jonny/charts
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Reduce harbor resources

Browse Source
This commit is contained in:
Jonny Ervine 2026-04-16 20:47:38 +08:00
parent 57f71cab43
commit ddc8ac5ced
215 changed files with 26771 additions and 463 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
embyserver/.helmignore
View File

@ -1,22 +0,0 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

BIN
embyserver/emby.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 33 KiB

21
embyserver/templates/NOTES.txt
View File

@ -1,21 +0,0 @@
1. Get the application URL by running these commands:
{{- if .Values.ingress.enabled }}
{{- range $host := .Values.ingress.hosts }}
{{- range .paths }}
http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ . }}
{{- end }}
{{- end }}
{{- else if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "emby.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "emby.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "emby.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
echo http://$SERVICE_IP:{{ .Values.service.port }}
{{- else if contains "ClusterIP" .Values.service.type }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "emby.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
echo "Visit http://127.0.0.1:8080 to use your application"
kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:80
{{- end }}

63
embyserver/templates/_helpers.tpl
View File

@ -1,63 +0,0 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "emby.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "emby.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "emby.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Common labels
*/}}
{{- define "emby.labels" -}}
helm.sh/chart: {{ include "emby.chart" . }}
{{ include "emby.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{/*
Selector labels
*/}}
{{- define "emby.selectorLabels" -}}
app.kubernetes.io/name: {{ include "emby.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "emby.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "emby.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}

10
embyserver/templates/configmap.yaml
View File

@ -1,10 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "emby.fullname" . }}-settings
labels:
{{- include "emby.labels" . | nindent 4 }}
data:
{{- range $k, $v := .Values.configmap }}
{{ $k }}: {{ $v | quote }}
{{- end }}

81
embyserver/templates/ingress.yaml
View File

@ -1,81 +0,0 @@
{{- if .Values.ingress.external.enabled -}}
{{- $fullName := include "emby.fullname" . -}}
{{- $svcPort := .Values.service.port -}}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ $fullName }}-ext
labels:
{{- include "emby.labels" . | nindent 4 }}
{{- with .Values.ingress.external.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if .Values.ingress.external.tls }}
tls:
{{- range .Values.ingress.external.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.external.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: /
pathType: Prefix
backend:
service:
name: {{ $fullName }}
port:
number: {{ $svcPort }}
{{- end }}
{{- end }}
{{- end }}
---
{{- if .Values.ingress.internal.enabled -}}
{{- $fullName := include "emby.fullname" . -}}
{{- $svcPort := .Values.service.port -}}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ $fullName }}-int
labels:
{{- include "emby.labels" . | nindent 4 }}
{{- with .Values.ingress.external.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if .Values.ingress.internal.tls }}
tls:
{{- range .Values.ingress.internal.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.internal.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: /
pathType: Prefix
backend:
service:
name: {{ $fullName }}
port:
number: {{ $svcPort }}
{{- end }}
{{- end }}
{{- end }}

15
embyserver/templates/service.yaml
View File

@ -1,15 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "emby.fullname" . }}
labels:
{{- include "emby.labels" . | nindent 4 }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.port }}
targetPort: 8096
protocol: TCP
name: emby
selector:
{{- include "emby.selectorLabels" . | nindent 4 }}

8
embyserver/templates/serviceaccount.yaml
View File

@ -1,8 +0,0 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "emby.serviceAccountName" . }}
labels:
{{ include "emby.labels" . | nindent 4 }}
{{- end -}}

93
embyserver/templates/statefulset.yaml
View File

@ -1,93 +0,0 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ include "emby.fullname" . }}
labels:
{{- include "emby.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.replicaCount }}
serviceName: {{ include "emby.fullname" . }}
selector:
matchLabels:
{{- include "emby.selectorLabels" . | nindent 6 }}
template:
metadata:
labels:
{{- include "emby.selectorLabels" . | nindent 8 }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "emby.serviceAccountName" . }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
containers:
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
env:
- name: NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: UID
valueFrom:
configMapKeyRef:
name: emby-settings
key: uid
- name: GID
valueFrom:
configMapKeyRef:
name: emby-settings
key: gid
ports:
- name: http
containerPort: 8096
protocol: TCP
livenessProbe:
tcpSocket:
port: 8096
readinessProbe:
tcpSocket:
port: 8096
resources:
{{- toYaml .Values.resources | nindent 12 }}
volumeMounts:
- mountPath: /data/media
name: emby-media-pv
- mountPath: /config
name: emby-config
restartPolicy: Always
volumes:
- name: emby-media-pv
persistentVolumeClaim:
claimName: {{ .Values.config.mediaPvc }}
- name: emby-config
persistentVolumeClaim:
claimName: {{ .Values.config.configPvc }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}

15
embyserver/templates/tests/test-connection.yaml
View File

@ -1,15 +0,0 @@
apiVersion: v1
kind: Pod
metadata:
name: "{{ include "emby.fullname" . }}-test-connection"
labels:
{{ include "emby.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": test-success
spec:
containers:
- name: wget
image: busybox
command: ['wget']
args: ['{{ include "emby.fullname" . }}:{{ .Values.service.port }}']
restartPolicy: Never

85
embyserver/values.yaml
View File

@ -1,85 +0,0 @@
# Default values for jellyfin.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
replicaCount: 1
image:
repository: harbor.ervine.dev/public/x86_64/embyserver
pullPolicy: IfNotPresent
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
serviceAccount:
# Specifies whether a service account should be created
create: true
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name:
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
service:
type: ClusterIP
port: 8096
ingress:
external:
enabled: true
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/backend-protocol: HTTP
hosts:
- host: emby.ervine.cloud
paths:
- path: /
tls:
- secretName: emby-ervine-cloud-tls
hosts:
- emby.ervine.cloud
internal:
enabled: false
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
hosts:
- host: chart-example.local
paths: []
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
resources:
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
requests:
cpu: 60m
memory: 800Mi
nodeSelector:
location: bedRoom
tolerations: []
affinity: {}
config:
configPvc: emby-config
mediaPvc: emby-icarus-media

