Bump teleport to version 15.3.3

teleport-cluster-14.3.0/templates/auth/clusterrole.yaml

@@ -1,71 +0,0 @@
-{{- if .Values.rbac.create -}}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: {{ .Release.Name }}
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - users
-  - groups
-  - serviceaccounts
-  verbs:
-  - impersonate
-- apiGroups:
-  - ""
-  resources:
-  - pods
-  verbs:
-  - get
-- apiGroups:
-  - "authorization.k8s.io"
-  resources:
-  - selfsubjectaccessreviews
-  verbs:
-  - create
-
-{{ if .Values.operator.enabled }}
-- apiGroups:
-  - "resources.teleport.dev"
-  resources:
-  - teleportroles
-  - teleportroles/status
-  - teleportusers
-  - teleportusers/status
-  - teleportgithubconnectors
-  - teleportgithubconnectors/status
-  - teleportoidcconnectors
-  - teleportoidcconnectors/status
-  - teleportsamlconnectors
-  - teleportsamlconnectors/status
-  - teleportloginrules
-  - teleportloginrules/status
-  - teleportprovisiontokens
-  - teleportprovisiontokens/status
-  - teleportoktaimportrules
-  - teleportoktaimportrules/status
-  verbs:
-  - get
-  - list
-  - patch
-  - update
-  - watch
-
-- apiGroups:
-  - "coordination.k8s.io"
-  resources:
-  - leases
-  verbs:
-  - create
-  - get
-  - update
-
-- apiGroups:
-  - ""
-  resources:
-  - events
-  verbs:
-  - create
-{{- end -}}
-{{- end -}}

teleport-cluster-14.3.0/templates/auth/config.yaml

@@ -1,28 +0,0 @@
-{{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}}
-{{- $configTemplate := printf "teleport-cluster.auth.config.%s" $auth.chartMode -}}
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ .Release.Name }}-auth
-  namespace: {{ .Release.Namespace }}
-  labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
-{{- if $auth.annotations.config }}
-  annotations: {{- toYaml $auth.annotations.config | nindent 4 }}
-{{- end }}
-data:
-{{- if $auth.createProxyToken }}
-  apply-on-startup.yaml: |2
-    kind: token
-    version: v2
-    metadata:
-      name: {{ .Release.Name }}-proxy
-      expires: "2050-01-01T00:00:00Z"
-    spec:
-      roles: [Proxy]
-      join_method: kubernetes
-      kubernetes:
-        allow:
-          - service_account: "{{ .Release.Namespace }}:{{ include "teleport-cluster.proxy.serviceAccountName" . }}"
-{{- end }}
-  teleport.yaml: |2
-    {{- mustMergeOverwrite (include $configTemplate . | fromYaml) $auth.teleportConfig | toYaml | nindent 4 -}}

teleport-cluster-14.3.0/tests/__snapshot__/auth_clusterrole_test.yaml.snap

@@ -1,66 +0,0 @@
-adds operator permissions to ClusterRole:
-  1: |
-    apiVersion: rbac.authorization.k8s.io/v1
-    kind: ClusterRole
-    metadata:
-      name: RELEASE-NAME
-    rules:
-    - apiGroups:
-      - ""
-      resources:
-      - users
-      - groups
-      - serviceaccounts
-      verbs:
-      - impersonate
-    - apiGroups:
-      - ""
-      resources:
-      - pods
-      verbs:
-      - get
-    - apiGroups:
-      - authorization.k8s.io
-      resources:
-      - selfsubjectaccessreviews
-      verbs:
-      - create
-    - apiGroups:
-      - resources.teleport.dev
-      resources:
-      - teleportroles
-      - teleportroles/status
-      - teleportusers
-      - teleportusers/status
-      - teleportgithubconnectors
-      - teleportgithubconnectors/status
-      - teleportoidcconnectors
-      - teleportoidcconnectors/status
-      - teleportsamlconnectors
-      - teleportsamlconnectors/status
-      - teleportloginrules
-      - teleportloginrules/status
-      - teleportprovisiontokens
-      - teleportprovisiontokens/status
-      - teleportoktaimportrules
-      - teleportoktaimportrules/status
-      verbs:
-      - get
-      - list
-      - patch
-      - update
-      - watch
-    - apiGroups:
-      - coordination.k8s.io
-      resources:
-      - leases
-      verbs:
-      - create
-      - get
-      - update
-    - apiGroups:
-      - ""
-      resources:
-      - events
-      verbs:
-      - create

