jonny/charts
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Update teleport

Browse Source
This commit is contained in:
Jonny Ervine 2025-05-13 22:48:36 +08:00
parent 7429da7f22
commit e2b5bb1376
25 changed files with 1367 additions and 125 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
teleport-cluster/.lint/auth-secondfactors-sso.yaml Normal file
View File

@ -0,0 +1,4 @@
clusterName: helm-lint
authentication:
secondFactors:
- sso

10
teleport-cluster/.lint/auth-secondfactors-webauthn.yaml Normal file
View File

@ -0,0 +1,10 @@
clusterName: helm-lint
authentication:
secondFactors:
- sso
- webauthn
webauthn:
attestationAllowedCas:
- "/etc/ssl/certs/ca-certificates.crt"
attestationDeniedCas:
- "/etc/ssl/certs/ca-certificates.crt"

6
teleport-cluster/Chart.yaml
View File

@ -1,13 +1,13 @@
apiVersion: v2 apiVersion: v2
appVersion: 17.2.7 appVersion: 17.4.9
dependencies: dependencies:
- alias: operator - alias: operator
name: teleport-operator name: teleport-operator
repository: "" repository: ""
version: 17.2.7 version: 17.4.9
description: Teleport is an access platform for your infrastructure description: Teleport is an access platform for your infrastructure
icon: https://goteleport.com/static/teleport-symbol-bimi.svg icon: https://goteleport.com/static/teleport-symbol-bimi.svg
keywords: keywords:
- Teleport - Teleport
name: teleport-cluster name: teleport-cluster
version: 17.2.7 version: 17.4.9

4
teleport-cluster/charts/teleport-operator/Chart.yaml
View File

@ -1,8 +1,8 @@
apiVersion: v2 apiVersion: v2
appVersion: 17.2.7 appVersion: 17.4.9
description: Teleport Operator provides management of select Teleport resources. description: Teleport Operator provides management of select Teleport resources.
icon: https://goteleport.com/static/teleport-symbol-bimi.svg icon: https://goteleport.com/static/teleport-symbol-bimi.svg
keywords: keywords:
- Teleport - Teleport
name: teleport-operator name: teleport-operator
version: 17.2.7 version: 17.4.9

146
teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_botsv1.yaml Normal file
View File

@ -0,0 +1,146 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
creationTimestamp: null
name: teleportbotsv1.resources.teleport.dev
spec:
group: resources.teleport.dev
names:
kind: TeleportBotV1
listKind: TeleportBotV1List
plural: teleportbotsv1
shortNames:
- botv1
- botsv1
singular: teleportbotv1
scope: Namespaced
versions:
- name: v1
schema:
openAPIV3Schema:
description: BotV1 is the Schema for the botsv1 API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Bot resource definition v1 from Teleport
properties:
max_session_ttl:
description: The max session TTL value for the bot's internal role.
Unless specified, bots may not request a value beyond the default
maximum TTL of 12 hours. This value may not be larger than 7 days
(168 hours).
format: duration
type: string
roles:
description: The roles that the bot should be able to impersonate.
items:
type: string
nullable: true
type: array
traits:
description: The traits that will be associated with the bot for the
purposes of role templating. Where multiple specified with the
same name, these will be merged by the server.
items:
properties:
name:
description: The name of the trait. This is what allows the
trait to be queried in role templates.
type: string
values:
description: The values associated with the named trait.
items:
type: string
nullable: true
type: array
type: object
nullable: true
type: array
type: object
status:
description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations
of an object's state
items:
description: Condition contains details for one aspect of the current
state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
teleportResourceID:
format: int64
type: integer
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null

32
teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_provisiontokens.yaml
View File