5
goldilocks/charts/vpa/values.yaml
View File

@ -200,7 +200,10 @@ admissionController:
# admissionController.certGen.env -- Additional environment variables to be added to the certgen container. Format is KEY: Value format
env: {}
# admissionController.certGen.resources -- The resources block for the certgen pod
resources: {}
resources:
requests:
memory: 50Mi
cpu: 10m
# admissionController.certGen.securityContext -- The securityContext block for the certgen pod
securityContext: {}
nodeSelector: {}

4
harbor/values.home.yaml
View File

@ -420,8 +420,8 @@ portal:
revisionHistoryLimit: 10
resources:
requests:
memory: 256Mi
cpu: 100m
memory: 32Mi
cpu: 50m
extraEnvVars: []
nodeSelector:
location: bedRoom

3
teleport-cluster-17.4.9/.lint/acme-off.yaml Normal file
View File

@ -0,0 +1,3 @@
clusterName: test-cluster-name
extraArgs:
- "--insecure"

3
teleport-cluster-17.4.9/.lint/acme-on.yaml Normal file
View File

@ -0,0 +1,3 @@
clusterName: test-acme-cluster
acme: true
acmeEmail: test@email.com

4
teleport-cluster-17.4.9/.lint/acme-uri-staging.yaml Normal file
View File

@ -0,0 +1,4 @@
clusterName: test-acme-cluster
acme: true
acmeEmail: test@email.com
acmeURI: https://acme-staging-v02.api.letsencrypt.org/directory

29
teleport-cluster-17.4.9/.lint/affinity.yaml Normal file
View File

@ -0,0 +1,29 @@
clusterName: test-gcp-cluster
chartMode: gcp
gcp:
projectId: gcpproj-123456
backendTable: test-teleport-firestore-storage-collection
auditLogTable: test-teleport-firestore-auditlog-collection
sessionRecordingBucket: test-gcp-session-storage-bucket
highAvailability:
replicaCount: 2
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: gravitational.io/dedicated
operator: In
values:
- teleport
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: app
operator: In
values:
- teleport
topologyKey: kubernetes.io/hostname
weight: 1

17
teleport-cluster-17.4.9/.lint/annotations.yaml Normal file
View File

@ -0,0 +1,17 @@
clusterName: helm-lint
annotations:
config:
kubernetes.io/config: "test-annotation"
kubernetes.io/config-different: 2
deployment:
kubernetes.io/deployment: "test-annotation"
kubernetes.io/deployment-different: 3
pod:
kubernetes.io/pod: "test-annotation"
kubernetes.io/pod-different: 4
service:
kubernetes.io/service: "test-annotation"
kubernetes.io/service-different: 5
serviceAccount:
kubernetes.io/serviceaccount: "test-annotation"
kubernetes.io/serviceaccount-different: 6

3
teleport-cluster-17.4.9/.lint/auth-connector-name.yaml Normal file
View File

@ -0,0 +1,3 @@
clusterName: helm-lint
authentication:
connectorName: "okta"

5
teleport-cluster-17.4.9/.lint/auth-disable-local.yaml Normal file
View File

@ -0,0 +1,5 @@
clusterName: helm-lint
authentication:
type: "github"
localAuth: false
secondFactor: "off"

5
teleport-cluster-17.4.9/.lint/auth-disable-passwordless.yaml Normal file
View File

@ -0,0 +1,5 @@
clusterName: helm-lint
authentication:
type: "github"
passwordless: false
secondFactor: "off"

4
teleport-cluster-17.4.9/.lint/auth-enterprise-license.yaml Normal file
View File

@ -0,0 +1,4 @@
clusterName: helm-lint
enterprise: true
licenseSecretName: enterprise-license

3
teleport-cluster-17.4.9/.lint/auth-locking-mode.yaml Normal file
View File

@ -0,0 +1,3 @@
clusterName: helm-lint
authentication:
lockingMode: "strict"

4
teleport-cluster-17.4.9/.lint/auth-passwordless.yaml Normal file
View File

@ -0,0 +1,4 @@
clusterName: helm-lint
authentication:
connectorName: passwordless
secondFactor: webauthn

4
teleport-cluster-17.4.9/.lint/auth-secondfactors-sso.yaml Normal file
View File

@ -0,0 +1,4 @@
clusterName: helm-lint
authentication:
secondFactors:
- sso

10
teleport-cluster-17.4.9/.lint/auth-secondfactors-webauthn.yaml Normal file
View File

@ -0,0 +1,10 @@
clusterName: helm-lint
authentication:
secondFactors:
- sso
- webauthn
webauthn:
attestationAllowedCas:
- "/etc/ssl/certs/ca-certificates.crt"
attestationDeniedCas:
- "/etc/ssl/certs/ca-certificates.crt"

4
teleport-cluster-17.4.9/.lint/auth-type-legacy.yaml Normal file
View File

@ -0,0 +1,4 @@
clusterName: helm-lint
authentication:
type: "this-should-be-ignored"
authenticationType: "github"

3
teleport-cluster-17.4.9/.lint/auth-type.yaml Normal file
View File

@ -0,0 +1,3 @@
clusterName: helm-lint
authentication:
type: "github"

10
teleport-cluster-17.4.9/.lint/auth-webauthn-legacy.yaml Normal file
View File

@ -0,0 +1,10 @@
clusterName: helm-lint
authentication:
secondFactor: "off" # this should be overridden
authenticationSecondFactor:
secondFactor: "on"
webauthn:
attestationAllowedCas:
- "/etc/ssl/certs/ca-certificates.crt"
attestationDeniedCas:
- "/etc/ssl/certs/ca-certificates.crt"

