Update teleport

This commit is contained in:
Jonny Ervine 2025-05-13 22:48:36 +08:00
parent 7429da7f22
commit e2b5bb1376
25 changed files with 1367 additions and 125 deletions


@ -0,0 +1,4 @@
clusterName: helm-lint
authentication:
secondFactors:
- sso


@ -0,0 +1,10 @@
clusterName: helm-lint
authentication:
secondFactors:
- sso
- webauthn
webauthn:
attestationAllowedCas:
- "/etc/ssl/certs/ca-certificates.crt"
attestationDeniedCas:
- "/etc/ssl/certs/ca-certificates.crt"


@ -1,13 +1,13 @@
apiVersion: v2
appVersion: 17.2.7
appVersion: 17.4.9
dependencies:
- alias: operator
name: teleport-operator
repository: ""
version: 17.2.7
version: 17.4.9
description: Teleport is an access platform for your infrastructure
icon: https://goteleport.com/static/teleport-symbol-bimi.svg
keywords:
- Teleport
name: teleport-cluster
version: 17.2.7
version: 17.4.9


@ -1,8 +1,8 @@
apiVersion: v2
appVersion: 17.2.7
appVersion: 17.4.9
description: Teleport Operator provides management of select Teleport resources.
icon: https://goteleport.com/static/teleport-symbol-bimi.svg
keywords:
- Teleport
name: teleport-operator
version: 17.2.7
version: 17.4.9


@ -0,0 +1,146 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
creationTimestamp: null
name: teleportbotsv1.resources.teleport.dev
spec:
group: resources.teleport.dev
names:
kind: TeleportBotV1
listKind: TeleportBotV1List
plural: teleportbotsv1
shortNames:
- botv1
- botsv1
singular: teleportbotv1
scope: Namespaced
versions:
- name: v1
schema:
openAPIV3Schema:
description: BotV1 is the Schema for the botsv1 API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Bot resource definition v1 from Teleport
properties:
max_session_ttl:
description: The max session TTL value for the bot's internal role.
Unless specified, bots may not request a value beyond the default
maximum TTL of 12 hours. This value may not be larger than 7 days
(168 hours).
format: duration
type: string
roles:
description: The roles that the bot should be able to impersonate.
items:
type: string
nullable: true
type: array
traits:
description: The traits that will be associated with the bot for the
purposes of role templating. Where multiple specified with the
same name, these will be merged by the server.
items:
properties:
name:
description: The name of the trait. This is what allows the
trait to be queried in role templates.
type: string
values:
description: The values associated with the named trait.
items:
type: string
nullable: true
type: array
type: object
nullable: true
type: array
type: object
status:
description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations
of an object's state
items:
description: Condition contains details for one aspect of the current
state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
teleportResourceID:
format: int64
type: integer
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null


@ -295,6 +295,12 @@ spec:
will default to `gitlab.com` - but can be set to the domain
of your self-hosted GitLab e.g `gitlab.example.com`.
type: string
static_jwks:
description: StaticJWKS disables fetching of the GitLab signing
keys via the JWKS/OIDC endpoints, and allows them to be directly
specified. This allows joining from GitLab CI instances that
are not reachable by the Teleport Auth Service.
type: string
type: object
join_method:
description: 'JoinMethod is the joining method required in order to
@ -330,6 +336,32 @@ spec:
- `in_cluster` - `static_jwks` If unset, this defaults to `in_cluster`.'
type: string
type: object
oracle:
description: Oracle allows the configuration of options specific to
the "oracle" join method.
nullable: true
properties:
allow:
description: Allow is a list of Rules, nodes using this token
must match one allow rule to use this token.
items:
properties:
parent_compartments:
items:
type: string
nullable: true
type: array
regions:
items:
type: string
nullable: true
type: array
tenancy:
type: string
type: object
nullable: true
type: array
type: object
roles:
description: Roles is a list of roles associated with the token, that
will be converted to metadata in the SSH and X509 certificates issued


@ -1376,7 +1376,7 @@ spec:
type: string
type: object
request_access:
description: RequestAccess defines the request strategy (optional|note|always)
description: RequestAccess defines the request strategy (optional|reason|always)
where optional is the default.
type: string
request_prompt:
@ -2849,7 +2849,7 @@ spec:
type: string
type: object
request_access:
description: RequestAccess defines the request strategy (optional|note|always)
description: RequestAccess defines the request strategy (optional|reason|always)
where optional is the default.
type: string
request_prompt:


@ -1379,7 +1379,7 @@ spec:
type: string
type: object
request_access:
description: RequestAccess defines the request strategy (optional|note|always)
description: RequestAccess defines the request strategy (optional|reason|always)
where optional is the default.
type: string
request_prompt:


@ -1379,7 +1379,7 @@ spec:
type: string
type: object
request_access:
description: RequestAccess defines the request strategy (optional|note|always)
description: RequestAccess defines the request strategy (optional|reason|always)
where optional is the default.
type: string
request_prompt:


@ -0,0 +1,273 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
creationTimestamp: null
name: teleportworkloadidentitiesv1.resources.teleport.dev
spec:
group: resources.teleport.dev
names:
kind: TeleportWorkloadIdentityV1
listKind: TeleportWorkloadIdentityV1List
plural: teleportworkloadidentitiesv1
shortNames:
- workloadidentityv1
- workloadidentitiesv1
singular: teleportworkloadidentityv1
scope: Namespaced
versions:
- name: v1
schema:
openAPIV3Schema:
description: WorkloadIdentityV1 is the Schema for the workloadidentitiesv1
API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: WorkloadIdentity resource definition v1 from Teleport
properties:
rules:
description: The rules which are evaluated before the WorkloadIdentity
can be issued.
nullable: true
properties:
allow:
description: A list of rules used to determine if a WorkloadIdentity
can be issued. If none are provided, it will be considered a
pass. If any are provided, then at least one must pass for the
rules to be considered passed.
items:
properties:
conditions:
description: The conditions that must be met for this rule
to be considered passed. Mutually exclusive with expression.
items:
properties:
attribute:
description: The name of the attribute to evaluate
the condition against.
type: string
eq:
description: The attribute casted to a string must
be equal to the value.
nullable: true
properties:
value:
description: The value to compare the attribute
against.
type: string
type: object
in:
description: The attribute casted to a string must
be in the list of values.
nullable: true
properties:
values:
description: The list of values to compare the
attribute against.
items:
type: string
nullable: true
type: array
type: object
not_eq:
description: The attribute casted to a string must
not be equal to the value.
nullable: true
properties:
value:
description: The value to compare the attribute
against.
type: string
type: object
not_in:
description: The attribute casted to a string must
not be in the list of values.
nullable: true
properties:
values:
description: The list of values to compare the
attribute against.
items:
type: string
nullable: true
type: array
type: object
type: object
nullable: true
type: array
expression:
description: An expression written in Teleport's predicate
language that must evaluate to true for this rule to be
considered passed. Mutually exclusive with conditions.
type: string
type: object
nullable: true
type: array
type: object
spiffe:
description: Configuration pertaining to the issuance of SPIFFE-compatible
workload identity credentials.
nullable: true
properties:
hint:
description: A freeform text field which is provided to workloads
along with a credential produced by this WorkloadIdentity. This
can be used to provide additional context that can be used to
select between multiple credentials.
type: string
id:
description: The path of the SPIFFE ID that will be issued to
the workload. This should be prefixed with a forward-slash
("/"). This field supports templating using attributes.
type: string
jwt:
description: Configuration specific to JWT-SVIDs.
nullable: true
properties:
extra_claims:
additionalProperties: true
description: Additional claims that will be added to the JWT.
nullable: true
type: object
maximum_ttl:
description: Control the maximum TTL of JWT-SVIDs issued using
this WorkloadIdentity. If a JWT-SVID is requested with
a TTL greater than this value, then the returned JWT-SVID
will have a TTL of this value. Defaults to 24 hours. The
maximum this value can be set to is 24 hours.
format: duration
type: string
type: object
x509:
description: Configuration specific to X509-SVIDs.
nullable: true
properties:
dns_sans:
description: The DNS Subject Alternative Names (SANs) that
should be included in an X509-SVID issued using this WorkloadIdentity. Each
entry in this list supports templating using attributes.
items:
type: string
nullable: true
type: array
maximum_ttl:
description: Control the maximum TTL of X509-SVIDs issued
using this WorkloadIdentity. If a X509-SVID is requested
with a TTL greater than this value, then the returned X509-SVID
will have a TTL of this value. Defaults to 24 hours. The
maximum this value can be set to is 14 days.
format: duration
type: string
subject_template:
description: Used to configure the Subject Distinguished Name
(DN) of the X509-SVID. In most circumstances, it is recommended
to prefer relying on the SPIFFE ID encoded in the URI SAN.
However, the Subject DN may be needed to support legacy
systems designed for X509 and not SPIFFE/WIMSE. If not
provided, the X509-SVID will be issued with an empty Subject
DN.
nullable: true
properties:
common_name:
description: Common Name (CN) - 2.5.4.3 If empty, the
RDN will be omitted from the DN.
type: string
organization:
description: Organization (O) - 2.5.4.10 If empty, the
RDN will be omitted from the DN.
type: string
organizational_unit:
description: Organizational Unit (OU) - 2.5.4.11 If empty,
the RDN will be omitted from the DN.
type: string
type: object
type: object
type: object
type: object
status:
description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations
of an object's state
items:
description: Condition contains details for one aspect of the current
state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
teleportResourceID:
format: int64
type: integer
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null


@ -38,6 +38,10 @@ rules:
- teleportopenssheiceserversv2/status
- teleporttrustedclustersv2
- teleporttrustedclustersv2/status
- teleportbotsv1
- teleportbotsv1/status
- teleportworkloadidentitiesv1
- teleportworkloadidentitiesv1/status
verbs:
- get
- list


@ -36,20 +36,33 @@ auth_service:
{{- if $authentication.lockingMode }}
locking_mode: "{{ $authentication.lockingMode }}"
{{- end }}
{{- $hasWebauthnMFA := false }}
{{/* secondFactor takes precedence for backward compatibility, but new chart releases
should have second_factor unset and privilege second_factors instead.
Sadly, it is not possible to do a conversion between second_factor and second_factors
because of the "off" value. */}}
{{- if $authentication.secondFactor }}
second_factor: "{{ $authentication.secondFactor }}"
{{- if not (or (eq $authentication.secondFactor "off") (eq $authentication.secondFactor "otp")) }}
second_factor: {{ $authentication.secondFactor | squote }}
{{- if has $authentication.secondFactor (list "webauthn" "on" "optional") }}
{{- $hasWebauthnMFA = true }}
{{- end }}
{{- else }}
second_factors: {{- toYaml $authentication.secondFactors | nindent 6 }}
{{- if has "webauthn" $authentication.secondFactors }}
{{- $hasWebauthnMFA = true }}
{{- end }}
{{- end }}
{{- if $hasWebauthnMFA }}
webauthn:
rp_id: {{ required "clusterName is required in chart values" .Values.clusterName }}
{{- if $authentication.webauthn }}
{{- if $authentication.webauthn.attestationAllowedCas }}
{{- if $authentication.webauthn }}
{{- if $authentication.webauthn.attestationAllowedCas }}
attestation_allowed_cas: {{- toYaml $authentication.webauthn.attestationAllowedCas | nindent 12 }}
{{- end }}
{{- if $authentication.webauthn.attestationDeniedCas }}
{{- end }}
{{- if $authentication.webauthn.attestationDeniedCas }}
attestation_denied_cas: {{- toYaml $authentication.webauthn.attestationDeniedCas | nindent 12 }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.sessionRecording }}
session_recording: {{ .Values.sessionRecording | squote }}
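Review bot: `second_factors: {{- toYaml $authentication.secondFactors | nindent 6 }}` in the `else` branch is emitted unconditionally, so when neither `secondFactor` nor `secondFactors` is set the rendered config carries `second_factors: null` instead of leaving Teleport's own default in place; unless values.yaml guarantees a non-empty default (not visible here), guard it with `{{- if $authentication.secondFactors }}` or fail early with `{{- fail "authentication.secondFactor or authentication.secondFactors must be set" }}`. The precedence rule in the new template comment also has a consequence the comment does not state: a leftover `secondFactor: "off"` in an existing values file silently discards a `secondFactors: [webauthn]` setting, which the new `when both secondFactor and secondFactors are set` snapshot on this page pins as rendering `second_factor: "off"`. Extending the comment with `Note: any non-empty secondFactor overrides secondFactors entirely, so a legacy "off" disables MFA even when secondFactors lists webauthn.` and repeating that in the values documentation would make the quiet MFA downgrade visible to operators upgrading the chart. The enclosing `auth_service:` block starts and ends outside the hunk.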


@ -139,6 +139,22 @@ data:
- read
- update
- delete
- resources:
- bot
verbs:
- list
- create
- read
- update
- delete
- resources:
- workload_identity
verbs:
- list
- create
- read
- update
- delete
deny: {}
version: v7
---
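Review bot: The operator's Teleport role now gets list/create/read/update/delete on `bot` and `workload_identity`, and the new TeleportBotV1 CRD on this page lets a bot name `roles` it may impersonate, so from this commit on, Kubernetes write access to `teleportbotsv1` / `teleportworkloadidentitiesv1` objects in a namespace the operator watches is effectively the ability to mint bot and workload credentials with whatever this role is allowed to create. That trust boundary is not called out anywhere in the template; a template comment above the two new entries, e.g. `{{/* bot/workload_identity: Kubernetes RBAC on the matching CRDs is the only gate on who can create these through the operator */}}`, would document it for chart maintainers without changing the rendered ConfigMap or the snapshots. Whether Teleport additionally restricts which roles the operator may assign to a bot is not visible here. The `allow:` rules list this hunk extends starts outside the hunk.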


@ -1,6 +1,7 @@
{{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}}
{{- $replicated := gt (int $auth.highAvailability.replicaCount) 1 -}}
{{- $projectedServiceAccountToken := semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
{{- $topologySpreadConstraints := and (semverCompare ">=1.18.0-0" .Capabilities.KubeVersion.Version) (not $auth.disableTopologySpreadConstraints) }}
apiVersion: apps/v1
kind: Deployment
metadata:
@ -55,6 +56,23 @@ spec:
spec:
{{- if $auth.nodeSelector }}
nodeSelector: {{- toYaml $auth.nodeSelector | nindent 8 }}
{{- end }}
{{- if $topologySpreadConstraints }}
{{- if $auth.topologySpreadConstraints }}
topologySpreadConstraints: {{- toYaml $auth.topologySpreadConstraints | nindent 8 }}
{{- else }}
topologySpreadConstraints:
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: ScheduleAnyway
labelSelector:
matchLabels: {{- include "teleport-cluster.auth.selectorLabels" . | nindent 14 }}
- maxSkew: 1
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: ScheduleAnyway
labelSelector:
matchLabels: {{- include "teleport-cluster.auth.selectorLabels" . | nindent 14 }}
{{- end }}
{{- end }}
affinity:
{{- if $auth.affinity }}
@ -177,15 +195,16 @@ spec:
initialDelaySeconds: 5 # wait 5s for agent to start
periodSeconds: 5 # poll health every 5s
failureThreshold: 6 # consider agent unhealthy after 30s (6 * 5s)
timeoutSeconds: {{ .Values.probeTimeoutSeconds }}
timeoutSeconds: {{ $auth.probeTimeoutSeconds }}
readinessProbe:
httpGet:
path: /readyz
port: diag
initialDelaySeconds: 5 # wait 5s for agent to register
periodSeconds: 5 # poll health every 5s
failureThreshold: 12 # consider agent unhealthy after 60s (12 * 5s)
timeoutSeconds: {{ .Values.probeTimeoutSeconds }}
initialDelaySeconds: {{ $auth.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ $auth.readinessProbe.periodSeconds }}
failureThreshold: {{$auth.readinessProbe.failureThreshold}}
successThreshold: {{$auth.readinessProbe.successThreshold}}
timeoutSeconds: {{ $auth.probeTimeoutSeconds }}
lifecycle:
# waiting during preStop ensures no new request will hit the Terminating pod
# on clusters using kube-proxy (kube-proxy syncs the node iptables rules every 30s)
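Review bot: The four new readiness-probe interpolations are written two ways within one stanza — `{{ $auth.readinessProbe.initialDelaySeconds }}` with spaces but `{{$auth.readinessProbe.failureThreshold}}` and `{{$auth.readinessProbe.successThreshold}}` without; the proxy deployment hunk has the same two unspaced `failureThreshold`/`successThreshold` lines, and the surrounding template uses spaced actions everywhere else, so `failureThreshold: {{ $auth.readinessProbe.failureThreshold }}` and `successThreshold: {{ $auth.readinessProbe.successThreshold }}` (and the `$proxy` equivalents) would match. The removed inline comments (`# wait 5s for agent to register`, `# consider agent unhealthy after 60s (12 * 5s)`) carried the tuning rationale, and the liveness probe directly above still has its hard-coded numbers and comments, so a one-line comment such as `# readiness timing is tunable via readinessProbe.* in values; liveness timing is intentionally fixed` above `readinessProbe:` would keep that context for the next reader (whether the asymmetry is intentional is an inference). The container spec continues outside the hunk.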


@ -1,6 +1,7 @@
{{- $proxy := mustMergeOverwrite (mustDeepCopy .Values) .Values.proxy -}}
{{- $replicable := or $proxy.highAvailability.certManager.enabled $proxy.tls.existingSecretName $proxy.ingress.enabled -}}
{{- $projectedServiceAccountToken := semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
{{- $topologySpreadConstraints := and (semverCompare ">=1.18.0-0" .Capabilities.KubeVersion.Version) (not $proxy.disableTopologySpreadConstraints) }}
# Deployment is {{ if not $replicable }}not {{end}}replicable
{{- if and $proxy.highAvailability.certManager.enabled $proxy.tls.existingSecretName }}
{{- fail "Cannot set both highAvailability.certManager.enabled and tls.existingSecretName, choose one or the other" }}
@ -61,6 +62,23 @@ spec:
spec:
{{- if $proxy.nodeSelector }}
nodeSelector: {{- toYaml $proxy.nodeSelector | nindent 8 }}
{{- end }}
{{- if $topologySpreadConstraints }}
{{- if $proxy.topologySpreadConstraints }}
topologySpreadConstraints: {{- toYaml $proxy.topologySpreadConstraints | nindent 8 }}
{{- else }}
topologySpreadConstraints:
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: ScheduleAnyway
labelSelector:
matchLabels: {{- include "teleport-cluster.proxy.selectorLabels" . | nindent 14 }}
- maxSkew: 1
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: ScheduleAnyway
labelSelector:
matchLabels: {{- include "teleport-cluster.proxy.selectorLabels" . | nindent 14 }}
{{- end }}
{{- end }}
affinity:
{{- if $proxy.affinity }}
@ -224,9 +242,10 @@ spec:
httpGet:
path: /readyz
port: diag
initialDelaySeconds: 5 # wait 5s for agent to register
periodSeconds: 5 # poll health every 5s
failureThreshold: 12 # consider agent unhealthy after 60s (12 * 5s)
initialDelaySeconds: {{ $proxy.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ $proxy.readinessProbe.periodSeconds }}
failureThreshold: {{$proxy.readinessProbe.failureThreshold}}
successThreshold: {{$proxy.readinessProbe.successThreshold}}
timeoutSeconds: {{ $proxy.probeTimeoutSeconds }}
lifecycle:
# waiting during preStop ensures no new request will hit the Terminating pod


@ -8,8 +8,8 @@ adds operator permissions to ClusterRole:
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: teleport-cluster
app.kubernetes.io/version: 17.2.7
helm.sh/chart: teleport-cluster-17.2.7
app.kubernetes.io/version: 17.4.9
helm.sh/chart: teleport-cluster-17.4.9
teleport.dev/majorVersion: "17"
name: RELEASE-NAME
rules:


@ -24,7 +24,9 @@ configures access monitoring when its values are set:
workgroup: example_access_monitoring_workgroup
authentication:
local_auth: true
second_factor: "on"
second_factors:
- otp
- webauthn
type: local
webauthn:
rp_id: test-aws-cluster
@ -101,7 +103,9 @@ keeps the session_recording type even when it's "off":
auth_service:
authentication:
local_auth: true
second_factor: "on"
second_factors:
- otp
- webauthn
type: local
webauthn:
rp_id: helm-lint
@ -137,7 +141,9 @@ matches snapshot for acme-off.yaml:
auth_service:
authentication:
local_auth: true
second_factor: "on"
second_factors:
- otp
- webauthn
type: local
webauthn:
rp_id: test-cluster-name
@ -172,7 +178,9 @@ matches snapshot for acme-on.yaml:
auth_service:
authentication:
local_auth: true
second_factor: "on"
second_factors:
- otp
- webauthn
type: local
webauthn:
rp_id: test-acme-cluster
@ -207,7 +215,9 @@ matches snapshot for acme-uri-staging.yaml:
auth_service:
authentication:
local_auth: true
second_factor: "on"
second_factors:
- otp
- webauthn
type: local
webauthn:
rp_id: test-acme-cluster
@ -243,7 +253,9 @@ matches snapshot for auth-connector-name.yaml:
authentication:
connector_name: okta
local_auth: true
second_factor: "on"
second_factors:
- otp
- webauthn
type: local
webauthn:
rp_id: helm-lint
@ -312,7 +324,9 @@ matches snapshot for auth-locking-mode.yaml:
authentication:
local_auth: true
locking_mode: strict
second_factor: "on"
second_factors:
- otp
- webauthn
type: local
webauthn:
rp_id: helm-lint
@ -377,13 +391,90 @@ matches snapshot for auth-passwordless.yaml:
output: stderr
severity: INFO
version: v3
matches snapshot for auth-secondfactors-sso.yaml:
1: |
|-
auth_service:
authentication:
local_auth: true
second_factors:
- sso
type: local
cluster_name: helm-lint
enabled: true
proxy_listener_mode: separate
kubernetes_service:
enabled: true
kube_cluster_name: helm-lint
listen_addr: 0.0.0.0:3026
public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026
proxy_service:
enabled: false
ssh_service:
enabled: false
teleport:
auth_server: 127.0.0.1:3025
log:
format:
extra_fields:
- timestamp
- level
- component
- caller
output: text
output: stderr
severity: INFO
version: v3
matches snapshot for auth-secondfactors-webauthn.yaml:
1: |
|-
auth_service:
authentication:
local_auth: true
second_factors:
- sso
- webauthn
type: local
webauthn:
attestation_allowed_cas:
- /etc/ssl/certs/ca-certificates.crt
attestation_denied_cas:
- /etc/ssl/certs/ca-certificates.crt
rp_id: helm-lint
cluster_name: helm-lint
enabled: true
proxy_listener_mode: separate
kubernetes_service:
enabled: true
kube_cluster_name: helm-lint
listen_addr: 0.0.0.0:3026
public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026
proxy_service:
enabled: false
ssh_service:
enabled: false
teleport:
auth_server: 127.0.0.1:3025
log:
format:
extra_fields:
- timestamp
- level
- component
- caller
output: text
output: stderr
severity: INFO
version: v3
matches snapshot for auth-type-legacy.yaml:
1: |
|-
auth_service:
authentication:
local_auth: true
second_factor: "on"
second_factors:
- otp
- webauthn
type: github
webauthn:
rp_id: helm-lint
@ -418,7 +509,9 @@ matches snapshot for auth-type.yaml:
auth_service:
authentication:
local_auth: true
second_factor: "on"
second_factors:
- otp
- webauthn
type: github
webauthn:
rp_id: helm-lint
@ -531,7 +624,9 @@ matches snapshot for aws-dynamodb-autoscaling.yaml:
auth_service:
authentication:
local_auth: true
second_factor: "on"
second_factors:
- otp
- webauthn
type: local
webauthn:
rp_id: test-aws-cluster
@ -582,7 +677,9 @@ matches snapshot for aws-ha-acme.yaml:
auth_service:
authentication:
local_auth: true
second_factor: "on"
second_factors:
- otp
- webauthn
type: local
webauthn:
rp_id: test-aws-cluster
@ -628,7 +725,9 @@ matches snapshot for aws-ha-antiaffinity.yaml:
auth_service:
authentication:
local_auth: true
second_factor: "on"
second_factors:
- otp
- webauthn
type: local
webauthn:
rp_id: test-aws-cluster
@ -674,7 +773,9 @@ matches snapshot for aws-ha-log.yaml:
auth_service:
authentication:
local_auth: true
second_factor: "on"
second_factors:
- otp
- webauthn
type: local
webauthn:
rp_id: test-aws-cluster
@ -721,7 +822,9 @@ matches snapshot for aws-ha.yaml:
auth_service:
authentication:
local_auth: true
second_factor: "on"
second_factors:
- otp
- webauthn
type: local
webauthn:
rp_id: test-aws-cluster
@ -767,7 +870,9 @@ matches snapshot for aws.yaml:
auth_service:
authentication:
local_auth: true
second_factor: "on"
second_factors:
- otp
- webauthn
type: local
webauthn:
rp_id: test-aws-cluster
@ -813,7 +918,9 @@ matches snapshot for azure.yaml:
auth_service:
authentication:
local_auth: true
second_factor: "on"
second_factors:
- otp
- webauthn
type: local
webauthn:
rp_id: test-azure-cluster
@ -856,7 +963,9 @@ matches snapshot for azure.yaml without pool_max_conn:
auth_service:
authentication:
local_auth: true
second_factor: "on"
second_factors:
- otp
- webauthn
type: local
webauthn:
rp_id: test-azure-cluster
@ -899,7 +1008,9 @@ matches snapshot for existing-tls-secret-with-ca.yaml:
auth_service:
authentication:
local_auth: true
second_factor: "on"
second_factors:
- otp
- webauthn
type: local
webauthn:
rp_id: test-cluster-name
@ -934,7 +1045,9 @@ matches snapshot for existing-tls-secret.yaml:
auth_service:
authentication:
local_auth: true
second_factor: "on"
second_factors:
- otp
- webauthn
type: local
webauthn:
rp_id: test-cluster-name
@ -969,7 +1082,9 @@ matches snapshot for gcp-ha-acme.yaml:
auth_service:
authentication:
local_auth: true
second_factor: "on"
second_factors:
- otp
- webauthn
type: local
webauthn:
rp_id: test-gcp-cluster
@ -1014,7 +1129,9 @@ matches snapshot for gcp-ha-antiaffinity.yaml:
auth_service:
authentication:
local_auth: true
second_factor: "on"
second_factors:
- otp
- webauthn
type: local
webauthn:
rp_id: test-gcp-cluster
@ -1059,7 +1176,9 @@ matches snapshot for gcp-ha-log.yaml:
auth_service:
authentication:
local_auth: true
second_factor: "on"
second_factors:
- otp
- webauthn
type: local
webauthn:
rp_id: test-gcp-cluster
@ -1105,7 +1224,9 @@ matches snapshot for gcp.yaml:
auth_service:
authentication:
local_auth: true
second_factor: "on"
second_factors:
- otp
- webauthn
type: local
webauthn:
rp_id: test-gcp-cluster
@ -1150,7 +1271,9 @@ matches snapshot for initcontainers.yaml:
auth_service:
authentication:
local_auth: true
second_factor: "on"
second_factors:
- otp
- webauthn
type: local
webauthn:
rp_id: helm-lint
@ -1185,7 +1308,9 @@ matches snapshot for kube-cluster-name.yaml:
auth_service:
authentication:
local_auth: true
second_factor: "on"
second_factors:
- otp
- webauthn
type: local
webauthn:
rp_id: test-aws-cluster
@ -1220,7 +1345,9 @@ matches snapshot for log-basic.yaml:
auth_service:
authentication:
local_auth: true
second_factor: "on"
second_factors:
- otp
- webauthn
type: local
webauthn:
rp_id: test-log-cluster
@ -1255,7 +1382,9 @@ matches snapshot for log-extra.yaml:
auth_service:
authentication:
local_auth: true
second_factor: "on"
second_factors:
- otp
- webauthn
type: local
webauthn:
rp_id: test-log-cluster
@ -1290,7 +1419,9 @@ matches snapshot for log-legacy.yaml:
auth_service:
authentication:
local_auth: true
second_factor: "on"
second_factors:
- otp
- webauthn
type: local
webauthn:
rp_id: test-log-cluster
@ -1325,7 +1456,9 @@ matches snapshot for priority-class-name.yaml:
auth_service:
authentication:
local_auth: true
second_factor: "on"
second_factors:
- otp
- webauthn
type: local
webauthn:
rp_id: helm-lint
@ -1360,7 +1493,9 @@ matches snapshot for proxy-listener-mode-multiplex.yaml:
auth_service:
authentication:
local_auth: true
second_factor: "on"
second_factors:
- otp
- webauthn
type: local
webauthn:
rp_id: test-proxy-listener-mode
@ -1395,7 +1530,9 @@ matches snapshot for proxy-listener-mode-separate.yaml:
auth_service:
authentication:
local_auth: true
second_factor: "on"
second_factors:
- otp
- webauthn
type: local
webauthn:
rp_id: test-proxy-listener-mode
@ -1430,7 +1567,9 @@ matches snapshot for public-addresses.yaml:
auth_service:
authentication:
local_auth: true
second_factor: "on"
second_factors:
- otp
- webauthn
type: local
webauthn:
rp_id: helm-lint
@ -1465,7 +1604,9 @@ matches snapshot for separate-mongo-listener.yaml:
auth_service:
authentication:
local_auth: true
second_factor: "on"
second_factors:
- otp
- webauthn
type: local
webauthn:
rp_id: helm-lint
@ -1500,7 +1641,9 @@ matches snapshot for separate-postgres-listener.yaml:
auth_service:
authentication:
local_auth: true
second_factor: "on"
second_factors:
- otp
- webauthn
type: local
webauthn:
rp_id: helm-lint
@ -1535,7 +1678,9 @@ matches snapshot for service.yaml:
auth_service:
authentication:
local_auth: true
second_factor: "on"
second_factors:
- otp
- webauthn
type: local
webauthn:
rp_id: helm-lint
@ -1570,7 +1715,9 @@ matches snapshot for session-recording.yaml:
auth_service:
authentication:
local_auth: true
second_factor: "on"
second_factors:
- otp
- webauthn
type: local
webauthn:
rp_id: helm-lint
@ -1606,7 +1753,9 @@ matches snapshot for standalone-customsize.yaml:
auth_service:
authentication:
local_auth: true
second_factor: "on"
second_factors:
- otp
- webauthn
type: local
webauthn:
rp_id: test-standalone-cluster
@ -1643,7 +1792,9 @@ matches snapshot for standalone-existingpvc.yaml:
auth_service:
authentication:
local_auth: true
second_factor: "on"
second_factors:
- otp
- webauthn
type: local
webauthn:
rp_id: test-standalone-cluster
@ -1680,7 +1831,9 @@ matches snapshot for tolerations.yaml:
auth_service:
authentication:
local_auth: true
second_factor: "on"
second_factors:
- otp
- webauthn
type: local
webauthn:
rp_id: test-aws-cluster
@ -1724,7 +1877,9 @@ matches snapshot for version-override.yaml:
auth_service:
authentication:
local_auth: true
second_factor: "on"
second_factors:
- otp
- webauthn
type: local
webauthn:
rp_id: test-cluster-name
@ -1762,7 +1917,9 @@ matches snapshot for volumes.yaml:
auth_service:
authentication:
local_auth: true
second_factor: "on"
second_factors:
- otp
- webauthn
type: local
webauthn:
rp_id: helm-lint
@ -1791,6 +1948,39 @@ matches snapshot for volumes.yaml:
output: stderr
severity: INFO
version: v3
matches snapshot when both secondFactor and secondFactors are set.:
1: |
|-
auth_service:
authentication:
local_auth: true
second_factor: "off"
type: local
cluster_name: helm-lint
enabled: true
proxy_listener_mode: separate
kubernetes_service:
enabled: true
kube_cluster_name: helm-lint
listen_addr: 0.0.0.0:3026
public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026
proxy_service:
enabled: false
ssh_service:
enabled: false
teleport:
auth_server: 127.0.0.1:3025
log:
format:
extra_fields:
- timestamp
- level
- component
- caller
output: text
output: stderr
severity: INFO
version: v3
sets clusterDomain on Configmap:
1: |
apiVersion: v1
@ -1812,7 +2002,9 @@ sets clusterDomain on Configmap:
auth_service:
authentication:
local_auth: true
second_factor: "on"
second_factors:
- otp
- webauthn
type: local
webauthn:
rp_id: teleport.example.com
@ -1848,8 +2040,8 @@ sets clusterDomain on Configmap:
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: teleport-cluster
app.kubernetes.io/version: 17.2.7
helm.sh/chart: teleport-cluster-17.2.7
app.kubernetes.io/version: 17.4.9
helm.sh/chart: teleport-cluster-17.4.9
teleport.dev/majorVersion: "17"
name: RELEASE-NAME-auth
namespace: NAMESPACE
@ -1859,7 +2051,9 @@ uses athena as primary backend when configured:
auth_service:
authentication:
local_auth: true
second_factor: "on"
second_factors:
- otp
- webauthn
type: local
webauthn:
rp_id: teleport.example.com
@ -1904,7 +2098,9 @@ uses athena, dynamo, and stdout when everything is on:
auth_service:
authentication:
local_auth: true
second_factor: "on"
second_factors:
- otp
- webauthn
type: local
webauthn:
rp_id: teleport.example.com
@ -1950,7 +2146,9 @@ uses dynamo as primary backend when configured:
auth_service:
authentication:
local_auth: true
second_factor: "on"
second_factors:
- otp
- webauthn
type: local
webauthn:
rp_id: teleport.example.com


@ -8,7 +8,7 @@
- args:
- --diag-addr=0.0.0.0:3000
- --apply-on-startup=/etc/teleport/apply-on-startup.yaml
image: public.ecr.aws/gravitational/teleport-distroless:17.2.7
image: public.ecr.aws/gravitational/teleport-distroless:17.4.9
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
@ -25,7 +25,7 @@
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
timeoutSeconds: 5
name: teleport
ports:
- containerPort: 3000
@ -44,7 +44,8 @@
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
successThreshold: 1
timeoutSeconds: 5
volumeMounts:
- mountPath: /etc/teleport
name: config
@ -56,6 +57,23 @@
readOnly: true
serviceAccountName: RELEASE-NAME
terminationGracePeriodSeconds: 60
topologySpreadConstraints:
- labelSelector:
matchLabels:
app.kubernetes.io/component: auth
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: ScheduleAnyway
- labelSelector:
matchLabels:
app.kubernetes.io/component: auth
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
maxSkew: 1
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: ScheduleAnyway
volumes:
- name: auth-serviceaccount-token
projected:
@ -141,7 +159,7 @@ should set nodeSelector when set in values:
- args:
- --diag-addr=0.0.0.0:3000
- --apply-on-startup=/etc/teleport/apply-on-startup.yaml
image: public.ecr.aws/gravitational/teleport-distroless:17.2.7
image: public.ecr.aws/gravitational/teleport-distroless:17.4.9
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
@ -158,7 +176,7 @@ should set nodeSelector when set in values:
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
timeoutSeconds: 5
name: teleport
ports:
- containerPort: 3000
@ -177,7 +195,8 @@ should set nodeSelector when set in values:
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
successThreshold: 1
timeoutSeconds: 5
volumeMounts:
- mountPath: /etc/teleport
name: config
@ -192,6 +211,23 @@ should set nodeSelector when set in values:
role: bastion
serviceAccountName: RELEASE-NAME
terminationGracePeriodSeconds: 60
topologySpreadConstraints:
- labelSelector:
matchLabels:
app.kubernetes.io/component: auth
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: ScheduleAnyway
- labelSelector:
matchLabels:
app.kubernetes.io/component: auth
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
maxSkew: 1
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: ScheduleAnyway
volumes:
- name: auth-serviceaccount-token
projected:
@ -238,7 +274,7 @@ should set resources when set in values:
- args:
- --diag-addr=0.0.0.0:3000
- --apply-on-startup=/etc/teleport/apply-on-startup.yaml
image: public.ecr.aws/gravitational/teleport-distroless:17.2.7
image: public.ecr.aws/gravitational/teleport-distroless:17.4.9
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
@ -255,7 +291,7 @@ should set resources when set in values:
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
timeoutSeconds: 5
name: teleport
ports:
- containerPort: 3000
@ -274,7 +310,8 @@ should set resources when set in values:
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
successThreshold: 1
timeoutSeconds: 5
resources:
limits:
cpu: 2
@ -293,6 +330,23 @@ should set resources when set in values:
readOnly: true
serviceAccountName: RELEASE-NAME
terminationGracePeriodSeconds: 60
topologySpreadConstraints:
- labelSelector:
matchLabels:
app.kubernetes.io/component: auth
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: ScheduleAnyway
- labelSelector:
matchLabels:
app.kubernetes.io/component: auth
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
maxSkew: 1
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: ScheduleAnyway
volumes:
- name: auth-serviceaccount-token
projected:
@ -324,7 +378,7 @@ should set securityContext when set in values:
- args:
- --diag-addr=0.0.0.0:3000
- --apply-on-startup=/etc/teleport/apply-on-startup.yaml
image: public.ecr.aws/gravitational/teleport-distroless:17.2.7
image: public.ecr.aws/gravitational/teleport-distroless:17.4.9
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
@ -341,7 +395,7 @@ should set securityContext when set in values:
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
timeoutSeconds: 5
name: teleport
ports:
- containerPort: 3000
@ -360,7 +414,8 @@ should set securityContext when set in values:
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
successThreshold: 1
timeoutSeconds: 5
securityContext:
allowPrivilegeEscalation: false
privileged: false
@ -379,6 +434,23 @@ should set securityContext when set in values:
readOnly: true
serviceAccountName: RELEASE-NAME
terminationGracePeriodSeconds: 60
topologySpreadConstraints:
- labelSelector:
matchLabels:
app.kubernetes.io/component: auth
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: ScheduleAnyway
- labelSelector:
matchLabels:
app.kubernetes.io/component: auth
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
maxSkew: 1
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: ScheduleAnyway
volumes:
- name: auth-serviceaccount-token
projected:
@ -437,7 +509,7 @@ should use OSS image and not mount license when enterprise is not set in values:
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
timeoutSeconds: 5
name: teleport
ports:
- containerPort: 3000
@ -456,7 +528,8 @@ should use OSS image and not mount license when enterprise is not set in values:
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
successThreshold: 1
timeoutSeconds: 5
volumeMounts:
- mountPath: /etc/teleport
name: config
@ -468,6 +541,23 @@ should use OSS image and not mount license when enterprise is not set in values:
readOnly: true
serviceAccountName: RELEASE-NAME
terminationGracePeriodSeconds: 60
topologySpreadConstraints:
- labelSelector:
matchLabels:
app.kubernetes.io/component: auth
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: ScheduleAnyway
- labelSelector:
matchLabels:
app.kubernetes.io/component: auth
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
maxSkew: 1
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: ScheduleAnyway
volumes:
- name: auth-serviceaccount-token
projected:


@ -567,8 +567,8 @@ sets clusterDomain on Configmap:
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: teleport-cluster
app.kubernetes.io/version: 17.2.7
helm.sh/chart: teleport-cluster-17.2.7
app.kubernetes.io/version: 17.4.9
helm.sh/chart: teleport-cluster-17.4.9
teleport.dev/majorVersion: "17"
name: RELEASE-NAME-proxy
namespace: NAMESPACE


@ -11,8 +11,8 @@ sets clusterDomain on Deployment Pods:
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: teleport-cluster
app.kubernetes.io/version: 17.2.7
helm.sh/chart: teleport-cluster-17.2.7
app.kubernetes.io/version: 17.4.9
helm.sh/chart: teleport-cluster-17.4.9
teleport.dev/majorVersion: "17"
name: RELEASE-NAME-proxy
namespace: NAMESPACE
@ -26,7 +26,7 @@ sets clusterDomain on Deployment Pods:
template:
metadata:
annotations:
checksum/config: 788cc751f0c48b48415714a674bdb771ba9a079091aa0bbe737447df2f94ec58
checksum/config: da6155f69a526a5b92d4fa09d4b6658536bfab0d3e5435e2e898b77c1a30dbff
kubernetes.io/pod: test-annotation
kubernetes.io/pod-different: 4
labels:
@ -34,8 +34,8 @@ sets clusterDomain on Deployment Pods:
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: teleport-cluster
app.kubernetes.io/version: 17.2.7
helm.sh/chart: teleport-cluster-17.2.7
app.kubernetes.io/version: 17.4.9
helm.sh/chart: teleport-cluster-17.4.9
teleport.dev/majorVersion: "17"
spec:
affinity:
@ -44,7 +44,7 @@ sets clusterDomain on Deployment Pods:
containers:
- args:
- --diag-addr=0.0.0.0:3000
image: public.ecr.aws/gravitational/teleport-distroless:17.2.7
image: public.ecr.aws/gravitational/teleport-distroless:17.4.9
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
@ -61,7 +61,7 @@ sets clusterDomain on Deployment Pods:
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
timeoutSeconds: 5
name: teleport
ports:
- containerPort: 3080
@ -89,7 +89,8 @@ sets clusterDomain on Deployment Pods:
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
successThreshold: 1
timeoutSeconds: 5
volumeMounts:
- mountPath: /etc/teleport
name: config
@ -105,10 +106,27 @@ sets clusterDomain on Deployment Pods:
- wait
- no-resolve
- RELEASE-NAME-auth-v16.NAMESPACE.svc.test.com
image: public.ecr.aws/gravitational/teleport-distroless:17.2.7
image: public.ecr.aws/gravitational/teleport-distroless:17.4.9
name: wait-auth-update
serviceAccountName: RELEASE-NAME-proxy
terminationGracePeriodSeconds: 60
topologySpreadConstraints:
- labelSelector:
matchLabels:
app.kubernetes.io/component: proxy
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: ScheduleAnyway
- labelSelector:
matchLabels:
app.kubernetes.io/component: proxy
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
maxSkew: 1
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: ScheduleAnyway
volumes:
- name: proxy-serviceaccount-token
projected:
@ -137,7 +155,7 @@ should provision initContainer correctly when set in values:
- wait
- no-resolve
- RELEASE-NAME-auth-v16.NAMESPACE.svc.cluster.local
image: public.ecr.aws/gravitational/teleport-distroless:17.2.7
image: public.ecr.aws/gravitational/teleport-distroless:17.4.9
name: wait-auth-update
resources:
limits:
@ -201,7 +219,7 @@ should set nodeSelector when set in values:
containers:
- args:
- --diag-addr=0.0.0.0:3000
image: public.ecr.aws/gravitational/teleport-distroless:17.2.7
image: public.ecr.aws/gravitational/teleport-distroless:17.4.9
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
@ -218,7 +236,7 @@ should set nodeSelector when set in values:
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
timeoutSeconds: 5
name: teleport
ports:
- containerPort: 3080
@ -246,7 +264,8 @@ should set nodeSelector when set in values:
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
successThreshold: 1
timeoutSeconds: 5
volumeMounts:
- mountPath: /etc/teleport
name: config
@ -262,13 +281,30 @@ should set nodeSelector when set in values:
- wait
- no-resolve
- RELEASE-NAME-auth-v16.NAMESPACE.svc.cluster.local
image: public.ecr.aws/gravitational/teleport-distroless:17.2.7
image: public.ecr.aws/gravitational/teleport-distroless:17.4.9
name: wait-auth-update
nodeSelector:
environment: security
role: bastion
serviceAccountName: RELEASE-NAME-proxy
terminationGracePeriodSeconds: 60
topologySpreadConstraints:
- labelSelector:
matchLabels:
app.kubernetes.io/component: proxy
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: ScheduleAnyway
- labelSelector:
matchLabels:
app.kubernetes.io/component: proxy
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
maxSkew: 1
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: ScheduleAnyway
volumes:
- name: proxy-serviceaccount-token
projected:
@ -313,7 +349,7 @@ should set resources for wait-auth-update initContainer when set in values:
containers:
- args:
- --diag-addr=0.0.0.0:3000
image: public.ecr.aws/gravitational/teleport-distroless:17.2.7
image: public.ecr.aws/gravitational/teleport-distroless:17.4.9
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
@ -330,7 +366,7 @@ should set resources for wait-auth-update initContainer when set in values:
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
timeoutSeconds: 5
name: teleport
ports:
- containerPort: 3080
@ -358,7 +394,8 @@ should set resources for wait-auth-update initContainer when set in values:
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
successThreshold: 1
timeoutSeconds: 5
resources:
limits:
cpu: 2
@ -381,7 +418,7 @@ should set resources for wait-auth-update initContainer when set in values:
- wait
- no-resolve
- RELEASE-NAME-auth-v16.NAMESPACE.svc.cluster.local
image: public.ecr.aws/gravitational/teleport-distroless:17.2.7
image: public.ecr.aws/gravitational/teleport-distroless:17.4.9
name: wait-auth-update
resources:
limits:
@ -392,6 +429,23 @@ should set resources for wait-auth-update initContainer when set in values:
memory: 256Mi
serviceAccountName: RELEASE-NAME-proxy
terminationGracePeriodSeconds: 60
topologySpreadConstraints:
- labelSelector:
matchLabels:
app.kubernetes.io/component: proxy
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: ScheduleAnyway
- labelSelector:
matchLabels:
app.kubernetes.io/component: proxy
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
maxSkew: 1
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: ScheduleAnyway
volumes:
- name: proxy-serviceaccount-token
projected:
@ -421,7 +475,7 @@ should set resources when set in values:
containers:
- args:
- --diag-addr=0.0.0.0:3000
image: public.ecr.aws/gravitational/teleport-distroless:17.2.7
image: public.ecr.aws/gravitational/teleport-distroless:17.4.9
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
@ -438,7 +492,7 @@ should set resources when set in values:
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
timeoutSeconds: 5
name: teleport
ports:
- containerPort: 3080
@ -466,7 +520,8 @@ should set resources when set in values:
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
successThreshold: 1
timeoutSeconds: 5
resources:
limits:
cpu: 2
@ -489,7 +544,7 @@ should set resources when set in values:
- wait
- no-resolve
- RELEASE-NAME-auth-v16.NAMESPACE.svc.cluster.local
image: public.ecr.aws/gravitational/teleport-distroless:17.2.7
image: public.ecr.aws/gravitational/teleport-distroless:17.4.9
name: wait-auth-update
resources:
limits:
@ -500,6 +555,23 @@ should set resources when set in values:
memory: 256Mi
serviceAccountName: RELEASE-NAME-proxy
terminationGracePeriodSeconds: 60
topologySpreadConstraints:
- labelSelector:
matchLabels:
app.kubernetes.io/component: proxy
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: ScheduleAnyway
- labelSelector:
matchLabels:
app.kubernetes.io/component: proxy
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
maxSkew: 1
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: ScheduleAnyway
volumes:
- name: proxy-serviceaccount-token
projected:
@ -529,7 +601,7 @@ should set securityContext for initContainers when set in values:
containers:
- args:
- --diag-addr=0.0.0.0:3000
image: public.ecr.aws/gravitational/teleport-distroless:17.2.7
image: public.ecr.aws/gravitational/teleport-distroless:17.4.9
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
@ -546,7 +618,7 @@ should set securityContext for initContainers when set in values:
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
timeoutSeconds: 5
name: teleport
ports:
- containerPort: 3080
@ -574,7 +646,8 @@ should set securityContext for initContainers when set in values:
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
successThreshold: 1
timeoutSeconds: 5
securityContext:
allowPrivilegeEscalation: false
privileged: false
@ -597,7 +670,7 @@ should set securityContext for initContainers when set in values:
- wait
- no-resolve
- RELEASE-NAME-auth-v16.NAMESPACE.svc.cluster.local
image: public.ecr.aws/gravitational/teleport-distroless:17.2.7
image: public.ecr.aws/gravitational/teleport-distroless:17.4.9
name: wait-auth-update
securityContext:
allowPrivilegeEscalation: false
@ -608,6 +681,23 @@ should set securityContext for initContainers when set in values:
runAsUser: 99
serviceAccountName: RELEASE-NAME-proxy
terminationGracePeriodSeconds: 60
topologySpreadConstraints:
- labelSelector:
matchLabels:
app.kubernetes.io/component: proxy
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: ScheduleAnyway
- labelSelector:
matchLabels:
app.kubernetes.io/component: proxy
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
maxSkew: 1
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: ScheduleAnyway
volumes:
- name: proxy-serviceaccount-token
projected:
@ -637,7 +727,7 @@ should set securityContext when set in values:
containers:
- args:
- --diag-addr=0.0.0.0:3000
image: public.ecr.aws/gravitational/teleport-distroless:17.2.7
image: public.ecr.aws/gravitational/teleport-distroless:17.4.9
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
@ -654,7 +744,7 @@ should set securityContext when set in values:
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
timeoutSeconds: 5
name: teleport
ports:
- containerPort: 3080
@ -682,7 +772,8 @@ should set securityContext when set in values:
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
successThreshold: 1
timeoutSeconds: 5
securityContext:
allowPrivilegeEscalation: false
privileged: false
@ -705,7 +796,7 @@ should set securityContext when set in values:
- wait
- no-resolve
- RELEASE-NAME-auth-v16.NAMESPACE.svc.cluster.local
image: public.ecr.aws/gravitational/teleport-distroless:17.2.7
image: public.ecr.aws/gravitational/teleport-distroless:17.4.9
name: wait-auth-update
securityContext:
allowPrivilegeEscalation: false
@ -716,6 +807,23 @@ should set securityContext when set in values:
runAsUser: 99
serviceAccountName: RELEASE-NAME-proxy
terminationGracePeriodSeconds: 60
topologySpreadConstraints:
- labelSelector:
matchLabels:
app.kubernetes.io/component: proxy
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: ScheduleAnyway
- labelSelector:
matchLabels:
app.kubernetes.io/component: proxy
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
maxSkew: 1
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: ScheduleAnyway
volumes:
- name: proxy-serviceaccount-token
projected:


@ -697,4 +697,40 @@ tests:
- matchSnapshot: {}
- matchRegex:
path: data.teleport\.yaml
pattern: 'svc.test.com:3026'
pattern: 'svc.test.com:3026'
- it: matches snapshot for auth-secondfactors-webauthn.yaml
values:
- ../.lint/auth-secondfactors-webauthn.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for auth-secondfactors-sso.yaml
values:
- ../.lint/auth-secondfactors-sso.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot when both secondFactor and secondFactors are set.
set:
clusterName: helm-lint
authentication:
secondFactor: "off"
secondFactors: ["otp", "webauthn"]
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
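Review bot: The new "matches snapshot when both secondFactor and secondFactors are set." case only snapshots the rendered ConfigMap, so the precedence it exists to pin — the snapshot in this commit shows the deprecated `secondFactor: "off"` winning and `second_factors` being dropped entirely — can change silently with a routine snapshot update. Add an explicit assertion alongside the matchSnapshot, e.g. `- matchRegex:` / `path: data.teleport\.yaml` / `pattern: 'second_factor: "off"'`, and a `notMatchRegex` for `second_factors:`. This matters because a stale `secondFactor: "off"` left over in a values file from an older chart turns MFA off even though `secondFactors` lists otp and webauthn; a dedicated assertion, plus a one-line comment on the test stating that the legacy key takes precedence, makes that behaviour visible to whoever touches the template next. The enclosing `tests:` list starts outside the hunk.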


@ -923,3 +923,101 @@ tests:
- equal:
path: spec.template.metadata.labels.baz
value: overridden
- it: sets readinessProbe values on Deployment Pods
template: auth/deployment.yaml
set:
clusterName: helm-lint
readinessProbe:
initialDelaySeconds: 9
periodSeconds: 10
failureThreshold: 11
successThreshold: 12
auth:
# we test an auth-specific override
readinessProbe:
initialDelaySeconds: 13
asserts:
- equal:
path: spec.template.spec.containers[0].readinessProbe.periodSeconds
value: 10
- equal:
path: spec.template.spec.containers[0].readinessProbe.failureThreshold
value: 11
- equal:
path: spec.template.spec.containers[0].readinessProbe.successThreshold
value: 12
- equal:
path: spec.template.spec.containers[0].readinessProbe.initialDelaySeconds
value: 13
- it: sets topology spread constraints by default
template: auth/deployment.yaml
set:
clusterName: helm-lint
asserts:
- equal:
path: spec.template.spec.topologySpreadConstraints
value:
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: ScheduleAnyway
labelSelector:
matchLabels:
app.kubernetes.io/component: auth
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
- maxSkew: 1
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: ScheduleAnyway
labelSelector:
matchLabels:
app.kubernetes.io/component: auth
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
- it: removes topology spread constraints when disabled
template: auth/deployment.yaml
set:
clusterName: helm-lint
disableTopologySpreadConstraints: true
asserts:
- isEmpty:
path: spec.template.spec.topologySpreadConstraints
- it: removes topology spread constraints when running on antique kubernetes
template: auth/deployment.yaml
set:
clusterName: helm-lint
capabilities:
majorVersion: 1
minorVersion: 17
asserts:
- isEmpty:
path: spec.template.spec.topologySpreadConstraints
- it: uses custom topology spread constraints when set
template: auth/deployment.yaml
set:
clusterName: helm-lint
topologySpreadConstraints:
- maxSkew: 2
topologyKey: foobar
whenUnsatisfiable: ScheduleAnyway
labelSelector:
matchLabels:
app: baz
# helm unit-test has a bug where capabilities are not reset between tests, we must set back to 1.18 after the 1.17 test.
capabilities:
majorVersion: 1
minorVersion: 18
asserts:
- equal:
path: spec.template.spec.topologySpreadConstraints
value:
- maxSkew: 2
topologyKey: foobar
whenUnsatisfiable: ScheduleAnyway
labelSelector:
matchLabels:
app: baz
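Review bot: The `removes topology spread constraints when running on antique kubernetes` test leaves `capabilities` at 1.17 for every test that runs after it, and the only thing restoring 1.18 is the comment-flagged block inside the unrelated `uses custom topology spread constraints when set` test; deleting or reordering that later test would silently run the rest of the suite against 1.17. Put the explanation on the test that causes the leak rather than the one that repairs it, e.g. above `capabilities:` in the 1.17 test: `# NOTE: helm-unittest does not reset capabilities between tests; the next test restores 1.18 - keep them adjacent.` The same applies to the proxy deployment test file in this commit. The enclosing `tests:` list starts outside the hunk.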


@ -1041,4 +1041,102 @@ tests:
- matchSnapshot: {}
- matchRegex:
path: spec.template.spec.initContainers[0].command[3]
pattern: ".svc.test.com$"
pattern: ".svc.test.com$"
- it: sets readinessProbe values on Deployment Pods
template: proxy/deployment.yaml
set:
clusterName: helm-lint
readinessProbe:
initialDelaySeconds: 9
periodSeconds: 10
failureThreshold: 11
successThreshold: 12
proxy:
# we test an auth-specific override
readinessProbe:
initialDelaySeconds: 13
asserts:
- equal:
path: spec.template.spec.containers[0].readinessProbe.periodSeconds
value: 10
- equal:
path: spec.template.spec.containers[0].readinessProbe.failureThreshold
value: 11
- equal:
path: spec.template.spec.containers[0].readinessProbe.successThreshold
value: 12
- equal:
path: spec.template.spec.containers[0].readinessProbe.initialDelaySeconds
value: 13
- it: sets topology spread constraints by default
template: proxy/deployment.yaml
set:
clusterName: helm-lint
asserts:
- equal:
path: spec.template.spec.topologySpreadConstraints
value:
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: ScheduleAnyway
labelSelector:
matchLabels:
app.kubernetes.io/component: proxy
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
- maxSkew: 1
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: ScheduleAnyway
labelSelector:
matchLabels:
app.kubernetes.io/component: proxy
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
- it: removes topology spread constraints when disabled
template: proxy/deployment.yaml
set:
clusterName: helm-lint
disableTopologySpreadConstraints: true
asserts:
- isEmpty:
path: spec.template.spec.topologySpreadConstraints
- it: removes topology spread constraints when running on antique kubernetes
template: proxy/deployment.yaml
set:
clusterName: helm-lint
capabilities:
majorVersion: 1
minorVersion: 17
asserts:
- isEmpty:
path: spec.template.spec.topologySpreadConstraints
- it: uses custom topology spread constraints when set
template: proxy/deployment.yaml
set:
clusterName: helm-lint
topologySpreadConstraints:
- maxSkew: 2
topologyKey: foobar
whenUnsatisfiable: ScheduleAnyway
labelSelector:
matchLabels:
app: baz
# helm unit-test has a bug where capabilities are not reset between tests, we must set back to 1.18 after the 1.17 test.
capabilities:
majorVersion: 1
minorVersion: 18
asserts:
- equal:
path: spec.template.spec.topologySpreadConstraints
value:
- maxSkew: 2
topologyKey: foobar
whenUnsatisfiable: ScheduleAnyway
labelSelector:
matchLabels:
app: baz
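Review bot: The comment `# we test an auth-specific override` above `readinessProbe:` under `proxy:` was copied from the auth test file and no longer describes what this test does; it overrides `proxy.readinessProbe`, so it should read `# we test a proxy-specific override`. The enclosing `tests:` list starts outside the hunk.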


@ -126,6 +126,19 @@
],
"default": "otp"
},
"secondFactors": {
"$id": "#/properties/authentication/properties/secondFactors",
"type": "array",
"items": {
"type": "string",
"enum": [
"otp",
"sso",
"webauthn"
]
},
"default": []
},
"webauthn": {
"$id": "#/properties/authentication/properties/webauthn",
"type": "object",


@ -129,9 +129,11 @@ authentication:
# See https://goteleport.com/docs/access-controls/guides/locking/#next-steps-locking-modes.
lockingMode: ""
# Second factor requirements for users of the Teleport cluster.
# DEPRECATED: Second factor requirements for users of the Teleport cluster.
# Controls the `auth_config.authentication.second_factor` field in `teleport.yaml`.
# Possible values are 'off', 'on', 'otp', 'optional' and 'webauthn'.
# This field is kept for backward compatibility purposes, you should use
# `secondFactors` instead.
#
# WARNING:
# If you set `publicAddr` for users to access the cluster under a domain different
@ -148,7 +150,29 @@ authentication:
# "teleport.example.com", RP ID can be "teleport.example.com" or "example.com".
#
# Changing the RP ID will invalidate all already registered webauthn second factors.
secondFactor: "on"
# secondFactor: ""
# Second factor requirements for users of the Teleport cluster.
# Controls the `auth_config.authentication.second_factors` field in `teleport.yaml`.
# This is a list whose possible item values are item values are 'otp', 'sso' and 'webauthn'.
# This should be preferred over `secondFactor`.
#
# WARNING:
# If you set `publicAddr` for users to access the cluster under a domain different
# to clusterName you must manually set the webauthn Relying
# Party Identifier (RP ID) - https://www.w3.org/TR/webauthn-2/#relying-party-identifier
# If you don't, RP ID will default to `clusterName` and users will fail
# to register second factors.
#
# You can do this by setting the value
# `auth.teleportConfig.auth_service.authentication.webauthn.rp_id`.
#
# RP ID must be both a valid domain, and part of the full domain users are connecting to.
# For example, if users are accessing the cluster with the domain
# "teleport.example.com", RP ID can be "teleport.example.com" or "example.com".
#
# Changing the RP ID will invalidate all already registered webauthn second factors.
secondFactors: ["otp", "webauthn"]
# (Optional) When using webauthn this allows to restrict which vendor and key models can be used.
# webauthn:
@ -604,6 +628,30 @@ log:
# https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
nodeSelector: {}
# Turns off the topology spread constraints.
# The feature is automatically turned off on Kubernetes versions below 1.18.
disableTopologySpreadConstraints: false
# Pod topology spread constraints:
# https://kubernetes.io/fr/docs/concepts/workloads/pods/pod-topology-spread-constraints/
# When unset, the chart defaults to a soft topology spread constraint
# that tries to spread pods across hosts and zones.
#
# ```
# topologySpreadConstraints
# - maxSkew: 1
# topologyKey: kubernetes.io/hostname
# whenUnsatisfiable: ScheduleAnyway
# labelSelector:
# matchLabels: # dynamically computed
# - maxSkew: 1
# topologyKey: topology.kubernetes.io/zone
# whenUnsatisfiable: ScheduleAnyway
# labelSelector:
# matchLabels: # dynamically computed
# ```
topologySpreadConstraints: []
# Affinity for pod assignment
# https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
# NOTE: If affinity is set here, highAvailability.requireAntiAffinity cannot also be used - you can only set one or the other.
@ -794,7 +842,24 @@ tolerations: []
# Timeouts for the readiness and liveness probes
# https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
probeTimeoutSeconds: 1
probeTimeoutSeconds: 5
# readinessProbe(object) -- configures the readiness probe settings.
# This can be tuned to keep proxy pods ready even when the auth is unavailable.
#
# The default values mark the pod unready after one minute of failing readiness probe.
readinessProbe:
# readinessProbe.initialDelaySeconds(int) -- controls the number of seconds after the container has started before
# liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
initialDelaySeconds: 5
# readinessProbe.periodSeconds(int) -- controls how often (in seconds) to perform the probe. Minimum value is 1.
periodSeconds: 5
# readinessProbe.failureThreshold(int) -- is the minimum consecutive failures for the probe to be considered failed
# after having succeeded. Minimum value is 1.
failureThreshold: 12
# readinessProbe.successThreshold(int) -- is the minimum consecutive successes for the probe to be considered
# successful after having failed. Minimum value is 1.
successThreshold: 1
# Kubernetes termination grace period
# https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution