From e2b5bb13769d2270b6f1c2159bc47041a0be39e6 Mon Sep 17 00:00:00 2001 From: Jonny Ervine Date: Tue, 13 May 2025 22:48:36 +0800 Subject: [PATCH] Update teleport --- .../.lint/auth-secondfactors-sso.yaml | 4 + .../.lint/auth-secondfactors-webauthn.yaml | 10 + teleport-cluster/Chart.yaml | 6 +- .../charts/teleport-operator/Chart.yaml | 4 +- .../resources.teleport.dev_botsv1.yaml | 146 +++++++++ ...esources.teleport.dev_provisiontokens.yaml | 32 ++ .../resources.teleport.dev_roles.yaml | 4 +- .../resources.teleport.dev_rolesv6.yaml | 2 +- .../resources.teleport.dev_rolesv7.yaml | 2 +- ...ces.teleport.dev_workloadidentitiesv1.yaml | 273 ++++++++++++++++ .../teleport-operator/templates/role.yaml | 4 + .../templates/auth/_config.common.tpl | 29 +- teleport-cluster/templates/auth/config.yaml | 16 + .../templates/auth/deployment.yaml | 29 +- .../templates/proxy/deployment.yaml | 25 +- .../auth_clusterrole_test.yaml.snap | 4 +- .../__snapshot__/auth_config_test.yaml.snap | 292 +++++++++++++++--- .../auth_deployment_test.yaml.snap | 118 ++++++- .../__snapshot__/proxy_config_test.yaml.snap | 4 +- .../proxy_deployment_test.yaml.snap | 168 ++++++++-- teleport-cluster/tests/auth_config_test.yaml | 38 ++- .../tests/auth_deployment_test.yaml | 98 ++++++ .../tests/proxy_deployment_test.yaml | 100 +++++- teleport-cluster/values.schema.json | 13 + teleport-cluster/values.yaml | 71 ++++- 25 files changed, 1367 insertions(+), 125 deletions(-) create mode 100644 teleport-cluster/.lint/auth-secondfactors-sso.yaml create mode 100644 teleport-cluster/.lint/auth-secondfactors-webauthn.yaml create mode 100644 teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_botsv1.yaml create mode 100644 teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_workloadidentitiesv1.yaml diff --git a/teleport-cluster/.lint/auth-secondfactors-sso.yaml b/teleport-cluster/.lint/auth-secondfactors-sso.yaml new file mode 100644 index 0000000..9c49c8b --- /dev/null 
+++ b/teleport-cluster/.lint/auth-secondfactors-sso.yaml @@ -0,0 +1,4 @@ +clusterName: helm-lint +authentication: + secondFactors: + - sso diff --git a/teleport-cluster/.lint/auth-secondfactors-webauthn.yaml b/teleport-cluster/.lint/auth-secondfactors-webauthn.yaml new file mode 100644 index 0000000..3693dd8 --- /dev/null +++ b/teleport-cluster/.lint/auth-secondfactors-webauthn.yaml @@ -0,0 +1,10 @@ +clusterName: helm-lint +authentication: + secondFactors: + - sso + - webauthn + webauthn: + attestationAllowedCas: + - "/etc/ssl/certs/ca-certificates.crt" + attestationDeniedCas: + - "/etc/ssl/certs/ca-certificates.crt" diff --git a/teleport-cluster/Chart.yaml b/teleport-cluster/Chart.yaml index c0622f6..97d66f1 100644 --- a/teleport-cluster/Chart.yaml +++ b/teleport-cluster/Chart.yaml @@ -1,13 +1,13 @@ apiVersion: v2 -appVersion: 17.2.7 +appVersion: 17.4.9 dependencies: - alias: operator name: teleport-operator repository: "" - version: 17.2.7 + version: 17.4.9 description: Teleport is an access platform for your infrastructure icon: https://goteleport.com/static/teleport-symbol-bimi.svg keywords: - Teleport name: teleport-cluster -version: 17.2.7 +version: 17.4.9 diff --git a/teleport-cluster/charts/teleport-operator/Chart.yaml b/teleport-cluster/charts/teleport-operator/Chart.yaml index af29aae..64d9260 100644 --- a/teleport-cluster/charts/teleport-operator/Chart.yaml +++ b/teleport-cluster/charts/teleport-operator/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: 17.2.7 +appVersion: 17.4.9 description: Teleport Operator provides management of select Teleport resources. icon: https://goteleport.com/static/teleport-symbol-bimi.svg keywords: - Teleport name: teleport-operator -version: 17.2.7 +version: 17.4.9 diff --git a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_botsv1.yaml b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_botsv1.yaml new file mode 100644 index 0000000..599afe1 --- /dev/null 
+++ b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_botsv1.yaml 
@@ -0,0 +1,146 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: teleportbotsv1.resources.teleport.dev +spec: + group: resources.teleport.dev + names: + kind: TeleportBotV1 + listKind: TeleportBotV1List + plural: teleportbotsv1 + shortNames: + - botv1 + - botsv1 + singular: teleportbotv1 + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: BotV1 is the Schema for the botsv1 API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Bot resource definition v1 from Teleport + properties: + max_session_ttl: + description: The max session TTL value for the bot's internal role. + Unless specified, bots may not request a value beyond the default + maximum TTL of 12 hours. This value may not be larger than 7 days + (168 hours). + format: duration + type: string + roles: + description: The roles that the bot should be able to impersonate. + items: + type: string + nullable: true + type: array + traits: + description: The traits that will be associated with the bot for the + purposes of role templating. Where multiple specified with the + same name, these will be merged by the server. + items: + properties: + name: + description: The name of the trait. 
This is what allows the + trait to be queried in role templates. + type: string + values: + description: The values associated with the named trait. + items: + type: string + nullable: true + type: array + type: object + nullable: true + type: array + type: object + status: + description: Status defines the observed state of the Teleport resource + properties: + conditions: + description: Conditions represent the latest available observations + of an object's state + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + teleportResourceID: + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_provisiontokens.yaml b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_provisiontokens.yaml index e42dc48..00ebc52 100644 --- a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_provisiontokens.yaml +++ b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_provisiontokens.yaml @@ -295,6 +295,12 @@ spec: will default to `gitlab.com` - but can be set to the domain of your self-hosted GitLab e.g `gitlab.example.com`. type: string + static_jwks: + description: StaticJWKS disables fetching of the GitLab signing + keys via the JWKS/OIDC endpoints, and allows them to be directly + specified. This allows joining from GitLab CI instances that + are not reachable by the Teleport Auth Service. + type: string type: object join_method: description: 'JoinMethod is the joining method required in order to 
@@ -330,6 +336,32 @@ spec: - `in_cluster` - `static_jwks` If unset, this defaults to `in_cluster`.' type: string type: object + oracle: + description: Oracle allows the configuration of options specific to + the "oracle" join method. + nullable: true + properties: + allow: + description: Allow is a list of Rules, nodes using this token + must match one allow rule to use this token. + items: + properties: + parent_compartments: + items: + type: string + nullable: true + type: array + regions: + items: + type: string + nullable: true + type: array + tenancy: + type: string + type: object + nullable: true + type: array + type: object roles: description: Roles is a list of roles associated with the token, that will be converted to metadata in the SSH and X509 certificates issued diff --git a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml index 9e3a0f4..5b8d0cd 100644 --- a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml +++ b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml @@ -1376,7 +1376,7 @@ spec: type: string type: object request_access: - description: RequestAccess defines the request strategy (optional|note|always) + description: RequestAccess defines the request strategy (optional|reason|always) where optional is the default. type: string request_prompt: @@ -2849,7 +2849,7 @@ spec: type: string type: object request_access: - description: RequestAccess defines the request strategy (optional|note|always) + description: RequestAccess defines the request strategy (optional|reason|always) where optional is the default. type: string request_prompt: 
diff --git a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv6.yaml b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv6.yaml index 5e1ff2a..dd182ab 100644 --- a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv6.yaml +++ b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv6.yaml @@ -1379,7 +1379,7 @@ spec: type: string type: object request_access: - description: RequestAccess defines the request strategy (optional|note|always) + description: RequestAccess defines the request strategy (optional|reason|always) where optional is the default. type: string request_prompt: diff --git a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv7.yaml b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv7.yaml index fb68240..2f43956 100644 --- a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv7.yaml +++ b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv7.yaml @@ -1379,7 +1379,7 @@ spec: type: string type: object request_access: - description: RequestAccess defines the request strategy (optional|note|always) + description: RequestAccess defines the request strategy (optional|reason|always) where optional is the default. type: string request_prompt: diff --git a/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_workloadidentitiesv1.yaml b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_workloadidentitiesv1.yaml new file mode 100644 index 0000000..ccf4beb --- /dev/null +++ b/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_workloadidentitiesv1.yaml 
@@ -0,0 +1,273 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: teleportworkloadidentitiesv1.resources.teleport.dev +spec: + group: resources.teleport.dev + names: + kind: TeleportWorkloadIdentityV1 + listKind: TeleportWorkloadIdentityV1List + plural: teleportworkloadidentitiesv1 + shortNames: + - workloadidentityv1 + - workloadidentitiesv1 + singular: teleportworkloadidentityv1 + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: WorkloadIdentityV1 is the Schema for the workloadidentitiesv1 + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: WorkloadIdentity resource definition v1 from Teleport + properties: + rules: + description: The rules which are evaluated before the WorkloadIdentity + can be issued. + nullable: true + properties: + allow: + description: A list of rules used to determine if a WorkloadIdentity + can be issued. If none are provided, it will be considered a + pass. If any are provided, then at least one must pass for the + rules to be considered passed. + items: + properties: + conditions: + description: The conditions that must be met for this rule + to be considered passed. Mutually exclusive with expression. 
+ items: + properties: + attribute: + description: The name of the attribute to evaluate + the condition against. + type: string + eq: + description: The attribute casted to a string must + be equal to the value. + nullable: true + properties: + value: + description: The value to compare the attribute + against. + type: string + type: object + in: + description: The attribute casted to a string must + be in the list of values. + nullable: true + properties: + values: + description: The list of values to compare the + attribute against. + items: + type: string + nullable: true + type: array + type: object + not_eq: + description: The attribute casted to a string must + not be equal to the value. + nullable: true + properties: + value: + description: The value to compare the attribute + against. + type: string + type: object + not_in: + description: The attribute casted to a string must + not be in the list of values. + nullable: true + properties: + values: + description: The list of values to compare the + attribute against. + items: + type: string + nullable: true + type: array + type: object + type: object + nullable: true + type: array + expression: + description: An expression written in Teleport's predicate + language that must evaluate to true for this rule to be + considered passed. Mutually exclusive with conditions. + type: string + type: object + nullable: true + type: array + type: object + spiffe: + description: Configuration pertaining to the issuance of SPIFFE-compatible + workload identity credentials. + nullable: true + properties: + hint: + description: A freeform text field which is provided to workloads + along with a credential produced by this WorkloadIdentity. This + can be used to provide additional context that can be used to + select between multiple credentials. + type: string + id: + description: The path of the SPIFFE ID that will be issued to + the workload. This should be prefixed with a forward-slash + ("/"). 
This field supports templating using attributes. + type: string + jwt: + description: Configuration specific to JWT-SVIDs. + nullable: true + properties: + extra_claims: + additionalProperties: true + description: Additional claims that will be added to the JWT. + nullable: true + type: object + maximum_ttl: + description: Control the maximum TTL of JWT-SVIDs issued using + this WorkloadIdentity. If a JWT-SVID is requested with + a TTL greater than this value, then the returned JWT-SVID + will have a TTL of this value. Defaults to 24 hours. The + maximum this value can be set to is 24 hours. + format: duration + type: string + type: object + x509: + description: Configuration specific to X509-SVIDs. + nullable: true + properties: + dns_sans: + description: The DNS Subject Alternative Names (SANs) that + should be included in an X509-SVID issued using this WorkloadIdentity. Each + entry in this list supports templating using attributes. + items: + type: string + nullable: true + type: array + maximum_ttl: + description: Control the maximum TTL of X509-SVIDs issued + using this WorkloadIdentity. If a X509-SVID is requested + with a TTL greater than this value, then the returned X509-SVID + will have a TTL of this value. Defaults to 24 hours. The + maximum this value can be set to is 14 days. + format: duration + type: string + subject_template: + description: Used to configure the Subject Distinguished Name + (DN) of the X509-SVID. In most circumstances, it is recommended + to prefer relying on the SPIFFE ID encoded in the URI SAN. + However, the Subject DN may be needed to support legacy + systems designed for X509 and not SPIFFE/WIMSE. If not + provided, the X509-SVID will be issued with an empty Subject + DN. + nullable: true + properties: + common_name: + description: Common Name (CN) - 2.5.4.3 If empty, the + RDN will be omitted from the DN. + type: string + organization: + description: Organization (O) - 2.5.4.10 If empty, the + RDN will be omitted from the DN. 
+ type: string + organizational_unit: + description: Organizational Unit (OU) - 2.5.4.11 If empty, + the RDN will be omitted from the DN. + type: string + type: object + type: object + type: object + type: object + status: + description: Status defines the observed state of the Teleport resource + properties: + conditions: + description: Conditions represent the latest available observations + of an object's state + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + teleportResourceID: + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/teleport-cluster/charts/teleport-operator/templates/role.yaml b/teleport-cluster/charts/teleport-operator/templates/role.yaml index 1b7c219..e6f073c 100644 --- a/teleport-cluster/charts/teleport-operator/templates/role.yaml +++ b/teleport-cluster/charts/teleport-operator/templates/role.yaml @@ -38,6 +38,10 @@ rules: - teleportopenssheiceserversv2/status - teleporttrustedclustersv2 - teleporttrustedclustersv2/status + - teleportbotsv1 + - teleportbotsv1/status + - teleportworkloadidentitiesv1 + - teleportworkloadidentitiesv1/status verbs: - get - list diff --git a/teleport-cluster/templates/auth/_config.common.tpl b/teleport-cluster/templates/auth/_config.common.tpl index cc50625..4f93a00 100644 --- a/teleport-cluster/templates/auth/_config.common.tpl +++ b/teleport-cluster/templates/auth/_config.common.tpl 
@@ -36,20 +36,33 @@ auth_service: {{- if $authentication.lockingMode }} locking_mode: "{{ $authentication.lockingMode }}" {{- end }} +{{- $hasWebauthnMFA := false }} +{{/* secondFactor takes precedence for backward compatibility, but new chart releases +should have second_factor unset and privilege second_factors instead. +Sadly, it is not possible to do a conversion between second_factor and second_factors +because of the "off" value. */}} {{- if $authentication.secondFactor }} - second_factor: "{{ $authentication.secondFactor }}" - {{- if not (or (eq $authentication.secondFactor "off") (eq $authentication.secondFactor "otp")) }} + second_factor: {{ $authentication.secondFactor | squote }} + {{- if has $authentication.secondFactor (list "webauthn" "on" "optional") }} + {{- $hasWebauthnMFA = true }} + {{- end }} +{{- else }} + second_factors: {{- toYaml $authentication.secondFactors | nindent 6 }} + {{- if has "webauthn" $authentication.secondFactors }} + {{- $hasWebauthnMFA = true }} + {{- end }} +{{- end }} +{{- if $hasWebauthnMFA }} webauthn: rp_id: {{ required "clusterName is required in chart values" .Values.clusterName }} - {{- if $authentication.webauthn }} - {{- if $authentication.webauthn.attestationAllowedCas }} + {{- if $authentication.webauthn }} + {{- if $authentication.webauthn.attestationAllowedCas }} attestation_allowed_cas: {{- toYaml $authentication.webauthn.attestationAllowedCas | nindent 12 }} - {{- end }} - {{- if $authentication.webauthn.attestationDeniedCas }} + {{- end }} + {{- if $authentication.webauthn.attestationDeniedCas }} attestation_denied_cas: {{- toYaml $authentication.webauthn.attestationDeniedCas | nindent 12 }} + {{- end }} {{- end }} - {{- end }} - {{- end }} {{- end }} {{- if .Values.sessionRecording }} session_recording: {{ .Values.sessionRecording | squote }} diff --git a/teleport-cluster/templates/auth/config.yaml b/teleport-cluster/templates/auth/config.yaml index d1c4bff..303052e 100644 
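Review bot: The new `else` branch emits whatever `authentication.secondFactors` holds, so an explicit empty list or a null from a values override reaches teleport.yaml as `second_factors: []` or `second_factors: null` with no render-time check, and how the auth service treats that is not visible here. Unless values.schema.json (changed by this commit but not shown) already requires a non-empty list, a guard placed just before `second_factors:` such as `{{- if not $authentication.secondFactors }}{{ fail "authentication.secondFactors must list at least one second factor when authentication.secondFactor is unset" }}{{- end }}` would surface the misconfiguration at `helm template` time instead of at auth-service start. As a point of style, the explanatory comment is written as `{{/* … */}}` without trim markers while every neighbouring action uses `{{-`, so the newline before it survives and likely leaves a stray blank line in the rendered config unless the output is re-serialised; `{{- /* … */ -}}` keeps the whitespace handling consistent. The `auth_service.authentication` mapping this hunk edits starts before the hunk and the `auth_service` block continues after it.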
--- a/teleport-cluster/templates/auth/config.yaml +++ b/teleport-cluster/templates/auth/config.yaml @@ -139,6 +139,22 @@ data: - read - update - delete + - resources: + - bot + verbs: + - list + - create + - read + - update + - delete + - resources: + - workload_identity + verbs: + - list + - create + - read + - update + - delete deny: {} version: v7 --- diff --git a/teleport-cluster/templates/auth/deployment.yaml b/teleport-cluster/templates/auth/deployment.yaml index aee44b6..5f03f38 100644 --- a/teleport-cluster/templates/auth/deployment.yaml +++ b/teleport-cluster/templates/auth/deployment.yaml @@ -1,6 +1,7 @@ {{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}} {{- $replicated := gt (int $auth.highAvailability.replicaCount) 1 -}} {{- $projectedServiceAccountToken := semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} +{{- $topologySpreadConstraints := and (semverCompare ">=1.18.0-0" .Capabilities.KubeVersion.Version) (not $auth.disableTopologySpreadConstraints) }} apiVersion: apps/v1 kind: Deployment metadata: @@ -55,6 +56,23 @@ spec: spec: {{- if $auth.nodeSelector }} nodeSelector: {{- toYaml $auth.nodeSelector | nindent 8 }} +{{- end }} +{{- if $topologySpreadConstraints }} + {{- if $auth.topologySpreadConstraints }} + topologySpreadConstraints: {{- toYaml $auth.topologySpreadConstraints | nindent 8 }} + {{- else }} + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: {{- include "teleport-cluster.auth.selectorLabels" . | nindent 14 }} + - maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: {{- include "teleport-cluster.auth.selectorLabels" . | nindent 14 }} + {{- end }} {{- end }} affinity: {{- if $auth.affinity }} 
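Review bot: The two new rules give the operator's Teleport role create/update/delete over `bot` (which the new botsv1 CRD describes as a principal that impersonates roles) and `workload_identity` (which the new workloadidentitiesv1 CRD describes as SPIFFE credential issuance), and together with the operator Role hunk in templates/role.yaml that adds `teleportbotsv1` and `teleportworkloadidentitiesv1` plus their `/status` subresources, Kubernetes write access to those two CRDs in the release namespace now amounts to holding those Teleport privileges. Nothing in the hunk records that trade-off for whoever tunes the chart's RBAC later, so I would add a template comment above the first new rule, which renders to nothing in the ConfigMap: `{{- /* bot and workload_identity: anyone who can create TeleportBotV1 / TeleportWorkloadIdentityV1 objects in this namespace can mint these identities through the operator; scope Kubernetes RBAC on those CRDs accordingly. */ -}}`. The enclosing role's `allow.rules` list starts before the hunk, and the verbs list in the role.yaml hunk continues past its last visible line.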
@@ -177,15 +195,16 @@ spec: initialDelaySeconds: 5 # wait 5s for agent to start periodSeconds: 5 # poll health every 5s failureThreshold: 6 # consider agent unhealthy after 30s (6 * 5s) - timeoutSeconds: {{ .Values.probeTimeoutSeconds }} + timeoutSeconds: {{ $auth.probeTimeoutSeconds }} readinessProbe: httpGet: path: /readyz port: diag - initialDelaySeconds: 5 # wait 5s for agent to register - periodSeconds: 5 # poll health every 5s - failureThreshold: 12 # consider agent unhealthy after 60s (12 * 5s) - timeoutSeconds: {{ .Values.probeTimeoutSeconds }} + initialDelaySeconds: {{ $auth.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ $auth.readinessProbe.periodSeconds }} + failureThreshold: {{$auth.readinessProbe.failureThreshold}} + successThreshold: {{$auth.readinessProbe.successThreshold}} + timeoutSeconds: {{ $auth.probeTimeoutSeconds }} lifecycle: # waiting during preStop ensures no new request will hit the Terminating pod # on clusters using kube-proxy (kube-proxy syncs the node iptables rules every 30s) diff --git a/teleport-cluster/templates/proxy/deployment.yaml b/teleport-cluster/templates/proxy/deployment.yaml index 79bcd9c..0fd3e03 100644 --- a/teleport-cluster/templates/proxy/deployment.yaml +++ b/teleport-cluster/templates/proxy/deployment.yaml 
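Review bot: `failureThreshold: {{$auth.readinessProbe.failureThreshold}}` and `successThreshold: {{$auth.readinessProbe.successThreshold}}` omit the spaces inside the action delimiters that every neighbouring action in this hunk uses (`{{ $auth.probeTimeoutSeconds }}`), and the same two lines recur in the proxy deployment readiness-probe hunk. Writing them as `failureThreshold: {{ $auth.readinessProbe.failureThreshold }}` and `successThreshold: {{ $auth.readinessProbe.successThreshold }}` keeps both templates consistent. The removed lines also carried the rationale for the previous defaults (`wait 5s for agent to register`, `consider agent unhealthy after 60s (12 * 5s)`), and nothing left in the template says where the new values come from; values.yaml is changed by this commit but not visible here, so if it does not document them, a comment above `readinessProbe:` such as `# thresholds are taken from auth.readinessProbe (falls back to top-level readinessProbe)` would preserve that context. The container spec this probe belongs to starts before the hunk and continues after it.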
@@ -1,6 +1,7 @@ {{- $proxy := mustMergeOverwrite (mustDeepCopy .Values) .Values.proxy -}} {{- $replicable := or $proxy.highAvailability.certManager.enabled $proxy.tls.existingSecretName $proxy.ingress.enabled -}} {{- $projectedServiceAccountToken := semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} +{{- $topologySpreadConstraints := and (semverCompare ">=1.18.0-0" .Capabilities.KubeVersion.Version) (not $proxy.disableTopologySpreadConstraints) }} # Deployment is {{ if not $replicable }}not {{end}}replicable {{- if and $proxy.highAvailability.certManager.enabled $proxy.tls.existingSecretName }} {{- fail "Cannot set both highAvailability.certManager.enabled and tls.existingSecretName, choose one or the other" }} @@ -61,6 +62,23 @@ spec: spec: {{- if $proxy.nodeSelector }} nodeSelector: {{- toYaml $proxy.nodeSelector | nindent 8 }} +{{- end }} +{{- if $topologySpreadConstraints }} + {{- if $proxy.topologySpreadConstraints }} + topologySpreadConstraints: {{- toYaml $proxy.topologySpreadConstraints | nindent 8 }} + {{- else }} + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: {{- include "teleport-cluster.proxy.selectorLabels" . | nindent 14 }} + - maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: {{- include "teleport-cluster.proxy.selectorLabels" . | nindent 14 }} + {{- end }} {{- end }} affinity: {{- if $proxy.affinity }} 
@@ -224,9 +242,10 @@ spec: httpGet: path: /readyz port: diag - initialDelaySeconds: 5 # wait 5s for agent to register - periodSeconds: 5 # poll health every 5s - failureThreshold: 12 # consider agent unhealthy after 60s (12 * 5s) + initialDelaySeconds: {{ $proxy.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ $proxy.readinessProbe.periodSeconds }} + failureThreshold: {{$proxy.readinessProbe.failureThreshold}} + successThreshold: {{$proxy.readinessProbe.successThreshold}} timeoutSeconds: {{ $proxy.probeTimeoutSeconds }} lifecycle: # waiting during preStop ensures no new request will hit the Terminating pod diff --git a/teleport-cluster/tests/__snapshot__/auth_clusterrole_test.yaml.snap b/teleport-cluster/tests/__snapshot__/auth_clusterrole_test.yaml.snap index e9c9f47..2e1442a 100644 --- a/teleport-cluster/tests/__snapshot__/auth_clusterrole_test.yaml.snap +++ b/teleport-cluster/tests/__snapshot__/auth_clusterrole_test.yaml.snap @@ -8,8 +8,8 @@ adds operator permissions to ClusterRole: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: teleport-cluster - app.kubernetes.io/version: 17.2.7 - helm.sh/chart: teleport-cluster-17.2.7 + app.kubernetes.io/version: 17.4.9 + helm.sh/chart: teleport-cluster-17.4.9 teleport.dev/majorVersion: "17" name: RELEASE-NAME rules: diff --git a/teleport-cluster/tests/__snapshot__/auth_config_test.yaml.snap b/teleport-cluster/tests/__snapshot__/auth_config_test.yaml.snap index 2c775df..f95406d 100644 --- a/teleport-cluster/tests/__snapshot__/auth_config_test.yaml.snap +++ b/teleport-cluster/tests/__snapshot__/auth_config_test.yaml.snap @@ -24,7 +24,9 @@ configures access monitoring when its values are set: workgroup: example_access_monitoring_workgroup authentication: local_auth: true - second_factor: "on" + second_factors: + - otp + - webauthn type: local webauthn: rp_id: test-aws-cluster 
@@ -101,7 +103,9 @@ keeps the session_recording type even when it's "off": auth_service: authentication: local_auth: true - second_factor: "on" + second_factors: + - otp + - webauthn type: local webauthn: rp_id: helm-lint @@ -137,7 +141,9 @@ matches snapshot for acme-off.yaml: auth_service: authentication: local_auth: true - second_factor: "on" + second_factors: + - otp + - webauthn type: local webauthn: rp_id: test-cluster-name @@ -172,7 +178,9 @@ matches snapshot for acme-on.yaml: auth_service: authentication: local_auth: true - second_factor: "on" + second_factors: + - otp + - webauthn type: local webauthn: rp_id: test-acme-cluster @@ -207,7 +215,9 @@ matches snapshot for acme-uri-staging.yaml: auth_service: authentication: local_auth: true - second_factor: "on" + second_factors: + - otp + - webauthn type: local webauthn: rp_id: test-acme-cluster @@ -243,7 +253,9 @@ matches snapshot for auth-connector-name.yaml: authentication: connector_name: okta local_auth: true - second_factor: "on" + second_factors: + - otp + - webauthn type: local webauthn: rp_id: helm-lint @@ -312,7 +324,9 @@ matches snapshot for auth-locking-mode.yaml: authentication: local_auth: true locking_mode: strict - second_factor: "on" + second_factors: + - otp + - webauthn type: local webauthn: rp_id: helm-lint 
@@ -377,13 +391,90 @@ matches snapshot for auth-passwordless.yaml: output: stderr severity: INFO version: v3 +matches snapshot for auth-secondfactors-sso.yaml: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factors: + - sso + type: local + cluster_name: helm-lint + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: helm-lint + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 +matches snapshot for auth-secondfactors-webauthn.yaml: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factors: + - sso + - webauthn + type: local + webauthn: + attestation_allowed_cas: + - /etc/ssl/certs/ca-certificates.crt + attestation_denied_cas: + - /etc/ssl/certs/ca-certificates.crt + rp_id: helm-lint + cluster_name: helm-lint + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: helm-lint + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 matches snapshot for auth-type-legacy.yaml: 1: | |- auth_service: authentication: local_auth: true - second_factor: "on" + second_factors: + - otp + - webauthn type: github webauthn: rp_id: helm-lint @@ -418,7 +509,9 @@ matches snapshot for auth-type.yaml: auth_service: authentication: local_auth: true - second_factor: "on" + second_factors: + - otp + - webauthn type: github webauthn: rp_id: helm-lint 
@@ -531,7 +624,9 @@ matches snapshot for aws-dynamodb-autoscaling.yaml: auth_service: authentication: local_auth: true - second_factor: "on" + second_factors: + - otp + - webauthn type: local webauthn: rp_id: test-aws-cluster @@ -582,7 +677,9 @@ matches snapshot for aws-ha-acme.yaml: auth_service: authentication: local_auth: true - second_factor: "on" + second_factors: + - otp + - webauthn type: local webauthn: rp_id: test-aws-cluster @@ -628,7 +725,9 @@ matches snapshot for aws-ha-antiaffinity.yaml: auth_service: authentication: local_auth: true - second_factor: "on" + second_factors: + - otp + - webauthn type: local webauthn: rp_id: test-aws-cluster @@ -674,7 +773,9 @@ matches snapshot for aws-ha-log.yaml: auth_service: authentication: local_auth: true - second_factor: "on" + second_factors: + - otp + - webauthn type: local webauthn: rp_id: test-aws-cluster @@ -721,7 +822,9 @@ matches snapshot for aws-ha.yaml: auth_service: authentication: local_auth: true - second_factor: "on" + second_factors: + - otp + - webauthn type: local webauthn: rp_id: test-aws-cluster @@ -767,7 +870,9 @@ matches snapshot for aws.yaml: auth_service: authentication: local_auth: true - second_factor: "on" + second_factors: + - otp + - webauthn type: local webauthn: rp_id: test-aws-cluster @@ -813,7 +918,9 @@ matches snapshot for azure.yaml: auth_service: authentication: local_auth: true - second_factor: "on" + second_factors: + - otp + - webauthn type: local webauthn: rp_id: test-azure-cluster @@ -856,7 +963,9 @@ matches snapshot for azure.yaml without pool_max_conn: auth_service: authentication: local_auth: true - second_factor: "on" + second_factors: + - otp + - webauthn type: local webauthn: rp_id: test-azure-cluster @@ -899,7 +1008,9 @@ matches snapshot for existing-tls-secret-with-ca.yaml: auth_service: authentication: local_auth: true - second_factor: "on" + second_factors: + - otp + - webauthn type: local webauthn: rp_id: test-cluster-name 
@@ -934,7 +1045,9 @@ matches snapshot for existing-tls-secret.yaml: auth_service: authentication: local_auth: true - second_factor: "on" + second_factors: + - otp + - webauthn type: local webauthn: rp_id: test-cluster-name @@ -969,7 +1082,9 @@ matches snapshot for gcp-ha-acme.yaml: auth_service: authentication: local_auth: true - second_factor: "on" + second_factors: + - otp + - webauthn type: local webauthn: rp_id: test-gcp-cluster @@ -1014,7 +1129,9 @@ matches snapshot for gcp-ha-antiaffinity.yaml: auth_service: authentication: local_auth: true - second_factor: "on" + second_factors: + - otp + - webauthn type: local webauthn: rp_id: test-gcp-cluster @@ -1059,7 +1176,9 @@ matches snapshot for gcp-ha-log.yaml: auth_service: authentication: local_auth: true - second_factor: "on" + second_factors: + - otp + - webauthn type: local webauthn: rp_id: test-gcp-cluster @@ -1105,7 +1224,9 @@ matches snapshot for gcp.yaml: auth_service: authentication: local_auth: true - second_factor: "on" + second_factors: + - otp + - webauthn type: local webauthn: rp_id: test-gcp-cluster @@ -1150,7 +1271,9 @@ matches snapshot for initcontainers.yaml: auth_service: authentication: local_auth: true - second_factor: "on" + second_factors: + - otp + - webauthn type: local webauthn: rp_id: helm-lint @@ -1185,7 +1308,9 @@ matches snapshot for kube-cluster-name.yaml: auth_service: authentication: local_auth: true - second_factor: "on" + second_factors: + - otp + - webauthn type: local webauthn: rp_id: test-aws-cluster @@ -1220,7 +1345,9 @@ matches snapshot for log-basic.yaml: auth_service: authentication: local_auth: true - second_factor: "on" + second_factors: + - otp + - webauthn type: local webauthn: rp_id: test-log-cluster @@ -1255,7 +1382,9 @@ matches snapshot for log-extra.yaml: auth_service: authentication: local_auth: true - second_factor: "on" + second_factors: + - otp + - webauthn type: local webauthn: rp_id: test-log-cluster 
@@ -1290,7 +1419,9 @@ matches snapshot for log-legacy.yaml: auth_service: authentication: local_auth: true - second_factor: "on" + second_factors: + - otp + - webauthn type: local webauthn: rp_id: test-log-cluster @@ -1325,7 +1456,9 @@ matches snapshot for priority-class-name.yaml: auth_service: authentication: local_auth: true - second_factor: "on" + second_factors: + - otp + - webauthn type: local webauthn: rp_id: helm-lint @@ -1360,7 +1493,9 @@ matches snapshot for proxy-listener-mode-multiplex.yaml: auth_service: authentication: local_auth: true - second_factor: "on" + second_factors: + - otp + - webauthn type: local webauthn: rp_id: test-proxy-listener-mode @@ -1395,7 +1530,9 @@ matches snapshot for proxy-listener-mode-separate.yaml: auth_service: authentication: local_auth: true - second_factor: "on" + second_factors: + - otp + - webauthn type: local webauthn: rp_id: test-proxy-listener-mode @@ -1430,7 +1567,9 @@ matches snapshot for public-addresses.yaml: auth_service: authentication: local_auth: true - second_factor: "on" + second_factors: + - otp + - webauthn type: local webauthn: rp_id: helm-lint @@ -1465,7 +1604,9 @@ matches snapshot for separate-mongo-listener.yaml: auth_service: authentication: local_auth: true - second_factor: "on" + second_factors: + - otp + - webauthn type: local webauthn: rp_id: helm-lint @@ -1500,7 +1641,9 @@ matches snapshot for separate-postgres-listener.yaml: auth_service: authentication: local_auth: true - second_factor: "on" + second_factors: + - otp + - webauthn type: local webauthn: rp_id: helm-lint @@ -1535,7 +1678,9 @@ matches snapshot for service.yaml: auth_service: authentication: local_auth: true - second_factor: "on" + second_factors: + - otp + - webauthn type: local webauthn: rp_id: helm-lint @@ -1570,7 +1715,9 @@ matches snapshot for session-recording.yaml: auth_service: authentication: local_auth: true - second_factor: "on" + second_factors: + - otp + - webauthn type: local webauthn: rp_id: helm-lint 
@@ -1606,7 +1753,9 @@ matches snapshot for standalone-customsize.yaml: auth_service: authentication: local_auth: true - second_factor: "on" + second_factors: + - otp + - webauthn type: local webauthn: rp_id: test-standalone-cluster @@ -1643,7 +1792,9 @@ matches snapshot for standalone-existingpvc.yaml: auth_service: authentication: local_auth: true - second_factor: "on" + second_factors: + - otp + - webauthn type: local webauthn: rp_id: test-standalone-cluster @@ -1680,7 +1831,9 @@ matches snapshot for tolerations.yaml: auth_service: authentication: local_auth: true - second_factor: "on" + second_factors: + - otp + - webauthn type: local webauthn: rp_id: test-aws-cluster @@ -1724,7 +1877,9 @@ matches snapshot for version-override.yaml: auth_service: authentication: local_auth: true - second_factor: "on" + second_factors: + - otp + - webauthn type: local webauthn: rp_id: test-cluster-name @@ -1762,7 +1917,9 @@ matches snapshot for volumes.yaml: auth_service: authentication: local_auth: true - second_factor: "on" + second_factors: + - otp + - webauthn type: local webauthn: rp_id: helm-lint @@ -1791,6 +1948,39 @@ matches snapshot for volumes.yaml: output: stderr severity: INFO version: v3 +matches snapshot when both secondFactor and secondFactors are set.: + 1: | + |- + auth_service: + authentication: + local_auth: true + second_factor: "off" + type: local + cluster_name: helm-lint + enabled: true + proxy_listener_mode: separate + kubernetes_service: + enabled: true + kube_cluster_name: helm-lint + listen_addr: 0.0.0.0:3026 + public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026 + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + auth_server: 127.0.0.1:3025 + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 sets clusterDomain on Configmap: 1: | apiVersion: v1 
@@ -1812,7 +2002,9 @@ sets clusterDomain on Configmap: auth_service: authentication: local_auth: true - second_factor: "on" + second_factors: + - otp + - webauthn type: local webauthn: rp_id: teleport.example.com @@ -1848,8 +2040,8 @@ sets clusterDomain on Configmap: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: teleport-cluster - app.kubernetes.io/version: 17.2.7 - helm.sh/chart: teleport-cluster-17.2.7 + app.kubernetes.io/version: 17.4.9 + helm.sh/chart: teleport-cluster-17.4.9 teleport.dev/majorVersion: "17" name: RELEASE-NAME-auth namespace: NAMESPACE @@ -1859,7 +2051,9 @@ uses athena as primary backend when configured: auth_service: authentication: local_auth: true - second_factor: "on" + second_factors: + - otp + - webauthn type: local webauthn: rp_id: teleport.example.com @@ -1904,7 +2098,9 @@ uses athena, dynamo, and stdout when everything is on: auth_service: authentication: local_auth: true - second_factor: "on" + second_factors: + - otp + - webauthn type: local webauthn: rp_id: teleport.example.com @@ -1950,7 +2146,9 @@ uses dynamo as primary backend when configured: auth_service: authentication: local_auth: true - second_factor: "on" + second_factors: + - otp + - webauthn type: local webauthn: rp_id: teleport.example.com diff --git a/teleport-cluster/tests/__snapshot__/auth_deployment_test.yaml.snap b/teleport-cluster/tests/__snapshot__/auth_deployment_test.yaml.snap index 8cd89fa..b794f09 100644 --- a/teleport-cluster/tests/__snapshot__/auth_deployment_test.yaml.snap +++ b/teleport-cluster/tests/__snapshot__/auth_deployment_test.yaml.snap @@ -8,7 +8,7 @@ - args: - --diag-addr=0.0.0.0:3000 - --apply-on-startup=/etc/teleport/apply-on-startup.yaml - image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 + image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 imagePullPolicy: IfNotPresent lifecycle: preStop: 
@@ -25,7 +25,7 @@ port: diag initialDelaySeconds: 5 periodSeconds: 5 - timeoutSeconds: 1 + timeoutSeconds: 5 name: teleport ports: - containerPort: 3000 @@ -44,7 +44,8 @@ port: diag initialDelaySeconds: 5 periodSeconds: 5 - timeoutSeconds: 1 + successThreshold: 1 + timeoutSeconds: 5 volumeMounts: - mountPath: /etc/teleport name: config @@ -56,6 +57,23 @@ readOnly: true serviceAccountName: RELEASE-NAME terminationGracePeriodSeconds: 60 + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/component: auth + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + - labelSelector: + matchLabels: + app.kubernetes.io/component: auth + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway volumes: - name: auth-serviceaccount-token projected: @@ -141,7 +159,7 @@ should set nodeSelector when set in values: - args: - --diag-addr=0.0.0.0:3000 - --apply-on-startup=/etc/teleport/apply-on-startup.yaml - image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 + image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -158,7 +176,7 @@ should set nodeSelector when set in values: port: diag initialDelaySeconds: 5 periodSeconds: 5 - timeoutSeconds: 1 + timeoutSeconds: 5 name: teleport ports: - containerPort: 3000 @@ -177,7 +195,8 @@ should set nodeSelector when set in values: port: diag initialDelaySeconds: 5 periodSeconds: 5 - timeoutSeconds: 1 + successThreshold: 1 + timeoutSeconds: 5 volumeMounts: - mountPath: /etc/teleport name: config 
@@ -192,6 +211,23 @@ should set nodeSelector when set in values: role: bastion serviceAccountName: RELEASE-NAME terminationGracePeriodSeconds: 60 + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/component: auth + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + - labelSelector: + matchLabels: + app.kubernetes.io/component: auth + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway volumes: - name: auth-serviceaccount-token projected: @@ -238,7 +274,7 @@ should set resources when set in values: - args: - --diag-addr=0.0.0.0:3000 - --apply-on-startup=/etc/teleport/apply-on-startup.yaml - image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 + image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -255,7 +291,7 @@ should set resources when set in values: port: diag initialDelaySeconds: 5 periodSeconds: 5 - timeoutSeconds: 1 + timeoutSeconds: 5 name: teleport ports: - containerPort: 3000 @@ -274,7 +310,8 @@ should set resources when set in values: port: diag initialDelaySeconds: 5 periodSeconds: 5 - timeoutSeconds: 1 + successThreshold: 1 + timeoutSeconds: 5 resources: limits: cpu: 2 
@@ -293,6 +330,23 @@ should set resources when set in values: readOnly: true serviceAccountName: RELEASE-NAME terminationGracePeriodSeconds: 60 + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/component: auth + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + - labelSelector: + matchLabels: + app.kubernetes.io/component: auth + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway volumes: - name: auth-serviceaccount-token projected: @@ -324,7 +378,7 @@ should set securityContext when set in values: - args: - --diag-addr=0.0.0.0:3000 - --apply-on-startup=/etc/teleport/apply-on-startup.yaml - image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 + image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -341,7 +395,7 @@ should set securityContext when set in values: port: diag initialDelaySeconds: 5 periodSeconds: 5 - timeoutSeconds: 1 + timeoutSeconds: 5 name: teleport ports: - containerPort: 3000 @@ -360,7 +414,8 @@ should set securityContext when set in values: port: diag initialDelaySeconds: 5 periodSeconds: 5 - timeoutSeconds: 1 + successThreshold: 1 + timeoutSeconds: 5 securityContext: allowPrivilegeEscalation: false privileged: false 
@@ -379,6 +434,23 @@ should set securityContext when set in values: readOnly: true serviceAccountName: RELEASE-NAME terminationGracePeriodSeconds: 60 + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/component: auth + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + - labelSelector: + matchLabels: + app.kubernetes.io/component: auth + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway volumes: - name: auth-serviceaccount-token projected: @@ -437,7 +509,7 @@ should use OSS image and not mount license when enterprise is not set in values: port: diag initialDelaySeconds: 5 periodSeconds: 5 - timeoutSeconds: 1 + timeoutSeconds: 5 name: teleport ports: - containerPort: 3000 @@ -456,7 +528,8 @@ should use OSS image and not mount license when enterprise is not set in values: port: diag initialDelaySeconds: 5 periodSeconds: 5 - timeoutSeconds: 1 + successThreshold: 1 + timeoutSeconds: 5 volumeMounts: - mountPath: /etc/teleport name: config @@ -468,6 +541,23 @@ should use OSS image and not mount license when enterprise is not set in values: readOnly: true serviceAccountName: RELEASE-NAME terminationGracePeriodSeconds: 60 + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/component: auth + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + - labelSelector: + matchLabels: + app.kubernetes.io/component: auth + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway volumes: - name: auth-serviceaccount-token projected: 
diff --git a/teleport-cluster/tests/__snapshot__/proxy_config_test.yaml.snap b/teleport-cluster/tests/__snapshot__/proxy_config_test.yaml.snap index 0e62a2a..ea0f9a9 100644 --- a/teleport-cluster/tests/__snapshot__/proxy_config_test.yaml.snap +++ b/teleport-cluster/tests/__snapshot__/proxy_config_test.yaml.snap @@ -567,8 +567,8 @@ sets clusterDomain on Configmap: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: teleport-cluster - app.kubernetes.io/version: 17.2.7 - helm.sh/chart: teleport-cluster-17.2.7 + app.kubernetes.io/version: 17.4.9 + helm.sh/chart: teleport-cluster-17.4.9 teleport.dev/majorVersion: "17" name: RELEASE-NAME-proxy namespace: NAMESPACE diff --git a/teleport-cluster/tests/__snapshot__/proxy_deployment_test.yaml.snap b/teleport-cluster/tests/__snapshot__/proxy_deployment_test.yaml.snap index 845b369..26c8cfa 100644 --- a/teleport-cluster/tests/__snapshot__/proxy_deployment_test.yaml.snap +++ b/teleport-cluster/tests/__snapshot__/proxy_deployment_test.yaml.snap @@ -11,8 +11,8 @@ sets clusterDomain on Deployment Pods: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: teleport-cluster - app.kubernetes.io/version: 17.2.7 - helm.sh/chart: teleport-cluster-17.2.7 + app.kubernetes.io/version: 17.4.9 + helm.sh/chart: teleport-cluster-17.4.9 teleport.dev/majorVersion: "17" name: RELEASE-NAME-proxy namespace: NAMESPACE @@ -26,7 +26,7 @@ sets clusterDomain on Deployment Pods: template: metadata: annotations: - checksum/config: 788cc751f0c48b48415714a674bdb771ba9a079091aa0bbe737447df2f94ec58 + checksum/config: da6155f69a526a5b92d4fa09d4b6658536bfab0d3e5435e2e898b77c1a30dbff kubernetes.io/pod: test-annotation kubernetes.io/pod-different: 4 labels: 
@@ -34,8 +34,8 @@ sets clusterDomain on Deployment Pods: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: teleport-cluster - app.kubernetes.io/version: 17.2.7 - helm.sh/chart: teleport-cluster-17.2.7 + app.kubernetes.io/version: 17.4.9 + helm.sh/chart: teleport-cluster-17.4.9 teleport.dev/majorVersion: "17" spec: affinity: @@ -44,7 +44,7 @@ sets clusterDomain on Deployment Pods: containers: - args: - --diag-addr=0.0.0.0:3000 - image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 + image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -61,7 +61,7 @@ sets clusterDomain on Deployment Pods: port: diag initialDelaySeconds: 5 periodSeconds: 5 - timeoutSeconds: 1 + timeoutSeconds: 5 name: teleport ports: - containerPort: 3080 @@ -89,7 +89,8 @@ sets clusterDomain on Deployment Pods: port: diag initialDelaySeconds: 5 periodSeconds: 5 - timeoutSeconds: 1 + successThreshold: 1 + timeoutSeconds: 5 volumeMounts: - mountPath: /etc/teleport name: config 
@@ -105,10 +106,27 @@ sets clusterDomain on Deployment Pods: - wait - no-resolve - RELEASE-NAME-auth-v16.NAMESPACE.svc.test.com - image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 + image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 name: wait-auth-update serviceAccountName: RELEASE-NAME-proxy terminationGracePeriodSeconds: 60 + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/component: proxy + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + - labelSelector: + matchLabels: + app.kubernetes.io/component: proxy + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway volumes: - name: proxy-serviceaccount-token projected: @@ -137,7 +155,7 @@ should provision initContainer correctly when set in values: - wait - no-resolve - RELEASE-NAME-auth-v16.NAMESPACE.svc.cluster.local - image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 + image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 name: wait-auth-update resources: limits: @@ -201,7 +219,7 @@ should set nodeSelector when set in values: containers: - args: - --diag-addr=0.0.0.0:3000 - image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 + image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -218,7 +236,7 @@ should set nodeSelector when set in values: port: diag initialDelaySeconds: 5 periodSeconds: 5 - timeoutSeconds: 1 + timeoutSeconds: 5 name: teleport ports: - containerPort: 3080 @@ -246,7 +264,8 @@ should set nodeSelector when set in values: port: diag initialDelaySeconds: 5 periodSeconds: 5 - timeoutSeconds: 1 + successThreshold: 1 + timeoutSeconds: 5 volumeMounts: - mountPath: /etc/teleport name: config 
@@ -262,13 +281,30 @@ should set nodeSelector when set in values: - wait - no-resolve - RELEASE-NAME-auth-v16.NAMESPACE.svc.cluster.local - image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 + image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 name: wait-auth-update nodeSelector: environment: security role: bastion serviceAccountName: RELEASE-NAME-proxy terminationGracePeriodSeconds: 60 + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/component: proxy + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + - labelSelector: + matchLabels: + app.kubernetes.io/component: proxy + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway volumes: - name: proxy-serviceaccount-token projected: @@ -313,7 +349,7 @@ should set resources for wait-auth-update initContainer when set in values: containers: - args: - --diag-addr=0.0.0.0:3000 - image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 + image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -330,7 +366,7 @@ should set resources for wait-auth-update initContainer when set in values: port: diag initialDelaySeconds: 5 periodSeconds: 5 - timeoutSeconds: 1 + timeoutSeconds: 5 name: teleport ports: - containerPort: 3080 @@ -358,7 +394,8 @@ should set resources for wait-auth-update initContainer when set in values: port: diag initialDelaySeconds: 5 periodSeconds: 5 - timeoutSeconds: 1 + successThreshold: 1 + timeoutSeconds: 5 resources: limits: cpu: 2 
@@ -381,7 +418,7 @@ should set resources for wait-auth-update initContainer when set in values: - wait - no-resolve - RELEASE-NAME-auth-v16.NAMESPACE.svc.cluster.local - image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 + image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 name: wait-auth-update resources: limits: @@ -392,6 +429,23 @@ should set resources for wait-auth-update initContainer when set in values: memory: 256Mi serviceAccountName: RELEASE-NAME-proxy terminationGracePeriodSeconds: 60 + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/component: proxy + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + - labelSelector: + matchLabels: + app.kubernetes.io/component: proxy + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway volumes: - name: proxy-serviceaccount-token projected: @@ -421,7 +475,7 @@ should set resources when set in values: containers: - args: - --diag-addr=0.0.0.0:3000 - image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 + image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -438,7 +492,7 @@ should set resources when set in values: port: diag initialDelaySeconds: 5 periodSeconds: 5 - timeoutSeconds: 1 + timeoutSeconds: 5 name: teleport ports: - containerPort: 3080 @@ -466,7 +520,8 @@ should set resources when set in values: port: diag initialDelaySeconds: 5 periodSeconds: 5 - timeoutSeconds: 1 + successThreshold: 1 + timeoutSeconds: 5 resources: limits: cpu: 2 
@@ -489,7 +544,7 @@ should set resources when set in values: - wait - no-resolve - RELEASE-NAME-auth-v16.NAMESPACE.svc.cluster.local - image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 + image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 name: wait-auth-update resources: limits: @@ -500,6 +555,23 @@ should set resources when set in values: memory: 256Mi serviceAccountName: RELEASE-NAME-proxy terminationGracePeriodSeconds: 60 + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/component: proxy + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + - labelSelector: + matchLabels: + app.kubernetes.io/component: proxy + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway volumes: - name: proxy-serviceaccount-token projected: @@ -529,7 +601,7 @@ should set securityContext for initContainers when set in values: containers: - args: - --diag-addr=0.0.0.0:3000 - image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 + image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -546,7 +618,7 @@ should set securityContext for initContainers when set in values: port: diag initialDelaySeconds: 5 periodSeconds: 5 - timeoutSeconds: 1 + timeoutSeconds: 5 name: teleport ports: - containerPort: 3080 @@ -574,7 +646,8 @@ should set securityContext for initContainers when set in values: port: diag initialDelaySeconds: 5 periodSeconds: 5 - timeoutSeconds: 1 + successThreshold: 1 + timeoutSeconds: 5 securityContext: allowPrivilegeEscalation: false privileged: false 
@@ -597,7 +670,7 @@ should set securityContext for initContainers when set in values: - wait - no-resolve - RELEASE-NAME-auth-v16.NAMESPACE.svc.cluster.local - image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 + image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 name: wait-auth-update securityContext: allowPrivilegeEscalation: false @@ -608,6 +681,23 @@ should set securityContext for initContainers when set in values: runAsUser: 99 serviceAccountName: RELEASE-NAME-proxy terminationGracePeriodSeconds: 60 + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/component: proxy + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + - labelSelector: + matchLabels: + app.kubernetes.io/component: proxy + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway volumes: - name: proxy-serviceaccount-token projected: @@ -637,7 +727,7 @@ should set securityContext when set in values: containers: - args: - --diag-addr=0.0.0.0:3000 - image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 + image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -654,7 +744,7 @@ should set securityContext when set in values: port: diag initialDelaySeconds: 5 periodSeconds: 5 - timeoutSeconds: 1 + timeoutSeconds: 5 name: teleport ports: - containerPort: 3080 @@ -682,7 +772,8 @@ should set securityContext when set in values: port: diag initialDelaySeconds: 5 periodSeconds: 5 - timeoutSeconds: 1 + successThreshold: 1 + timeoutSeconds: 5 securityContext: allowPrivilegeEscalation: false privileged: false 
@@ -705,7 +796,7 @@ should set securityContext when set in values: - wait - no-resolve - RELEASE-NAME-auth-v16.NAMESPACE.svc.cluster.local - image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 + image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 name: wait-auth-update securityContext: allowPrivilegeEscalation: false @@ -716,6 +807,23 @@ should set securityContext when set in values: runAsUser: 99 serviceAccountName: RELEASE-NAME-proxy terminationGracePeriodSeconds: 60 + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/component: proxy + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + - labelSelector: + matchLabels: + app.kubernetes.io/component: proxy + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway volumes: - name: proxy-serviceaccount-token projected: diff --git a/teleport-cluster/tests/auth_config_test.yaml b/teleport-cluster/tests/auth_config_test.yaml index f3fdd0b..2712745 100644 --- a/teleport-cluster/tests/auth_config_test.yaml +++ b/teleport-cluster/tests/auth_config_test.yaml 
@@ -697,4 +697,40 @@ tests: - matchSnapshot: {} - matchRegex: path: data.teleport\.yaml - pattern: 'svc.test.com:3026' \ No newline at end of file + pattern: 'svc.test.com:3026' + + - it: matches snapshot for auth-secondfactors-webauthn.yaml + values: + - ../.lint/auth-secondfactors-webauthn.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: + path: data.teleport\.yaml + + - it: matches snapshot for auth-secondfactors-sso.yaml + values: + - ../.lint/auth-secondfactors-sso.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: + path: data.teleport\.yaml + + - it: matches snapshot when both secondFactor and secondFactors are set. + set: + clusterName: helm-lint + authentication: + secondFactor: "off" + secondFactors: ["otp", "webauthn"] + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: + path: data.teleport\.yaml diff --git a/teleport-cluster/tests/auth_deployment_test.yaml b/teleport-cluster/tests/auth_deployment_test.yaml index 49946a9..0b36bd5 100644 --- a/teleport-cluster/tests/auth_deployment_test.yaml +++ b/teleport-cluster/tests/auth_deployment_test.yaml 
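Review bot: The third new test, `matches snapshot when both secondFactor and secondFactors are set.`, only snapshot-matches, so the precedence it is meant to pin — the snapshot this commit records keeps `second_factor: "off"` and drops `second_factors` entirely — is stated nowhere in the test itself, and a future snapshot refresh would silently accept the opposite outcome. Because the legacy key winning means a user who sets both keys ends up with MFA disabled, add explicit checks next to the snapshot in the style the file already uses, e.g. `- matchRegex: path: data.teleport\.yaml pattern: 'second_factor: "off"'` and `- notMatchRegex: path: data.teleport\.yaml pattern: 'second_factors'`; if the intent is instead to reject the combination, a `failedTemplate` assertion would document that. The trailing period in that `it:` name is also inconsistent with every other test name in the file.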
@@ -923,3 +923,101 @@ tests: - equal: path: spec.template.metadata.labels.baz value: overridden + + - it: sets readinessProbe values on Deployment Pods + template: auth/deployment.yaml + set: + clusterName: helm-lint + readinessProbe: + initialDelaySeconds: 9 + periodSeconds: 10 + failureThreshold: 11 + successThreshold: 12 + auth: + # we test an auth-specific override + readinessProbe: + initialDelaySeconds: 13 + asserts: + - equal: + path: spec.template.spec.containers[0].readinessProbe.periodSeconds + value: 10 + - equal: + path: spec.template.spec.containers[0].readinessProbe.failureThreshold + value: 11 + - equal: + path: spec.template.spec.containers[0].readinessProbe.successThreshold + value: 12 + - equal: + path: spec.template.spec.containers[0].readinessProbe.initialDelaySeconds + value: 13 + + - it: sets topology spread constraints by default + template: auth/deployment.yaml + set: + clusterName: helm-lint + asserts: + - equal: + path: spec.template.spec.topologySpreadConstraints + value: + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app.kubernetes.io/component: auth + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + - maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app.kubernetes.io/component: auth + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + + - it: removes topology spread constraints when disabled + template: auth/deployment.yaml + set: + clusterName: helm-lint + disableTopologySpreadConstraints: true + asserts: + - isEmpty: + path: spec.template.spec.topologySpreadConstraints + + - it: removes topology spread constraints when running on antique kubernetes + template: auth/deployment.yaml + set: + clusterName: helm-lint + capabilities: + majorVersion: 1 + minorVersion: 17 + asserts: + - isEmpty: + path: 
spec.template.spec.topologySpreadConstraints + + - it: uses custom topology spread constraints when set + template: auth/deployment.yaml + set: + clusterName: helm-lint + topologySpreadConstraints: + - maxSkew: 2 + topologyKey: foobar + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app: baz + # helm unit-test has a bug where capabilities are not reset between tests, we must set back to 1.18 after the 1.17 test. + capabilities: + majorVersion: 1 + minorVersion: 18 + asserts: + - equal: + path: spec.template.spec.topologySpreadConstraints + value: + - maxSkew: 2 + topologyKey: foobar + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app: baz diff --git a/teleport-cluster/tests/proxy_deployment_test.yaml b/teleport-cluster/tests/proxy_deployment_test.yaml index 8b10f19..3be38c7 100644 --- a/teleport-cluster/tests/proxy_deployment_test.yaml +++ b/teleport-cluster/tests/proxy_deployment_test.yaml 
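Review bot: The reset of `capabilities` to 1.18 lives in a different test (`uses custom topology spread constraints when set`, the last one in this hunk) than the 1.17 test that changes it, so any test added or reordered between them runs against the leaked 1.17 capability and its topology assertions would fail, or an `isEmpty` check would pass for the wrong reason. Set `capabilities: {majorVersion: 1, minorVersion: 18}` explicitly in every test that asserts on `spec.template.spec.topologySpreadConstraints`, or move the 1.17 test last, instead of relying on the comment; the proxy_deployment_test.yaml hunk below has the same pattern. The readinessProbe test also leaves `timeoutSeconds` unasserted even though this commit changes `probeTimeoutSeconds` from 1 to 5 in values.yaml, so the new default's effect on the rendered probe is untested here (the template itself is outside this chunk). The `tests:` list continues outside the hunk.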
@@ -1041,4 +1041,102 @@ tests: - matchSnapshot: {} - matchRegex: path: spec.template.spec.initContainers[0].command[3] - pattern: ".svc.test.com$" \ No newline at end of file + pattern: ".svc.test.com$" + + - it: sets readinessProbe values on Deployment Pods + template: proxy/deployment.yaml + set: + clusterName: helm-lint + readinessProbe: + initialDelaySeconds: 9 + periodSeconds: 10 + failureThreshold: 11 + successThreshold: 12 + proxy: + # we test an auth-specific override + readinessProbe: + initialDelaySeconds: 13 + asserts: + - equal: + path: spec.template.spec.containers[0].readinessProbe.periodSeconds + value: 10 + - equal: + path: spec.template.spec.containers[0].readinessProbe.failureThreshold + value: 11 + - equal: + path: spec.template.spec.containers[0].readinessProbe.successThreshold + value: 12 + - equal: + path: spec.template.spec.containers[0].readinessProbe.initialDelaySeconds + value: 13 + + - it: sets topology spread constraints by default + template: proxy/deployment.yaml + set: + clusterName: helm-lint + asserts: + - equal: + path: spec.template.spec.topologySpreadConstraints + value: + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app.kubernetes.io/component: proxy + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + - maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app.kubernetes.io/component: proxy + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-cluster + + - it: removes topology spread constraints when disabled + template: proxy/deployment.yaml + set: + clusterName: helm-lint + disableTopologySpreadConstraints: true + asserts: + - isEmpty: + path: spec.template.spec.topologySpreadConstraints + + - it: removes topology spread constraints when running on antique kubernetes + template: proxy/deployment.yaml + set: + clusterName: 
helm-lint + capabilities: + majorVersion: 1 + minorVersion: 17 + asserts: + - isEmpty: + path: spec.template.spec.topologySpreadConstraints + + - it: uses custom topology spread constraints when set + template: proxy/deployment.yaml + set: + clusterName: helm-lint + topologySpreadConstraints: + - maxSkew: 2 + topologyKey: foobar + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app: baz + # helm unit-test has a bug where capabilities are not reset between tests, we must set back to 1.18 after the 1.17 test. + capabilities: + majorVersion: 1 + minorVersion: 18 + asserts: + - equal: + path: spec.template.spec.topologySpreadConstraints + value: + - maxSkew: 2 + topologyKey: foobar + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app: baz diff --git a/teleport-cluster/values.schema.json b/teleport-cluster/values.schema.json index 6e3796c..cadc25b 100644 --- a/teleport-cluster/values.schema.json +++ b/teleport-cluster/values.schema.json @@ -126,6 +126,19 @@ ], "default": "otp" }, + "secondFactors": { + "$id": "#/properties/authentication/properties/secondFactors", + "type": "array", + "items": { + "type": "string", + "enum": [ + "otp", + "sso", + "webauthn" + ] + }, + "default": [] + }, "webauthn": { "$id": "#/properties/authentication/properties/webauthn", "type": "object", diff --git a/teleport-cluster/values.yaml b/teleport-cluster/values.yaml index 071801a..25c0acf 100644 --- a/teleport-cluster/values.yaml +++ b/teleport-cluster/values.yaml 
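Review bot: The comment `# we test an auth-specific override` under `proxy:` in the readinessProbe test was carried over from the auth test; it should read `# we test a proxy-specific override`. The values.yaml hunk in this commit says this probe block exists to keep proxy pods ready while auth is unavailable, so a one-line comment on the test naming that intent would tie the two together. The `tests:` list continues outside the hunk.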
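Review bot: The new `secondFactors` schema entry declares `"default": []` while values.yaml in this same commit ships `secondFactors: ["otp", "webauthn"]`; the two defaults should agree, since tooling that reads the schema will otherwise advertise a no-second-factor default that the chart does not actually use. The array also accepts duplicates and an empty list; `"uniqueItems": true` would reject `["otp", "otp"]`, and whether `[]` is a valid way to turn second factors off depends on the template in `_config.common.tpl`, which is outside this chunk — if it is not, `"minItems": 1` would catch it at lint time rather than at auth startup. The enclosing `properties` object starts and ends outside the hunk.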
@@ -129,9 +129,11 @@ authentication:
 # See https://goteleport.com/docs/access-controls/guides/locking/#next-steps-locking-modes.
 lockingMode: ""
- # Second factor requirements for users of the Teleport cluster.
+ # DEPRECATED: Second factor requirements for users of the Teleport cluster.
 # Controls the `auth_config.authentication.second_factor` field in `teleport.yaml`.
 # Possible values are 'off', 'on', 'otp', 'optional' and 'webauthn'.
+ # This field is kept for backward compatibility purposes, you should use
+ # `secondFactors` instead.
 #
 # WARNING:
 # If you set `publicAddr` for users to access the cluster under a domain different
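Review bot: The DEPRECATED note on `secondFactor` does not say which value takes effect when both `secondFactor` and `secondFactors` are set, and the new test in auth_config_test.yaml covers exactly that combination, so operators will hit it. Add one line after `# `secondFactors` instead.`: `# If both are set, <STATE PRECEDENCE HERE> takes effect.`, filled in from the template's behaviour (in `templates/auth/_config.common.tpl`, outside this chunk). `for backward compatibility purposes, you should use` is a comma splice; `purposes; use` reads better.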
@@ -148,7 +150,29 @@ authentication:
 # "teleport.example.com", RP ID can be "teleport.example.com" or "example.com".
 #
 # Changing the RP ID will invalidate all already registered webauthn second factors.
- secondFactor: "on"
+ # secondFactor: ""
+
+ # Second factor requirements for users of the Teleport cluster.
+ # Controls the `auth_config.authentication.second_factors` field in `teleport.yaml`.
+ # This is a list whose possible item values are item values are 'otp', 'sso' and 'webauthn'.
+ # This should be preferred over `secondFactor`.
+ #
+ # WARNING:
+ # If you set `publicAddr` for users to access the cluster under a domain different
+ # to clusterName you must manually set the webauthn Relying
+ # Party Identifier (RP ID) - https://www.w3.org/TR/webauthn-2/#relying-party-identifier
+ # If you don't, RP ID will default to `clusterName` and users will fail
+ # to register second factors.
+ #
+ # You can do this by setting the value
+ # `auth.teleportConfig.auth_service.authentication.webauthn.rp_id`.
+ #
+ # RP ID must be both a valid domain, and part of the full domain users are connecting to.
+ # For example, if users are accessing the cluster with the domain
+ # "teleport.example.com", RP ID can be "teleport.example.com" or "example.com".
+ #
+ # Changing the RP ID will invalidate all already registered webauthn second factors.
+ secondFactors: ["otp", "webauthn"]
 # (Optional) When using webauthn this allows to restrict which vendor and key models can be used.
 # webauthn:
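Review bot: `# This is a list whose possible item values are item values are 'otp', 'sso' and 'webauthn'.` repeats "item values are"; drop the duplicate. Replacing the shipped default `secondFactor: "on"` with `secondFactors: ["otp", "webauthn"]` changes the chart's out-of-the-box MFA posture, and nothing in the block says whether the new default is equivalent to the old `"on"` (that is decided by Teleport's `second_factors` semantics, not visible here), so add one sentence stating it for upgraders who relied on the previous default. The commented-out `# secondFactor: ""` gives no hint what an empty string means; if the template treats it as "not set", say so inline: `# secondFactor: ""  # empty means unset; secondFactors applies`.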
@@ -604,6 +628,30 @@ log:
 # https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
 nodeSelector: {}
+# Turns off the topology spread constraints.
+# The feature is automatically turned off on Kubernetes versions below 1.18.
+disableTopologySpreadConstraints: false
+
+# Pod topology spread constraints:
+# https://kubernetes.io/fr/docs/concepts/workloads/pods/pod-topology-spread-constraints/
+# When unset, the chart defaults to a soft topology spread constraint
+# that tries to spread pods across hosts and zones.
+#
+# ```
+# topologySpreadConstraints
+# - maxSkew: 1
+# topologyKey: kubernetes.io/hostname
+# whenUnsatisfiable: ScheduleAnyway
+# labelSelector:
+# matchLabels: # dynamically computed
+# - maxSkew: 1
+# topologyKey: topology.kubernetes.io/zone
+# whenUnsatisfiable: ScheduleAnyway
+# labelSelector:
+# matchLabels: # dynamically computed
+# ```
+topologySpreadConstraints: []
+
+# Affinity for pod assignment
 # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
 # NOTE: If affinity is set here, highAvailability.requireAntiAffinity cannot also be used - you can only set one or the other.
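Review bot: The example in the comment block drops the colon after the key: `# topologySpreadConstraints` should be `# topologySpreadConstraints:`, otherwise copying the example produces invalid YAML. The link points at the French localisation (`https://kubernetes.io/fr/docs/...`) while the neighbouring comments link the English docs; drop the `/fr` segment for consistency. The comment on `disableTopologySpreadConstraints` says the feature is turned off automatically below Kubernetes 1.18, which matches the 1.17 tests in this commit, but it does not say that an explicit `topologySpreadConstraints` list replaces (rather than extends) the two defaults — the test `uses custom topology spread constraints when set` asserts replacement, so state it here: `# Setting this list replaces the two default constraints above.`.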
@@ -794,7 +842,24 @@ tolerations: []
 # Timeouts for the readiness and liveness probes
 # https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
-probeTimeoutSeconds: 1
+probeTimeoutSeconds: 5
+
+# readinessProbe(object) -- configures the readiness probe settings.
+# This can be tuned to keep proxy pods ready even when the auth is unavailable.
+#
+# The default values mark the pod unready after one minute of failing readiness probe.
+readinessProbe:
+ # readinessProbe.initialDelaySeconds(int) -- controls the number of seconds after the container has started before
+ # liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
+ initialDelaySeconds: 5
+ # readinessProbe.periodSeconds(int) -- controls how often (in seconds) to perform the probe. Minimum value is 1.
+ periodSeconds: 5
+ # readinessProbe.failureThreshold(int) -- is the minimum consecutive failures for the probe to be considered failed
+ # after having succeeded. Minimum value is 1.
+ failureThreshold: 12
+ # readinessProbe.successThreshold(int) -- is the minimum consecutive successes for the probe to be considered
+ # successful after having failed. Minimum value is 1.
+ successThreshold: 1
 # Kubernetes termination grace period
 # https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution
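Review bot: The `initialDelaySeconds` comment says `before liveness probes are initiated`, but this block configures only the readiness probe; the text was pasted from the Kubernetes docs, so change it to `before readiness probes are initiated`. `probeTimeoutSeconds` moving from 1 to 5 also widens the liveness probe's timeout per the existing comment above it, and nothing in the hunk says why; add a one-line reason on that line, e.g. `probeTimeoutSeconds: 5  # <reason for the 5s default here>`, since a longer timeout also lengthens how long a genuinely hung container survives before liveness restarts it (the liveness period and threshold are outside this hunk). The header's "one minute" claim is consistent with `periodSeconds: 5` times `failureThreshold: 12`.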