8
teleport-cluster-17.4.9/.lint/auth-webauthn.yaml Normal file
View File

@ -0,0 +1,8 @@
clusterName: helm-lint
authentication:
secondFactor: "on"
webauthn:
attestationAllowedCas:
- "/etc/ssl/certs/ca-certificates.crt"
attestationDeniedCas:
- "/etc/ssl/certs/ca-certificates.crt"

13
teleport-cluster-17.4.9/.lint/aws-access-monitoring.yaml Normal file
View File

@ -0,0 +1,13 @@
clusterName: test-aws-cluster
chartMode: aws
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
sessionRecordingBucket: test-s3-session-storage-bucket
athenaURL: 'athena://db.table?topicArn=arn:aws:sns:region:account_id:topic_name'
accessMonitoring:
enabled: true
reportResults: "s3://example-athena-long-term/report_results"
roleARN: "arn:aws:iam::123456789012:role/example_AccessMonitoringRole"
workgroup: "example_access_monitoring_workgroup"

14
teleport-cluster-17.4.9/.lint/aws-dynamodb-autoscaling.yaml Normal file
View File

@ -0,0 +1,14 @@
clusterName: test-aws-cluster
chartMode: aws
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
auditLogTable: test-dynamodb-auditlog-table
sessionRecordingBucket: test-s3-session-storage-bucket
dynamoAutoScaling: true
readMinCapacity: 5
readMaxCapacity: 100
readTargetValue: 50.0
writeMinCapacity: 5
writeMaxCapacity: 100
writeTargetValue: 50.0

14
teleport-cluster-17.4.9/.lint/aws-ha-acme.yaml Normal file
View File

@ -0,0 +1,14 @@
clusterName: test-aws-cluster
chartMode: aws
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
auditLogTable: test-dynamodb-auditlog-table
sessionRecordingBucket: test-s3-session-storage-bucket
highAvailability:
replicaCount: 3
certManager:
enabled: true
issuerName: letsencrypt-production
labels:
env: aws

12
teleport-cluster-17.4.9/.lint/aws-ha-antiaffinity.yaml Normal file
View File

@ -0,0 +1,12 @@
clusterName: test-aws-cluster
chartMode: aws
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
auditLogTable: test-dynamodb-auditlog-table
sessionRecordingBucket: test-s3-session-storage-bucket
highAvailability:
replicaCount: 3
requireAntiAffinity: true
labels:
env: aws

17
teleport-cluster-17.4.9/.lint/aws-ha-log.yaml Normal file
View File

@ -0,0 +1,17 @@
clusterName: test-aws-cluster
chartMode: aws
log:
level: DEBUG
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
auditLogTable: test-dynamodb-auditlog-table
auditLogMirrorOnStdout: true
sessionRecordingBucket: test-s3-session-storage-bucket
highAvailability:
replicaCount: 2
certManager:
enabled: true
issuerName: letsencrypt-production
labels:
env: aws

11
teleport-cluster-17.4.9/.lint/aws-ha.yaml Normal file
View File

@ -0,0 +1,11 @@
clusterName: test-aws-cluster
chartMode: aws
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
auditLogTable: test-dynamodb-auditlog-table
sessionRecordingBucket: test-s3-session-storage-bucket
highAvailability:
replicaCount: 3
labels:
env: aws

11
teleport-cluster-17.4.9/.lint/aws.yaml Normal file
View File

@ -0,0 +1,11 @@
clusterName: test-aws-cluster
chartMode: aws
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
auditLogTable: test-dynamodb-auditlog-table
sessionRecordingBucket: test-s3-session-storage-bucket
acme: true
acmeEmail: test@email.com
labels:
env: aws

11
teleport-cluster-17.4.9/.lint/azure.yaml Normal file
View File

@ -0,0 +1,11 @@
clusterName: test-azure-cluster
chartMode: azure
azure:
databaseHost: "mypostgresinstance.postgres.database.azure.com"
databaseUser: "teleport"
backendDatabase: "teleport_backend"
auditLogDatabase: "teleport_audit"
auditLogMirrorOnStdout: true
sessionRecordingStorageAccount: "mystorageaccount.blob.core.windows.net"
clientID: "1234"
databasePoolMaxConnections: 100

15
teleport-cluster-17.4.9/.lint/cert-manager.yaml Normal file
View File

@ -0,0 +1,15 @@
clusterName: test-cluster
chartMode: aws
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
auditLogTable: test-dynamodb-auditlog-table
sessionRecordingBucket: test-s3-session-storage-bucket
highAvailability:
replicaCount: 3
certManager:
addCommonName: true
enabled: true
issuerGroup: custom.cert-manager.io
issuerName: custom
issuerKind: CustomClusterIssuer

15
teleport-cluster-17.4.9/.lint/cert-secret.yaml Normal file
View File

@ -0,0 +1,15 @@
clusterName: test-cluster
chartMode: aws
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
auditLogTable: test-dynamodb-auditlog-table
sessionRecordingBucket: test-s3-session-storage-bucket
annotations:
certSecret:
kubernetes.io/cert-secret: value
highAvailability:
replicaCount: 3
certManager:
enabled: true
issuerName: letsencrypt

7
teleport-cluster-17.4.9/.lint/example-minimal-standalone.yaml Normal file
View File

@ -0,0 +1,7 @@
# This setup is not safe for production because the proxy will self-sign its certificate.
# Use those values for testing only
# The chart should deploy and work only with a clusterName.
# This setup can also cause redirection issues if the proxy is contacted with a hostName instead of an IP address
# as it is not aware of its external hostname and will attempt to perform a redirection.
clusterName: helm-lint

4
teleport-cluster-17.4.9/.lint/existing-tls-secret-with-ca.yaml Normal file
View File

@ -0,0 +1,4 @@
clusterName: test-cluster-name
tls:
existingSecretName: helm-lint-existing-tls-secret
existingCASecretName: helm-lint-existing-tls-secret-ca

