diff --git a/teleport-cluster-14.3.0/templates/auth/clusterrole.yaml b/teleport-cluster-14.3.0/templates/auth/clusterrole.yaml
deleted file mode 100644
index 6bf0886..0000000
--- a/teleport-cluster-14.3.0/templates/auth/clusterrole.yaml
+++ /dev/null
@@ -1,71 +0,0 @@
-{{- if .Values.rbac.create -}}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: {{ .Release.Name }}
-rules:
-- apiGroups:
- - ""
- resources:
- - users
- - groups
- - serviceaccounts
- verbs:
- - impersonate
-- apiGroups:
- - ""
- resources:
- - pods
- verbs:
- - get
-- apiGroups:
- - "authorization.k8s.io"
- resources:
- - selfsubjectaccessreviews
- verbs:
- - create
-
-{{ if .Values.operator.enabled }}
-- apiGroups:
- - "resources.teleport.dev"
- resources:
- - teleportroles
- - teleportroles/status
- - teleportusers
- - teleportusers/status
- - teleportgithubconnectors
- - teleportgithubconnectors/status
- - teleportoidcconnectors
- - teleportoidcconnectors/status
- - teleportsamlconnectors
- - teleportsamlconnectors/status
- - teleportloginrules
- - teleportloginrules/status
- - teleportprovisiontokens
- - teleportprovisiontokens/status
- - teleportoktaimportrules
- - teleportoktaimportrules/status
- verbs:
- - get
- - list
- - patch
- - update
- - watch
-
-- apiGroups:
- - "coordination.k8s.io"
- resources:
- - leases
- verbs:
- - create
- - get
- - update
-
-- apiGroups:
- - ""
- resources:
- - events
- verbs:
- - create
-{{- end -}}
-{{- end -}}
diff --git a/teleport-cluster-14.3.0/templates/auth/config.yaml b/teleport-cluster-14.3.0/templates/auth/config.yaml
deleted file mode 100644
index b5b53cb..0000000
--- a/teleport-cluster-14.3.0/templates/auth/config.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-{{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}}
-{{- $configTemplate := printf "teleport-cluster.auth.config.%s" $auth.chartMode -}}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ .Release.Name }}-auth
- namespace: {{ .Release.Namespace }}
- labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
-{{- if $auth.annotations.config }}
- annotations: {{- toYaml $auth.annotations.config | nindent 4 }}
-{{- end }}
-data:
-{{- if $auth.createProxyToken }}
- apply-on-startup.yaml: |2
- kind: token
- version: v2
- metadata:
- name: {{ .Release.Name }}-proxy
- expires: "2050-01-01T00:00:00Z"
- spec:
- roles: [Proxy]
- join_method: kubernetes
- kubernetes:
- allow:
- - service_account: "{{ .Release.Namespace }}:{{ include "teleport-cluster.proxy.serviceAccountName" . }}"
-{{- end }}
- teleport.yaml: |2
- {{- mustMergeOverwrite (include $configTemplate . | fromYaml) $auth.teleportConfig | toYaml | nindent 4 -}}
diff --git a/teleport-cluster-14.3.0/tests/__snapshot__/auth_clusterrole_test.yaml.snap b/teleport-cluster-14.3.0/tests/__snapshot__/auth_clusterrole_test.yaml.snap
deleted file mode 100644
index 75650c0..0000000
--- a/teleport-cluster-14.3.0/tests/__snapshot__/auth_clusterrole_test.yaml.snap
+++ /dev/null
@@ -1,66 +0,0 @@
-adds operator permissions to ClusterRole:
- 1: |
- apiVersion: rbac.authorization.k8s.io/v1
- kind: ClusterRole
- metadata:
- name: RELEASE-NAME
- rules:
- - apiGroups:
- - ""
- resources:
- - users
- - groups
- - serviceaccounts
- verbs:
- - impersonate
- - apiGroups:
- - ""
- resources:
- - pods
- verbs:
- - get
- - apiGroups:
- - authorization.k8s.io
- resources:
- - selfsubjectaccessreviews
- verbs:
- - create
- - apiGroups:
- - resources.teleport.dev
- resources:
- - teleportroles
- - teleportroles/status
- - teleportusers
- - teleportusers/status
- - teleportgithubconnectors
- - teleportgithubconnectors/status
- - teleportoidcconnectors
- - teleportoidcconnectors/status
- - teleportsamlconnectors
- - teleportsamlconnectors/status
- - teleportloginrules
- - teleportloginrules/status
- - teleportprovisiontokens
- - teleportprovisiontokens/status
- - teleportoktaimportrules
- - teleportoktaimportrules/status
- verbs:
- - get
- - list
- - patch
- - update
- - watch
- - apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- verbs:
- - create
- - get
- - update
- - apiGroups:
- - ""
- resources:
- - events
- verbs:
- - create
diff --git a/teleport-cluster-14.3.0/values.home.yaml.old b/teleport-cluster-14.3.0/values.home.yaml.old
deleted file mode 100644
index 32e3a02..0000000
--- a/teleport-cluster-14.3.0/values.home.yaml.old
+++ /dev/null
@@ -1,686 +0,0 @@
-##################################################
-# Values that must always be provided by the user.
-##################################################
-
-# `clusterName` controls the name used to refer to the Teleport cluster, along with
-# the externally-facing public address to use to access it. In most setups this must
-# be a fully-qualified domain name (e.g. `teleport.example.com`) as this value is
-# used as the cluster's public address by default.
-#
-# Note: When using a fully qualified domain name as your `clusterName`, you will also
-# need to configure the DNS provider for this domain to point to the external
-# load balancer address of your Teleport cluster.
-#
-# Warning: The clusterName cannot be changed during a Teleport cluster's lifespan.
-# If you need to change it, you must redeploy a completely new cluster.
-clusterName: "teleport.ervine.cloud"
-
-# Name for this kubernetes cluster to be used by teleport users.
-kubeClusterName: "homeK8s"
-
-##################################################
-# Values that you may need to change.
-##################################################
-
-# Version of teleport image, if different from chart version in Chart.yaml.
-# DANGER: `teleportVersionOverride` MUST NOT be used to control the Teleport version.
-# This chart is designed to run a specific teleport version (see Chart.yaml).
-# You will face compatibility issues trying to run a different Teleport version with it.
-#
-# If you want to run Teleport version X, you should use `helm --version X` instead.
-teleportVersionOverride: ""
-
-# The `proxyProtocol` value controls whether the Proxy pods will
-# accept PROXY lines with the client's IP address when they are
-# behind a L4 load balancer (e.g. AWS ELB, GCP L4 LB, etc) with PROXY protocol
-# enabled. Since L4 LBs do not preserve the client's IP address, PROXY protocol is
-# required to ensure that Teleport can properly audit the client's IP address.
-#
-# When Teleport pods are not behind a L4 LB with PROXY protocol enabled, this
-# value should be set to "off" to prevent Teleport from accepting PROXY headers
-# from untrusted sources.
-# Possible values are "on" and "off".
-# - "on" will enable the PROXY protocol for all connections and will require the
-# L4 LB to send a PROXY header.
-# - "off" will disable the PROXY protocol for all connections and denies all
-# connections prefixed with a PROXY header.
-#
-# If proxyProtocol is unspecified, Teleport does not require PROXY header for the
-# connection, but will accept it if present. This mode is considered insecure
-# and should only be used for testing purposes.
-#
-# See https://goteleport.com/docs/ver/14.x/management/security/proxy-protocol/
-# for more information.
-#
-# proxyProtocol: on
-
-# The `teleport-cluster` charts deploys two sets of pods: auth and proxy.
-# `auth` contains values specific for the auth pods. You can use it to
-# set specific values for auth pods, taking precedence over chart-scoped values.
-# For example, to override the [`postStart`](#postStart) value only for auth pods:
-#
-# auth:
-# postStart: ["curl", "http://hook"]
-# imagePullPolicy: Always
-auth:
- # auth.teleportConfig contains YAML teleport configuration for auth pods
- # The configuration will be merged with the chart-generated configuration
- # and will take precedence in case of conflict.
- #
- # See the Teleport Configuration Reference for the list of supported fields:
- # https://goteleport.com/docs/reference/config/
- #
- # teleportConfig:
- # teleport:
- # cache:
- # enabled: false
- # auth_service:
- # client_idle_timeout: 2h
- # client_idle_timeout_message: "Connection closed after 2hours without activity"
- teleportConfig: {}
-
-# proxy contains values specific for the proxy pods
-# You can override chart-scoped values, for example
-# proxy:
-# postStart: ["curl", "http://hook"]
-# imagePullPolicy: Always
-proxy:
- # proxy.teleportConfig contains YAML teleport configuration for proxy pods
- # The configuration will be merged with the chart-generated configuration
- # and will take precedence in case of conflict
- #
- # See the Teleport Configuration Reference for the list of supported fields:
- # https://goteleport.com/docs/reference/config/
- #
- # teleportConfig:
- # teleport:
- # cache:
- # enabled: false
- # proxy_service:
- # https_keypairs:
- # - key_file: /my-custom-mount/key.pem
- # cert_file: /my-custom-mount/cert.pem
- teleportConfig: {}
-
-authentication:
- # Default authentication type. Possible values are 'local' and 'github' for OSS, plus 'oidc' and 'saml' for Enterprise.
- type: local
-
- # Sets the authenticator connector for SSO or the default connector for "local" authentication.
- # See SSO for Enterprise (https://goteleport.com/docs/enterprise/sso/).
- # See Passwordless for local
- # (http://goteleport.com/docs/access-controls/guides/passwordless/#optional-enable-passwordless-by-default).
- # Defaults to "local".
- connectorName: ""
-
- # Enable/disable local authentication by setting `authentication.local_auth` in `teleport.yaml`.
- # Disabling local auth is required for FedRAMP / FIPS; see https://gravitational.com/teleport/docs/enterprise/ssh-kubernetes-fedramp/.
- localAuth: true
-
- # Controls the locking mode: in case of network split should Teleport guarantee availability or integrity ?
- # Possible values are "best_effort" and "strict". When not defined, Teleport defaults to "best_effort".
- # See https://goteleport.com/docs/access-controls/guides/locking/#next-steps-locking-modes.
- lockingMode: ""
-
- # Second factor requirements for users of the Teleport cluster.
- # Controls the `auth_config.authentication.second_factor` field in `teleport.yaml`.
- # Possible values are 'off', 'on', 'otp', 'optional' and 'webauthn'.
- #
- # WARNING:
- # If you set `publicAddr` for users to access the cluster under a domain different
- # to clusterName you must manually set the webauthn Relying
- # Party Identifier (RP ID) - https://www.w3.org/TR/webauthn-2/#relying-party-identifier
- # If you don't, RP ID will default to `clusterName` and users will fail
- # to register second factors.
- #
- # You can do this by setting the value
- # `auth.teleportConfig.auth_service.authentication.webauthn.rp_id`.
- #
- # RP ID must be both a valid domain, and part of the full domain users are connecting to.
- # For example, if users are accessing the cluster with the domain
- # "teleport.example.com", RP ID can be "teleport.example.com" or "example.com".
- #
- # Changing the RP ID will invalidate all already registered webauthn second factors.
- secondFactor: "on"
-
- # (Optional) When using webauthn this allows to restrict which vendor and key models can be used.
- # webauthn:
- # attestationAllowedCas:
- # - /path/to/allowed_ca.pem
- # - |
- # -----BEGIN CERTIFICATE-----
- # ...
- # -----END CERTIFICATE-----
- # attestationDeniedCas:
- # - /path/to/denied_ca.pem
- # - |
- # -----BEGIN CERTIFICATE-----
- # ...
- # -----END CERTIFICATE-----
-
-# Deprecated way to set the authentication type, `authentication.type` should be preferred.
-# authenticationType: local
-
-# Deprecated way to set the authentication second factor, `authentication.secondFactor` should be preferred.
-# authenticationSecondFactor:
-# secondFactor: "otp"
-
-# Teleport supports TLS routing. In this mode, all client connections are wrapped in TLS and multiplexed on one Teleport proxy port.
-# Default mode will not utilize TLS routing and operate in backwards-compatibility mode.
-#
-# To use an ingress, set proxyListenerMode=multiplex, ingress.enabled=true and service.type=ClusterIP
-#
-# Possible values are 'separate' and 'multiplex'
-proxyListenerMode: "multiplex"
-
-# Optional setting for configuring session recording.
-# See `session_recording` under https://goteleport.com/docs/setup/reference/config/#teleportyaml
-sessionRecording: ""
-
-# By default, Teleport will multiplex Postgres and MongoDB database connections on the same port as the proxy's web listener (443)
-# Setting either of these values to true will separate the listeners out onto a separate port (5432 for Postgres, 27017 for MongoDB)
-# This is useful when terminating TLS at a load balancer in front of Teleport (such as when using AWS ACM)
-# These settings will not apply if proxyListenerMode is set to "multiplex".
-separatePostgresListener: false
-separateMongoListener: false
-
-# Do not set any of these values unless you explicitly need to. Teleport always uses the cluster name by default.
-#
-# WARNING:
-# If you set `publicAddr` for users to access the cluster under a domain different
-# to clusterName, you must manually set the webauthn Relying
-# Party Identifier (RP ID) - https://www.w3.org/TR/webauthn-2/#relying-party-identifier
-# If you don't, RP ID will default to `clusterName` and users will fail
-# to register second factors.
-#
-# You can do this by setting the value
-# `auth.teleportConfig.auth_service.authentication.webauthn.rp_id`.
-#
-# RP ID must be both a valid domain, and part of the full domain users are connecting to.
-# For example, if users are accessing the cluster with the domain
-# "teleport.example.com", RP ID can be "teleport.example.com" or "example.com".
-#
-# Changing the RP ID will invalidate all already registered webauthn second factors.
-#
-# Public cluster addresses, including port (e.g. teleport.example.com:443)
-# Defaults to `clusterName` on port 443.
-publicAddr: []
-# Public cluster kube addresses, including port. Defaults to `publicAddr` on port 3026.
-# Only used when `proxyListenerMode` is not 'multiplex'.
-kubePublicAddr: []
-# Public cluster mongo listener addresses, including port. Defaults to `publicAddr` on port 27017.
-# Only used when `proxyListenerMode` is not 'multiplex' and `separateMongoListener` is true.
-mongoPublicAddr: []
-# Public cluster MySQL addresses, including port. Defaults to `publicAddr` on port 3036.
-# Only used when `proxyListenerMode` is not 'multiplex'.
-mysqlPublicAddr: []
-# Public cluster postgres listener addresses, including port. Defaults to `publicAddr` on port 5432.
-# Only used when `proxyListenerMode` is not 'multiplex' and `separatePostgresListener` is true.
-postgresPublicAddr: []
-# Public cluster SSH addresses, including port. Defaults to `publicAddr` on port 3023.
-# Only used when `proxyListenerMode` is not 'multiplex'.
-sshPublicAddr: []
-# Public cluster tunnel SSH addresses, including port. Defaults to `publicAddr` on port 3024.
-# Only used when `proxyListenerMode` is not 'multiplex'.
-tunnelPublicAddr: []
-
-# ACME is a protocol for getting Web X.509 certificates
-# Note: ACME can only be used for single-instance clusters. It is not suitable for use in HA configurations.
-# For HA configurations, see either the "highAvailability.certManager" or "tls" values.
-# Setting acme to 'true' enables the ACME protocol and will attempt to get a free TLS certificate from Let's Encrypt.
-# Setting acme to 'false' (the default) will cause Teleport to generate and use self-signed certificates for its web UI.
-# This section is mutually exclusive with the "tls" value below.
-acme: false
-# acmeEmail is the email address to provide during certificate registration (this is a Let's Encrypt requirement)
-acmeEmail: ""
-# acmeURI is the ACME server to use for getting certificates. The default is to use Let's Encrypt's production server.
-acmeURI: ""
-
-# Set enterprise to true to use enterprise image
-# You will need to download your Enterprise license from the Teleport dashboard and create a secret to use this:
-# kubectl -n ${TELEPORT_NAMESPACE?} create secret generic license --from-file=/path/to/downloaded/license.pem
-enterprise: false
-
-# CRDs are installed by default when the operator is enabled. This manual override allows to disable CRD installation
-# when deploying multiple releases in the same cluster.
-# installCRDs:
-
-# Configuration of the optional Teleport operator
-operator:
- # Set enabled to true to add the Kubernetes Teleport Operator
- enabled: true
- # Kubernetes Teleport Operator image
- image: public.ecr.aws/gravitational/teleport-operator
- # Resources to request for the operator container
- # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
- resources: {}
- # requests:
- # cpu: "0.5"
- # memory: "1Gi"
- # limits:
- # memory: "1Gi"
-
-# If true, create & use Pod Security Policy resources
-# https://kubernetes.io/docs/concepts/policy/pod-security-policy/
-# WARNING: the PSP won't be deployed for Kubernetes 1.23 and higher.
-# Please read https://goteleport.com/docs/deploy-a-cluster/helm-deployments/migration-kubernetes-1-25-psp/
-podSecurityPolicy:
- enabled: false
-
-# Labels is a map of key-value pairs about this cluster
-labels: {}
-
-# Mode to deploy the chart in. The default is "standalone". Options:
-# - "standalone": will deploy a Teleport container running auth and proxy services with a PersistentVolumeClaim for storage.
-# - "aws": will deploy Teleport using DynamoDB for backend/audit log storage and S3 for session recordings. (1)
-# - "gcp": will deploy Teleport using Firestore for backend/audit log storage and Google Cloud storage for session recordings. (2)
-# - "azure": will deploy Teleport using Azure Database for PostgreSQL for backend/audit and Azure Blob Storage for session recordings. (3)
-# - "scratch": will deploy Teleport containers but will not provide default configuration file. You must pass your own configuration. (4)
-# (1) To use "aws" mode, you must also configure the "aws" section below.
-# (2) To use "gcp" mode, you must also configure the "gcp" section below.
-# (3) To use "azure" mode, you must also configure the "azure" section below.
-# (4) When set to "scratch", you must write the teleport configuration in auth.teleportConfig and proxy.teleportConfig.
-# `scratch` usage is strongly discouraged, this is a last resort option and
-# everything should be doable with `standalone` mode + overrides through
-# `auth.teleportConfig` and `proxy.teleportConfig`.
-chartMode: standalone
-
-# validateConfigOnDeploy enables a Kubernetes job before install and upgrade that will verify
-# if the teleport.yaml configuration is valid and will block the deployment if it is not
-validateConfigOnDeploy: true
-
-# Whether the chart should create a Teleport ProvisionToken for the proxies to join the Teleport cluster.
-# Disabling this flag will cause the proxies not to be able to join the auth pods. In this case, the
-# Helm chart user is responsible for configuring working join_params on the proxy.
-createProxyToken: true
-
-# podMonitor controls the PodMonitor CR (from monitoring.coreos.com/v1)
-# This CRD is managed by the prometheus-operator and allows workload to
-# get monitored. To use this value, you need to run a `prometheus-operator`
-# in the cluster for this value to take effect.
-# See https://prometheus-operator.dev/docs/prologue/introduction/
-podMonitor:
- # Whether the chart should deploy a PodMonitor.
- # Disabled by default as it requires the PodMonitor CRD to be installed.
- enabled: true
- # additionalLabels to put on the PodMonitor.
- # This is used to be selected by a specific prometheus instance.
- # Defaults to {prometheus: default} which seems to be the common default prometheus selector
- additionalLabels:
- prometheus: k8s
- # interval is the interval between two metrics scrapes. Defaults to 30s
- interval: 30s
-
-######################################################################
-# Persistence settings (only used in "standalone" and "scratch" modes)
-# NOTE: Changes in Kubernetes 1.23+ mean that persistent volumes will not automatically be provisioned in AWS EKS clusters
-# without additional configuration. See https://docs.aws.amazon.com/eks/latest/userguide/ebs-csi.html for more details.
-# This driver addon must be configured to use persistent volumes in EKS clusters after Kubernetes 1.23.
-######################################################################
-persistence:
- # Enable persistence using a PersistentVolumeClaim
- enabled: true
- # Leave blank to automatically create a PersistentVolumeClaim for Teleport storage.
- # If you would like to use a pre-existing PersistentVolumeClaim, put its name here.
- existingClaimName: ""
- # Size of persistent volume to request when created by Teleport.
- # Ignored if existingClaimName is provided.
- volumeSize: 10Gi
-
-##################################################
-# AWS-specific settings (only used in "aws" mode)
-##################################################
-aws:
- # The AWS region where the DynamoDB tables are located.
- region: ""
- # The DynamoDB table name to use for backend storage. Teleport will attempt to create this table automatically if it does not exist.
- # The container will need an appropriately-provisioned IAM role with permissions to create DynamoDB tables.
- backendTable: ""
- # The DynamoDB table name to use for audit log storage. Teleport will attempt to create this table automatically if it does not exist.
- # The container will need an appropriately-provisioned IAM role with permissions to create DynamoDB tables.
- # This MUST NOT be the same table name as used for 'backendTable' as the schemas are different.
- auditLogTable: ""
- # Whether to mirror audit log entries to stdout in JSON format (useful for external log collectors)
- auditLogMirrorOnStdout: false
- # The S3 bucket name to use for recorded session storage. Teleport will attempt to create this bucket automatically if it does not exist.
- # The container will need an appropriately-provisioned IAM role with permissions to create S3 buckets.
- sessionRecordingBucket: ""
- # Whether or not to turn on DynamoDB backups
- backups: false
-
- # Whether Teleport should configure DynamoDB's autoscaling.
- # Requires additional statements in the IAM Teleport Policy to be allowed to configure the autoscaling.
- # See https://goteleport.com/docs/setup/reference/backends/#dynamodb-autoscaling
- dynamoAutoScaling: false
-
- # DynamoDB autoscaling settings. Required if `dynamoAutoScaling` is `true`.
- # See https://goteleport.com/docs/setup/reference/backends/#dynamodb-autoscaling
- readMinCapacity: null # Integer
- readMaxCapacity: null # Integer
- readTargetValue: null # Float
- writeMinCapacity: null # Integer
- writeMaxCapacity: null # Integer
- writeTargetValue: null # Float
-
-##################################################
-# GCP-specific settings (only used in "gcp" mode)
-##################################################
-gcp:
- # The project name being used for the GCP account where Teleport is running.
- # See https://support.google.com/googleapi/answer/7014113?hl=en
- projectId: ""
- # The Firestore collection to use for backend storage. Teleport will attempt to create this collection automatically if it does not exist.
- # Either of the following must be true:
- # - The container will need an appropriately-provisioned IAM role/service account with permissions to create Firestore collections
- # - The service account credentials provided via 'credentialSecretName' will need permissions to create Firestore collections.
- backendTable: ""
- # The Firestore collection to use for audit log storage. Teleport will attempt to create this collection automatically if it does not exist.
- # Either of the following must be true:
- # - The container will need an appropriately-provisioned IAM role/service account with permissions to create Firestore collections
- # - The service account credentials provided via 'credentialSecretName' will need permissions to create Firestore collections.
- # This MUST NOT be the same collection name as used for 'backendTable' as the schemas are different.
- auditLogTable: ""
- # Whether to mirror audit log entries to stdout in JSON format (useful for external log collectors)
- auditLogMirrorOnStdout: false
- # The Google storage bucket name to use for recorded session storage. This bucket must already exist in the Google account being used.
- sessionRecordingBucket: ""
- # The name of the Kubernetes secret used to store the Google credentials.
- # You will need to create this secret manually. It must contain a JSON file from Google with the credentials that Teleport will use.
- # You can override this to a blank value if the worker node running Teleport already has a service account which grants access.
- credentialSecretName: teleport-gcp-credentials
-
-#####################################################
-# Azure-specific settings (only used in "azure" mode)
-#####################################################
-azure:
- # The fully qualified hostname of the Postgres database cluster hosted in Azure.
- # It should follow the format ".postgres.database.azure.com".
- databaseHost: ""
- # The Postgres user Teleport must use to connect to the backend and audit
- # databases.
- databaseUser: ""
- # The Postgres database to use for backend storage.
- backendDatabase: "teleport_backend"
- # The Postgres database to use for audit log storage.
- # This MUST NOT be the same database as used for 'backendDatabase'.
- auditLogDatabase: "teleport_audit"
- # Whether to mirror audit log entries to stdout in JSON format (useful for external log collectors)
- auditLogMirrorOnStdout: false
- # The fully qualified domain name of the Azure Blob Storage account to use for
- # recorded session storage. This account must already exist.
- # It should follow the format ".blob.core.windows.net"
- sessionRecordingStorageAccount: ""
- # Azure client ID is used by the Kubernetes Service Account to know which
- # Application it should impersonate. This can be unset only if the clientID is
- # passed through other means (e.g. environment variable)
- clientID: ""
- # Controls the `pool_max_conns` setting passed to PostgreSQL. This is the
- # max amount of connections Teleport can open to the database. This can affect
- # performance on large clusters and depends on various factors like the
- # database size, the number of CPU cores available for Teleport, GOMAXPROCS
- # and the database latency.
- # This only applies to the core backend connections, not the audit log ones.
- # 0 means the parameter is not set and the client's default is used (recommended)
- databasePoolMaxConnections: 0
-
-# `highAvailability` contains settings controlling how Teleport pods are
-# replicated and scheduled. This allows Teleport to run in a highly-available
-# fashion: Teleport should sustain the crash/loss of a machine without interrupting
-# the service.
-#
-# For auth pods:
-# When using "standalone" or "scratch" mode, you must use highly-available storage
-# (etcd, DynamoDB or Firestore) for multiple replicas to be supported.
-# Manually configuring NFS-based storage or ReadWriteMany volume claims
-# is NOT supported and will result in errors. Using Teleport's built-in
-# ACME client (as opposed to using cert-manager or passing certs through a secret)
-# is not supported with multiple replicas.
-# For proxy pods:
-# Proxy pods need to be provided a certificate to be replicated (either via
-# `tls.existingSecretName` or via `highAvailability.certManager`).
-# If proxy pods are replicable, they will default to 2 replicas,
-# even if `highAvailability.replicaCount` is 1. To force a single proxy replica,
-# set `proxy.highAvailability.replicaCount: 1`.
-highAvailability:
- # Controls the amount of pod replicas. The `highAvailability` comment describes
- # the replication requirements.
- #
- # WARNING: You **must** meet the replication criteria,
- # else the deployment will result in errors and inconsistent data.
- replicaCount: 1
- # Setting 'requireAntiAffinity' to true will use 'requiredDuringSchedulingIgnoredDuringExecution' to require that multiple Teleport pods must not be scheduled on the
- # same physical host. This will result in Teleport pods failing to be scheduled in very small clusters or during node downtime, so should be used with caution.
- # Setting 'requireAntiAffinity' to false (the default) uses 'preferredDuringSchedulingIgnoredDuringExecution' to make this a soft requirement.
- # This setting only has any effect when replicaCount is greater than 1.
- requireAntiAffinity: false
- # If enabled will create a Pod Disruption Budget
- # https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
- podDisruptionBudget:
- enabled: false
- minAvailable: 1
- # Settings for cert-manager (can be used for provisioning TLS certs in HA mode)
- # These settings are mutually exclusive with the "tls" value below.
- certManager:
- # If set to true, use cert-manager to get certificates for Teleport to use for TLS termination
- enabled: true
- # If set to true, a common name matching the cluster name will be set in the certificate signing request. This is mandatory for some CAs.
- addCommonName: false
- # If set to true, any additional public addresses configured under the `publicAddr` chart value will be added to the certificate signing request.
- # This setting is not enabled by default to preserve backward compatibility.
- addPublicAddrs: false
- # Name of the Issuer/ClusterIssuer to use for certs
- # NOTE: You will always need to create this yourself when certManager.enabled is true.
- issuerName: "letsencrypt-prod"
- # Kind of Issuer that cert-manager should look for.
- # This defaults to 'Issuer' to keep everything contained within the teleport namespace.
- issuerKind: ClusterIssuer
- # Group of Issuer that cert-manager should look for.
- # This defaults to 'cert-manager.io' which is the default Issuer group.
- issuerGroup: cert-manager.io
- # Injects delay when performing pod rollouts to mitigate the loss of all agent tunnels at the same time
- # See https://github.com/gravitational/teleport/issues/13129
- minReadySeconds: 15
-
-# Settings for mounting your own TLS keypair to secure Teleport's web UI.
-# These settings are mutually exclusive with the "highAvailability.certManager" and "acme" values above.
-tls:
- # Name of an existing secret to use which contains a TLS keypair. Will automatically set the https_keypairs section in teleport.yaml.
- # Create the secret in the same namespace as Teleport using `kubectl create secret tls my-tls-secret --cert=/path/to/cert/file --key=/path/to/key/file`
- # See https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets for more information.
- existingSecretName: ""
- # (optional) Name of an existing secret to use which contains a CA or trust bundle in x509 PEM format.
- # Useful for building trust when using intermediate certificate authorities.
- # This will automatically set the SSL_CERT_FILE environment variable to trust the CA.
- # Create the secret with `kubectl create secret generic --from-file=ca.pem=/path/to/root-ca.pem
- # The filename inside the secret is important - it _must_ be ca.pem
- existingCASecretName: ""
-
-##################################################
-# Values that you shouldn't need to change.
-##################################################
-
-# Container image for the cluster.
-# Since version 13, hardened distroless images are used by default.
-# You can use the deprecated debian-based images by setting the value to
-# `public.ecr.aws/gravitational/teleport`. Those images will be
-# removed with teleport 14.
-image: public.ecr.aws/gravitational/teleport-distroless
-# Enterprise version of the image
-# Since version 13, hardened distroless images are used by default.
-# You can use the deprecated debian-based images by setting the value to
-# `public.ecr.aws/gravitational/teleport-ent`. Those images will be
-# removed with teleport 14.
-enterpriseImage: public.ecr.aws/gravitational/teleport-ent-distroless
-# Optional array of imagePullSecrets, to use when pulling from a private registry
-imagePullSecrets: []
-# Teleport logging configuration
-log:
- # Log level for the Teleport process.
- # Available log levels are: DEBUG, INFO, WARNING, ERROR.
- # The default is INFO, which is recommended in production.
- # DEBUG is useful during first-time setup or to see more detailed logs for debugging.
- level: INFO
- # Log output
- # Use a file path to log to disk: e.g. '/var/lib/teleport/teleport.log'
- # Other supported values: 'stdout', 'stderr' and 'syslog'
- output: stderr
- # Log format configuration
- # Possible output values are 'json' and 'text' (default).
- format: text
- # Possible extra_fields values include: timestamp, component, caller, and level.
- # All extra fields are included by default.
- extraFields: ["timestamp", "level", "component", "caller"] - -################################## -# Extra Kubernetes configuration # -################################## - -# nodeSelector to apply for pod assignment -# https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector -nodeSelector: {} - -# Affinity for pod assignment -# https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity -# NOTE: If affinity is set here, highAvailability.requireAntiAffinity cannot also be used - you can only set one or the other. -affinity: {} - -# Kubernetes annotations to apply -# https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ -annotations: - # Annotations for the ConfigMap - config: {} - # Annotations for the Deployment - deployment: {} - # Annotations for each Pod in the Deployment - pod: {} - # Annotations for the Service object - service: {} - # Annotations for the ServiceAccount object - serviceAccount: {} - # Annotations for the certificate secret generated by cert-manager v1.5+ when - # highAvailability.certManager.enabled is true - certSecret: {} - # Annotations for the Ingress object - ingress: - kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/backend-protocol: HTTPS - nginx.ingress.kubernetes.io/proxy-read-timeout: "3600" - nginx.ingress.kubernetes.io/proxy-send-timeout: "3600" - nginx.ingress.kubernetes.io/affinity: "cookie" - nginx.ingress.kubernetes.io/session-cookie-name: "http-cookie" - nginx.ingress.kubernetes.io/session-cookie-expires: "172800" - nginx.ingress.kubernetes.io/session-cookie-max-age: "172800" - -# Kubernetes service account to create/use. -serviceAccount: - # Specifies whether a ServiceAccount should be created - create: true - # The name of the ServiceAccount to use. - # If not set and serviceAccount.create is true, the name is generated using the release name. 
- # If create is false, the name will be used to reference an existing service account. - name: "" - # To set annotations on the service account, use the annotations.serviceAccount value. - -# Set to true (default) to create Kubernetes ClusterRole and ClusterRoleBinding. -rbac: - # Specifies whether a ClusterRole and ClusterRoleBinding should be created. - # Set to false if your cluster level resources are managed separately. - create: true - -# Options for the Teleport proxy service -# This setting only applies to the proxy service. The teleport auth service is internal-only and always uses a ClusterIP. -# You can override the proxy's backend service to any service type (other than "LoadBalancer") here if really needed. -# To use an Ingress, set service.type=ClusterIP and ingress.enabled=true -service: - type: ClusterIP - # Additional entries here will be added to the service spec. - spec: {} - # loadBalancerIP: "1.2.3.4" - -# Options for ingress -# If you set ingress.enabled to true, service.type MUST also be set to something other than "LoadBalancer" to prevent -# additional unnecessary load balancers from being created. Ingress controllers should provision their own load balancer. -# Using an Ingress also requires that you use the `tsh` client to connect to Kubernetes clusters and databases behind Teleport. -# See https://goteleport.com/docs/architecture/tls-routing/#working-with-layer-7-load-balancers-or-reverse-proxies-preview for details. -ingress: - enabled: true - # Setting suppressAutomaticWildcards to true will not automatically add *. as a hostname served - # by the Ingress. This may be desirable if you don't use Teleport Application Access. - suppressAutomaticWildcards: false - # Additional entries here will be added to the ingress spec. 
- spec: {} - # ingressClassName: nginx - -# Extra arguments to pass to 'teleport start' for the main Teleport pod -extraArgs: [] - -# Extra environment to be configured on the Teleport pod -extraEnv: [] - -# Extra containers to be added to the Teleport pod -extraContainers: [] -# - name: nscenter -# command: -# - /bin/bash -# - -c -# - sleep infinity & wait -# image: praqma/network-multitool -# imagePullPolicy: IfNotPresent -# securityContext: -# privileged: true -# runAsNonRoot: false - -# Extra volumes to mount into the Teleport pods -# https://kubernetes.io/docs/concepts/storage/volumes/ -extraVolumes: [] -# - name: myvolume -# secret: -# secretName: testSecret - -# Extra volume mounts corresponding to the volumes mounted above -extraVolumeMounts: [] -# - name: myvolume -# mountPath: /path/on/host - -# Allow the imagePullPolicy to be overridden -imagePullPolicy: IfNotPresent - -# A list of initContainers to run before each Teleport pod starts -# https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ -initContainers: [] -# - name: "teleport-init" -# image: "alpine" -# args: ["echo test"] - -# If set, will run the command as a postStart handler -# https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/ -postStart: - command: [] - -# Resources to request for the teleport container -# https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ -resources: {} -# requests: -# cpu: "1" -# memory: "2Gi" - -# Security context to add to the container -securityContext: {} - # runAsUser: 99 - -# Priority class name to add to the deployment -priorityClassName: "" - -# Tolerations for pod assignment -# https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ -tolerations: [] - -# Timeouts for the readiness and liveness probes -# https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ -probeTimeoutSeconds: 1 - -# Kubernetes termination grace period -# 
https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution
-#
-# This should be greater than 30 seconds as pods are waiting 30 seconds in a preStop hook.
-terminationGracePeriodSeconds: 60
diff --git a/teleport-cluster-14.3.0/.lint/acme-off.yaml b/teleport-cluster-15.0.1/.lint/acme-off.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/acme-off.yaml
rename to teleport-cluster-15.0.1/.lint/acme-off.yaml
diff --git a/teleport-cluster-14.3.0/.lint/acme-on.yaml b/teleport-cluster-15.0.1/.lint/acme-on.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/acme-on.yaml
rename to teleport-cluster-15.0.1/.lint/acme-on.yaml
diff --git a/teleport-cluster-14.3.0/.lint/acme-uri-staging.yaml b/teleport-cluster-15.0.1/.lint/acme-uri-staging.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/acme-uri-staging.yaml
rename to teleport-cluster-15.0.1/.lint/acme-uri-staging.yaml
diff --git a/teleport-cluster-14.3.0/.lint/affinity.yaml b/teleport-cluster-15.0.1/.lint/affinity.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/affinity.yaml
rename to teleport-cluster-15.0.1/.lint/affinity.yaml
diff --git a/teleport-cluster-14.3.0/.lint/annotations.yaml b/teleport-cluster-15.0.1/.lint/annotations.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/annotations.yaml
rename to teleport-cluster-15.0.1/.lint/annotations.yaml
diff --git a/teleport-cluster-14.3.0/.lint/auth-connector-name.yaml b/teleport-cluster-15.0.1/.lint/auth-connector-name.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/auth-connector-name.yaml
rename to teleport-cluster-15.0.1/.lint/auth-connector-name.yaml
diff --git a/teleport-cluster-14.3.0/.lint/auth-disable-local.yaml b/teleport-cluster-15.0.1/.lint/auth-disable-local.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/auth-disable-local.yaml
rename to teleport-cluster-15.0.1/.lint/auth-disable-local.yaml
diff --git a/teleport-cluster-14.3.0/.lint/auth-locking-mode.yaml b/teleport-cluster-15.0.1/.lint/auth-locking-mode.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/auth-locking-mode.yaml
rename to teleport-cluster-15.0.1/.lint/auth-locking-mode.yaml
diff --git a/teleport-cluster-14.3.0/.lint/auth-passwordless.yaml b/teleport-cluster-15.0.1/.lint/auth-passwordless.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/auth-passwordless.yaml
rename to teleport-cluster-15.0.1/.lint/auth-passwordless.yaml
diff --git a/teleport-cluster-14.3.0/.lint/auth-type-legacy.yaml b/teleport-cluster-15.0.1/.lint/auth-type-legacy.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/auth-type-legacy.yaml
rename to teleport-cluster-15.0.1/.lint/auth-type-legacy.yaml
diff --git a/teleport-cluster-14.3.0/.lint/auth-type.yaml b/teleport-cluster-15.0.1/.lint/auth-type.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/auth-type.yaml
rename to teleport-cluster-15.0.1/.lint/auth-type.yaml
diff --git a/teleport-cluster-14.3.0/.lint/auth-webauthn-legacy.yaml b/teleport-cluster-15.0.1/.lint/auth-webauthn-legacy.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/auth-webauthn-legacy.yaml
rename to teleport-cluster-15.0.1/.lint/auth-webauthn-legacy.yaml
diff --git a/teleport-cluster-14.3.0/.lint/auth-webauthn.yaml b/teleport-cluster-15.0.1/.lint/auth-webauthn.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/auth-webauthn.yaml
rename to teleport-cluster-15.0.1/.lint/auth-webauthn.yaml
diff --git a/teleport-cluster-14.3.0/.lint/aws-dynamodb-autoscaling.yaml b/teleport-cluster-15.0.1/.lint/aws-dynamodb-autoscaling.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/aws-dynamodb-autoscaling.yaml
rename to teleport-cluster-15.0.1/.lint/aws-dynamodb-autoscaling.yaml
diff --git a/teleport-cluster-14.3.0/.lint/aws-ha-acme.yaml b/teleport-cluster-15.0.1/.lint/aws-ha-acme.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/aws-ha-acme.yaml
rename to teleport-cluster-15.0.1/.lint/aws-ha-acme.yaml
diff --git a/teleport-cluster-14.3.0/.lint/aws-ha-antiaffinity.yaml b/teleport-cluster-15.0.1/.lint/aws-ha-antiaffinity.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/aws-ha-antiaffinity.yaml
rename to teleport-cluster-15.0.1/.lint/aws-ha-antiaffinity.yaml
diff --git a/teleport-cluster-14.3.0/.lint/aws-ha-log.yaml b/teleport-cluster-15.0.1/.lint/aws-ha-log.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/aws-ha-log.yaml
rename to teleport-cluster-15.0.1/.lint/aws-ha-log.yaml
diff --git a/teleport-cluster-14.3.0/.lint/aws-ha.yaml b/teleport-cluster-15.0.1/.lint/aws-ha.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/aws-ha.yaml
rename to teleport-cluster-15.0.1/.lint/aws-ha.yaml
diff --git a/teleport-cluster-14.3.0/.lint/aws.yaml b/teleport-cluster-15.0.1/.lint/aws.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/aws.yaml
rename to teleport-cluster-15.0.1/.lint/aws.yaml
diff --git a/teleport-cluster-14.3.0/.lint/azure.yaml b/teleport-cluster-15.0.1/.lint/azure.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/azure.yaml
rename to teleport-cluster-15.0.1/.lint/azure.yaml
diff --git a/teleport-cluster-14.3.0/.lint/cert-manager.yaml b/teleport-cluster-15.0.1/.lint/cert-manager.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/cert-manager.yaml
rename to teleport-cluster-15.0.1/.lint/cert-manager.yaml
diff --git a/teleport-cluster-14.3.0/.lint/cert-secret.yaml b/teleport-cluster-15.0.1/.lint/cert-secret.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/cert-secret.yaml
rename to teleport-cluster-15.0.1/.lint/cert-secret.yaml
diff --git a/teleport-cluster-14.3.0/.lint/example-minimal-standalone.yaml b/teleport-cluster-15.0.1/.lint/example-minimal-standalone.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/example-minimal-standalone.yaml
rename to teleport-cluster-15.0.1/.lint/example-minimal-standalone.yaml
diff --git a/teleport-cluster-14.3.0/.lint/existing-tls-secret-with-ca.yaml b/teleport-cluster-15.0.1/.lint/existing-tls-secret-with-ca.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/existing-tls-secret-with-ca.yaml
rename to teleport-cluster-15.0.1/.lint/existing-tls-secret-with-ca.yaml
diff --git a/teleport-cluster-14.3.0/.lint/existing-tls-secret.yaml b/teleport-cluster-15.0.1/.lint/existing-tls-secret.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/existing-tls-secret.yaml
rename to teleport-cluster-15.0.1/.lint/existing-tls-secret.yaml
diff --git a/teleport-cluster-14.3.0/.lint/extra-containers.yaml b/teleport-cluster-15.0.1/.lint/extra-containers.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/extra-containers.yaml
rename to teleport-cluster-15.0.1/.lint/extra-containers.yaml
diff --git a/teleport-cluster-14.3.0/.lint/extra-env.yaml b/teleport-cluster-15.0.1/.lint/extra-env.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/extra-env.yaml
rename to teleport-cluster-15.0.1/.lint/extra-env.yaml
diff --git a/teleport-cluster-14.3.0/.lint/gcp-ha-acme.yaml b/teleport-cluster-15.0.1/.lint/gcp-ha-acme.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/gcp-ha-acme.yaml
rename to teleport-cluster-15.0.1/.lint/gcp-ha-acme.yaml
diff --git a/teleport-cluster-14.3.0/.lint/gcp-ha-antiaffinity.yaml b/teleport-cluster-15.0.1/.lint/gcp-ha-antiaffinity.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/gcp-ha-antiaffinity.yaml
rename to teleport-cluster-15.0.1/.lint/gcp-ha-antiaffinity.yaml
diff --git a/teleport-cluster-14.3.0/.lint/gcp-ha-log.yaml b/teleport-cluster-15.0.1/.lint/gcp-ha-log.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/gcp-ha-log.yaml
rename to teleport-cluster-15.0.1/.lint/gcp-ha-log.yaml
diff --git a/teleport-cluster-14.3.0/.lint/gcp-ha-workload.yaml b/teleport-cluster-15.0.1/.lint/gcp-ha-workload.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/gcp-ha-workload.yaml
rename to teleport-cluster-15.0.1/.lint/gcp-ha-workload.yaml
diff --git a/teleport-cluster-14.3.0/.lint/gcp-ha.yaml b/teleport-cluster-15.0.1/.lint/gcp-ha.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/gcp-ha.yaml
rename to teleport-cluster-15.0.1/.lint/gcp-ha.yaml
diff --git a/teleport-cluster-14.3.0/.lint/gcp.yaml b/teleport-cluster-15.0.1/.lint/gcp.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/gcp.yaml
rename to teleport-cluster-15.0.1/.lint/gcp.yaml
diff --git a/teleport-cluster-14.3.0/.lint/imagepullsecrets.yaml b/teleport-cluster-15.0.1/.lint/imagepullsecrets.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/imagepullsecrets.yaml
rename to teleport-cluster-15.0.1/.lint/imagepullsecrets.yaml
diff --git a/teleport-cluster-14.3.0/.lint/ingress-publicaddr.yaml b/teleport-cluster-15.0.1/.lint/ingress-publicaddr.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/ingress-publicaddr.yaml
rename to teleport-cluster-15.0.1/.lint/ingress-publicaddr.yaml
diff --git a/teleport-cluster-14.3.0/.lint/ingress.yaml b/teleport-cluster-15.0.1/.lint/ingress.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/ingress.yaml
rename to teleport-cluster-15.0.1/.lint/ingress.yaml
diff --git a/teleport-cluster-14.3.0/.lint/initcontainers.yaml b/teleport-cluster-15.0.1/.lint/initcontainers.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/initcontainers.yaml
rename to teleport-cluster-15.0.1/.lint/initcontainers.yaml
diff --git a/teleport-cluster-14.3.0/.lint/kube-cluster-name.yaml b/teleport-cluster-15.0.1/.lint/kube-cluster-name.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/kube-cluster-name.yaml
rename to teleport-cluster-15.0.1/.lint/kube-cluster-name.yaml
diff --git a/teleport-cluster-14.3.0/.lint/log-basic.yaml b/teleport-cluster-15.0.1/.lint/log-basic.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/log-basic.yaml
rename to teleport-cluster-15.0.1/.lint/log-basic.yaml
diff --git a/teleport-cluster-14.3.0/.lint/log-extra.yaml b/teleport-cluster-15.0.1/.lint/log-extra.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/log-extra.yaml
rename to teleport-cluster-15.0.1/.lint/log-extra.yaml
diff --git a/teleport-cluster-14.3.0/.lint/log-legacy.yaml b/teleport-cluster-15.0.1/.lint/log-legacy.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/log-legacy.yaml
rename to teleport-cluster-15.0.1/.lint/log-legacy.yaml
diff --git a/teleport-cluster-14.3.0/.lint/node-selector.yaml b/teleport-cluster-15.0.1/.lint/node-selector.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/node-selector.yaml
rename to teleport-cluster-15.0.1/.lint/node-selector.yaml
diff --git a/teleport-cluster-14.3.0/.lint/operator.yaml b/teleport-cluster-15.0.1/.lint/operator.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/operator.yaml
rename to teleport-cluster-15.0.1/.lint/operator.yaml
diff --git a/teleport-cluster-14.3.0/.lint/pdb.yaml b/teleport-cluster-15.0.1/.lint/pdb.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/pdb.yaml
rename to teleport-cluster-15.0.1/.lint/pdb.yaml
diff --git a/teleport-cluster-14.3.0/.lint/persistence-legacy.yaml b/teleport-cluster-15.0.1/.lint/persistence-legacy.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/persistence-legacy.yaml
rename to teleport-cluster-15.0.1/.lint/persistence-legacy.yaml
diff --git a/teleport-cluster-14.3.0/.lint/podmonitor.yaml b/teleport-cluster-15.0.1/.lint/podmonitor.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/podmonitor.yaml
rename to teleport-cluster-15.0.1/.lint/podmonitor.yaml
diff --git a/teleport-cluster-14.3.0/.lint/priority-class-name.yaml b/teleport-cluster-15.0.1/.lint/priority-class-name.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/priority-class-name.yaml
rename to teleport-cluster-15.0.1/.lint/priority-class-name.yaml
diff --git a/teleport-cluster-14.3.0/.lint/probe-timeout-seconds.yaml b/teleport-cluster-15.0.1/.lint/probe-timeout-seconds.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/probe-timeout-seconds.yaml
rename to teleport-cluster-15.0.1/.lint/probe-timeout-seconds.yaml
diff --git a/teleport-cluster-14.3.0/.lint/proxy-listener-mode-multiplex.yaml b/teleport-cluster-15.0.1/.lint/proxy-listener-mode-multiplex.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/proxy-listener-mode-multiplex.yaml
rename to teleport-cluster-15.0.1/.lint/proxy-listener-mode-multiplex.yaml
diff --git a/teleport-cluster-14.3.0/.lint/proxy-listener-mode-separate.yaml b/teleport-cluster-15.0.1/.lint/proxy-listener-mode-separate.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/proxy-listener-mode-separate.yaml
rename to teleport-cluster-15.0.1/.lint/proxy-listener-mode-separate.yaml
diff --git a/teleport-cluster-14.3.0/.lint/public-addresses.yaml b/teleport-cluster-15.0.1/.lint/public-addresses.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/public-addresses.yaml
rename to teleport-cluster-15.0.1/.lint/public-addresses.yaml
diff --git a/teleport-cluster-14.3.0/.lint/resources.yaml b/teleport-cluster-15.0.1/.lint/resources.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/resources.yaml
rename to teleport-cluster-15.0.1/.lint/resources.yaml
diff --git a/teleport-cluster-14.3.0/.lint/security-context-empty.yaml b/teleport-cluster-15.0.1/.lint/security-context-empty.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/security-context-empty.yaml
rename to teleport-cluster-15.0.1/.lint/security-context-empty.yaml
diff --git a/teleport-cluster-14.3.0/.lint/security-context.yaml b/teleport-cluster-15.0.1/.lint/security-context.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/security-context.yaml
rename to teleport-cluster-15.0.1/.lint/security-context.yaml
diff --git a/teleport-cluster-14.3.0/.lint/separate-mongo-listener.yaml b/teleport-cluster-15.0.1/.lint/separate-mongo-listener.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/separate-mongo-listener.yaml
rename to teleport-cluster-15.0.1/.lint/separate-mongo-listener.yaml
diff --git a/teleport-cluster-14.3.0/.lint/separate-postgres-listener.yaml b/teleport-cluster-15.0.1/.lint/separate-postgres-listener.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/separate-postgres-listener.yaml
rename to teleport-cluster-15.0.1/.lint/separate-postgres-listener.yaml
diff --git a/teleport-cluster-14.3.0/.lint/service-account.yaml b/teleport-cluster-15.0.1/.lint/service-account.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/service-account.yaml
rename to teleport-cluster-15.0.1/.lint/service-account.yaml
diff --git a/teleport-cluster-14.3.0/.lint/service.yaml b/teleport-cluster-15.0.1/.lint/service.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/service.yaml
rename to teleport-cluster-15.0.1/.lint/service.yaml
diff --git a/teleport-cluster-14.3.0/.lint/session-recording.yaml b/teleport-cluster-15.0.1/.lint/session-recording.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/session-recording.yaml
rename to teleport-cluster-15.0.1/.lint/session-recording.yaml
diff --git a/teleport-cluster-14.3.0/.lint/standalone-custom-storage-class.yaml b/teleport-cluster-15.0.1/.lint/standalone-custom-storage-class.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/standalone-custom-storage-class.yaml
rename to teleport-cluster-15.0.1/.lint/standalone-custom-storage-class.yaml
diff --git a/teleport-cluster-14.3.0/.lint/standalone-customsize.yaml b/teleport-cluster-15.0.1/.lint/standalone-customsize.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/standalone-customsize.yaml
rename to teleport-cluster-15.0.1/.lint/standalone-customsize.yaml
diff --git a/teleport-cluster-14.3.0/.lint/standalone-existingpvc.yaml b/teleport-cluster-15.0.1/.lint/standalone-existingpvc.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/standalone-existingpvc.yaml
rename to teleport-cluster-15.0.1/.lint/standalone-existingpvc.yaml
diff --git a/teleport-cluster-14.3.0/.lint/tolerations.yaml b/teleport-cluster-15.0.1/.lint/tolerations.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/tolerations.yaml
rename to teleport-cluster-15.0.1/.lint/tolerations.yaml
diff --git a/teleport-cluster-14.3.0/.lint/version-override.yaml b/teleport-cluster-15.0.1/.lint/version-override.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/version-override.yaml
rename to teleport-cluster-15.0.1/.lint/version-override.yaml
diff --git a/teleport-cluster-14.3.0/.lint/volumes.yaml b/teleport-cluster-15.0.1/.lint/volumes.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/.lint/volumes.yaml
rename to teleport-cluster-15.0.1/.lint/volumes.yaml
diff --git a/teleport-cluster-15.0.1/.values.home.yaml.swp b/teleport-cluster-15.0.1/.values.home.yaml.swp
new file mode 100644
index 0000000..9a7a158
Binary files /dev/null and b/teleport-cluster-15.0.1/.values.home.yaml.swp differ
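Review bot: A Vim swap file, `.values.home.yaml.swp`, is committed into the chart root as a binary blob; it is an editor recovery artifact for a `values.home.yaml` that is not itself part of this change and should not ship with the chart. A swap file carries the editor's buffer of the values file being edited, so whatever that local values file held (cluster addresses, tokens or other settings are plausible in a file named this way, though the diff cannot show it) is now in repository history in a form reviewers cannot inspect. Drop the file from the commit, add `*.swp` to the repository `.gitignore` and to the chart's `.helmignore` so `helm package` does not bundle it, and if the recovered buffer turns out to contain any credential, treat that credential as exposed and rotate it.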
diff --git a/teleport-cluster-14.3.0/Chart.yaml b/teleport-cluster-15.0.1/Chart.yaml
similarity index 68%
rename from teleport-cluster-14.3.0/Chart.yaml
rename to teleport-cluster-15.0.1/Chart.yaml
index d215736..8f4176c 100644
--- a/teleport-cluster-14.3.0/Chart.yaml
+++ b/teleport-cluster-15.0.1/Chart.yaml
@@ -1,13 +1,14 @@
 apiVersion: v2
-appVersion: 14.3.0
+appVersion: 15.0.1
 dependencies:
-- condition: installCRDs,operator.enabled
+- alias: operator
+ condition: installCRDs,operator.enabled
 name: teleport-operator
 repository: ""
- version: 14.3.0
+ version: 15.0.1
 description: Teleport is an access platform for your infrastructure
 icon: https://goteleport.com/images/logos/logo-teleport-square.svg
 keywords:
 - Teleport
 name: teleport-cluster
-version: 14.3.0
+version: 15.0.1
diff --git a/teleport-cluster-14.3.0/README.md b/teleport-cluster-15.0.1/README.md
similarity index 79%
rename from teleport-cluster-14.3.0/README.md
rename to teleport-cluster-15.0.1/README.md
index 27e6235..b239357 100644
--- a/teleport-cluster-14.3.0/README.md
+++ b/teleport-cluster-15.0.1/README.md
@@ -1,13 +1,16 @@
 # Teleport Cluster
-This chart sets up a single node Teleport cluster.
-It uses a persistent volume claim for storage.
-Great for getting started with Teleport.
+This chart sets up a Teleport cluster composed of at least 1 Proxy instance
+and 1 Auth instance. When applicable, the chart will default to 2 pods to
+provide high-availability.
 ## Important Notices
 - The chart version follows the Teleport version. e.g. chart v10.x can run Teleport v10.x and v11.x, but is not compatible with Teleport 9.x
-- Teleport does mutual TLS to authenticate clients. It currently does not support running behind a L7 LoadBalancer, like a Kubernetes `Ingress`. It requires being exposed through a L4 LoadBalancer (Kubernetes `Service`).
+- Teleport does mutual TLS to authenticate clients. Establishing mTLS through a L7
+ LoadBalancer, like a Kubernetes `Ingress` [requires ALPN support](https://goteleport.com/docs/architecture/tls-routing/#working-with-layer-7-load-balancers-or-reverse-proxies).
+ Exposing Teleport through a `Service` with type `LoadBalancer` is still recommended
+ because its the most flexible and least complex setup.
 ## Getting Started
diff --git a/teleport-cluster-15.0.1/charts/teleport-operator/.lint/annotations.yaml b/teleport-cluster-15.0.1/charts/teleport-operator/.lint/annotations.yaml
new file mode 100644
index 0000000..dc3a4c8
--- /dev/null
+++ b/teleport-cluster-15.0.1/charts/teleport-operator/.lint/annotations.yaml
@@ -0,0 +1,14 @@
+annotations:
+ deployment:
+ kubernetes.io/deployment: "test-annotation"
+ kubernetes.io/deployment-different: 3
+ pod:
+ kubernetes.io/pod: "test-annotation"
+ kubernetes.io/pod-different: 4
+ serviceAccount:
+ kubernetes.io/serviceaccount: "test-annotation"
+ kubernetes.io/serviceaccount-different: 6
+
+teleportAddress: "example.teleport.sh:443"
+token: "my-operator-bot"
+teleportClusterName: "example.teleport.sh"
diff --git a/teleport-cluster-15.0.1/charts/teleport-operator/.lint/cloud-join.yaml b/teleport-cluster-15.0.1/charts/teleport-operator/.lint/cloud-join.yaml
new file mode 100644
index 0000000..16ba976
--- /dev/null
+++ b/teleport-cluster-15.0.1/charts/teleport-operator/.lint/cloud-join.yaml
@@ -0,0 +1,3 @@
+teleportAddress: "example.teleport.sh:443"
+token: "my-operator-bot"
+teleportClusterName: "example.teleport.sh"
diff --git a/teleport-cluster-15.0.1/charts/teleport-operator/.lint/disabled.yaml b/teleport-cluster-15.0.1/charts/teleport-operator/.lint/disabled.yaml
new file mode 100644
index 0000000..bc11441
--- /dev/null
+++ b/teleport-cluster-15.0.1/charts/teleport-operator/.lint/disabled.yaml
@@ -0,0 +1 @@
+enabled: false
diff --git a/teleport-cluster-15.0.1/charts/teleport-operator/.lint/existing-tls-ca.yaml b/teleport-cluster-15.0.1/charts/teleport-operator/.lint/existing-tls-ca.yaml
new file mode 100644
index 0000000..354a5e2
--- /dev/null
+++ b/teleport-cluster-15.0.1/charts/teleport-operator/.lint/existing-tls-ca.yaml
@@ -0,0 +1,6 @@
+tls:
+ existingCASecretName: helm-lint-existing-tls-secret-ca
+
+teleportAddress: "teleport.example.com:3080"
+token: "my-operator-bot"
+teleportClusterName: "teleport.example.com"
diff --git a/teleport-cluster-15.0.1/charts/teleport-operator/.lint/non-kubernetes-joining.yaml b/teleport-cluster-15.0.1/charts/teleport-operator/.lint/non-kubernetes-joining.yaml
new file mode 100644
index 0000000..4000fc8
--- /dev/null
+++ b/teleport-cluster-15.0.1/charts/teleport-operator/.lint/non-kubernetes-joining.yaml
@@ -0,0 +1,3 @@
+teleportAddress: "example.teleport.sh:443"
+token: "my-operator-bot"
+joinMethod: "iam"
diff --git a/teleport-cluster-15.0.1/charts/teleport-operator/.lint/resources.yaml b/teleport-cluster-15.0.1/charts/teleport-operator/.lint/resources.yaml
new file mode 100644
index 0000000..acf9ab5
--- /dev/null
+++ b/teleport-cluster-15.0.1/charts/teleport-operator/.lint/resources.yaml
@@ -0,0 +1,13 @@
+# These are just sample values to test the chart.
+# They are not intended to be guidelines or suggestions for running teleport.
+resources:
+ limits:
+ cpu: 2
+ memory: 4Gi
+ requests:
+ cpu: 1
+ memory: 2Gi
+
+teleportAddress: "example.teleport.sh:443"
+token: "my-operator-bot"
+teleportClusterName: "example.teleport.sh"
diff --git a/teleport-cluster-14.3.0/charts/teleport-operator/Chart.yaml b/teleport-cluster-15.0.1/charts/teleport-operator/Chart.yaml
similarity index 85%
rename from teleport-cluster-14.3.0/charts/teleport-operator/Chart.yaml
rename to teleport-cluster-15.0.1/charts/teleport-operator/Chart.yaml
index 08584e1..11eac1a 100644
--- a/teleport-cluster-14.3.0/charts/teleport-operator/Chart.yaml
+++ b/teleport-cluster-15.0.1/charts/teleport-operator/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v2
-appVersion: 14.3.0
+appVersion: 15.0.1
 description: Teleport Operator provides management of select Teleport resources.
 icon: https://goteleport.com/images/logos/logo-teleport-square.svg
 keywords:
 - Teleport
 name: teleport-operator
-version: 14.3.0
+version: 15.0.1
diff --git a/teleport-cluster-15.0.1/charts/teleport-operator/README.md b/teleport-cluster-15.0.1/charts/teleport-operator/README.md
new file mode 100644
index 0000000..d0b87ed
--- /dev/null
+++ b/teleport-cluster-15.0.1/charts/teleport-operator/README.md
@@ -0,0 +1,28 @@
+# Teleport Operator
+
+This chart deploys the Teleport Kubernetes Operator. The operator allows to manage
+Teleport resources from inside Kubernetes.
+
+## Important notice
+
+The chart version follows the Teleport and Teleport Kube Operator version. e.g.
+chart v15.0.1 runs the operator version 15.0.1 by default. To control which
+operator version is deployed, use the `--version` Helm flag.
+
+## Deployment
+
+The chart can be deployed in two ways:
+- in standalone mode by running
+ ```shell
+ helm install teleport/teleport-operator teleport-operator --set authAddr=teleport.example.com:443 --set token=my-operator-token
+ ```
+ See [the standalone guide](https://goteleport.com/docs/management/dynamic-resources/teleport-operator-standalone/) for more details.
+- as a dependency of the `teleport-cluster` Helm chart by adding `--set operator.enabled=true`. See
+ [the operator within teleport-cluster chart guide](https://goteleport.com/docs/management/dynamic-resources/teleport-operator-helm/).
+
+## Values and reference
+
+The `values.yaml` is documented through comment or via
+[the reference docs](https://goteleport.com/docs/reference/helm-reference/teleport-operator/).
+
+Please make sure you are looking at the correct version when looking at the values reference.
diff --git a/teleport-cluster-15.0.1/charts/teleport-operator/templates/_helpers.tpl b/teleport-cluster-15.0.1/charts/teleport-operator/templates/_helpers.tpl
new file mode 100644
index 0000000..39be389
--- /dev/null
+++ b/teleport-cluster-15.0.1/charts/teleport-operator/templates/_helpers.tpl
@@ -0,0 +1,77 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "teleport-cluster.operator.name" -}}
+ {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+This is a modified version of the default fully qualified app name helper.
+We diverge by always honouring "nameOverride" when it's set, as opposed to the
+default behaviour of shortening if `nameOverride` is included in chart name.
+This is done to avoid naming conflicts when including th chart in `teleport-cluster`
+*/}}
+{{- define "teleport-cluster.operator.fullname" -}}
+ {{- if .Values.fullnameOverride }}
+ {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+ {{- else }}
+ {{- if .Values.nameOverride }}
+ {{- printf "%s-%s" .Release.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+ {{- else }}
+ {{- if contains .Chart.Name .Release.Name }}
+ {{- .Release.Name | trunc 63 | trimSuffix "-" }}
+ {{- else }}
+ {{- printf "%s-%s" .Release.Name .Chart.Name | trunc 63 | trimSuffix "-" }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+if serviceAccount is not defined or serviceAccount.name is empty, use .Release.Name
+*/}}
+{{- define "teleport-cluster.operator.serviceAccountName" -}}
+{{- coalesce .Values.serviceAccount.name (include "teleport-cluster.operator.fullname" .) -}}
+{{- end -}}
+
+{{- define "teleport-cluster.version" -}}
+{{- coalesce .Values.teleportVersionOverride .Chart.Version }}
+{{- end -}}
+
+{{- define "teleport-cluster.majorVersion" -}}
+{{- (semver (include "teleport-cluster.version" .)).Major -}}
+{{- end -}}
+
+{{/* Operator selector labels */}}
+{{- define "teleport-cluster.operator.selectorLabels" -}}
+app.kubernetes.io/name: '{{ include "teleport-cluster.operator.name" . 
}}'
+app.kubernetes.io/instance: '{{ .Release.Name }}'
+app.kubernetes.io/component: 'operator'
+{{- end -}}
+
+{{/* Operator all labels */}}
+{{- define "teleport-cluster.operator.labels" -}}
+{{ include "teleport-cluster.operator.selectorLabels" . }}
+helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
+app.kubernetes.io/managed-by: '{{ .Release.Service }}'
+app.kubernetes.io/version: '{{ include "teleport-cluster.version" . }}'
+teleport.dev/majorVersion: '{{ include "teleport-cluster.majorVersion" . }}'
+{{- end -}}
+
+{{/* Teleport auth or proxy address */}}
+{{- define "teleport-cluster.operator.teleportAddress" -}}
+{{- $clusterAddr := include "teleport-cluster.auth.serviceFQDN" . -}}
+{{- if empty $clusterAddr -}}
+ {{- required "The `teleportAddress` value is mandatory when deploying a standalone operator." .Values.teleportAddress -}}
+ {{- if and (eq .Values.joinMethod "kubernetes") (empty .Values.teleportClusterName) (not (hasSuffix ":3025" .Values.teleportAddress)) -}}
+ {{- fail "When joining using the Kubernetes JWKS join method, you must set the value `teleportClusterName`" -}}
+ {{- end -}}
+{{- else -}}
+ {{- $clusterAddr | printf "%s:3025" -}}
+{{- end -}}
+{{- end -}}
+
+{{- /* This template is a placeholder.
+If we are imported by the main chart "teleport-cluster" it is overridden*/ -}}
+{{- define "teleport-cluster.auth.serviceFQDN" -}}{{- end }}
diff --git a/teleport-cluster-15.0.1/charts/teleport-operator/templates/deployment.yaml b/teleport-cluster-15.0.1/charts/teleport-operator/templates/deployment.yaml
new file mode 100644
index 0000000..cd6d676
--- /dev/null
+++ b/teleport-cluster-15.0.1/charts/teleport-operator/templates/deployment.yaml
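Review bot: `teleport-cluster.operator.fullname` reads `.Values.fullnameOverride`, but the values.yaml added in this change declares `fullNameOverride: ""` (capital N), so the documented key has no effect and the branch is only reachable through an undeclared key; the parent chart helper also spells it `fullnameOverride`, so renaming the values.yaml key to `fullnameOverride: ""` is the fix (this applies to the values.yaml hunk as well). The comment above `teleport-cluster.operator.serviceAccountName` says the fallback is `.Release.Name`, whereas the code falls back to `include "teleport-cluster.operator.fullname"`; I'd reword it to `if serviceAccount.name is empty, use the chart fullname`, and fix `th chart` in the fullname comment. In `teleport-cluster.operator.teleportAddress`, the `hasSuffix ":3025"` test is what decides whether `teleportClusterName` is mandatory, which silently assumes an Auth Service always listens on 3025; a comment such as `{{/* a non-3025 address is assumed to be a Proxy, so kube JWKS joining needs the cluster name */}}` would make that assumption visible to anyone running auth on another port.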
@@ -0,0 +1,155 @@
+{{- if .Values.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "teleport-cluster.operator.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels: {{- include "teleport-cluster.operator.labels" . | nindent 4 }}
+ {{- if .Values.annotations.deployment }}
+ annotations: {{- toYaml .Values.annotations.deployment | nindent 4 }}
+ {{- end }}
+spec:
+ replicas: {{ .Values.highAvailability.replicaCount }}
+ strategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxSurge: 0
+ maxUnavailable: 1
+ selector:
+ matchLabels: {{- include "teleport-cluster.operator.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- if .Values.annotations.pod }}
+ annotations: {{- toYaml .Values.annotations.pod | nindent 8 }}
+ {{- end }}
+ labels: {{- include "teleport-cluster.operator.labels" . | nindent 8 }}
+ spec:
+ {{- if .Values.nodeSelector }}
+ nodeSelector: {{- toYaml .Values.nodeSelector | nindent 8 }}
+ {{- end }}
+ {{- if .Values.affinity }}
+ affinity: {{- toYaml .Values.affinity | nindent 8 }}
+ {{- end }}
+ {{- if .Values.tolerations }}
+ tolerations: {{- toYaml .Values.tolerations | nindent 8 }}
+ {{- end }}
+ {{- if .Values.imagePullSecrets }}
+ imagePullSecrets: {{- toYaml .Values.imagePullSecrets | nindent 8 }}
+ {{- end }}
+ containers:
+ - name: "operator"
+ image: '{{ .Values.image }}:{{ include "teleport-cluster.version" . }}'
+ imagePullPolicy: {{ .Values.imagePullPolicy }}
+ command:
+ - /teleport-operator
+ - -auth-server
+ - '{{ include "teleport-cluster.operator.teleportAddress" . 
}}'
+ - -join-method
+ - '{{ .Values.joinMethod }}'
+ - -token
+ - '{{ .Values.token }}'
+ {{- if .Values.caPins }}
+ - -ca-pin
+ - '{{ join "," .Values.caPins }}'
+ {{- end }}
+ {{- if or (.Values.tls.existingCASecretName) (.Values.teleportClusterName) }}
+ env:
+ {{- if .Values.tls.existingCASecretName }}
+ - name: SSL_CERT_FILE
+ value: /etc/teleport-tls-ca/ca.pem
+ {{- end }}
+ {{- if .Values.teleportClusterName }}
+ - name: KUBERNETES_TOKEN_PATH
+ value: /var/run/secrets/teleport/serviceaccount/token
+ {{- end }}
+ {{- end }}
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8081
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 8081
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ ports:
+ - name: op-metrics
+ containerPort: 8080
+ protocol: TCP
+ - name: op-health
+ containerPort: 8081
+ protocol: TCP
+ {{- if .Values.securityContext }}
+ securityContext: {{- toYaml .Values.securityContext | nindent 12 }}
+ {{- end }}
+ {{- if .Values.resources }}
+ resources: {{- toYaml .Values.resources | nindent 12 }}
+ {{- end }}
+ volumeMounts:
+ - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+ name: operator-serviceaccount-token
+ readOnly: true
+ {{- if .Values.teleportClusterName }}
+ - mountPath: /var/run/secrets/teleport/serviceaccount
+ name: bot-serviceaccount-token
+ readOnly: true
+ {{- end }}
+ {{- if .Values.tls.existingCASecretName }}
+ - mountPath: /etc/teleport-tls-ca
+ name: "teleport-tls-ca"
+ readOnly: true
+ {{- end }}
+ automountServiceAccountToken: false
+ volumes:
+ # This projected token volume mimics the `automountServiceAccountToken`
+ # behaviour but defaults to a 1h TTL instead of 1y. 
+ - name: operator-serviceaccount-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ path: token
+ - configMap:
+ items:
+ - key: ca.crt
+ path: ca.crt
+ name: kube-root-ca.crt
+ - downwardAPI:
+ items:
+ - path: "namespace"
+ fieldRef:
+ fieldPath: metadata.namespace
+ {{- if .Values.teleportClusterName }}
+ - name: bot-serviceaccount-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ path: token
+ audience: "{{ .Values.teleportClusterName }}"
+ expirationSeconds: 600
+ - configMap:
+ items:
+ - key: ca.crt
+ path: ca.crt
+ name: kube-root-ca.crt
+ - downwardAPI:
+ items:
+ - path: "namespace"
+ fieldRef:
+ fieldPath: metadata.namespace
+ {{- end }}
+ {{- if .Values.tls.existingCASecretName }}
+ - name: teleport-tls-ca
+ secret:
+ secretName: {{ .Values.tls.existingCASecretName }}
+ {{- end }}
+ {{- if .Values.priorityClassName }}
+ priorityClassName: {{ .Values.priorityClassName }}
+ {{- end }}
+ {{- if .Values.podSecurityContext }}
+ securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "teleport-cluster.operator.serviceAccountName" . }}
+{{- end }}
diff --git a/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_accesslists.yaml b/teleport-cluster-15.0.1/charts/teleport-operator/templates/resources.teleport.dev_accesslists.yaml
similarity index 100%
rename from teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_accesslists.yaml
rename to teleport-cluster-15.0.1/charts/teleport-operator/templates/resources.teleport.dev_accesslists.yaml
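Review bot: The join token is passed on the command line as `- '{{ .Values.token }}'`, so it is persisted in the Deployment and Pod objects and readable by anyone who can get those objects or list processes on the node, a wider audience than a `Secret` has. With the default `joinMethod: kubernetes` the values.yaml documents `token` as the name of the join token and the pod authenticates with the projected service-account token it mounts under `/var/run/secrets/teleport/serviceaccount`, which limits the impact; if any supported join method treats the token itself as the credential, this placement leaks it. If the operator binary accepts the token from an environment variable or a file (I cannot confirm that from the chart), sourcing it with `valueFrom.secretKeyRef` from a Secret whose name is given in values would keep it out of the pod spec. Separately, `bot-serviceaccount-token` sets `expirationSeconds: 600` while `operator-serviceaccount-token` relies on the API default; stating the intended TTL explicitly there (`expirationSeconds: 3600`) would keep the volume comment's `1h` claim from drifting from actual behaviour.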
diff --git a/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_githubconnectors.yaml b/teleport-cluster-15.0.1/charts/teleport-operator/templates/resources.teleport.dev_githubconnectors.yaml
similarity index 100%
rename from teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_githubconnectors.yaml
rename to teleport-cluster-15.0.1/charts/teleport-operator/templates/resources.teleport.dev_githubconnectors.yaml
diff --git a/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_loginrules.yaml b/teleport-cluster-15.0.1/charts/teleport-operator/templates/resources.teleport.dev_loginrules.yaml
similarity index 100%
rename from teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_loginrules.yaml
rename to teleport-cluster-15.0.1/charts/teleport-operator/templates/resources.teleport.dev_loginrules.yaml
diff --git a/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_oidcconnectors.yaml b/teleport-cluster-15.0.1/charts/teleport-operator/templates/resources.teleport.dev_oidcconnectors.yaml
similarity index 100%
rename from teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_oidcconnectors.yaml
rename to teleport-cluster-15.0.1/charts/teleport-operator/templates/resources.teleport.dev_oidcconnectors.yaml
diff --git a/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_oktaimportrules.yaml b/teleport-cluster-15.0.1/charts/teleport-operator/templates/resources.teleport.dev_oktaimportrules.yaml
similarity index 100%
rename from teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_oktaimportrules.yaml
rename to teleport-cluster-15.0.1/charts/teleport-operator/templates/resources.teleport.dev_oktaimportrules.yaml
diff --git a/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_provisiontokens.yaml b/teleport-cluster-15.0.1/charts/teleport-operator/templates/resources.teleport.dev_provisiontokens.yaml
similarity index 100%
rename from teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_provisiontokens.yaml
rename to teleport-cluster-15.0.1/charts/teleport-operator/templates/resources.teleport.dev_provisiontokens.yaml
diff --git a/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_roles.yaml b/teleport-cluster-15.0.1/charts/teleport-operator/templates/resources.teleport.dev_roles.yaml
similarity index 100%
rename from teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_roles.yaml
rename to teleport-cluster-15.0.1/charts/teleport-operator/templates/resources.teleport.dev_roles.yaml
diff --git a/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_rolesv6.yaml b/teleport-cluster-15.0.1/charts/teleport-operator/templates/resources.teleport.dev_rolesv6.yaml
similarity index 100%
rename from teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_rolesv6.yaml
rename to teleport-cluster-15.0.1/charts/teleport-operator/templates/resources.teleport.dev_rolesv6.yaml
diff --git a/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_rolesv7.yaml b/teleport-cluster-15.0.1/charts/teleport-operator/templates/resources.teleport.dev_rolesv7.yaml
similarity index 100%
rename from teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_rolesv7.yaml
rename to teleport-cluster-15.0.1/charts/teleport-operator/templates/resources.teleport.dev_rolesv7.yaml
diff --git a/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_samlconnectors.yaml b/teleport-cluster-15.0.1/charts/teleport-operator/templates/resources.teleport.dev_samlconnectors.yaml
similarity index 100%
rename from teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_samlconnectors.yaml
rename to teleport-cluster-15.0.1/charts/teleport-operator/templates/resources.teleport.dev_samlconnectors.yaml
diff --git a/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_users.yaml b/teleport-cluster-15.0.1/charts/teleport-operator/templates/resources.teleport.dev_users.yaml
similarity index 100%
rename from teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_users.yaml
rename to teleport-cluster-15.0.1/charts/teleport-operator/templates/resources.teleport.dev_users.yaml
diff --git a/teleport-cluster-15.0.1/charts/teleport-operator/templates/role.yaml b/teleport-cluster-15.0.1/charts/teleport-operator/templates/role.yaml
new file mode 100644
index 0000000..4d4e0eb
--- /dev/null
+++ b/teleport-cluster-15.0.1/charts/teleport-operator/templates/role.yaml
@@ -0,0 +1,55 @@
+{{- if .Values.enabled }}
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "teleport-cluster.operator.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+rules:
+ - apiGroups:
+ - "resources.teleport.dev"
+ resources:
+ - teleportroles
+ - teleportroles/status
+ - teleportrolesv6
+ - teleportrolesv6/status
+ - teleportrolesv7
+ - teleportrolesv7/status
+ - teleportusers
+ - teleportusers/status
+ - teleportgithubconnectors
+ - teleportgithubconnectors/status
+ - teleportoidcconnectors
+ - teleportoidcconnectors/status
+ - teleportsamlconnectors
+ - teleportsamlconnectors/status
+ - teleportloginrules
+ - teleportloginrules/status
+ - teleportprovisiontokens
+ - teleportprovisiontokens/status
+ - teleportoktaimportrules
+ - teleportoktaimportrules/status
+ - teleportaccesslists
+ - teleportaccesslists/status
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - "coordination.k8s.io"
+ resources:
+ - leases
+ verbs:
+ - create
+ - get
+ - update
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+{{- end -}}
+{{- end -}}
diff --git a/teleport-cluster-15.0.1/charts/teleport-operator/templates/rolebinding.yaml b/teleport-cluster-15.0.1/charts/teleport-operator/templates/rolebinding.yaml
new file mode 100644
index 0000000..a3425b5
--- /dev/null
+++ b/teleport-cluster-15.0.1/charts/teleport-operator/templates/rolebinding.yaml
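Review bot: The `Role` metadata carries no `labels`, while the `RoleBinding` and `Deployment` in this change attach `teleport-cluster.operator.labels`; the ServiceAccount in serviceaccount.yaml has the same gap. Adding `labels: {{- include "teleport-cluster.operator.labels" . | nindent 4 }}` under `namespace:` keeps the RBAC objects selectable with the same `app.kubernetes.io/*` labels as the rest of the chart. The rule set grants no `create` or `delete` on the `resources.teleport.dev` kinds, which is the right least-privilege shape if the operator only reconciles resources users create; a one-line comment above `rules:` stating that intent would stop a future maintainer from "fixing" it.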
@@ -0,0 +1,17 @@
+{{- if .Values.enabled }}
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "teleport-cluster.operator.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels: {{- include "teleport-cluster.operator.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "teleport-cluster.operator.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "teleport-cluster.operator.serviceAccountName" . }}
+{{- end }}
+{{- end }}
diff --git a/teleport-cluster-15.0.1/charts/teleport-operator/templates/serviceaccount.yaml b/teleport-cluster-15.0.1/charts/teleport-operator/templates/serviceaccount.yaml
new file mode 100644
index 0000000..13b3b0f
--- /dev/null
+++ b/teleport-cluster-15.0.1/charts/teleport-operator/templates/serviceaccount.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.enabled }}
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "teleport-cluster.operator.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+ {{- if .Values.annotations.serviceAccount }}
+ annotations: {{- toYaml .Values.annotations.serviceAccount | nindent 4 }}
+ {{- end }}
+{{- end }}
+{{- end }}
diff --git a/teleport-cluster-15.0.1/charts/teleport-operator/tests/deployment_test.yaml b/teleport-cluster-15.0.1/charts/teleport-operator/tests/deployment_test.yaml
new file mode 100644
index 0000000..56f8f51
--- /dev/null
+++ b/teleport-cluster-15.0.1/charts/teleport-operator/tests/deployment_test.yaml
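Review bot: The `ServiceAccount` subject has no `namespace`; for a namespaced `RoleBinding` the API server defaults it to the binding's own namespace, so this renders a valid object, but adding `namespace: {{ .Release.Namespace }}` under `name:` makes the binding self-describing and matches the `namespace:` already set on its metadata. It also removes a trap if this template is ever turned into a ClusterRoleBinding, where the field is required.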
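Review bot: `name: {{ template "teleport-cluster.operator.serviceAccountName" . }}` uses `template` while every other template in this change uses `include`; switching to `{{ include "teleport-cluster.operator.serviceAccountName" . }}` keeps the style uniform, and `include` is the form that can be piped. Since the Deployment already opts out of token automounting and provides its own projected token volume, setting `automountServiceAccountToken: false` on the ServiceAccount object itself would extend that to any other pod that happens to reuse this account.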
@@ -0,0 +1,199 @@
+suite: Operator Deployment
+templates:
+ - deployment.yaml
+tests:
+ - it: creates no deployment when operator is not enabled
+ values:
+ - ../.lint/disabled.yaml
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: creates a deployment when operator is enabled
+ values:
+ - ../.lint/cloud-join.yaml
+ asserts:
+ - containsDocument:
+ kind: Deployment
+ apiVersion: apps/v1
+ name: RELEASE-NAME-teleport-operator
+
+ - it: shortens fullname if .Release.Name == .Chart.Name
+ release:
+ name: teleport-operator
+ values:
+ - ../.lint/cloud-join.yaml
+ asserts:
+ - containsDocument:
+ kind: Deployment
+ apiVersion: apps/v1
+ name: teleport-operator
+
+ - it: respects the nameOverride
+ set:
+ nameOverride: operator
+ values:
+ - ../.lint/cloud-join.yaml
+ asserts:
+ - containsDocument:
+ kind: Deployment
+ apiVersion: apps/v1
+ name: RELEASE-NAME-operator
+
+ - it: sets annotations when specified
+ values:
+ - ../.lint/annotations.yaml
+ asserts:
+ # Pod annotations
+ - equal:
+ path: spec.template.metadata.annotations.kubernetes\.io/pod
+ value: test-annotation
+ - equal:
+ path: spec.template.metadata.annotations.kubernetes\.io/pod-different
+ value: 4
+ # Deployment annotations
+ - equal:
+ path: metadata.annotations.kubernetes\.io/deployment
+ value: test-annotation
+ - equal:
+ path: metadata.annotations.kubernetes\.io/deployment-different
+ value: 3
+
+ - it: should mount tls.existingCASecretName and set environment when set in values
+ values:
+ - ../.lint/existing-tls-ca.yaml
+ asserts:
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: teleport-tls-ca
+ secret:
+ secretName: helm-lint-existing-tls-secret-ca
+ - contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ mountPath: /etc/teleport-tls-ca
+ name: teleport-tls-ca
+ readOnly: true
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: SSL_CERT_FILE
+ value: /etc/teleport-tls-ca/ca.pem
+
+ - it: mounts tokens through projected 
volumes
+ values:
+ - ../.lint/cloud-join.yaml
+ asserts:
+ - equal:
+ path: spec.template.spec.automountServiceAccountToken
+ value: false
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: operator-serviceaccount-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ path: token
+ - configMap:
+ items:
+ - key: ca.crt
+ path: ca.crt
+ name: kube-root-ca.crt
+ - downwardAPI:
+ items:
+ - path: "namespace"
+ fieldRef:
+ fieldPath: metadata.namespace
+ - contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+ name: operator-serviceaccount-token
+ readOnly: true
+
+ - it: should set imagePullPolicy when set in values
+ values:
+ - ../.lint/cloud-join.yaml
+ set:
+ imagePullPolicy: Always
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].imagePullPolicy
+ value: Always
+
+ - it: should set resources when set in values
+ values:
+ - ../.lint/resources.yaml
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].resources.limits.cpu
+ value: 2
+ - equal:
+ path: spec.template.spec.containers[0].resources.limits.memory
+ value: 4Gi
+ - equal:
+ path: spec.template.spec.containers[0].resources.requests.cpu
+ value: 1
+ - equal:
+ path: spec.template.spec.containers[0].resources.requests.memory
+ value: 2Gi
+
+ - it: should set security contexts by default
+ values:
+ - ../.lint/cloud-join.yaml
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].securityContext
+ value:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ - equal:
+ path: spec.template.spec.securityContext
+ value:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsUser: 65532
+ runAsGroup: 65532
+ fsGroup: 65532
+ runAsNonRoot: true
+
+ - it: configures a dedicated token when kube JWKS joining
+ values:
+ - ../.lint/cloud-join.yaml
+ asserts:
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: bot-serviceaccount-token
+ 
projected:
+ sources:
+ - serviceAccountToken:
+ audience: example.teleport.sh
+ expirationSeconds: 600
+ path: token
+ - configMap:
+ items:
+ - key: ca.crt
+ path: ca.crt
+ name: kube-root-ca.crt
+ - downwardAPI:
+ items:
+ - fieldRef:
+ fieldPath: metadata.namespace
+ path: namespace
+ - contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ mountPath: /var/run/secrets/teleport/serviceaccount
+ name: bot-serviceaccount-token
+ readOnly: true
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: KUBERNETES_TOKEN_PATH
+ value: /var/run/secrets/teleport/serviceaccount/token
diff --git a/teleport-cluster-15.0.1/charts/teleport-operator/tests/role_test.yaml b/teleport-cluster-15.0.1/charts/teleport-operator/tests/role_test.yaml
new file mode 100644
index 0000000..a0dce65
--- /dev/null
+++ b/teleport-cluster-15.0.1/charts/teleport-operator/tests/role_test.yaml
@@ -0,0 +1,43 @@
+suite: Operator Role
+templates:
+ - role.yaml
+tests:
+ - it: creates no role when operator is not enabled
+ values:
+ - ../.lint/disabled.yaml
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: creates no role when rbac.create is false
+ set:
+ rbac:
+ create: false
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: creates a role by default
+ asserts:
+ - containsDocument:
+ kind: Role
+ apiVersion: rbac.authorization.k8s.io/v1
+ name: RELEASE-NAME-teleport-operator
+
+ - it: shortens fullname if .Release.Name == .Chart.Name
+ release:
+ name: teleport-operator
+ asserts:
+ - containsDocument:
+ kind: Role
+ apiVersion: rbac.authorization.k8s.io/v1
+ name: teleport-operator
+
+ - it: respects the nameOverride
+ set:
+ nameOverride: operator
+ asserts:
+ - containsDocument:
+ kind: Role
+ apiVersion: rbac.authorization.k8s.io/v1
+ name: RELEASE-NAME-operator
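Review bot: No case asserts the rendered `command`, so the `-auth-server` value produced by `teleport-cluster.operator.teleportAddress` and the `fail` branch for kube JWKS joining through a Proxy without `teleportClusterName` are uncovered; that guard is the one a regression would drop silently. A case that sets `joinMethod: kubernetes`, a non-3025 `teleportAddress` and an empty `teleportClusterName`, then uses helm-unittest's `failedTemplate` assertion (`errorPattern` if the prefix Helm adds to the message must be ignored), pins it, and a second case could assert `spec.template.spec.containers[0].command` contains `-auth-server`. The `.lint/*.yaml` fixtures are not in this hunk, so the exact `set:` overrides below may need adjusting.
```yaml
  - it: fails when kube JWKS joining through a Proxy without teleportClusterName
    values:
      - ../.lint/cloud-join.yaml
    set:
      joinMethod: kubernetes
      teleportAddress: "teleport.example.com:443"
      teleportClusterName: ""
    asserts:
      - failedTemplate:
          errorPattern: "you must set the value .teleportClusterName."
```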
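Review bot: None of the cases pins the Role's `rules`, so a widened verb list or an added apiGroup would pass the suite unnoticed; for an RBAC object the granted permissions are what deserves a regression test. An `equal` on `rules[0].verbs` with the five expected verbs (`- equal: { path: rules[0].verbs, value: [get, list, patch, update, watch] }`), plus a `contains` on `rules` for the leases and events entries, would catch that.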
diff --git a/teleport-cluster-15.0.1/charts/teleport-operator/tests/rolebinding_test.yaml b/teleport-cluster-15.0.1/charts/teleport-operator/tests/rolebinding_test.yaml
new file mode 100644
index 0000000..6794d90
--- /dev/null
+++ b/teleport-cluster-15.0.1/charts/teleport-operator/tests/rolebinding_test.yaml
@@ -0,0 +1,43 @@
+suite: Operator RoleBinding
+templates:
+ - rolebinding.yaml
+tests:
+ - it: creates no RoleBinding when operator is not enabled
+ values:
+ - ../.lint/disabled.yaml
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: creates no RoleBinding when rbac.create is false
+ set:
+ rbac:
+ create: false
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: creates a RoleBinding by default
+ asserts:
+ - containsDocument:
+ kind: RoleBinding
+ apiVersion: rbac.authorization.k8s.io/v1
+ name: RELEASE-NAME-teleport-operator
+
+ - it: shortens fullname if .Release.Name == .Chart.Name
+ release:
+ name: teleport-operator
+ asserts:
+ - containsDocument:
+ kind: RoleBinding
+ apiVersion: rbac.authorization.k8s.io/v1
+ name: teleport-operator
+
+ - it: respects the nameOverride
+ set:
+ nameOverride: operator
+ asserts:
+ - containsDocument:
+ kind: RoleBinding
+ apiVersion: rbac.authorization.k8s.io/v1
+ name: RELEASE-NAME-operator
diff --git a/teleport-cluster-15.0.1/charts/teleport-operator/tests/serviceaccount_test.yaml b/teleport-cluster-15.0.1/charts/teleport-operator/tests/serviceaccount_test.yaml
new file mode 100644
index 0000000..38c7cae
--- /dev/null
+++ b/teleport-cluster-15.0.1/charts/teleport-operator/tests/serviceaccount_test.yaml
@@ -0,0 +1,63 @@
+suite: Operator ServiceAccount
+templates:
+ - serviceaccount.yaml
+tests:
+ - it: creates no ServiceAccount when operator is not enabled
+ values:
+ - ../.lint/disabled.yaml
+ asserts:
+ - hasDocuments:
+ count: 0
+ - it: creates no ServiceAccount when rbac.create is false
+ set:
+ serviceAccount:
+ create: false
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: creates a ServiceAccount by default
+ asserts:
+ - containsDocument:
+ kind: ServiceAccount
+ apiVersion: v1
+ name: RELEASE-NAME-teleport-operator
+
+ - it: shortens fullname if .Release.Name == .Chart.Name
+ release:
+ name: teleport-operator
+ asserts:
+ - containsDocument:
+ kind: ServiceAccount
+ apiVersion: v1
+ name: teleport-operator
+
+ - it: respects the nameOverride
+ set:
+ nameOverride: operator
+ asserts:
+ - containsDocument:
+ kind: ServiceAccount
+ apiVersion: v1
+ name: RELEASE-NAME-operator
+
+ - it: does not shorten fullname if .Release.Name == .Chart.Name but there's a nameOverride
+ release:
+ name: teleport-operator
+ set:
+ nameOverride: teleport-operator
+ asserts:
+ - containsDocument:
+ kind: ServiceAccount
+ apiVersion: v1
+ name: teleport-operator-teleport-operator
+
+ - it: names the ServiceAccount according to serviceAccount.name
+ set:
+ serviceAccount:
+ name: foobar
+ asserts:
+ - containsDocument:
+ kind: ServiceAccount
+ apiVersion: v1
+ name: foobar
diff --git a/teleport-cluster-15.0.1/charts/teleport-operator/values.yaml b/teleport-cluster-15.0.1/charts/teleport-operator/values.yaml
new file mode 100644
index 0000000..54ccf3c
--- /dev/null
+++ b/teleport-cluster-15.0.1/charts/teleport-operator/values.yaml
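Review bot: The second case is titled `creates no ServiceAccount when rbac.create is false` but it sets `serviceAccount.create: false`, which is the value the template actually checks; the title should read `creates no ServiceAccount when serviceAccount.create is false` so a failure points at the right switch. It is also the only case not separated from its predecessor by a blank line, unlike the rest of the suite.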
@@ -0,0 +1,201 @@
+# enabled(bool) -- controls if the operator should be enabled and deployed.
+#
+# - When `true`, the chart creates both the `CustomResourceDefinition` and operator `Deployment` Kubernetes resources.
+# - When `false`, the chart creates the `CustomResourceDefinition` resources without the operator `Deployment`.
+enabled: true
+
+# teleportAddress(string) -- is the address of the Teleport cluster whose resources
+# are managed by the operator. The address must contain both the domain name and
+# the port of the Teleport cluster. It can be either the address of the Auth Service
+# or the Proxy Service.
+#
+# For example:
+# - joining a Proxy: `teleport.example.com:443` or `teleport.example.com:3080`
+# - joining an Auth: `teleport-auth.example.com:3025`
+# - joining a Cloud-hosted Teleport: `example.teleport.sh:443`
+teleportAddress: ""
+
+# caPins(list[string]) -- is a list of Teleport CA fingerprints that is used by the operator to
+# validate the identity of the Teleport Auth server. This is only used when joining
+# an Auth server directly (on port `3025`) and is ignored when joining through a Proxy
+# (port `443` or `3080`).
+caPins: []
+
+# joinMethod(string) -- describes how the Teleport Kubernetes Operator joins the Teleport cluster.
+# The operator does not store its Teleport-issued identity, it must be able to join the
+# cluster again on each pod restart. To achieve this, it needs to use a delegated join
+# method. `kubernetes` is the most common one.
+joinMethod: "kubernetes"
+
+# teleportClusterName(string) -- is the name of the joined Teleport cluster.
+# Setting this value is required when joining via the
+# [Kubernetes JWKS](../../join-methods.mdx#kubernetes-jwks) join method.
+teleportClusterName: ""
+
+# token(string) -- is the name of the token used by the operator to join the Teleport cluster.
+token: ""
+
+# teleportVersionOverride(string) -- controls the Teleport Kubernetes Operator
+# image version deployed by the chart. 
+#
+# Normally, the version of the Teleport Kubernetes Operator matches the
+# version of the chart. If you install chart version 15.0.0, you'll use
+# Teleport Kubernetes Operator version 15.0.0. Upgrading the operator is
+# done by upgrading the chart.
+#
+#
+# `teleportVersionOverride` is intended for development and MUST NOT be
+# used to control the Teleport version in a typical deployment. This
+# chart is designed to run a specific Teleport version. You will face
+# compatibility issues trying to run a different Teleport version with it.
+#
+# If you want to run Teleport version `X.Y.Z`, you should use
+# `helm install --version X.Y.Z` instead.
+#
+#
+teleportVersionOverride: ""
+
+nameOverride: ""
+fullNameOverride: ""
+
+# image(string) -- sets the container image used for Teleport Kubernetes Operator
+# pods run by the chart.
+#
+# You can override this to use your own Teleport Kubernetes Operator
+# image rather than a Teleport-published image.
+image: public.ecr.aws/gravitational/teleport-operator
+
+# annotations --
+annotations:
+ # annotations.deployment(object) -- contains the Kubernetes annotations
+ # put on the `Deployment` resource created by the chart.
+ deployment: {}
+ # annotations.pod(object) -- contains the Kubernetes annotations
+ # put on the `Pod` resources created by the chart.
+ pod: {}
+ # annotations.serviceAccount(object) -- contains the Kubernetes annotations
+ # put on the `Deployment` resource created by the chart.
+ serviceAccount: {}
+
+# serviceAccount --
+serviceAccount:
+ # serviceAccount.create(bool) -- controls if the chart should create the Kubernetes
+ # `ServiceAccount` resource for the operator.
+ #
+ # - When `true`, the chart creates a `ServiceAccount` resource for the operator.
+ # - When `false`, the chart does not create the `ServiceAccount` resource.
+ # The user is responsible for deploying and maintaining it separately. 
+ #
+ # This value can be set to `false` when deploying in constrained environments
+ # where the user deploying the operator is not allowed to edit `ServiceAccount`
+ # resources.
+ create: true
+ # serviceAccount.name(string) -- controls the name of the operator Kubernetes `ServiceAccount`.
+ # The operator pods use by default a `ServiceAccount` named after the Helm chart release.
+ # This value overrides this behaviour, this is useful when `serviceAccount.create`
+ # is false and the operator must use an existing `ServiceAccount`.
+ name: ""
+
+# rbac --
+rbac:
+ # rbac.create(bool) -- controls if the chart should create RBAC Kubernetes resources.
+ #
+ # - When `true`, the chart creates both `Role` and `RoleBinding` resources for the operator.
+ # - When `false`, the chart does not create the `Role` and `RoleBinding` resources.
+ # The user is responsible for deploying and maintaining them separately.
+ #
+ # This value can be set to `false` when deploying in constrained environments
+ # where the user deploying the operator is not allowed to edit RBAC resources.
+ create: true
+
+# imagePullPolicy(string) -- sets the pull policy for any pods created by the chart.
+# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/containers/images/#updating-images)
+# for more details.
+imagePullPolicy: IfNotPresent
+
+# resources(object) -- sets the resource requests/limits for any pods created by the chart.
+# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/)
+# for more details.
+resources: {}
+
+# priorityClassName(string) -- sets the priority class used by any pods created by the chart.
+# The user is responsible for creating the `PriorityClass` resource before deploying the chart.
+# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/)
+# for more details. 
+priorityClassName: ""
+
+# tolerations(list) -- sets the tolerations for any pods created by the chart.
+# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/)
+# for more details.
+tolerations: []
+
+# nodeSelector(object) -- sets the node selector for any pods created by the chart.
+# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector)
+# for more details.
+nodeSelector: {}
+
+# affinity(object) -- sets the affinities for any pods created by the chart.
+# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity)
+# for more details.
+affinity: {}
+
+# imagePullSecrets(list) -- sets the image pull secrets for any pods created by the chart.
+# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/containers/images/#referring-to-an-imagepullsecrets-on-a-pod)
+# for more details.
+imagePullSecrets: []
+
+# highAvailability --
+highAvailability:
+ # highAvailability.replicaCount(int) -- controls the amount of operator pod replicas deployed
+ # by the chart.
+ #
+ # When multiple pods are running, all pods join the Teleport cluster on
+ # startup but a single pod actively reconciles resources.
+ #
+ # The operator replicas elect a replica leader using
+ # [Kubernetes leases](https://kubernetes.io/docs/concepts/architecture/leases/).
+ # If the leader fails, its lease will expire and another replica will start
+ # reconciling resources.
+ replicaCount: 1
+
+# tls --
+tls:
+ # tls.existingCASecretName(string) -- makes the operator pods trust an additional CA certificate.
+ # This is used to trust Proxy certificates if they're signed by a private CA. The operator
+ # trusts by default CAs part of Mozilla's Web PKI (the `ca-certificates` package). 
+ #
+ # To use this value, you must create a Kubernetes `Secret` containing the CA
+ # certs in the same namespace as the Teleport Kubernetes Operator using a
+ # command such as:
+ #
+ # ```shell
+ # $ kubectl create secret generic my-root-ca --from-file=ca.pem=/path/to/root-ca.pem
+ # ```
+ existingCASecretName: ""
+
+# podSecurityContext(object) -- sets the pod security context for any pods created by the chart.
+# See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
+# for more details.
+#
+# The default value supports running under the `restricted`
+# [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/).
+podSecurityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsUser: 65532
+ runAsGroup: 65532
+ fsGroup: 65532
+ runAsNonRoot: true
+
+# securityContext(object) -- sets the container security context for any pods created by the chart.
+# See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)
+# for more details.
+#
+# The default value supports running under the `restricted`
+# [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/).
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
diff --git a/teleport-cluster-14.3.0/templates/NOTES.txt b/teleport-cluster-15.0.1/templates/NOTES.txt
similarity index 100%
rename from teleport-cluster-14.3.0/templates/NOTES.txt
rename to teleport-cluster-15.0.1/templates/NOTES.txt
diff --git a/teleport-cluster-14.3.0/templates/_helpers.tpl b/teleport-cluster-15.0.1/templates/_helpers.tpl
similarity index 77%
rename from teleport-cluster-14.3.0/templates/_helpers.tpl
rename to teleport-cluster-15.0.1/templates/_helpers.tpl
index e5c2219..ba85279 100644
--- a/teleport-cluster-14.3.0/templates/_helpers.tpl
+++ b/teleport-cluster-15.0.1/templates/_helpers.tpl
@@ -89,3 +89,27 @@ teleport.dev/majorVersion: '{{ include "teleport-cluster.majorVersion" . }}'
 {{- define "teleport-cluster.auth.serviceFQDN" -}}
 {{ include "teleport-cluster.auth.serviceName" . }}.{{ .Release.Namespace }}.svc.cluster.local
 {{- end -}}
+
+{{/* Matches the operator template "teleport-cluster.operator.fullname" but can be
+ evaluated in a "teleport-cluster" context. */}}
+{{- define "teleport-cluster.auth.operatorFullName" -}}
+{{- if .Values.operator.fullnameOverride }}
+ {{- .Values.operator.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+ {{- if .Values.operator.nameOverride }}
+ {{- printf "%s-%s" .Release.Name .Values.operator.nameOverride | trunc 63 | trimSuffix "-" }}
+ {{- else }}
+ {{- if contains "teleport-operator" .Release.Name }}
+ {{- .Release.Name | trunc 63 | trimSuffix "-" }}
+ {{- else }}
+ {{- printf "%s-%s" .Release.Name "teleport-operator" | trunc 63 | trimSuffix "-" }}
+ {{- end }}
+ {{- end }}
+{{- end -}}
+{{- end -}}
+
+{{/* Matches the operator template "teleport-cluster.operator.serviceAccountName"
+ but can be evaluated in a "teleport-cluster" context. */}}
+{{- define "teleport-cluster.auth.operatorServiceAccountName" -}}
+{{- coalesce .Values.operator.serviceAccount.name (include "teleport-cluster.auth.operatorFullName" .) -}}
+{{- end -}}
diff --git a/teleport-cluster-14.3.0/templates/auth/_config.aws.tpl b/teleport-cluster-15.0.1/templates/auth/_config.aws.tpl
similarity index 100%
rename from teleport-cluster-14.3.0/templates/auth/_config.aws.tpl
rename to teleport-cluster-15.0.1/templates/auth/_config.aws.tpl
diff --git a/teleport-cluster-14.3.0/templates/auth/_config.azure.tpl b/teleport-cluster-15.0.1/templates/auth/_config.azure.tpl
similarity index 100%
rename from teleport-cluster-14.3.0/templates/auth/_config.azure.tpl
rename to teleport-cluster-15.0.1/templates/auth/_config.azure.tpl
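Review bot: `teleport-cluster.auth.operatorFullName` and `teleport-cluster.auth.operatorServiceAccountName` re-implement the operator chart's naming rules rather than sharing them, and their comments only say they "match" without naming the file that must be kept in sync. Because config.yaml later in this diff uses the second helper to decide which Kubernetes service account may join as the operator bot, a silent divergence would either lock the operator out or bind the join token to a name the operator no longer uses; suggest widening the comment to `{{/* Keep in sync with <operator chart _helpers.tpl>: auth/config.yaml scopes the operator bot join token to this service account name. */}}`. Separately, `.Values.operator.serviceAccount.name` inside the `coalesce` fails to render with a nil-pointer error if `operator.serviceAccount` is absent from the merged values; presumably the operator subchart defaults supply it — confirm, or guard it with `(.Values.operator.serviceAccount | default dict).name`.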
diff --git a/teleport-cluster-14.3.0/templates/auth/_config.common.tpl b/teleport-cluster-15.0.1/templates/auth/_config.common.tpl
similarity index 100%
rename from teleport-cluster-14.3.0/templates/auth/_config.common.tpl
rename to teleport-cluster-15.0.1/templates/auth/_config.common.tpl
diff --git a/teleport-cluster-14.3.0/templates/auth/_config.gcp.tpl b/teleport-cluster-15.0.1/templates/auth/_config.gcp.tpl
similarity index 100%
rename from teleport-cluster-14.3.0/templates/auth/_config.gcp.tpl
rename to teleport-cluster-15.0.1/templates/auth/_config.gcp.tpl
diff --git a/teleport-cluster-14.3.0/templates/auth/_config.scratch.tpl b/teleport-cluster-15.0.1/templates/auth/_config.scratch.tpl
similarity index 100%
rename from teleport-cluster-14.3.0/templates/auth/_config.scratch.tpl
rename to teleport-cluster-15.0.1/templates/auth/_config.scratch.tpl
diff --git a/teleport-cluster-14.3.0/templates/auth/_config.standalone.tpl b/teleport-cluster-15.0.1/templates/auth/_config.standalone.tpl
similarity index 100%
rename from teleport-cluster-14.3.0/templates/auth/_config.standalone.tpl
rename to teleport-cluster-15.0.1/templates/auth/_config.standalone.tpl
diff --git a/teleport-cluster-15.0.1/templates/auth/clusterrole.yaml b/teleport-cluster-15.0.1/templates/auth/clusterrole.yaml
new file mode 100644
index 0000000..4d98efc
--- /dev/null
+++ b/teleport-cluster-15.0.1/templates/auth/clusterrole.yaml
@@ -0,0 +1,27 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ .Release.Name }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - users
+ - groups
+ - serviceaccounts
+ verbs:
+ - impersonate
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+- apiGroups:
+ - "authorization.k8s.io"
+ resources:
+ - selfsubjectaccessreviews
+ verbs:
+ - create
+{{- end -}}
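Review bot: The snapshot added later in this diff for `auth_clusterrole_test.yaml` is still keyed "adds operator permissions to ClusterRole", yet this new ClusterRole carries only the impersonate, pods and selfsubjectaccessreviews rules and has no operator branch at all, so that test case now passes while asserting the opposite of its name. The test file itself is a 100% rename here, so the case body was not touched; rename the case (for example `it: does not add operator permissions to ClusterRole`) or give it an assertion that `rules` contains no `resources.teleport.dev` entry, so that a regression re-adding operator rules to the auth ClusterRole is caught rather than silently re-snapshotted.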
diff --git a/teleport-cluster-14.3.0/templates/auth/clusterrolebinding.yaml b/teleport-cluster-15.0.1/templates/auth/clusterrolebinding.yaml
similarity index 89%
rename from teleport-cluster-14.3.0/templates/auth/clusterrolebinding.yaml
rename to teleport-cluster-15.0.1/templates/auth/clusterrolebinding.yaml
index ba39919..47a4f76 100644
--- a/teleport-cluster-14.3.0/templates/auth/clusterrolebinding.yaml
+++ b/teleport-cluster-15.0.1/templates/auth/clusterrolebinding.yaml
@@ -2,7 +2,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
- name: {{ .Release.Name }}
+ name: {{ .Release.Namespace }}-{{ .Release.Name }}
 labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
@@ -18,7 +18,7 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
- name: {{ .Release.Name }}-auth
+ name: {{ .Release.Namespace}}-{{ .Release.Name }}-auth
 labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
diff --git a/teleport-cluster-15.0.1/templates/auth/config.yaml b/teleport-cluster-15.0.1/templates/auth/config.yaml
new file mode 100644
index 0000000..2e19cbf
--- /dev/null
+++ b/teleport-cluster-15.0.1/templates/auth/config.yaml
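Review bot: Prefixing both ClusterRoleBinding names with the namespace removes the clash between two releases of the same name in different namespaces, but the ClusterRole they bind (clusterrole.yaml in this diff) is still named `{{ .Release.Name }}`, so a second install of the same release name still collides on the cluster-scoped role, or ends up sharing one role object between the two releases. Either apply the same prefix to the ClusterRole and to the `roleRef` names that follow each hunk in this file, or leave a comment stating why the role is intentionally shared across namespaces. The second hunk also writes `{{ .Release.Namespace}}` without the space before `}}`; `{{ .Release.Namespace }}` matches the first hunk and the rest of the chart.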
@@ -0,0 +1,139 @@
+{{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}}
+{{- $configTemplate := printf "teleport-cluster.auth.config.%s" $auth.chartMode -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Release.Name }}-auth
+ namespace: {{ .Release.Namespace }}
+ labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
+{{- if $auth.annotations.config }}
+ annotations: {{- toYaml $auth.annotations.config | nindent 4 }}
+{{- end }}
+data:
+{{- if or $auth.createProxyToken .Values.operator.enabled }}
+ apply-on-startup.yaml: |2
+ {{- if $auth.createProxyToken }}
+ ---
+ kind: token
+ version: v2
+ metadata:
+ name: {{ .Release.Name }}-proxy
+ expires: "2050-01-01T00:00:00Z"
+ spec:
+ roles: [Proxy]
+ join_method: kubernetes
+ kubernetes:
+ allow:
+ - service_account: "{{ .Release.Namespace }}:{{ include "teleport-cluster.proxy.serviceAccountName" . }}"
+ {{- end }}
+ {{- if .Values.operator.enabled }}
+ ---
+ kind: role
+ metadata:
+ description: Automatically generated role for bot operator
+ labels:
+ teleport.internal/bot: operator
+ name: bot-operator
+ spec:
+ allow:
+ impersonate:
+ roles:
+ - operator
+ rules:
+ - resources:
+ - cert_authority
+ verbs:
+ - readnosecrets
+ deny: {}
+ version: v7
+ ---
+ kind: user
+ metadata:
+ labels:
+ teleport.internal/bot: operator
+ name: bot-operator
+ spec:
+ roles:
+ - bot-operator
+ version: v2
+ ---
+ kind: role
+ metadata:
+ name: operator
+ spec:
+ allow:
+ rules:
+ - resources:
+ - role
+ verbs:
+ - list
+ - create
+ - read
+ - update
+ - delete
+ - resources:
+ - user
+ verbs:
+ - list
+ - create
+ - read
+ - update
+ - delete
+ - resources:
+ - auth_connector
+ verbs:
+ - list
+ - create
+ - read
+ - update
+ - delete
+ - resources:
+ - login_rule
+ verbs:
+ - list
+ - create
+ - read
+ - update
+ - delete
+ - resources:
+ - token
+ verbs:
+ - list
+ - create
+ - read
+ - update
+ - delete
+ - resources:
+ - okta_import_rule
+ verbs:
+ - list
+ - create
+ - read
+ - update
+ - delete
+ - resources:
+ - access_list
+ verbs:
+ - list
+ - create
+ - read
+ - update
+ - delete
+ deny: {}
+ version: v7
+ ---
+ kind: token
+ version: v2
+ metadata:
+ name: "{{ .Values.operator.token }}"
+ spec:
+ roles: [Bot]
+ join_method: kubernetes
+ bot_name: operator
+ kubernetes:
+ allow:
+ - service_account: "{{ .Release.Namespace }}:{{ include "teleport-cluster.auth.operatorServiceAccountName" . }}"
+ {{- end }}
+{{- end }}
+ teleport.yaml: |2
+ {{- mustMergeOverwrite (include $configTemplate . | fromYaml) $auth.teleportConfig | toYaml | nindent 4 -}}
diff --git a/teleport-cluster-14.3.0/templates/auth/deployment.yaml b/teleport-cluster-15.0.1/templates/auth/deployment.yaml
similarity index 89%
rename from teleport-cluster-14.3.0/templates/auth/deployment.yaml
rename to teleport-cluster-15.0.1/templates/auth/deployment.yaml
index 699d135..dcc9bc4 100644
--- a/teleport-cluster-14.3.0/templates/auth/deployment.yaml
+++ b/teleport-cluster-15.0.1/templates/auth/deployment.yaml
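Review bot: The generated `operator` role grants list/create/read/update/delete on `role`, `user`, `auth_connector`, `login_rule`, `token`, `okta_import_rule` and `access_list`, and `bot-operator` may impersonate it, so the single `service_account` entry under `kubernetes.allow` in the last token is the whole boundary between "can run a pod as that service account in `{{ .Release.Namespace }}`" and Teleport-administrator-equivalent access, and nothing in the template says so. Suggest a template comment directly above `{{- if .Values.operator.enabled }}`: `{{- /* Operator bootstrap: these resources make the operator bot admin-equivalent, and the join token below is scoped only by the operator service account in this namespace, so that service account must be protected accordingly. */}}`. Also, `name: "{{ .Values.operator.token }}"` renders an empty token name when the value is unset; unless the operator subchart defaults guarantee it (confirm), `name: {{ required "operator.token must be set when operator.enabled is true" .Values.operator.token | quote }}` fails at render time instead of at auth startup.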
@@ -231,45 +231,6 @@ spec:
 {{- if $auth.extraVolumeMounts }}
 {{- toYaml $auth.extraVolumeMounts | nindent 8 }}
 {{- end }}
-{{- /* Operator uses '.Values' instead of '$auth' as it will likely be moved out of the auth pods */}}
-{{- if .Values.operator.enabled }}
- - name: "operator"
- image: '{{ .Values.operator.image }}:{{ include "teleport-cluster.version" . }}'
- imagePullPolicy: {{ .Values.imagePullPolicy }}
- livenessProbe:
- httpGet:
- path: /healthz
- port: 8081
- initialDelaySeconds: 15
- periodSeconds: 20
- readinessProbe:
- httpGet:
- path: /readyz
- port: 8081
- initialDelaySeconds: 5
- periodSeconds: 10
- ports:
- - name: op-metrics
- containerPort: 8080
- protocol: TCP
- - name: op-health
- containerPort: 8081
- protocol: TCP
- {{- if .Values.operator.resources }}
- resources: {{- toYaml .Values.operator.resources | nindent 10 }}
- {{- end }}
- volumeMounts:
- - mountPath: /etc/teleport
- name: "config"
- readOnly: true
- - mountPath: /var/lib/teleport
- name: "data"
- {{- if $projectedServiceAccountToken }}
- - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
- name: auth-serviceaccount-token
- readOnly: true
- {{- end }}
-{{ end }}
 {{- if $auth.extraContainers }}
 {{- toYaml $auth.extraContainers | nindent 6 }}
 {{- end }}
diff --git a/teleport-cluster-14.3.0/templates/auth/pdb.yaml b/teleport-cluster-15.0.1/templates/auth/pdb.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/templates/auth/pdb.yaml
rename to teleport-cluster-15.0.1/templates/auth/pdb.yaml
diff --git a/teleport-cluster-14.3.0/templates/auth/predeploy_config.yaml b/teleport-cluster-15.0.1/templates/auth/predeploy_config.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/templates/auth/predeploy_config.yaml
rename to teleport-cluster-15.0.1/templates/auth/predeploy_config.yaml
diff --git a/teleport-cluster-14.3.0/templates/auth/predeploy_job.yaml b/teleport-cluster-15.0.1/templates/auth/predeploy_job.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/templates/auth/predeploy_job.yaml
rename to teleport-cluster-15.0.1/templates/auth/predeploy_job.yaml
diff --git a/teleport-cluster-14.3.0/templates/auth/pvc.yaml b/teleport-cluster-15.0.1/templates/auth/pvc.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/templates/auth/pvc.yaml
rename to teleport-cluster-15.0.1/templates/auth/pvc.yaml
diff --git a/teleport-cluster-14.3.0/templates/auth/service-previous-version.yaml b/teleport-cluster-15.0.1/templates/auth/service-previous-version.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/templates/auth/service-previous-version.yaml
rename to teleport-cluster-15.0.1/templates/auth/service-previous-version.yaml
diff --git a/teleport-cluster-14.3.0/templates/auth/service.yaml b/teleport-cluster-15.0.1/templates/auth/service.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/templates/auth/service.yaml
rename to teleport-cluster-15.0.1/templates/auth/service.yaml
diff --git a/teleport-cluster-14.3.0/templates/auth/serviceaccount.yaml b/teleport-cluster-15.0.1/templates/auth/serviceaccount.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/templates/auth/serviceaccount.yaml
rename to teleport-cluster-15.0.1/templates/auth/serviceaccount.yaml
diff --git a/teleport-cluster-14.3.0/templates/podmonitor.yaml b/teleport-cluster-15.0.1/templates/podmonitor.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/templates/podmonitor.yaml
rename to teleport-cluster-15.0.1/templates/podmonitor.yaml
diff --git a/teleport-cluster-14.3.0/templates/proxy/_config.aws.tpl b/teleport-cluster-15.0.1/templates/proxy/_config.aws.tpl
similarity index 100%
rename from teleport-cluster-14.3.0/templates/proxy/_config.aws.tpl
rename to teleport-cluster-15.0.1/templates/proxy/_config.aws.tpl
diff --git a/teleport-cluster-14.3.0/templates/proxy/_config.azure.tpl b/teleport-cluster-15.0.1/templates/proxy/_config.azure.tpl
similarity index 100%
rename from teleport-cluster-14.3.0/templates/proxy/_config.azure.tpl
rename to teleport-cluster-15.0.1/templates/proxy/_config.azure.tpl
diff --git a/teleport-cluster-14.3.0/templates/proxy/_config.common.tpl b/teleport-cluster-15.0.1/templates/proxy/_config.common.tpl
similarity index 100%
rename from teleport-cluster-14.3.0/templates/proxy/_config.common.tpl
rename to teleport-cluster-15.0.1/templates/proxy/_config.common.tpl
diff --git a/teleport-cluster-14.3.0/templates/proxy/_config.gcp.tpl b/teleport-cluster-15.0.1/templates/proxy/_config.gcp.tpl
similarity index 100%
rename from teleport-cluster-14.3.0/templates/proxy/_config.gcp.tpl
rename to teleport-cluster-15.0.1/templates/proxy/_config.gcp.tpl
diff --git a/teleport-cluster-14.3.0/templates/proxy/_config.scratch.tpl b/teleport-cluster-15.0.1/templates/proxy/_config.scratch.tpl
similarity index 100%
rename from teleport-cluster-14.3.0/templates/proxy/_config.scratch.tpl
rename to teleport-cluster-15.0.1/templates/proxy/_config.scratch.tpl
diff --git a/teleport-cluster-14.3.0/templates/proxy/_config.standalone.tpl b/teleport-cluster-15.0.1/templates/proxy/_config.standalone.tpl
similarity index 100%
rename from teleport-cluster-14.3.0/templates/proxy/_config.standalone.tpl
rename to teleport-cluster-15.0.1/templates/proxy/_config.standalone.tpl
diff --git a/teleport-cluster-14.3.0/templates/proxy/certificate.yaml b/teleport-cluster-15.0.1/templates/proxy/certificate.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/templates/proxy/certificate.yaml
rename to teleport-cluster-15.0.1/templates/proxy/certificate.yaml
diff --git a/teleport-cluster-14.3.0/templates/proxy/config.yaml b/teleport-cluster-15.0.1/templates/proxy/config.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/templates/proxy/config.yaml
rename to teleport-cluster-15.0.1/templates/proxy/config.yaml
diff --git a/teleport-cluster-14.3.0/templates/proxy/deployment.yaml b/teleport-cluster-15.0.1/templates/proxy/deployment.yaml
similarity index 99%
rename from teleport-cluster-14.3.0/templates/proxy/deployment.yaml
rename to teleport-cluster-15.0.1/templates/proxy/deployment.yaml
index 68cfbd5..0011b4c 100644
--- a/teleport-cluster-14.3.0/templates/proxy/deployment.yaml
+++ b/teleport-cluster-15.0.1/templates/proxy/deployment.yaml
@@ -1,5 +1,5 @@
 {{- $proxy := mustMergeOverwrite (mustDeepCopy .Values) .Values.proxy -}}
-{{- $replicable := or $proxy.highAvailability.certManager.enabled $proxy.tls.existingSecretName -}}
+{{- $replicable := or $proxy.highAvailability.certManager.enabled $proxy.tls.existingSecretName $proxy.ingress.enabled -}}
 {{- $projectedServiceAccountToken := semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
 # Deployment is {{ if not $replicable }}not {{end}}replicable
 {{- if and $proxy.highAvailability.certManager.enabled $proxy.tls.existingSecretName }}
diff --git a/teleport-cluster-14.3.0/templates/proxy/ingress.yaml b/teleport-cluster-15.0.1/templates/proxy/ingress.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/templates/proxy/ingress.yaml
rename to teleport-cluster-15.0.1/templates/proxy/ingress.yaml
diff --git a/teleport-cluster-14.3.0/templates/proxy/pdb.yaml b/teleport-cluster-15.0.1/templates/proxy/pdb.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/templates/proxy/pdb.yaml
rename to teleport-cluster-15.0.1/templates/proxy/pdb.yaml
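Review bot: `$replicable` now also becomes true when `$proxy.ingress.enabled` is set, but the only explanation in the file is the rendered `# Deployment is … replicable` line, which states the outcome rather than the reason, and the `{{- if and … }}` check on the following line still reasons only about cert-manager and an existing secret. Presumably an ingress in front of the proxy means the pods no longer need a shared TLS secret to run several replicas — confirm — and if so, record it on the changed line, e.g. `{{- /* ingress.enabled: TLS is terminated outside the proxy pods, so replicas need no shared certificate secret */ -}}`. The code that consumes `$replicable` further down deployment.yaml is outside this hunk.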
diff --git a/teleport-cluster-14.3.0/templates/proxy/predeploy_config.yaml b/teleport-cluster-15.0.1/templates/proxy/predeploy_config.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/templates/proxy/predeploy_config.yaml
rename to teleport-cluster-15.0.1/templates/proxy/predeploy_config.yaml
diff --git a/teleport-cluster-14.3.0/templates/proxy/predeploy_job.yaml b/teleport-cluster-15.0.1/templates/proxy/predeploy_job.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/templates/proxy/predeploy_job.yaml
rename to teleport-cluster-15.0.1/templates/proxy/predeploy_job.yaml
diff --git a/teleport-cluster/templates/proxy/service-int.yaml b/teleport-cluster-15.0.1/templates/proxy/service-int.yaml
similarity index 100%
rename from teleport-cluster/templates/proxy/service-int.yaml
rename to teleport-cluster-15.0.1/templates/proxy/service-int.yaml
diff --git a/teleport-cluster-14.3.0/templates/proxy/service.yaml b/teleport-cluster-15.0.1/templates/proxy/service.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/templates/proxy/service.yaml
rename to teleport-cluster-15.0.1/templates/proxy/service.yaml
diff --git a/teleport-cluster-14.3.0/templates/proxy/serviceaccount.yaml b/teleport-cluster-15.0.1/templates/proxy/serviceaccount.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/templates/proxy/serviceaccount.yaml
rename to teleport-cluster-15.0.1/templates/proxy/serviceaccount.yaml
diff --git a/teleport-cluster-14.3.0/templates/psp.yaml b/teleport-cluster-15.0.1/templates/psp.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/templates/psp.yaml
rename to teleport-cluster-15.0.1/templates/psp.yaml
diff --git a/teleport-cluster-14.3.0/tests/README.md b/teleport-cluster-15.0.1/tests/README.md
similarity index 100%
rename from teleport-cluster-14.3.0/tests/README.md
rename to teleport-cluster-15.0.1/tests/README.md
diff --git a/teleport-cluster-15.0.1/tests/__snapshot__/auth_clusterrole_test.yaml.snap b/teleport-cluster-15.0.1/tests/__snapshot__/auth_clusterrole_test.yaml.snap
new file mode 100644
index 0000000..58a9d76
--- /dev/null
+++ b/teleport-cluster-15.0.1/tests/__snapshot__/auth_clusterrole_test.yaml.snap
@@ -0,0 +1,27 @@
+adds operator permissions to ClusterRole:
+ 1: |
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: ClusterRole
+ metadata:
+ name: RELEASE-NAME
+ rules:
+ - apiGroups:
+ - ""
+ resources:
+ - users
+ - groups
+ - serviceaccounts
+ verbs:
+ - impersonate
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - apiGroups:
+ - authorization.k8s.io
+ resources:
+ - selfsubjectaccessreviews
+ verbs:
+ - create
diff --git a/teleport-cluster-14.3.0/tests/__snapshot__/auth_config_test.yaml.snap b/teleport-cluster-15.0.1/tests/__snapshot__/auth_config_test.yaml.snap
similarity index 99%
rename from teleport-cluster-14.3.0/tests/__snapshot__/auth_config_test.yaml.snap
rename to teleport-cluster-15.0.1/tests/__snapshot__/auth_config_test.yaml.snap
index ed8eb56..bd5c995 100644
--- a/teleport-cluster-14.3.0/tests/__snapshot__/auth_config_test.yaml.snap
+++ b/teleport-cluster-15.0.1/tests/__snapshot__/auth_config_test.yaml.snap
@@ -1,6 +1,7 @@
 adds a proxy token by default:
 1: |
 |
+ ---
 kind: token
 version: v2
 metadata:
diff --git a/teleport-cluster-14.3.0/tests/__snapshot__/auth_deployment_test.yaml.snap b/teleport-cluster-15.0.1/tests/__snapshot__/auth_deployment_test.yaml.snap
similarity index 91%
rename from teleport-cluster-14.3.0/tests/__snapshot__/auth_deployment_test.yaml.snap
rename to teleport-cluster-15.0.1/tests/__snapshot__/auth_deployment_test.yaml.snap
index d7b1104..d79acae 100644
--- a/teleport-cluster-14.3.0/tests/__snapshot__/auth_deployment_test.yaml.snap
+++ b/teleport-cluster-15.0.1/tests/__snapshot__/auth_deployment_test.yaml.snap
@@ -1,36 +1,3 @@
-should add an operator side-car when operator is enabled:
- 1: |
- image: public.ecr.aws/gravitational/teleport-operator:14.3.0
- imagePullPolicy: IfNotPresent
- livenessProbe:
- httpGet:
- path: /healthz
- port: 8081
- initialDelaySeconds: 15
- periodSeconds: 20
- name: operator
- ports:
- - containerPort: 8080
- name: op-metrics
- protocol: TCP
- - containerPort: 8081
- name: op-health
- protocol: TCP
- readinessProbe:
- httpGet:
- path: /readyz
- port: 8081
- initialDelaySeconds: 5
- periodSeconds: 10
- volumeMounts:
- - mountPath: /etc/teleport
- name: config
- readOnly: true
- - mountPath: /var/lib/teleport
- name: data
- - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
- name: auth-serviceaccount-token
- readOnly: true
 ? should not add named PersistentVolumeClaim as volume when in scratch mode, persistence.existingClaimName is set and persistence.enabled is false
 : 1: |
@@ -41,7 +8,7 @@ should add an operator side-car when operator is enabled:
 - args:
 - --diag-addr=0.0.0.0:3000
 - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
- image: public.ecr.aws/gravitational/teleport-distroless:14.3.0
+ image: public.ecr.aws/gravitational/teleport-distroless:15.0.1
 imagePullPolicy: IfNotPresent
 lifecycle:
 preStop:
@@ -174,7 +141,7 @@ should set nodeSelector when set in values:
 - args:
 - --diag-addr=0.0.0.0:3000
 - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
- image: public.ecr.aws/gravitational/teleport-distroless:14.3.0
+ image: public.ecr.aws/gravitational/teleport-distroless:15.0.1
 imagePullPolicy: IfNotPresent
 lifecycle:
 preStop:
@@ -271,7 +238,7 @@ should set resources when set in values:
 - args:
 - --diag-addr=0.0.0.0:3000
 - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
- image: public.ecr.aws/gravitational/teleport-distroless:14.3.0
+ image: public.ecr.aws/gravitational/teleport-distroless:15.0.1
 imagePullPolicy: IfNotPresent
 lifecycle:
 preStop:
@@ -357,7 +324,7 @@ should set securityContext when set in values:
 - args:
 - --diag-addr=0.0.0.0:3000
 - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
- image: public.ecr.aws/gravitational/teleport-distroless:14.3.0
+ image: public.ecr.aws/gravitational/teleport-distroless:15.0.1
 imagePullPolicy: IfNotPresent
 lifecycle:
 preStop:
diff --git a/teleport-cluster-14.3.0/tests/__snapshot__/ingress_test.yaml.snap b/teleport-cluster-15.0.1/tests/__snapshot__/ingress_test.yaml.snap
similarity index 100%
rename from tele port-cluster-14.3.0/tests/__snapshot__/ingress_test.yaml.snap
rename to teleport-cluster-15.0.1/tests/__snapshot__/ingress_test.yaml.snap
diff --git a/teleport-cluster-14.3.0/tests/__snapshot__/predeploy_test.yaml.snap b/teleport-cluster-15.0.1/tests/__snapshot__/predeploy_test.yaml.snap
similarity index 100%
rename from teleport-cluster-14.3.0/tests/__snapshot__/predeploy_test.yaml.snap
rename to teleport-cluster-15.0.1/tests/__snapshot__/predeploy_test.yaml.snap
diff --git a/teleport-cluster-14.3.0/tests/__snapshot__/proxy_certificate_test.yaml.snap b/teleport-cluster-15.0.1/tests/__snapshot__/proxy_certificate_test.yaml.snap
similarity index 100%
rename from teleport-cluster-14.3.0/tests/__snapshot__/proxy_certificate_test.yaml.snap
rename to teleport-cluster-15.0.1/tests/__snapshot__/proxy_certificate_test.yaml.snap
diff --git a/teleport-cluster-14.3.0/tests/__snapshot__/proxy_config_test.yaml.snap b/teleport-cluster-15.0.1/tests/__snapshot__/proxy_config_test.yaml.snap
similarity index 100%
rename from teleport-cluster-14.3.0/tests/__snapshot__/proxy_config_test.yaml.snap
rename to teleport-cluster-15.0.1/tests/__snapshot__/proxy_config_test.yaml.snap
diff --git a/teleport-cluster-14.3.0/tests/__snapshot__/proxy_deployment_test.yaml.snap b/teleport-cluster-15.0.1/tests/__snapshot__/proxy_deployment_test.yaml.snap
similarity index 92%
rename from teleport-cluster-14.3.0/tests/__snapshot__/proxy_deployment_test.yaml.snap
rename to teleport-cluster-15.0.1/tests/__snapshot__/proxy_deployment_test.yaml.snap
index 26489d6..ea3f3b7 100644
--- a/teleport-cluster-14.3.0/tests/__snapshot__/proxy_deployment_test.yaml.snap
+++ b/teleport-cluster-15.0.1/tests/__snapshot__/proxy_deployment_test.yaml.snap
@@ -4,8 +4,8 @@ should provision initContainer correctly when set in values:
 - teleport
 - wait
 - no-resolve
- - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
- image: public.ecr.aws/gravitational/teleport-distroless:14.3.0
+ - RELEASE-NAME-auth-v14.NAMESPACE.svc.cluster.local
+ image: public.ecr.aws/gravitational/teleport-distroless:15.0.1
 name: wait-auth-update
 - args:
 - echo test
@@ -62,7 +62,7 @@ should set nodeSelector when set in values:
 containers:
 - args:
 - --diag-addr=0.0.0.0:3000
- image: public.ecr.aws/gravitational/teleport-distroless:14.3.0
+ image: public.ecr.aws/gravitational/teleport-distroless:15.0.1
 imagePullPolicy: IfNotPresent
 lifecycle:
 preStop:
@@ -122,8 +122,8 @@ should set nodeSelector when set in values:
 - teleport
 - wait
 - no-resolve
- - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
- image: public.ecr.aws/gravitational/teleport-distroless:14.3.0
+ - RELEASE-NAME-auth-v14.NAMESPACE.svc.cluster.local
+ image: public.ecr.aws/gravitational/teleport-distroless:15.0.1
 name: wait-auth-update
 nodeSelector:
 environment: security
@@ -174,7 +174,7 @@ should set resources when set in values:
 containers:
 - args:
 - --diag-addr=0.0.0.0:3000
- image: public.ecr.aws/gravitational/teleport-distroless:14.3.0
+ image: public.ecr.aws/gravitational/teleport-distroless:15.0.1
 imagePullPolicy: IfNotPresent
 lifecycle:
 preStop:
@@ -241,8 +241,8 @@ should set resources when set in values:
 - teleport
 - wait
 - no-resolve
- - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
- image: public.ecr.aws/gravitational/teleport-distroless:14.3.0
+ - RELEASE-NAME-auth-v14.NAMESPACE.svc.cluster.local
+ image: public.ecr.aws/gravitational/teleport-distroless:15.0.1
 name: wait-auth-update
 serviceAccountName: RELEASE-NAME-proxy
 terminationGracePeriodSeconds: 60
@@ -275,7 +275,7 @@ should set securityContext for initContainers when set in values:
 containers:
 - args:
 - --diag-addr=0.0.0.0:3000
- image: public.ecr.aws/gravitational/teleport-distroless:14.3.0
+ image: public.ecr.aws/gravitational/teleport-distroless:15.0.1
 imagePullPolicy: IfNotPresent
 lifecycle:
 preStop:
@@ -342,8 +342,8 @@ should set securityContext for initContainers when set in values:
 - teleport
 - wait
 - no-resolve
- - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
- image: public.ecr.aws/gravitational/teleport-distroless:14.3.0
+ - RELEASE-NAME-auth-v14.NAMESPACE.svc.cluster.local
+ image: public.ecr.aws/gravitational/teleport-distroless:15.0.1
 name: wait-auth-update
 securityContext:
 allowPrivilegeEscalation: false
@@ -383,7 +383,7 @@ should set securityContext when set in values:
 containers:
 - args:
 - --diag-addr=0.0.0.0:3000
- image: public.ecr.aws/gravitational/teleport-distroless:14.3.0
+ image: public.ecr.aws/gravitational/teleport-distroless:15.0.1
 imagePullPolicy: IfNotPresent
 lifecycle:
 preStop:
@@ -450,8 +450,8 @@ should set securityContext when set in values:
 - teleport
 - wait
 - no-resolve
- - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
- image: public.ecr.aws/gravitational/teleport-distroless:14.3.0
+ - RELEASE-NAME-auth-v14.NAMESPACE.svc.cluster.local
+ image: public.ecr.aws/gravitational/teleport-distroless:15.0.1
 name: wait-auth-update
 securityContext:
 allowPrivilegeEscalation: false
diff --git a/teleport-cluster-14.3.0/tests/__snapshot__/proxy_service_test.yaml.snap b/teleport-cluster-15.0.1/tests/__snapshot__/proxy_service_test.yaml.snap
similarity index 100%
rename from teleport-cluster-14.3.0/tests/__snapshot__/proxy_service_test.yaml.snap
rename to teleport-cluster-15.0.1/tests/__snapshot__/proxy_service_test.yaml.snap
diff --git a/teleport-cluster-14.3.0/tests/__snapshot__/psp_test.yaml.snap b/teleport-cluster-15.0.1/tests/__snapshot__/psp_test.yaml.snap
similarity index 100%
rename from teleport-cluster-14.3.0/tests/__snapshot__/psp_test.yaml.snap
rename to teleport-cluster-15.0.1/tests/__snapshot__/psp_test.yaml.snap
diff --git a/teleport-cluster-14.3.0/tests/auth_clusterrole_test.yaml b/teleport-cluster-15.0.1/tests/auth_clusterrole_test.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/tests/auth_clusterrole_test.yaml
rename to teleport-cluster-15.0.1/tests/auth_clusterrole_test.yaml
diff --git a/teleport-cluster-14.3.0/tests/auth_clusterrolebinding_test.yaml b/teleport-cluster-15.0.1/tests/auth_clusterrolebinding_test.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/tests/auth_clusterrolebinding_test.yaml
rename to teleport-cluster-15.0.1/tests/auth_clusterrolebinding_test.yaml
diff --git a/teleport-cluster-14.3.0/tests/auth_config_test.yaml b/teleport-cluster-15.0.1/tests/auth_config_test.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/tests/auth_config_test.yaml
rename to teleport-cluster-15.0.1/tests/auth_config_test.yaml
diff --git a/teleport-cluster-14.3.0/tests/auth_deployment_test.yaml b/teleport-cluster-15.0.1/tests/auth_deployment_test.yaml
similarity index 96%
rename from teleport-cluster-14.3.0/tests/auth_deployment_test.yaml
rename to teleport-cluster-15.0.1/tests/auth_deployment_test.yaml
index d838ca9..85526d7 100644
--- a/teleport-cluster-14.3.0/tests/auth_deployment_test.yaml
+++ b/teleport-cluster-15.0.1/tests/auth_deployment_test.yaml
@@ -536,17 +536,6 @@ tests: persistentVolumeClaim: claimName: RELEASE-NAME - - it: should add an operator side-car when operator is enabled - template: auth/deployment.yaml - values: - - ../.lint/operator.yaml - asserts: - - equal: - path: spec.template.spec.containers[1].name - value: operator - - matchSnapshot: - path: spec.template.spec.containers[1] - - it: should add named PersistentVolumeClaim as volume when in standalone mode, persistence.existingClaimName is set and persistence.enabled is true template: auth/deployment.yaml values: @@ -762,8 +751,6 @@ tests: template: auth/deployment.yaml set: clusterName: helm-lint - operator: - enabled: true capabilities: majorVersion: 1 minorVersion: 18 @@ -795,19 +782,11 @@ tests: mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: auth-serviceaccount-token readOnly: true - - notContains: - path: spec.template.spec.containers[1].volumeMounts - content: - mountPath: /var/run/secrets/kubernetes.io/serviceaccount - name: auth-serviceaccount-token - readOnly: true - it: mounts tokens through projected volumes on newer Kubernetes versions template: auth/deployment.yaml set: clusterName: helm-lint - operator: - enabled: true capabilities: majorVersion: 1 minorVersion: 21 @@ -839,12 +818,6 @@ tests: mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: auth-serviceaccount-token readOnly: true - - contains: - path: spec.template.spec.containers[1].volumeMounts - content: - mountPath: /var/run/secrets/kubernetes.io/serviceaccount - name: auth-serviceaccount-token - readOnly: true - it: should add the azure workload identity label to auth pods in azure mode template: auth/deployment.yaml diff --git a/teleport-cluster-14.3.0/tests/auth_pdb_test.yaml b/teleport-cluster-15.0.1/tests/auth_pdb_test.yaml similarity index 100% rename from teleport-cluster-14.3.0/tests/auth_pdb_test.yaml rename to teleport-cluster-15.0.1/tests/auth_pdb_test.yaml 
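Review bot: The removed side-car test is not replaced by a negative guard, so a later regression that re-adds an operator container to the auth pod under `operator.enabled: true` would go unnoticed here, even though the remaining token-mount cases now only look at `containers[0]`. The operator is presumably deployed on its own after this change (its new deployment is not in this hunk), so a case that renders `../.lint/operator.yaml` against `auth/deployment.yaml` and asserts a single container is the cheap replacement; `isNull` on `spec.template.spec.containers[1]` works with the assertion set this file already uses. That also keeps the auth service-account token from silently being mounted into a second container again, which is what the deleted `contains`/`notContains` assertions on `containers[1].volumeMounts` were checking.

```yaml
  - it: should not add an operator side-car to the auth pod when operator is enabled
    template: auth/deployment.yaml
    values:
      - ../.lint/operator.yaml
    asserts:
      - isNull:
          path: spec.template.spec.containers[1]
```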
diff --git a/teleport-cluster-14.3.0/tests/auth_pvc_test.yaml b/teleport-cluster-15.0.1/tests/auth_pvc_test.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/tests/auth_pvc_test.yaml
rename to teleport-cluster-15.0.1/tests/auth_pvc_test.yaml
diff --git a/teleport-cluster-14.3.0/tests/auth_serviceaccount_test.yaml b/teleport-cluster-15.0.1/tests/auth_serviceaccount_test.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/tests/auth_serviceaccount_test.yaml
rename to teleport-cluster-15.0.1/tests/auth_serviceaccount_test.yaml
diff --git a/teleport-cluster-14.3.0/tests/ingress_test.yaml b/teleport-cluster-15.0.1/tests/ingress_test.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/tests/ingress_test.yaml
rename to teleport-cluster-15.0.1/tests/ingress_test.yaml
diff --git a/teleport-cluster-14.3.0/tests/podmonitor_test.yaml b/teleport-cluster-15.0.1/tests/podmonitor_test.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/tests/podmonitor_test.yaml
rename to teleport-cluster-15.0.1/tests/podmonitor_test.yaml
diff --git a/teleport-cluster-14.3.0/tests/predeploy_test.yaml b/teleport-cluster-15.0.1/tests/predeploy_test.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/tests/predeploy_test.yaml
rename to teleport-cluster-15.0.1/tests/predeploy_test.yaml
diff --git a/teleport-cluster-14.3.0/tests/proxy_certificate_test.yaml b/teleport-cluster-15.0.1/tests/proxy_certificate_test.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/tests/proxy_certificate_test.yaml
rename to teleport-cluster-15.0.1/tests/proxy_certificate_test.yaml
diff --git a/teleport-cluster-14.3.0/tests/proxy_config_test.yaml b/teleport-cluster-15.0.1/tests/proxy_config_test.yaml
similarity index 100%
rename from teleport-cluster-14.3.0/tests/proxy_config_test.yaml
rename to teleport-cluster-15.0.1/tests/proxy_config_test.yaml
diff --git a/teleport-cluster-14.3.0/tests/proxy_deployment_test.yaml b/teleport-cluster-15.0.1/tests/proxy_deployment_test.yaml similarity index 98% rename from teleport-cluster-14.3.0/tests/proxy_deployment_test.yaml rename to teleport-cluster-15.0.1/tests/proxy_deployment_test.yaml index c4cbfcc..2d6dda9 100644 --- a/teleport-cluster-14.3.0/tests/proxy_deployment_test.yaml +++ b/teleport-cluster-15.0.1/tests/proxy_deployment_test.yaml @@ -87,6 +87,18 @@ tests: path: spec.replicas value: 1 + - it: should have multiple replicas by default when an ingress is terminating TLS + template: proxy/deployment.yaml + set: + clusterName: helm-lint.example.com + proxyListenerMode: multiplex + ingress: + enabled: true + asserts: + - equal: + path: spec.replicas + value: 2 + - it: should set affinity when set in values template: proxy/deployment.yaml set: diff --git a/teleport-cluster-14.3.0/tests/proxy_pdb_test.yaml b/teleport-cluster-15.0.1/tests/proxy_pdb_test.yaml similarity index 100% rename from teleport-cluster-14.3.0/tests/proxy_pdb_test.yaml rename to teleport-cluster-15.0.1/tests/proxy_pdb_test.yaml diff --git a/teleport-cluster-14.3.0/tests/proxy_service_test.yaml b/teleport-cluster-15.0.1/tests/proxy_service_test.yaml similarity index 100% rename from teleport-cluster-14.3.0/tests/proxy_service_test.yaml rename to teleport-cluster-15.0.1/tests/proxy_service_test.yaml diff --git a/teleport-cluster-14.3.0/tests/proxy_serviceaccount_test.yaml b/teleport-cluster-15.0.1/tests/proxy_serviceaccount_test.yaml similarity index 100% rename from teleport-cluster-14.3.0/tests/proxy_serviceaccount_test.yaml rename to teleport-cluster-15.0.1/tests/proxy_serviceaccount_test.yaml diff --git a/teleport-cluster-14.3.0/tests/psp_test.yaml b/teleport-cluster-15.0.1/tests/psp_test.yaml similarity index 100% rename from teleport-cluster-14.3.0/tests/psp_test.yaml rename to teleport-cluster-15.0.1/tests/psp_test.yaml 
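Review bot: The new case pins only the positive path, that `ingress.enabled: true` with `proxyListenerMode: multiplex` renders two replicas. The values.yaml comment updated in the same change says `proxy.highAvailability.replicaCount: 1` forces a single proxy replica, but nothing in this hunk checks that the ingress path honours that override, so an ingress-specific default could silently ignore it (disregard if another case in this file already covers it). A second `it` with the same `set` block plus `proxy.highAvailability.replicaCount: 1`, asserting `path: spec.replicas` equals `value: 1`, closes that gap.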
diff --git a/teleport-cluster-14.3.0/values.home.yaml b/teleport-cluster-15.0.1/values.home.yaml similarity index 100% rename from teleport-cluster-14.3.0/values.home.yaml rename to teleport-cluster-15.0.1/values.home.yaml diff --git a/teleport-cluster-14.3.0/values.schema.json b/teleport-cluster-15.0.1/values.schema.json similarity index 100% rename from teleport-cluster-14.3.0/values.schema.json rename to teleport-cluster-15.0.1/values.schema.json diff --git a/teleport-cluster-14.3.0/values.yaml b/teleport-cluster-15.0.1/values.yaml similarity index 97% rename from teleport-cluster-14.3.0/values.yaml rename to teleport-cluster-15.0.1/values.yaml index 045802f..e0d234f 100644 --- a/teleport-cluster-14.3.0/values.yaml +++ b/teleport-cluster-15.0.1/values.yaml @@ -264,6 +264,10 @@ operator: # memory: "1Gi" # limits: # memory: "1Gi" + joinMethod: "kubernetes" + token: "teleport-operator" + # This is needed to have a sensible name and predictible service account name. + nameOverride: operator # If true, create & use Pod Security Policy resources # https://kubernetes.io/docs/concepts/policy/pod-security-policy/ @@ -442,7 +446,8 @@ azure: # is not supported with multiple replicas. # For proxy pods: # Proxy pods need to be provided a certificate to be replicated (either via -# `tls.existingSecretName` or via `highAvailability.certManager`). +# `tls.existingSecretName` or via `highAvailability.certManager`) or be exposed +# via an ingress (`ingress.enabled`). # If proxy pods are replicable, they will default to 2 replicas, # even if `highAvailability.replicaCount` is 1. To force a single proxy replica, # set `proxy.highAvailability.replicaCount: 1`. 
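Review bot: The new `operator.token: "teleport-operator"` default ships a fixed, well-known token name with no comment explaining why that is acceptable, and a reader of values.yaml will reasonably ask whether a static join token is being committed. With `joinMethod: "kubernetes"` the name is not a secret: the join is authorized by the operator pod's Kubernetes service account (that is how the chart's own proxy token in the auth ConfigMap works, via `allow: service_account:`), which is also why `nameOverride: operator` needs a predictable service account name; the resource that binds this token name to the operator's service account is not in this hunk, so confirm it is created with `join_method: kubernetes`. The default becomes a real problem only if a user switches `joinMethod` to `token` and keeps the value, which the file should say; suggested lines above `joinMethod`: `# With joinMethod "kubernetes" the token name is not a secret: the join is authorized`, `# by the operator pod's Kubernetes service account, so a predictable name is fine.`, `# Do not reuse this default value with joinMethod "token".` The added comment also misspells "predictable" as "predictible".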
@@ -656,10 +661,20 @@ postStart: # Resources to request for the teleport container # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +# +# DANGER: Setting CPU limits is an anti-pattern and harmful in most cases. +# Unless you enabled [the Static CPU management policy](https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#static-policy), +# a multithreaded workload with CPU limits will very likely not behave the way +# you expect when approaching its CPU limit. +# +# Teleport will become unstable once throttling starts. We recommend not to set CPU limits. +# See [the GitHub PR](https://github.com/gravitational/teleport/pull/36251) for technical details. resources: {} # requests: # cpu: "1" # memory: "2Gi" +# limits: +# memory: "2Gi" # Security context to add to the container securityContext: {} diff --git a/teleport-cluster/.lint/aws-access-monitoring.yaml b/teleport-cluster/.lint/aws-access-monitoring.yaml new file mode 100644 index 0000000..e4c0024 --- /dev/null +++ b/teleport-cluster/.lint/aws-access-monitoring.yaml @@ -0,0 +1,13 @@ +clusterName: test-aws-cluster +chartMode: aws +aws: + region: us-west-2 + backendTable: test-dynamodb-backend-table + sessionRecordingBucket: test-s3-session-storage-bucket + athenaURL: 'athena://db.table?topicArn=arn:aws:sns:region:account_id:topic_name' + + accessMonitoring: + enabled: true + reportResults: "s3://example-athena-long-term/report_results" + roleARN: "arn:aws:iam::123456789012:role/example_AccessMonitoringRole" + workgroup: "example_access_monitoring_workgroup" diff --git a/teleport-cluster/.lint/pod-security-context-empty.yaml b/teleport-cluster/.lint/pod-security-context-empty.yaml new file mode 100644 index 0000000..14ff546 --- /dev/null +++ b/teleport-cluster/.lint/pod-security-context-empty.yaml @@ -0,0 +1 @@ +clusterName: helm-lint 
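Review bot: The new DANGER block tells users to omit CPU limits but does not mention that leaving `limits` out of `resources` is not always enough: a namespace LimitRange with a default CPU limit applies one to the container anyway, so the throttling the comment warns about can still occur in clusters that enforce such defaults (and some policy engines require limits outright). Two lines after the GitHub PR reference would save a confused operator a long debugging session: `# A namespace LimitRange with a default CPU limit still applies one to this container` and `# even when no limit is set here; check the target namespace's defaults.` The memory-only `limits` example added below is consistent with the advice and reads fine.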
diff --git a/teleport-cluster/.lint/pod-security-context.yaml b/teleport-cluster/.lint/pod-security-context.yaml new file mode 100644 index 0000000..50710c4 --- /dev/null +++ b/teleport-cluster/.lint/pod-security-context.yaml @@ -0,0 +1,7 @@ +clusterName: helm-lint +podSecurityContext: + fsGroup: 99 + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 99 + runAsNonRoot: true + runAsUser: 99 diff --git a/teleport-cluster/.lint/session-recording-off.yaml b/teleport-cluster/.lint/session-recording-off.yaml new file mode 100644 index 0000000..20ee1ba --- /dev/null +++ b/teleport-cluster/.lint/session-recording-off.yaml @@ -0,0 +1,2 @@ +clusterName: helm-lint +sessionRecording: "off" diff --git a/teleport-cluster/Chart.yaml b/teleport-cluster/Chart.yaml index 8f4176c..004e4ec 100644 --- a/teleport-cluster/Chart.yaml +++ b/teleport-cluster/Chart.yaml @@ -1,14 +1,13 @@ apiVersion: v2 -appVersion: 15.0.1 +appVersion: 15.3.3 dependencies: - alias: operator - condition: installCRDs,operator.enabled name: teleport-operator repository: "" - version: 15.0.1 + version: 15.3.3 description: Teleport is an access platform for your infrastructure -icon: https://goteleport.com/images/logos/logo-teleport-square.svg +icon: https://goteleport.com/static/teleport-symbol-bimi.svg keywords: - Teleport name: teleport-cluster -version: 15.0.1 +version: 15.3.3 diff --git a/teleport-cluster/charts/teleport-operator/Chart.yaml b/teleport-cluster/charts/teleport-operator/Chart.yaml index 11eac1a..66ff53e 100644 --- a/teleport-cluster/charts/teleport-operator/Chart.yaml +++ b/teleport-cluster/charts/teleport-operator/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: 15.0.1 +appVersion: 15.3.3 description: Teleport Operator provides management of select Teleport resources. -icon: https://goteleport.com/images/logos/logo-teleport-square.svg +icon: https://goteleport.com/static/teleport-symbol-bimi.svg keywords: - Teleport name: teleport-operator -version: 15.0.1 +version: 15.3.3 
diff --git a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_accesslists.yaml b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_accesslists.yaml new file mode 100644 index 0000000..f73fc63 --- /dev/null +++ b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_accesslists.yaml 
@@ -0,0 +1,278 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: teleportaccesslists.resources.teleport.dev +spec: + group: resources.teleport.dev + names: + kind: TeleportAccessList + listKind: TeleportAccessListList + plural: teleportaccesslists + shortNames: + - accesslist + - accesslists + singular: teleportaccesslist + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: AccessList is the Schema for the accesslists API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AccessList resource definition v1 from Teleport + properties: + audit: + description: audit describes the frequency that this access list must + be audited. + nullable: true + properties: + next_audit_date: + description: next_audit_date is when the next audit date should + be done by. + format: date-time + type: string + notifications: + description: notifications is the configuration for notifying + users. + nullable: true + properties: + start: + description: start specifies when to start notifying users + that the next audit date is coming up. 
+ format: duration + type: string + type: object + recurrence: + description: recurrence is the recurrence definition + nullable: true + properties: + day_of_month: + description: day_of_month is the day of month that reviews + will be scheduled on. Supported values are 0, 1, 15, and + 31. + x-kubernetes-int-or-string: true + frequency: + description: frequency is the frequency of reviews. This represents + the period in months between two reviews. Supported values + are 0, 1, 3, 6, and 12. + x-kubernetes-int-or-string: true + type: object + type: object + description: + description: description is an optional plaintext description of the + access list. + type: string + grants: + description: grants describes the access granted by membership to + this access list. + nullable: true + properties: + roles: + description: roles are the roles that are granted to users who + are members of the access list. + items: + type: string + nullable: true + type: array + traits: + additionalProperties: + items: + type: string + type: array + description: traits are the traits that are granted to users who + are members of the access list. + type: object + type: object + membership_requires: + description: membership_requires describes the requirements for a + user to be a member of the access list. For a membership to an access + list to be effective, the user must meet the requirements of Membership_requires + and must be in the members list. + nullable: true + properties: + roles: + description: roles are the user roles that must be present for + the user to obtain access. + items: + type: string + nullable: true + type: array + traits: + additionalProperties: + items: + type: string + type: array + description: traits are the traits that must be present for the + user to obtain access. + type: object + type: object + owner_grants: + description: owner_grants describes the access granted by owners to + this access list. 
+ nullable: true + properties: + roles: + description: roles are the roles that are granted to users who + are members of the access list. + items: + type: string + nullable: true + type: array + traits: + additionalProperties: + items: + type: string + type: array + description: traits are the traits that are granted to users who + are members of the access list. + type: object + type: object + owners: + description: owners is a list of owners of the access list. + items: + properties: + description: + description: description is the plaintext description of the + owner and why they are an owner. + type: string + ineligible_status: + description: ineligible_status describes if this owner is eligible + or not and if not, describes how they're lacking eligibility. + x-kubernetes-int-or-string: true + name: + description: name is the username of the owner. + type: string + type: object + nullable: true + type: array + ownership_requires: + description: ownership_requires describes the requirements for a user + to be an owner of the access list. For ownership of an access list + to be effective, the user must meet the requirements of ownership_requires + and must be in the owners list. + nullable: true + properties: + roles: + description: roles are the user roles that must be present for + the user to obtain access. + items: + type: string + nullable: true + type: array + traits: + additionalProperties: + items: + type: string + type: array + description: traits are the traits that must be present for the + user to obtain access. + type: object + type: object + title: + description: title is a plaintext short description of the access + list. 
+ type: string + type: object + status: + description: Status defines the observed state of the Teleport resource + properties: + conditions: + description: Conditions represent the latest available observations + of an object's state + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. 
+ Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + teleportResourceID: + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/teleport-cluster-14.3.0/charts/teleport-operator/templates/resources.teleport.dev_githubconnectors.yaml b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_githubconnectors.yaml similarity index 61% rename from teleport-cluster-14.3.0/charts/teleport-operator/templates/resources.teleport.dev_githubconnectors.yaml rename to teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_githubconnectors.yaml index 40bbc08..78f55c6 100644 --- a/teleport-cluster-14.3.0/charts/teleport-operator/templates/resources.teleport.dev_githubconnectors.yaml 
+++ b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_githubconnectors.yaml @@ -42,6 +42,20 @@ spec: client_id: description: ClientID is the Github OAuth app client ID. type: string + client_redirect_settings: + description: ClientRedirectSettings defines which client redirect + URLs are allowed for non-browser SSO logins other than the standard + localhost ones. + nullable: true + properties: + allowed_https_hostnames: + description: a list of hostnames allowed for https client redirect + URLs + items: + type: string + nullable: true + type: array + type: object client_secret: description: ClientSecret is the Github OAuth app client secret. type: string 
@@ -78,50 +92,49 @@ spec: type: array type: object status: - description: TeleportGithubConnectorStatus defines the observed state - of TeleportGithubConnector + description: Status defines the observed state of the Teleport resource properties: conditions: description: Conditions represent the latest available observations of an object's state items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. 
+ description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -135,11 +148,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/teleport-cluster-14.3.0/charts/teleport-operator/templates/resources.teleport.dev_loginrules.yaml b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_loginrules.yaml similarity index 62% rename from teleport-cluster-14.3.0/charts/teleport-operator/templates/resources.teleport.dev_loginrules.yaml rename to teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_loginrules.yaml index 7b5adc6..7b5928c 100644 --- a/teleport-cluster-14.3.0/charts/teleport-operator/templates/resources.teleport.dev_loginrules.yaml +++ b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_loginrules.yaml 
@@ -57,48 +57,49 @@ spec: type: object type: object status: + description: Status defines the observed state of the Teleport resource properties: conditions: description: Conditions represent the latest available observations of an object's state items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. 
If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -112,11 +113,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/teleport-cluster-14.3.0/charts/teleport-operator/templates/resources.teleport.dev_oidcconnectors.yaml b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_oidcconnectors.yaml similarity index 69% rename from teleport-cluster-14.3.0/charts/teleport-operator/templates/resources.teleport.dev_oidcconnectors.yaml rename to teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_oidcconnectors.yaml index 1dc0e16..aa3486d 100644 --- a/teleport-cluster-14.3.0/charts/teleport-operator/templates/resources.teleport.dev_oidcconnectors.yaml +++ b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_oidcconnectors.yaml 
@@ -67,6 +67,20 @@ spec: description: ClientID is the id of the authentication client (Teleport Auth server). type: string + client_redirect_settings: + description: ClientRedirectSettings defines which client redirect + URLs are allowed for non-browser SSO logins other than the standard + localhost ones. + nullable: true + properties: + allowed_https_hostnames: + description: a list of hostnames allowed for https client redirect + URLs + items: + type: string + nullable: true + type: array + type: object client_secret: description: ClientSecret is used to authenticate the client. type: string 
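Review bot: The new `allowed_https_hostnames` entries are unconstrained strings (`items: type: string` with no `pattern`, `minLength` or `maxItems`), so the API server will admit an empty string or a value carrying a scheme, port or path, and whatever an allowed redirect host means for the SSO flow then rests entirely on the operator and auth server validating it after admission. The description should also say whether an entry is an exact hostname or a pattern; as written a reader cannot tell which. This file appears to be controller-gen output (the `Condition` boilerplate in the following hunks is the apimachinery text), so the constraint and the wording belong on the Go field as a doc comment plus `+kubebuilder:validation:Pattern` / `+kubebuilder:validation:MinLength` markers rather than as an edit to this YAML.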
@@ -123,50 +137,49 @@ spec: type: string type: object status: - description: TeleportOIDCConnectorStatus defines the observed state of - TeleportOIDCConnector + description: Status defines the observed state of the Teleport resource properties: conditions: description: Conditions represent the latest available observations of an object's state items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. 
+ description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -180,11 +193,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/teleport-cluster-14.3.0/charts/teleport-operator/templates/resources.teleport.dev_oktaimportrules.yaml b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_oktaimportrules.yaml similarity index 69% rename from teleport-cluster-14.3.0/charts/teleport-operator/templates/resources.teleport.dev_oktaimportrules.yaml rename to teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_oktaimportrules.yaml index 071d628..f6077e4 100644 --- a/teleport-cluster-14.3.0/charts/teleport-operator/templates/resources.teleport.dev_oktaimportrules.yaml +++ b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_oktaimportrules.yaml 
@@ -95,48 +95,49 @@ spec: type: integer type: object status: + description: Status defines the observed state of the Teleport resource properties: conditions: description: Conditions represent the latest available observations of an object's state items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. 
If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -150,11 +151,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_openssheiceserversv2.yaml b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_openssheiceserversv2.yaml new file mode 100644 index 0000000..c2d28a5 --- /dev/null +++ b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_openssheiceserversv2.yaml 
@@ -0,0 +1,262 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: teleportopenssheiceserversv2.resources.teleport.dev +spec: + group: resources.teleport.dev + names: + kind: TeleportOpenSSHEICEServerV2 + listKind: TeleportOpenSSHEICEServerV2List + plural: teleportopenssheiceserversv2 + shortNames: + - openssheiceserverv2 + - openssheiceserversv2 + singular: teleportopenssheiceserverv2 + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Server hostname + jsonPath: .spec.hostname + name: Hostname + type: string + - description: Server address, with SSH port. + jsonPath: .spec.addr + name: Address + type: string + - description: The age of this resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: OpenSSHEICEServerV2 is the Schema for the openssheiceserversv2 + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: OpenSSHEICEServer resource definition v2 from Teleport + properties: + addr: + description: Addr is a host:port address where this server can be + reached. + type: string + cloud_metadata: + description: CloudMetadata contains info about the cloud instance + the server is running on, if any. 
+ nullable: true + properties: + aws: + description: AWSInfo contains attributes to match to an EC2 instance. + nullable: true + properties: + account_id: + description: AccountID is an AWS account ID. + type: string + instance_id: + description: InstanceID is an EC2 instance ID. + type: string + integration: + description: Integration is the integration name that added + this Node. When connecting to it, it will use this integration + to issue AWS API calls in order to set up the connection. + This includes sending an SSH Key and then opening a tunnel + (EC2 Instance Connect Endpoint) so Teleport can connect + to it. + type: string + region: + description: Region is the AWS EC2 Instance Region. + type: string + subnet_id: + description: SubnetID is the Subnet ID in use by the instance. + type: string + vpc_id: + description: VPCID is the AWS VPC ID where the Instance is + running. + type: string + type: object + type: object + hostname: + description: Hostname is server hostname + type: string + peer_addr: + description: PeerAddr is the address a proxy server is reachable at + by its peer proxies. + type: string + proxy_ids: + description: ProxyIDs is a list of proxy IDs this server is expected + to be connected to. + items: + type: string + nullable: true + type: array + public_addrs: + description: PublicAddrs is a list of public addresses where this + server can be reached. + items: + type: string + nullable: true + type: array + rotation: + description: Rotation specifies server rotation + properties: + current_id: + description: CurrentID is the ID of the rotation operation to + differentiate between rotation attempts. + type: string + grace_period: + description: GracePeriod is a period during which old and new + CA are valid for checking purposes, but only new CA is issuing + certificates. + format: duration + type: string + last_rotated: + description: LastRotated specifies the last time of the completed + rotation. 
+ format: date-time + type: string + mode: + description: Mode sets manual or automatic rotation mode. + type: string + phase: + description: Phase is the current rotation phase. + type: string + schedule: + description: Schedule is a rotation schedule - used in automatic + mode to switch between phases. + properties: + standby: + description: Standby specifies time to switch to the "Standby" + phase. + format: date-time + type: string + update_clients: + description: UpdateClients specifies time to switch to the + "Update clients" phase + format: date-time + type: string + update_servers: + description: UpdateServers specifies time to switch to the + "Update servers" phase. + format: date-time + type: string + type: object + started: + description: Started is set to the time when rotation has been + started in case if the state of the rotation is "in_progress". + format: date-time + type: string + state: + description: State could be one of "init" or "in_progress". + type: string + type: object + use_tunnel: + description: UseTunnel indicates that connections to this server should + occur over a reverse tunnel. + type: boolean + version: + description: TeleportVersion is the teleport version that the server + is running on + type: string + type: object + status: + description: Status defines the observed state of the Teleport resource + properties: + conditions: + description: Conditions represent the latest available observations + of an object's state + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. 
For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + teleportResourceID: + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_opensshserversv2.yaml b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_opensshserversv2.yaml new file mode 100644 index 0000000..d9aaf70 --- /dev/null +++ b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_opensshserversv2.yaml 
@@ -0,0 +1,261 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: teleportopensshserversv2.resources.teleport.dev +spec: + group: resources.teleport.dev + names: + kind: TeleportOpenSSHServerV2 + listKind: TeleportOpenSSHServerV2List + plural: teleportopensshserversv2 + shortNames: + - opensshserverv2 + - opensshserversv2 + singular: teleportopensshserverv2 + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Server hostname + jsonPath: .spec.hostname + name: Hostname + type: string + - description: Server address, with SSH port. + jsonPath: .spec.addr + name: Address + type: string + - description: The age of this resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: OpenSSHServerV2 is the Schema for the opensshserversv2 API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: OpenSSHServer resource definition v2 from Teleport + properties: + addr: + description: Addr is a host:port address where this server can be + reached. + type: string + cloud_metadata: + description: CloudMetadata contains info about the cloud instance + the server is running on, if any. 
+ nullable: true + properties: + aws: + description: AWSInfo contains attributes to match to an EC2 instance. + nullable: true + properties: + account_id: + description: AccountID is an AWS account ID. + type: string + instance_id: + description: InstanceID is an EC2 instance ID. + type: string + integration: + description: Integration is the integration name that added + this Node. When connecting to it, it will use this integration + to issue AWS API calls in order to set up the connection. + This includes sending an SSH Key and then opening a tunnel + (EC2 Instance Connect Endpoint) so Teleport can connect + to it. + type: string + region: + description: Region is the AWS EC2 Instance Region. + type: string + subnet_id: + description: SubnetID is the Subnet ID in use by the instance. + type: string + vpc_id: + description: VPCID is the AWS VPC ID where the Instance is + running. + type: string + type: object + type: object + hostname: + description: Hostname is server hostname + type: string + peer_addr: + description: PeerAddr is the address a proxy server is reachable at + by its peer proxies. + type: string + proxy_ids: + description: ProxyIDs is a list of proxy IDs this server is expected + to be connected to. + items: + type: string + nullable: true + type: array + public_addrs: + description: PublicAddrs is a list of public addresses where this + server can be reached. + items: + type: string + nullable: true + type: array + rotation: + description: Rotation specifies server rotation + properties: + current_id: + description: CurrentID is the ID of the rotation operation to + differentiate between rotation attempts. + type: string + grace_period: + description: GracePeriod is a period during which old and new + CA are valid for checking purposes, but only new CA is issuing + certificates. + format: duration + type: string + last_rotated: + description: LastRotated specifies the last time of the completed + rotation. 
+ format: date-time + type: string + mode: + description: Mode sets manual or automatic rotation mode. + type: string + phase: + description: Phase is the current rotation phase. + type: string + schedule: + description: Schedule is a rotation schedule - used in automatic + mode to switch between phases. + properties: + standby: + description: Standby specifies time to switch to the "Standby" + phase. + format: date-time + type: string + update_clients: + description: UpdateClients specifies time to switch to the + "Update clients" phase + format: date-time + type: string + update_servers: + description: UpdateServers specifies time to switch to the + "Update servers" phase. + format: date-time + type: string + type: object + started: + description: Started is set to the time when rotation has been + started in case if the state of the rotation is "in_progress". + format: date-time + type: string + state: + description: State could be one of "init" or "in_progress". + type: string + type: object + use_tunnel: + description: UseTunnel indicates that connections to this server should + occur over a reverse tunnel. + type: boolean + version: + description: TeleportVersion is the teleport version that the server + is running on + type: string + type: object + status: + description: Status defines the observed state of the Teleport resource + properties: + conditions: + description: Conditions represent the latest available observations + of an object's state + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. 
For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + teleportResourceID: + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/teleport-cluster-14.3.0/charts/teleport-operator/templates/resources.teleport.dev_provisiontokens.yaml b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_provisiontokens.yaml similarity index 78% rename from teleport-cluster-14.3.0/charts/teleport-operator/templates/resources.teleport.dev_provisiontokens.yaml rename to teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_provisiontokens.yaml index dda4dd5..a325de7 100644 --- a/teleport-cluster-14.3.0/charts/teleport-operator/templates/resources.teleport.dev_provisiontokens.yaml +++ b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_provisiontokens.yaml 
@@ -15,7 +15,20 @@ spec: singular: teleportprovisiontoken scope: Namespaced versions: - - name: v2 + - additionalPrinterColumns: + - description: Token join method. + jsonPath: .spec.join_method + name: Join Method + type: string + - description: System roles granted by this token. + jsonPath: .spec.roles + name: System Roles + type: string + - description: The age of this resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2 schema: openAPIV3Schema: description: ProvisionToken is the Schema for the provisiontokens API @@ -189,7 +202,7 @@ spec: enterprise if this is enabled. If this is not enabled, then this field must be left empty. This field cannot be specified if `enterprise_server_host` is specified. See https://docs.github.com/en/enterprise-cloud@latest/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#customizing-the-issuer-value-for-an-enterprise - for more information about customised issuer values. + for more information about customized issuer values. type: string type: object gitlab: 
@@ -328,52 +341,82 @@ spec: set when using this token to enroll themselves in the cluster. Currently, only node-join scripts create a configuration according to the suggestion. type: object + tpm: + description: TPM allows the configuration of options specific to the + "tpm" join method. + nullable: true + properties: + allow: + description: Allow is a list of Rules, the presented delegated + identity must match one allow rule to permit joining. + items: + properties: + description: + type: string + ek_certificate_serial: + type: string + ek_public_hash: + type: string + type: object + nullable: true + type: array + ekcert_allowed_cas: + description: EKCertAllowedCAs is a list of CA certificates that + will be used to validate TPM EKCerts. When specified, joining + TPMs must present an EKCert signed by one of the specified CAs. + TPMs that do not present an EKCert will be not permitted to + join. When unspecified, TPMs will be allowed to join with either + an EKCert or an EKPubHash. + items: + type: string + nullable: true + type: array + type: object type: object status: - description: TeleportProvisionTokenStatus defines the observed state of - TeleportProvisionToken + description: Status defines the observed state of the Teleport resource properties: conditions: description: Conditions represent the latest available observations of an object's state items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. 
// Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. 
For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -387,11 +430,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/teleport-cluster-14.3.0/charts/teleport-operator/templates/resources.teleport.dev_roles.yaml b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml similarity index 83% rename from teleport-cluster-14.3.0/charts/teleport-operator/templates/resources.teleport.dev_roles.yaml rename to teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml index f02463b..02dae56 100644 --- a/teleport-cluster-14.3.0/charts/teleport-operator/templates/resources.teleport.dev_roles.yaml +++ b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml 
@@ -86,6 +86,28 @@ spec: type: string nullable: true type: array + db_permissions: + description: DatabasePermissions specifies a set of permissions + that will be granted to the database user when using automatic + database user provisioning. + items: + properties: + match: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: Match is a list of object labels that must + be matched for the permission to be granted. + type: object + permissions: + description: Permission is the list of string representations + of the permission to be given, e.g. SELECT, INSERT, UPDATE, + ... + items: + type: string + nullable: true + type: array + type: object + type: array db_roles: description: DatabaseRoles is a list of databases roles for automatic user creation. @@ -281,7 +303,7 @@ spec: a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, they also offer a mechanism for forwarding claims from an - external identity provider, to a plugin via {{ `{{external.trait_name}}` }} + external identity provider, to a plugin via `{{external.trait_name}}` style substitutions. type: object claims_to_roles: 
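Review bot: The `match` field added under `db_permissions` is typed as an object map with `x-kubernetes-preserve-unknown-fields`, but its description calls it "a list of object labels", which contradicts the schema and the sibling `db_labels` map; the wording should follow the schema, `description: Match is a map of object labels that must be matched for the permission to be granted.` The `permissions` array is unconstrained, which is expected for database-specific grant names, but nothing in the item schema requires `match`, so an entry with permissions and no labels is schema-valid; whether the operator or server treats that as "match everything" is not visible here and is worth confirming before relying on the CRD to catch it. The same block recurs at `@@ -547,6 +612,28 @@`, `@@ -1283,6 +1418,28 @@` and `@@ -1744,6 +1944,28 @@` and in the new rolesv6 file, so the fix belongs in the upstream type comment these CRDs appear to be generated from.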
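Review bot: Dropping the `{{ `...` }}` wrapper around `{{external.trait_name}}` is only safe if these files no longer pass through Helm's template engine; the file header shows the move from `templates/` to `operator-crds/`, which suggests that, but any code path that still renders them with `tpl` would now treat `{{external.trait_name}}` as a Go template action and fail to render. It is worth confirming how the chart installs files from `operator-crds/` (for example `.Files.Get` without `tpl`) and that a `helm template` render of the operator subchart is covered by the unit tests. The same change appears at `@@ -742,7 +829,7 @@`, `@@ -1478,7 +1635,7 @@` and `@@ -1939,7 +2161,7 @@`.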
@@ -474,6 +496,49 @@ spec: type: string type: object type: array + spiffe: + description: SPIFFE is used to allow or deny access to a role + holder to generating a SPIFFE SVID. + items: + properties: + dns_sans: + description: 'DNSSANs specifies matchers for the SPIFFE + ID DNS SANs. Each requested DNS SAN is compared against + all matchers configured and if any match, the condition + is considered to be met. The matcher by default allows + ''*'' to be used to indicate zero or more of any character. + Prepend ''^'' and append ''$'' to instead switch to matching + using the Go regex syntax. Example: *.example.com would + match foo.example.com' + items: + type: string + nullable: true + type: array + ip_sans: + description: 'IPSANs specifies matchers for the SPIFFE ID + IP SANs. Each requested IP SAN is compared against all + matchers configured and if any match, the condition is + considered to be met. The matchers should be specified + using CIDR notation, it supports IPv4 and IPv6. Examples: + - 10.0.0.0/24 would match 10.0.0.0 to 10.255.255.255 - + 10.0.0.42/32 would match only 10.0.0.42' + items: + type: string + nullable: true + type: array + path: + description: 'Path specifies a matcher for the SPIFFE ID + path. It should not include the trust domain and should + start with a leading slash. The matcher by default allows + ''*'' to be used to indicate zero or more of any character. + Prepend ''^'' and append ''$'' to instead switch to matching + using the Go regex syntax. Example: - /svc/foo/*/bar + would match /svc/foo/baz/bar - ^\/svc\/foo\/.*\/bar$ would + match /svc/foo/baz/bar' + type: string + type: object + nullable: true + type: array windows_desktop_labels: additionalProperties: x-kubernetes-preserve-unknown-fields: true 
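Review bot: The example in the new `ip_sans` description is wrong: `10.0.0.0/24` covers 10.0.0.0 to 10.0.0.255, not 10.0.0.0 to 10.255.255.255, which is the /8 range, and since operators copy such examples into access policies it should read `- 10.0.0.0/8 would match 10.0.0.0 to 10.255.255.255` (or keep /24 and correct the upper bound). The `ip_sans` items also carry no `format`, so a malformed CIDR in a role is accepted by the CRD and caught, if at all, only by the Teleport API; `format: cidr` is among the formats apiextensions validates and would reject it at admission, provided the matcher accepts nothing but CIDR notation as the description states. The same block is repeated at `@@ -935,6 +1022,49 @@`, `@@ -1671,6 +1828,49 @@` and `@@ -2132,6 +2354,49 @@`, and the fix belongs in the upstream source these CRDs appear to be generated from.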
@@ -547,6 +612,28 @@ spec: type: string nullable: true type: array + db_permissions: + description: DatabasePermissions specifies a set of permissions + that will be granted to the database user when using automatic + database user provisioning. + items: + properties: + match: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: Match is a list of object labels that must + be matched for the permission to be granted. + type: object + permissions: + description: Permission is the list of string representations + of the permission to be given, e.g. SELECT, INSERT, UPDATE, + ... + items: + type: string + nullable: true + type: array + type: object + type: array db_roles: description: DatabaseRoles is a list of databases roles for automatic user creation. @@ -742,7 +829,7 @@ spec: a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, they also offer a mechanism for forwarding claims from an - external identity provider, to a plugin via {{ `{{external.trait_name}}` }} + external identity provider, to a plugin via `{{external.trait_name}}` style substitutions. type: object claims_to_roles: 
@@ -935,6 +1022,49 @@ spec: type: string type: object type: array + spiffe: + description: SPIFFE is used to allow or deny access to a role + holder to generating a SPIFFE SVID. + items: + properties: + dns_sans: + description: 'DNSSANs specifies matchers for the SPIFFE + ID DNS SANs. Each requested DNS SAN is compared against + all matchers configured and if any match, the condition + is considered to be met. The matcher by default allows + ''*'' to be used to indicate zero or more of any character. + Prepend ''^'' and append ''$'' to instead switch to matching + using the Go regex syntax. Example: *.example.com would + match foo.example.com' + items: + type: string + nullable: true + type: array + ip_sans: + description: 'IPSANs specifies matchers for the SPIFFE ID + IP SANs. Each requested IP SAN is compared against all + matchers configured and if any match, the condition is + considered to be met. The matchers should be specified + using CIDR notation, it supports IPv4 and IPv6. Examples: + - 10.0.0.0/24 would match 10.0.0.0 to 10.255.255.255 - + 10.0.0.42/32 would match only 10.0.0.42' + items: + type: string + nullable: true + type: array + path: + description: 'Path specifies a matcher for the SPIFFE ID + path. It should not include the trust domain and should + start with a leading slash. The matcher by default allows + ''*'' to be used to indicate zero or more of any character. + Prepend ''^'' and append ''$'' to instead switch to matching + using the Go regex syntax. Example: - /svc/foo/*/bar + would match /svc/foo/baz/bar - ^\/svc\/foo\/.*\/bar$ would + match /svc/foo/baz/bar' + type: string + type: object + nullable: true + type: array windows_desktop_labels: additionalProperties: x-kubernetes-preserve-unknown-fields: true 
@@ -962,7 +1092,7 @@ spec: properties: mode: description: Mode is the type of extension to be used -- - currently critical-option is not supported + currently critical-option is not supported. 0 is "extension". x-kubernetes-int-or-string: true name: description: Name specifies the key to be used in the cert @@ -970,7 +1100,7 @@ spec: type: string type: description: Type represents the certificate type being - extended, only ssh is supported at this time. + extended, only ssh is supported at this time. 0 is "ssh". x-kubernetes-int-or-string: true value: description: Value specifies the value to be used in the @@ -995,7 +1125,8 @@ spec: type: boolean create_db_user_mode: description: CreateDatabaseUserMode allows users to be automatically - created on a database when not set to off. + created on a database when not set to off. 0 is "unspecified", + 1 is "off", 2 is "keep", 3 is "best_effort_drop". x-kubernetes-int-or-string: true create_desktop_user: description: CreateDesktopUser allows users to be automatically @@ -1007,7 +1138,9 @@ spec: type: boolean create_host_user_mode: description: CreateHostUserMode allows users to be automatically - created on a host when not set to off + created on a host when not set to off. 0 is "unspecified"; 1 + is "off"; 2 is "drop" (removed for v15 and above), 3 is "keep"; + 4 is "insecure-drop". x-kubernetes-int-or-string: true desktop_clipboard: description: DesktopClipboard indicates whether clipboard sharing @@ -1118,7 +1251,8 @@ spec: type: string require_session_mfa: description: RequireMFAType is the type of MFA requirement enforced - for this user. + for this user. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", + 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN". x-kubernetes-int-or-string: true ssh_file_copy: description: SSHFileCopy indicates whether remote file operations 
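Review bot: The new descriptions on `create_db_user_mode`, `create_host_user_mode` and `require_session_mfa` document integer encodings, but the fields stay `x-kubernetes-int-or-string` with no `enum`, so an out-of-range integer or a misspelled string remains schema-valid and only the Teleport API can reject it; documenting the numeric mappings without constraining them also invites bare integers in role manifests, which are harder to review than `"keep"` or `"SESSION"` for a security-relevant setting. `create_host_user_mode` additionally lists `2 is "drop" (removed for v15 and above)`, so a manifest using that value passes admission and presumably fails only at reconcile time; a sentence stating that the string form is preferred and that `drop` is not accepted by v15+ servers would make that visible to the reader. The lists are also punctuated inconsistently (commas in one, semicolons in the next), and the same hunks recur from `@@ -2159,7 +2424,7 @@` through `@@ -2315,7 +2583,8 @@`.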
@@ -1128,49 +1262,49 @@ spec: type: object type: object status: - description: TeleportRoleStatus defines the observed state of TeleportRole + description: Status defines the observed state of the Teleport resource properties: conditions: description: Conditions represent the latest available observations of an object's state items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. 
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -1184,11 +1318,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -1283,6 +1418,28 @@ spec: type: string nullable: true type: array + db_permissions: + description: DatabasePermissions specifies a set of permissions + that will be granted to the database user when using automatic + database user provisioning. + items: + properties: + match: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: Match is a list of object labels that must + be matched for the permission to be granted. + type: object + permissions: + description: Permission is the list of string representations + of the permission to be given, e.g. SELECT, INSERT, UPDATE, + ... + items: + type: string + nullable: true + type: array + type: object + type: array db_roles: description: DatabaseRoles is a list of databases roles for automatic user creation. 
@@ -1478,7 +1635,7 @@ spec: a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, they also offer a mechanism for forwarding claims from an - external identity provider, to a plugin via {{ `{{external.trait_name}}` }} + external identity provider, to a plugin via `{{external.trait_name}}` style substitutions. type: object claims_to_roles: 
@@ -1671,6 +1828,49 @@ spec: type: string type: object type: array + spiffe: + description: SPIFFE is used to allow or deny access to a role + holder to generating a SPIFFE SVID. + items: + properties: + dns_sans: + description: 'DNSSANs specifies matchers for the SPIFFE + ID DNS SANs. Each requested DNS SAN is compared against + all matchers configured and if any match, the condition + is considered to be met. The matcher by default allows + ''*'' to be used to indicate zero or more of any character. + Prepend ''^'' and append ''$'' to instead switch to matching + using the Go regex syntax. Example: *.example.com would + match foo.example.com' + items: + type: string + nullable: true + type: array + ip_sans: + description: 'IPSANs specifies matchers for the SPIFFE ID + IP SANs. Each requested IP SAN is compared against all + matchers configured and if any match, the condition is + considered to be met. The matchers should be specified + using CIDR notation, it supports IPv4 and IPv6. Examples: + - 10.0.0.0/24 would match 10.0.0.0 to 10.255.255.255 - + 10.0.0.42/32 would match only 10.0.0.42' + items: + type: string + nullable: true + type: array + path: + description: 'Path specifies a matcher for the SPIFFE ID + path. It should not include the trust domain and should + start with a leading slash. The matcher by default allows + ''*'' to be used to indicate zero or more of any character. + Prepend ''^'' and append ''$'' to instead switch to matching + using the Go regex syntax. Example: - /svc/foo/*/bar + would match /svc/foo/baz/bar - ^\/svc\/foo\/.*\/bar$ would + match /svc/foo/baz/bar' + type: string + type: object + nullable: true + type: array windows_desktop_labels: additionalProperties: x-kubernetes-preserve-unknown-fields: true 
@@ -1744,6 +1944,28 @@ spec: type: string nullable: true type: array + db_permissions: + description: DatabasePermissions specifies a set of permissions + that will be granted to the database user when using automatic + database user provisioning. + items: + properties: + match: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: Match is a list of object labels that must + be matched for the permission to be granted. + type: object + permissions: + description: Permission is the list of string representations + of the permission to be given, e.g. SELECT, INSERT, UPDATE, + ... + items: + type: string + nullable: true + type: array + type: object + type: array db_roles: description: DatabaseRoles is a list of databases roles for automatic user creation. @@ -1939,7 +2161,7 @@ spec: a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, they also offer a mechanism for forwarding claims from an - external identity provider, to a plugin via {{ `{{external.trait_name}}` }} + external identity provider, to a plugin via `{{external.trait_name}}` style substitutions. type: object claims_to_roles: 
@@ -2132,6 +2354,49 @@ spec: type: string type: object type: array + spiffe: + description: SPIFFE is used to allow or deny access to a role + holder to generating a SPIFFE SVID. + items: + properties: + dns_sans: + description: 'DNSSANs specifies matchers for the SPIFFE + ID DNS SANs. Each requested DNS SAN is compared against + all matchers configured and if any match, the condition + is considered to be met. The matcher by default allows + ''*'' to be used to indicate zero or more of any character. + Prepend ''^'' and append ''$'' to instead switch to matching + using the Go regex syntax. Example: *.example.com would + match foo.example.com' + items: + type: string + nullable: true + type: array + ip_sans: + description: 'IPSANs specifies matchers for the SPIFFE ID + IP SANs. Each requested IP SAN is compared against all + matchers configured and if any match, the condition is + considered to be met. The matchers should be specified + using CIDR notation, it supports IPv4 and IPv6. Examples: + - 10.0.0.0/24 would match 10.0.0.0 to 10.255.255.255 - + 10.0.0.42/32 would match only 10.0.0.42' + items: + type: string + nullable: true + type: array + path: + description: 'Path specifies a matcher for the SPIFFE ID + path. It should not include the trust domain and should + start with a leading slash. The matcher by default allows + ''*'' to be used to indicate zero or more of any character. + Prepend ''^'' and append ''$'' to instead switch to matching + using the Go regex syntax. Example: - /svc/foo/*/bar + would match /svc/foo/baz/bar - ^\/svc\/foo\/.*\/bar$ would + match /svc/foo/baz/bar' + type: string + type: object + nullable: true + type: array windows_desktop_labels: additionalProperties: x-kubernetes-preserve-unknown-fields: true 
@@ -2159,7 +2424,7 @@ spec: properties: mode: description: Mode is the type of extension to be used -- - currently critical-option is not supported + currently critical-option is not supported. 0 is "extension". x-kubernetes-int-or-string: true name: description: Name specifies the key to be used in the cert @@ -2167,7 +2432,7 @@ spec: type: string type: description: Type represents the certificate type being - extended, only ssh is supported at this time. + extended, only ssh is supported at this time. 0 is "ssh". x-kubernetes-int-or-string: true value: description: Value specifies the value to be used in the @@ -2192,7 +2457,8 @@ spec: type: boolean create_db_user_mode: description: CreateDatabaseUserMode allows users to be automatically - created on a database when not set to off. + created on a database when not set to off. 0 is "unspecified", + 1 is "off", 2 is "keep", 3 is "best_effort_drop". x-kubernetes-int-or-string: true create_desktop_user: description: CreateDesktopUser allows users to be automatically @@ -2204,7 +2470,9 @@ spec: type: boolean create_host_user_mode: description: CreateHostUserMode allows users to be automatically - created on a host when not set to off + created on a host when not set to off. 0 is "unspecified"; 1 + is "off"; 2 is "drop" (removed for v15 and above), 3 is "keep"; + 4 is "insecure-drop". x-kubernetes-int-or-string: true desktop_clipboard: description: DesktopClipboard indicates whether clipboard sharing @@ -2315,7 +2583,8 @@ spec: type: string require_session_mfa: description: RequireMFAType is the type of MFA requirement enforced - for this user. + for this user. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", + 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN". x-kubernetes-int-or-string: true ssh_file_copy: description: SSHFileCopy indicates whether remote file operations 
@@ -2325,49 +2594,49 @@ spec: type: object type: object status: - description: TeleportRoleStatus defines the observed state of TeleportRole + description: Status defines the observed state of the Teleport resource properties: conditions: description: Conditions represent the latest available observations of an object's state items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. 
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -2381,11 +2650,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv6.yaml b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv6.yaml new file mode 100644 index 0000000..6600f60 --- /dev/null +++ b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv6.yaml 
@@ -0,0 +1,1355 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: teleportrolesv6.resources.teleport.dev +spec: + group: resources.teleport.dev + names: + kind: TeleportRoleV6 + listKind: TeleportRoleV6List + plural: teleportrolesv6 + shortNames: + - rolev6 + - rolesv6 + singular: teleportrolev6 + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: RoleV6 is the Schema for the rolesv6 API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Role resource definition v6 from Teleport + properties: + allow: + description: Allow is the set of conditions evaluated to grant access. + properties: + app_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: AppLabels is a map of labels used as part of the + RBAC system. + type: object + app_labels_expression: + description: AppLabelsExpression is a predicate expression used + to allow/deny access to Apps. + type: string + aws_role_arns: + description: AWSRoleARNs is a list of AWS role ARNs this role + is allowed to assume. + items: + type: string + nullable: true + type: array + azure_identities: + description: AzureIdentities is a list of Azure identities this + role is allowed to assume. 
+ items: + type: string + nullable: true + type: array + cluster_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: ClusterLabels is a map of node labels (used to dynamically + grant access to clusters). + type: object + cluster_labels_expression: + description: ClusterLabelsExpression is a predicate expression + used to allow/deny access to remote Teleport clusters. + type: string + db_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: DatabaseLabels are used in RBAC system to allow/deny + access to databases. + type: object + db_labels_expression: + description: DatabaseLabelsExpression is a predicate expression + used to allow/deny access to Databases. + type: string + db_names: + description: DatabaseNames is a list of database names this role + is allowed to connect to. + items: + type: string + nullable: true + type: array + db_permissions: + description: DatabasePermissions specifies a set of permissions + that will be granted to the database user when using automatic + database user provisioning. + items: + properties: + match: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: Match is a list of object labels that must + be matched for the permission to be granted. + type: object + permissions: + description: Permission is the list of string representations + of the permission to be given, e.g. SELECT, INSERT, UPDATE, + ... + items: + type: string + nullable: true + type: array + type: object + type: array + db_roles: + description: DatabaseRoles is a list of databases roles for automatic + user creation. + items: + type: string + nullable: true + type: array + db_service_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: DatabaseServiceLabels are used in RBAC system to + allow/deny access to Database Services. 
+ type: object + db_service_labels_expression: + description: DatabaseServiceLabelsExpression is a predicate expression + used to allow/deny access to Database Services. + type: string + db_users: + description: DatabaseUsers is a list of databases users this role + is allowed to connect as. + items: + type: string + nullable: true + type: array + desktop_groups: + description: DesktopGroups is a list of groups for created desktop + users to be added to + items: + type: string + nullable: true + type: array + gcp_service_accounts: + description: GCPServiceAccounts is a list of GCP service accounts + this role is allowed to assume. + items: + type: string + nullable: true + type: array + group_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: GroupLabels is a map of labels used as part of the + RBAC system. + type: object + group_labels_expression: + description: GroupLabelsExpression is a predicate expression used + to allow/deny access to user groups. + type: string + host_groups: + description: HostGroups is a list of groups for created users + to be added to + items: + type: string + nullable: true + type: array + host_sudoers: + description: HostSudoers is a list of entries to include in a + users sudoer file + items: + type: string + nullable: true + type: array + impersonate: + description: Impersonate specifies what users and roles this role + is allowed to impersonate by issuing certificates or other possible + means. 
+ nullable: true + properties: + roles: + description: Roles is a list of resources this role is allowed + to impersonate + items: + type: string + nullable: true + type: array + users: + description: Users is a list of resources this role is allowed + to impersonate, could be an empty list or a Wildcard pattern + items: + type: string + nullable: true + type: array + where: + description: Where specifies optional advanced matcher + type: string + type: object + join_sessions: + description: JoinSessions specifies policies to allow users to + join other sessions. + items: + properties: + kinds: + description: Kinds are the session kinds this policy applies + to. + items: + type: string + nullable: true + type: array + modes: + description: Modes is a list of permitted participant modes + for this policy. + items: + type: string + nullable: true + type: array + name: + description: Name is the name of the policy. + type: string + roles: + description: Roles is a list of roles that you can join + the session of. + items: + type: string + nullable: true + type: array + type: object + nullable: true + type: array + kubernetes_groups: + description: KubeGroups is a list of kubernetes groups + items: + type: string + nullable: true + type: array + kubernetes_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: KubernetesLabels is a map of kubernetes cluster labels + used for RBAC. + type: object + kubernetes_labels_expression: + description: KubernetesLabelsExpression is a predicate expression + used to allow/deny access to kubernetes clusters. + type: string + kubernetes_resources: + description: KubernetesResources is the Kubernetes Resources this + Role grants access to. + items: + properties: + kind: + description: Kind specifies the Kubernetes Resource type. + At the moment only "pod" is supported. + type: string + name: + description: Name is the resource name. It supports wildcards. 
+ type: string + namespace: + description: Namespace is the resource namespace. It supports + wildcards. + type: string + verbs: + description: Verbs are the allowed Kubernetes verbs for + the following resource. + items: + type: string + nullable: true + type: array + type: object + type: array + kubernetes_users: + description: KubeUsers is an optional kubernetes users to impersonate + items: + type: string + nullable: true + type: array + logins: + description: Logins is a list of *nix system logins. + items: + type: string + nullable: true + type: array + node_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: NodeLabels is a map of node labels (used to dynamically + grant access to nodes). + type: object + node_labels_expression: + description: NodeLabelsExpression is a predicate expression used + to allow/deny access to SSH nodes. + type: string + request: + nullable: true + properties: + annotations: + additionalProperties: + items: + type: string + type: array + description: Annotations is a collection of annotations to + be programmatically appended to pending access requests + at the time of their creation. These annotations serve as + a mechanism to propagate extra information to plugins. Since + these annotations support variable interpolation syntax, + they also offer a mechanism for forwarding claims from an + external identity provider, to a plugin via `{{external.trait_name}}` + style substitutions. + type: object + claims_to_roles: + description: ClaimsToRoles specifies a mapping from claims + (traits) to teleport roles. + items: + properties: + claim: + description: Claim is a claim name. + type: string + roles: + description: Roles is a list of static teleport roles + to match. + items: + type: string + nullable: true + type: array + value: + description: Value is a claim value to match. 
+ type: string + type: object + type: array + max_duration: + description: MaxDuration is the amount of time the access + will be granted for. If this is zero, the default duration + is used. + format: duration + type: string + roles: + description: Roles is the name of roles which will match the + request rule. + items: + type: string + nullable: true + type: array + search_as_roles: + description: SearchAsRoles is a list of extra roles which + should apply to a user while they are searching for resources + as part of a Resource Access Request, and defines the underlying + roles which will be requested as part of any Resource Access + Request. + items: + type: string + nullable: true + type: array + suggested_reviewers: + description: SuggestedReviewers is a list of reviewer suggestions. These + can be teleport usernames, but that is not a requirement. + items: + type: string + nullable: true + type: array + thresholds: + description: Thresholds is a list of thresholds, one of which + must be met in order for reviews to trigger a state-transition. If + no thresholds are provided, a default threshold of 1 for + approval and denial is used. + items: + properties: + approve: + description: Approve is the number of matching approvals + needed for state-transition. + format: int32 + type: integer + deny: + description: Deny is the number of denials needed for + state-transition. + format: int32 + type: integer + filter: + description: Filter is an optional predicate used to + determine which reviews count toward this threshold. + type: string + name: + description: Name is the optional human-readable name + of the threshold. + type: string + type: object + type: array + type: object + require_session_join: + description: RequireSessionJoin specifies policies for required + users to start a session. + items: + properties: + count: + description: Count is the amount of people that need to + be matched for this policy to be fulfilled. 
+ format: int32 + type: integer + filter: + description: Filter is a predicate that determines what + users count towards this policy. + type: string + kinds: + description: Kinds are the session kinds this policy applies + to. + items: + type: string + nullable: true + type: array + modes: + description: Modes is the list of modes that may be used + to fulfill this policy. + items: + type: string + nullable: true + type: array + name: + description: Name is the name of the policy. + type: string + on_leave: + description: OnLeave is the behaviour that's used when the + policy is no longer fulfilled for a live session. + type: string + type: object + nullable: true + type: array + review_requests: + description: ReviewRequests defines conditions for submitting + access reviews. + nullable: true + properties: + claims_to_roles: + description: ClaimsToRoles specifies a mapping from claims + (traits) to teleport roles. + items: + properties: + claim: + description: Claim is a claim name. + type: string + roles: + description: Roles is a list of static teleport roles + to match. + items: + type: string + nullable: true + type: array + value: + description: Value is a claim value to match. + type: string + type: object + type: array + preview_as_roles: + description: PreviewAsRoles is a list of extra roles which + should apply to a reviewer while they are viewing a Resource + Access Request for the purposes of viewing details such + as the hostname and labels of requested resources. + items: + type: string + nullable: true + type: array + roles: + description: Roles is the name of roles which may be reviewed. + items: + type: string + nullable: true + type: array + where: + description: Where is an optional predicate which further + limits which requests are reviewable. + type: string + type: object + rules: + description: Rules is a list of rules and their access levels. + Rules are a high level construct used for access control. 
+ items: + properties: + actions: + description: Actions specifies optional actions taken when + this rule matches + items: + type: string + nullable: true + type: array + resources: + description: Resources is a list of resources + items: + type: string + nullable: true + type: array + verbs: + description: Verbs is a list of verbs + items: + type: string + nullable: true + type: array + where: + description: Where specifies optional advanced matcher + type: string + type: object + type: array + spiffe: + description: SPIFFE is used to allow or deny access to a role + holder to generating a SPIFFE SVID. + items: + properties: + dns_sans: + description: 'DNSSANs specifies matchers for the SPIFFE + ID DNS SANs. Each requested DNS SAN is compared against + all matchers configured and if any match, the condition + is considered to be met. The matcher by default allows + ''*'' to be used to indicate zero or more of any character. + Prepend ''^'' and append ''$'' to instead switch to matching + using the Go regex syntax. Example: *.example.com would + match foo.example.com' + items: + type: string + nullable: true + type: array + ip_sans: + description: 'IPSANs specifies matchers for the SPIFFE ID + IP SANs. Each requested IP SAN is compared against all + matchers configured and if any match, the condition is + considered to be met. The matchers should be specified + using CIDR notation, it supports IPv4 and IPv6. Examples: + - 10.0.0.0/24 would match 10.0.0.0 to 10.255.255.255 - + 10.0.0.42/32 would match only 10.0.0.42' + items: + type: string + nullable: true + type: array + path: + description: 'Path specifies a matcher for the SPIFFE ID + path. It should not include the trust domain and should + start with a leading slash. The matcher by default allows + ''*'' to be used to indicate zero or more of any character. + Prepend ''^'' and append ''$'' to instead switch to matching + using the Go regex syntax. 
Example: - /svc/foo/*/bar + would match /svc/foo/baz/bar - ^\/svc\/foo\/.*\/bar$ would + match /svc/foo/baz/bar' + type: string + type: object + nullable: true + type: array + windows_desktop_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: WindowsDesktopLabels are used in the RBAC system + to allow/deny access to Windows desktops. + type: object + windows_desktop_labels_expression: + description: WindowsDesktopLabelsExpression is a predicate expression + used to allow/deny access to Windows desktops. + type: string + windows_desktop_logins: + description: WindowsDesktopLogins is a list of desktop login names + allowed/denied for Windows desktops. + items: + type: string + nullable: true + type: array + type: object + deny: + description: Deny is the set of conditions evaluated to deny access. + Deny takes priority over allow. + properties: + app_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: AppLabels is a map of labels used as part of the + RBAC system. + type: object + app_labels_expression: + description: AppLabelsExpression is a predicate expression used + to allow/deny access to Apps. + type: string + aws_role_arns: + description: AWSRoleARNs is a list of AWS role ARNs this role + is allowed to assume. + items: + type: string + nullable: true + type: array + azure_identities: + description: AzureIdentities is a list of Azure identities this + role is allowed to assume. + items: + type: string + nullable: true + type: array + cluster_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: ClusterLabels is a map of node labels (used to dynamically + grant access to clusters). + type: object + cluster_labels_expression: + description: ClusterLabelsExpression is a predicate expression + used to allow/deny access to remote Teleport clusters. 
+ type: string + db_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: DatabaseLabels are used in RBAC system to allow/deny + access to databases. + type: object + db_labels_expression: + description: DatabaseLabelsExpression is a predicate expression + used to allow/deny access to Databases. + type: string + db_names: + description: DatabaseNames is a list of database names this role + is allowed to connect to. + items: + type: string + nullable: true + type: array + db_permissions: + description: DatabasePermissions specifies a set of permissions + that will be granted to the database user when using automatic + database user provisioning. + items: + properties: + match: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: Match is a list of object labels that must + be matched for the permission to be granted. + type: object + permissions: + description: Permission is the list of string representations + of the permission to be given, e.g. SELECT, INSERT, UPDATE, + ... + items: + type: string + nullable: true + type: array + type: object + type: array + db_roles: + description: DatabaseRoles is a list of databases roles for automatic + user creation. + items: + type: string + nullable: true + type: array + db_service_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: DatabaseServiceLabels are used in RBAC system to + allow/deny access to Database Services. + type: object + db_service_labels_expression: + description: DatabaseServiceLabelsExpression is a predicate expression + used to allow/deny access to Database Services. + type: string + db_users: + description: DatabaseUsers is a list of databases users this role + is allowed to connect as. 
+ items: + type: string + nullable: true + type: array + desktop_groups: + description: DesktopGroups is a list of groups for created desktop + users to be added to + items: + type: string + nullable: true + type: array + gcp_service_accounts: + description: GCPServiceAccounts is a list of GCP service accounts + this role is allowed to assume. + items: + type: string + nullable: true + type: array + group_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: GroupLabels is a map of labels used as part of the + RBAC system. + type: object + group_labels_expression: + description: GroupLabelsExpression is a predicate expression used + to allow/deny access to user groups. + type: string + host_groups: + description: HostGroups is a list of groups for created users + to be added to + items: + type: string + nullable: true + type: array + host_sudoers: + description: HostSudoers is a list of entries to include in a + users sudoer file + items: + type: string + nullable: true + type: array + impersonate: + description: Impersonate specifies what users and roles this role + is allowed to impersonate by issuing certificates or other possible + means. + nullable: true + properties: + roles: + description: Roles is a list of resources this role is allowed + to impersonate + items: + type: string + nullable: true + type: array + users: + description: Users is a list of resources this role is allowed + to impersonate, could be an empty list or a Wildcard pattern + items: + type: string + nullable: true + type: array + where: + description: Where specifies optional advanced matcher + type: string + type: object + join_sessions: + description: JoinSessions specifies policies to allow users to + join other sessions. + items: + properties: + kinds: + description: Kinds are the session kinds this policy applies + to. 
+ items: + type: string + nullable: true + type: array + modes: + description: Modes is a list of permitted participant modes + for this policy. + items: + type: string + nullable: true + type: array + name: + description: Name is the name of the policy. + type: string + roles: + description: Roles is a list of roles that you can join + the session of. + items: + type: string + nullable: true + type: array + type: object + nullable: true + type: array + kubernetes_groups: + description: KubeGroups is a list of kubernetes groups + items: + type: string + nullable: true + type: array + kubernetes_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: KubernetesLabels is a map of kubernetes cluster labels + used for RBAC. + type: object + kubernetes_labels_expression: + description: KubernetesLabelsExpression is a predicate expression + used to allow/deny access to kubernetes clusters. + type: string + kubernetes_resources: + description: KubernetesResources is the Kubernetes Resources this + Role grants access to. + items: + properties: + kind: + description: Kind specifies the Kubernetes Resource type. + At the moment only "pod" is supported. + type: string + name: + description: Name is the resource name. It supports wildcards. + type: string + namespace: + description: Namespace is the resource namespace. It supports + wildcards. + type: string + verbs: + description: Verbs are the allowed Kubernetes verbs for + the following resource. + items: + type: string + nullable: true + type: array + type: object + type: array + kubernetes_users: + description: KubeUsers is an optional kubernetes users to impersonate + items: + type: string + nullable: true + type: array + logins: + description: Logins is a list of *nix system logins. 
+ items: + type: string + nullable: true + type: array + node_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: NodeLabels is a map of node labels (used to dynamically + grant access to nodes). + type: object + node_labels_expression: + description: NodeLabelsExpression is a predicate expression used + to allow/deny access to SSH nodes. + type: string + request: + nullable: true + properties: + annotations: + additionalProperties: + items: + type: string + type: array + description: Annotations is a collection of annotations to + be programmatically appended to pending access requests + at the time of their creation. These annotations serve as + a mechanism to propagate extra information to plugins. Since + these annotations support variable interpolation syntax, + they also offer a mechanism for forwarding claims from an + external identity provider, to a plugin via `{{external.trait_name}}` + style substitutions. + type: object + claims_to_roles: + description: ClaimsToRoles specifies a mapping from claims + (traits) to teleport roles. + items: + properties: + claim: + description: Claim is a claim name. + type: string + roles: + description: Roles is a list of static teleport roles + to match. + items: + type: string + nullable: true + type: array + value: + description: Value is a claim value to match. + type: string + type: object + type: array + max_duration: + description: MaxDuration is the amount of time the access + will be granted for. If this is zero, the default duration + is used. + format: duration + type: string + roles: + description: Roles is the name of roles which will match the + request rule. 
+ items: + type: string + nullable: true + type: array + search_as_roles: + description: SearchAsRoles is a list of extra roles which + should apply to a user while they are searching for resources + as part of a Resource Access Request, and defines the underlying + roles which will be requested as part of any Resource Access + Request. + items: + type: string + nullable: true + type: array + suggested_reviewers: + description: SuggestedReviewers is a list of reviewer suggestions. These + can be teleport usernames, but that is not a requirement. + items: + type: string + nullable: true + type: array + thresholds: + description: Thresholds is a list of thresholds, one of which + must be met in order for reviews to trigger a state-transition. If + no thresholds are provided, a default threshold of 1 for + approval and denial is used. + items: + properties: + approve: + description: Approve is the number of matching approvals + needed for state-transition. + format: int32 + type: integer + deny: + description: Deny is the number of denials needed for + state-transition. + format: int32 + type: integer + filter: + description: Filter is an optional predicate used to + determine which reviews count toward this threshold. + type: string + name: + description: Name is the optional human-readable name + of the threshold. + type: string + type: object + type: array + type: object + require_session_join: + description: RequireSessionJoin specifies policies for required + users to start a session. + items: + properties: + count: + description: Count is the amount of people that need to + be matched for this policy to be fulfilled. + format: int32 + type: integer + filter: + description: Filter is a predicate that determines what + users count towards this policy. + type: string + kinds: + description: Kinds are the session kinds this policy applies + to. 
+ items: + type: string + nullable: true + type: array + modes: + description: Modes is the list of modes that may be used + to fulfill this policy. + items: + type: string + nullable: true + type: array + name: + description: Name is the name of the policy. + type: string + on_leave: + description: OnLeave is the behaviour that's used when the + policy is no longer fulfilled for a live session. + type: string + type: object + nullable: true + type: array + review_requests: + description: ReviewRequests defines conditions for submitting + access reviews. + nullable: true + properties: + claims_to_roles: + description: ClaimsToRoles specifies a mapping from claims + (traits) to teleport roles. + items: + properties: + claim: + description: Claim is a claim name. + type: string + roles: + description: Roles is a list of static teleport roles + to match. + items: + type: string + nullable: true + type: array + value: + description: Value is a claim value to match. + type: string + type: object + type: array + preview_as_roles: + description: PreviewAsRoles is a list of extra roles which + should apply to a reviewer while they are viewing a Resource + Access Request for the purposes of viewing details such + as the hostname and labels of requested resources. + items: + type: string + nullable: true + type: array + roles: + description: Roles is the name of roles which may be reviewed. + items: + type: string + nullable: true + type: array + where: + description: Where is an optional predicate which further + limits which requests are reviewable. + type: string + type: object + rules: + description: Rules is a list of rules and their access levels. + Rules are a high level construct used for access control. 
+ items: + properties: + actions: + description: Actions specifies optional actions taken when + this rule matches + items: + type: string + nullable: true + type: array + resources: + description: Resources is a list of resources + items: + type: string + nullable: true + type: array + verbs: + description: Verbs is a list of verbs + items: + type: string + nullable: true + type: array + where: + description: Where specifies optional advanced matcher + type: string + type: object + type: array + spiffe: + description: SPIFFE is used to allow or deny access to a role + holder to generating a SPIFFE SVID. + items: + properties: + dns_sans: + description: 'DNSSANs specifies matchers for the SPIFFE + ID DNS SANs. Each requested DNS SAN is compared against + all matchers configured and if any match, the condition + is considered to be met. The matcher by default allows + ''*'' to be used to indicate zero or more of any character. + Prepend ''^'' and append ''$'' to instead switch to matching + using the Go regex syntax. Example: *.example.com would + match foo.example.com' + items: + type: string + nullable: true + type: array + ip_sans: + description: 'IPSANs specifies matchers for the SPIFFE ID + IP SANs. Each requested IP SAN is compared against all + matchers configured and if any match, the condition is + considered to be met. The matchers should be specified + using CIDR notation, it supports IPv4 and IPv6. Examples: + - 10.0.0.0/24 would match 10.0.0.0 to 10.255.255.255 - + 10.0.0.42/32 would match only 10.0.0.42' + items: + type: string + nullable: true + type: array + path: + description: 'Path specifies a matcher for the SPIFFE ID + path. It should not include the trust domain and should + start with a leading slash. The matcher by default allows + ''*'' to be used to indicate zero or more of any character. + Prepend ''^'' and append ''$'' to instead switch to matching + using the Go regex syntax. 
Example: - /svc/foo/*/bar + would match /svc/foo/baz/bar - ^\/svc\/foo\/.*\/bar$ would + match /svc/foo/baz/bar' + type: string + type: object + nullable: true + type: array + windows_desktop_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: WindowsDesktopLabels are used in the RBAC system + to allow/deny access to Windows desktops. + type: object + windows_desktop_labels_expression: + description: WindowsDesktopLabelsExpression is a predicate expression + used to allow/deny access to Windows desktops. + type: string + windows_desktop_logins: + description: WindowsDesktopLogins is a list of desktop login names + allowed/denied for Windows desktops. + items: + type: string + nullable: true + type: array + type: object + options: + description: Options is for OpenSSH options like agent forwarding. + properties: + cert_extensions: + description: CertExtensions specifies the key/values + items: + properties: + mode: + description: Mode is the type of extension to be used -- + currently critical-option is not supported. 0 is "extension". + x-kubernetes-int-or-string: true + name: + description: Name specifies the key to be used in the cert + extension. + type: string + type: + description: Type represents the certificate type being + extended, only ssh is supported at this time. 0 is "ssh". + x-kubernetes-int-or-string: true + value: + description: Value specifies the value to be used in the + cert extension. + type: string + type: object + nullable: true + type: array + cert_format: + description: CertificateFormat defines the format of the user + certificate to allow compatibility with older versions of OpenSSH. + type: string + client_idle_timeout: + description: ClientIdleTimeout sets disconnect clients on idle + timeout behavior, if set to 0 means do not disconnect, otherwise + is set to the idle duration. 
+ format: duration + type: string + create_db_user: + description: CreateDatabaseUser enabled automatic database user + creation. + type: boolean + create_db_user_mode: + description: CreateDatabaseUserMode allows users to be automatically + created on a database when not set to off. 0 is "unspecified", + 1 is "off", 2 is "keep", 3 is "best_effort_drop". + x-kubernetes-int-or-string: true + create_desktop_user: + description: CreateDesktopUser allows users to be automatically + created on a Windows desktop + type: boolean + create_host_user: + description: CreateHostUser allows users to be automatically created + on a host + type: boolean + create_host_user_mode: + description: CreateHostUserMode allows users to be automatically + created on a host when not set to off. 0 is "unspecified"; 1 + is "off"; 2 is "drop" (removed for v15 and above), 3 is "keep"; + 4 is "insecure-drop". + x-kubernetes-int-or-string: true + desktop_clipboard: + description: DesktopClipboard indicates whether clipboard sharing + is allowed between the user's workstation and the remote desktop. + It defaults to true unless explicitly set to false. + type: boolean + desktop_directory_sharing: + description: DesktopDirectorySharing indicates whether directory + sharing is allowed between the user's workstation and the remote + desktop. It defaults to false unless explicitly set to true. + type: boolean + device_trust_mode: + description: DeviceTrustMode is the device authorization mode + used for the resources associated with the role. See DeviceTrust.Mode. + Reserved for future use, not yet used by Teleport. + type: string + disconnect_expired_cert: + description: DisconnectExpiredCert sets disconnect clients on + expired certificates. + type: boolean + enhanced_recording: + description: BPF defines what events to record for the BPF-based + session recorder. + items: + type: string + nullable: true + type: array + forward_agent: + description: ForwardAgent is SSH agent forwarding. 
+ type: boolean + idp: + description: IDP is a set of options related to accessing IdPs + within Teleport. Requires Teleport Enterprise. + nullable: true + properties: + saml: + description: SAML are options related to the Teleport SAML + IdP. + nullable: true + properties: + enabled: + description: Enabled is set to true if this option allows + access to the Teleport SAML IdP. + type: boolean + type: object + type: object + lock: + description: Lock specifies the locking mode (strict|best_effort) + to be applied with the role. + type: string + max_connections: + description: MaxConnections defines the maximum number of concurrent + connections a user may hold. + format: int64 + type: integer + max_kubernetes_connections: + description: MaxKubernetesConnections defines the maximum number + of concurrent Kubernetes sessions a user may hold. + format: int64 + type: integer + max_session_ttl: + description: MaxSessionTTL defines how long a SSH session can + last for. + format: duration + type: string + max_sessions: + description: MaxSessions defines the maximum number of concurrent + sessions per connection. + format: int64 + type: integer + permit_x11_forwarding: + description: PermitX11Forwarding authorizes use of X11 forwarding. + type: boolean + pin_source_ip: + description: PinSourceIP forces the same client IP for certificate + generation and usage + type: boolean + port_forwarding: + description: PortForwarding defines if the certificate will have + "permit-port-forwarding" in the certificate. PortForwarding + is "yes" if not set, that's why this is a pointer + type: boolean + record_session: + description: RecordDesktopSession indicates whether desktop access + sessions should be recorded. It defaults to true unless explicitly + set to false. + nullable: true + properties: + default: + description: Default indicates the default value for the services. + type: string + desktop: + description: Desktop indicates whether desktop sessions should + be recorded. 
It defaults to true unless explicitly set to + false. + type: boolean + ssh: + description: SSH indicates the session mode used on SSH sessions. + type: string + type: object + request_access: + description: RequestAccess defines the access request strategy + (optional|note|always) where optional is the default. + type: string + request_prompt: + description: RequestPrompt is an optional message which tells + users what they aught to request. + type: string + require_session_mfa: + description: RequireMFAType is the type of MFA requirement enforced + for this user. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", + 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN". + x-kubernetes-int-or-string: true + ssh_file_copy: + description: SSHFileCopy indicates whether remote file operations + via SCP or SFTP are allowed over an SSH session. It defaults + to true unless explicitly set to false. + type: boolean + type: object + type: object + status: + description: Status defines the observed state of the Teleport resource + properties: + conditions: + description: Conditions represent the latest available observations + of an object's state + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. 
For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + teleportResourceID: + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv7.yaml b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv7.yaml new file mode 100644 index 0000000..525c5fb --- /dev/null +++ b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv7.yaml 
@@ -0,0 +1,1355 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: teleportrolesv7.resources.teleport.dev +spec: + group: resources.teleport.dev + names: + kind: TeleportRoleV7 + listKind: TeleportRoleV7List + plural: teleportrolesv7 + shortNames: + - rolev7 + - rolesv7 + singular: teleportrolev7 + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: RoleV7 is the Schema for the rolesv7 API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Role resource definition v7 from Teleport + properties: + allow: + description: Allow is the set of conditions evaluated to grant access. + properties: + app_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: AppLabels is a map of labels used as part of the + RBAC system. + type: object + app_labels_expression: + description: AppLabelsExpression is a predicate expression used + to allow/deny access to Apps. + type: string + aws_role_arns: + description: AWSRoleARNs is a list of AWS role ARNs this role + is allowed to assume. + items: + type: string + nullable: true + type: array + azure_identities: + description: AzureIdentities is a list of Azure identities this + role is allowed to assume. 
+ items: + type: string + nullable: true + type: array + cluster_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: ClusterLabels is a map of node labels (used to dynamically + grant access to clusters). + type: object + cluster_labels_expression: + description: ClusterLabelsExpression is a predicate expression + used to allow/deny access to remote Teleport clusters. + type: string + db_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: DatabaseLabels are used in RBAC system to allow/deny + access to databases. + type: object + db_labels_expression: + description: DatabaseLabelsExpression is a predicate expression + used to allow/deny access to Databases. + type: string + db_names: + description: DatabaseNames is a list of database names this role + is allowed to connect to. + items: + type: string + nullable: true + type: array + db_permissions: + description: DatabasePermissions specifies a set of permissions + that will be granted to the database user when using automatic + database user provisioning. + items: + properties: + match: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: Match is a list of object labels that must + be matched for the permission to be granted. + type: object + permissions: + description: Permission is the list of string representations + of the permission to be given, e.g. SELECT, INSERT, UPDATE, + ... + items: + type: string + nullable: true + type: array + type: object + type: array + db_roles: + description: DatabaseRoles is a list of databases roles for automatic + user creation. + items: + type: string + nullable: true + type: array + db_service_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: DatabaseServiceLabels are used in RBAC system to + allow/deny access to Database Services. 
+ type: object + db_service_labels_expression: + description: DatabaseServiceLabelsExpression is a predicate expression + used to allow/deny access to Database Services. + type: string + db_users: + description: DatabaseUsers is a list of databases users this role + is allowed to connect as. + items: + type: string + nullable: true + type: array + desktop_groups: + description: DesktopGroups is a list of groups for created desktop + users to be added to + items: + type: string + nullable: true + type: array + gcp_service_accounts: + description: GCPServiceAccounts is a list of GCP service accounts + this role is allowed to assume. + items: + type: string + nullable: true + type: array + group_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: GroupLabels is a map of labels used as part of the + RBAC system. + type: object + group_labels_expression: + description: GroupLabelsExpression is a predicate expression used + to allow/deny access to user groups. + type: string + host_groups: + description: HostGroups is a list of groups for created users + to be added to + items: + type: string + nullable: true + type: array + host_sudoers: + description: HostSudoers is a list of entries to include in a + users sudoer file + items: + type: string + nullable: true + type: array + impersonate: + description: Impersonate specifies what users and roles this role + is allowed to impersonate by issuing certificates or other possible + means. 
+ nullable: true + properties: + roles: + description: Roles is a list of resources this role is allowed + to impersonate + items: + type: string + nullable: true + type: array + users: + description: Users is a list of resources this role is allowed + to impersonate, could be an empty list or a Wildcard pattern + items: + type: string + nullable: true + type: array + where: + description: Where specifies optional advanced matcher + type: string + type: object + join_sessions: + description: JoinSessions specifies policies to allow users to + join other sessions. + items: + properties: + kinds: + description: Kinds are the session kinds this policy applies + to. + items: + type: string + nullable: true + type: array + modes: + description: Modes is a list of permitted participant modes + for this policy. + items: + type: string + nullable: true + type: array + name: + description: Name is the name of the policy. + type: string + roles: + description: Roles is a list of roles that you can join + the session of. + items: + type: string + nullable: true + type: array + type: object + nullable: true + type: array + kubernetes_groups: + description: KubeGroups is a list of kubernetes groups + items: + type: string + nullable: true + type: array + kubernetes_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: KubernetesLabels is a map of kubernetes cluster labels + used for RBAC. + type: object + kubernetes_labels_expression: + description: KubernetesLabelsExpression is a predicate expression + used to allow/deny access to kubernetes clusters. + type: string + kubernetes_resources: + description: KubernetesResources is the Kubernetes Resources this + Role grants access to. + items: + properties: + kind: + description: Kind specifies the Kubernetes Resource type. + At the moment only "pod" is supported. + type: string + name: + description: Name is the resource name. It supports wildcards. 
+ type: string + namespace: + description: Namespace is the resource namespace. It supports + wildcards. + type: string + verbs: + description: Verbs are the allowed Kubernetes verbs for + the following resource. + items: + type: string + nullable: true + type: array + type: object + type: array + kubernetes_users: + description: KubeUsers is an optional kubernetes users to impersonate + items: + type: string + nullable: true + type: array + logins: + description: Logins is a list of *nix system logins. + items: + type: string + nullable: true + type: array + node_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: NodeLabels is a map of node labels (used to dynamically + grant access to nodes). + type: object + node_labels_expression: + description: NodeLabelsExpression is a predicate expression used + to allow/deny access to SSH nodes. + type: string + request: + nullable: true + properties: + annotations: + additionalProperties: + items: + type: string + type: array + description: Annotations is a collection of annotations to + be programmatically appended to pending access requests + at the time of their creation. These annotations serve as + a mechanism to propagate extra information to plugins. Since + these annotations support variable interpolation syntax, + they also offer a mechanism for forwarding claims from an + external identity provider, to a plugin via `{{external.trait_name}}` + style substitutions. + type: object + claims_to_roles: + description: ClaimsToRoles specifies a mapping from claims + (traits) to teleport roles. + items: + properties: + claim: + description: Claim is a claim name. + type: string + roles: + description: Roles is a list of static teleport roles + to match. + items: + type: string + nullable: true + type: array + value: + description: Value is a claim value to match. 
+ type: string + type: object + type: array + max_duration: + description: MaxDuration is the amount of time the access + will be granted for. If this is zero, the default duration + is used. + format: duration + type: string + roles: + description: Roles is the name of roles which will match the + request rule. + items: + type: string + nullable: true + type: array + search_as_roles: + description: SearchAsRoles is a list of extra roles which + should apply to a user while they are searching for resources + as part of a Resource Access Request, and defines the underlying + roles which will be requested as part of any Resource Access + Request. + items: + type: string + nullable: true + type: array + suggested_reviewers: + description: SuggestedReviewers is a list of reviewer suggestions. These + can be teleport usernames, but that is not a requirement. + items: + type: string + nullable: true + type: array + thresholds: + description: Thresholds is a list of thresholds, one of which + must be met in order for reviews to trigger a state-transition. If + no thresholds are provided, a default threshold of 1 for + approval and denial is used. + items: + properties: + approve: + description: Approve is the number of matching approvals + needed for state-transition. + format: int32 + type: integer + deny: + description: Deny is the number of denials needed for + state-transition. + format: int32 + type: integer + filter: + description: Filter is an optional predicate used to + determine which reviews count toward this threshold. + type: string + name: + description: Name is the optional human-readable name + of the threshold. + type: string + type: object + type: array + type: object + require_session_join: + description: RequireSessionJoin specifies policies for required + users to start a session. + items: + properties: + count: + description: Count is the amount of people that need to + be matched for this policy to be fulfilled. 
+ format: int32 + type: integer + filter: + description: Filter is a predicate that determines what + users count towards this policy. + type: string + kinds: + description: Kinds are the session kinds this policy applies + to. + items: + type: string + nullable: true + type: array + modes: + description: Modes is the list of modes that may be used + to fulfill this policy. + items: + type: string + nullable: true + type: array + name: + description: Name is the name of the policy. + type: string + on_leave: + description: OnLeave is the behaviour that's used when the + policy is no longer fulfilled for a live session. + type: string + type: object + nullable: true + type: array + review_requests: + description: ReviewRequests defines conditions for submitting + access reviews. + nullable: true + properties: + claims_to_roles: + description: ClaimsToRoles specifies a mapping from claims + (traits) to teleport roles. + items: + properties: + claim: + description: Claim is a claim name. + type: string + roles: + description: Roles is a list of static teleport roles + to match. + items: + type: string + nullable: true + type: array + value: + description: Value is a claim value to match. + type: string + type: object + type: array + preview_as_roles: + description: PreviewAsRoles is a list of extra roles which + should apply to a reviewer while they are viewing a Resource + Access Request for the purposes of viewing details such + as the hostname and labels of requested resources. + items: + type: string + nullable: true + type: array + roles: + description: Roles is the name of roles which may be reviewed. + items: + type: string + nullable: true + type: array + where: + description: Where is an optional predicate which further + limits which requests are reviewable. + type: string + type: object + rules: + description: Rules is a list of rules and their access levels. + Rules are a high level construct used for access control. 
+ items: + properties: + actions: + description: Actions specifies optional actions taken when + this rule matches + items: + type: string + nullable: true + type: array + resources: + description: Resources is a list of resources + items: + type: string + nullable: true + type: array + verbs: + description: Verbs is a list of verbs + items: + type: string + nullable: true + type: array + where: + description: Where specifies optional advanced matcher + type: string + type: object + type: array + spiffe: + description: SPIFFE is used to allow or deny access to a role + holder to generating a SPIFFE SVID. + items: + properties: + dns_sans: + description: 'DNSSANs specifies matchers for the SPIFFE + ID DNS SANs. Each requested DNS SAN is compared against + all matchers configured and if any match, the condition + is considered to be met. The matcher by default allows + ''*'' to be used to indicate zero or more of any character. + Prepend ''^'' and append ''$'' to instead switch to matching + using the Go regex syntax. Example: *.example.com would + match foo.example.com' + items: + type: string + nullable: true + type: array + ip_sans: + description: 'IPSANs specifies matchers for the SPIFFE ID + IP SANs. Each requested IP SAN is compared against all + matchers configured and if any match, the condition is + considered to be met. The matchers should be specified + using CIDR notation, it supports IPv4 and IPv6. Examples: + - 10.0.0.0/24 would match 10.0.0.0 to 10.255.255.255 - + 10.0.0.42/32 would match only 10.0.0.42' + items: + type: string + nullable: true + type: array + path: + description: 'Path specifies a matcher for the SPIFFE ID + path. It should not include the trust domain and should + start with a leading slash. The matcher by default allows + ''*'' to be used to indicate zero or more of any character. + Prepend ''^'' and append ''$'' to instead switch to matching + using the Go regex syntax. 
Example: - /svc/foo/*/bar + would match /svc/foo/baz/bar - ^\/svc\/foo\/.*\/bar$ would + match /svc/foo/baz/bar' + type: string + type: object + nullable: true + type: array + windows_desktop_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: WindowsDesktopLabels are used in the RBAC system + to allow/deny access to Windows desktops. + type: object + windows_desktop_labels_expression: + description: WindowsDesktopLabelsExpression is a predicate expression + used to allow/deny access to Windows desktops. + type: string + windows_desktop_logins: + description: WindowsDesktopLogins is a list of desktop login names + allowed/denied for Windows desktops. + items: + type: string + nullable: true + type: array + type: object + deny: + description: Deny is the set of conditions evaluated to deny access. + Deny takes priority over allow. + properties: + app_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: AppLabels is a map of labels used as part of the + RBAC system. + type: object + app_labels_expression: + description: AppLabelsExpression is a predicate expression used + to allow/deny access to Apps. + type: string + aws_role_arns: + description: AWSRoleARNs is a list of AWS role ARNs this role + is allowed to assume. + items: + type: string + nullable: true + type: array + azure_identities: + description: AzureIdentities is a list of Azure identities this + role is allowed to assume. + items: + type: string + nullable: true + type: array + cluster_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: ClusterLabels is a map of node labels (used to dynamically + grant access to clusters). + type: object + cluster_labels_expression: + description: ClusterLabelsExpression is a predicate expression + used to allow/deny access to remote Teleport clusters. 
+ type: string + db_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: DatabaseLabels are used in RBAC system to allow/deny + access to databases. + type: object + db_labels_expression: + description: DatabaseLabelsExpression is a predicate expression + used to allow/deny access to Databases. + type: string + db_names: + description: DatabaseNames is a list of database names this role + is allowed to connect to. + items: + type: string + nullable: true + type: array + db_permissions: + description: DatabasePermissions specifies a set of permissions + that will be granted to the database user when using automatic + database user provisioning. + items: + properties: + match: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: Match is a list of object labels that must + be matched for the permission to be granted. + type: object + permissions: + description: Permission is the list of string representations + of the permission to be given, e.g. SELECT, INSERT, UPDATE, + ... + items: + type: string + nullable: true + type: array + type: object + type: array + db_roles: + description: DatabaseRoles is a list of databases roles for automatic + user creation. + items: + type: string + nullable: true + type: array + db_service_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: DatabaseServiceLabels are used in RBAC system to + allow/deny access to Database Services. + type: object + db_service_labels_expression: + description: DatabaseServiceLabelsExpression is a predicate expression + used to allow/deny access to Database Services. + type: string + db_users: + description: DatabaseUsers is a list of databases users this role + is allowed to connect as. 
+ items: + type: string + nullable: true + type: array + desktop_groups: + description: DesktopGroups is a list of groups for created desktop + users to be added to + items: + type: string + nullable: true + type: array + gcp_service_accounts: + description: GCPServiceAccounts is a list of GCP service accounts + this role is allowed to assume. + items: + type: string + nullable: true + type: array + group_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: GroupLabels is a map of labels used as part of the + RBAC system. + type: object + group_labels_expression: + description: GroupLabelsExpression is a predicate expression used + to allow/deny access to user groups. + type: string + host_groups: + description: HostGroups is a list of groups for created users + to be added to + items: + type: string + nullable: true + type: array + host_sudoers: + description: HostSudoers is a list of entries to include in a + users sudoer file + items: + type: string + nullable: true + type: array + impersonate: + description: Impersonate specifies what users and roles this role + is allowed to impersonate by issuing certificates or other possible + means. + nullable: true + properties: + roles: + description: Roles is a list of resources this role is allowed + to impersonate + items: + type: string + nullable: true + type: array + users: + description: Users is a list of resources this role is allowed + to impersonate, could be an empty list or a Wildcard pattern + items: + type: string + nullable: true + type: array + where: + description: Where specifies optional advanced matcher + type: string + type: object + join_sessions: + description: JoinSessions specifies policies to allow users to + join other sessions. + items: + properties: + kinds: + description: Kinds are the session kinds this policy applies + to. 
+ items: + type: string + nullable: true + type: array + modes: + description: Modes is a list of permitted participant modes + for this policy. + items: + type: string + nullable: true + type: array + name: + description: Name is the name of the policy. + type: string + roles: + description: Roles is a list of roles that you can join + the session of. + items: + type: string + nullable: true + type: array + type: object + nullable: true + type: array + kubernetes_groups: + description: KubeGroups is a list of kubernetes groups + items: + type: string + nullable: true + type: array + kubernetes_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: KubernetesLabels is a map of kubernetes cluster labels + used for RBAC. + type: object + kubernetes_labels_expression: + description: KubernetesLabelsExpression is a predicate expression + used to allow/deny access to kubernetes clusters. + type: string + kubernetes_resources: + description: KubernetesResources is the Kubernetes Resources this + Role grants access to. + items: + properties: + kind: + description: Kind specifies the Kubernetes Resource type. + At the moment only "pod" is supported. + type: string + name: + description: Name is the resource name. It supports wildcards. + type: string + namespace: + description: Namespace is the resource namespace. It supports + wildcards. + type: string + verbs: + description: Verbs are the allowed Kubernetes verbs for + the following resource. + items: + type: string + nullable: true + type: array + type: object + type: array + kubernetes_users: + description: KubeUsers is an optional kubernetes users to impersonate + items: + type: string + nullable: true + type: array + logins: + description: Logins is a list of *nix system logins. 
+ items: + type: string + nullable: true + type: array + node_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: NodeLabels is a map of node labels (used to dynamically + grant access to nodes). + type: object + node_labels_expression: + description: NodeLabelsExpression is a predicate expression used + to allow/deny access to SSH nodes. + type: string + request: + nullable: true + properties: + annotations: + additionalProperties: + items: + type: string + type: array + description: Annotations is a collection of annotations to + be programmatically appended to pending access requests + at the time of their creation. These annotations serve as + a mechanism to propagate extra information to plugins. Since + these annotations support variable interpolation syntax, + they also offer a mechanism for forwarding claims from an + external identity provider, to a plugin via `{{external.trait_name}}` + style substitutions. + type: object + claims_to_roles: + description: ClaimsToRoles specifies a mapping from claims + (traits) to teleport roles. + items: + properties: + claim: + description: Claim is a claim name. + type: string + roles: + description: Roles is a list of static teleport roles + to match. + items: + type: string + nullable: true + type: array + value: + description: Value is a claim value to match. + type: string + type: object + type: array + max_duration: + description: MaxDuration is the amount of time the access + will be granted for. If this is zero, the default duration + is used. + format: duration + type: string + roles: + description: Roles is the name of roles which will match the + request rule. 
+ items: + type: string + nullable: true + type: array + search_as_roles: + description: SearchAsRoles is a list of extra roles which + should apply to a user while they are searching for resources + as part of a Resource Access Request, and defines the underlying + roles which will be requested as part of any Resource Access + Request. + items: + type: string + nullable: true + type: array + suggested_reviewers: + description: SuggestedReviewers is a list of reviewer suggestions. These + can be teleport usernames, but that is not a requirement. + items: + type: string + nullable: true + type: array + thresholds: + description: Thresholds is a list of thresholds, one of which + must be met in order for reviews to trigger a state-transition. If + no thresholds are provided, a default threshold of 1 for + approval and denial is used. + items: + properties: + approve: + description: Approve is the number of matching approvals + needed for state-transition. + format: int32 + type: integer + deny: + description: Deny is the number of denials needed for + state-transition. + format: int32 + type: integer + filter: + description: Filter is an optional predicate used to + determine which reviews count toward this threshold. + type: string + name: + description: Name is the optional human-readable name + of the threshold. + type: string + type: object + type: array + type: object + require_session_join: + description: RequireSessionJoin specifies policies for required + users to start a session. + items: + properties: + count: + description: Count is the amount of people that need to + be matched for this policy to be fulfilled. + format: int32 + type: integer + filter: + description: Filter is a predicate that determines what + users count towards this policy. + type: string + kinds: + description: Kinds are the session kinds this policy applies + to. 
+ items: + type: string + nullable: true + type: array + modes: + description: Modes is the list of modes that may be used + to fulfill this policy. + items: + type: string + nullable: true + type: array + name: + description: Name is the name of the policy. + type: string + on_leave: + description: OnLeave is the behaviour that's used when the + policy is no longer fulfilled for a live session. + type: string + type: object + nullable: true + type: array + review_requests: + description: ReviewRequests defines conditions for submitting + access reviews. + nullable: true + properties: + claims_to_roles: + description: ClaimsToRoles specifies a mapping from claims + (traits) to teleport roles. + items: + properties: + claim: + description: Claim is a claim name. + type: string + roles: + description: Roles is a list of static teleport roles + to match. + items: + type: string + nullable: true + type: array + value: + description: Value is a claim value to match. + type: string + type: object + type: array + preview_as_roles: + description: PreviewAsRoles is a list of extra roles which + should apply to a reviewer while they are viewing a Resource + Access Request for the purposes of viewing details such + as the hostname and labels of requested resources. + items: + type: string + nullable: true + type: array + roles: + description: Roles is the name of roles which may be reviewed. + items: + type: string + nullable: true + type: array + where: + description: Where is an optional predicate which further + limits which requests are reviewable. + type: string + type: object + rules: + description: Rules is a list of rules and their access levels. + Rules are a high level construct used for access control. 
+ items: + properties: + actions: + description: Actions specifies optional actions taken when + this rule matches + items: + type: string + nullable: true + type: array + resources: + description: Resources is a list of resources + items: + type: string + nullable: true + type: array + verbs: + description: Verbs is a list of verbs + items: + type: string + nullable: true + type: array + where: + description: Where specifies optional advanced matcher + type: string + type: object + type: array + spiffe: + description: SPIFFE is used to allow or deny access to a role + holder to generating a SPIFFE SVID. + items: + properties: + dns_sans: + description: 'DNSSANs specifies matchers for the SPIFFE + ID DNS SANs. Each requested DNS SAN is compared against + all matchers configured and if any match, the condition + is considered to be met. The matcher by default allows + ''*'' to be used to indicate zero or more of any character. + Prepend ''^'' and append ''$'' to instead switch to matching + using the Go regex syntax. Example: *.example.com would + match foo.example.com' + items: + type: string + nullable: true + type: array + ip_sans: + description: 'IPSANs specifies matchers for the SPIFFE ID + IP SANs. Each requested IP SAN is compared against all + matchers configured and if any match, the condition is + considered to be met. The matchers should be specified + using CIDR notation, it supports IPv4 and IPv6. Examples: + - 10.0.0.0/24 would match 10.0.0.0 to 10.255.255.255 - + 10.0.0.42/32 would match only 10.0.0.42' + items: + type: string + nullable: true + type: array + path: + description: 'Path specifies a matcher for the SPIFFE ID + path. It should not include the trust domain and should + start with a leading slash. The matcher by default allows + ''*'' to be used to indicate zero or more of any character. + Prepend ''^'' and append ''$'' to instead switch to matching + using the Go regex syntax. 
Example: - /svc/foo/*/bar + would match /svc/foo/baz/bar - ^\/svc\/foo\/.*\/bar$ would + match /svc/foo/baz/bar' + type: string + type: object + nullable: true + type: array + windows_desktop_labels: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: WindowsDesktopLabels are used in the RBAC system + to allow/deny access to Windows desktops. + type: object + windows_desktop_labels_expression: + description: WindowsDesktopLabelsExpression is a predicate expression + used to allow/deny access to Windows desktops. + type: string + windows_desktop_logins: + description: WindowsDesktopLogins is a list of desktop login names + allowed/denied for Windows desktops. + items: + type: string + nullable: true + type: array + type: object + options: + description: Options is for OpenSSH options like agent forwarding. + properties: + cert_extensions: + description: CertExtensions specifies the key/values + items: + properties: + mode: + description: Mode is the type of extension to be used -- + currently critical-option is not supported. 0 is "extension". + x-kubernetes-int-or-string: true + name: + description: Name specifies the key to be used in the cert + extension. + type: string + type: + description: Type represents the certificate type being + extended, only ssh is supported at this time. 0 is "ssh". + x-kubernetes-int-or-string: true + value: + description: Value specifies the value to be used in the + cert extension. + type: string + type: object + nullable: true + type: array + cert_format: + description: CertificateFormat defines the format of the user + certificate to allow compatibility with older versions of OpenSSH. + type: string + client_idle_timeout: + description: ClientIdleTimeout sets disconnect clients on idle + timeout behavior, if set to 0 means do not disconnect, otherwise + is set to the idle duration. 
+ format: duration + type: string + create_db_user: + description: CreateDatabaseUser enabled automatic database user + creation. + type: boolean + create_db_user_mode: + description: CreateDatabaseUserMode allows users to be automatically + created on a database when not set to off. 0 is "unspecified", + 1 is "off", 2 is "keep", 3 is "best_effort_drop". + x-kubernetes-int-or-string: true + create_desktop_user: + description: CreateDesktopUser allows users to be automatically + created on a Windows desktop + type: boolean + create_host_user: + description: CreateHostUser allows users to be automatically created + on a host + type: boolean + create_host_user_mode: + description: CreateHostUserMode allows users to be automatically + created on a host when not set to off. 0 is "unspecified"; 1 + is "off"; 2 is "drop" (removed for v15 and above), 3 is "keep"; + 4 is "insecure-drop". + x-kubernetes-int-or-string: true + desktop_clipboard: + description: DesktopClipboard indicates whether clipboard sharing + is allowed between the user's workstation and the remote desktop. + It defaults to true unless explicitly set to false. + type: boolean + desktop_directory_sharing: + description: DesktopDirectorySharing indicates whether directory + sharing is allowed between the user's workstation and the remote + desktop. It defaults to false unless explicitly set to true. + type: boolean + device_trust_mode: + description: DeviceTrustMode is the device authorization mode + used for the resources associated with the role. See DeviceTrust.Mode. + Reserved for future use, not yet used by Teleport. + type: string + disconnect_expired_cert: + description: DisconnectExpiredCert sets disconnect clients on + expired certificates. + type: boolean + enhanced_recording: + description: BPF defines what events to record for the BPF-based + session recorder. + items: + type: string + nullable: true + type: array + forward_agent: + description: ForwardAgent is SSH agent forwarding. 
+ type: boolean + idp: + description: IDP is a set of options related to accessing IdPs + within Teleport. Requires Teleport Enterprise. + nullable: true + properties: + saml: + description: SAML are options related to the Teleport SAML + IdP. + nullable: true + properties: + enabled: + description: Enabled is set to true if this option allows + access to the Teleport SAML IdP. + type: boolean + type: object + type: object + lock: + description: Lock specifies the locking mode (strict|best_effort) + to be applied with the role. + type: string + max_connections: + description: MaxConnections defines the maximum number of concurrent + connections a user may hold. + format: int64 + type: integer + max_kubernetes_connections: + description: MaxKubernetesConnections defines the maximum number + of concurrent Kubernetes sessions a user may hold. + format: int64 + type: integer + max_session_ttl: + description: MaxSessionTTL defines how long a SSH session can + last for. + format: duration + type: string + max_sessions: + description: MaxSessions defines the maximum number of concurrent + sessions per connection. + format: int64 + type: integer + permit_x11_forwarding: + description: PermitX11Forwarding authorizes use of X11 forwarding. + type: boolean + pin_source_ip: + description: PinSourceIP forces the same client IP for certificate + generation and usage + type: boolean + port_forwarding: + description: PortForwarding defines if the certificate will have + "permit-port-forwarding" in the certificate. PortForwarding + is "yes" if not set, that's why this is a pointer + type: boolean + record_session: + description: RecordDesktopSession indicates whether desktop access + sessions should be recorded. It defaults to true unless explicitly + set to false. + nullable: true + properties: + default: + description: Default indicates the default value for the services. + type: string + desktop: + description: Desktop indicates whether desktop sessions should + be recorded. 
It defaults to true unless explicitly set to + false. + type: boolean + ssh: + description: SSH indicates the session mode used on SSH sessions. + type: string + type: object + request_access: + description: RequestAccess defines the access request strategy + (optional|note|always) where optional is the default. + type: string + request_prompt: + description: RequestPrompt is an optional message which tells + users what they aught to request. + type: string + require_session_mfa: + description: RequireMFAType is the type of MFA requirement enforced + for this user. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", + 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN". + x-kubernetes-int-or-string: true + ssh_file_copy: + description: SSHFileCopy indicates whether remote file operations + via SCP or SFTP are allowed over an SSH session. It defaults + to true unless explicitly set to false. + type: boolean + type: object + type: object + status: + description: Status defines the observed state of the Teleport resource + properties: + conditions: + description: Conditions represent the latest available observations + of an object's state + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. 
For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + teleportResourceID: + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/teleport-cluster-14.3.0/charts/teleport-operator/templates/resources.teleport.dev_samlconnectors.yaml b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_samlconnectors.yaml similarity index 68% rename from teleport-cluster-14.3.0/charts/teleport-operator/templates/resources.teleport.dev_samlconnectors.yaml rename to teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_samlconnectors.yaml index c86cc91..97db5f5 100644 --- a/teleport-cluster-14.3.0/charts/teleport-operator/templates/resources.teleport.dev_samlconnectors.yaml +++ b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_samlconnectors.yaml 
@@ -82,6 +82,20 @@ spec: description: Cert is the identity provider certificate PEM. IDP signs responses using this certificate. type: string + client_redirect_settings: + description: ClientRedirectSettings defines which client redirect + URLs are allowed for non-browser SSO logins other than the standard + localhost ones. + nullable: true + properties: + allowed_https_hostnames: + description: a list of hostnames allowed for https client redirect + URLs + items: + type: string + nullable: true + type: array + type: object display: description: Display controls how this connector is displayed. type: string 
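Review bot: The new `client_redirect_settings.allowed_https_hostnames` is an unconstrained string list, so an empty entry or an over-broad hostname is accepted by the API server and from then on widens where a non-browser SSO login may be redirected to — this list is effectively a login-callback redirect allowlist. The schema appears to be generated from the Teleport protobuf, so an item constraint (`minLength: 1` and a hostname pattern) belongs upstream, but the description can already warn operators: `description: Bare hostnames (not URLs) allowed as https client redirect targets for non-browser SSO logins, in addition to the standard localhost ones; each entry widens where a login callback may be sent, so keep this list minimal.` The enclosing `spec` mapping starts and ends outside the hunk.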
@@ -120,50 +134,49 @@ spec: type: string type: object status: - description: TeleportSAMLConnectorStatus defines the observed state of - TeleportSAMLConnector + description: Status defines the observed state of the Teleport resource properties: conditions: description: Conditions represent the latest available observations of an object's state items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. 
+ description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -177,11 +190,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/teleport-cluster-14.3.0/charts/teleport-operator/templates/resources.teleport.dev_users.yaml b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_users.yaml similarity index 68% rename from teleport-cluster-14.3.0/charts/teleport-operator/templates/resources.teleport.dev_users.yaml rename to teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_users.yaml index 7e41bac..afd2483 100644 --- a/teleport-cluster-14.3.0/charts/teleport-operator/templates/resources.teleport.dev_users.yaml +++ b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_users.yaml @@ -15,7 +15,16 @@ spec: singular: teleportuser scope: Namespaced versions: - - name: v2 + - additionalPrinterColumns: + - description: List of Teleport roles granted to the user. + jsonPath: .spec.roles + name: Roles + type: string + - description: The age of this resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2 schema: openAPIV3Schema: description: User is the Schema for the users API 
@@ -106,49 +115,49 @@ spec: type: array type: object status: - description: TeleportUserStatus defines the observed state of TeleportUser + description: Status defines the observed state of the Teleport resource properties: conditions: description: Conditions represent the latest available observations of an object's state items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. 
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -162,11 +171,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/teleport-cluster/charts/teleport-operator/templates/_helpers.tpl b/teleport-cluster/charts/teleport-operator/templates/_helpers.tpl index 39be389..3da8bed 100644 --- a/teleport-cluster/charts/teleport-operator/templates/_helpers.tpl +++ b/teleport-cluster/charts/teleport-operator/templates/_helpers.tpl @@ -57,6 +57,7 @@ helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' app.kubernetes.io/managed-by: '{{ .Release.Service }}' app.kubernetes.io/version: '{{ include "teleport-cluster.version" . }}' teleport.dev/majorVersion: '{{ include "teleport-cluster.majorVersion" . }}' +teleport.dev/release: '{{ include "teleport-cluster.operator.namespacedRelease" . }}' {{- end -}} {{/* Teleport auth or proxy address */}} 
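Review bot: The new `teleport.dev/release` label value is `<namespace>_<release>`, but Kubernetes label values are capped at 63 characters and must end alphanumerically; a namespace of up to 63 characters plus a release name can exceed that, and because this label is also the ownership key `checkExistingCRDs` compares against, an invalid value fails the apply of every labelled resource rather than being cosmetic. Bound it where it is built (the `namespacedRelease` helper in the next hunk), e.g. `{{ printf "%s_%s" .Release.Namespace .Release.Name | trunc 63 | trimAll "-_." }}`, and keep both the label and the comparison on that one helper so they cannot drift apart.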
@@ -75,3 +76,56 @@ teleport.dev/majorVersion: '{{ include "teleport-cluster.majorVersion" . }}' {{- /* This template is a placeholder. If we are imported by the main chart "teleport-cluster" it is overridden*/ -}} {{- define "teleport-cluster.auth.serviceFQDN" -}}{{- end }} + +{{- /* This templates returns "true" or "false" describing if the CRDs should be deployed. +If we have an explicit requirement ("always" or "never") things are easy. +If we don't we check if the operator is enabled. +However, we cannot just trash the CRDs if the operator is disabled, this causes +a mass CR deletion and users will shoot themselves in the foot whith this +(temporarily disabling the operator would cause havoc). +So we check if there's a CRD already deployed, it that's the case, we keep the CRDs. +*/ -}} +{{- define "teleport-cluster.operator.shouldInstallCRDs" -}} + {{- if eq .Values.installCRDs "always" -}} + true + {{- else if eq .Values.installCRDs "never" -}} + false + {{- else if eq .Values.installCRDs "dynamic" -}} + {{- if .Values.enabled -}} + true + {{- else -}} + {{- include "teleport-cluster.operator.checkExistingCRDs" . -}} + {{- end -}} + {{- else -}} + {{- fail ".Values.installCRDs must be 'never', 'always' or 'dynamic'." -}} + {{- end -}} +{{- end -}} + +{{- /* This template checks if a known CRD is depployed (rolev7) and owned by +the release. As CRDs are not namespaced, we must use a custom annotation to avoid +a conflict when two releases are deployed with the same name in different namespaces. */ -}} +{{- define "teleport-cluster.operator.checkExistingCRDs" -}} + {{ $existingCRD := lookup "apiextensions.k8s.io/v1" "CustomResourceDefinition" "" "teleportrolesv7.resources.teleport.dev"}} + {{- if not $existingCRD -}} + false + {{- else -}} + {{- $release := index $existingCRD.metadata.labels "teleport.dev/release" }} + {{- if eq $release (include "teleport-cluster.operator.namespacedRelease" .) 
-}} + true + {{- else -}} + false + {{- end -}} + {{- end -}} +{{- end -}} + +{{- /* This is a custom label containing the namespaced release. +This is used to avoid conflicts for non-namespaced resources like CRDs. */ -}} +{{- define "teleport-cluster.operator.namespacedRelease" -}} + {{ .Release.Namespace }}_{{ .Release.Name }} +{{- end -}} + +{{- /* This is the object merged with CRDs manifests to enrich them (add labels). */ -}} +{{- define "teleport-cluster.operator.crdOverrides" -}} +metadata: + labels: {{- include "teleport-cluster.operator.labels" . | nindent 4 }} +{{- end -}} diff --git a/teleport-cluster/charts/teleport-operator/templates/crds.yaml b/teleport-cluster/charts/teleport-operator/templates/crds.yaml new file mode 100644 index 0000000..5217aaa --- /dev/null +++ b/teleport-cluster/charts/teleport-operator/templates/crds.yaml 
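Review bot: `checkExistingCRDs` returns false for any existing CRD that lacks a `teleport.dev/release` label, and that label is introduced by this very commit, so on the first upgrade with `enabled: false` and the default `installCRDs: dynamic` a CRD created by the previous chart version can never match, the template renders zero CRDs, Helm drops them from the release and every CR is cascade-deleted — the exact outcome the comment above says this check exists to prevent. `index $existingCRD.metadata.labels ...` additionally errors when the existing CRD has no labels map at all, and `lookup` returns nothing under `helm template`/`--dry-run`, so client-side GitOps renders produce the same zero-CRD output. Treat an unlabelled CRD as one to keep (Helm still refuses to adopt a resource carrying another release's ownership metadata, which fails loudly instead of silently pruning) and only return false when a different release explicitly owns it:

```helm
{{- define "teleport-cluster.operator.checkExistingCRDs" -}}
  {{- $existingCRD := lookup "apiextensions.k8s.io/v1" "CustomResourceDefinition" "" "teleportrolesv7.resources.teleport.dev" -}}
  {{- if not $existingCRD -}}
    false
  {{- else -}}
    {{- /* A CRD created by an earlier chart version carries no release label: keep it rather than drop it from the release. */ -}}
    {{- $release := dig "metadata" "labels" "teleport.dev/release" "" $existingCRD -}}
    {{- if or (eq $release "") (eq $release (include "teleport-cluster.operator.namespacedRelease" .)) -}}
      true
    {{- else -}}
      false
    {{- end -}}
  {{- end -}}
{{- end -}}
```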
@@ -0,0 +1,24 @@ +{{- /* This template iterates over every CRD in the `operator-crds/` directory +and creates them if needed. It also adds common labels, like any other +Helm-deployed resource. + +We cannot rely on the "crds/" Helm directory as Helm's startegy is "fire and forget". +We have no way to update the CRDs after the initial deployment. As Teleport keeps +adding new field to existing CRs, we need a deployment strategy that supports +updating CRDs. + +The obvious solution would be to have a separate chart for CRs but we wanted to +have everything functional in a single "helm install", hence the rube goldberg +mechanism to try to guess what to do with the CRDs (see the implementation of +shouldInstallCRDs in _helpers.yaml for more details). */ -}} +{{- if eq (include "teleport-cluster.operator.shouldInstallCRDs" . ) "true" -}} +{{ $currentScope := .}} +{{ range $path, $_ := .Files.Glob "operator-crds/*" }} + {{- with $currentScope}} + {{- $crd := (.Files.Get $path | fromYaml) -}} + {{- $injectedCRD := mustMergeOverwrite $crd (include "teleport-cluster.operator.crdOverrides" $currentScope | fromYaml) -}} + {{- toYaml $injectedCRD -}} + {{- end }} +--- +{{ end }} +{{- end -}} diff --git a/teleport-cluster/charts/teleport-operator/templates/role.yaml b/teleport-cluster/charts/teleport-operator/templates/role.yaml index 4d4e0eb..666c2ae 100644 --- a/teleport-cluster/charts/teleport-operator/templates/role.yaml +++ b/teleport-cluster/charts/teleport-operator/templates/role.yaml @@ -31,6 +31,10 @@ rules: - teleportoktaimportrules/status - teleportaccesslists - teleportaccesslists/status + - teleportopensshserversv2 + - teleportopensshserversv2/status + - teleportopenssheiceserversv2 + - teleportopenssheiceserversv2/status verbs: - get - list diff --git a/teleport-cluster/charts/teleport-operator/tests/crds_test.yaml b/teleport-cluster/charts/teleport-operator/tests/crds_test.yaml new file mode 100644 index 0000000..13097bd --- /dev/null 
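Review bot: The CRDs rendered here carry no `helm.sh/resource-policy: keep` annotation, so whenever this template yields zero documents (`shouldInstallCRDs` evaluating to false on an upgrade, or `helm uninstall`) Helm deletes the CRDs it previously tracked and Kubernetes cascade-deletes every Teleport CR served by them. The `lookup` heuristic narrows that window but does not close it; the annotation does, and updates still apply to kept resources, which is the stated reason for moving the CRDs out of `crds/`. Add it to the object merged at `mustMergeOverwrite $crd (...)`, i.e. extend `teleport-cluster.operator.crdOverrides` with `annotations:` / `helm.sh/resource-policy: keep` under `metadata`, and note in values.yaml that removing the CRDs then requires a deliberate `kubectl delete crd`.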
+++ b/teleport-cluster/charts/teleport-operator/tests/crds_test.yaml @@ -0,0 +1,44 @@ +suite: Operator CRDs +templates: + - crds.yaml +tests: + - it: creates no CRDs when installCRDs is "never" + set: + installCRDs: "never" + enabled: true + asserts: + - hasDocuments: + count: 0 + - it: creates CRDs when installCRDs is "always" + set: + installCRDs: "always" + enabled: false + asserts: + - containsDocument: + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + name: teleportrolesv7.resources.teleport.dev + - it: labels CRDs + set: + installCRDs: "always" + enabled: false + asserts: + - equal: + path: metadata.labels.[teleport.dev/release] + value: NAMESPACE_RELEASE-NAME + - it: creates CRDs when installCRDs is "dynamic" and operator enabled + set: + installCRDs: "dynamic" + enabled: true + asserts: + - containsDocument: + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + name: teleportrolesv7.resources.teleport.dev + - it: creates no CRDs when installCRDs is "dynamic" and operator disabled (and no existing CRD) + set: + installCRDs: "dynamic" + enabled: false + asserts: + - hasDocuments: + count: 0 diff --git a/teleport-cluster/charts/teleport-operator/values.yaml b/teleport-cluster/charts/teleport-operator/values.yaml index 54ccf3c..c213d58 100644 --- a/teleport-cluster/charts/teleport-operator/values.yaml +++ b/teleport-cluster/charts/teleport-operator/values.yaml 
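Review bot: None of the five cases exercises the branch that decides whether already-installed CRDs are kept — `installCRDs: dynamic` with `enabled: false` and a CRD present, owned either by this release or by another — which is the only path in this chart that can delete data, so a regression there passes this suite unnoticed. If the helm-unittest version in use supports a `kubernetesProvider` fixture for `lookup`, add two cases seeding a `teleportrolesv7.resources.teleport.dev` CRD: one labelled `teleport.dev/release: NAMESPACE_RELEASE-NAME` expecting the CRD document, one labelled with a different release expecting zero documents. Otherwise state in the suite header that this branch is covered only by an integration test so the gap is visible.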
@@ -4,6 +4,18 @@ # - When `false`, the chart creates the `CustomResourceDefinition` resources without the operator `Deployment`. enabled: true +# installCRDs(string) -- controls if the chart should install the CRDs. +# There are 3 possible values: dynamic, always, never. +# +# - "dynamic" means the CRDs are installed if the operator is enabled or if +# the CRDs are already present in the cluster. The presence check is here to +# avoid all CRDs to be removed if you temporarily disable the operator. +# Removing CRDs triggers a cascading deletion, which removes CRs, and all the +# related resources in Teleport. +# - "always" means the CRDs are always installed +# - "never" means the CRDs are never installed +installCRDs: "dynamic" + # teleportAddress(string) -- is the address of the Teleport cluster whose resources # are managed by the operator. The address must contain both the domain name and # the port of the Teleport cluster. It can be either the address of the Auth Service diff --git a/teleport-cluster/templates/auth/_config.aws.tpl b/teleport-cluster/templates/auth/_config.aws.tpl index 9fb0863..3d04106 100644 --- a/teleport-cluster/templates/auth/_config.aws.tpl +++ b/teleport-cluster/templates/auth/_config.aws.tpl 
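Review bot: The `installCRDs` comment describes `dynamic` as checking whether the CRDs are already present in the cluster but does not say what happens without cluster access; if the check is implemented with Helm's `lookup` (the helper is not part of this diff), `lookup` returns nothing under `helm template` and client-side `--dry-run`, so a manifest rendered that way with the operator disabled omits the CRDs even though they exist, which is the cascading-deletion scenario the comment warns about. I would add to the comment: `# Note: the presence check needs cluster access; "helm template" and client-side dry-runs see no existing CRDs and render none in dynamic mode when the operator is disabled.` Wording: `avoid all CRDs to be removed` reads better as `avoid removing all CRDs`.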
@@ -1,17 +1,17 @@ {{- define "teleport-cluster.auth.config.aws" -}} -{{ include "teleport-cluster.auth.config.common" . }} +{{ mustMergeOverwrite (include "teleport-cluster.auth.config.common" . | fromYaml) (include "teleport-cluster.auth.config.aws.overrides" . | fromYaml) | toYaml }} +{{- end -}} + +{{- define "teleport-cluster.auth.config.aws.overrides" -}} +teleport: storage: type: dynamodb region: {{ required "aws.region is required in chart values" .Values.aws.region }} table_name: {{ required "aws.backendTable is required in chart values" .Values.aws.backendTable }} - {{- if .Values.aws.auditLogMirrorOnStdout }} - audit_events_uri: ['dynamodb://{{ required "aws.auditLogTable is required in chart values" .Values.aws.auditLogTable }}', 'stdout://'] - {{- else }} - audit_events_uri: ['dynamodb://{{ required "aws.auditLogTable is required in chart values" .Values.aws.auditLogTable }}'] - {{- end }} + audit_events_uri: {{- include "teleport-cluster.auth.config.aws.audit" . | nindent 4 }} audit_sessions_uri: s3://{{ required "aws.sessionRecordingBucket is required in chart values" .Values.aws.sessionRecordingBucket }} continuous_backups: {{ required "aws.backups is required in chart values" .Values.aws.backups }} - {{- if .Values.aws.dynamoAutoScaling }} + {{- if .Values.aws.dynamoAutoScaling }} auto_scaling: true billing_mode: provisioned read_min_capacity: {{ required "aws.readMinCapacity is required when aws.dynamoAutoScaling is true" .Values.aws.readMinCapacity }} 
@@ -20,7 +20,41 @@ write_min_capacity: {{ required "aws.writeMinCapacity is required when aws.dynamoAutoScaling is true" .Values.aws.writeMinCapacity }} write_max_capacity: {{ required "aws.writeMaxCapacity is required when aws.dynamoAutoScaling is true" .Values.aws.writeMaxCapacity }} write_target_value: {{ required "aws.writeTargetValue is required when aws.dynamoAutoScaling is true" .Values.aws.writeTargetValue }} - {{- else }} + {{- else }} auto_scaling: false + {{- end }} + {{- if .Values.aws.accessMonitoring.enabled }} + {{- if not .Values.aws.athenaURL }} + {{- fail "AccessMonitoring requires an Athena Event backend" }} {{- end }} +auth_service: + access_monitoring: + enabled: true + report_results: {{ .Values.aws.accessMonitoring.reportResults | quote }} + role_arn: {{ .Values.aws.accessMonitoring.roleARN | quote }} + workgroup: {{ .Values.aws.accessMonitoring.workgroup | quote }} + {{- end }} +{{- end -}} + +{{- define "teleport-cluster.auth.config.aws.audit" -}} + {{- if and .Values.aws.auditLogTable (not .Values.aws.athenaURL) -}} +- 'dynamodb://{{.Values.aws.auditLogTable}}' + {{- else if and (not .Values.aws.auditLogTable) .Values.aws.athenaURL -}} +- {{ .Values.aws.athenaURL | quote }} + {{- else if and .Values.aws.auditLogTable .Values.aws.athenaURL -}} + {{- if eq .Values.aws.auditLogPrimaryBackend "dynamo" -}} +- 'dynamodb://{{.Values.aws.auditLogTable}}' +- {{ .Values.aws.athenaURL | quote }} + {{- else if eq .Values.aws.auditLogPrimaryBackend "athena" -}} +- {{ .Values.aws.athenaURL | quote }} +- 'dynamodb://{{.Values.aws.auditLogTable}}' + {{- else -}} + {{- fail "Both Dynamo and Athena audit backends are enabled. You must specify the primary backend by setting `aws.auditLogPrimaryBackend` to either 'dynamo' or 'athena'." -}} + {{- end -}} + {{- else -}} + {{- fail "You need an audit backend. In AWS mode, you must set at least one of `aws.auditLogTable` (Dynamo) and `aws.athenaURL` (Athena)." 
-}} + {{- end -}} + {{- if .Values.aws.auditLogMirrorOnStdout }} +- 'stdout://' + {{- end -}} {{- end -}} diff --git a/teleport-cluster/templates/auth/_config.common.tpl b/teleport-cluster/templates/auth/_config.common.tpl index bdfda15..fbfdb50 100644 --- a/teleport-cluster/templates/auth/_config.common.tpl +++ b/teleport-cluster/templates/auth/_config.common.tpl @@ -49,7 +49,7 @@ auth_service: {{- end }} {{- end }} {{- if .Values.sessionRecording }} - session_recording: {{ .Values.sessionRecording }} + session_recording: {{ .Values.sessionRecording | squote }} {{- end }} {{- if .Values.proxyListenerMode }} proxy_listener_mode: {{ .Values.proxyListenerMode }} diff --git a/teleport-cluster/templates/auth/clusterrole.yaml b/teleport-cluster/templates/auth/clusterrole.yaml index 4d98efc..a1b77ad 100644 --- a/teleport-cluster/templates/auth/clusterrole.yaml +++ b/teleport-cluster/templates/auth/clusterrole.yaml @@ -1,8 +1,14 @@ {{- if .Values.rbac.create -}} +{{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: {{ .Release.Name }} + labels: + {{- include "teleport-cluster.auth.labels" . | nindent 4 }} + {{- if $auth.extraLabels.clusterRole }} + {{- toYaml $auth.extraLabels.clusterRole | nindent 4 }} + {{- end }} rules: - apiGroups: - "" diff --git a/teleport-cluster/templates/auth/clusterrolebinding.yaml b/teleport-cluster/templates/auth/clusterrolebinding.yaml index 47a4f76..97867d1 100644 --- a/teleport-cluster/templates/auth/clusterrolebinding.yaml +++ b/teleport-cluster/templates/auth/clusterrolebinding.yaml 
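Review bot: The new `access_monitoring` block emits `report_results`, `role_arn` and `workgroup` straight from `.Values.aws.accessMonitoring.*` through `quote` only, so a value left unset renders as `""` instead of failing, unlike every other AWS setting in this template, which goes through `required`. If any of the three is mandatory on the Teleport side (`role_arn` at least looks like it is), wrapping it the same way keeps the failure at install time rather than at auth startup: `role_arn: {{ required "aws.accessMonitoring.roleARN is required when aws.accessMonitoring.enabled is true" .Values.aws.accessMonitoring.roleARN | quote }}`, and likewise for `reportResults` and `workgroup`. The `fail` guard on `athenaURL` is good; a one-line comment above it saying why Athena is a prerequisite for access monitoring would help the next reader.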
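Review bot: `squote` on the changed `session_recording` line wraps the value in single quotes without escaping, whereas the new AWS override values in this commit use `quote`, which does escape its input, so the two templates now quote scalars two different ways. `session_recording: {{ .Values.sessionRecording | quote }}` gives the same protection against `off` being parsed as a boolean and keeps one convention across the chart. The neighbouring context line `proxy_listener_mode: {{ .Values.proxyListenerMode }}` is still unquoted; its values are not YAML-typed today, but quoting it the same way would be consistent.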
@@ -1,9 +1,14 @@ {{- if .Values.rbac.create -}} +{{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: {{ .Release.Namespace }}-{{ .Release.Name }} - labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }} + labels: + {{- include "teleport-cluster.auth.labels" . | nindent 4 }} + {{- if $auth.extraLabels.clusterRoleBinding }} + {{- toYaml $auth.extraLabels.clusterRoleBinding | nindent 4 }} + {{- end }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -19,7 +24,11 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: {{ .Release.Namespace}}-{{ .Release.Name }}-auth - labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }} + labels: + {{- include "teleport-cluster.auth.labels" . | nindent 4 }} + {{- if $auth.extraLabels.clusterRoleBinding }} + {{- toYaml $auth.extraLabels.clusterRoleBinding | nindent 4 }} + {{- end }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole diff --git a/teleport-cluster/templates/auth/config.yaml b/teleport-cluster/templates/auth/config.yaml index 2e19cbf..99fe59e 100644 --- a/teleport-cluster/templates/auth/config.yaml +++ b/teleport-cluster/templates/auth/config.yaml @@ -5,7 +5,11 @@ kind: ConfigMap metadata: name: {{ .Release.Name }}-auth namespace: {{ .Release.Namespace }} - labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }} + labels: + {{- include "teleport-cluster.auth.labels" . | nindent 4 }} + {{- if $auth.extraLabels.config }} + {{- toYaml $auth.extraLabels.config | nindent 4 }} + {{- end }} {{- if $auth.annotations.config }} annotations: {{- toYaml $auth.annotations.config | nindent 4 }} {{- end }} @@ -119,6 +123,14 @@ data: - read - update - delete + - resources: + - node + verbs: + - list + - create + - read + - update + - delete deny: {} version: v7 --- 
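Review bot: In the `auth/config.yaml` hunk at `@@ -119,6 +123,14 @@`, the new `allow` rule grants `create`, `update` and `delete` on `node` resources in addition to the read verbs, which is a privilege widening for whatever Teleport role this block defines (the role's name sits above the hunk; presumably the operator role from `apply-on-startup`), since a `node` resource is a registered server and write access on it means the role holder can change the server inventory. Nothing in the hunk says why it is needed; given that `role.yaml` in the same commit adds the `teleportopensshserversv2` CRs, I would put `# node write access is required for the operator to reconcile TeleportOpenSSHServerV2 resources` (adjusted to the actual reason) above `- resources:`, and confirm the role is bound only to the operator's identity.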
diff --git a/teleport-cluster/templates/auth/deployment.yaml b/teleport-cluster/templates/auth/deployment.yaml index dcc9bc4..7dc0901 100644 --- a/teleport-cluster/templates/auth/deployment.yaml +++ b/teleport-cluster/templates/auth/deployment.yaml @@ -9,6 +9,9 @@ metadata: labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }} app: {{ .Release.Name }} + {{- if $auth.extraLabels.deployment }} + {{- toYaml $auth.extraLabels.deployment | nindent 4 }} + {{- end }} {{- if $auth.annotations.deployment }} annotations: {{- toYaml $auth.annotations.deployment | nindent 4 }} {{- end }} @@ -43,6 +46,9 @@ spec: labels: {{- include "teleport-cluster.auth.labels" . | nindent 8 }} app: {{ .Release.Name }} + {{- if $auth.extraLabels.pod }} + {{- toYaml $auth.extraLabels.pod | nindent 8 }} + {{- end }} {{- if eq $auth.chartMode "azure"}} azure.workload.identity/use: "true" {{- end }} @@ -287,6 +293,9 @@ spec: {{- end }} {{- if $auth.priorityClassName }} priorityClassName: {{ $auth.priorityClassName }} +{{- end }} +{{- if $auth.podSecurityContext }} + securityContext: {{- toYaml $auth.podSecurityContext | nindent 8 }} {{- end }} serviceAccountName: {{ include "teleport-cluster.auth.serviceAccountName" . }} terminationGracePeriodSeconds: {{ $auth.terminationGracePeriodSeconds }} diff --git a/teleport-cluster/templates/auth/pdb.yaml b/teleport-cluster/templates/auth/pdb.yaml index 0109589..02983f7 100644 --- a/teleport-cluster/templates/auth/pdb.yaml +++ b/teleport-cluster/templates/auth/pdb.yaml @@ -9,7 +9,11 @@ kind: PodDisruptionBudget metadata: name: {{ .Release.Name }}-auth namespace: {{ .Release.Namespace }} - labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }} + labels: + {{- include "teleport-cluster.auth.labels" . | nindent 4 }} + {{- if $auth.extraLabels.podDisruptionBudget }} + {{- toYaml $auth.extraLabels.podDisruptionBudget | nindent 4 }} + {{- end }} spec: minAvailable: {{ $auth.highAvailability.podDisruptionBudget.minAvailable }} selector: 
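Review bot: The new `podSecurityContext` stanza in the `@@ -287,6 +293,9 @@` hunk (and the identical one on the proxy Deployment in this commit) is rendered only when the value is non-empty, and the default in values.yaml is not in this diff; if it defaults to an empty map, pods still get no pod-level `securityContext`, so settings usually applied at pod level such as `fsGroup`, `seccompProfile` and `runAsNonRoot` are absent unless users opt in. A hardened default in values.yaml, for example `seccompProfile: {type: RuntimeDefault}`, would move the chart closer to the Pod Security `restricted` profile out of the box, assuming the existing container-level `securityContext` covers the rest; either way the value deserves a comment stating what the chart sets by default. The stanza's column-0 `{{- if` matches the surrounding `priorityClassName` block, so the indentation is fine.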
diff --git a/teleport-cluster/templates/auth/predeploy_config.yaml b/teleport-cluster/templates/auth/predeploy_config.yaml index 1419440..e866df4 100644 --- a/teleport-cluster/templates/auth/predeploy_config.yaml +++ b/teleport-cluster/templates/auth/predeploy_config.yaml @@ -6,7 +6,11 @@ kind: ConfigMap metadata: name: {{ .Release.Name }}-auth-test namespace: {{ .Release.Namespace }} - labels: {{- include "teleport-cluster.labels" . | nindent 4 }} + labels: + {{- include "teleport-cluster.auth.labels" . | nindent 4 }} + {{- if $auth.extraLabels.config }} + {{- toYaml $auth.extraLabels.config | nindent 4 }} + {{- end }} annotations: "helm.sh/hook": pre-install,pre-upgrade "helm.sh/hook-weight": "4" diff --git a/teleport-cluster/templates/auth/predeploy_job.yaml b/teleport-cluster/templates/auth/predeploy_job.yaml index a03225d..a8edf70 100644 --- a/teleport-cluster/templates/auth/predeploy_job.yaml +++ b/teleport-cluster/templates/auth/predeploy_job.yaml @@ -5,7 +5,11 @@ kind: Job metadata: name: {{ .Release.Name }}-auth-test namespace: {{ .Release.Namespace }} - labels: {{- include "teleport-cluster.labels" . | nindent 4 }} + labels: + {{- include "teleport-cluster.labels" . | nindent 4 }} + {{- if $auth.extraLabels.job }} + {{- toYaml $auth.extraLabels.job | nindent 4 }} + {{- end }} annotations: "helm.sh/hook": pre-install,pre-upgrade "helm.sh/hook-weight": "5" diff --git a/teleport-cluster/templates/auth/pvc.yaml b/teleport-cluster/templates/auth/pvc.yaml index 640e3eb..8d2c07c 100644 --- a/teleport-cluster/templates/auth/pvc.yaml +++ b/teleport-cluster/templates/auth/pvc.yaml 
@@ -9,7 +9,11 @@ kind: PersistentVolumeClaim metadata: name: {{ .Release.Name }} namespace: {{ .Release.Namespace }} - labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }} + labels: + {{- include "teleport-cluster.auth.labels" . | nindent 4 }} + {{- if $auth.extraLabels.persistentVolumeClaim }} + {{- toYaml $auth.extraLabels.persistentVolumeClaim | nindent 4 }} + {{- end }} spec: accessModes: - ReadWriteOnce diff --git a/teleport-cluster/templates/auth/service-previous-version.yaml b/teleport-cluster/templates/auth/service-previous-version.yaml index 75b4b06..9f17d27 100644 --- a/teleport-cluster/templates/auth/service-previous-version.yaml +++ b/teleport-cluster/templates/auth/service-previous-version.yaml @@ -1,9 +1,14 @@ +{{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}} apiVersion: v1 kind: Service metadata: name: {{ include "teleport-cluster.auth.previousVersionServiceName" . }} namespace: {{ .Release.Namespace }} - labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }} + labels: + {{- include "teleport-cluster.auth.labels" . | nindent 4 }} + {{- if $auth.extraLabels.service }} + {{- toYaml $auth.extraLabels.service | nindent 4 }} + {{- end }} spec: # This is a headless service. Resolving it will return the list of all auth pods running the previous major version # Proxies should not connect to auth pods from the previous major version @@ -20,7 +25,11 @@ kind: Service metadata: name: {{ include "teleport-cluster.auth.currentVersionServiceName" . }} namespace: {{ .Release.Namespace }} - labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }} + labels: + {{- include "teleport-cluster.auth.labels" . | nindent 4 }} + {{- if $auth.extraLabels.service }} + {{- toYaml $auth.extraLabels.service | nindent 4 }} + {{- end }} spec: # This is a headless service. Resolving it will return the list of all auth pods running the current major version clusterIP: "None" 
diff --git a/teleport-cluster/templates/auth/service.yaml b/teleport-cluster/templates/auth/service.yaml index e5175fb..6e45b48 100644 --- a/teleport-cluster/templates/auth/service.yaml +++ b/teleport-cluster/templates/auth/service.yaml @@ -4,7 +4,11 @@ kind: Service metadata: name: {{ include "teleport-cluster.auth.serviceName" . }} namespace: {{ .Release.Namespace }} - labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }} + labels: + {{- include "teleport-cluster.auth.labels" . | nindent 4 }} + {{- if $auth.extraLabels.service }} + {{- toYaml $auth.extraLabels.service | nindent 4 }} + {{- end }} {{- if $auth.annotations.service }} annotations: {{- toYaml $auth.annotations.service | nindent 4 }} {{- end }} diff --git a/teleport-cluster/templates/auth/serviceaccount.yaml b/teleport-cluster/templates/auth/serviceaccount.yaml index 2ee2e1a..0eb96f0 100644 --- a/teleport-cluster/templates/auth/serviceaccount.yaml +++ b/teleport-cluster/templates/auth/serviceaccount.yaml @@ -5,6 +5,11 @@ kind: ServiceAccount metadata: name: {{ template "teleport-cluster.auth.serviceAccountName" . }} namespace: {{ .Release.Namespace }} + labels: + {{- include "teleport-cluster.auth.labels" . | nindent 4 }} + {{- if $auth.extraLabels.serviceAccount }} + {{- toYaml $auth.extraLabels.serviceAccount | nindent 4 }} + {{- end }} {{- if or $auth.annotations.serviceAccount $auth.azure.clientID }} annotations: {{- if $auth.annotations.serviceAccount }} diff --git a/teleport-cluster/templates/proxy/certificate.yaml b/teleport-cluster/templates/proxy/certificate.yaml index d2a4dbd..7693722 100644 --- a/teleport-cluster/templates/proxy/certificate.yaml +++ b/teleport-cluster/templates/proxy/certificate.yaml 
@@ -22,7 +22,8 @@ kind: Certificate metadata: name: {{ .Release.Name }} namespace: {{ .Release.Namespace }} - labels: {{- include "teleport-cluster.proxy.labels" . | nindent 4 }} + labels: + {{- include "teleport-cluster.proxy.labels" . | nindent 4 }} spec: secretName: teleport-tls {{- if $proxy.highAvailability.certManager.addCommonName }} @@ -36,8 +37,13 @@ spec: name: {{ required "highAvailability.certManager.issuerName is required in chart values" $proxy.highAvailability.certManager.issuerName }} kind: {{ required "highAvailability.certManager.issuerKind is required in chart values" $proxy.highAvailability.certManager.issuerKind }} group: {{ required "highAvailability.certManager.issuerGroup is required in chart values" $proxy.highAvailability.certManager.issuerGroup }} - {{- with $proxy.annotations.certSecret }} + {{- if or $proxy.annotations.certSecret $proxy.extraLabels.certSecret }} secretTemplate: + {{- with $proxy.annotations.certSecret }} annotations: {{- toYaml . | nindent 6 }} + {{- end }} + {{- with $proxy.extraLabels.certSecret }} + labels: {{- toYaml . | nindent 6 }} + {{- end }} {{- end }} {{- end }} diff --git a/teleport-cluster/templates/proxy/config.yaml b/teleport-cluster/templates/proxy/config.yaml index 8cd7788..9154ef0 100644 --- a/teleport-cluster/templates/proxy/config.yaml +++ b/teleport-cluster/templates/proxy/config.yaml @@ -8,6 +8,11 @@ kind: ConfigMap metadata: name: {{ .Release.Name }}-proxy namespace: {{ .Release.Namespace }} + labels: + {{- include "teleport-cluster.proxy.labels" . | nindent 4 }} + {{- if $proxy.extraLabels.config }} + {{- toYaml $proxy.extraLabels.config | nindent 4 }} + {{- end }} {{- if $proxy.annotations.config }} annotations: {{- toYaml $proxy.annotations.config | nindent 4 }} {{- end }} diff --git a/teleport-cluster/templates/proxy/deployment.yaml b/teleport-cluster/templates/proxy/deployment.yaml index 0011b4c..fc55fdd 100644 --- a/teleport-cluster/templates/proxy/deployment.yaml 
+++ b/teleport-cluster/templates/proxy/deployment.yaml @@ -13,7 +13,11 @@ kind: Deployment metadata: name: {{ .Release.Name }}-proxy namespace: {{ .Release.Namespace }} - labels: {{- include "teleport-cluster.proxy.labels" . | nindent 4 }} + labels: + {{- include "teleport-cluster.proxy.labels" . | nindent 4 }} + {{- if $proxy.extraLabels.deployment }} + {{- toYaml $proxy.extraLabels.deployment | nindent 4 }} + {{- end }} {{- if $proxy.annotations.deployment }} annotations: {{- toYaml $proxy.annotations.deployment | nindent 4 }} {{- end }} @@ -49,7 +53,11 @@ spec: {{- if $proxy.annotations.pod }} {{- toYaml $proxy.annotations.pod | nindent 8 }} {{- end }} - labels: {{- include "teleport-cluster.proxy.labels" . | nindent 8 }} + labels: + {{- include "teleport-cluster.proxy.labels" . | nindent 8 }} + {{- if $proxy.extraLabels.pod }} + {{- toYaml $proxy.extraLabels.pod | nindent 8 }} + {{- end }} spec: {{- if $proxy.nodeSelector }} nodeSelector: {{- toYaml $proxy.nodeSelector | nindent 8 }} @@ -109,6 +117,17 @@ spec: - wait - no-resolve - '{{ include "teleport-cluster.auth.previousVersionServiceName" . }}.{{ .Release.Namespace }}.svc.cluster.local' +# propagating through the limits from the main resources section would double the requested amounts +# and may prevent scheduling on the cluster. as such, we hardcode small limits for this tiny container. +{{- if $proxy.resources }} + resources: + requests: + cpu: 0.1 + memory: 256Mi + limits: + cpu: 1 + memory: 512Mi +{{- end }} {{- if $proxy.securityContext }} securityContext: {{- toYaml $proxy.securityContext | nindent 12 }} {{- end }} 
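Review bot: The `wait-auth-update` init container's requests and limits in the `@@ -109,6 +117,17 @@` hunk are hard-coded (`cpu: 0.1`/`1`, `memory: 256Mi`/`512Mi`) with no values override, so a namespace whose `LimitRange` or `ResourceQuota` rejects those numbers (a max CPU below 1, or a min memory above 256Mi) cannot deploy the proxy except by unsetting `proxy.resources`, which presumably also drops the limits on the main container. A dedicated value (say `proxy.initContainerResources`, a constructed name) defaulting to these numbers and rendered with `toYaml ... | nindent 12` keeps the sane default and restores the escape hatch. The rationale comment is useful; it sits at column 0 inside the container list, which is valid YAML, but it would read better indented with the `resources:` key it describes.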
@@ -305,6 +324,9 @@ spec: {{- end }} {{- if $proxy.priorityClassName }} priorityClassName: {{ $proxy.priorityClassName }} +{{- end }} +{{- if $proxy.podSecurityContext }} + securityContext: {{- toYaml $proxy.podSecurityContext | nindent 8 }} {{- end }} serviceAccountName: {{ include "teleport-cluster.proxy.serviceAccountName" . }} terminationGracePeriodSeconds: {{ $proxy.terminationGracePeriodSeconds }} diff --git a/teleport-cluster/templates/proxy/ingress.yaml b/teleport-cluster/templates/proxy/ingress.yaml index e0a2e38..82ddea2 100644 --- a/teleport-cluster/templates/proxy/ingress.yaml +++ b/teleport-cluster/templates/proxy/ingress.yaml @@ -23,7 +23,11 @@ kind: Ingress metadata: name: {{ .Release.Name }}-proxy namespace: {{ .Release.Namespace }} - labels: {{- include "teleport-cluster.proxy.labels" . | nindent 4 }} + labels: + {{- include "teleport-cluster.proxy.labels" . | nindent 4 }} + {{- if $proxy.extraLabels.ingress }} + {{- toYaml $proxy.extraLabels.ingress | nindent 4 }} + {{- end }} {{- if $proxy.annotations.ingress }} annotations: {{- toYaml $proxy.annotations.ingress | nindent 4 }} {{- end }} diff --git a/teleport-cluster/templates/proxy/pdb.yaml b/teleport-cluster/templates/proxy/pdb.yaml index f220031..2d19843 100644 --- a/teleport-cluster/templates/proxy/pdb.yaml +++ b/teleport-cluster/templates/proxy/pdb.yaml @@ -9,7 +9,11 @@ kind: PodDisruptionBudget metadata: name: {{ .Release.Name }}-proxy namespace: {{ .Release.Namespace }} - labels: {{- include "teleport-cluster.proxy.labels" . | nindent 4 }} + labels: + {{- include "teleport-cluster.proxy.labels" . | nindent 4 }} + {{- if $proxy.extraLabels.podDisruptionBudget }} + {{- toYaml $proxy.extraLabels.podDisruptionBudget | nindent 4 }} + {{- end }} spec: minAvailable: {{ $proxy.highAvailability.podDisruptionBudget.minAvailable }} selector: diff --git a/teleport-cluster/templates/proxy/predeploy_config.yaml b/teleport-cluster/templates/proxy/predeploy_config.yaml index 6e2d374..4ef166a 100644 
--- a/teleport-cluster/templates/proxy/predeploy_config.yaml +++ b/teleport-cluster/templates/proxy/predeploy_config.yaml @@ -6,6 +6,11 @@ kind: ConfigMap metadata: name: {{ .Release.Name }}-proxy-test namespace: {{ .Release.Namespace }} + labels: + {{- include "teleport-cluster.proxy.labels" . | nindent 4 }} + {{- if $proxy.extraLabels.config }} + {{- toYaml $proxy.extraLabels.config | nindent 4 }} + {{- end }} annotations: "helm.sh/hook": pre-install,pre-upgrade "helm.sh/hook-weight": "4" diff --git a/teleport-cluster/templates/proxy/predeploy_job.yaml b/teleport-cluster/templates/proxy/predeploy_job.yaml index e0fb551..a0d8547 100644 --- a/teleport-cluster/templates/proxy/predeploy_job.yaml +++ b/teleport-cluster/templates/proxy/predeploy_job.yaml @@ -5,7 +5,11 @@ kind: Job metadata: name: {{ .Release.Name }}-proxy-test namespace: {{ .Release.Namespace }} - labels: {{- include "teleport-cluster.labels" . | nindent 4 }} + labels: + {{- include "teleport-cluster.proxy.labels" . | nindent 4 }} + {{- if $proxy.extraLabels.job }} + {{- toYaml $proxy.extraLabels.job | nindent 4 }} + {{- end }} annotations: "helm.sh/hook": pre-install,pre-upgrade "helm.sh/hook-weight": "5" diff --git a/teleport-cluster/templates/proxy/service.yaml b/teleport-cluster/templates/proxy/service.yaml index b7e9c27..4b453e5 100644 --- a/teleport-cluster/templates/proxy/service.yaml +++ b/teleport-cluster/templates/proxy/service.yaml @@ -9,7 +9,11 @@ kind: Service metadata: name: {{ .Release.Name }} namespace: {{ .Release.Namespace }} - labels: {{- include "teleport-cluster.proxy.labels" . | nindent 4 }} + labels: + {{- include "teleport-cluster.proxy.labels" . | nindent 4 }} + {{- if $proxy.extraLabels.service }} + {{- toYaml $proxy.extraLabels.service | nindent 4 }} + {{- end }} {{- if (or ($proxy.annotations.service) (eq $proxy.chartMode "aws")) }} annotations: {{- if and (eq $proxy.chartMode "aws") (not $proxy.ingress.enabled) }} 
diff --git a/teleport-cluster/templates/proxy/serviceaccount.yaml b/teleport-cluster/templates/proxy/serviceaccount.yaml index 66a9c4b..7f5ecd8 100644 --- a/teleport-cluster/templates/proxy/serviceaccount.yaml +++ b/teleport-cluster/templates/proxy/serviceaccount.yaml @@ -5,6 +5,11 @@ kind: ServiceAccount metadata: name: {{ include "teleport-cluster.proxy.serviceAccountName" . }} namespace: {{ .Release.Namespace }} + labels: + {{- include "teleport-cluster.proxy.labels" . | nindent 4 }} + {{- if $proxy.extraLabels.serviceAccount }} + {{- toYaml $proxy.extraLabels.serviceAccount | nindent 4 }} + {{- end }} {{- if $proxy.annotations.serviceAccount }} annotations: {{- toYaml $proxy.annotations.serviceAccount | nindent 4 }} {{- end -}} diff --git a/teleport-cluster/tests/__snapshot__/auth_clusterrole_test.yaml.snap b/teleport-cluster/tests/__snapshot__/auth_clusterrole_test.yaml.snap index 58a9d76..1ba2acd 100644 --- a/teleport-cluster/tests/__snapshot__/auth_clusterrole_test.yaml.snap +++ b/teleport-cluster/tests/__snapshot__/auth_clusterrole_test.yaml.snap @@ -3,6 +3,14 @@ adds operator permissions to ClusterRole: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + labels: + app.kubernetes.io/component: auth + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: teleport-cluster + app.kubernetes.io/version: 15.3.3 + helm.sh/chart: teleport-cluster-15.3.3 + teleport.dev/majorVersion: "15" name: RELEASE-NAME rules: - apiGroups: diff --git a/teleport-cluster/tests/__snapshot__/auth_config_test.yaml.snap b/teleport-cluster/tests/__snapshot__/auth_config_test.yaml.snap index bd5c995..d10c26b 100644 --- a/teleport-cluster/tests/__snapshot__/auth_config_test.yaml.snap +++ b/teleport-cluster/tests/__snapshot__/auth_config_test.yaml.snap 
@@ -13,6 +13,124 @@ adds a proxy token by default: kubernetes: allow: - service_account: "NAMESPACE:RELEASE-NAME-proxy" +configures access monitoring when its values are set: + 1: | + |- + auth_service: + access_monitoring: + enabled: true + report_results: s3://example-athena-long-term/report_results + role_arn: arn:aws:iam::123456789012:role/example_AccessMonitoringRole + workgroup: example_access_monitoring_workgroup + authentication: + local_auth: true + second_factor: "on" + type: local + webauthn: + rp_id: test-aws-cluster + cluster_name: test-aws-cluster + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: test-aws-cluster + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + storage: + audit_events_uri: + - athena://db.table?topicArn=arn:aws:sns:region:account_id:topic_name + audit_sessions_uri: s3://test-s3-session-storage-bucket + auto_scaling: false + continuous_backups: false + region: us-west-2 + table_name: test-dynamodb-backend-table + type: dynamodb + version: v3 +keeps the second factor type even when it's "off": + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factor: "off" + type: local + cluster_name: helm-lint + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: helm-lint + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 +keeps the 
session_recording type even when it's "off": + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factor: "on" + type: local + webauthn: + rp_id: helm-lint + cluster_name: helm-lint + enabled: true + proxy_listener_mode: separate + session_recording: "off" + kubernetes_service: + enabled: true + kube_cluster_name: helm-lint + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 matches snapshot for acme-off.yaml: 1: | |- 
@@ -1673,3 +1791,139 @@ matches snapshot for volumes.yaml: output: stderr severity: INFO version: v3 +uses athena as primary backend when configured: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factor: "on" + type: local + webauthn: + rp_id: teleport.example.com + cluster_name: teleport.example.com + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: teleport.example.com + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + storage: + audit_events_uri: + - athena://db.table?topicArn=arn:aws:sns:region:account_id:topic_name + - dynamodb://my-dynamodb-table + audit_sessions_uri: s3://asd + auto_scaling: false + continuous_backups: false + region: asd + table_name: asd + type: dynamodb + version: v3 +uses athena, dynamo, and stdout when everything is on: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factor: "on" + type: local + webauthn: + rp_id: teleport.example.com + cluster_name: teleport.example.com + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: teleport.example.com + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + storage: + audit_events_uri: + - athena://db.table?topicArn=arn:aws:sns:region:account_id:topic_name + - dynamodb://my-dynamodb-table + - stdout:// + audit_sessions_uri: s3://asd + auto_scaling: false + continuous_backups: false 
+ region: asd + table_name: asd + type: dynamodb + version: v3 +uses dynamo as primary backend when configured: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factor: "on" + type: local + webauthn: + rp_id: teleport.example.com + cluster_name: teleport.example.com + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: teleport.example.com + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + storage: + audit_events_uri: + - dynamodb://my-dynamodb-table + - athena://db.table?topicArn=arn:aws:sns:region:account_id:topic_name + audit_sessions_uri: s3://asd + auto_scaling: false + continuous_backups: false + region: asd + table_name: asd + type: dynamodb + version: v3 diff --git a/teleport-cluster/tests/__snapshot__/auth_deployment_test.yaml.snap b/teleport-cluster/tests/__snapshot__/auth_deployment_test.yaml.snap index d79acae..247e617 100644 --- a/teleport-cluster/tests/__snapshot__/auth_deployment_test.yaml.snap +++ b/teleport-cluster/tests/__snapshot__/auth_deployment_test.yaml.snap @@ -8,7 +8,7 @@ - args: - --diag-addr=0.0.0.0:3000 - --apply-on-startup=/etc/teleport/apply-on-startup.yaml - image: public.ecr.aws/gravitational/teleport-distroless:15.0.1 + image: public.ecr.aws/gravitational/teleport-distroless:15.3.3 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -141,7 +141,7 @@ should set nodeSelector when set in values: - args: - --diag-addr=0.0.0.0:3000 - --apply-on-startup=/etc/teleport/apply-on-startup.yaml - image: public.ecr.aws/gravitational/teleport-distroless:15.0.1 + image: public.ecr.aws/gravitational/teleport-distroless:15.3.3 imagePullPolicy: IfNotPresent lifecycle: preStop: 
@@ -238,7 +238,7 @@ should set resources when set in values: - args: - --diag-addr=0.0.0.0:3000 - --apply-on-startup=/etc/teleport/apply-on-startup.yaml - image: public.ecr.aws/gravitational/teleport-distroless:15.0.1 + image: public.ecr.aws/gravitational/teleport-distroless:15.3.3 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -324,7 +324,7 @@ should set securityContext when set in values: - args: - --diag-addr=0.0.0.0:3000 - --apply-on-startup=/etc/teleport/apply-on-startup.yaml - image: public.ecr.aws/gravitational/teleport-distroless:15.0.1 + image: public.ecr.aws/gravitational/teleport-distroless:15.3.3 imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/teleport-cluster/tests/__snapshot__/proxy_deployment_test.yaml.snap b/teleport-cluster/tests/__snapshot__/proxy_deployment_test.yaml.snap index ea3f3b7..c9ae167 100644 --- a/teleport-cluster/tests/__snapshot__/proxy_deployment_test.yaml.snap +++ b/teleport-cluster/tests/__snapshot__/proxy_deployment_test.yaml.snap @@ -5,8 +5,15 @@ should provision initContainer correctly when set in values: - wait - no-resolve - RELEASE-NAME-auth-v14.NAMESPACE.svc.cluster.local - image: public.ecr.aws/gravitational/teleport-distroless:15.0.1 + image: public.ecr.aws/gravitational/teleport-distroless:15.3.3 name: wait-auth-update + resources: + limits: + cpu: 1 + memory: 512Mi + requests: + cpu: 0.1 + memory: 256Mi - args: - echo test image: alpine @@ -62,7 +69,7 @@ should set nodeSelector when set in values: containers: - args: - --diag-addr=0.0.0.0:3000 - image: public.ecr.aws/gravitational/teleport-distroless:15.0.1 + image: public.ecr.aws/gravitational/teleport-distroless:15.3.3 imagePullPolicy: IfNotPresent lifecycle: preStop: 
@@ -123,7 +130,7 @@ should set nodeSelector when set in values: - wait - no-resolve - RELEASE-NAME-auth-v14.NAMESPACE.svc.cluster.local - image: public.ecr.aws/gravitational/teleport-distroless:15.0.1 + image: public.ecr.aws/gravitational/teleport-distroless:15.3.3 name: wait-auth-update nodeSelector: environment: security @@ -166,7 +173,7 @@ should set required affinity when highAvailability.requireAntiAffinity is set: values: - proxy topologyKey: kubernetes.io/hostname -should set resources when set in values: +should set resources for wait-auth-update initContainer when set in values: 1: | affinity: podAntiAffinity: null @@ -174,7 +181,7 @@ should set resources when set in values: containers: - args: - --diag-addr=0.0.0.0:3000 - image: public.ecr.aws/gravitational/teleport-distroless:15.0.1 + image: public.ecr.aws/gravitational/teleport-distroless:15.3.3 imagePullPolicy: IfNotPresent lifecycle: preStop: 
@@ -242,8 +249,123 @@ should set resources when set in values: - wait - no-resolve - RELEASE-NAME-auth-v14.NAMESPACE.svc.cluster.local - image: public.ecr.aws/gravitational/teleport-distroless:15.0.1 + image: public.ecr.aws/gravitational/teleport-distroless:15.3.3 name: wait-auth-update + resources: + limits: + cpu: 1 + memory: 512Mi + requests: + cpu: 0.1 + memory: 256Mi + serviceAccountName: RELEASE-NAME-proxy + terminationGracePeriodSeconds: 60 + volumes: + - name: proxy-serviceaccount-token + projected: + sources: + - serviceAccountToken: + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.namespace + path: namespace + - configMap: + name: RELEASE-NAME-proxy + name: config + - emptyDir: {} + name: data +should set resources when set in values: + 1: | + affinity: + podAntiAffinity: null + automountServiceAccountToken: false + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: public.ecr.aws/gravitational/teleport-distroless:15.3.3 + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - teleport + - wait + - duration + - 30s + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3080 + name: tls + protocol: TCP + - containerPort: 3023 + name: sshproxy + protocol: TCP + - containerPort: 3024 + name: sshtun + protocol: TCP + - containerPort: 3026 + name: kube + protocol: TCP + - containerPort: 3036 + name: mysql + protocol: TCP + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + resources: + limits: + cpu: 2 + memory: 4Gi + requests: + cpu: 1 + memory: 2Gi + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: 
/var/lib/teleport + name: data + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: proxy-serviceaccount-token + readOnly: true + initContainers: + - command: + - teleport + - wait + - no-resolve + - RELEASE-NAME-auth-v14.NAMESPACE.svc.cluster.local + image: public.ecr.aws/gravitational/teleport-distroless:15.3.3 + name: wait-auth-update + resources: + limits: + cpu: 1 + memory: 512Mi + requests: + cpu: 0.1 + memory: 256Mi serviceAccountName: RELEASE-NAME-proxy terminationGracePeriodSeconds: 60 volumes: @@ -275,7 +397,7 @@ should set securityContext for initContainers when set in values: containers: - args: - --diag-addr=0.0.0.0:3000 - image: public.ecr.aws/gravitational/teleport-distroless:15.0.1 + image: public.ecr.aws/gravitational/teleport-distroless:15.3.3 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -343,7 +465,7 @@ should set securityContext for initContainers when set in values: - wait - no-resolve - RELEASE-NAME-auth-v14.NAMESPACE.svc.cluster.local - image: public.ecr.aws/gravitational/teleport-distroless:15.0.1 + image: public.ecr.aws/gravitational/teleport-distroless:15.3.3 name: wait-auth-update securityContext: allowPrivilegeEscalation: false @@ -383,7 +505,7 @@ should set securityContext when set in values: containers: - args: - --diag-addr=0.0.0.0:3000 - image: public.ecr.aws/gravitational/teleport-distroless:15.0.1 + image: public.ecr.aws/gravitational/teleport-distroless:15.3.3 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -451,7 +573,7 @@ should set securityContext when set in values: - wait - no-resolve - RELEASE-NAME-auth-v14.NAMESPACE.svc.cluster.local - image: public.ecr.aws/gravitational/teleport-distroless:15.0.1 + image: public.ecr.aws/gravitational/teleport-distroless:15.3.3 name: wait-auth-update securityContext: allowPrivilegeEscalation: false diff --git a/teleport-cluster/tests/auth_clusterrole_test.yaml b/teleport-cluster/tests/auth_clusterrole_test.yaml index 6e26d74..a3ab5d8 100644 
--- a/teleport-cluster/tests/auth_clusterrole_test.yaml +++ b/teleport-cluster/tests/auth_clusterrole_test.yaml @@ -17,3 +17,20 @@ tests: - isKind: of: ClusterRole - matchSnapshot: {} + - it: sets extraLabels on ClusterRole + set: + extraLabels: + clusterRole: + foo: bar + baz: override-me + auth: + extraLabels: + clusterRole: + baz: overridden + asserts: + - equal: + path: metadata.labels.foo + value: bar + - equal: + path: metadata.labels.baz + value: overridden diff --git a/teleport-cluster/tests/auth_clusterrolebinding_test.yaml b/teleport-cluster/tests/auth_clusterrolebinding_test.yaml index 45117b1..2ac15aa 100644 --- a/teleport-cluster/tests/auth_clusterrolebinding_test.yaml +++ b/teleport-cluster/tests/auth_clusterrolebinding_test.yaml @@ -18,3 +18,21 @@ tests: content: kind: ServiceAccount name: "helm-lint" + + - it: sets extraLabels on ClusterRoleBindings + set: + extraLabels: + clusterRoleBinding: + foo: bar + baz: override-me + auth: + extraLabels: + clusterRoleBinding: + baz: overridden + asserts: + - equal: + path: metadata.labels.foo + value: bar + - equal: + path: metadata.labels.baz + value: overridden diff --git a/teleport-cluster/tests/auth_config_test.yaml b/teleport-cluster/tests/auth_config_test.yaml index ea2ed14..185b453 100644 --- a/teleport-cluster/tests/auth_config_test.yaml +++ b/teleport-cluster/tests/auth_config_test.yaml 
@@ -510,3 +510,180 @@ tests: - matchRegex: path: data.teleport\.yaml pattern: 'billing_mode: provisioned' + + - it: fails when no audit backend is configured + set: + chartMode: aws + clusterName: "teleport.example.com" + aws: + region: asd + backendTable: asd + sessionRecordingBucket: asd + asserts: + - failedTemplate: + errorMessage: "You need an audit backend. In AWS mode, you must set at least one of `aws.auditLogTable` (Dynamo) and `aws.athenaURL` (Athena)." + + - it: configures dynamo when dynamo is set + set: + chartMode: aws + clusterName: "teleport.example.com" + aws: + region: asd + backendTable: asd + sessionRecordingBucket: asd + auditLogTable: my-dynamodb-table + asserts: + - matchRegex: + path: data.teleport\.yaml + pattern: '- dynamodb://my-dynamodb-table' + + - it: configures athena when athenaURL is set + set: + chartMode: aws + clusterName: "teleport.example.com" + aws: + region: asd + backendTable: asd + sessionRecordingBucket: asd + athenaURL: 'athena://db.table?topicArn=arn:aws:sns:region:account_id:topic_name' + asserts: + - matchRegex: + path: data.teleport\.yaml + pattern: '- athena://db.table' + + - it: configures dynamo and stdout when dynamo is set and mirroring is on + set: + chartMode: aws + clusterName: "teleport.example.com" + aws: + region: asd + backendTable: asd + sessionRecordingBucket: asd + auditLogTable: my-dynamodb-table + auditLogMirrorOnStdout: true + asserts: + - matchRegex: + path: data.teleport\.yaml + pattern: '- dynamodb://my-dynamodb-table' + - matchRegex: + path: data.teleport\.yaml + pattern: '- stdout://' + + - it: fails when both athena and dynamo are set but no order is specified + set: + chartMode: aws + clusterName: "teleport.example.com" + aws: + region: asd + backendTable: asd + sessionRecordingBucket: asd + auditLogTable: my-dynamodb-table + athenaURL: 'athena://db.table?topicArn=arn:aws:sns:region:account_id:topic_name' + asserts: + - failedTemplate: + errorMessage: "Both Dynamo and Athena audit backends are 
enabled. You must specify the primary backend by setting `aws.auditLogPrimaryBackend` to either 'dynamo' or 'athena'." + + - it: uses athena as primary backend when configured + set: + chartMode: aws + clusterName: "teleport.example.com" + aws: + region: asd + backendTable: asd + sessionRecordingBucket: asd + auditLogTable: my-dynamodb-table + athenaURL: 'athena://db.table?topicArn=arn:aws:sns:region:account_id:topic_name' + auditLogPrimaryBackend: "athena" + asserts: + - matchSnapshot: + path: data.teleport\.yaml + + - it: uses dynamo as primary backend when configured + set: + chartMode: aws + clusterName: "teleport.example.com" + aws: + region: asd + backendTable: asd + sessionRecordingBucket: asd + auditLogTable: my-dynamodb-table + athenaURL: 'athena://db.table?topicArn=arn:aws:sns:region:account_id:topic_name' + auditLogPrimaryBackend: "dynamo" + asserts: + - matchSnapshot: + path: data.teleport\.yaml + + - it: uses athena, dynamo, and stdout when everything is on + set: + chartMode: aws + clusterName: "teleport.example.com" + aws: + region: asd + backendTable: asd + sessionRecordingBucket: asd + auditLogTable: my-dynamodb-table + athenaURL: 'athena://db.table?topicArn=arn:aws:sns:region:account_id:topic_name' + auditLogPrimaryBackend: "athena" + auditLogMirrorOnStdout: true + asserts: + - matchSnapshot: + path: data.teleport\.yaml + + - it: keeps the second factor type even when it's "off" + set: + clusterName: helm-lint + authentication: + secondFactor: 'off' + asserts: + - matchSnapshot: + path: data.teleport\.yaml + + - it: fails if access monitoring is enabled without athena + set: + chartMode: aws + clusterName: "teleport.example.com" + aws: + region: asd + backendTable: asd + sessionRecordingBucket: asd + auditLogTable: my-dynamodb-table + accessMonitoring: + enabled: true + asserts: + - failedTemplate: + errorMessage: "AccessMonitoring requires an Athena Event backend" + + - it: configures access monitoring when its values are set + values: + - 
../.lint/aws-access-monitoring.yaml + asserts: + - matchSnapshot: + path: data.teleport\.yaml + + - it: sets extraLabels on Configmap + values: + - ../.lint/annotations.yaml + set: + extraLabels: + config: + foo: bar + baz: override-me + auth: + extraLabels: + config: + baz: overridden + asserts: + - equal: + path: metadata.labels.foo + value: bar + - equal: + path: metadata.labels.baz + value: overridden + + - it: keeps the session_recording type even when it's "off" + set: + clusterName: helm-lint + sessionRecording: 'off' + asserts: + - matchSnapshot: + path: data.teleport\.yaml diff --git a/teleport-cluster/tests/auth_deployment_test.yaml b/teleport-cluster/tests/auth_deployment_test.yaml index 85526d7..6f15854 100644 --- a/teleport-cluster/tests/auth_deployment_test.yaml +++ b/teleport-cluster/tests/auth_deployment_test.yaml @@ -3,7 +3,7 @@ templates: - auth/deployment.yaml - auth/config.yaml tests: - - it: sets Statefulset annotations when specified + - it: sets Deployment annotations when specified template: auth/deployment.yaml values: - ../.lint/annotations.yaml 
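Review bot: The new audit-backend tests cover both valid `aws.auditLogPrimaryBackend` values and the unset case, but not an invalid one; `values.yaml` in this same change documents only `dynamo` and `athena`, so a typo such as `"dynamodb"` should be pinned to a `failedTemplate` rather than left to whatever ordering the template falls back to (I can't see the template from here, so if it does not reject unknown values yet, this test will surface that and the `failedTemplate` can then be tightened with the real `errorMessage`). I'd add the case below next to `fails when both athena and dynamo are set but no order is specified`. Separately, `keeps the second factor type even when it's "off"` and the `session_recording` counterpart rely only on `matchSnapshot`, which a `helm unittest -u` run would silently re-bless; a `matchRegex` on `data.teleport\.yaml` with `pattern: 'second_factor: "off"'` (and `pattern: 'session_recording: "off"'`) pins the behaviour the test name promises.
```yaml
  # … unchanged: existing audit backend tests …
  - it: fails when auditLogPrimaryBackend is not dynamo or athena
    set:
      chartMode: aws
      clusterName: "teleport.example.com"
      aws:
        region: asd
        backendTable: asd
        sessionRecordingBucket: asd
        auditLogTable: my-dynamodb-table
        athenaURL: 'athena://db.table?topicArn=arn:aws:sns:region:account_id:topic_name'
        auditLogPrimaryBackend: "dynamodb"
    asserts:
      - failedTemplate: {}
```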
@@ -126,6 +126,35 @@ tests: - matchSnapshot: path: spec.template.spec + - it: should set podSecurityContext when set in values + template: auth/deployment.yaml + values: + - ../.lint/pod-security-context.yaml + asserts: + - equal: + path: spec.template.spec.securityContext.fsGroup + value: 99 + - equal: + path: spec.template.spec.securityContext.fsGroupChangePolicy + value: OnRootMismatch + - equal: + path: spec.template.spec.securityContext.runAsGroup + value: 99 + - equal: + path: spec.template.spec.securityContext.runAsNonRoot + value: true + - equal: + path: spec.template.spec.securityContext.runAsUser + value: 99 + + - it: should not set podSecurityContext when is empty object (default value) + template: auth/deployment.yaml + values: + - ../.lint/pod-security-context-empty.yaml + asserts: + - isNull: + path: spec.template.spec.securityContext + - it: should set securityContext when set in values template: auth/deployment.yaml values: @@ -828,3 +857,45 @@ tests: - equal: path: spec.template.metadata.labels.azure\.workload\.identity/use value: "true" + + - it: sets extraLabels on Deployment + template: auth/deployment.yaml + values: + - ../.lint/annotations.yaml + set: + extraLabels: + deployment: + foo: bar + baz: override-me + auth: + extraLabels: + deployment: + baz: overridden + asserts: + - equal: + path: metadata.labels.foo + value: bar + - equal: + path: metadata.labels.baz + value: overridden + + - it: sets extraLabels on Deployment Pods + template: auth/deployment.yaml + values: + - ../.lint/annotations.yaml + set: + extraLabels: + pod: + foo: bar + baz: override-me + auth: + extraLabels: + pod: + baz: overridden + asserts: + - equal: + path: spec.template.metadata.labels.foo + value: bar + - equal: + path: spec.template.metadata.labels.baz + value: overridden diff --git a/teleport-cluster/tests/auth_pdb_test.yaml b/teleport-cluster/tests/auth_pdb_test.yaml index 0ef9aad..a424eeb 100644 --- a/teleport-cluster/tests/auth_pdb_test.yaml 
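Review bot: `sets extraLabels on Deployment Pods` only checks that the two user labels land on the pod template; it does not check that a user-supplied key cannot displace a label that `spec.selector.matchLabels` relies on. If the template merges `extraLabels.pod` over the chart's own labels (the merge order is not visible from here), an override of a selector key either makes the API reject the Deployment or, on upgrade, fails on the immutable selector. I'd add to the same test an `- equal:` on `spec.template.metadata.labels.<selector key>` (escaped as in the existing `azure\.workload\.identity/use` assertion) with `extraLabels.pod` deliberately setting that same key to a bogus value, asserting the chart value wins, and mirror it in `proxy_deployment_test.yaml`.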
+++ b/teleport-cluster/tests/auth_pdb_test.yaml @@ -21,3 +21,23 @@ tests: - equal: path: spec.minAvailable value: 2 + + - it: sets extraLabels on PodDisruptionBudget + values: + - ../.lint/pdb.yaml + set: + extraLabels: + podDisruptionBudget: + foo: bar + baz: override-me + auth: + extraLabels: + podDisruptionBudget: + baz: overridden + asserts: + - equal: + path: metadata.labels.foo + value: bar + - equal: + path: metadata.labels.baz + value: overridden diff --git a/teleport-cluster/tests/auth_pvc_test.yaml b/teleport-cluster/tests/auth_pvc_test.yaml index 3fbd87c..2742f22 100644 --- a/teleport-cluster/tests/auth_pvc_test.yaml +++ b/teleport-cluster/tests/auth_pvc_test.yaml @@ -85,3 +85,22 @@ tests: asserts: - hasDocuments: count: 0 + + - it: sets extraLabels on PersistentVolumeClaim + set: + chartMode: standalone + extraLabels: + persistentVolumeClaim: + foo: bar + baz: override-me + auth: + extraLabels: + persistentVolumeClaim: + baz: overridden + asserts: + - equal: + path: metadata.labels.foo + value: bar + - equal: + path: metadata.labels.baz + value: overridden diff --git a/teleport-cluster/tests/auth_serviceaccount_test.yaml b/teleport-cluster/tests/auth_serviceaccount_test.yaml index 532407f..49e2799 100644 --- a/teleport-cluster/tests/auth_serviceaccount_test.yaml +++ b/teleport-cluster/tests/auth_serviceaccount_test.yaml @@ -30,3 +30,23 @@ tests: - equal: path: metadata.annotations.azure\.workload\.identity/client-id value: "1234" + + - it: sets extraLabels on ServiceAccount + values: + - ../.lint/annotations.yaml + set: + extraLabels: + serviceAccount: + foo: bar + baz: override-me + auth: + extraLabels: + serviceAccount: + baz: overridden + asserts: + - equal: + path: metadata.labels.foo + value: bar + - equal: + path: metadata.labels.baz + value: overridden diff --git a/teleport-cluster/tests/ingress_test.yaml b/teleport-cluster/tests/ingress_test.yaml index b750167..c0f7756 100644 --- a/teleport-cluster/tests/ingress_test.yaml 
+++ b/teleport-cluster/tests/ingress_test.yaml @@ -536,3 +536,23 @@ tests: value: helm-lint-tls-secret - matchSnapshot: path: spec.tls + + - it: sets extraLabels on Ingress + values: + - ../.lint/ingress.yaml + set: + extraLabels: + ingress: + foo: bar + baz: override-me + proxy: + extraLabels: + ingress: + baz: overridden + asserts: + - equal: + path: metadata.labels.foo + value: bar + - equal: + path: metadata.labels.baz + value: overridden diff --git a/teleport-cluster/tests/predeploy_test.yaml b/teleport-cluster/tests/predeploy_test.yaml index fb32cfa..50a1bdb 100644 --- a/teleport-cluster/tests/predeploy_test.yaml +++ b/teleport-cluster/tests/predeploy_test.yaml 
@@ -109,3 +109,82 @@ tests: value: myRegistryKeySecretName - matchSnapshot: path: spec.template.spec.imagePullSecrets + + - it: should set extraLabels on auth predeploy job when set in values + template: auth/predeploy_job.yaml + set: + clusterName: helm-lint + extraLabels: + job: + foo: bar + baz: override-me + auth: + extraLabels: + job: + baz: overridden + asserts: + - equal: + path: metadata.labels.foo + value: bar + - equal: + path: metadata.labels.baz + value: overridden + + - it: should set extraLabels on auth predeploy config when set in values + template: auth/predeploy_config.yaml + set: + clusterName: helm-lint + extraLabels: + config: + foo: bar + baz: override-me + auth: + extraLabels: + config: + baz: overridden + asserts: + - equal: + path: metadata.labels.foo + value: bar + - equal: + path: metadata.labels.baz + value: overridden + - it: should set extraLabels on proxy predeploy job when set in values + template: proxy/predeploy_job.yaml + set: + clusterName: helm-lint + extraLabels: + job: + foo: bar + baz: override-me + proxy: + extraLabels: + job: + baz: overridden + asserts: + - equal: + path: metadata.labels.foo + value: bar + - equal: + path: metadata.labels.baz + value: overridden + + - it: should set extraLabels on proxy predeploy config when set in values + template: proxy/predeploy_config.yaml + set: + clusterName: helm-lint + extraLabels: + config: + foo: bar + baz: override-me + proxy: + extraLabels: + config: + baz: overridden + asserts: + - equal: + path: metadata.labels.foo + value: bar + - equal: + path: metadata.labels.baz + value: overridden diff --git a/teleport-cluster/tests/proxy_certificate_test.yaml b/teleport-cluster/tests/proxy_certificate_test.yaml index 3d50476..0d54f2f 100644 --- a/teleport-cluster/tests/proxy_certificate_test.yaml +++ b/teleport-cluster/tests/proxy_certificate_test.yaml 
@@ -192,3 +192,23 @@ tests: - notEqual: path: spec.dnsNames[4] value: "teleport.test.com" + + - it: sets extraLabels on Certificate Secret + values: + - ../.lint/cert-manager.yaml + set: + extraLabels: + certSecret: + foo: bar + baz: override-me + proxy: + extraLabels: + certSecret: + baz: overridden + asserts: + - equal: + path: spec.secretTemplate.labels.foo + value: bar + - equal: + path: spec.secretTemplate.labels.baz + value: overridden diff --git a/teleport-cluster/tests/proxy_config_test.yaml b/teleport-cluster/tests/proxy_config_test.yaml index 02bc186..eda7660 100644 --- a/teleport-cluster/tests/proxy_config_test.yaml +++ b/teleport-cluster/tests/proxy_config_test.yaml @@ -256,3 +256,23 @@ tests: - notMatchRegex: path: data.teleport\.yaml pattern: 'proxy_protocol:' + + - it: sets extraLabels on Configmap + values: + - ../.lint/annotations.yaml + set: + extraLabels: + config: + foo: bar + baz: override-me + proxy: + extraLabels: + config: + baz: overridden + asserts: + - equal: + path: metadata.labels.foo + value: bar + - equal: + path: metadata.labels.baz + value: overridden diff --git a/teleport-cluster/tests/proxy_deployment_test.yaml b/teleport-cluster/tests/proxy_deployment_test.yaml index 2d6dda9..486bc87 100644 --- a/teleport-cluster/tests/proxy_deployment_test.yaml +++ b/teleport-cluster/tests/proxy_deployment_test.yaml 
@@ -164,6 +164,35 @@ tests: - matchSnapshot: path: spec.template.spec + - it: should set podSecurityContext when set in values + template: proxy/deployment.yaml + values: + - ../.lint/pod-security-context.yaml + asserts: + - equal: + path: spec.template.spec.securityContext.fsGroup + value: 99 + - equal: + path: spec.template.spec.securityContext.fsGroupChangePolicy + value: OnRootMismatch + - equal: + path: spec.template.spec.securityContext.runAsGroup + value: 99 + - equal: + path: spec.template.spec.securityContext.runAsNonRoot + value: true + - equal: + path: spec.template.spec.securityContext.runAsUser + value: 99 + + - it: should not set podSecurityContext when is empty object (default value) + template: proxy/deployment.yaml + values: + - ../.lint/pod-security-context-empty.yaml + asserts: + - isNull: + path: spec.template.spec.securityContext + - it: should set securityContext when set in values template: proxy/deployment.yaml values: @@ -224,6 +253,25 @@ tests: - matchSnapshot: path: spec.template.spec + - it: should set resources for wait-auth-update initContainer when set in values + template: proxy/deployment.yaml + values: + - ../.lint/resources.yaml + asserts: + - equal: + path: spec.template.spec.initContainers[0].resources.requests.cpu + value: 0.1 + - equal: + path: spec.template.spec.initContainers[0].resources.requests.memory + value: 256Mi + - equal: + path: spec.template.spec.initContainers[0].resources.limits.cpu + value: 1 + - equal: + path: spec.template.spec.initContainers[0].resources.limits.memory + value: 512Mi + - matchSnapshot: + path: spec.template.spec - it: should not set securityContext for initContainers when is empty object (default value) template: proxy/deployment.yaml 
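Review bot: `should set resources for wait-auth-update initContainer when set in values` has no negative counterpart, unlike the securityContext pair right below it (`should not set securityContext for initContainers when is empty object (default value)`). Without it nothing pins that the init container renders with no `resources` block when the value is left at its default, which is what most installs hit, so a regression that applied the main container's `resources` to the init container would pass this suite. I'd add `- it: should not set resources for wait-auth-update initContainer when unset` with `- isNull:` on `spec.template.spec.initContainers[0].resources` (or `isEmpty`, whichever the sibling test uses). The test name and the shared fixture `../.lint/resources.yaml` also don't say which values key feeds the init container; a one-line comment naming it would help the next reader.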
@@ -939,3 +987,45 @@ tests: mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: proxy-serviceaccount-token readOnly: true + + - it: sets extraLabels on Deployment + template: proxy/deployment.yaml + values: + - ../.lint/annotations.yaml + set: + extraLabels: + deployment: + foo: bar + baz: override-me + proxy: + extraLabels: + deployment: + baz: overridden + asserts: + - equal: + path: metadata.labels.foo + value: bar + - equal: + path: metadata.labels.baz + value: overridden + + - it: sets extraLabels on Deployment Pods + template: proxy/deployment.yaml + values: + - ../.lint/annotations.yaml + set: + extraLabels: + pod: + foo: bar + baz: override-me + proxy: + extraLabels: + pod: + baz: overridden + asserts: + - equal: + path: spec.template.metadata.labels.foo + value: bar + - equal: + path: spec.template.metadata.labels.baz + value: overridden diff --git a/teleport-cluster/tests/proxy_pdb_test.yaml b/teleport-cluster/tests/proxy_pdb_test.yaml index 851a0a7..e324504 100644 --- a/teleport-cluster/tests/proxy_pdb_test.yaml +++ b/teleport-cluster/tests/proxy_pdb_test.yaml @@ -21,3 +21,23 @@ tests: - equal: path: spec.minAvailable value: 2 + + - it: sets extraLabels on PodDisruptionBudget + values: + - ../.lint/pdb.yaml + set: + extraLabels: + podDisruptionBudget: + foo: bar + baz: override-me + proxy: + extraLabels: + podDisruptionBudget: + baz: overridden + asserts: + - equal: + path: metadata.labels.foo + value: bar + - equal: + path: metadata.labels.baz + value: overridden diff --git a/teleport-cluster/tests/proxy_service_test.yaml b/teleport-cluster/tests/proxy_service_test.yaml index 29ed547..2ef67c7 100644 --- a/teleport-cluster/tests/proxy_service_test.yaml +++ b/teleport-cluster/tests/proxy_service_test.yaml 
@@ -379,3 +379,23 @@ tests: asserts: - matchSnapshot: path: spec.ports + + - it: sets extraLabels on Service + values: + - ../.lint/annotations.yaml + set: + extraLabels: + service: + foo: bar + baz: override-me + proxy: + extraLabels: + service: + baz: overridden + asserts: + - equal: + path: metadata.labels.foo + value: bar + - equal: + path: metadata.labels.baz + value: overridden diff --git a/teleport-cluster/tests/proxy_serviceaccount_test.yaml b/teleport-cluster/tests/proxy_serviceaccount_test.yaml index 14ec87f..70198bd 100644 --- a/teleport-cluster/tests/proxy_serviceaccount_test.yaml +++ b/teleport-cluster/tests/proxy_serviceaccount_test.yaml @@ -20,3 +20,23 @@ tests: - equal: path: metadata.name value: "helm-lint-proxy" + + - it: sets extraLabels on ServiceAccount + values: + - ../.lint/annotations.yaml + set: + extraLabels: + serviceAccount: + foo: bar + baz: override-me + proxy: + extraLabels: + serviceAccount: + baz: overridden + asserts: + - equal: + path: metadata.labels.foo + value: bar + - equal: + path: metadata.labels.baz + value: overridden diff --git a/teleport-cluster/values.schema.json b/teleport-cluster/values.schema.json index 675f9b5..657ae94 100644 --- a/teleport-cluster/values.schema.json +++ b/teleport-cluster/values.schema.json @@ -943,6 +943,11 @@ "type": "object", "default": {} }, + "podSecurityContext": { + "$id": "#/properties/podSecurityContext", + "type": "object", + "default": {} + }, "securityContext": { "$id": "#/properties/securityContext", "type": "object", diff --git a/teleport-cluster/values.yaml b/teleport-cluster/values.yaml index e0d234f..9779193 100644 --- a/teleport-cluster/values.yaml +++ b/teleport-cluster/values.yaml 
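Review bot: `values.schema.json` gains `podSecurityContext`, but in the visible hunks nothing is added for the other new values (`extraLabels`, `aws.athenaURL`, `aws.auditLogPrimaryBackend`, `aws.accessMonitoring`); if those entries live elsewhere in this diff, ignore this, otherwise the schema is the right place to reject typos before templating. In particular `aws.auditLogPrimaryBackend` has a closed set of values, so `"enum": ["", "dynamo", "athena"]` would make a misspelled value fail at `helm install`/`helm upgrade` instead of leaving the audit query path to whatever the template falls back to. Passing `podSecurityContext` through as an opaque `"type": "object"` is the usual Helm convention and fine as is.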
@@ -276,7 +276,10 @@ operator: podSecurityPolicy: enabled: true -# Labels is a map of key-value pairs about this cluster +# Labels is a map of key-value pairs about this cluster. Those labels are used +# in Teleport to access the Kuebrnetes cluster. They must not be confused with +# `extraLabels` which are additional labels to add on Kubernetes resources +# created by the Helm chart. labels: {} # Mode to deploy the chart in. The default is "standalone". Options: 
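Review bot: The new comment on `labels` has a typo (`Kuebrnetes`) and is still ambiguous about what these labels are, given that `extraLabels` in the same file is about Kubernetes objects. From the rendered auth config these are Teleport-side labels on the Kubernetes cluster the auth pod registers through `kubernetes_service`, and, as the comment already hints, they are what Teleport access rules match on rather than anything the Kubernetes API sees. Suggested wording: `# Labels attached to the Kubernetes cluster that this chart registers in Teleport.` / `# Teleport RBAC matches on these labels to grant access to the cluster; they are not` / `# Kubernetes labels. For labels on the chart's Kubernetes resources, see extraLabels.`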
@@ -348,9 +351,34 @@ aws: # The DynamoDB table name to use for audit log storage. Teleport will attempt to create this table automatically if it does not exist. # The container will need an appropriately-provisioned IAM role with permissions to create DynamoDB tables. # This MUST NOT be the same table name as used for 'backendTable' as the schemas are different. + # + # If you are using the Athena backend, you don't need to set this value. + # If you set this value, audit logs will be sent both to the Athena and DynamoDB + # backends, this is useful when migrating backends. + # If both `aws.athenaURL` and `aws.auditLogTable` (DynamoDB) are set, the + # `aws.auditLogPrimaryBackend` value configures which backend is used for querying. + # Teleport queries the audit backend to display the audit log in the web UI, export events + # using the audit log collector, or perform any action that needs to inspect past audit events. auditLogTable: "" # Whether to mirror audit log entries to stdout in JSON format (useful for external log collectors) auditLogMirrorOnStdout: false + # auditLogPrimaryBackend controls which backend is used for queries when multiple + # audit backends are enabled. This setting has no effect when a single audit + # log backend is enabled.This setting is used when migrating from DynamoDB to + # Athena. + # + # Possible values are `dynamo` and `athena`. + auditLogPrimaryBackend: "" + # athenaURL contains the Athena audit log backend configuration + # When this value is set, Teleport will export events to the Athena audit backend. + # + # To use the Athena audit backend, you must set up the required infrastructure + # (S3 buckets, SQS queue, AthenaDB, IAM roles and permissions, ...). 
+ # The requirements are described in the documentation: https://goteleport.com/docs/reference/backends/#athena + # + # If both `aws.athenaURL` and `aws.auditLogTable` (DynamoDB) are set, the + # `aws.auditLogPrimaryBackend` value configures which backend is used for querying. + athenaURL: "" # The S3 bucket name to use for recorded session storage. Teleport will attempt to create this bucket automatically if it does not exist. # The container will need an appropriately-provisioned IAM role with permissions to create S3 buckets. sessionRecordingBucket: "" @@ -358,6 +386,10 @@ aws: backups: false # Whether Teleport should configure DynamoDB's autoscaling. + # + # WARNING: DynamoDB autoscaling is no longer recommended. Teleport now + # defaults to "on demand" DynamoDB billing, which has more reliable performance. + # # Requires additional statements in the IAM Teleport Policy to be allowed to configure the autoscaling. # See https://goteleport.com/docs/setup/reference/backends/#dynamodb-autoscaling dynamoAutoScaling: false @@ -371,6 +403,20 @@ aws: writeMaxCapacity: null # Integer writeTargetValue: null # Float + # accessMonitoring configures the Access Monitoring feature of the Auth Service. + # Using this features requires setting up specific AWS infrastructure as described + # in https://goteleport.com/docs/access-controls/access-monitoring/#configuration + # The Terraform example code will output the chart values for this section. + accessMonitoring: + enabled: false + # reportResults is the bucket uri where query results are reported. + # Example: "s3://example-athena-long-term/report_results" + reportResults: "" + # roleARN is the ARN of the role that is assumed to run the reports. + roleARN: "" + # workgroup is the Athena workgroup in which Teleport runs queries. + workgroup: "" + ################################################## # GCP-specific settings (only used in "gcp" mode) ################################################## 
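Review bot: The comment on `auditLogPrimaryBackend` says it `has no effect when a single audit log backend is enabled`, but not that the value is mandatory once both backends are set; the test `fails when both athena and dynamo are set but no order is specified` in this same change makes the chart refuse to render in that case, which is exactly what an operator migrating from DynamoDB to Athena will trip over. I'd add `# Required when both aws.auditLogTable and aws.athenaURL are set: the chart fails to render otherwise.` and fix the missing space in `enabled.This`. It is also worth one line on the consequence of the choice, since per the surrounding comments the non-primary backend still receives every event but the web UI and event export read only from the primary, so a lagging or misconfigured primary is what users will see.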
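Review bot: `accessMonitoring.roleARN` is documented as `the ARN of the role that is assumed to run the reports`, but not who assumes it; presumably it is the Auth Service's own AWS identity (the IAM role attached to the auth pods), which then needs `sts:AssumeRole` on this role, and the role's trust policy should be scoped to that principal rather than the whole account, otherwise the report role is an easy pivot for anything else in the account. The section also omits that `aws.athenaURL` is a prerequisite, even though `fails if access monitoring is enabled without athena` in this change makes the chart refuse to render without it. Suggested lines: `# Requires aws.athenaURL to be set; the chart fails to render otherwise.` under `enabled`, and `# roleARN is assumed by the Auth Service's AWS identity (sts:AssumeRole); scope its trust policy to that principal.` in place of the current `roleARN` comment.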
@@ -573,6 +619,44 @@ annotations: # Annotations for the Ingress object ingress: {} +# extraLabels -- contains additional Kubernetes labels to apply on the resources +# created by the chart. +# See [the Kubernetes label documentation +# ](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) +# for more information. +# +# Note: for PodMonitor labels, see `podMonitor.additionalLabels` instead. +extraLabels: + # extraLabels.certSecret(object) -- are labels to set on the certificate secret + # generated by cert-manager v1.5+ when `highAvailability.certManager.enabled` + # is true. + certSecret: {} + # extraLabels.clusterRole(object) -- are labels to set on the ClusterRole. + clusterRole: {} + # extraLabels.clusterRoleBinding(object) -- are labels to set on the ClusterRoleBinding. + clusterRoleBinding: {} + # extraLabels.role(object) -- are labels to set on the Role. + config: {} + # extraLabels.deployment(object) -- are labels to set on the Deployment. + deployment: {} + # extraLabels.ingress(object) -- are labels to set on the Ingress. + ingress: {} + # extraLabels.job(object) -- are labels to set on the Job run by the Helm hook. + job: {} + # extraLabels.persistentVolumeClaim(object) -- are labels to set on the PersistentVolumeClaim. + persistentVolumeClaim: {} + # extraLabels.pod(object) -- are labels to set on the Pods created by the + # Deployment. + pod: {} + # extraLabels.podDisruptionBudget(object) -- are labels to set on the podDisruptionBudget. + podDisruptionBudget: {} + # extraLabels.secret(object) -- are labels to set on the Secret. + secret: {} + # extraLabels.service(object) -- are labels to set on the Service. + service: {} + # extraLabels.serviceAccount(object) -- are labels to set on the ServiceAccount. + serviceAccount: {} + # Kubernetes service account to create/use. serviceAccount: # Specifies whether a ServiceAccount should be created 
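Review bot: The comment above `config: {}` reads `extraLabels.role(object) -- are labels to set on the Role.`, which is a copy-paste slip: the key is `config` and, from the tests in this change, it is applied to the auth and proxy ConfigMaps including the predeploy ones, not to a Role. Suggested: `# extraLabels.config(object) -- are labels to set on the ConfigMaps (auth, proxy and predeploy).` Likewise `secret: {}` says `labels to set on the Secret` without saying which Secret; naming it, or pointing at `certSecret` for the cert-manager case, avoids confusion, and since the `key(type) --` format looks like helm-docs input, the wrong key name would also end up in the generated README.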
@@ -676,6 +760,10 @@ resources: {} # limits: # memory: "2Gi" +# Pod security context for any pods created by the chart +podSecurityContext: {} + # fsGroup: 65532 + # Security context to add to the container securityContext: {} # runAsUser: 99
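Review bot: With the new `podSecurityContext: {}` default and the existing `securityContext: {}` default just below it, the chart enforces no `runAsNonRoot`, `runAsUser` or `seccompProfile` of its own; the pods run as whatever USER the image declares, which is presumably non-root for the distroless image but worth stating so operators under a restricted Pod Security Standard know what they must add. The examples are also inconsistent: `# fsGroup: 65532` here versus `# runAsUser: 99` for the container, and the `.lint/pod-security-context.yaml` fixture exercised by the new tests uses 99 throughout; if 65532 is the image's nonroot uid, the pod-level example should use it consistently. I'd expand the comment to: `# Pod-level security context for every pod created by the chart. Left empty, the chart` / `# sets no runAsNonRoot/seccompProfile and relies on the image's USER; a restricted-PSS` / `# baseline is runAsNonRoot: true, runAsUser/fsGroup: 65532, seccompProfile.type: RuntimeDefault.`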