teleport-cluster-14.3.0/values.home.yaml.old

@@ -1,686 +0,0 @@
-##################################################
-# Values that must always be provided by the user.
-##################################################
-
-# `clusterName` controls the name used to refer to the Teleport cluster, along with
-# the externally-facing public address to use to access it. In most setups this must
-# be a fully-qualified domain name (e.g. `teleport.example.com`) as this value is
-# used as the cluster's public address by default.
-#
-# Note: When using a fully qualified domain name as your `clusterName`, you will also
-# need to configure the DNS provider for this domain to point to the external
-# load balancer address of your Teleport cluster.
-#
-# Warning: The clusterName cannot be changed during a Teleport cluster's lifespan.
-# If you need to change it, you must redeploy a completely new cluster.
-clusterName: "teleport.ervine.cloud"
-
-# Name for this kubernetes cluster to be used by teleport users.
-kubeClusterName: "homeK8s"
-
-##################################################
-# Values that you may need to change.
-##################################################
-
-# Version of teleport image, if different from chart version in Chart.yaml.
-# DANGER: `teleportVersionOverride` MUST NOT be used to control the Teleport version.
-# This chart is designed to run a specific teleport version (see Chart.yaml).
-# You will face compatibility issues trying to run a different Teleport version with it.
-#
-# If you want to run Teleport version X, you should use `helm --version X` instead.
-teleportVersionOverride: ""
-
-# The `proxyProtocol` value controls whether the Proxy pods will
-# accept PROXY lines with the client's IP address when they are
-# behind a L4 load balancer (e.g. AWS ELB, GCP L4 LB, etc) with PROXY protocol
-# enabled. Since L4 LBs do not preserve the client's IP address, PROXY protocol is
-# required to ensure that Teleport can properly audit the client's IP address.
-#
-# When Teleport pods are not behind a L4 LB with PROXY protocol enabled, this
-# value should be set to "off" to prevent Teleport from accepting PROXY headers
-# from untrusted sources.
-# Possible values are "on" and "off".
-# - "on" will enable the PROXY protocol for all connections and will require the
-#   L4 LB to send a PROXY header.
-# - "off" will disable the PROXY protocol for all connections and denies all
-#   connections prefixed with a PROXY header.
-#
-# If proxyProtocol is unspecified, Teleport does not require PROXY header for the
-# connection, but will accept it if present. This mode is considered insecure
-# and should only be used for testing purposes.
-#
-# See https://goteleport.com/docs/ver/14.x/management/security/proxy-protocol/
-# for more information.
-#
-# proxyProtocol: on
-
-# The `teleport-cluster` charts deploys two sets of pods: auth and proxy.
-# `auth` contains values specific for the auth pods. You can use it to
-#  set specific values for auth pods, taking precedence over chart-scoped values.
-# For example, to override the [`postStart`](#postStart) value only for auth pods:
-#
-# auth:
-#  postStart: ["curl", "http://hook"]
-#  imagePullPolicy: Always
-auth:
-  # auth.teleportConfig contains YAML teleport configuration for auth pods
-  # The configuration will be merged with the chart-generated configuration
-  # and will take precedence in case of conflict.
-  #
-  # See the Teleport Configuration Reference for the list of supported fields:
-  # https://goteleport.com/docs/reference/config/
-  #
-  # teleportConfig:
-  #   teleport:
-  #     cache:
-  #       enabled: false
-  #   auth_service:
-  #     client_idle_timeout: 2h
-  #     client_idle_timeout_message: "Connection closed after 2hours without activity"
-  teleportConfig: {}
-
-# proxy contains values specific for the proxy pods
-# You can override chart-scoped values, for example
-# proxy:
-#   postStart: ["curl", "http://hook"]
-#   imagePullPolicy: Always
-proxy:
-  # proxy.teleportConfig contains YAML teleport configuration for proxy pods
-  # The configuration will be merged with the chart-generated configuration
-  # and will take precedence in case of conflict
-  #
-  # See the Teleport Configuration Reference for the list of supported fields:
-  # https://goteleport.com/docs/reference/config/
-  #
-  # teleportConfig:
-  #   teleport:
-  #     cache:
-  #       enabled: false
-  #   proxy_service:
-  #     https_keypairs:
-  #       - key_file: /my-custom-mount/key.pem
-  #         cert_file: /my-custom-mount/cert.pem
-  teleportConfig: {}
-
-authentication:
-  # Default authentication type. Possible values are 'local' and 'github' for OSS, plus 'oidc' and 'saml' for Enterprise.
-  type: local
-
-  # Sets the authenticator connector for SSO or the default connector for "local" authentication.
-  # See SSO for Enterprise (https://goteleport.com/docs/enterprise/sso/).
-  # See Passwordless for local
-  # (http://goteleport.com/docs/access-controls/guides/passwordless/#optional-enable-passwordless-by-default).
-  # Defaults to "local".
-  connectorName: ""
-
-  # Enable/disable local authentication by setting `authentication.local_auth` in `teleport.yaml`.
-  # Disabling local auth is required for FedRAMP / FIPS; see https://gravitational.com/teleport/docs/enterprise/ssh-kubernetes-fedramp/.
-  localAuth: true
-
-  # Controls the locking mode: in case of network split should Teleport guarantee availability or integrity ?
-  # Possible values are "best_effort" and "strict". When not defined, Teleport defaults to "best_effort".
-  # See https://goteleport.com/docs/access-controls/guides/locking/#next-steps-locking-modes.
-  lockingMode: ""
-
-  # Second factor requirements for users of the Teleport cluster.
-  # Controls the `auth_config.authentication.second_factor` field in `teleport.yaml`.
-  # Possible values are 'off', 'on', 'otp', 'optional' and 'webauthn'.
-  #
-  # WARNING:
-  #   If you set `publicAddr` for users to access the cluster under a domain different
-  #   to clusterName you must manually set the webauthn Relying
-  #   Party Identifier (RP ID) - https://www.w3.org/TR/webauthn-2/#relying-party-identifier
-  #   If you don't, RP ID will default to `clusterName` and users will fail
-  #   to register second factors.
-  #
-  #   You can do this by setting the value
-  #   `auth.teleportConfig.auth_service.authentication.webauthn.rp_id`.
-  #
-  #   RP ID must be both a valid domain, and part of the full domain users are connecting to.
-  #   For example, if users are accessing the cluster with the domain
-  #   "teleport.example.com", RP ID can be "teleport.example.com" or "example.com".
-  #
-  #   Changing the RP ID will invalidate all already registered webauthn second factors.
-  secondFactor: "on"
-
-  # (Optional) When using webauthn this allows to restrict which vendor and key models can be used.
-  # webauthn:
-  #   attestationAllowedCas:
-  #     - /path/to/allowed_ca.pem
-  #     - |
-  #       -----BEGIN CERTIFICATE-----
-  #       ...
-  #       -----END CERTIFICATE-----
-  #   attestationDeniedCas:
-  #     - /path/to/denied_ca.pem
-  #     - |
-  #       -----BEGIN CERTIFICATE-----
-  #       ...
-  #       -----END CERTIFICATE-----
-
-# Deprecated way to set the authentication type, `authentication.type` should be preferred.
-# authenticationType: local
-
-# Deprecated way to set the authentication second factor, `authentication.secondFactor` should be preferred.
-# authenticationSecondFactor:
-#   secondFactor: "otp"
-
-# Teleport supports TLS routing. In this mode, all client connections are wrapped in TLS and multiplexed on one Teleport proxy port.
-# Default mode will not utilize TLS routing and operate in backwards-compatibility mode.
-#
-# To use an ingress, set proxyListenerMode=multiplex, ingress.enabled=true and service.type=ClusterIP
-#
-# Possible values are 'separate' and 'multiplex'
-proxyListenerMode: "multiplex"
-
-# Optional setting for configuring session recording.
-# See `session_recording` under https://goteleport.com/docs/setup/reference/config/#teleportyaml
-sessionRecording: ""
-
-# By default, Teleport will multiplex Postgres and MongoDB database connections on the same port as the proxy's web listener (443)
-# Setting either of these values to true will separate the listeners out onto a separate port (5432 for Postgres, 27017 for MongoDB)
-# This is useful when terminating TLS at a load balancer in front of Teleport (such as when using AWS ACM)
-# These settings will not apply if proxyListenerMode is set to "multiplex".
-separatePostgresListener: false
-separateMongoListener: false
-
-# Do not set any of these values unless you explicitly need to. Teleport always uses the cluster name by default.
-#
-# WARNING:
-#   If you set `publicAddr` for users to access the cluster under a domain different
-#   to clusterName, you must manually set the webauthn Relying
-#   Party Identifier (RP ID) - https://www.w3.org/TR/webauthn-2/#relying-party-identifier
-#   If you don't, RP ID will default to `clusterName` and users will fail
-#   to register second factors.
-#
-#   You can do this by setting the value
-#   `auth.teleportConfig.auth_service.authentication.webauthn.rp_id`.
-#
-#   RP ID must be both a valid domain, and part of the full domain users are connecting to.
-#   For example, if users are accessing the cluster with the domain
-#   "teleport.example.com", RP ID can be "teleport.example.com" or "example.com".
-#
-#   Changing the RP ID will invalidate all already registered webauthn second factors.
-#
-# Public cluster addresses, including port (e.g. teleport.example.com:443)
-# Defaults to `clusterName` on port 443.
-publicAddr: []
-# Public cluster kube addresses, including port. Defaults to `publicAddr` on port 3026.
-# Only used when `proxyListenerMode` is not 'multiplex'.
-kubePublicAddr: []
-# Public cluster mongo listener addresses, including port. Defaults to `publicAddr` on port 27017.
-# Only used when `proxyListenerMode` is not 'multiplex' and `separateMongoListener` is true.
-mongoPublicAddr: []
-# Public cluster MySQL addresses, including port. Defaults to `publicAddr` on port 3036.
-# Only used when `proxyListenerMode` is not 'multiplex'.
-mysqlPublicAddr: []
-# Public cluster postgres listener addresses, including port. Defaults to `publicAddr` on port 5432.
-# Only used when `proxyListenerMode` is not 'multiplex' and `separatePostgresListener` is true.
-postgresPublicAddr: []
-# Public cluster SSH addresses, including port. Defaults to `publicAddr` on port 3023.
-# Only used when `proxyListenerMode` is not 'multiplex'.
-sshPublicAddr: []
-# Public cluster tunnel SSH addresses, including port. Defaults to `publicAddr` on port 3024.
-# Only used when `proxyListenerMode` is not 'multiplex'.
-tunnelPublicAddr: []
-
-# ACME is a protocol for getting Web X.509 certificates
-# Note: ACME can only be used for single-instance clusters. It is not suitable for use in HA configurations.
-# For HA configurations, see either the "highAvailability.certManager" or "tls" values.
-# Setting acme to 'true' enables the ACME protocol and will attempt to get a free TLS certificate from Let's Encrypt.
-# Setting acme to 'false' (the default) will cause Teleport to generate and use self-signed certificates for its web UI.
-# This section is mutually exclusive with the "tls" value below.
-acme: false
-# acmeEmail is the email address to provide during certificate registration (this is a Let's Encrypt requirement)
-acmeEmail: ""