3
teleport-cluster-17.4.9/.lint/existing-tls-secret.yaml Normal file
View File

@ -0,0 +1,3 @@
clusterName: test-cluster-name
tls:
existingSecretName: helm-lint-existing-tls-secret

12
teleport-cluster-17.4.9/.lint/extra-containers.yaml Normal file
View File

@ -0,0 +1,12 @@
clusterName: helm-lint.example.com
extraContainers:
- name: nscenter
command:
- /bin/bash
- -c
- sleep infinity & wait
image: praqma/network-multitool
imagePullPolicy: IfNotPresent
securityContext:
privileged: true
runAsNonRoot: false

4
teleport-cluster-17.4.9/.lint/extra-env.yaml Normal file
View File

@ -0,0 +1,4 @@
clusterName: helm-lint.example.com
extraEnv:
- name: SOME_ENVIRONMENT_VARIABLE
value: "some-value"

14
teleport-cluster-17.4.9/.lint/gcp-ha-acme.yaml Normal file
View File

@ -0,0 +1,14 @@
clusterName: test-gcp-cluster
chartMode: gcp
gcp:
projectId: gcpproj-123456
backendTable: test-teleport-firestore-storage-collection
auditLogTable: test-teleport-firestore-auditlog-collection
sessionRecordingBucket: test-gcp-session-storage-bucket
highAvailability:
replicaCount: 3
certManager:
enabled: true
issuerName: letsencrypt-production
labels:
env: gcp

12
teleport-cluster-17.4.9/.lint/gcp-ha-antiaffinity.yaml Normal file
View File

@ -0,0 +1,12 @@
clusterName: test-gcp-cluster
chartMode: gcp
gcp:
projectId: gcpproj-123456
backendTable: test-teleport-firestore-storage-collection
auditLogTable: test-teleport-firestore-auditlog-collection
sessionRecordingBucket: test-gcp-session-storage-bucket
highAvailability:
replicaCount: 3
requireAntiAffinity: true
labels:
env: gcp

17
teleport-cluster-17.4.9/.lint/gcp-ha-log.yaml Normal file
View File

@ -0,0 +1,17 @@
clusterName: test-gcp-cluster
chartMode: gcp
log:
level: DEBUG
gcp:
projectId: gcpproj-123456
backendTable: test-teleport-firestore-storage-collection
auditLogTable: test-teleport-firestore-auditlog-collection
auditLogMirrorOnStdout: true
sessionRecordingBucket: test-gcp-session-storage-bucket
highAvailability:
replicaCount: 3
certManager:
enabled: true
issuerName: letsencrypt-production
labels:
env: gcp

12
teleport-cluster-17.4.9/.lint/gcp-ha-workload.yaml Normal file
View File

@ -0,0 +1,12 @@
clusterName: test-gcp-cluster
chartMode: gcp
gcp:
projectId: gcpproj-123456
backendTable: test-teleport-firestore-storage-collection
auditLogTable: test-teleport-firestore-auditlog-collection
sessionRecordingBucket: test-gcp-session-storage-bucket
credentialSecretName: ""
highAvailability:
replicaCount: 3
labels:
env: gcp

11
teleport-cluster-17.4.9/.lint/gcp-ha.yaml Normal file
View File

@ -0,0 +1,11 @@
clusterName: test-gcp-cluster
chartMode: gcp
gcp:
projectId: gcpproj-123456
backendTable: test-teleport-firestore-storage-collection
auditLogTable: test-teleport-firestore-auditlog-collection
sessionRecordingBucket: test-gcp-session-storage-bucket
highAvailability:
replicaCount: 3
labels:
env: gcp

11
teleport-cluster-17.4.9/.lint/gcp.yaml Normal file
View File

@ -0,0 +1,11 @@
clusterName: test-gcp-cluster
chartMode: gcp
gcp:
projectId: gcpproj-123456
backendTable: test-teleport-firestore-storage-collection
auditLogTable: test-teleport-firestore-auditlog-collection
sessionRecordingBucket: test-gcp-session-storage-bucket
acme: true
acmeEmail: test@email.com
labels:
env: gcp

4
teleport-cluster-17.4.9/.lint/imagepullsecrets.yaml Normal file
View File

@ -0,0 +1,4 @@
clusterName: test-standalone-cluster
chartMode: standalone
imagePullSecrets:
- name: myRegistryKeySecretName

8
teleport-cluster-17.4.9/.lint/ingress-publicaddr.yaml Normal file
View File

@ -0,0 +1,8 @@
clusterName: teleport.example.com
publicAddr: ["my-teleport-ingress.example.com:443"]
ingress:
enabled: true
suppressAutomaticWildcards: true
proxyListenerMode: multiplex
service:
type: ClusterIP

6
teleport-cluster-17.4.9/.lint/ingress.yaml Normal file
View File

@ -0,0 +1,6 @@
clusterName: teleport.example.com
ingress:
enabled: true
proxyListenerMode: multiplex
service:
type: ClusterIP

8
teleport-cluster-17.4.9/.lint/initcontainers.yaml Normal file
View File

@ -0,0 +1,8 @@
clusterName: helm-lint
initContainers:
- name: "teleport-init"
image: "alpine"
args: ["echo test"]
- name: "teleport-init2"
image: "alpine"
args: ["echo test2"]

2
teleport-cluster-17.4.9/.lint/kube-cluster-name.yaml Normal file
View File

@ -0,0 +1,2 @@
clusterName: test-aws-cluster
kubeClusterName: test-kube-cluster

4
teleport-cluster-17.4.9/.lint/log-basic.yaml Normal file
View File

@ -0,0 +1,4 @@
clusterName: test-log-cluster
log:
format: json
level: INFO

6
teleport-cluster-17.4.9/.lint/log-extra.yaml Normal file
View File

@ -0,0 +1,6 @@
clusterName: test-log-cluster
log:
format: json
level: DEBUG
output: /var/lib/teleport/test.log
extraFields: ["level", "timestamp", "component", "caller"]