@ -295,6 +295,12 @@ spec:
will default to `gitlab.com` - but can be set to the domain will default to `gitlab.com` - but can be set to the domain
of your self-hosted GitLab e.g `gitlab.example.com`. of your self-hosted GitLab e.g `gitlab.example.com`.
type: string type: string
static_jwks:
description: StaticJWKS disables fetching of the GitLab signing
keys via the JWKS/OIDC endpoints, and allows them to be directly
specified. This allows joining from GitLab CI instances that
are not reachable by the Teleport Auth Service.
type: string
type: object type: object
join_method: join_method:
description: 'JoinMethod is the joining method required in order to description: 'JoinMethod is the joining method required in order to
@ -330,6 +336,32 @@ spec:
- `in_cluster` - `static_jwks` If unset, this defaults to `in_cluster`.' - `in_cluster` - `static_jwks` If unset, this defaults to `in_cluster`.'
type: string type: string
type: object type: object
oracle:
description: Oracle allows the configuration of options specific to
the "oracle" join method.
nullable: true
properties:
allow:
description: Allow is a list of Rules, nodes using this token
must match one allow rule to use this token.
items:
properties:
parent_compartments:
items:
type: string
nullable: true
type: array
regions:
items:
type: string
nullable: true
type: array
tenancy:
type: string
type: object
nullable: true
type: array
type: object
roles: roles:
description: Roles is a list of roles associated with the token, that description: Roles is a list of roles associated with the token, that
will be converted to metadata in the SSH and X509 certificates issued will be converted to metadata in the SSH and X509 certificates issued

4
teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml
View File

@ -1376,7 +1376,7 @@ spec:
type: string type: string
type: object type: object
request_access: request_access:
description: RequestAccess defines the request strategy (optional|note|always) description: RequestAccess defines the request strategy (optional|reason|always)
where optional is the default. where optional is the default.
type: string type: string
request_prompt: request_prompt:
@ -2849,7 +2849,7 @@ spec:
type: string type: string
type: object type: object
request_access: request_access:
description: RequestAccess defines the request strategy (optional|note|always) description: RequestAccess defines the request strategy (optional|reason|always)
where optional is the default. where optional is the default.
type: string type: string
request_prompt: request_prompt:

2
teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv6.yaml
View File

@ -1379,7 +1379,7 @@ spec:
type: string type: string
type: object type: object
request_access: request_access:
description: RequestAccess defines the request strategy (optional|note|always) description: RequestAccess defines the request strategy (optional|reason|always)
where optional is the default. where optional is the default.
type: string type: string
request_prompt: request_prompt:

2
teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv7.yaml
View File

@ -1379,7 +1379,7 @@ spec:
type: string type: string
type: object type: object
request_access: request_access:
description: RequestAccess defines the request strategy (optional|note|always) description: RequestAccess defines the request strategy (optional|reason|always)
where optional is the default. where optional is the default.
type: string type: string
request_prompt: request_prompt:

273
teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_workloadidentitiesv1.yaml Normal file
View File