-# acmeURI is the ACME server to use for getting certificates. The default is to use Let's Encrypt's production server.
-acmeURI: ""
-
-# Set enterprise to true to use enterprise image
-# You will need to download your Enterprise license from the Teleport dashboard and create a secret to use this:
-# kubectl -n ${TELEPORT_NAMESPACE?} create secret generic license --from-file=/path/to/downloaded/license.pem
-enterprise: false
-
-# CRDs are installed by default when the operator is enabled. This manual override allows to disable CRD installation
-# when deploying multiple releases in the same cluster.
-# installCRDs:
-
-# Configuration of the optional Teleport operator
-operator:
-  # Set enabled to true to add the Kubernetes Teleport Operator
-  enabled: true
-  # Kubernetes Teleport Operator image
-  image: public.ecr.aws/gravitational/teleport-operator
-  # Resources to request for the operator container
-  # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
-  resources: {}
-  #  requests:
-  #    cpu: "0.5"
-  #    memory: "1Gi"
-  #  limits:
-  #    memory: "1Gi"
-
-# If true, create & use Pod Security Policy resources
-# https://kubernetes.io/docs/concepts/policy/pod-security-policy/
-# WARNING: the PSP won't be deployed for Kubernetes 1.23 and higher.
-# Please read https://goteleport.com/docs/deploy-a-cluster/helm-deployments/migration-kubernetes-1-25-psp/
-podSecurityPolicy:
-  enabled: false
-
-# Labels is a map of key-value pairs about this cluster
-labels: {}
-
-# Mode to deploy the chart in. The default is "standalone". Options:
-# - "standalone": will deploy a Teleport container running auth and proxy services with a PersistentVolumeClaim for storage.
-# - "aws": will deploy Teleport using DynamoDB for backend/audit log storage and S3 for session recordings. (1)
-# - "gcp": will deploy Teleport using Firestore for backend/audit log storage and Google Cloud storage for session recordings. (2)
-# - "azure": will deploy Teleport using Azure Database for PostgreSQL for backend/audit and Azure Blob Storage for session recordings. (3)
-# - "scratch": will deploy Teleport containers but will not provide default configuration file. You must pass your own configuration. (4)
-# (1) To use "aws" mode, you must also configure the "aws" section below.
-# (2) To use "gcp" mode, you must also configure the "gcp" section below.
-# (3) To use "azure" mode, you must also configure the "azure" section below.
-# (4) When set to "scratch", you must write the teleport configuration in auth.teleportConfig and proxy.teleportConfig.
-# `scratch` usage is strongly discouraged, this is a last resort option and
-# everything should be doable with `standalone` mode + overrides through
-# `auth.teleportConfig` and `proxy.teleportConfig`.
-chartMode: standalone
-
-# validateConfigOnDeploy enables a Kubernetes job before install and upgrade that will verify
-# if the teleport.yaml configuration is valid and will block the deployment if it is not
-validateConfigOnDeploy: true
-
-# Whether the chart should create a Teleport ProvisionToken for the proxies to join the Teleport cluster.
-# Disabling this flag will cause the proxies not to be able to join the auth pods. In this case, the
-# Helm chart user is responsible for configuring working join_params on the proxy.
-createProxyToken: true
-
-# podMonitor controls the PodMonitor CR (from monitoring.coreos.com/v1)
-# This CRD is managed by the prometheus-operator and allows workload to
-# get monitored. To use this value, you need to run a `prometheus-operator`
-# in the cluster for this value to take effect.
-# See https://prometheus-operator.dev/docs/prologue/introduction/
-podMonitor:
-  # Whether the chart should deploy a PodMonitor.
-  # Disabled by default as it requires the PodMonitor CRD to be installed.
-  enabled: true
-  # additionalLabels to put on the PodMonitor.
-  # This is used to be selected by a specific prometheus instance.
-  # Defaults to {prometheus: default} which seems to be the common default prometheus selector
-  additionalLabels:
-    prometheus: k8s
-  # interval is the interval between two metrics scrapes. Defaults to 30s
-  interval: 30s
-
-######################################################################
-# Persistence settings (only used in "standalone" and "scratch" modes)
-# NOTE: Changes in Kubernetes 1.23+ mean that persistent volumes will not automatically be provisioned in AWS EKS clusters
-# without additional configuration. See https://docs.aws.amazon.com/eks/latest/userguide/ebs-csi.html for more details.
-# This driver addon must be configured to use persistent volumes in EKS clusters after Kubernetes 1.23.
-######################################################################
-persistence:
-  # Enable persistence using a PersistentVolumeClaim
-  enabled: true
-  # Leave blank to automatically create a PersistentVolumeClaim for Teleport storage.
-  # If you would like to use a pre-existing PersistentVolumeClaim, put its name here.
-  existingClaimName: ""
-  # Size of persistent volume to request when created by Teleport.
-  # Ignored if existingClaimName is provided.
-  volumeSize: 10Gi
-
-##################################################
-# AWS-specific settings (only used in "aws" mode)
-##################################################
-aws:
-  # The AWS region where the DynamoDB tables are located.
-  region: ""
-  # The DynamoDB table name to use for backend storage. Teleport will attempt to create this table automatically if it does not exist.
-  # The container will need an appropriately-provisioned IAM role with permissions to create DynamoDB tables.
-  backendTable: ""
-  # The DynamoDB table name to use for audit log storage. Teleport will attempt to create this table automatically if it does not exist.
-  # The container will need an appropriately-provisioned IAM role with permissions to create DynamoDB tables.
-  # This MUST NOT be the same table name as used for 'backendTable' as the schemas are different.
-  auditLogTable: ""
-  # Whether to mirror audit log entries to stdout in JSON format (useful for external log collectors)
-  auditLogMirrorOnStdout: false
-  # The S3 bucket name to use for recorded session storage. Teleport will attempt to create this bucket automatically if it does not exist.
-  # The container will need an appropriately-provisioned IAM role with permissions to create S3 buckets.
-  sessionRecordingBucket: ""
-  # Whether or not to turn on DynamoDB backups
-  backups: false
-
-  # Whether Teleport should configure DynamoDB's autoscaling.
-  # Requires additional statements in the IAM Teleport Policy to be allowed to configure the autoscaling.
-  # See https://goteleport.com/docs/setup/reference/backends/#dynamodb-autoscaling
-  dynamoAutoScaling: false
-
-  # DynamoDB autoscaling settings. Required if `dynamoAutoScaling` is `true`.
-  # See https://goteleport.com/docs/setup/reference/backends/#dynamodb-autoscaling
-  readMinCapacity: null      # Integer
-  readMaxCapacity: null      # Integer
-  readTargetValue: null      # Float
-  writeMinCapacity: null     # Integer
-  writeMaxCapacity: null     # Integer
-  writeTargetValue: null     # Float
-
-##################################################
-# GCP-specific settings (only used in "gcp" mode)
-##################################################
-gcp:
-  # The project name being used for the GCP account where Teleport is running.
-  # See https://support.google.com/googleapi/answer/7014113?hl=en
-  projectId: ""
-  # The Firestore collection to use for backend storage. Teleport will attempt to create this collection automatically if it does not exist.
-  # Either of the following must be true:
-  # - The container will need an appropriately-provisioned IAM role/service account with permissions to create Firestore collections
-  # - The service account credentials provided via 'credentialSecretName' will need permissions to create Firestore collections.
-  backendTable: ""
-  # The Firestore collection to use for audit log storage. Teleport will attempt to create this collection automatically if it does not exist.
-  # Either of the following must be true:
-  # - The container will need an appropriately-provisioned IAM role/service account with permissions to create Firestore collections
-  # - The service account credentials provided via 'credentialSecretName' will need permissions to create Firestore collections.
-  # This MUST NOT be the same collection name as used for 'backendTable' as the schemas are different.
-  auditLogTable: ""
-  # Whether to mirror audit log entries to stdout in JSON format (useful for external log collectors)
-  auditLogMirrorOnStdout: false
-  # The Google storage bucket name to use for recorded session storage. This bucket must already exist in the Google account being used.
-  sessionRecordingBucket: ""
-  # The name of the Kubernetes secret used to store the Google credentials.
-  # You will need to create this secret manually. It must contain a JSON file from Google with the credentials that Teleport will use.
-  # You can override this to a blank value if the worker node running Teleport already has a service account which grants access.
-  credentialSecretName: teleport-gcp-credentials
-
-#####################################################
-# Azure-specific settings (only used in "azure" mode)
-#####################################################
-azure:
-  # The fully qualified hostname of the Postgres database cluster hosted in Azure.
-  # It should follow the format "<database name>.postgres.database.azure.com".
-  databaseHost: ""
-  # The Postgres user Teleport must use to connect to the backend and audit
-  # databases.
-  databaseUser: ""
-  # The Postgres database to use for backend storage.
-  backendDatabase: "teleport_backend"
-  # The Postgres database to use for audit log storage.
-  # This MUST NOT be the same database as used for 'backendDatabase'.
-  auditLogDatabase: "teleport_audit"
-  # Whether to mirror audit log entries to stdout in JSON format (useful for external log collectors)
-  auditLogMirrorOnStdout: false
-  # The fully qualified domain name of the Azure Blob Storage account to use for
-  # recorded session storage. This account must already exist.
-  # It should follow the format "<storage account>.blob.core.windows.net"
-  sessionRecordingStorageAccount: ""
-  # Azure client ID is used by the Kubernetes Service Account to know which
-  # Application it should impersonate. This can be unset only if the clientID is
-  # passed through other means (e.g. environment variable)
-  clientID: ""
-  # Controls the `pool_max_conns` setting passed to PostgreSQL. This is the
-  # max amount of connections Teleport can open to the database. This can affect
-  # performance on large clusters and depends on various factors like the
-  # database size, the number of CPU cores available for Teleport, GOMAXPROCS
-  # and the database latency.
-  # This only applies to the core backend connections, not the audit log ones.
-  # 0 means the parameter is not set and the client's default is used (recommended)
-  databasePoolMaxConnections: 0
-
-# `highAvailability` contains settings controlling how Teleport pods are
-# replicated and scheduled. This allows Teleport to run in a highly-available
-# fashion: Teleport should sustain the crash/loss of a machine without interrupting
-# the service.
-#
-# For auth pods:
-#   When using "standalone" or "scratch" mode, you must use highly-available storage
-#   (etcd, DynamoDB or Firestore) for multiple replicas to be supported.
-#   Manually configuring NFS-based storage or ReadWriteMany volume claims