2
teleport-cluster-17.4.9/.lint/log-legacy.yaml Normal file
View File

@ -0,0 +1,2 @@
clusterName: test-log-cluster
logLevel: DEBUG

4
teleport-cluster-17.4.9/.lint/node-selector.yaml Normal file
View File

@ -0,0 +1,4 @@
clusterName: test-cluster-name
nodeSelector:
role: bastion
environment: security

4
teleport-cluster-17.4.9/.lint/operator.yaml Normal file
View File

@ -0,0 +1,4 @@
clusterName: test-cluster-name
operator:
enabled: true
installCRDs: true

12
teleport-cluster-17.4.9/.lint/pdb.yaml Normal file
View File

@ -0,0 +1,12 @@
clusterName: helm-lint
chartMode: aws
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
auditLogTable: test-dynamodb-auditlog-table
sessionRecordingBucket: test-s3-session-storage-bucket
highAvailability:
replicaCount: 3
podDisruptionBudget:
enabled: true
minAvailable: 2

4
teleport-cluster-17.4.9/.lint/persistence-legacy.yaml Normal file
View File

@ -0,0 +1,4 @@
clusterName: test-persistence-cluster
standalone:
existingClaimName: ""
volumeSize: 10Gi

1
teleport-cluster-17.4.9/.lint/pod-security-context-empty.yaml Normal file
View File

@ -0,0 +1 @@
clusterName: helm-lint

7
teleport-cluster-17.4.9/.lint/pod-security-context.yaml Normal file
View File

@ -0,0 +1,7 @@
clusterName: helm-lint
podSecurityContext:
fsGroup: 99
fsGroupChangePolicy: OnRootMismatch
runAsGroup: 99
runAsNonRoot: true
runAsUser: 99

6
teleport-cluster-17.4.9/.lint/podmonitor.yaml Normal file
View File

@ -0,0 +1,6 @@
clusterName: test-kube-cluster-name
podMonitor:
enabled: true
additionalLabels:
prometheus: default
interval: 30s

4
teleport-cluster-17.4.9/.lint/priority-class-name.yaml Normal file
View File

@ -0,0 +1,4 @@
clusterName: helm-lint
# These are just sample values to test the chart.
# They are not intended to be guidelines or suggestions for running teleport.
priorityClassName: "system-cluster-critical"

4
teleport-cluster-17.4.9/.lint/probe-timeout-seconds.yaml Normal file
View File

@ -0,0 +1,4 @@
clusterName: helm-lint
# These are just sample values to test the chart.
# They are not intended to be guidelines or suggestions for running teleport.
probeTimeoutSeconds: 5

2
teleport-cluster-17.4.9/.lint/proxy-listener-mode-multiplex.yaml Normal file
View File

@ -0,0 +1,2 @@
clusterName: test-proxy-listener-mode
proxyListenerMode: multiplex

2
teleport-cluster-17.4.9/.lint/proxy-listener-mode-separate.yaml Normal file
View File

@ -0,0 +1,2 @@
clusterName: test-proxy-listener-mode
proxyListenerMode: separate

11
teleport-cluster-17.4.9/.lint/public-addresses.yaml Normal file
View File

@ -0,0 +1,11 @@
clusterName: helm-lint
publicAddr: ["loadbalancer.example.com:443"]
sshPublicAddr: ["loadbalancer.example.com:3023"]
tunnelPublicAddr: ["loadbalancer.example.com:3024"]
postgresPublicAddr: ["loadbalancer.example.com:5432"]
mongoPublicAddr: ["loadbalancer.example.com:27017"]
mysqlPublicAddr: ["loadbalancer.example.com:3036"]
kubePublicAddr: ["loadbalancer.example.com:3026"]
separatePostgresListener: true
separateMongoListener: true

10
teleport-cluster-17.4.9/.lint/resources.yaml Normal file
View File

@ -0,0 +1,10 @@
clusterName: helm-lint
# These are just sample values to test the chart.
# They are not intended to be guidelines or suggestions for running teleport.
resources:
limits:
cpu: 2
memory: 4Gi
requests:
cpu: 1
memory: 2Gi

1
teleport-cluster-17.4.9/.lint/security-context-empty.yaml Normal file
View File

@ -0,0 +1 @@
clusterName: helm-lint

8
teleport-cluster-17.4.9/.lint/security-context.yaml Normal file
View File

@ -0,0 +1,8 @@
clusterName: helm-lint
securityContext:
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: false
runAsGroup: 99
runAsNonRoot: true
runAsUser: 99

2
teleport-cluster-17.4.9/.lint/separate-mongo-listener.yaml Normal file
View File

@ -0,0 +1,2 @@
clusterName: helm-lint
separateMongoListener: true

2
teleport-cluster-17.4.9/.lint/separate-postgres-listener.yaml Normal file
View File

@ -0,0 +1,2 @@
clusterName: helm-lint
separatePostgresListener: true

7
teleport-cluster-17.4.9/.lint/service-account.yaml Normal file
View File

@ -0,0 +1,7 @@
clusterName: helm-lint
serviceAccount:
create: true
name: helm-lint
annotations:
serviceAccount:
kubernetes.io/serviceaccount: "test-annotation"

5
teleport-cluster-17.4.9/.lint/service.yaml Normal file
View File

@ -0,0 +1,5 @@
clusterName: helm-lint
service:
type: LoadBalancer
spec:
loadBalancerIP: 1.2.3.4

2
teleport-cluster-17.4.9/.lint/session-recording-off.yaml Normal file
View File

@ -0,0 +1,2 @@
clusterName: helm-lint
sessionRecording: "off"

2
teleport-cluster-17.4.9/.lint/session-recording.yaml Normal file
View File

@ -0,0 +1,2 @@
clusterName: helm-lint
sessionRecording: "node-sync"

