelector", + "annotations", + "extraContainers", + "extraVolumes", + "extraVolumeMounts", + "imagePullPolicy", + "initContainers", + "resources", + "tolerations", + "probeTimeoutSeconds" + ], + "properties": { + "clusterName": { + "$id": "#/properties/clusterName", + "type": "string", + "default": "" + }, + "proxyProtocol": { + "$id": "#/properties/proxyProtocol", + "type": "string", + "default": "", + "enum": [ + "off", + "on" + ] + }, + "auth": { + "$id": "#/properties/auth", + "type": "object" + }, + "proxy": { + "$id": "#/properties/proxy", + "type": "object" + }, + "createProxyToken": { + "$id": "#/properties/createProxyToken", + "type": "boolean", + "default": true + }, + "podMonitor": { + "$id": "#/properties/podMonitor", + "type": "object", + "required": [ + "enabled" + ], + "properties": { + "enabled": { + "$id": "#/properties/podMonitor/enabled", + "type": "boolean", + "default": false + }, + "additionalLabels": { + "$id": "#/properties/podMonitor/additionalLabels", + "type": "object", + "default": { + "prometheus": "default" + }, + "additionalProperties": { + "type": "string" + } + }, + "interval": { + "$id": "#/properties/podMonitor/interval", + "type": "string", + "default": "30s" + } + } + }, + "authentication": { + "$id": "#/properties/authentication", + "type": "object", + "required": [ + "type", + "localAuth" + ], + "properties": { + "type": { + "$id": "#/properties/authentication/properties/type", + "type": "string", + "default": "local" + }, + "connectorName": { + "$id": "#/properties/authentication/properties/connectorName", + "type": "string", + "default": "" + }, + 
"localAuth": { + "$id": "#/properties/authentication/properties/localAuth", + "type": "boolean", + "default": true + }, + "lockingMode": { + "$id": "#/properties/authentication/properties/lockingMode", + "type": "string", + "default": "" + }, + "secondFactor": { + "$id": "#/properties/authentication/properties/secondFactor", + "type": "string", + "enum": [ + "off", + "on", + "otp", + "optional", + "webauthn" + ], + "default": "otp" + }, + "secondFactors": { + "$id": "#/properties/authentication/properties/secondFactors", + "type": "array", + "items": { + "type": "string", + "enum": [ + "otp", + "sso", + "webauthn" + ] + }, + "default": [] + }, + "webauthn": { + "$id": "#/properties/authentication/properties/webauthn", + "type": "object", + "required": [], + "properties": { + "attestationAllowedCas": { + "$id": "#/properties/authentication/properties/webauthn/properties/attestationAllowedCas", + "type": "array", + "default": [] + }, + "attestationDeniedCas": { + "$id": "#/properties/authentication/properties/webauthn/properties/attestationDeniedCas", + "type": "array", + "default": [] + } + } + } + } + }, + "authenticationType": { + "$id": "#/properties/authenticationType", + "type": "string" + }, + "authenticationSecondFactor": { + "$id": "#/properties/authenticationSecondFactor", + "type": "object", + "required": [], + "properties": { + "secondFactor": { + "$id": "#/properties/authenticationSecondFactor/properties/secondFactor", + "type": "string", + "enum": [ + "off", + "on", + "otp", + "optional", + "webauthn" + ], + "default": "otp" + }, + "webauthn": { + "$id": "#/properties/authenticationSecondFactor/properties/webauthn", + "type": "object", + "required": [], + "properties": { + "attestationAllowedCas": { + "$id": "#/properties/authenticationSecondFactor/properties/webauthn/properties/attestationAllowedCas", + "type": "array", + "default": [] + }, + "attestationDeniedCas": { + "$id": 
"#/properties/authenticationSecondFactor/properties/webauthn/properties/attestationDeniedCas", + "type": "array", + "default": [] + } + } + } + } + }, + "proxyListenerMode": { + "$id": "#/properties/proxyListenerMode", + "type": "string", + "default": "" + }, + "sessionRecording": { + "$id": "#/properties/sessionRecording", + "type": "string", + "default": "" + }, + "separatePostgresListener": { + "$id": "#/properties/separatePostgresListener", + "type": "boolean", + "default": false + }, + "separateMongoListener": { + "$id": "#/properties/separateMongoListener", + "type": "boolean", + "default": false + }, + "publicAddr": { + "$id": "#/properties/publicAddr", + "type": "array", + "items": { + "type": "string" + }, + "default": [] + }, + "kubePublicAddr": { + "$id": "#/properties/kubePublicAddr", + "type": "array", + "items": { + "type": "string" + }, + "default": [] + }, + "mongoPublicAddr": { + "$id": "#/properties/mongoPublicAddr", + "type": "array", + "items": { + "type": "string" + }, + "default": [] + }, + "mysqlPublicAddr": { + "$id": "#/properties/mysqlPublicAddr", + "type": "array", + "items": { + "type": "string" + }, + "default": [] + }, + "postgresPublicAddr": { + "$id": "#/properties/postgresPublicAddr", + "type": "array", + "items": { + "type": "string" + }, + "default": [] + }, + "sshPublicAddr": { + "$id": "#/properties/sshPublicAddr", + "type": "array", + "items": { + "type": "string" + }, + "default": [] + }, + "tunnelPublicAddr": { + "$id": "#/properties/tunnelPublicAddr", + "type": "array", + "items": { + "type": "string" + }, + "default": [] + }, + "teleportVersionOverride": { + "$id": "#/properties/teleportVersionOverride", + "type": "string", + "default": "" + }, + "acme": { + "$id": "#/properties/acme", + "type": "boolean", + "default": false + }, + "acmeEmail": { + "$id": "#/properties/acmeEmail", + "type": "string", + "default": "" + }, + "acmeURI": { + "$id": "#/properties/acmeURI", + "type": "string", + "default": "" + }, + "enterprise": 
{ + "$id": "#/properties/enterprise", + "type": "boolean", + "default": false + }, + "licenseSecretName": { + "$id": "#/properties/licenseSecretName", + "type": "string", + "default": "license" + }, + "installCRDs": { + "$id": "#/properties/installCRDs", + "type": "boolean" + }, + "global": { + "$id": "#/properties/global", + "type": "object", + "required": [ + "clusterDomain" + ], + "properties": { + "clusterDomain": { + "$id": "#/properties/global/properties/clusterDomain", + "type": "string", + "default": "cluster.local" + } + } + }, + "operator": { + "$id": "#/properties/operator", + "type": "object", + "required": [ + "enabled" + ], + "properties": { + "enabled": { + "$id": "#/properties/operator/properties/enabled", + "type": "boolean", + "default": false + }, + "image": { + "$id": "#/properties/operator/properties/image", + "type": "string", + "default": "public.ecr.aws/gravitational/teleport-operator" + }, + "resources": { + "$id": "#/properties/operator/properties/resources", + "type": "object", + "default": {} + } + } + }, + "podSecurityPolicy": { + "$id": "#/properties/podSecurityPolicy", + "type": "object", + "required": [ + "enabled" + ], + "properties": { + "enabled": { + "$id": "#/properties/podSecurityPolicy/properties/enabled", + "type": "boolean", + "default": true + } + } + }, + "labels": { + "$id": "#/properties/labels", + "type": "object", + "default": {} + }, + "chartMode": { + "$id": "#/properties/chartMode", + "type": "string", + "enum": [ + "standalone", + "aws", + "azure", + "gcp", + "scratch" + ], + "default": "standalone" + }, + "validateConfigOnDeploy": { + "$id": "#/properties/validateConfigOnDeploy", + "type": "boolean", + "default": true + }, + "standalone": { + "$id": "#/properties/standalone", + "type": "object", + "required": [ + "volumeSize" + ], + "properties": { + "existingClaimName": { + "$id": "#/properties/standalone/properties/existingClaimName", + "type": "string", + "default": "" + }, + "volumeSize": { + "$id": 
"#/properties/standalone/properties/volumeSize", + "type": "string", + "default": "" + } + } + }, + "persistence": { + "$id": "#/properties/persistence", + "type": "object", + "required": [ + "enabled", + "volumeSize" + ], + "properties": { + "enabled": { + "$id": "#/properties/persistence/properties/enabled", + "type": "boolean", + "default": "true" + }, + "existingClaimName": { + "$id": "#/properties/persistence/properties/existingClaimName", + "type": "string", + "default": "" + }, + "storageClassName": { + "$id": "#/properties/persistence/properties/storageClassName", + "type": "string", + "default": "" + }, + "volumeSize": { + "$id": "#/properties/persistence/properties/volumeSize", + "type": "string", + "default": "" + } + } + }, + "aws": { + "$id": "#/properties/aws", + "type": "object", + "properties": { + "region": { + "$id": "#/properties/aws/properties/region", + "type": "string", + "default": "" + }, + "backendTable": { + "$id": "#/properties/aws/properties/backendTable", + "type": "string", + "default": "" + }, + "auditLogTable": { + "$id": "#/properties/aws/properties/auditLogTable", + "type": "string", + "default": "" + }, + "auditLogMirrorOnStdout": { + "$id": "#/properties/aws/properties/auditLogMirrorOnStdout", + "type": "boolean", + "default": "false" + }, + "sessionRecordingBucket": { + "$id": "#/properties/aws/properties/sessionRecordingBucket", + "type": "string", + "default": "" + }, + "backups": { + "$id": "#/properties/aws/properties/backups", + "type": "boolean", + "default": false + }, + "dynamoAutoScaling": { + "$id": "#/properties/aws/properties/dynamoAutoScaling", + "type": "boolean", + "default": false + } + }, + "if": { + "properties": { + "dynamoAutoScaling": { + "const": true + } + } + }, + "then": { + "properties": { + "readMinCapacity": { + "$id": "#/properties/aws/properties/readMinCapacity", + "type": "integer" + }, + "readMaxCapacity": { + "$id": "#/properties/aws/properties/readMaxCapacity", + "type": "integer" + }, + 
"readTargetValue": { + "$id": "#/properties/aws/properties/readTargetValue", + "type": "number" + }, + "writeMinCapacity": { + "$id": "#/properties/aws/properties/writeMinCapacity", + "type": "integer" + }, + "writeMaxCapacity": { + "$id": "#/properties/aws/properties/writeMaxCapacity", + "type": "integer" + }, + "writeTargetValue": { + "$id": "#/properties/aws/properties/writeTargetValue", + "type": "number" + } + } + }, + "else": { + "properties": { + "readMinCapacity": { + "$id": "#/properties/aws/properties/readMinCapacity", + "type": "null" + }, + "readMaxCapacity": { + "$id": "#/properties/aws/properties/readMaxCapacity", + "type": "null" + }, + "readTargetValue": { + "$id": "#/properties/aws/properties/readTargetValue", + "type": "null" + }, + "writeMinCapacity": { + "$id": "#/properties/aws/properties/writeMinCapacity", + "type": "null" + }, + "writeMaxCapacity": { + "$id": "#/properties/aws/properties/writeMaxCapacity", + "type": "null" + }, + "writeTargetValue": { + "$id": "#/properties/aws/properties/writeTargetValue", + "type": "null" + } + } + } + }, + "azure": { + "$id": "#/properties/azure", + "type": "object", + "properties": { + "databaseHost": { + "$id": "#/properties/azure/properties/databaseHost", + "type": "string", + "default": "" + }, + "databaseUser": { + "$id": "#/properties/azure/properties/databaseUser", + "type": "string", + "default": "" + }, + "backendDatabase": { + "$id": "#/properties/azure/properties/backendDatabase", + "type": "string", + "default": "teleport_backend" + }, + "auditLogDatabase": { + "$id": "#/properties/azure/properties/auditLogDatabase", + "type": "string", + "default": "teleport_audit" + }, + "auditLogMirrorOnStdout": { + "$id": "#/properties/azure/properties/auditLogMirrorOnStdout", + "type": "boolean", + "default": false + }, + "sessionRecordingStorageAccount": { + "$id": "#/properties/azure/properties/sessionRecordingStorageAccount", + "type": "string", + "default": "" + }, + "clientID": { + "$id": 
"#/properties/azure/properties/clientID", + "type": "string", + "default": "" + }, + "databasePoolMaxConnections": { + "$id": "#/properties/azure/properties/databasePoolMaxConnections", + "type": "integer", + "default": 0 + } + } + }, + "gcp": { + "$id": "#/properties/gcp", + "type": "object", + "properties": { + "projectId": { + "$id": "#/properties/gcp/properties/projectId", + "type": "string", + "default": "" + }, + "backendTable": { + "$id": "#/properties/gcp/properties/backendTable", + "type": "string", + "default": "" + }, + "auditLogTable": { + "$id": "#/properties/gcp/properties/auditLogTable", + "type": "string", + "default": "" + }, + "auditLogMirrorOnStdout": { + "$id": "#/properties/aws/properties/auditLogMirrorOnStdout", + "type": "boolean", + "default": "false" + }, + "sessionRecordingBucket": { + "$id": "#/properties/gcp/properties/sessionRecordingBucket", + "type": "string", + "default": "" + }, + "credentialSecretName": { + "$id": "#/properties/gcp/properties/credentialSecretName", + "type": "string", + "default": "teleport-gcp-credentials" + } + } + }, + "highAvailability": { + "$id": "#/properties/highAvailability", + "type": "object", + "required": [ + "replicaCount", + "requireAntiAffinity", + "certManager", + "minReadySeconds", + "podDisruptionBudget" + ], + "properties": { + "replicaCount": { + "$id": "#/properties/highAvailability/properties/replicaCount", + "type": "integer", + "default": 1 + }, + "requireAntiAffinity": { + "$id": "#/properties/highAvailability/properties/requireAntiAffinity", + "type": "boolean", + "default": false + }, + "certManager": { + "$id": "#/properties/highAvailability/properties/certManager", + "type": "object", + "required": [ + "enabled", + "issuerName", + "issuerKind", + "issuerGroup" + ], + "properties": { + "addCommonName": { + "$id": "#/properties/highAvailability/properties/certManager/properties/addCommonName", + "type": "boolean", + "default": "false" + }, + "addPublicAddrs": { + "$id": 
"#/properties/highAvailability/properties/certManager/properties/addPublicAddrs", + "type": "boolean", + "default": "false" + }, + "enabled": { + "$id": "#/properties/highAvailability/properties/certManager/properties/enabled", + "type": "boolean", + "default": "false" + }, + "issuerName": { + "$id": "#/properties/highAvailability/properties/certManager/properties/issuerName", + "type": "string", + "default": "" + }, + "issuerKind": { + "$id": "#/properties/highAvailability/properties/certManager/properties/issuerKind", + "type": "string", + "default": "Issuer" + }, + "issuerGroup": { + "$id": "#/properties/highAvailability/properties/certManager/properties/issuerGroup", + "type": "string", + "default": "cert-manager.io" + } + } + }, + "minReadySeconds": { + "$id": "#/properties/highAvailability/properties/minReadySeconds", + "type": "integer", + "default": 15 + }, + "podDisruptionBudget": { + "$id": "#/properties/highAvailability/properties/podDisruptionBudget", + "type": "object", + "required": [ + "enabled", + "minAvailable" + ], + "properties": { + "enabled": { + "$id": "#/properties/highAvailability/properties/podDisruptionBudget/properties/enabled", + "type": "boolean", + "default": false + }, + "minAvailable": { + "$id": "#/properties/highAvailability/properties/podDisruptionBudget/properties/minAvailable", + "type": "integer", + "default": 1 + } + } + } + } + }, + "tls": { + "$id": "#/properties/tls", + "type": "object", + "required": [ + "existingSecretName", + "existingCASecretName" + ], + "properties": { + "existingSecretName": { + "$id": "#/properties/tls/properties/existingSecretName", + "type": "string", + "default": "" + }, + "existingCASecretName": { + "$id": "#/properties/tls/properties/existingCASecretName", + "type": "string", + "default": "" + } + } + }, + "image": { + "$id": "#/properties/image", + "type": "string", + "default": "public.ecr.aws/gravitational/teleport-distroless" + }, + "enterpriseImage": { + "$id": 
"#/properties/enterpriseImage", + "type": "string", + "default": "public.ecr.aws/gravitational/teleport-ent-distroless" + }, + "imagePullSecrets": { + "$id": "#/properties/imagePullSecrets", + "type": "array", + "default": [] + }, + "logLevel": { + "$id": "#/properties/logLevel", + "type": "string", + "enum": [ + "DEBUG", + "INFO", + "WARN", + "WARNING", + "ERROR" + ], + "default": "INFO" + }, + "log": { + "$id": "#/properties/log", + "type": "object", + "required": [ + "output", + "format", + "extraFields" + ], + "properties": { + "level": { + "$id": "#/properties/log/properties/level", + "type": "string", + "enum": [ + "DEBUG", + "INFO", + "WARN", + "WARNING", + "ERROR" + ], + "default": "INFO" + }, + "deployment": { + "$id": "#/properties/log/properties/output", + "type": "string", + "default": {} + }, + "pod": { + "$id": "#/properties/log/properties/format", + "type": "string", + "default": {} + }, + "service": { + "$id": "#/properties/log/properties/extraFields", + "type": "array", + "default": {} + } + } + }, + "affinity": { + "$id": "#/properties/affinity", + "type": "object", + "default": {} + }, + "nodeSelector": { + "$id": "#/properties/nodeSelector", + "type": "object", + "default": {} + }, + "annotations": { + "$id": "#/properties/annotations", + "type": "object", + "required": [ + "config", + "deployment", + "pod", + "service", + "serviceAccount", + "certSecret", + "ingress" + ], + "properties": { + "config": { + "$id": "#/properties/annotations/properties/config", + "type": "object", + "default": {} + }, + "deployment": { + "$id": "#/properties/annotations/properties/deployment", + "type": "object", + "default": {} + }, + "pod": { + "$id": "#/properties/annotations/properties/pod", + "type": "object", + "default": {} + }, + "service": { + "$id": "#/properties/annotations/properties/service", + "type": "object", + "default": {} + }, + "serviceAccount": { + "$id": "#/properties/annotations/properties/serviceAccount", + "type": "object", + "default": {} 
+ }, + "certSecret": { + "$id": "#/properties/annotations/properties/certSecret", + "type": "object", + "default": {} + } + } + }, + "service": { + "$id": "#/properties/service", + "type": "object", + "required": [ + "type" + ], + "properties": { + "type": { + "$id": "#properties/service/type", + "type": "string", + "default": "LoadBalancer" + }, + "spec": { + "$id": "#/properties/service/spec", + "type": "object", + "default": {} + } + } + }, + "ingress": { + "enabled": { + "$id": "#/properties/ingress/enabled", + "type": "boolean", + "default": false + }, + "suppressAutomaticWildcards": { + "$id": "#/properties/ingress/suppressAutomaticWildcards", + "type": "boolean", + "default": false + }, + "spec": { + "$id": "#/properties/ingress/spec", + "type": "object", + "default": {} + } + }, + "serviceAccount": { + "$id": "#/properties/serviceAccount", + "type": "object", + "required": [], + "properties": { + "name": { + "$id": "#properties/service/name", + "type": "string", + "default": "" + }, + "create": { + "$id": "#properties/service/create", + "type": "boolean", + "default": true + } + } + }, + "rbac": { + "$id": "#/properties/rbac", + "type": "object", + "required": [], + "properties": { + "create": { + "$id": "#properties/rbac/create", + "type": "boolean", + "default": true + } + } + }, + "extraArgs": { + "$id": "#/properties/extraArgs", + "type": "array", + "default": [] + }, + "extraEnv": { + "$id": "#/properties/extraEnv", + "type": "array", + "default": [] + }, + "extraContainers": { + "$id": "#/properties/extraContainers", + "type": "array", + "default": [] + }, + "extraVolumes": { + "$id": "#/properties/extraVolumes", + "type": "array", + "default": [] + }, + "extraVolumeMounts": { + "$id": "#/properties/extraVolumeMounts", + "type": "array", + "default": [] + }, + "imagePullPolicy": { + "$id": "#/properties/imagePullPolicy", + "type": "string", + "enum": [ + "Never", + "IfNotPresent", + "Always" + ], + "default": "IfNotPresent" + }, + "initContainers": { 
+ "$id": "#/properties/initContainers", + "type": "array", + "default": [] + }, + "postStart": { + "$id": "#/properties/postStart", + "type": "object", + "required": [ + "command" + ], + "properties": { + "command": { + "$id": "#properties/postStart/command", + "type": "array", + "default": [] + } + } + }, + "kubeClusterName": { + "$id": "#/properties/kubeClusterName", + "type": "string", + "default": "" + }, + "resources": { + "$id": "#/properties/resources", + "type": "object", + "default": {} + }, + "podSecurityContext": { + "$id": "#/properties/podSecurityContext", + "type": "object", + "default": {} + }, + "securityContext": { + "$id": "#/properties/securityContext", + "type": "object", + "default": {} + }, + "tolerations": { + "$id": "#/properties/tolerations", + "type": "array", + "default": [] + }, + "priorityClassName": { + "$id": "#/properties/priorityClassName", + "type": "string", + "default": "" + }, + "probeTimeoutSeconds": { + "$id": "#/properties/probeTimeoutSeconds", + "type": "integer", + "default": 1 + }, + "terminationGracePeriodSeconds": { + "$id": "#/properties/terminationGracePeriodSeconds", + "type": "integer", + "default": 60 + } + } +} diff --git a/teleport-cluster-17.4.9/values.yaml b/teleport-cluster-17.4.9/values.yaml new file mode 100644 index 0000000..25c0acf --- /dev/null +++ b/teleport-cluster-17.4.9/values.yaml 
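Review bot: The `ingress` entry in values.schema.json has no `"type": "object"` and no `"properties"` wrapper; its `enabled`, `suppressAutomaticWildcards` and `spec` keys sit directly under `ingress` where a JSON Schema validator treats them as unknown keywords and ignores them, so nothing under `ingress:` is validated at install time. Wrapping them restores the check: `"ingress": { "$id": "#/properties/ingress", "type": "object", "properties": { ...existing three entries... } }`. The same hunk also carries several boolean properties whose `default` is the string `"true"`/`"false"` (`persistence.enabled`, `aws.auditLogMirrorOnStdout`, `gcp.auditLogMirrorOnStdout`, the three `certManager` flags), a `gcp.auditLogMirrorOnStdout` whose `$id` points at `#/properties/aws/...`, and a `log` object whose `required` list (`output`, `format`, `extraFields`) names keys that do not match its declared `deployment`/`pod`/`service` properties; `default` is annotation-only so these are misleading rather than enforced, but the `required` mismatch would reject a `log:` value that omits those three keys. If this chart is an unmodified copy of upstream 17.4.9, these should be reported upstream and the vendored copy patched alongside.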
@@ -0,0 +1,868 @@ +################################################## +# Values that must always be provided by the user. +################################################## + +# `clusterName` controls the name used to refer to the Teleport cluster, along with +# the externally-facing public address to use to access it. In most setups this must +# be a fully-qualified domain name (e.g. `teleport.example.com`) as this value is +# used as the cluster's public address by default. +# +# Note: When using a fully qualified domain name as your `clusterName`, you will also +# need to configure the DNS provider for this domain to point to the external +# load balancer address of your Teleport cluster. +# +# Warning: The clusterName cannot be changed during a Teleport cluster's lifespan. +# If you need to change it, you must redeploy a completely new cluster. +clusterName: "" + +# Name for this kubernetes cluster to be used by teleport users. +kubeClusterName: "" + +################################################## +# Values that you may need to change. +################################################## + +# Version of teleport image, if different from chart version in Chart.yaml. +# DANGER: `teleportVersionOverride` MUST NOT be used to control the Teleport version. +# This chart is designed to run a specific teleport version (see Chart.yaml). +# You will face compatibility issues trying to run a different Teleport version with it. +# +# If you want to run Teleport version X, you should use `helm --version X` instead. +teleportVersionOverride: "" + +# The `proxyProtocol` value controls whether the Proxy pods will +# accept PROXY lines with the client's IP address when they are +# behind a L4 load balancer (e.g. AWS ELB, GCP L4 LB, etc) with PROXY protocol +# enabled. Since L4 LBs do not preserve the client's IP address, PROXY protocol is +# required to ensure that Teleport can properly audit the client's IP address. 
+# +# When Teleport pods are not behind a L4 LB with PROXY protocol enabled, this +# value should be set to "off" to prevent Teleport from accepting PROXY headers +# from untrusted sources. +# Possible values are "on" and "off". +# - "on" will enable the PROXY protocol for all connections and will require the +# L4 LB to send a PROXY header. +# - "off" will disable the PROXY protocol for all connections and denies all +# connections prefixed with a PROXY header. +# +# If proxyProtocol is unspecified, Teleport does not require PROXY header for the +# connection, but will accept it if present. This mode is considered insecure +# and should only be used for testing purposes. +# +# See https://goteleport.com/docs/admin-guides/management/security/proxy-protocol/ +# for more information. +# +# proxyProtocol: on + +# The `teleport-cluster` charts deploys two sets of pods: auth and proxy. +# +# `auth` allows you to set chart values only for Kubernetes resources related to the Teleport Auth Service. +# This is merged with chart-scoped values and takes precedence in case of conflict. +# For example: +# +# auth: +# postStart: +# command: ["curl", "http://hook"] +# imagePullPolicy: Always +auth: + # auth.teleportConfig contains YAML teleport configuration for auth pods + # The configuration will be merged with the chart-generated configuration + # and will take precedence in case of conflict. + # + # See the Teleport Configuration Reference for the list of supported fields: + # https://goteleport.com/docs/reference/config/ + # + # teleportConfig: + # teleport: + # cache: + # enabled: false + # auth_service: + # client_idle_timeout: 2h + # client_idle_timeout_message: "Connection closed after 2hours without activity" + teleportConfig: {} + +# `proxy` allows you to set chart values only for Kubernetes resources related to the Teleport Proxy Service. +# This is merged with chart-scoped values and takes precedence in case of conflict. 
+# For example: +# proxy: +# postStart: +# command: ["curl", "http://hook"] +# imagePullPolicy: Always +# annotations: +# service: +# external-dns.alpha.kubernetes.io/hostname: "teleport.example.com" +proxy: + # proxy.teleportConfig contains YAML teleport configuration for proxy pods + # The configuration will be merged with the chart-generated configuration + # and will take precedence in case of conflict + # + # See the Teleport Configuration Reference for the list of supported fields: + # https://goteleport.com/docs/reference/config/ + # + # teleportConfig: + # teleport: + # cache: + # enabled: false + # proxy_service: + # https_keypairs: + # - key_file: /my-custom-mount/key.pem + # cert_file: /my-custom-mount/cert.pem + teleportConfig: {} + +authentication: + # Default authentication type. Possible values are 'local' and 'github' for OSS, plus 'oidc' and 'saml' for Enterprise. + type: local + + # Sets the authenticator connector for SSO or the default connector for "local" authentication. + # See SSO for Enterprise (https://goteleport.com/docs/enterprise/sso/). + # See Passwordless for local + # (http://goteleport.com/docs/access-controls/guides/passwordless/#optional-enable-passwordless-by-default). + # Defaults to "local". + connectorName: "" + + # Enable/disable local authentication by setting `authentication.local_auth` in `teleport.yaml`. + # Disabling local auth is required for FedRAMP / FIPS; see https://gravitational.com/teleport/docs/enterprise/ssh-kubernetes-fedramp/. + localAuth: true + + # Controls the locking mode: in case of network split should Teleport guarantee availability or integrity ? + # Possible values are "best_effort" and "strict". When not defined, Teleport defaults to "best_effort". + # See https://goteleport.com/docs/access-controls/guides/locking/#next-steps-locking-modes. + lockingMode: "" + + # DEPRECATED: Second factor requirements for users of the Teleport cluster. 
+ # Controls the `auth_config.authentication.second_factor` field in `teleport.yaml`. + # Possible values are 'off', 'on', 'otp', 'optional' and 'webauthn'. + # This field is kept for backward compatibility purposes, you should use + # `secondFactors` instead. + # + # WARNING: + # If you set `publicAddr` for users to access the cluster under a domain different + # to clusterName you must manually set the webauthn Relying + # Party Identifier (RP ID) - https://www.w3.org/TR/webauthn-2/#relying-party-identifier + # If you don't, RP ID will default to `clusterName` and users will fail + # to register second factors. + # + # You can do this by setting the value + # `auth.teleportConfig.auth_service.authentication.webauthn.rp_id`. + # + # RP ID must be both a valid domain, and part of the full domain users are connecting to. + # For example, if users are accessing the cluster with the domain + # "teleport.example.com", RP ID can be "teleport.example.com" or "example.com". + # + # Changing the RP ID will invalidate all already registered webauthn second factors. + # secondFactor: "" + + # Second factor requirements for users of the Teleport cluster. + # Controls the `auth_config.authentication.second_factors` field in `teleport.yaml`. + # This is a list whose possible item values are item values are 'otp', 'sso' and 'webauthn'. + # This should be preferred over `secondFactor`. + # + # WARNING: + # If you set `publicAddr` for users to access the cluster under a domain different + # to clusterName you must manually set the webauthn Relying + # Party Identifier (RP ID) - https://www.w3.org/TR/webauthn-2/#relying-party-identifier + # If you don't, RP ID will default to `clusterName` and users will fail + # to register second factors. + # + # You can do this by setting the value + # `auth.teleportConfig.auth_service.authentication.webauthn.rp_id`. + # + # RP ID must be both a valid domain, and part of the full domain users are connecting to. 
+ # For example, if users are accessing the cluster with the domain + # "teleport.example.com", RP ID can be "teleport.example.com" or "example.com". + # + # Changing the RP ID will invalidate all already registered webauthn second factors. + secondFactors: ["otp", "webauthn"] + + # (Optional) When using webauthn this allows to restrict which vendor and key models can be used. + # webauthn: + # attestationAllowedCas: + # - /path/to/allowed_ca.pem + # - | + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + # attestationDeniedCas: + # - /path/to/denied_ca.pem + # - | + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + +# Deprecated way to set the authentication type, `authentication.type` should be preferred. +# authenticationType: local + +# Deprecated way to set the authentication second factor, `authentication.secondFactor` should be preferred. +# authenticationSecondFactor: +# secondFactor: "otp" + +# Teleport supports TLS routing. In this mode, all client connections are wrapped in TLS and multiplexed on one Teleport proxy port. +# Default mode will not utilize TLS routing and operate in backwards-compatibility mode. +# +# To use an ingress, set proxyListenerMode=multiplex, ingress.enabled=true and service.type=ClusterIP +# +# Possible values are 'separate' and 'multiplex' +proxyListenerMode: "separate" + +# Optional setting for configuring session recording. +# See `session_recording` under https://goteleport.com/docs/reference/config/#auth-service +sessionRecording: "" + +# By default, Teleport will multiplex Postgres and MongoDB database connections on the same port as the proxy's web listener (443) +# Setting either of these values to true will separate the listeners out onto a separate port (5432 for Postgres, 27017 for MongoDB) +# This is useful when terminating TLS at a load balancer in front of Teleport (such as when using AWS ACM) +# These settings will not apply if proxyListenerMode is set to "multiplex". 
+separatePostgresListener: false +separateMongoListener: false + +# Do not set any of these values unless you explicitly need to. Teleport always uses the cluster name by default. +# +# WARNING: +# If you set `publicAddr` for users to access the cluster under a domain different +# to clusterName, you must manually set the webauthn Relying +# Party Identifier (RP ID) - https://www.w3.org/TR/webauthn-2/#relying-party-identifier +# If you don't, RP ID will default to `clusterName` and users will fail +# to register second factors. +# +# You can do this by setting the value +# `auth.teleportConfig.auth_service.authentication.webauthn.rp_id`. +# +# RP ID must be both a valid domain, and part of the full domain users are connecting to. +# For example, if users are accessing the cluster with the domain +# "teleport.example.com", RP ID can be "teleport.example.com" or "example.com". +# +# Changing the RP ID will invalidate all already registered webauthn second factors. +# +# Public cluster addresses, including port (e.g. teleport.example.com:443) +# Defaults to `clusterName` on port 443. +publicAddr: [] +# Public cluster kube addresses, including port. Defaults to `publicAddr` on port 3026. +# Only used when `proxyListenerMode` is not 'multiplex'. +kubePublicAddr: [] +# Public cluster mongo listener addresses, including port. Defaults to `publicAddr` on port 27017. +# Only used when `proxyListenerMode` is not 'multiplex' and `separateMongoListener` is true. +mongoPublicAddr: [] +# Public cluster MySQL addresses, including port. Defaults to `publicAddr` on port 3036. +# Only used when `proxyListenerMode` is not 'multiplex'. +mysqlPublicAddr: [] +# Public cluster postgres listener addresses, including port. Defaults to `publicAddr` on port 5432. +# Only used when `proxyListenerMode` is not 'multiplex' and `separatePostgresListener` is true. +postgresPublicAddr: [] +# Public cluster SSH addresses, including port. Defaults to `publicAddr` on port 3023. 
+# Only used when `proxyListenerMode` is not 'multiplex'. +sshPublicAddr: [] +# Public cluster tunnel SSH addresses, including port. Defaults to `publicAddr` on port 3024. +# Only used when `proxyListenerMode` is not 'multiplex'. +tunnelPublicAddr: [] + +# ACME is a protocol for getting Web X.509 certificates +# Note: ACME can only be used for single-instance clusters. It is not suitable for use in HA configurations. +# For HA configurations, see either the "highAvailability.certManager" or "tls" values. +# Setting acme to 'true' enables the ACME protocol and will attempt to get a free TLS certificate from Let's Encrypt. +# Setting acme to 'false' (the default) will cause Teleport to generate and use self-signed certificates for its web UI. +# This section is mutually exclusive with the "tls" value below. +acme: false +# acmeEmail is the email address to provide during certificate registration (this is a Let's Encrypt requirement) +acmeEmail: "" +# acmeURI is the ACME server to use for getting certificates. The default is to use Let's Encrypt's production server. +acmeURI: "" + +# Set enterprise to true to use enterprise image +# You will need to download your Enterprise license from the Teleport dashboard and create a secret to use this: +# kubectl -n ${TELEPORT_NAMESPACE?} create secret generic license --from-file=/path/to/downloaded/license.pem +enterprise: false +# Override default Enterprise license name +licenseSecretName: "license" +# CRDs are installed by default when the operator is enabled. This manual override allows to disable CRD installation +# when deploying multiple releases in the same cluster. 
+# installCRDs: + +# Configuration of the optional Teleport operator +operator: + # Set enabled to true to add the Kubernetes Teleport Operator + enabled: false + # Kubernetes Teleport Operator image + image: public.ecr.aws/gravitational/teleport-operator + # Resources to request for the operator container + # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources: {} + # requests: + # cpu: "0.5" + # memory: "1Gi" + # limits: + # memory: "1Gi" + joinMethod: "kubernetes" + token: "teleport-operator" + # This is needed to have a sensible name and predictable service account name. + nameOverride: operator + +# If true, create & use Pod Security Policy resources +# https://kubernetes.io/docs/concepts/policy/pod-security-policy/ +# WARNING: the PSP won't be deployed for Kubernetes 1.23 and higher. +# Please read https://goteleport.com/docs/deploy-a-cluster/helm-deployments/migration-kubernetes-1-25-psp/ +podSecurityPolicy: + enabled: true + +# The `global` section contains values that are shared between the main chart and all subcharts. +global: + # The `clusterDomain` value controls the domain suffix used in the Kubernetes + # DNS service. This is used to resolve service names in the cluster. + # The default value is `cluster.local`. + + # WARNING: Changing this value must match the Kubernetes cluster's configuration + # otherwise Teleport will not be able to resolve service names. + clusterDomain: cluster.local + +# Labels is a map of key-value pairs about this cluster. Those labels are used +# in Teleport to access the Kubernetes cluster. They must not be confused with +# `extraLabels` which are additional labels to add on Kubernetes resources +# created by the Helm chart. +labels: {} + +# Mode to deploy the chart in. The default is "standalone". Options: +# - "standalone": will deploy a Teleport container running auth and proxy services with a PersistentVolumeClaim for storage. 
+# - "aws": will deploy Teleport using DynamoDB for backend/audit log storage and S3 for session recordings. (1) +# - "gcp": will deploy Teleport using Firestore for backend/audit log storage and Google Cloud storage for session recordings. (2) +# - "azure": will deploy Teleport using Azure Database for PostgreSQL for backend/audit and Azure Blob Storage for session recordings. (3) +# - "scratch": will deploy Teleport containers but will not provide default configuration file. You must pass your own configuration. (4) +# (1) To use "aws" mode, you must also configure the "aws" section below. +# (2) To use "gcp" mode, you must also configure the "gcp" section below. +# (3) To use "azure" mode, you must also configure the "azure" section below. +# (4) When set to "scratch", you must write the teleport configuration in auth.teleportConfig and proxy.teleportConfig. +# `scratch` usage is strongly discouraged, this is a last resort option and +# everything should be doable with `standalone` mode + overrides through +# `auth.teleportConfig` and `proxy.teleportConfig`. +chartMode: standalone + +# validateConfigOnDeploy enables a Kubernetes job before install and upgrade that will verify +# if the teleport.yaml configuration is valid and will block the deployment if it is not +validateConfigOnDeploy: true + +# Whether the chart should create a Teleport ProvisionToken for the proxies to join the Teleport cluster. +# Disabling this flag will cause the proxies not to be able to join the auth pods. In this case, the +# Helm chart user is responsible for configuring working join_params on the proxy. +createProxyToken: true + +# podMonitor controls the PodMonitor CR (from monitoring.coreos.com/v1) +# This CRD is managed by the prometheus-operator and allows workload to +# get monitored. To use this value, you need to run a `prometheus-operator` +# in the cluster for this value to take effect. 
+# See https://prometheus-operator.dev/docs/prologue/introduction/ +podMonitor: + # Whether the chart should deploy a PodMonitor. + # Disabled by default as it requires the PodMonitor CRD to be installed. + enabled: false + # additionalLabels to put on the PodMonitor. + # This is used to be selected by a specific prometheus instance. + # Defaults to {prometheus: default} which seems to be the common default prometheus selector + additionalLabels: + prometheus: default + # interval is the interval between two metrics scrapes. Defaults to 30s + interval: 30s + +###################################################################### +# Persistence settings (only used in "standalone" and "scratch" modes) +# NOTE: Changes in Kubernetes 1.23+ mean that persistent volumes will not automatically be provisioned in AWS EKS clusters +# without additional configuration. See https://docs.aws.amazon.com/eks/latest/userguide/ebs-csi.html for more details. +# This driver addon must be configured to use persistent volumes in EKS clusters after Kubernetes 1.23. +###################################################################### +persistence: + # Enable persistence using a PersistentVolumeClaim + enabled: true + # Leave blank to automatically create a PersistentVolumeClaim for Teleport storage. + # If you would like to use a pre-existing PersistentVolumeClaim, put its name here. + existingClaimName: "" + # Size of persistent volume to request when created by Teleport. + # Ignored if existingClaimName is provided. + volumeSize: 10Gi + +################################################## +# AWS-specific settings (only used in "aws" mode) +################################################## +aws: + # The AWS region where the DynamoDB tables are located. + region: "" + # The DynamoDB table name to use for backend storage. Teleport will attempt to create this table automatically if it does not exist. 
+ # The container will need an appropriately-provisioned IAM role with permissions to create DynamoDB tables. + backendTable: "" + # The DynamoDB table name to use for audit log storage. Teleport will attempt to create this table automatically if it does not exist. + # The container will need an appropriately-provisioned IAM role with permissions to create DynamoDB tables. + # This MUST NOT be the same table name as used for 'backendTable' as the schemas are different. + # + # If you are using the Athena backend, you don't need to set this value. + # If you set this value, audit logs will be sent both to the Athena and DynamoDB + # backends, this is useful when migrating backends. + # If both `aws.athenaURL` and `aws.auditLogTable` (DynamoDB) are set, the + # `aws.auditLogPrimaryBackend` value configures which backend is used for querying. + # Teleport queries the audit backend to display the audit log in the web UI, export events + # using the audit log collector, or perform any action that needs to inspect past audit events. + auditLogTable: "" + # Whether to mirror audit log entries to stdout in JSON format (useful for external log collectors) + auditLogMirrorOnStdout: false + # auditLogPrimaryBackend controls which backend is used for queries when multiple + # audit backends are enabled. This setting has no effect when a single audit + # log backend is enabled.This setting is used when migrating from DynamoDB to + # Athena. + # + # Possible values are `dynamo` and `athena`. + auditLogPrimaryBackend: "" + # athenaURL contains the Athena audit log backend configuration + # When this value is set, Teleport will export events to the Athena audit backend. + # + # To use the Athena audit backend, you must set up the required infrastructure + # (S3 buckets, SQS queue, AthenaDB, IAM roles and permissions, ...). 
+ # The requirements are described in the documentation: https://goteleport.com/docs/reference/backends/#athena + # + # If both `aws.athenaURL` and `aws.auditLogTable` (DynamoDB) are set, the + # `aws.auditLogPrimaryBackend` value configures which backend is used for querying. + athenaURL: "" + # The S3 bucket name to use for recorded session storage. Teleport will attempt to create this bucket automatically if it does not exist. + # The container will need an appropriately-provisioned IAM role with permissions to create S3 buckets. + sessionRecordingBucket: "" + # Whether or not to turn on DynamoDB backups + backups: false + + # Whether Teleport should configure DynamoDB's autoscaling. + # + # WARNING: DynamoDB autoscaling is no longer recommended. Teleport now + # defaults to "on demand" DynamoDB billing, which has more reliable performance. + # + # Requires additional statements in the IAM Teleport Policy to be allowed to configure the autoscaling. + # See https://goteleport.com/docs/setup/reference/backends/#dynamodb-autoscaling + dynamoAutoScaling: false + + # DynamoDB autoscaling settings. Required if `dynamoAutoScaling` is `true`. + # See https://goteleport.com/docs/setup/reference/backends/#dynamodb-autoscaling + readMinCapacity: null # Integer + readMaxCapacity: null # Integer + readTargetValue: null # Float + writeMinCapacity: null # Integer + writeMaxCapacity: null # Integer + writeTargetValue: null # Float + + # accessMonitoring configures the Access Monitoring feature of the Auth Service. + # Using this features requires setting up specific AWS infrastructure as described + # in https://goteleport.com/docs/access-controls/access-monitoring/#configuration + # The Terraform example code will output the chart values for this section. + accessMonitoring: + enabled: false + # reportResults is the bucket uri where query results are reported. 
+ # Example: "s3://example-athena-long-term/report_results" + reportResults: "" + # roleARN is the ARN of the role that is assumed to run the reports. + roleARN: "" + # workgroup is the Athena workgroup in which Teleport runs queries. + workgroup: "" + +################################################## +# GCP-specific settings (only used in "gcp" mode) +################################################## +gcp: + # The project name being used for the GCP account where Teleport is running. + # See https://support.google.com/googleapi/answer/7014113?hl=en + projectId: "" + # The Firestore collection to use for backend storage. Teleport will attempt to create this collection automatically if it does not exist. + # Either of the following must be true: + # - The container will need an appropriately-provisioned IAM role/service account with permissions to create Firestore collections + # - The service account credentials provided via 'credentialSecretName' will need permissions to create Firestore collections. + backendTable: "" + # The Firestore collection to use for audit log storage. Teleport will attempt to create this collection automatically if it does not exist. + # Either of the following must be true: + # - The container will need an appropriately-provisioned IAM role/service account with permissions to create Firestore collections + # - The service account credentials provided via 'credentialSecretName' will need permissions to create Firestore collections. + # This MUST NOT be the same collection name as used for 'backendTable' as the schemas are different. + auditLogTable: "" + # Whether to mirror audit log entries to stdout in JSON format (useful for external log collectors) + auditLogMirrorOnStdout: false + # The Google storage bucket name to use for recorded session storage. This bucket must already exist in the Google account being used. + sessionRecordingBucket: "" + # The name of the Kubernetes secret used to store the Google credentials. 
+ # You will need to create this secret manually. It must contain a JSON file from Google with the credentials that Teleport will use. + # You can override this to a blank value if the worker node running Teleport already has a service account which grants access. + credentialSecretName: teleport-gcp-credentials + +##################################################### +# Azure-specific settings (only used in "azure" mode) +##################################################### +azure: + # The fully qualified hostname of the Postgres database cluster hosted in Azure. + # It should follow the format ".postgres.database.azure.com". + databaseHost: "" + # The Postgres user Teleport must use to connect to the backend and audit + # databases. + databaseUser: "" + # The Postgres database to use for backend storage. + backendDatabase: "teleport_backend" + # The Postgres database to use for audit log storage. + # This MUST NOT be the same database as used for 'backendDatabase'. + auditLogDatabase: "teleport_audit" + # Whether to mirror audit log entries to stdout in JSON format (useful for external log collectors) + auditLogMirrorOnStdout: false + # The fully qualified domain name of the Azure Blob Storage account to use for + # recorded session storage. This account must already exist. + # It should follow the format ".blob.core.windows.net" + sessionRecordingStorageAccount: "" + # Azure client ID is used by the Kubernetes Service Account to know which + # Application it should impersonate. This can be unset only if the clientID is + # passed through other means (e.g. environment variable) + clientID: "" + # Controls the `pool_max_conns` setting passed to PostgreSQL. This is the + # max amount of connections Teleport can open to the database. This can affect + # performance on large clusters and depends on various factors like the + # database size, the number of CPU cores available for Teleport, GOMAXPROCS + # and the database latency. 
+ # This only applies to the core backend connections, not the audit log ones. + # 0 means the parameter is not set and the client's default is used (recommended) + databasePoolMaxConnections: 0 + +# `highAvailability` contains settings controlling how Teleport pods are +# replicated and scheduled. This allows Teleport to run in a highly-available +# fashion: Teleport should sustain the crash/loss of a machine without interrupting +# the service. +# +# For auth pods: +# When using "standalone" or "scratch" mode, you must use highly-available storage +# (etcd, DynamoDB or Firestore) for multiple replicas to be supported. +# Manually configuring NFS-based storage or ReadWriteMany volume claims +# is NOT supported and will result in errors. Using Teleport's built-in +# ACME client (as opposed to using cert-manager or passing certs through a secret) +# is not supported with multiple replicas. +# For proxy pods: +# Proxy pods need to be provided a certificate to be replicated (either via +# `tls.existingSecretName` or via `highAvailability.certManager`) or be exposed +# via an ingress (`ingress.enabled`). +# If proxy pods are replicable, they will default to 2 replicas, +# even if `highAvailability.replicaCount` is 1. To force a single proxy replica, +# set `proxy.highAvailability.replicaCount: 1`. +highAvailability: + # Controls the amount of pod replicas. The `highAvailability` comment describes + # the replication requirements. + # + # WARNING: You **must** meet the replication criteria, + # else the deployment will result in errors and inconsistent data. + replicaCount: 1 + # Setting 'requireAntiAffinity' to true will use 'requiredDuringSchedulingIgnoredDuringExecution' to require that multiple Teleport pods must not be scheduled on the + # same physical host. This will result in Teleport pods failing to be scheduled in very small clusters or during node downtime, so should be used with caution. 
+ # Setting 'requireAntiAffinity' to false (the default) uses 'preferredDuringSchedulingIgnoredDuringExecution' to make this a soft requirement. + # This setting only has any effect when replicaCount is greater than 1. + requireAntiAffinity: false + # If enabled will create a Pod Disruption Budget + # https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + podDisruptionBudget: + enabled: false + minAvailable: 1 + # Settings for cert-manager (can be used for provisioning TLS certs in HA mode) + # These settings are mutually exclusive with the "tls" value below. + certManager: + # If set to true, use cert-manager to get certificates for Teleport to use for TLS termination + enabled: false + # If set to true, a common name matching the cluster name will be set in the certificate signing request. This is mandatory for some CAs. + addCommonName: false + # If set to true, any additional public addresses configured under the `publicAddr` chart value will be added to the certificate signing request. + # This setting is not enabled by default to preserve backward compatibility. + addPublicAddrs: false + # Name of the Issuer/ClusterIssuer to use for certs + # NOTE: You will always need to create this yourself when certManager.enabled is true. + issuerName: "" + # Kind of Issuer that cert-manager should look for. + # This defaults to 'Issuer' to keep everything contained within the teleport namespace. + issuerKind: Issuer + # Group of Issuer that cert-manager should look for. + # This defaults to 'cert-manager.io' which is the default Issuer group. + issuerGroup: cert-manager.io + # Injects delay when performing pod rollouts to mitigate the loss of all agent tunnels at the same time + # See https://github.com/gravitational/teleport/issues/13129 + minReadySeconds: 15 + +# Settings for mounting your own TLS keypair to secure Teleport's web UI. +# These settings are mutually exclusive with the "highAvailability.certManager" and "acme" values above. 
+tls: + # Name of an existing secret to use which contains a TLS keypair. Will automatically set the https_keypairs section in teleport.yaml. + # Create the secret in the same namespace as Teleport using `kubectl create secret tls my-tls-secret --cert=/path/to/cert/file --key=/path/to/key/file` + # See https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets for more information. + existingSecretName: "" + # (optional) Name of an existing secret to use which contains a CA or trust bundle in x509 PEM format. + # Useful for building trust when using intermediate certificate authorities. + # This will automatically set the SSL_CERT_FILE environment variable to trust the CA. + # Create the secret with `kubectl create secret generic --from-file=ca.pem=/path/to/root-ca.pem + # The filename inside the secret is important - it _must_ be ca.pem + existingCASecretName: "" + +################################################## +# Values that you shouldn't need to change. +################################################## + +# Container image for the cluster. By default, the image contains only the +# Teleport application and its runtime dependencies, and does not contain a +# shell. +image: public.ecr.aws/gravitational/teleport-distroless +# Enterprise version of the image. By default, the image contains only the +# Teleport application and its runtime dependencies, and does not contain a +# shell. +enterpriseImage: public.ecr.aws/gravitational/teleport-ent-distroless +# Optional array of imagePullSecrets, to use when pulling from a private registry +imagePullSecrets: [] +# Teleport logging configuration +log: + # Log level for the Teleport process. + # Available log levels are: DEBUG, INFO, WARNING, ERROR. + # The default is INFO, which is recommended in production. + # DEBUG is useful during first-time setup or to see more detailed logs for debugging. + level: INFO + # Log output + # Use a file path to log to disk: e.g. 
'/var/lib/teleport/teleport.log' + # Other supported values: 'stdout', 'stderr' and 'syslog' + output: stderr + # Log format configuration + # Possible output values are 'json' and 'text' (default). + format: text + # Possible extra_fields values include: timestamp, component, caller, and level. + # All extra fields are included by default. + extraFields: ["timestamp", "level", "component", "caller"] + +################################## +# Extra Kubernetes configuration # +################################## + +# nodeSelector to apply for pod assignment +# https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector +nodeSelector: {} + +# Turns off the topology spread constraints. +# The feature is automatically turned off on Kubernetes versions below 1.18. +disableTopologySpreadConstraints: false + +# Pod topology spread constraints: +# https://kubernetes.io/fr/docs/concepts/workloads/pods/pod-topology-spread-constraints/ +# When unset, the chart defaults to a soft topology spread constraint +# that tries to spread pods across hosts and zones. +# +# ``` +# topologySpreadConstraints +# - maxSkew: 1 +# topologyKey: kubernetes.io/hostname +# whenUnsatisfiable: ScheduleAnyway +# labelSelector: +# matchLabels: # dynamically computed +# - maxSkew: 1 +# topologyKey: topology.kubernetes.io/zone +# whenUnsatisfiable: ScheduleAnyway +# labelSelector: +# matchLabels: # dynamically computed +# ``` +topologySpreadConstraints: [] + +# Affinity for pod assignment +# https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +# NOTE: If affinity is set here, highAvailability.requireAntiAffinity cannot also be used - you can only set one or the other. 
+affinity: {} + +# Kubernetes annotations to apply +# https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ +annotations: + # Annotations for the ConfigMap + config: {} + # Annotations for the Deployment + deployment: {} + # Annotations for each Pod in the Deployment + pod: {} + # Annotations for the Service object + service: {} + # Annotations for the ServiceAccount object + serviceAccount: {} + # Annotations for the certificate secret generated by cert-manager v1.5+ when + # highAvailability.certManager.enabled is true + certSecret: {} + # Annotations for the Ingress object + ingress: {} + +# extraLabels -- contains additional Kubernetes labels to apply on the resources +# created by the chart. +# See [the Kubernetes label documentation +# ](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) +# for more information. +# +# Note: for PodMonitor labels, see `podMonitor.additionalLabels` instead. +extraLabels: + # extraLabels.certSecret(object) -- are labels to set on the certificate secret + # generated by cert-manager v1.5+ when `highAvailability.certManager.enabled` + # is true. + certSecret: {} + # extraLabels.clusterRole(object) -- are labels to set on the ClusterRole. + clusterRole: {} + # extraLabels.clusterRoleBinding(object) -- are labels to set on the ClusterRoleBinding. + clusterRoleBinding: {} + # extraLabels.role(object) -- are labels to set on the Role. + config: {} + # extraLabels.deployment(object) -- are labels to set on the Deployment. + deployment: {} + # extraLabels.ingress(object) -- are labels to set on the Ingress. + ingress: {} + # extraLabels.job(object) -- are labels to set on the Job run by the Helm hook. + job: {} + # extraLabels.jobPod(object) -- are labels to set on the Pods created by the + # Job run by the Helm hook. + jobPod: {} + # extraLabels.persistentVolumeClaim(object) -- are labels to set on the PersistentVolumeClaim. 
+ persistentVolumeClaim: {} + # extraLabels.pod(object) -- are labels to set on the Pods created by the + # Deployment. + pod: {} + # extraLabels.podDisruptionBudget(object) -- are labels to set on the podDisruptionBudget. + podDisruptionBudget: {} + # extraLabels.secret(object) -- are labels to set on the Secret. + secret: {} + # extraLabels.service(object) -- are labels to set on the Service. + service: {} + # extraLabels.serviceAccount(object) -- are labels to set on the ServiceAccount. + serviceAccount: {} + +# Kubernetes service account to create/use. +serviceAccount: + # Specifies whether a ServiceAccount should be created + create: true + # The name of the ServiceAccount to use. + # If not set and serviceAccount.create is true, the name is generated using the release name. + # If create is false, the name will be used to reference an existing service account. + name: "" + # To set annotations on the service account, use the annotations.serviceAccount value. + +# Set to true (default) to create Kubernetes ClusterRole and ClusterRoleBinding. +rbac: + # Specifies whether a ClusterRole and ClusterRoleBinding should be created. + # Set to false if your cluster level resources are managed separately. + create: true + +# Options for the Teleport proxy service +# This setting only applies to the proxy service. The teleport auth service is internal-only and always uses a ClusterIP. +# You can override the proxy's backend service to any service type (other than "LoadBalancer") here if really needed. +# To use an Ingress, set service.type=ClusterIP and ingress.enabled=true +service: + type: LoadBalancer + # Additional entries here will be added to the service spec. + spec: {} + # loadBalancerIP: "1.2.3.4" + +# Options for ingress +# If you set ingress.enabled to true, service.type MUST also be set to something other than "LoadBalancer" to prevent +# additional unnecessary load balancers from being created. Ingress controllers should provision their own load balancer. 
+# Using an Ingress also requires that you use the `tsh` client to connect to Kubernetes clusters and databases behind Teleport. +# See https://goteleport.com/docs/architecture/tls-routing/#working-with-layer-7-load-balancers-or-reverse-proxies-preview for details. +ingress: + enabled: false + # useExisting indicates to the chart that you are managing your own ingress. + # (or HTTPRoute, or any other LoadBalancing method that terminates TLS). + # The chart will configure Teleport like it's running behind an ingress, but will not create the ingress resource. + # You are responsible for creating and managing the ingress. + useExisting: false + # Setting suppressAutomaticWildcards to true will not automatically add *. as a hostname served + # by the Ingress. This may be desirable if you don't use Teleport Application Access. + suppressAutomaticWildcards: false + # Additional entries here will be added to the ingress spec. + spec: {} + # ingressClassName: nginx + +# Extra arguments to pass to 'teleport start' for the main Teleport pod +extraArgs: [] + +# Extra environment to be configured on the Teleport pod +extraEnv: [] + +# Extra containers to be added to the Teleport pod +extraContainers: [] +# - name: nscenter +# command: +# - /bin/bash +# - -c +# - sleep infinity & wait +# image: praqma/network-multitool +# imagePullPolicy: IfNotPresent +# securityContext: +# privileged: true +# runAsNonRoot: false + +# Extra volumes to mount into the Teleport pods +# https://kubernetes.io/docs/concepts/storage/volumes/ +extraVolumes: [] +# - name: myvolume +# secret: +# secretName: testSecret + +# Extra volume mounts corresponding to the volumes mounted above +extraVolumeMounts: [] +# - name: myvolume +# mountPath: /path/on/host + +# Allow the imagePullPolicy to be overridden +imagePullPolicy: IfNotPresent + +# A list of initContainers to run before each Teleport pod starts +# https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ +initContainers: [] +# - name: 
"teleport-init" +# image: "alpine" +# args: ["echo test"] + +# If set, will run the command as a postStart handler +# https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/ +postStart: + command: [] + +# Resources to request for the teleport container +# https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +# +# DANGER: Setting CPU limits is an anti-pattern and harmful in most cases. +# Unless you enabled [the Static CPU management policy](https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#static-policy), +# a multithreaded workload with CPU limits will very likely not behave the way +# you expect when approaching its CPU limit. +# +# Teleport will become unstable once throttling starts. We recommend not to set CPU limits. +# See [the GitHub PR](https://github.com/gravitational/teleport/pull/36251) for technical details. +resources: {} +# requests: +# cpu: "1" +# memory: "2Gi" +# limits: +# memory: "2Gi" + +# Pod security context for any pods created by the chart +podSecurityContext: {} + # fsGroup: 65532 + +# Security context to add to the container +securityContext: {} + # runAsUser: 99 + +# Priority class name to add to the deployment +priorityClassName: "" + +# Tolerations for pod assignment +# https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +tolerations: [] + +# Timeouts for the readiness and liveness probes +# https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ +probeTimeoutSeconds: 5 + +# readinessProbe(object) -- configures the readiness probe settings. +# This can be tuned to keep proxy pods ready even when the auth is unavailable. +# +# The default values mark the pod unready after one minute of failing readiness probe. +readinessProbe: + # readinessProbe.initialDelaySeconds(int) -- controls the number of seconds after the container has started before + # liveness probes are initiated. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
+ initialDelaySeconds: 5
+ # readinessProbe.periodSeconds(int) -- controls how often (in seconds) to perform the probe. Minimum value is 1.
+ periodSeconds: 5
+ # readinessProbe.failureThreshold(int) -- is the minimum consecutive failures for the probe to be considered failed
+ # after having succeeded. Minimum value is 1.
+ failureThreshold: 12
+ # readinessProbe.successThreshold(int) -- is the minimum consecutive successes for the probe to be considered
+ # successful after having failed. Minimum value is 1.
+ successThreshold: 1
+
+# Kubernetes termination grace period
+# https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution
+#
+# This should be greater than 30 seconds as pods are waiting 30 seconds in a preStop hook.
+terminationGracePeriodSeconds: 60
diff --git a/teleport-cluster/Chart.yaml b/teleport-cluster/Chart.yaml
index 97d66f1..fdda123 100644
--- a/teleport-cluster/Chart.yaml
+++ b/teleport-cluster/Chart.yaml
@@ -1,13 +1,13 @@
 apiVersion: v2
-appVersion: 17.4.9
+appVersion: 18.0.1
 dependencies:
 - alias: operator
 name: teleport-operator
 repository: ""
- version: 17.4.9
+ version: 18.0.1
 description: Teleport is an access platform for your infrastructure
 icon: https://goteleport.com/static/teleport-symbol-bimi.svg
 keywords:
 - Teleport
 name: teleport-cluster
-version: 17.4.9
+version: 18.0.1
diff --git a/teleport-cluster/charts/teleport-operator/Chart.yaml b/teleport-cluster/charts/teleport-operator/Chart.yaml
index 64d9260..c49fcd2 100644
--- a/teleport-cluster/charts/teleport-operator/Chart.yaml
+++ b/teleport-cluster/charts/teleport-operator/Chart.yaml
@@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: 17.4.9 +appVersion: 18.0.1 description: Teleport Operator provides management of select Teleport resources. icon: https://goteleport.com/static/teleport-symbol-bimi.svg keywords: - Teleport name: teleport-operator -version: 17.4.9 +version: 18.0.1 diff --git a/teleport-cluster/charts/teleport-operator/README.md b/teleport-cluster/charts/teleport-operator/README.md index 8755e8c..f723792 100644 --- a/teleport-cluster/charts/teleport-operator/README.md +++ b/teleport-cluster/charts/teleport-operator/README.md @@ -16,9 +16,9 @@ The chart can be deployed in two ways: ```code helm install teleport/teleport-operator teleport-operator --set authAddr=teleport.example.com:443 --set token=my-operator-token ``` - See [the standalone guide](https://goteleport.com/docs/management/dynamic-resources/teleport-operator-standalone/) for more details. + See [the standalone guide](https://goteleport.com/docs/admin-guides/infrastructure-as-code/teleport-operator/teleport-operator-standalone/) for more details. - as a dependency of the `teleport-cluster` Helm chart by adding `--set operator.enabled=true`. See - [the operator within teleport-cluster chart guide](https://goteleport.com/docs/management/dynamic-resources/teleport-operator-helm/). + [the operator within teleport-cluster chart guide](https://goteleport.com/docs/admin-guides/infrastructure-as-code/teleport-operator/teleport-operator-helm/). ## Values and reference diff --git a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_accesslists.yaml b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_accesslists.yaml index 2c59561..57651c9 100644 --- a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_accesslists.yaml +++ b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_accesslists.yaml 
@@ -190,6 +190,12 @@ spec: description: title is a plaintext short description of the Access List. type: string + type: + description: type can be currently "dynamic" (the default if empty + string) which denotes a regular Access List, "scim" which represents + an Access List created from SCIM group or "static" for Access Lists + managed by IaC tools. + type: string type: object status: description: Status defines the observed state of the Teleport resource diff --git a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_autoupdateconfigsv1.yaml b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_autoupdateconfigsv1.yaml new file mode 100644 index 0000000..f56da0e --- /dev/null +++ b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_autoupdateconfigsv1.yaml 
@@ -0,0 +1,176 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: teleportautoupdateconfigsv1.resources.teleport.dev +spec: + group: resources.teleport.dev + names: + kind: TeleportAutoupdateConfigV1 + listKind: TeleportAutoupdateConfigV1List + plural: teleportautoupdateconfigsv1 + shortNames: + - autoupdateconfigv1 + - autoupdateconfigsv1 + singular: teleportautoupdateconfigv1 + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: AutoupdateConfigV1 is the Schema for the autoupdateconfigsv1 + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AutoupdateConfig resource definition v1 from Teleport + properties: + agents: + nullable: true + properties: + maintenance_window_duration: + description: maintenance_window_duration is the maintenance window + duration. This can only be set if `strategy` is "time-based". + Once the window is over, the group transitions to the done state. + Existing agents won't be updated until the next maintenance + window. + format: duration + type: string + mode: + description: mode specifies whether agent autoupdates are enabled, + disabled, or paused. + type: string + schedules: + description: schedules specifies schedules for updates of grouped + agents. 
+ nullable: true + properties: + regular: + description: regular schedules for non-critical versions. + items: + properties: + days: + description: days when the update can run. Supported + values are "Mon", "Tue", "Wed", "Thu", "Fri", "Sat", + "Sun" and "*" + items: + type: string + nullable: true + type: array + name: + description: name of the group + type: string + start_hour: + description: start_hour to initiate update + format: int32 + type: integer + wait_hours: + description: wait_hours after last group succeeds before + this group can run. This can only be used when the + strategy is "halt-on-failure". This field must be + positive. + format: int32 + type: integer + type: object + nullable: true + type: array + type: object + strategy: + description: strategy to use for updating the agents. + type: string + type: object + tools: + nullable: true + properties: + mode: + description: Mode defines state of the client tools auto update. + type: string + type: object + type: object + status: + description: Status defines the observed state of the Teleport resource + properties: + conditions: + description: Conditions represent the latest available observations + of an object's state + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. 
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + teleportResourceID: + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_autoupdateversionsv1.yaml b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_autoupdateversionsv1.yaml new file mode 100644 index 0000000..dc35ecb --- /dev/null +++ b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_autoupdateversionsv1.yaml 
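Review bot: Whoever can create or edit `TeleportAutoupdateConfigV1` objects in the operator's namespace, together with `TeleportAutoupdateVersionV1` objects from the next file, effectively chooses which Teleport binary every agent rolls to, since `agents.mode`, `strategy`, `schedules` and (in the versions CRD) `target_version` are exposed as ordinary namespaced Kubernetes resources. That makes RBAC on these two new CRDs a supply-chain boundary that is worth restricting deliberately when this upgrade is applied, not left to whatever default binding the namespace already grants. `mode` and `strategy` are bare `type: string` fields, so the values the descriptions name ("time-based", "halt-on-failure", enabled/disabled/paused) are not enforced at admission; a typo is accepted and only reported later, presumably through the `status.conditions` defined in the same schema. None of this is a defect introduced by the commit, but it is the operational check to make before turning on `operator.enabled=true` with these CRDs installed.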
@@ -0,0 +1,141 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: teleportautoupdateversionsv1.resources.teleport.dev +spec: + group: resources.teleport.dev + names: + kind: TeleportAutoupdateVersionV1 + listKind: TeleportAutoupdateVersionV1List + plural: teleportautoupdateversionsv1 + shortNames: + - autoupdateversionv1 + - autoupdateversionsv1 + singular: teleportautoupdateversionv1 + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: AutoupdateVersionV1 is the Schema for the autoupdateversionsv1 + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AutoupdateVersion resource definition v1 from Teleport + properties: + agents: + nullable: true + properties: + mode: + description: autoupdate_mode to use for the rollout + type: string + schedule: + description: schedule to use for the rollout + type: string + start_version: + description: start_version is the version to update from. + type: string + target_version: + description: target_version is the version to update to. + type: string + type: object + tools: + nullable: true + properties: + target_version: + description: TargetVersion specifies the semantic version required + for tools to establish a connection with the cluster. 
Client + tools after connection to the cluster going to be updated to + this version automatically. + type: string + type: object + type: object + status: + description: Status defines the observed state of the Teleport resource + properties: + conditions: + description: Conditions represent the latest available observations + of an object's state + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + teleportResourceID: + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_oidcconnectors.yaml b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_oidcconnectors.yaml index 29a7b8e..c3881a6 100644 --- a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_oidcconnectors.yaml +++ b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_oidcconnectors.yaml @@ -152,6 +152,10 @@ spec: for backwards compatibility. type: string type: object + pkce_mode: + description: PKCEMode represents the configuration state for PKCE + (Proof Key for Code Exchange). It can be "enabled" or "disabled" + type: string prompt: description: Prompt is an optional OIDC prompt. An empty string omits prompt. If not specified, it defaults to select_account for backwards diff --git a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_provisiontokens.yaml b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_provisiontokens.yaml index 00ebc52..2d8522d 100644 --- a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_provisiontokens.yaml +++ b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_provisiontokens.yaml 
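Review bot: `pkce_mode` in the oidcconnectors hunk is declared as a bare `type: string`, so the two documented values "enabled" and "disabled" are not enforced by the schema; a misspelled value passes admission and surfaces later, if at all, through the operator's status conditions. PKCE is the mitigation for authorization-code interception in the OIDC flow, so what Teleport 18.0.1 applies when the field is empty should be confirmed before relying on the default, as that behaviour is not visible here. Upstream, `enum: ["enabled", "disabled"]` under `pkce_mode` would close the gap; since these CRDs are generated, the fix belongs there rather than in this vendored copy. The `type` field added in the accesslists hunk has the same free-form shape for its three documented values.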
@@ -102,6 +102,43 @@ spec: nullable: true type: array type: object + azure_devops: + description: AzureDevops allows the configuration of options specific + to the "azure_devops" join method. + nullable: true + properties: + allow: + description: Allow is a list of TokenRules, nodes using this token + must match one allow rule to use this token. At least one allow + rule must be specified. + items: + properties: + definition_id: + type: string + pipeline_name: + type: string + project_id: + type: string + project_name: + type: string + repository_ref: + type: string + repository_uri: + type: string + repository_version: + type: string + sub: + type: string + type: object + nullable: true + type: array + organization_id: + description: OrganizationID specifies the UUID of the Azure DevOps + organization that this join token will grant access to. This + is used to identify the correct issuer verification of the ID + token. This is a required field. + type: string + type: object bitbucket: description: Bitbucket allows the configuration of options specific to the "bitbucket" join method. 
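Review bot: The `azure_devops` block documents `organization_id` as "a required field" and says "At least one allow rule must be specified", yet the schema declares no `required:` list and no `minItems` on `allow`, so a token CR that omits the organization or carries an empty allow list is accepted at admission. `organization_id` is what ties issuer verification of the ID token to one tenant and the allow rules are what bind the join to specific pipelines, so such a CR should be rejected by Teleport when the operator reconciles it; that is not visible here and is worth confirming, and watching the operator's status conditions for rejected tokens is the practical check for this deployment. Upstream, `required: [organization_id]` under `azure_devops` and `minItems: 1` on `allow` would make the documented contract enforceable by the API server.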
@@ -140,6 +177,45 @@ spec: description: BotName is the name of the bot this token grants access to, if any type: string + bound_keypair: + description: BoundKeypair allows the configuration of options specific + to the "bound_keypair" join method. + nullable: true + properties: + onboarding: + description: Onboarding contains parameters related to initial + onboarding and keypair registration. + nullable: true + properties: + initial_public_key: + type: string + must_register_before: + format: date-time + type: string + registration_secret: + type: string + type: object + recovery: + description: Recovery contains parameters related to recovery + after identity expiration. + nullable: true + properties: + limit: + format: int32 + type: integer + mode: + type: string + type: object + rotate_after: + description: RotateAfter is an optional timestamp that forces + clients to perform a keypair rotation on the next join or recovery + attempt after the given date. If `LastRotatedAt` is unset or + before this timestamp, a rotation will be requested. It is recommended + to set this value to the current timestamp if a rotation should + be triggered on the next join attempt. + format: date-time + type: string + type: object circleci: description: CircleCI allows the configuration of options specific to the "circleci" join method. diff --git a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml index 5b8d0cd..09ce2f3 100644 --- a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml +++ b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml 
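Review bot: `bound_keypair.onboarding.registration_secret` is a plain `type: string` in the CR spec, so the onboarding secret lives in the provision-token object itself rather than in a Kubernetes Secret, readable by anyone with `get` on that resource and committed to git if these CRs are managed like the rest of this repo. Whether the operator accepts a Secret reference instead is not visible here; if it does not, RBAC on the provision-token CRD should be treated as secret-bearing and `must_register_before` set tightly so a leaked value has a short useful window. `initial_public_key` carries no such concern, and `recovery.limit` / `recovery.mode` appear to govern how often a client may re-join after its identity expires, which is worth reviewing alongside the token's allow rules.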
@@ -270,6 +270,10 @@ spec: Role grants access to. items: properties: + api_group: + description: APIGroup specifies the Kubernetes API group + of the Kubernetes resource. It supports wildcards. + type: string kind: description: Kind specifies the Kubernetes Resource type. type: string @@ -357,6 +361,10 @@ spec: "kube_cluster" and enforce requesting any of its subresources.' items: properties: + api_group: + description: APIGroup specifies the Kubernetes Resource + API group. + type: string kind: description: kind specifies the Kubernetes Resource type. @@ -858,6 +866,10 @@ spec: Role grants access to. items: properties: + api_group: + description: APIGroup specifies the Kubernetes API group + of the Kubernetes resource. It supports wildcards. + type: string kind: description: Kind specifies the Kubernetes Resource type. type: string @@ -945,6 +957,10 @@ spec: "kube_cluster" and enforce requesting any of its subresources.' items: properties: + api_group: + description: APIGroup specifies the Kubernetes Resource + API group. + type: string kind: description: kind specifies the Kubernetes Resource type. @@ -1743,6 +1759,10 @@ spec: Role grants access to. items: properties: + api_group: + description: APIGroup specifies the Kubernetes API group + of the Kubernetes resource. It supports wildcards. + type: string kind: description: Kind specifies the Kubernetes Resource type. type: string @@ -1830,6 +1850,10 @@ spec: "kube_cluster" and enforce requesting any of its subresources.' items: properties: + api_group: + description: APIGroup specifies the Kubernetes Resource + API group. + type: string kind: description: kind specifies the Kubernetes Resource type. @@ -2331,6 +2355,10 @@ spec: Role grants access to. items: properties: + api_group: + description: APIGroup specifies the Kubernetes API group + of the Kubernetes resource. It supports wildcards. + type: string kind: description: Kind specifies the Kubernetes Resource type. type: string 
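Review bot: Existing TeleportRole CRs in this repo that omit the new `api_group` remain valid at admission, because it is added to `kubernetes_resources` in both the allow and deny sections and under `request.kubernetes_resources` as an optional free-form string whose description says "It supports wildcards" without any pattern or enum. How Teleport 18.0.1 interprets a missing or wildcard `api_group` for the role version each CR declares is not visible here and directly determines how broad the Kubernetes access a role grants is, so the deployed roles should be re-checked against the 18.x role reference before this lands, especially deny rules that were written without an API group. This is part of the 17.4.9→18.0.1 chart bump that the commit bundles under "Reduce harbor resources"; splitting the Teleport upgrade into its own commit would make that review easier to trace. The same hunks repeat in rolesv6 and rolesv7.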
@@ -2418,6 +2446,10 @@ spec: "kube_cluster" and enforce requesting any of its subresources.' items: properties: + api_group: + description: APIGroup specifies the Kubernetes Resource + API group. + type: string kind: description: kind specifies the Kubernetes Resource type. diff --git a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv6.yaml b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv6.yaml index dd182ab..512eee6 100644 --- a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv6.yaml +++ b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv6.yaml @@ -273,6 +273,10 @@ spec: Role grants access to. items: properties: + api_group: + description: APIGroup specifies the Kubernetes API group + of the Kubernetes resource. It supports wildcards. + type: string kind: description: Kind specifies the Kubernetes Resource type. type: string @@ -360,6 +364,10 @@ spec: "kube_cluster" and enforce requesting any of its subresources.' items: properties: + api_group: + description: APIGroup specifies the Kubernetes Resource + API group. + type: string kind: description: kind specifies the Kubernetes Resource type. @@ -861,6 +869,10 @@ spec: Role grants access to. items: properties: + api_group: + description: APIGroup specifies the Kubernetes API group + of the Kubernetes resource. It supports wildcards. + type: string kind: description: Kind specifies the Kubernetes Resource type. type: string @@ -948,6 +960,10 @@ spec: "kube_cluster" and enforce requesting any of its subresources.' items: properties: + api_group: + description: APIGroup specifies the Kubernetes Resource + API group. + type: string kind: description: kind specifies the Kubernetes Resource type. 
diff --git a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv7.yaml b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv7.yaml index 2f43956..e72c514 100644 --- a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv7.yaml +++ b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv7.yaml @@ -273,6 +273,10 @@ spec: Role grants access to. items: properties: + api_group: + description: APIGroup specifies the Kubernetes API group + of the Kubernetes resource. It supports wildcards. + type: string kind: description: Kind specifies the Kubernetes Resource type. type: string @@ -360,6 +364,10 @@ spec: "kube_cluster" and enforce requesting any of its subresources.' items: properties: + api_group: + description: APIGroup specifies the Kubernetes Resource + API group. + type: string kind: description: kind specifies the Kubernetes Resource type. @@ -861,6 +869,10 @@ spec: Role grants access to. items: properties: + api_group: + description: APIGroup specifies the Kubernetes API group + of the Kubernetes resource. It supports wildcards. + type: string kind: description: Kind specifies the Kubernetes Resource type. type: string @@ -948,6 +960,10 @@ spec: "kube_cluster" and enforce requesting any of its subresources.' items: properties: + api_group: + description: APIGroup specifies the Kubernetes Resource + API group. + type: string kind: description: kind specifies the Kubernetes Resource type. diff --git a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv8.yaml b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv8.yaml new file mode 100644 index 0000000..c4847df --- /dev/null +++ b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv8.yaml 
@@ -0,0 +1,1512 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: teleportrolesv8.resources.teleport.dev +spec: + group: resources.teleport.dev + names: + kind: TeleportRoleV8 + listKind: TeleportRoleV8List + plural: teleportrolesv8 + shortNames: + - rolev8 + - rolesv8 + singular: teleportrolev8 + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: RoleV8 is the Schema for the rolesv8 API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Role resource definition v8 from Teleport + properties: + allow: + description: Allow is the set of conditions evaluated to grant access. + properties: + account_assignments: + description: AccountAssignments holds the list of account assignments + affected by this condition. + items: + properties: + account: + type: string + permission_set: + type: string + type: object + type: array + app_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: AppLabels is a map of labels used as part of the + RBAC system. + type: object + app_labels_expression: + description: AppLabelsExpression is a predicate expression used + to allow/deny access to Apps. 
+ type: string + aws_role_arns: + description: AWSRoleARNs is a list of AWS role ARNs this role + is allowed to assume. + items: + type: string + nullable: true + type: array + azure_identities: + description: AzureIdentities is a list of Azure identities this + role is allowed to assume. + items: + type: string + nullable: true + type: array + cluster_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: ClusterLabels is a map of node labels (used to dynamically + grant access to clusters). + type: object + cluster_labels_expression: + description: ClusterLabelsExpression is a predicate expression + used to allow/deny access to remote Teleport clusters. + type: string + db_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: DatabaseLabels are used in RBAC system to allow/deny + access to databases. + type: object + db_labels_expression: + description: DatabaseLabelsExpression is a predicate expression + used to allow/deny access to Databases. + type: string + db_names: + description: DatabaseNames is a list of database names this role + is allowed to connect to. + items: + type: string + nullable: true + type: array + db_permissions: + description: DatabasePermissions specifies a set of permissions + that will be granted to the database user when using automatic + database user provisioning. + items: + properties: + match: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: Match is a list of object labels that must + be matched for the permission to be granted. + type: object + permissions: + description: Permission is the list of string representations + of the permission to be given, e.g. SELECT, INSERT, UPDATE, + ... + items: + type: string + nullable: true + type: array + type: object + type: array + db_roles: + description: DatabaseRoles is a list of databases roles for automatic + user creation. 
+ items: + type: string + nullable: true + type: array + db_service_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: DatabaseServiceLabels are used in RBAC system to + allow/deny access to Database Services. + type: object + db_service_labels_expression: + description: DatabaseServiceLabelsExpression is a predicate expression + used to allow/deny access to Database Services. + type: string + db_users: + description: DatabaseUsers is a list of databases users this role + is allowed to connect as. + items: + type: string + nullable: true + type: array + desktop_groups: + description: DesktopGroups is a list of groups for created desktop + users to be added to + items: + type: string + nullable: true + type: array + gcp_service_accounts: + description: GCPServiceAccounts is a list of GCP service accounts + this role is allowed to assume. + items: + type: string + nullable: true + type: array + github_permissions: + description: GitHubPermissions defines GitHub integration related + permissions. + items: + properties: + orgs: + items: + type: string + nullable: true + type: array + type: object + type: array + group_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: GroupLabels is a map of labels used as part of the + RBAC system. + type: object + group_labels_expression: + description: GroupLabelsExpression is a predicate expression used + to allow/deny access to user groups. + type: string + host_groups: + description: HostGroups is a list of groups for created users + to be added to + items: + type: string + nullable: true + type: array + host_sudoers: + description: HostSudoers is a list of entries to include in a + users sudoer file + items: + type: string + nullable: true + type: array + impersonate: + description: Impersonate specifies what users and roles this role + is allowed to impersonate by issuing certificates or other possible + means. 
+ nullable: true + properties: + roles: + description: Roles is a list of resources this role is allowed + to impersonate + items: + type: string + nullable: true + type: array + users: + description: Users is a list of resources this role is allowed + to impersonate, could be an empty list or a Wildcard pattern + items: + type: string + nullable: true + type: array + where: + description: Where specifies optional advanced matcher + type: string + type: object + join_sessions: + description: JoinSessions specifies policies to allow users to + join other sessions. + items: + properties: + kinds: + description: Kinds are the session kinds this policy applies + to. + items: + type: string + nullable: true + type: array + modes: + description: Modes is a list of permitted participant modes + for this policy. + items: + type: string + nullable: true + type: array + name: + description: Name is the name of the policy. + type: string + roles: + description: Roles is a list of roles that you can join + the session of. + items: + type: string + nullable: true + type: array + type: object + nullable: true + type: array + kubernetes_groups: + description: KubeGroups is a list of kubernetes groups + items: + type: string + nullable: true + type: array + kubernetes_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: KubernetesLabels is a map of kubernetes cluster labels + used for RBAC. + type: object + kubernetes_labels_expression: + description: KubernetesLabelsExpression is a predicate expression + used to allow/deny access to kubernetes clusters. + type: string + kubernetes_resources: + description: KubernetesResources is the Kubernetes Resources this + Role grants access to. + items: + properties: + api_group: + description: APIGroup specifies the Kubernetes API group + of the Kubernetes resource. It supports wildcards. + type: string + kind: + description: Kind specifies the Kubernetes Resource type. 
+ type: string + name: + description: Name is the resource name. It supports wildcards. + type: string + namespace: + description: Namespace is the resource namespace. It supports + wildcards. + type: string + verbs: + description: Verbs are the allowed Kubernetes verbs for + the following resource. + items: + type: string + nullable: true + type: array + type: object + type: array + kubernetes_users: + description: KubeUsers is an optional kubernetes users to impersonate + items: + type: string + nullable: true + type: array + logins: + description: Logins is a list of *nix system logins. + items: + type: string + nullable: true + type: array + node_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: NodeLabels is a map of node labels (used to dynamically + grant access to nodes). + type: object + node_labels_expression: + description: NodeLabelsExpression is a predicate expression used + to allow/deny access to SSH nodes. + type: string + request: + nullable: true + properties: + annotations: + additionalProperties: + items: + type: string + type: array + description: Annotations is a collection of annotations to + be programmatically appended to pending Access Requests + at the time of their creation. These annotations serve as + a mechanism to propagate extra information to plugins. Since + these annotations support variable interpolation syntax, + they also offer a mechanism for forwarding claims from an + external identity provider, to a plugin via `{{external.trait_name}}` + style substitutions. + type: object + claims_to_roles: + description: ClaimsToRoles specifies a mapping from claims + (traits) to teleport roles. + items: + properties: + claim: + description: Claim is a claim name. + type: string + roles: + description: Roles is a list of static teleport roles + to match. + items: + type: string + nullable: true + type: array + value: + description: Value is a claim value to match. 
+ type: string + type: object + type: array + kubernetes_resources: + description: 'kubernetes_resources can optionally enforce + a requester to request only certain kinds of kube resources. + Eg: Users can make request to either a resource kind "kube_cluster" + or any of its subresources like "namespaces". This field + can be defined such that it prevents a user from requesting + "kube_cluster" and enforce requesting any of its subresources.' + items: + properties: + api_group: + description: APIGroup specifies the Kubernetes Resource + API group. + type: string + kind: + description: kind specifies the Kubernetes Resource + type. + type: string + type: object + type: array + max_duration: + description: MaxDuration is the amount of time the access + will be granted for. If this is zero, the default duration + is used. + format: duration + type: string + reason: + description: Reason defines settings for the reason for the + access provided by the user. + nullable: true + properties: + mode: + description: Mode can be either "required" or "optional". + Empty string is treated as "optional". If a role has + the request reason mode set to "required", then reason + is required for all Access Requests requesting roles + or resources allowed by this role. It applies only to + users who have this role assigned. + type: string + type: object + roles: + description: Roles is the name of roles which will match the + request rule. + items: + type: string + nullable: true + type: array + search_as_roles: + description: SearchAsRoles is a list of extra roles which + should apply to a user while they are searching for resources + as part of a Resource Access Request, and defines the underlying + roles which will be requested as part of any Resource Access + Request. + items: + type: string + nullable: true + type: array + suggested_reviewers: + description: SuggestedReviewers is a list of reviewer suggestions. These + can be teleport usernames, but that is not a requirement. 
+ items: + type: string + nullable: true + type: array + thresholds: + description: Thresholds is a list of thresholds, one of which + must be met in order for reviews to trigger a state-transition. If + no thresholds are provided, a default threshold of 1 for + approval and denial is used. + items: + properties: + approve: + description: Approve is the number of matching approvals + needed for state-transition. + format: int32 + type: integer + deny: + description: Deny is the number of denials needed for + state-transition. + format: int32 + type: integer + filter: + description: Filter is an optional predicate used to + determine which reviews count toward this threshold. + type: string + name: + description: Name is the optional human-readable name + of the threshold. + type: string + type: object + type: array + type: object + require_session_join: + description: RequireSessionJoin specifies policies for required + users to start a session. + items: + properties: + count: + description: Count is the amount of people that need to + be matched for this policy to be fulfilled. + format: int32 + type: integer + filter: + description: Filter is a predicate that determines what + users count towards this policy. + type: string + kinds: + description: Kinds are the session kinds this policy applies + to. + items: + type: string + nullable: true + type: array + modes: + description: Modes is the list of modes that may be used + to fulfill this policy. + items: + type: string + nullable: true + type: array + name: + description: Name is the name of the policy. + type: string + on_leave: + description: OnLeave is the behaviour that's used when the + policy is no longer fulfilled for a live session. + type: string + type: object + nullable: true + type: array + review_requests: + description: ReviewRequests defines conditions for submitting + access reviews. 
+ nullable: true + properties: + claims_to_roles: + description: ClaimsToRoles specifies a mapping from claims + (traits) to teleport roles. + items: + properties: + claim: + description: Claim is a claim name. + type: string + roles: + description: Roles is a list of static teleport roles + to match. + items: + type: string + nullable: true + type: array + value: + description: Value is a claim value to match. + type: string + type: object + type: array + preview_as_roles: + description: PreviewAsRoles is a list of extra roles which + should apply to a reviewer while they are viewing a Resource + Access Request for the purposes of viewing details such + as the hostname and labels of requested resources. + items: + type: string + nullable: true + type: array + roles: + description: Roles is the name of roles which may be reviewed. + items: + type: string + nullable: true + type: array + where: + description: Where is an optional predicate which further + limits which requests are reviewable. + type: string + type: object + rules: + description: Rules is a list of rules and their access levels. + Rules are a high level construct used for access control. + items: + properties: + actions: + description: Actions specifies optional actions taken when + this rule matches + items: + type: string + nullable: true + type: array + resources: + description: Resources is a list of resources + items: + type: string + nullable: true + type: array + verbs: + description: Verbs is a list of verbs + items: + type: string + nullable: true + type: array + where: + description: Where specifies optional advanced matcher + type: string + type: object + type: array + spiffe: + description: SPIFFE is used to allow or deny access to a role + holder to generating a SPIFFE SVID. + items: + properties: + dns_sans: + description: 'DNSSANs specifies matchers for the SPIFFE + ID DNS SANs. 
Each requested DNS SAN is compared against + all matchers configured and if any match, the condition + is considered to be met. The matcher by default allows + ''*'' to be used to indicate zero or more of any character. + Prepend ''^'' and append ''$'' to instead switch to matching + using the Go regex syntax. Example: *.example.com would + match foo.example.com' + items: + type: string + nullable: true + type: array + ip_sans: + description: 'IPSANs specifies matchers for the SPIFFE ID + IP SANs. Each requested IP SAN is compared against all + matchers configured and if any match, the condition is + considered to be met. The matchers should be specified + using CIDR notation, it supports IPv4 and IPv6. Examples: + - 10.0.0.0/24 would match 10.0.0.0 to 10.255.255.255 - + 10.0.0.42/32 would match only 10.0.0.42' + items: + type: string + nullable: true + type: array + path: + description: 'Path specifies a matcher for the SPIFFE ID + path. It should not include the trust domain and should + start with a leading slash. The matcher by default allows + ''*'' to be used to indicate zero or more of any character. + Prepend ''^'' and append ''$'' to instead switch to matching + using the Go regex syntax. Example: - /svc/foo/*/bar + would match /svc/foo/baz/bar - ^\/svc\/foo\/.*\/bar$ would + match /svc/foo/baz/bar' + type: string + type: object + nullable: true + type: array + windows_desktop_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: WindowsDesktopLabels are used in the RBAC system + to allow/deny access to Windows desktops. + type: object + windows_desktop_labels_expression: + description: WindowsDesktopLabelsExpression is a predicate expression + used to allow/deny access to Windows desktops. + type: string + windows_desktop_logins: + description: WindowsDesktopLogins is a list of desktop login names + allowed/denied for Windows desktops. 
+ items: + type: string + nullable: true + type: array + workload_identity_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: WorkloadIdentityLabels controls whether or not specific + WorkloadIdentity resources can be invoked. Further authorization + controls exist on the WorkloadIdentity resource itself. + type: object + workload_identity_labels_expression: + description: WorkloadIdentityLabelsExpression is a predicate expression + used to allow/deny access to issuing a WorkloadIdentity. + type: string + type: object + deny: + description: Deny is the set of conditions evaluated to deny access. + Deny takes priority over allow. + properties: + account_assignments: + description: AccountAssignments holds the list of account assignments + affected by this condition. + items: + properties: + account: + type: string + permission_set: + type: string + type: object + type: array + app_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: AppLabels is a map of labels used as part of the + RBAC system. + type: object + app_labels_expression: + description: AppLabelsExpression is a predicate expression used + to allow/deny access to Apps. + type: string + aws_role_arns: + description: AWSRoleARNs is a list of AWS role ARNs this role + is allowed to assume. + items: + type: string + nullable: true + type: array + azure_identities: + description: AzureIdentities is a list of Azure identities this + role is allowed to assume. + items: + type: string + nullable: true + type: array + cluster_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: ClusterLabels is a map of node labels (used to dynamically + grant access to clusters). + type: object + cluster_labels_expression: + description: ClusterLabelsExpression is a predicate expression + used to allow/deny access to remote Teleport clusters. 
+ type: string + db_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: DatabaseLabels are used in RBAC system to allow/deny + access to databases. + type: object + db_labels_expression: + description: DatabaseLabelsExpression is a predicate expression + used to allow/deny access to Databases. + type: string + db_names: + description: DatabaseNames is a list of database names this role + is allowed to connect to. + items: + type: string + nullable: true + type: array + db_permissions: + description: DatabasePermissions specifies a set of permissions + that will be granted to the database user when using automatic + database user provisioning. + items: + properties: + match: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: Match is a list of object labels that must + be matched for the permission to be granted. + type: object + permissions: + description: Permission is the list of string representations + of the permission to be given, e.g. SELECT, INSERT, UPDATE, + ... + items: + type: string + nullable: true + type: array + type: object + type: array + db_roles: + description: DatabaseRoles is a list of databases roles for automatic + user creation. + items: + type: string + nullable: true + type: array + db_service_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: DatabaseServiceLabels are used in RBAC system to + allow/deny access to Database Services. + type: object + db_service_labels_expression: + description: DatabaseServiceLabelsExpression is a predicate expression + used to allow/deny access to Database Services. + type: string + db_users: + description: DatabaseUsers is a list of databases users this role + is allowed to connect as. 
+ items: + type: string + nullable: true + type: array + desktop_groups: + description: DesktopGroups is a list of groups for created desktop + users to be added to + items: + type: string + nullable: true + type: array + gcp_service_accounts: + description: GCPServiceAccounts is a list of GCP service accounts + this role is allowed to assume. + items: + type: string + nullable: true + type: array + github_permissions: + description: GitHubPermissions defines GitHub integration related + permissions. + items: + properties: + orgs: + items: + type: string + nullable: true + type: array + type: object + type: array + group_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: GroupLabels is a map of labels used as part of the + RBAC system. + type: object + group_labels_expression: + description: GroupLabelsExpression is a predicate expression used + to allow/deny access to user groups. + type: string + host_groups: + description: HostGroups is a list of groups for created users + to be added to + items: + type: string + nullable: true + type: array + host_sudoers: + description: HostSudoers is a list of entries to include in a + users sudoer file + items: + type: string + nullable: true + type: array + impersonate: + description: Impersonate specifies what users and roles this role + is allowed to impersonate by issuing certificates or other possible + means. + nullable: true + properties: + roles: + description: Roles is a list of resources this role is allowed + to impersonate + items: + type: string + nullable: true + type: array + users: + description: Users is a list of resources this role is allowed + to impersonate, could be an empty list or a Wildcard pattern + items: + type: string + nullable: true + type: array + where: + description: Where specifies optional advanced matcher + type: string + type: object + join_sessions: + description: JoinSessions specifies policies to allow users to + join other sessions. 
+ items: + properties: + kinds: + description: Kinds are the session kinds this policy applies + to. + items: + type: string + nullable: true + type: array + modes: + description: Modes is a list of permitted participant modes + for this policy. + items: + type: string + nullable: true + type: array + name: + description: Name is the name of the policy. + type: string + roles: + description: Roles is a list of roles that you can join + the session of. + items: + type: string + nullable: true + type: array + type: object + nullable: true + type: array + kubernetes_groups: + description: KubeGroups is a list of kubernetes groups + items: + type: string + nullable: true + type: array + kubernetes_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: KubernetesLabels is a map of kubernetes cluster labels + used for RBAC. + type: object + kubernetes_labels_expression: + description: KubernetesLabelsExpression is a predicate expression + used to allow/deny access to kubernetes clusters. + type: string + kubernetes_resources: + description: KubernetesResources is the Kubernetes Resources this + Role grants access to. + items: + properties: + api_group: + description: APIGroup specifies the Kubernetes API group + of the Kubernetes resource. It supports wildcards. + type: string + kind: + description: Kind specifies the Kubernetes Resource type. + type: string + name: + description: Name is the resource name. It supports wildcards. + type: string + namespace: + description: Namespace is the resource namespace. It supports + wildcards. + type: string + verbs: + description: Verbs are the allowed Kubernetes verbs for + the following resource. + items: + type: string + nullable: true + type: array + type: object + type: array + kubernetes_users: + description: KubeUsers is an optional kubernetes users to impersonate + items: + type: string + nullable: true + type: array + logins: + description: Logins is a list of *nix system logins. 
+ items: + type: string + nullable: true + type: array + node_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: NodeLabels is a map of node labels (used to dynamically + grant access to nodes). + type: object + node_labels_expression: + description: NodeLabelsExpression is a predicate expression used + to allow/deny access to SSH nodes. + type: string + request: + nullable: true + properties: + annotations: + additionalProperties: + items: + type: string + type: array + description: Annotations is a collection of annotations to + be programmatically appended to pending Access Requests + at the time of their creation. These annotations serve as + a mechanism to propagate extra information to plugins. Since + these annotations support variable interpolation syntax, + they also offer a mechanism for forwarding claims from an + external identity provider, to a plugin via `{{external.trait_name}}` + style substitutions. + type: object + claims_to_roles: + description: ClaimsToRoles specifies a mapping from claims + (traits) to teleport roles. + items: + properties: + claim: + description: Claim is a claim name. + type: string + roles: + description: Roles is a list of static teleport roles + to match. + items: + type: string + nullable: true + type: array + value: + description: Value is a claim value to match. + type: string + type: object + type: array + kubernetes_resources: + description: 'kubernetes_resources can optionally enforce + a requester to request only certain kinds of kube resources. + Eg: Users can make request to either a resource kind "kube_cluster" + or any of its subresources like "namespaces". This field + can be defined such that it prevents a user from requesting + "kube_cluster" and enforce requesting any of its subresources.' + items: + properties: + api_group: + description: APIGroup specifies the Kubernetes Resource + API group. 
+ type: string + kind: + description: kind specifies the Kubernetes Resource + type. + type: string + type: object + type: array + max_duration: + description: MaxDuration is the amount of time the access + will be granted for. If this is zero, the default duration + is used. + format: duration + type: string + reason: + description: Reason defines settings for the reason for the + access provided by the user. + nullable: true + properties: + mode: + description: Mode can be either "required" or "optional". + Empty string is treated as "optional". If a role has + the request reason mode set to "required", then reason + is required for all Access Requests requesting roles + or resources allowed by this role. It applies only to + users who have this role assigned. + type: string + type: object + roles: + description: Roles is the name of roles which will match the + request rule. + items: + type: string + nullable: true + type: array + search_as_roles: + description: SearchAsRoles is a list of extra roles which + should apply to a user while they are searching for resources + as part of a Resource Access Request, and defines the underlying + roles which will be requested as part of any Resource Access + Request. + items: + type: string + nullable: true + type: array + suggested_reviewers: + description: SuggestedReviewers is a list of reviewer suggestions. These + can be teleport usernames, but that is not a requirement. + items: + type: string + nullable: true + type: array + thresholds: + description: Thresholds is a list of thresholds, one of which + must be met in order for reviews to trigger a state-transition. If + no thresholds are provided, a default threshold of 1 for + approval and denial is used. + items: + properties: + approve: + description: Approve is the number of matching approvals + needed for state-transition. + format: int32 + type: integer + deny: + description: Deny is the number of denials needed for + state-transition. 
+ format: int32 + type: integer + filter: + description: Filter is an optional predicate used to + determine which reviews count toward this threshold. + type: string + name: + description: Name is the optional human-readable name + of the threshold. + type: string + type: object + type: array + type: object + require_session_join: + description: RequireSessionJoin specifies policies for required + users to start a session. + items: + properties: + count: + description: Count is the amount of people that need to + be matched for this policy to be fulfilled. + format: int32 + type: integer + filter: + description: Filter is a predicate that determines what + users count towards this policy. + type: string + kinds: + description: Kinds are the session kinds this policy applies + to. + items: + type: string + nullable: true + type: array + modes: + description: Modes is the list of modes that may be used + to fulfill this policy. + items: + type: string + nullable: true + type: array + name: + description: Name is the name of the policy. + type: string + on_leave: + description: OnLeave is the behaviour that's used when the + policy is no longer fulfilled for a live session. + type: string + type: object + nullable: true + type: array + review_requests: + description: ReviewRequests defines conditions for submitting + access reviews. + nullable: true + properties: + claims_to_roles: + description: ClaimsToRoles specifies a mapping from claims + (traits) to teleport roles. + items: + properties: + claim: + description: Claim is a claim name. + type: string + roles: + description: Roles is a list of static teleport roles + to match. + items: + type: string + nullable: true + type: array + value: + description: Value is a claim value to match. 
+ type: string + type: object + type: array + preview_as_roles: + description: PreviewAsRoles is a list of extra roles which + should apply to a reviewer while they are viewing a Resource + Access Request for the purposes of viewing details such + as the hostname and labels of requested resources. + items: + type: string + nullable: true + type: array + roles: + description: Roles is the name of roles which may be reviewed. + items: + type: string + nullable: true + type: array + where: + description: Where is an optional predicate which further + limits which requests are reviewable. + type: string + type: object + rules: + description: Rules is a list of rules and their access levels. + Rules are a high level construct used for access control. + items: + properties: + actions: + description: Actions specifies optional actions taken when + this rule matches + items: + type: string + nullable: true + type: array + resources: + description: Resources is a list of resources + items: + type: string + nullable: true + type: array + verbs: + description: Verbs is a list of verbs + items: + type: string + nullable: true + type: array + where: + description: Where specifies optional advanced matcher + type: string + type: object + type: array + spiffe: + description: SPIFFE is used to allow or deny access to a role + holder to generating a SPIFFE SVID. + items: + properties: + dns_sans: + description: 'DNSSANs specifies matchers for the SPIFFE + ID DNS SANs. Each requested DNS SAN is compared against + all matchers configured and if any match, the condition + is considered to be met. The matcher by default allows + ''*'' to be used to indicate zero or more of any character. + Prepend ''^'' and append ''$'' to instead switch to matching + using the Go regex syntax. Example: *.example.com would + match foo.example.com' + items: + type: string + nullable: true + type: array + ip_sans: + description: 'IPSANs specifies matchers for the SPIFFE ID + IP SANs. 
Each requested IP SAN is compared against all + matchers configured and if any match, the condition is + considered to be met. The matchers should be specified + using CIDR notation, it supports IPv4 and IPv6. Examples: + - 10.0.0.0/24 would match 10.0.0.0 to 10.255.255.255 - + 10.0.0.42/32 would match only 10.0.0.42' + items: + type: string + nullable: true + type: array + path: + description: 'Path specifies a matcher for the SPIFFE ID + path. It should not include the trust domain and should + start with a leading slash. The matcher by default allows + ''*'' to be used to indicate zero or more of any character. + Prepend ''^'' and append ''$'' to instead switch to matching + using the Go regex syntax. Example: - /svc/foo/*/bar + would match /svc/foo/baz/bar - ^\/svc\/foo\/.*\/bar$ would + match /svc/foo/baz/bar' + type: string + type: object + nullable: true + type: array + windows_desktop_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: WindowsDesktopLabels are used in the RBAC system + to allow/deny access to Windows desktops. + type: object + windows_desktop_labels_expression: + description: WindowsDesktopLabelsExpression is a predicate expression + used to allow/deny access to Windows desktops. + type: string + windows_desktop_logins: + description: WindowsDesktopLogins is a list of desktop login names + allowed/denied for Windows desktops. + items: + type: string + nullable: true + type: array + workload_identity_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: WorkloadIdentityLabels controls whether or not specific + WorkloadIdentity resources can be invoked. Further authorization + controls exist on the WorkloadIdentity resource itself. + type: object + workload_identity_labels_expression: + description: WorkloadIdentityLabelsExpression is a predicate expression + used to allow/deny access to issuing a WorkloadIdentity. 
+ type: string + type: object + options: + description: Options is for OpenSSH options like agent forwarding. + properties: + cert_extensions: + description: CertExtensions specifies the key/values + items: + properties: + mode: + description: Mode is the type of extension to be used -- + currently critical-option is not supported. 0 is "extension". + x-kubernetes-int-or-string: true + name: + description: Name specifies the key to be used in the cert + extension. + type: string + type: + description: Type represents the certificate type being + extended, only ssh is supported at this time. 0 is "ssh". + x-kubernetes-int-or-string: true + value: + description: Value specifies the value to be used in the + cert extension. + type: string + type: object + nullable: true + type: array + cert_format: + description: CertificateFormat defines the format of the user + certificate to allow compatibility with older versions of OpenSSH. + type: string + client_idle_timeout: + description: ClientIdleTimeout sets disconnect clients on idle + timeout behavior, if set to 0 means do not disconnect, otherwise + is set to the idle duration. + format: duration + type: string + create_db_user: + description: CreateDatabaseUser enabled automatic database user + creation. + type: boolean + create_db_user_mode: + description: CreateDatabaseUserMode allows users to be automatically + created on a database when not set to off. 0 is "unspecified", + 1 is "off", 2 is "keep", 3 is "best_effort_drop". + x-kubernetes-int-or-string: true + create_desktop_user: + description: CreateDesktopUser allows users to be automatically + created on a Windows desktop + type: boolean + create_host_user: + description: 'Deprecated: use CreateHostUserMode instead.' + type: boolean + create_host_user_default_shell: + description: CreateHostUserDefaultShell is used to configure the + default shell for newly provisioned host users. 
+ type: string + create_host_user_mode: + description: CreateHostUserMode allows users to be automatically + created on a host when not set to off. 0 is "unspecified"; 1 + is "off"; 2 is "drop" (removed for v15 and above), 3 is "keep"; + 4 is "insecure-drop". + x-kubernetes-int-or-string: true + desktop_clipboard: + description: DesktopClipboard indicates whether clipboard sharing + is allowed between the user's workstation and the remote desktop. + It defaults to true unless explicitly set to false. + type: boolean + desktop_directory_sharing: + description: DesktopDirectorySharing indicates whether directory + sharing is allowed between the user's workstation and the remote + desktop. It defaults to false unless explicitly set to true. + type: boolean + device_trust_mode: + description: DeviceTrustMode is the device authorization mode + used for the resources associated with the role. See DeviceTrust.Mode. + type: string + disconnect_expired_cert: + description: DisconnectExpiredCert sets disconnect clients on + expired certificates. + type: boolean + enhanced_recording: + description: BPF defines what events to record for the BPF-based + session recorder. + items: + type: string + nullable: true + type: array + forward_agent: + description: ForwardAgent is SSH agent forwarding. + type: boolean + idp: + description: IDP is a set of options related to accessing IdPs + within Teleport. Requires Teleport Enterprise. + nullable: true + properties: + saml: + description: SAML are options related to the Teleport SAML + IdP. + nullable: true + properties: + enabled: + description: Enabled is set to true if this option allows + access to the Teleport SAML IdP. + type: boolean + type: object + type: object + lock: + description: Lock specifies the locking mode (strict|best_effort) + to be applied with the role. + type: string + max_connections: + description: MaxConnections defines the maximum number of concurrent + connections a user may hold. 
+ format: int64 + type: integer + max_kubernetes_connections: + description: MaxKubernetesConnections defines the maximum number + of concurrent Kubernetes sessions a user may hold. + format: int64 + type: integer + max_session_ttl: + description: MaxSessionTTL defines how long a SSH session can + last for. + format: duration + type: string + max_sessions: + description: MaxSessions defines the maximum number of concurrent + sessions per connection. + format: int64 + type: integer + mfa_verification_interval: + description: MFAVerificationInterval optionally defines the maximum + duration that can elapse between successive MFA verifications. + This variable is used to ensure that users are periodically + prompted to verify their identity, enhancing security by preventing + prolonged sessions without re-authentication when using tsh + proxy * derivatives. It's only effective if the session requires + MFA. If not set, defaults to `max_session_ttl`. + format: duration + type: string + permit_x11_forwarding: + description: PermitX11Forwarding authorizes use of X11 forwarding. + type: boolean + pin_source_ip: + description: PinSourceIP forces the same client IP for certificate + generation and usage + type: boolean + port_forwarding: + description: 'Deprecated: Use SSHPortForwarding instead' + type: boolean + record_session: + description: RecordDesktopSession indicates whether desktop access + sessions should be recorded. It defaults to true unless explicitly + set to false. + nullable: true + properties: + default: + description: Default indicates the default value for the services. + type: string + desktop: + description: Desktop indicates whether desktop sessions should + be recorded. It defaults to true unless explicitly set to + false. + type: boolean + ssh: + description: SSH indicates the session mode used on SSH sessions. 
+ type: string + type: object + request_access: + description: RequestAccess defines the request strategy (optional|reason|always) + where optional is the default. + type: string + request_prompt: + description: RequestPrompt is an optional message which tells + users what they aught to request. + type: string + require_session_mfa: + description: RequireMFAType is the type of MFA requirement enforced + for this user. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", + 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN". + x-kubernetes-int-or-string: true + ssh_file_copy: + description: SSHFileCopy indicates whether remote file operations + via SCP or SFTP are allowed over an SSH session. It defaults + to true unless explicitly set to false. + type: boolean + ssh_port_forwarding: + description: SSHPortForwarding configures what types of SSH port + forwarding are allowed by a role. + nullable: true + properties: + local: + description: Allow local port forwarding. + nullable: true + properties: + enabled: + type: boolean + type: object + remote: + description: Allow remote port forwarding. + nullable: true + properties: + enabled: + type: boolean + type: object + type: object + type: object + type: object + status: + description: Status defines the observed state of the Teleport resource + properties: + conditions: + description: Conditions represent the latest available observations + of an object's state + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
+ format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + teleportResourceID: + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null 
diff --git a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_samlconnectors.yaml b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_samlconnectors.yaml index c681433..caf7efa 100644 --- a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_samlconnectors.yaml +++ b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_samlconnectors.yaml @@ -161,6 +161,17 @@ spec: Usually set from EntityDescriptor. type: string type: object + preferred_request_binding: + description: PreferredRequestBinding is a preferred SAML request binding + method. Value must be either "http-post" or "http-redirect". In + general, the SAML identity provider lists request binding methods + it supports. And the SAML service provider uses one of the IdP supported + request binding method that it prefers. But we never honored request + binding value provided by the IdP and always used http-redirect + binding as a default. Setting up PreferredRequestBinding value lets + us preserve existing auth connector behavior and only use http-post + binding if it is explicitly configured. + type: string provider: description: Provider is the external identity provider. type: string diff --git a/teleport-cluster/charts/teleport-operator/templates/role.yaml b/teleport-cluster/charts/teleport-operator/templates/role.yaml index e6f073c..aab0c27 100644 --- a/teleport-cluster/charts/teleport-operator/templates/role.yaml +++ b/teleport-cluster/charts/teleport-operator/templates/role.yaml @@ -42,6 +42,10 @@ rules: - teleportbotsv1/status - teleportworkloadidentitiesv1 - teleportworkloadidentitiesv1/status + - teleportautoupdateconfigsv1 + - teleportautoupdateconfigsv1/status + - teleportautoupdateversionsv1 + - teleportautoupdateversionsv1/status verbs: - get - list diff --git a/teleport-cluster/templates/auth/config.yaml b/teleport-cluster/templates/auth/config.yaml index 303052e..355bf05 100644 
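Review bot: The permission widening in this role.yaml hunk is not mentioned anywhere in a commit titled "Reduce harbor resources": the operator's Kubernetes rule now covers `teleportautoupdateconfigsv1` and `teleportautoupdateversionsv1` (plus their `/status` subresources), and the companion hunk in `teleport-cluster/templates/auth/config.yaml` grants the same operator role `list/create/read/update/delete` on `autoupdate_version` and `autoupdate_config` on the Teleport side. Taken together, anyone who can create those CRs in the operator's namespace can presumably steer the version the cluster advertises to auto-updating agents, so write access on these kinds in that namespace becomes equivalent to controlling agent rollouts. Since the snapshot hunks show this is a vendored chart bump from 17.4.9 to 18.0.1, the commit description should carry a line such as `Also bumps teleport-cluster to 18.0.1; the operator role gains CRUD on autoupdate_config/autoupdate_version` so the change is findable later. The `verbs:` list for this rule continues past the hunk, so the full verb set granted here is not visible in this view.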
--- a/teleport-cluster/templates/auth/config.yaml +++ b/teleport-cluster/templates/auth/config.yaml @@ -155,6 +155,22 @@ data: - read - update - delete + - resources: + - autoupdate_version + verbs: + - list + - create + - read + - update + - delete + - resources: + - autoupdate_config + verbs: + - list + - create + - read + - update + - delete deny: {} version: v7 --- diff --git a/teleport-cluster/tests/__snapshot__/auth_clusterrole_test.yaml.snap b/teleport-cluster/tests/__snapshot__/auth_clusterrole_test.yaml.snap index 2e1442a..08787b0 100644 --- a/teleport-cluster/tests/__snapshot__/auth_clusterrole_test.yaml.snap +++ b/teleport-cluster/tests/__snapshot__/auth_clusterrole_test.yaml.snap @@ -8,9 +8,9 @@ adds operator permissions to ClusterRole: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: teleport-cluster - app.kubernetes.io/version: 17.4.9 - helm.sh/chart: teleport-cluster-17.4.9 - teleport.dev/majorVersion: "17" + app.kubernetes.io/version: 18.0.1 + helm.sh/chart: teleport-cluster-18.0.1 + teleport.dev/majorVersion: "18" name: RELEASE-NAME rules: - apiGroups: diff --git a/teleport-cluster/tests/__snapshot__/auth_config_test.yaml.snap b/teleport-cluster/tests/__snapshot__/auth_config_test.yaml.snap index f95406d..bf806fd 100644 --- a/teleport-cluster/tests/__snapshot__/auth_config_test.yaml.snap +++ b/teleport-cluster/tests/__snapshot__/auth_config_test.yaml.snap @@ -2040,9 +2040,9 @@ sets clusterDomain on Configmap: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: teleport-cluster - app.kubernetes.io/version: 17.4.9 - helm.sh/chart: teleport-cluster-17.4.9 - teleport.dev/majorVersion: "17" + app.kubernetes.io/version: 18.0.1 + helm.sh/chart: teleport-cluster-18.0.1 + teleport.dev/majorVersion: "18" name: RELEASE-NAME-auth namespace: NAMESPACE uses athena as primary backend when configured: 
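Review bot: The two rules added to the auth ConfigMap carry an identical verb list and could be one rule, `- resources: [autoupdate_version, autoupdate_config]` followed by `verbs: [list, create, read, update, delete]`, which keeps the autoupdate grant reviewable as a single unit. The surrounding rules in this template do use one resource per rule, so keeping the upstream layout is defensible if the chart is vendored verbatim; if it is edited locally, the merged form is easier to audit. The enclosing `data:` block and the role's name start outside the hunk, so which role receives this grant cannot be confirmed from here.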
diff --git a/teleport-cluster/tests/__snapshot__/auth_deployment_test.yaml.snap b/teleport-cluster/tests/__snapshot__/auth_deployment_test.yaml.snap index b794f09..35c5d69 100644 --- a/teleport-cluster/tests/__snapshot__/auth_deployment_test.yaml.snap +++ b/teleport-cluster/tests/__snapshot__/auth_deployment_test.yaml.snap @@ -8,7 +8,7 @@ - args: - --diag-addr=0.0.0.0:3000 - --apply-on-startup=/etc/teleport/apply-on-startup.yaml - image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 + image: public.ecr.aws/gravitational/teleport-distroless:18.0.1 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -159,7 +159,7 @@ should set nodeSelector when set in values: - args: - --diag-addr=0.0.0.0:3000 - --apply-on-startup=/etc/teleport/apply-on-startup.yaml - image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 + image: public.ecr.aws/gravitational/teleport-distroless:18.0.1 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -274,7 +274,7 @@ should set resources when set in values: - args: - --diag-addr=0.0.0.0:3000 - --apply-on-startup=/etc/teleport/apply-on-startup.yaml - image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 + image: public.ecr.aws/gravitational/teleport-distroless:18.0.1 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -378,7 +378,7 @@ should set securityContext when set in values: - args: - --diag-addr=0.0.0.0:3000 - --apply-on-startup=/etc/teleport/apply-on-startup.yaml - image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 + image: public.ecr.aws/gravitational/teleport-distroless:18.0.1 imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/teleport-cluster/tests/__snapshot__/proxy_config_test.yaml.snap b/teleport-cluster/tests/__snapshot__/proxy_config_test.yaml.snap index ea0f9a9..0945301 100644 --- a/teleport-cluster/tests/__snapshot__/proxy_config_test.yaml.snap +++ b/teleport-cluster/tests/__snapshot__/proxy_config_test.yaml.snap 
@@ -567,8 +567,8 @@ sets clusterDomain on Configmap: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: teleport-cluster - app.kubernetes.io/version: 17.4.9 - helm.sh/chart: teleport-cluster-17.4.9 - teleport.dev/majorVersion: "17" + app.kubernetes.io/version: 18.0.1 + helm.sh/chart: teleport-cluster-18.0.1 + teleport.dev/majorVersion: "18" name: RELEASE-NAME-proxy namespace: NAMESPACE diff --git a/teleport-cluster/tests/__snapshot__/proxy_deployment_test.yaml.snap b/teleport-cluster/tests/__snapshot__/proxy_deployment_test.yaml.snap index 26c8cfa..ce9560d 100644 --- a/teleport-cluster/tests/__snapshot__/proxy_deployment_test.yaml.snap +++ b/teleport-cluster/tests/__snapshot__/proxy_deployment_test.yaml.snap @@ -11,9 +11,9 @@ sets clusterDomain on Deployment Pods: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: teleport-cluster - app.kubernetes.io/version: 17.4.9 - helm.sh/chart: teleport-cluster-17.4.9 - teleport.dev/majorVersion: "17" + app.kubernetes.io/version: 18.0.1 + helm.sh/chart: teleport-cluster-18.0.1 + teleport.dev/majorVersion: "18" name: RELEASE-NAME-proxy namespace: NAMESPACE spec: @@ -26,7 +26,7 @@ sets clusterDomain on Deployment Pods: template: metadata: annotations: - checksum/config: da6155f69a526a5b92d4fa09d4b6658536bfab0d3e5435e2e898b77c1a30dbff + checksum/config: a75090749e3017fcd929cd83817d8c68f2cd21d8f10a95d459102b9fef31e58e kubernetes.io/pod: test-annotation kubernetes.io/pod-different: 4 labels: @@ -34,9 +34,9 @@ sets clusterDomain on Deployment Pods: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: teleport-cluster - app.kubernetes.io/version: 17.4.9 - helm.sh/chart: teleport-cluster-17.4.9 - teleport.dev/majorVersion: "17" + app.kubernetes.io/version: 18.0.1 + helm.sh/chart: teleport-cluster-18.0.1 + teleport.dev/majorVersion: "18" spec: affinity: podAntiAffinity: null 
@@ -44,7 +44,7 @@ sets clusterDomain on Deployment Pods: containers: - args: - --diag-addr=0.0.0.0:3000 - image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 + image: public.ecr.aws/gravitational/teleport-distroless:18.0.1 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -105,8 +105,8 @@ sets clusterDomain on Deployment Pods: - teleport - wait - no-resolve - - RELEASE-NAME-auth-v16.NAMESPACE.svc.test.com - image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 + - RELEASE-NAME-auth-v17.NAMESPACE.svc.test.com + image: public.ecr.aws/gravitational/teleport-distroless:18.0.1 name: wait-auth-update serviceAccountName: RELEASE-NAME-proxy terminationGracePeriodSeconds: 60 @@ -154,8 +154,8 @@ should provision initContainer correctly when set in values: - teleport - wait - no-resolve - - RELEASE-NAME-auth-v16.NAMESPACE.svc.cluster.local - image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 + - RELEASE-NAME-auth-v17.NAMESPACE.svc.cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:18.0.1 name: wait-auth-update resources: limits: @@ -219,7 +219,7 @@ should set nodeSelector when set in values: containers: - args: - --diag-addr=0.0.0.0:3000 - image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 + image: public.ecr.aws/gravitational/teleport-distroless:18.0.1 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -280,8 +280,8 @@ should set nodeSelector when set in values: - teleport - wait - no-resolve - - RELEASE-NAME-auth-v16.NAMESPACE.svc.cluster.local - image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 + - RELEASE-NAME-auth-v17.NAMESPACE.svc.cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:18.0.1 name: wait-auth-update nodeSelector: environment: security 
@@ -349,7 +349,7 @@ should set resources for wait-auth-update initContainer when set in values: containers: - args: - --diag-addr=0.0.0.0:3000 - image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 + image: public.ecr.aws/gravitational/teleport-distroless:18.0.1 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -417,8 +417,8 @@ should set resources for wait-auth-update initContainer when set in values: - teleport - wait - no-resolve - - RELEASE-NAME-auth-v16.NAMESPACE.svc.cluster.local - image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 + - RELEASE-NAME-auth-v17.NAMESPACE.svc.cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:18.0.1 name: wait-auth-update resources: limits: @@ -475,7 +475,7 @@ should set resources when set in values: containers: - args: - --diag-addr=0.0.0.0:3000 - image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 + image: public.ecr.aws/gravitational/teleport-distroless:18.0.1 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -543,8 +543,8 @@ should set resources when set in values: - teleport - wait - no-resolve - - RELEASE-NAME-auth-v16.NAMESPACE.svc.cluster.local - image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 + - RELEASE-NAME-auth-v17.NAMESPACE.svc.cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:18.0.1 name: wait-auth-update resources: limits: @@ -601,7 +601,7 @@ should set securityContext for initContainers when set in values: containers: - args: - --diag-addr=0.0.0.0:3000 - image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 + image: public.ecr.aws/gravitational/teleport-distroless:18.0.1 imagePullPolicy: IfNotPresent lifecycle: preStop: 
@@ -669,8 +669,8 @@ should set securityContext for initContainers when set in values: - teleport - wait - no-resolve - - RELEASE-NAME-auth-v16.NAMESPACE.svc.cluster.local - image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 + - RELEASE-NAME-auth-v17.NAMESPACE.svc.cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:18.0.1 name: wait-auth-update securityContext: allowPrivilegeEscalation: false @@ -727,7 +727,7 @@ should set securityContext when set in values: containers: - args: - --diag-addr=0.0.0.0:3000 - image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 + image: public.ecr.aws/gravitational/teleport-distroless:18.0.1 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -795,8 +795,8 @@ should set securityContext when set in values: - teleport - wait - no-resolve - - RELEASE-NAME-auth-v16.NAMESPACE.svc.cluster.local - image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 + - RELEASE-NAME-auth-v17.NAMESPACE.svc.cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:18.0.1 name: wait-auth-update securityContext: allowPrivilegeEscalation: false