-#   is NOT supported and will result in errors. Using Teleport's built-in
-#   ACME client (as opposed to using cert-manager or passing certs through a secret)
-#   is not supported with multiple replicas.
-# For proxy pods:
-#   Proxy pods need to be provided a certificate to be replicated (either via
-#  `tls.existingSecretName` or via `highAvailability.certManager`).
-#   If proxy pods are replicable, they will default to 2 replicas,
-#   even if `highAvailability.replicaCount` is 1. To force a single proxy replica,
-#   set `proxy.highAvailability.replicaCount: 1`.
-highAvailability:
-  # Controls the amount of pod replicas. The `highAvailability` comment describes
-  # the replication requirements.
-  #
-  # WARNING: You **must** meet the replication criteria,
-  # else the deployment will result in errors and inconsistent data.
-  replicaCount: 1
-  # Setting 'requireAntiAffinity' to true will use 'requiredDuringSchedulingIgnoredDuringExecution' to require that multiple Teleport pods must not be scheduled on the
-  # same physical host. This will result in Teleport pods failing to be scheduled in very small clusters or during node downtime, so should be used with caution.
-  # Setting 'requireAntiAffinity' to false (the default) uses 'preferredDuringSchedulingIgnoredDuringExecution' to make this a soft requirement.
-  # This setting only has any effect when replicaCount is greater than 1.
-  requireAntiAffinity: false
-  # If enabled will create a Pod Disruption Budget
-  # https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
-  podDisruptionBudget:
-    enabled: false
-    minAvailable: 1
-  # Settings for cert-manager (can be used for provisioning TLS certs in HA mode)
-  # These settings are mutually exclusive with the "tls" value below.
-  certManager:
-    # If set to true, use cert-manager to get certificates for Teleport to use for TLS termination
-    enabled: true
-    # If set to true, a common name matching the cluster name will be set in the certificate signing request. This is mandatory for some CAs.
-    addCommonName: false
-    # If set to true, any additional public addresses configured under the `publicAddr` chart value will be added to the certificate signing request.
-    # This setting is not enabled by default to preserve backward compatibility.
-    addPublicAddrs: false
-    # Name of the Issuer/ClusterIssuer to use for certs
-    # NOTE: You will always need to create this yourself when certManager.enabled is true.
-    issuerName: "letsencrypt-prod"
-    # Kind of Issuer that cert-manager should look for.
-    # This defaults to 'Issuer' to keep everything contained within the teleport namespace.
-    issuerKind: ClusterIssuer
-    # Group of Issuer that cert-manager should look for.
-    # This defaults to 'cert-manager.io' which is the default Issuer group.
-    issuerGroup: cert-manager.io
-  # Injects delay when performing pod rollouts to mitigate the loss of all agent tunnels at the same time
-  # See https://github.com/gravitational/teleport/issues/13129
-  minReadySeconds: 15
-
-# Settings for mounting your own TLS keypair to secure Teleport's web UI.
-# These settings are mutually exclusive with the "highAvailability.certManager" and "acme" values above.
-tls:
-  # Name of an existing secret to use which contains a TLS keypair. Will automatically set the https_keypairs section in teleport.yaml.
-  # Create the secret in the same namespace as Teleport using `kubectl create secret tls my-tls-secret --cert=/path/to/cert/file --key=/path/to/key/file`
-  # See https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets for more information.
-  existingSecretName: ""
-  # (optional) Name of an existing secret to use which contains a CA or trust bundle in x509 PEM format.
-  # Useful for building trust when using intermediate certificate authorities.
-  # This will automatically set the SSL_CERT_FILE environment variable to trust the CA.
-  # Create the secret with `kubectl create secret generic --from-file=ca.pem=/path/to/root-ca.pem
-  # The filename inside the secret is important - it _must_ be ca.pem
-  existingCASecretName: ""
-
-##################################################
-# Values that you shouldn't need to change.
-##################################################
-
-# Container image for the cluster.
-# Since version 13, hardened distroless images are used by default.
-# You can use the deprecated debian-based images by setting the value to
-# `public.ecr.aws/gravitational/teleport`. Those images will be
-# removed with teleport 14.
-image: public.ecr.aws/gravitational/teleport-distroless
-# Enterprise version of the image
-# Since version 13, hardened distroless images are used by default.
-# You can use the deprecated debian-based images by setting the value to
-# `public.ecr.aws/gravitational/teleport-ent`. Those images will be
-# removed with teleport 14.
-enterpriseImage: public.ecr.aws/gravitational/teleport-ent-distroless
-# Optional array of imagePullSecrets, to use when pulling from a private registry
-imagePullSecrets: []
-# Teleport logging configuration
-log:
-  # Log level for the Teleport process.
-  # Available log levels are: DEBUG, INFO, WARNING, ERROR.
-  # The default is INFO, which is recommended in production.
-  # DEBUG is useful during first-time setup or to see more detailed logs for debugging.
-  level: INFO
-  # Log output
-  # Use a file path to log to disk: e.g. '/var/lib/teleport/teleport.log'
-  # Other supported values: 'stdout', 'stderr' and 'syslog'
-  output: stderr
-  # Log format configuration
-  # Possible output values are 'json' and 'text' (default).
-  format: text
-  # Possible extra_fields values include: timestamp, component, caller, and level.
-  # All extra fields are included by default.
-  extraFields: ["timestamp", "level", "component", "caller"]
-
-##################################
-# Extra Kubernetes configuration #
-##################################
-
-# nodeSelector to apply for pod assignment
-# https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
-nodeSelector: {}
-
-# Affinity for pod assignment
-# https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
-# NOTE: If affinity is set here, highAvailability.requireAntiAffinity cannot also be used - you can only set one or the other.
-affinity: {}
-
-# Kubernetes annotations to apply
-# https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
-annotations:
-  # Annotations for the ConfigMap
-  config: {}
-  # Annotations for the Deployment
-  deployment: {}
-  # Annotations for each Pod in the Deployment
-  pod: {}
-  # Annotations for the Service object
-  service: {}
-  # Annotations for the ServiceAccount object
-  serviceAccount: {}
-  # Annotations for the certificate secret generated by cert-manager v1.5+ when
-  # highAvailability.certManager.enabled is true
-  certSecret: {}
-  # Annotations for the Ingress object
-  ingress:
-    kubernetes.io/ingress.class: nginx
-    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
-    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
-    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
-    nginx.ingress.kubernetes.io/affinity: "cookie"
-    nginx.ingress.kubernetes.io/session-cookie-name: "http-cookie"
-    nginx.ingress.kubernetes.io/session-cookie-expires: "172800"
-    nginx.ingress.kubernetes.io/session-cookie-max-age: "172800"
-
-# Kubernetes service account to create/use.
-serviceAccount:
-  # Specifies whether a ServiceAccount should be created
-  create: true
-  # The name of the ServiceAccount to use.
-  # If not set and serviceAccount.create is true, the name is generated using the release name.
-  # If create is false, the name will be used to reference an existing service account.
-  name: ""
-  # To set annotations on the service account, use the annotations.serviceAccount value.
-
-# Set to true (default) to create Kubernetes ClusterRole and ClusterRoleBinding.
-rbac:
-  # Specifies whether a ClusterRole and ClusterRoleBinding should be created.
-  # Set to false if your cluster level resources are managed separately.
-  create: true
-
-# Options for the Teleport proxy service
-# This setting only applies to the proxy service. The teleport auth service is internal-only and always uses a ClusterIP.
-# You can override the proxy's backend service to any service type (other than "LoadBalancer") here if really needed.
-# To use an Ingress, set service.type=ClusterIP and ingress.enabled=true
-service:
-  type: ClusterIP
-  # Additional entries here will be added to the service spec.
-  spec: {}
-    # loadBalancerIP: "1.2.3.4"
-
-# Options for ingress
-# If you set ingress.enabled to true, service.type MUST also be set to something other than "LoadBalancer" to prevent
-# additional unnecessary load balancers from being created. Ingress controllers should provision their own load balancer.
-# Using an Ingress also requires that you use the `tsh` client to connect to Kubernetes clusters and databases behind Teleport.
-# See https://goteleport.com/docs/architecture/tls-routing/#working-with-layer-7-load-balancers-or-reverse-proxies-preview for details.
-ingress:
-  enabled: true
-  # Setting suppressAutomaticWildcards to true will not automatically add *.<clusterName> as a hostname served
-  # by the Ingress. This may be desirable if you don't use Teleport Application Access.
-  suppressAutomaticWildcards: false
-  # Additional entries here will be added to the ingress spec.
-  spec: {}
-    # ingressClassName: nginx
-
-# Extra arguments to pass to 'teleport start' for the main Teleport pod
-extraArgs: []
-
-# Extra environment to be configured on the Teleport pod
-extraEnv: []
-
-# Extra containers to be added to the Teleport pod
-extraContainers: []
-# - name: nscenter
-#   command:
-#     - /bin/bash
-#     - -c
-#     - sleep infinity & wait
-#   image: praqma/network-multitool
-#   imagePullPolicy: IfNotPresent
-#   securityContext:
-#     privileged: true
-#     runAsNonRoot: false
-
-# Extra volumes to mount into the Teleport pods
-# https://kubernetes.io/docs/concepts/storage/volumes/
-extraVolumes: []
-# - name: myvolume
-#   secret:
-#     secretName: testSecret
-
-# Extra volume mounts corresponding to the volumes mounted above
-extraVolumeMounts: []
-# - name: myvolume
-#   mountPath: /path/on/host
-
-# Allow the imagePullPolicy to be overridden
-imagePullPolicy: IfNotPresent
-
-# A list of initContainers to run before each Teleport pod starts
-# https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
-initContainers: []
-# - name: "teleport-init"
-#   image: "alpine"
-#   args: ["echo test"]
-
-# If set, will run the command as a postStart handler
-# https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/
-postStart:
-  command: []
-
-# Resources to request for the teleport container
-# https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
-resources: {}
-#  requests:
-#    cpu: "1"
-#    memory: "2Gi"
-
-# Security context to add to the container
-securityContext: {}
-  # runAsUser: 99
-
-# Priority class name to add to the deployment
-priorityClassName: ""
-
-# Tolerations for pod assignment
-# https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
-tolerations: []
-
-# Timeouts for the readiness and liveness probes
-# https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
-probeTimeoutSeconds: 1
-
-# Kubernetes termination grace period
-# https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution
-#
-# This should be greater than 30 seconds as pods are waiting 30 seconds in a preStop hook.
-terminationGracePeriodSeconds: 60