9
teleport-cluster-17.4.9/.lint/standalone-custom-storage-class.yaml Normal file
View File

@ -0,0 +1,9 @@
clusterName: test-standalone-cluster
chartMode: standalone
persistence:
enabled: true
storageClassName: ebs-ssd
acme: true
acmeEmail: test@email.com
labels:
env: standalone

9
teleport-cluster-17.4.9/.lint/standalone-customsize.yaml Normal file
View File

@ -0,0 +1,9 @@
clusterName: test-standalone-cluster
chartMode: standalone
persistence:
enabled: true
volumeSize: 50Gi
acme: true
acmeEmail: test@email.com
labels:
env: standalone

9
teleport-cluster-17.4.9/.lint/standalone-existingpvc.yaml Normal file
View File

@ -0,0 +1,9 @@
clusterName: test-standalone-cluster
chartMode: standalone
persistence:
enabled: true
existingClaimName: teleport-storage
acme: true
acmeEmail: test@email.com
labels:
env: standalone

18
teleport-cluster-17.4.9/.lint/tolerations.yaml Normal file
View File

@ -0,0 +1,18 @@
clusterName: test-aws-cluster
chartMode: aws
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
auditLogTable: test-dynamodb-auditlog-table
sessionRecordingBucket: test-s3-session-storage-bucket
highAvailability:
replicaCount: 3
tolerations:
- key: "dedicated"
operator: "Equal"
value: "teleport"
effect: "NoExecute"
- key: "dedicated"
operator: "Equal"
value: "teleport"
effect: "NoSchedule"

5
teleport-cluster-17.4.9/.lint/version-override.yaml Normal file
View File

@ -0,0 +1,5 @@
clusterName: test-cluster-name
teleportVersionOverride: 5.2.1
labels:
env: test
version: 5.2.1

8
teleport-cluster-17.4.9/.lint/volumes.yaml Normal file
View File

@ -0,0 +1,8 @@
clusterName: helm-lint
extraVolumeMounts:
- name: "my-mount"
mountPath: "/path/to/mount"
extraVolumes:
- name: "my-mount"
secret:
secretName: "mySecret"

13
teleport-cluster-17.4.9/Chart.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: v2
appVersion: 17.4.9
dependencies:
- alias: operator
name: teleport-operator
repository: ""
version: 17.4.9
description: Teleport is an access platform for your infrastructure
icon: https://goteleport.com/static/teleport-symbol-bimi.svg
keywords:
- Teleport
name: teleport-cluster
version: 17.4.9

68
teleport-cluster-17.4.9/README.md Normal file
View File

@ -0,0 +1,68 @@
# Teleport Cluster
This chart sets up a Teleport cluster composed of at least 1 Proxy instance
and 1 Auth instance. When applicable, the chart will default to 2 pods to
provide high-availability.
## Important Notices
- The chart version follows the Teleport version. e.g. chart v10.x can run Teleport v10.x and v11.x, but is not compatible with Teleport 9.x
- Teleport does mutual TLS to authenticate clients. Establishing mTLS through a L7
LoadBalancer, like a Kubernetes `Ingress` [requires ALPN support](https://goteleport.com/docs/architecture/tls-routing/#working-with-layer-7-load-balancers-or-reverse-proxies).
Exposing Teleport through a `Service` with type `LoadBalancer` is still recommended
because its the most flexible and least complex setup.
## Getting Started
### Single-node example
To install Teleport in a separate namespace and provision a web certificate using Let's Encrypt, run:
```bash
$ helm install teleport/teleport-cluster \
--set acme=true \
--set acmeEmail=alice@example.com \
--set clusterName=teleport.example.com\
--create-namespace \
--namespace=teleport-cluster \
./teleport-cluster/
```
Finally, configure the DNS for `teleport.example.com` to point to the newly created LoadBalancer.
Note: this guide uses the built-in ACME client to get certificates.
In this setup, Teleport nodes cannot be replicated. If you want to run multiple
Teleport replicas, you must provide a certificate through `tls.existingSecretName`
or by installing [cert-manager](https://cert-manager.io/docs/) and setting the `highAvailability.certManager.*` values.
### Replicated setup guides
- [Running an HA Teleport cluster in Kubernetes using an AWS EKS Cluster](https://goteleport.com/docs/admin-guides/deploy-a-cluster/helm-deployments/aws/)
- [Running an HA Teleport cluster in Kubernetes using an Google Cloud GKE cluster](https://goteleport.com/docs/admin-guides/deploy-a-cluster/helm-deployments/gcp/)
- [Running an HA Teleport cluster in Kubernetes using an Azure AKS cluster](https://goteleport.com/docs/admin-guides/deploy-a-cluster/helm-deployments/azure/)
- [Running a Teleport cluster in Kubernetes with a custom Teleport config](https://goteleport.com/docs/admin-guides/deploy-a-cluster/helm-deployments/custom/)
### Creating first user
The first user can be created by executing a command in one of the auth pods.
```code
kubectl exec it -n teleport-cluster statefulset/teleport-cluster-auth -- tctl users add my-username --roles=editor,auditor,access
```
The command should output a registration link to finalize the user creation.
## Uninstalling
```bash
helm uninstall --namespace teleport-cluster teleport-cluster
```
## Documentation
See https://goteleport.com/docs/admin-guides/deploy-a-cluster/helm-deployments/ for guides on setting up HA Teleport clusters
in EKS or GKE, plus a comprehensive chart reference.
## Contributing to the chart
Please read [CONTRIBUTING.md](../CONTRIBUTING.md) before raising a pull request to this chart.

14
teleport-cluster-17.4.9/charts/teleport-operator/.lint/annotations.yaml Normal file
View File

@ -0,0 +1,14 @@
annotations:
deployment:
kubernetes.io/deployment: "test-annotation"
kubernetes.io/deployment-different: 3
pod:
kubernetes.io/pod: "test-annotation"
kubernetes.io/pod-different: 4
serviceAccount:
kubernetes.io/serviceaccount: "test-annotation"
kubernetes.io/serviceaccount-different: 6
teleportAddress: "example.teleport.sh:443"
token: "my-operator-bot"
teleportClusterName: "example.teleport.sh"

3
teleport-cluster-17.4.9/charts/teleport-operator/.lint/cloud-join.yaml Normal file
View File

@ -0,0 +1,3 @@
teleportAddress: "example.teleport.sh:443"
token: "my-operator-bot"
teleportClusterName: "example.teleport.sh"

1
teleport-cluster-17.4.9/charts/teleport-operator/.lint/disabled.yaml Normal file
View File

@ -0,0 +1 @@
enabled: false

6
teleport-cluster-17.4.9/charts/teleport-operator/.lint/existing-tls-ca.yaml Normal file
View File

@ -0,0 +1,6 @@
tls:
existingCASecretName: helm-lint-existing-tls-secret-ca
teleportAddress: "teleport.example.com:3080"
token: "my-operator-bot"
teleportClusterName: "teleport.example.com"

10
teleport-cluster-17.4.9/charts/teleport-operator/.lint/labels.yaml Normal file
View File

@ -0,0 +1,10 @@
labels:
deployment:
kubernetes.io/deployment: "test-label"
kubernetes.io/deployment-different: 3
pod:
kubernetes.io/pod: "test-label"
kubernetes.io/pod-different: 4
teleportAddress: "example.teleport.sh:443"
token: "my-operator-bot"
teleportClusterName: "example.teleport.sh"

3
teleport-cluster-17.4.9/charts/teleport-operator/.lint/non-kubernetes-joining.yaml Normal file
View File

@ -0,0 +1,3 @@
teleportAddress: "example.teleport.sh:443"
token: "my-operator-bot"
joinMethod: "iam"

13
teleport-cluster-17.4.9/charts/teleport-operator/.lint/resources.yaml Normal file
View File

@ -0,0 +1,13 @@
# These are just sample values to test the chart.
# They are not intended to be guidelines or suggestions for running teleport.
resources:
limits:
cpu: 2
memory: 4Gi
requests:
cpu: 1
memory: 2Gi
teleportAddress: "example.teleport.sh:443"
token: "my-operator-bot"
teleportClusterName: "example.teleport.sh"

8
teleport-cluster-17.4.9/charts/teleport-operator/Chart.yaml Normal file
View File

@ -0,0 +1,8 @@
apiVersion: v2
appVersion: 17.4.9
description: Teleport Operator provides management of select Teleport resources.
icon: https://goteleport.com/static/teleport-symbol-bimi.svg
keywords:
- Teleport
name: teleport-operator
version: 17.4.9

28
teleport-cluster-17.4.9/charts/teleport-operator/README.md Normal file
View File

@ -0,0 +1,28 @@
# Teleport Operator
This chart deploys the Teleport Kubernetes Operator. The operator allows to manage
Teleport resources from inside Kubernetes.
## Important notice
The chart version follows the Teleport and Teleport Kube Operator version. e.g.
chart v15.0.1 runs the operator version 15.0.1 by default. To control which
operator version is deployed, use the `--version` Helm flag.
## Deployment
The chart can be deployed in two ways:
- in standalone mode by running
```code
helm install teleport/teleport-operator teleport-operator --set authAddr=teleport.example.com:443 --set token=my-operator-token
```
See [the standalone guide](https://goteleport.com/docs/management/dynamic-resources/teleport-operator-standalone/) for more details.
- as a dependency of the `teleport-cluster` Helm chart by adding `--set operator.enabled=true`. See
[the operator within teleport-cluster chart guide](https://goteleport.com/docs/management/dynamic-resources/teleport-operator-helm/).
## Values and reference
The `values.yaml` is documented through comment or via
[the reference docs](https://goteleport.com/docs/reference/helm-reference/teleport-operator/).
Please make sure you are looking at the correct version when looking at the values reference.

269
teleport-cluster-17.4.9/charts/teleport-operator/operator-crds/resources.teleport.dev_accesslists.yaml Normal file
View File