teleport-cluster-15.0.1/Chart.yaml

@@ -1,13 +1,14 @@
 apiVersion: v2
-appVersion: 14.3.0
+appVersion: 15.0.1
 dependencies:
-- condition: installCRDs,operator.enabled
+- alias: operator
+  condition: installCRDs,operator.enabled
   name: teleport-operator
   repository: ""
-  version: 14.3.0
+  version: 15.0.1
 description: Teleport is an access platform for your infrastructure
 icon: https://goteleport.com/images/logos/logo-teleport-square.svg
 keywords:
 - Teleport
 name: teleport-cluster
-version: 14.3.0
+version: 15.0.1

teleport-cluster-15.0.1/README.md

@@ -1,13 +1,16 @@
 # Teleport Cluster
 
-This chart sets up a single node Teleport cluster.
-It uses a persistent volume claim for storage.
-Great for getting started with Teleport.
+This chart sets up a Teleport cluster composed of at least 1 Proxy instance
+and 1 Auth instance. When applicable, the chart will default to 2 pods to
+provide high-availability.
 
 ## Important Notices
 
 - The chart version follows the Teleport version. e.g. chart v10.x can run Teleport v10.x and v11.x, but is not compatible with Teleport 9.x
-- Teleport does mutual TLS to authenticate clients. It currently does not support running behind a L7 LoadBalancer, like a Kubernetes `Ingress`. It requires being exposed through a L4 LoadBalancer (Kubernetes `Service`).
+- Teleport does mutual TLS to authenticate clients. Establishing mTLS through a L7
+  LoadBalancer, like a Kubernetes `Ingress` [requires ALPN support](https://goteleport.com/docs/architecture/tls-routing/#working-with-layer-7-load-balancers-or-reverse-proxies).
+  Exposing Teleport through a `Service` with type `LoadBalancer` is still recommended
+  because its the most flexible and least complex setup.
 