@ -0,0 +1,269 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
creationTimestamp: null
name: teleportaccesslists.resources.teleport.dev
spec:
group: resources.teleport.dev
names:
kind: TeleportAccessList
listKind: TeleportAccessListList
plural: teleportaccesslists
shortNames:
- accesslist
- accesslists
singular: teleportaccesslist
scope: Namespaced
versions:
- name: v1
schema:
openAPIV3Schema:
description: AccessList is the Schema for the accesslists API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: AccessList resource definition v1 from Teleport
properties:
audit:
description: audit describes the frequency that this Access List must
be audited.
nullable: true
properties:
next_audit_date:
description: next_audit_date is when the next audit date should
be done by.
format: date-time
type: string
notifications:
description: notifications is the configuration for notifying
users.
nullable: true
properties:
start:
description: start specifies when to start notifying users
that the next audit date is coming up.
format: duration
type: string
type: object
recurrence:
description: recurrence is the recurrence definition
nullable: true
properties:
day_of_month:
description: day_of_month is the day of month that reviews
will be scheduled on. Supported values are 0, 1, 15, and
31.
x-kubernetes-int-or-string: true
frequency:
description: frequency is the frequency of reviews. This represents
the period in months between two reviews. Supported values
are 0, 1, 3, 6, and 12.
x-kubernetes-int-or-string: true
type: object
type: object
description:
description: description is an optional plaintext description of the
Access List.
type: string
grants:
description: grants describes the access granted by membership to
this Access List.
nullable: true
properties:
roles:
description: roles are the roles that are granted to users who
are members of the Access List.
items:
type: string
nullable: true
type: array
traits:
additionalProperties:
items:
type: string
type: array
description: traits are the traits that are granted to users who
are members of the Access List.
type: object
type: object
membership_requires:
description: membership_requires describes the requirements for a
user to be a member of the Access List. For a membership to an Access
List to be effective, the user must meet the requirements of Membership_requires
and must be in the members list.
nullable: true
properties:
roles:
description: roles are the user roles that must be present for
the user to obtain access.
items:
type: string
nullable: true
type: array
traits:
additionalProperties:
items:
type: string
type: array
description: traits are the traits that must be present for the
user to obtain access.
type: object
type: object
owner_grants:
description: owner_grants describes the access granted by owners to
this Access List.
nullable: true
properties:
roles:
description: roles are the roles that are granted to users who
are members of the Access List.
items:
type: string
nullable: true
type: array
traits:
additionalProperties:
items:
type: string
type: array
description: traits are the traits that are granted to users who
are members of the Access List.
type: object
type: object
owners:
description: owners is a list of owners of the Access List.
items:
properties:
description:
description: description is the plaintext description of the
owner and why they are an owner.
type: string
ineligible_status:
description: ineligible_status describes if this owner is eligible
or not and if not, describes how they're lacking eligibility.
x-kubernetes-int-or-string: true
membership_kind:
description: membership_kind describes the type of membership,
either `MEMBERSHIP_KIND_USER` or `MEMBERSHIP_KIND_LIST`.
x-kubernetes-int-or-string: true
name:
description: name is the username of the owner.
type: string
type: object
nullable: true
type: array
ownership_requires:
description: ownership_requires describes the requirements for a user
to be an owner of the Access List. For ownership of an Access List
to be effective, the user must meet the requirements of ownership_requires
and must be in the owners list.
nullable: true
properties:
roles:
description: roles are the user roles that must be present for
the user to obtain access.
items:
type: string
nullable: true
type: array
traits:
additionalProperties:
items:
type: string
type: array
description: traits are the traits that must be present for the
user to obtain access.
type: object
type: object
title:
description: title is a plaintext short description of the Access
List.
type: string
type: object
status:
description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations
of an object's state
items:
description: Condition contains details for one aspect of the current
state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
teleportResourceID:
format: int64
type: integer
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null

146
teleport-cluster-17.4.9/charts/teleport-operator/operator-crds/resources.teleport.dev_botsv1.yaml Normal file
View File

@ -0,0 +1,146 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
creationTimestamp: null
name: teleportbotsv1.resources.teleport.dev
spec:
group: resources.teleport.dev
names:
kind: TeleportBotV1
listKind: TeleportBotV1List
plural: teleportbotsv1
shortNames:
- botv1
- botsv1
singular: teleportbotv1
scope: Namespaced
versions:
- name: v1
schema:
openAPIV3Schema:
description: BotV1 is the Schema for the botsv1 API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Bot resource definition v1 from Teleport
properties:
max_session_ttl:
description: The max session TTL value for the bot's internal role.
Unless specified, bots may not request a value beyond the default
maximum TTL of 12 hours. This value may not be larger than 7 days
(168 hours).
format: duration
type: string
roles:
description: The roles that the bot should be able to impersonate.
items:
type: string
nullable: true
type: array
traits:
description: The traits that will be associated with the bot for the
purposes of role templating. Where multiple specified with the
same name, these will be merged by the server.
items:
properties:
name:
description: The name of the trait. This is what allows the
trait to be queried in role templates.
type: string
values:
description: The values associated with the named trait.
items:
type: string
nullable: true
type: array
type: object
nullable: true
type: array
type: object
status:
description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations
of an object's state
items:
description: Condition contains details for one aspect of the current
state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
teleportResourceID:
format: int64
type: integer
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null

178
teleport-cluster-17.4.9/charts/teleport-operator/operator-crds/resources.teleport.dev_githubconnectors.yaml Normal file
View File

@ -0,0 +1,178 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
creationTimestamp: null
name: teleportgithubconnectors.resources.teleport.dev
spec:
group: resources.teleport.dev
names:
kind: TeleportGithubConnector
listKind: TeleportGithubConnectorList
plural: teleportgithubconnectors
shortNames:
- githubconnector
- githubconnectors
singular: teleportgithubconnector
scope: Namespaced
versions:
- name: v3
schema:
openAPIV3Schema:
description: GithubConnector is the Schema for the githubconnectors API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: GithubConnector resource definition v3 from Teleport
properties:
api_endpoint_url:
description: APIEndpointURL is the URL of the API endpoint of the
Github instance this connector is for.
type: string
client_id:
description: ClientID is the Github OAuth app client ID.
type: string
client_redirect_settings:
description: ClientRedirectSettings defines which client redirect
URLs are allowed for non-browser SSO logins other than the standard
localhost ones.
nullable: true
properties:
allowed_https_hostnames:
description: a list of hostnames allowed for https client redirect
URLs
items:
type: string
nullable: true
type: array
insecure_allowed_cidr_ranges:
description: a list of CIDRs allowed for HTTP or HTTPS client
redirect URLs
items:
type: string
nullable: true
type: array
type: object
client_secret:
description: ClientSecret is the Github OAuth app client secret. This
field supports secret lookup. See the operator documentation for
more details.
type: string
display:
description: Display is the connector display name.
type: string
endpoint_url:
description: EndpointURL is the URL of the GitHub instance this connector
is for.
type: string
redirect_url:
description: RedirectURL is the authorization callback URL.
type: string
teams_to_roles:
description: TeamsToRoles maps Github team memberships onto allowed
roles.
items:
properties:
organization:
description: Organization is a Github organization a user belongs
to.
type: string
roles:
description: Roles is a list of allowed logins for this org/team.
items:
type: string
nullable: true
type: array
team:
description: Team is a team within the organization a user belongs
to.
type: string
type: object
type: array
type: object
status:
description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations
of an object's state
items:
description: Condition contains details for one aspect of the current
state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
teleportResourceID:
format: int64
type: integer
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null

Some files were not shown because too many files have changed in this diff Show More