 ## Getting Started
 

teleport-cluster-15.0.1/charts/teleport-operator/.lint/annotations.yaml

@@ -0,0 +1,14 @@
+annotations:
+  deployment:
+    kubernetes.io/deployment: "test-annotation"
+    kubernetes.io/deployment-different: 3
+  pod:
+    kubernetes.io/pod: "test-annotation"
+    kubernetes.io/pod-different: 4
+  serviceAccount:
+    kubernetes.io/serviceaccount: "test-annotation"
+    kubernetes.io/serviceaccount-different: 6
+
+teleportAddress: "example.teleport.sh:443"
+token: "my-operator-bot"
+teleportClusterName: "example.teleport.sh"

teleport-cluster-15.0.1/charts/teleport-operator/.lint/cloud-join.yaml

@@ -0,0 +1,3 @@
+teleportAddress: "example.teleport.sh:443"
+token: "my-operator-bot"
+teleportClusterName: "example.teleport.sh"

teleport-cluster-15.0.1/charts/teleport-operator/.lint/disabled.yaml

@@ -0,0 +1 @@
+enabled: false

teleport-cluster-15.0.1/charts/teleport-operator/.lint/existing-tls-ca.yaml

@@ -0,0 +1,6 @@
+tls:
+  existingCASecretName: helm-lint-existing-tls-secret-ca
+
+teleportAddress: "teleport.example.com:3080"
+token: "my-operator-bot"
+teleportClusterName: "teleport.example.com"

teleport-cluster-15.0.1/charts/teleport-operator/.lint/non-kubernetes-joining.yaml

@@ -0,0 +1,3 @@
+teleportAddress: "example.teleport.sh:443"
+token: "my-operator-bot"
+joinMethod: "iam"

teleport-cluster-15.0.1/charts/teleport-operator/.lint/resources.yaml

@@ -0,0 +1,13 @@
+# These are just sample values to test the chart.
+# They are not intended to be guidelines or suggestions for running teleport.
+resources:
+  limits:
+    cpu: 2
+    memory: 4Gi
+  requests:
+    cpu: 1
+    memory: 2Gi
+
+teleportAddress: "example.teleport.sh:443"
+token: "my-operator-bot"
+teleportClusterName: "example.teleport.sh"

teleport-cluster-15.0.1/charts/teleport-operator/Chart.yaml

@@ -1,8 +1,8 @@
 apiVersion: v2
-appVersion: 14.3.0
+appVersion: 15.0.1
 description: Teleport Operator provides management of select Teleport resources.
 icon: https://goteleport.com/images/logos/logo-teleport-square.svg
 keywords:
 - Teleport
 name: teleport-operator
-version: 14.3.0
+version: 15.0.1

teleport-cluster-15.0.1/charts/teleport-operator/README.md

@@ -0,0 +1,28 @@
+# Teleport Operator
+
+This chart deploys the Teleport Kubernetes Operator. The operator allows to manage
+Teleport resources from inside Kubernetes.
+
+## Important notice
+
+The chart version follows the Teleport and Teleport Kube Operator version. e.g.
+chart v15.0.1 runs the operator version 15.0.1 by default. To control which
+operator version is deployed, use the `--version` Helm flag.
+
+## Deployment
+
+The chart can be deployed in two ways:
+- in standalone mode by running
+  ```shell
+  helm install teleport/teleport-operator teleport-operator --set authAddr=teleport.example.com:443 --set token=my-operator-token
+  ```
+  See [the standalone guide](https://goteleport.com/docs/management/dynamic-resources/teleport-operator-standalone/) for more details.
+- as a dependency of the `teleport-cluster` Helm chart by adding `--set operator.enabled=true`. See
+  [the operator within teleport-cluster chart guide](https://goteleport.com/docs/management/dynamic-resources/teleport-operator-helm/).
+
+## Values and reference
+
+The `values.yaml` is documented through comment or via
+[the reference docs](https://goteleport.com/docs/reference/helm-reference/teleport-operator/).
+
+Please make sure you are looking at the correct version when looking at the values reference.

teleport-cluster-15.0.1/charts/teleport-operator/templates/_helpers.tpl

@@ -0,0 +1,77 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "teleport-cluster.operator.name" -}}
+    {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+This is a modified version of the default fully qualified app name helper.
+We diverge by always honouring "nameOverride" when it's set, as opposed to the
+default behaviour of shortening if `nameOverride` is included in chart name.
+This is done to avoid naming conflicts when including th chart in `teleport-cluster`
+*/}}
+{{- define "teleport-cluster.operator.fullname" -}}
+    {{- if .Values.fullnameOverride }}
+        {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+    {{- else }}
+        {{- if .Values.nameOverride }}
+            {{- printf "%s-%s" .Release.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+        {{- else }}
+            {{- if contains .Chart.Name .Release.Name }}
+                {{- .Release.Name | trunc 63 | trimSuffix "-" }}
+            {{- else }}
+                {{- printf "%s-%s" .Release.Name .Chart.Name | trunc 63 | trimSuffix "-" }}
+            {{- end }}
+        {{- end }}
+    {{- end }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+if serviceAccount is not defined or serviceAccount.name is empty, use .Release.Name
+*/}}
+{{- define "teleport-cluster.operator.serviceAccountName" -}}
+{{- coalesce .Values.serviceAccount.name (include "teleport-cluster.operator.fullname" .) -}}
+{{- end -}}
+
+{{- define "teleport-cluster.version" -}}
+{{- coalesce .Values.teleportVersionOverride .Chart.Version }}
+{{- end -}}
+
+{{- define "teleport-cluster.majorVersion" -}}
+{{- (semver (include "teleport-cluster.version" .)).Major -}}
+{{- end -}}
+
+{{/* Operator selector labels */}}
+{{- define "teleport-cluster.operator.selectorLabels" -}}
+app.kubernetes.io/name: '{{ include "teleport-cluster.operator.name" . }}'
+app.kubernetes.io/instance: '{{ .Release.Name }}'
+app.kubernetes.io/component: 'operator'
+{{- end -}}
+
+{{/* Operator all labels */}}
+{{- define "teleport-cluster.operator.labels" -}}
+{{ include "teleport-cluster.operator.selectorLabels" . }}
+helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
+app.kubernetes.io/managed-by: '{{ .Release.Service }}'
+app.kubernetes.io/version: '{{ include "teleport-cluster.version" . }}'
+teleport.dev/majorVersion: '{{ include "teleport-cluster.majorVersion" . }}'
+{{- end -}}
+
+{{/* Teleport auth or proxy address */}}
+{{- define "teleport-cluster.operator.teleportAddress" -}}
+{{- $clusterAddr := include "teleport-cluster.auth.serviceFQDN" . -}}
+{{- if empty $clusterAddr -}}
+    {{- required "The `teleportAddress` value is mandatory when deploying a standalone operator." .Values.teleportAddress -}}
+    {{- if and (eq .Values.joinMethod "kubernetes") (empty .Values.teleportClusterName) (not (hasSuffix ":3025" .Values.teleportAddress)) -}}
+        {{- fail "When joining using the Kubernetes JWKS join method, you must set the value `teleportClusterName`" -}}
+    {{- end -}}
+{{- else -}}
+    {{- $clusterAddr | printf "%s:3025" -}}
+{{- end -}}
+{{- end -}}
+
+{{- /* This template is a placeholder.
+If we are imported by the main chart "teleport-cluster" it is overridden*/ -}}
+{{- define "teleport-cluster.auth.serviceFQDN" -}}{{- end }}

teleport-cluster-15.0.1/charts/teleport-operator/templates/deployment.yaml

@@ -0,0 +1,155 @@
+{{- if .Values.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "teleport-cluster.operator.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels: {{- include "teleport-cluster.operator.labels" . | nindent 4 }}
+  {{- if .Values.annotations.deployment }}
+  annotations: {{- toYaml .Values.annotations.deployment | nindent 4 }}
+  {{- end }}
+spec:
+  replicas: {{ .Values.highAvailability.replicaCount }}
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 0
+      maxUnavailable: 1
+  selector:
+    matchLabels: {{- include "teleport-cluster.operator.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+  {{- if .Values.annotations.pod }}
+      annotations: {{- toYaml .Values.annotations.pod | nindent 8 }}
+  {{- end }}
+      labels: {{- include "teleport-cluster.operator.labels" . | nindent 8 }}
+    spec:
+  {{- if .Values.nodeSelector }}
+      nodeSelector: {{- toYaml .Values.nodeSelector | nindent 8 }}
+  {{- end }}
+  {{- if .Values.affinity }}
+      affinity: {{- toYaml .Values.affinity | nindent 8 }}
+  {{- end }}
+  {{- if .Values.tolerations }}
+      tolerations: {{- toYaml .Values.tolerations | nindent 8 }}
+  {{- end }}
+  {{- if .Values.imagePullSecrets }}
+      imagePullSecrets: {{- toYaml .Values.imagePullSecrets | nindent 8 }}
+  {{- end }}
+      containers:
+        - name: "operator"
+          image: '{{ .Values.image }}:{{ include "teleport-cluster.version" . }}'
+          imagePullPolicy: {{ .Values.imagePullPolicy }}
+          command:
+            - /teleport-operator
+            - -auth-server
+            - '{{ include "teleport-cluster.operator.teleportAddress" . }}'
+            - -join-method
+            - '{{ .Values.joinMethod }}'
+            - -token
+            - '{{ .Values.token }}'
+  {{- if .Values.caPins }}
+            - -ca-pin
+            - '{{ join "," .Values.caPins }}'
+  {{- end }}
+  {{- if or (.Values.tls.existingCASecretName) (.Values.teleportClusterName) }}
+          env:
+    {{- if .Values.tls.existingCASecretName }}
+            - name: SSL_CERT_FILE
+              value: /etc/teleport-tls-ca/ca.pem
+    {{- end }}
+    {{- if .Values.teleportClusterName }}
+            - name: KUBERNETES_TOKEN_PATH
+              value: /var/run/secrets/teleport/serviceaccount/token
+    {{- end }}
+  {{- end }}
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 8081
+            initialDelaySeconds: 15
+            periodSeconds: 20
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: 8081
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          ports:
+            - name: op-metrics
+              containerPort: 8080
+              protocol: TCP
+            - name: op-health
+              containerPort: 8081
+              protocol: TCP
+  {{- if .Values.securityContext }}
+          securityContext: {{- toYaml .Values.securityContext | nindent 12 }}
+  {{- end }}
+  {{- if .Values.resources }}
+          resources: {{- toYaml .Values.resources | nindent 12 }}
+  {{- end }}
+          volumeMounts:
+          - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+            name: operator-serviceaccount-token
+            readOnly: true
+  {{- if .Values.teleportClusterName }}
+          - mountPath: /var/run/secrets/teleport/serviceaccount
+            name: bot-serviceaccount-token
+            readOnly: true
+  {{- end }}
+  {{- if .Values.tls.existingCASecretName }}
+          - mountPath: /etc/teleport-tls-ca
+            name: "teleport-tls-ca"
+            readOnly: true
+  {{- end }}
+      automountServiceAccountToken: false
+      volumes:
+        # This projected token volume mimics the `automountServiceAccountToken`
+        # behaviour but defaults to a 1h TTL instead of 1y.
+        - name: operator-serviceaccount-token
+          projected:
+            sources:
+              - serviceAccountToken:
+                  path: token
+              - configMap:
+                  items:
+                    - key: ca.crt
+                      path: ca.crt
+                  name: kube-root-ca.crt
+              - downwardAPI:
+                  items:
+                    - path: "namespace"
+                      fieldRef:
+                        fieldPath: metadata.namespace
+  {{- if .Values.teleportClusterName }}
+        - name: bot-serviceaccount-token
+          projected:
+            sources:
+              - serviceAccountToken:
+                  path: token
+                  audience: "{{ .Values.teleportClusterName }}"
+                  expirationSeconds: 600
+              - configMap:
+                  items:
+                    - key: ca.crt
+                      path: ca.crt
+                  name: kube-root-ca.crt
+              - downwardAPI:
+                  items:
+                    - path: "namespace"
+                      fieldRef:
+                        fieldPath: metadata.namespace
+  {{- end }}
+  {{- if .Values.tls.existingCASecretName }}
+        - name: teleport-tls-ca
+          secret:
+            secretName: {{ .Values.tls.existingCASecretName }}
+  {{- end }}
+  {{- if .Values.priorityClassName }}
+      priorityClassName: {{ .Values.priorityClassName }}
+  {{- end }}
+  {{- if .Values.podSecurityContext }}
+      securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }}
+  {{- end }}
+      serviceAccountName: {{ include "teleport-cluster.operator.serviceAccountName" . }}
+{{- end }}

teleport-cluster-15.0.1/charts/teleport-operator/templates/role.yaml

@@ -0,0 +1,55 @@
+{{- if .Values.enabled }}
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "teleport-cluster.operator.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+rules:
+  - apiGroups:
+      - "resources.teleport.dev"
+    resources:
+      - teleportroles
+      - teleportroles/status
+      - teleportrolesv6
+      - teleportrolesv6/status
+      - teleportrolesv7
+      - teleportrolesv7/status
+      - teleportusers
+      - teleportusers/status
+      - teleportgithubconnectors
+      - teleportgithubconnectors/status
+      - teleportoidcconnectors
+      - teleportoidcconnectors/status
+      - teleportsamlconnectors
+      - teleportsamlconnectors/status
+      - teleportloginrules
+      - teleportloginrules/status
+      - teleportprovisiontokens
+      - teleportprovisiontokens/status
+      - teleportoktaimportrules
+      - teleportoktaimportrules/status
+      - teleportaccesslists
+      - teleportaccesslists/status
+    verbs:
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - "coordination.k8s.io"
+    resources:
+      - leases
+    verbs:
+      - create
+      - get
+      - update
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
+{{- end -}}
+{{- end -}}

teleport-cluster-15.0.1/charts/teleport-operator/templates/rolebinding.yaml

@@ -0,0 +1,17 @@
+{{- if .Values.enabled }}
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "teleport-cluster.operator.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels: {{- include "teleport-cluster.operator.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "teleport-cluster.operator.fullname" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "teleport-cluster.operator.serviceAccountName" . }}
+{{- end }}
+{{- end }}

teleport-cluster-15.0.1/charts/teleport-operator/templates/serviceaccount.yaml

@@ -0,0 +1,12 @@
+{{- if .Values.enabled }}
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "teleport-cluster.operator.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  {{- if .Values.annotations.serviceAccount }}
+  annotations: {{- toYaml .Values.annotations.serviceAccount | nindent 4 }}
+  {{- end }}
+{{- end }}
+{{- end }}

teleport-cluster-15.0.1/charts/teleport-operator/tests/deployment_test.yaml

@@ -0,0 +1,199 @@
+suite: Operator Deployment
+templates:
+  - deployment.yaml
+tests:
+  - it: creates no deployment when operator is not enabled
+    values:
+      - ../.lint/disabled.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: creates a deployment when operator is enabled
+    values:
+      - ../.lint/cloud-join.yaml
+    asserts:
+      - containsDocument:
+          kind: Deployment
+          apiVersion: apps/v1
+          name: RELEASE-NAME-teleport-operator
+
+  - it: shortens fullname if .Release.Name == .Chart.Name
+    release:
+      name: teleport-operator
+    values:
+      - ../.lint/cloud-join.yaml
+    asserts:
+      - containsDocument:
+          kind: Deployment
+          apiVersion: apps/v1
+          name: teleport-operator
+
+  - it: respects the nameOverride
+    set:
+      nameOverride: operator
+    values:
+      - ../.lint/cloud-join.yaml
+    asserts:
+      - containsDocument:
+          kind: Deployment
+          apiVersion: apps/v1
+          name: RELEASE-NAME-operator
+
+  - it: sets annotations when specified
+    values:
+      - ../.lint/annotations.yaml
+    asserts:
+      # Pod annotations
+      - equal:
+          path: spec.template.metadata.annotations.kubernetes\.io/pod
+          value: test-annotation
+      - equal:
+          path: spec.template.metadata.annotations.kubernetes\.io/pod-different
+          value: 4
+      # Deployment annotations
+      - equal:
+          path: metadata.annotations.kubernetes\.io/deployment
+          value: test-annotation
+      - equal:
+          path: metadata.annotations.kubernetes\.io/deployment-different
+          value: 3
+
+  - it: should mount tls.existingCASecretName and set environment when set in values
+    values:
+      - ../.lint/existing-tls-ca.yaml
+    asserts:
+      - contains:
+          path: spec.template.spec.volumes
+          content:
+            name: teleport-tls-ca
+            secret:
+              secretName: helm-lint-existing-tls-secret-ca
+      - contains:
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            mountPath: /etc/teleport-tls-ca
+            name: teleport-tls-ca
+            readOnly: true
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: SSL_CERT_FILE
+            value: /etc/teleport-tls-ca/ca.pem
+
+  - it: mounts tokens through projected volumes
+    values:
+      - ../.lint/cloud-join.yaml
+    asserts:
+      - equal:
+          path: spec.template.spec.automountServiceAccountToken
+          value: false
+      - contains:
+          path: spec.template.spec.volumes
+          content:
+            name: operator-serviceaccount-token
+            projected:
+              sources:
+                - serviceAccountToken:
+                    path: token
+                - configMap:
+                    items:
+                      - key: ca.crt
+                        path: ca.crt
+                    name: kube-root-ca.crt
+                - downwardAPI:
+                    items:
+                      - path: "namespace"
+                        fieldRef:
+                          fieldPath: metadata.namespace
+      - contains:
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+            name: operator-serviceaccount-token
+            readOnly: true
+
+  - it: should set imagePullPolicy when set in values
+    values:
+      - ../.lint/cloud-join.yaml
+    set:
+      imagePullPolicy: Always
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].imagePullPolicy
+          value: Always
+
+  - it: should set resources when set in values
+    values:
+      - ../.lint/resources.yaml
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].resources.limits.cpu
+          value: 2
+      - equal:
+          path: spec.template.spec.containers[0].resources.limits.memory
+          value: 4Gi
+      - equal:
+          path: spec.template.spec.containers[0].resources.requests.cpu
+          value: 1
+      - equal:
+          path: spec.template.spec.containers[0].resources.requests.memory
+          value: 2Gi
+
+  - it: should set security contexts by default
+    values:
+      - ../.lint/cloud-join.yaml
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].securityContext
+          value:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+      - equal:
+          path: spec.template.spec.securityContext
+          value:
+            seccompProfile:
+              type: RuntimeDefault
+            runAsUser: 65532
+            runAsGroup: 65532
+            fsGroup: 65532
+            runAsNonRoot: true
+
+  - it: configures a dedicated token when kube JWKS joining
+    values:
+      - ../.lint/cloud-join.yaml
+    asserts:
+      - contains:
+          path: spec.template.spec.volumes
+          content:
+            name: bot-serviceaccount-token
+            projected:
+              sources:
+                - serviceAccountToken:
+                    audience: example.teleport.sh
+                    expirationSeconds: 600
+                    path: token
+                - configMap:
+                    items:
+                      - key: ca.crt
+                        path: ca.crt
+                    name: kube-root-ca.crt
+                - downwardAPI:
+                    items:
+                      - fieldRef:
+                          fieldPath: metadata.namespace
+                        path: namespace
+      - contains:
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            mountPath: /var/run/secrets/teleport/serviceaccount
+            name: bot-serviceaccount-token
+            readOnly: true
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: KUBERNETES_TOKEN_PATH
+            value: /var/run/secrets/teleport/serviceaccount/token

teleport-cluster-15.0.1/charts/teleport-operator/tests/role_test.yaml

@@ -0,0 +1,43 @@
+suite: Operator Role
+templates:
+  - role.yaml
+tests:
+  - it: creates no role when operator is not enabled
+    values:
+      - ../.lint/disabled.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: creates no role when rbac.create is false
+    set:
+      rbac:
+        create: false
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: creates a role by default
+    asserts:
+      - containsDocument:
+          kind: Role
+          apiVersion: rbac.authorization.k8s.io/v1
+          name: RELEASE-NAME-teleport-operator
+
+  - it: shortens fullname if .Release.Name == .Chart.Name
+    release:
+      name: teleport-operator
+    asserts:
+      - containsDocument:
+          kind: Role
+          apiVersion: rbac.authorization.k8s.io/v1
+          name: teleport-operator
+
+  - it: respects the nameOverride
+    set:
+      nameOverride: operator
+    asserts:
+      - containsDocument:
+          kind: Role
+          apiVersion: rbac.authorization.k8s.io/v1
+          name: RELEASE-NAME-operator

teleport-cluster-15.0.1/charts/teleport-operator/tests/rolebinding_test.yaml

@@ -0,0 +1,43 @@
+suite: Operator RoleBinding
+templates:
+  - rolebinding.yaml
+tests:
+  - it: creates no RoleBinding when operator is not enabled
+    values:
+      - ../.lint/disabled.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: creates no RoleBinding when rbac.create is false
+    set:
+      rbac:
+        create: false
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: creates a RoleBinding by default
+    asserts:
+      - containsDocument:
+          kind: RoleBinding
+          apiVersion: rbac.authorization.k8s.io/v1
+          name: RELEASE-NAME-teleport-operator
+
+  - it: shortens fullname if .Release.Name == .Chart.Name
+    release:
+      name: teleport-operator
+    asserts:
+      - containsDocument:
+          kind: RoleBinding
+          apiVersion: rbac.authorization.k8s.io/v1
+          name: teleport-operator
+
+  - it: respects the nameOverride
+    set:
+      nameOverride: operator
+    asserts:
+      - containsDocument:
+          kind: RoleBinding
+          apiVersion: rbac.authorization.k8s.io/v1
+          name: RELEASE-NAME-operator

teleport-cluster-15.0.1/charts/teleport-operator/tests/serviceaccount_test.yaml

@@ -0,0 +1,63 @@
+suite: Operator ServiceAccount
+templates:
+  - serviceaccount.yaml
+tests:
+  - it: creates no ServiceAccount when operator is not enabled
+    values:
+      - ../.lint/disabled.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: creates no ServiceAccount when rbac.create is false
+    set:
+      serviceAccount:
+        create: false
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: creates a ServiceAccount by default
+    asserts:
+      - containsDocument:
+          kind: ServiceAccount
+          apiVersion: v1
+          name: RELEASE-NAME-teleport-operator
+
+  - it: shortens fullname if .Release.Name == .Chart.Name
+    release:
+      name: teleport-operator
+    asserts:
+      - containsDocument:
+          kind: ServiceAccount
+          apiVersion: v1
+          name: teleport-operator
+
+  - it: respects the nameOverride
+    set:
+      nameOverride: operator
+    asserts:
+      - containsDocument:
+          kind: ServiceAccount
+          apiVersion: v1
+          name: RELEASE-NAME-operator
+
+  - it: does not shorten fullname if .Release.Name == .Chart.Name but there's a nameOverride
+    release:
+      name: teleport-operator
+    set:
+      nameOverride: teleport-operator
+    asserts:
+      - containsDocument:
+          kind: ServiceAccount
+          apiVersion: v1
+          name: teleport-operator-teleport-operator
+
+  - it: names the ServiceAccount according to serviceAccount.name
+    set:
+      serviceAccount:
+        name: foobar
+    asserts:
+      - containsDocument:
+          kind: ServiceAccount
+          apiVersion: v1
+          name: foobar