@ -0,0 +1,273 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
creationTimestamp: null
name: teleportworkloadidentitiesv1.resources.teleport.dev
spec:
group: resources.teleport.dev
names:
kind: TeleportWorkloadIdentityV1
listKind: TeleportWorkloadIdentityV1List
plural: teleportworkloadidentitiesv1
shortNames:
- workloadidentityv1
- workloadidentitiesv1
singular: teleportworkloadidentityv1
scope: Namespaced
versions:
- name: v1
schema:
openAPIV3Schema:
description: WorkloadIdentityV1 is the Schema for the workloadidentitiesv1
API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: WorkloadIdentity resource definition v1 from Teleport
properties:
rules:
description: The rules which are evaluated before the WorkloadIdentity
can be issued.
nullable: true
properties:
allow:
description: A list of rules used to determine if a WorkloadIdentity
can be issued. If none are provided, it will be considered a
pass. If any are provided, then at least one must pass for the
rules to be considered passed.
items:
properties:
conditions:
description: The conditions that must be met for this rule
to be considered passed. Mutually exclusive with expression.
items:
properties:
attribute:
description: The name of the attribute to evaluate
the condition against.
type: string
eq:
description: The attribute casted to a string must
be equal to the value.
nullable: true
properties:
value:
description: The value to compare the attribute
against.
type: string
type: object
in:
description: The attribute casted to a string must
be in the list of values.
nullable: true
properties:
values:
description: The list of values to compare the
attribute against.
items:
type: string
nullable: true
type: array
type: object
not_eq:
description: The attribute casted to a string must
not be equal to the value.
nullable: true
properties:
value:
description: The value to compare the attribute
against.
type: string
type: object
not_in:
description: The attribute casted to a string must
not be in the list of values.
nullable: true
properties:
values:
description: The list of values to compare the
attribute against.
items:
type: string
nullable: true
type: array
type: object
type: object
nullable: true
type: array
expression:
description: An expression written in Teleport's predicate
language that must evaluate to true for this rule to be
considered passed. Mutually exclusive with conditions.
type: string
type: object
nullable: true
type: array
type: object
spiffe:
description: Configuration pertaining to the issuance of SPIFFE-compatible
workload identity credentials.
nullable: true
properties:
hint:
description: A freeform text field which is provided to workloads
along with a credential produced by this WorkloadIdentity. This
can be used to provide additional context that can be used to
select between multiple credentials.
type: string
id:
description: The path of the SPIFFE ID that will be issued to
the workload. This should be prefixed with a forward-slash
("/"). This field supports templating using attributes.
type: string
jwt:
description: Configuration specific to JWT-SVIDs.
nullable: true
properties:
extra_claims:
additionalProperties: true
description: Additional claims that will be added to the JWT.
nullable: true
type: object
maximum_ttl:
description: Control the maximum TTL of JWT-SVIDs issued using
this WorkloadIdentity. If a JWT-SVID is requested with
a TTL greater than this value, then the returned JWT-SVID
will have a TTL of this value. Defaults to 24 hours. The
maximum this value can be set to is 24 hours.
format: duration
type: string
type: object
x509:
description: Configuration specific to X509-SVIDs.
nullable: true
properties:
dns_sans:
description: The DNS Subject Alternative Names (SANs) that
should be included in an X509-SVID issued using this WorkloadIdentity. Each
entry in this list supports templating using attributes.
items:
type: string
nullable: true
type: array
maximum_ttl:
description: Control the maximum TTL of X509-SVIDs issued
using this WorkloadIdentity. If a X509-SVID is requested
with a TTL greater than this value, then the returned X509-SVID
will have a TTL of this value. Defaults to 24 hours. The
maximum this value can be set to is 14 days.
format: duration
type: string
subject_template:
description: Used to configure the Subject Distinguished Name
(DN) of the X509-SVID. In most circumstances, it is recommended
to prefer relying on the SPIFFE ID encoded in the URI SAN.
However, the Subject DN may be needed to support legacy
systems designed for X509 and not SPIFFE/WIMSE. If not
provided, the X509-SVID will be issued with an empty Subject
DN.
nullable: true
properties:
common_name:
description: Common Name (CN) - 2.5.4.3 If empty, the
RDN will be omitted from the DN.
type: string
organization:
description: Organization (O) - 2.5.4.10 If empty, the
RDN will be omitted from the DN.
type: string
organizational_unit:
description: Organizational Unit (OU) - 2.5.4.11 If empty,
the RDN will be omitted from the DN.
type: string
type: object
type: object
type: object
type: object
status:
description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations
of an object's state
items:
description: Condition contains details for one aspect of the current
state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
teleportResourceID:
format: int64
type: integer
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null

4
teleport-cluster/charts/teleport-operator/templates/role.yaml
View File

@ -38,6 +38,10 @@ rules:
- teleportopenssheiceserversv2/status - teleportopenssheiceserversv2/status
- teleporttrustedclustersv2 - teleporttrustedclustersv2
- teleporttrustedclustersv2/status - teleporttrustedclustersv2/status
- teleportbotsv1
- teleportbotsv1/status
- teleportworkloadidentitiesv1
- teleportworkloadidentitiesv1/status
verbs: verbs:
- get - get
- list - list

29
teleport-cluster/templates/auth/_config.common.tpl
View File

@ -36,20 +36,33 @@ auth_service:
{{- if $authentication.lockingMode }} {{- if $authentication.lockingMode }}
locking_mode: "{{ $authentication.lockingMode }}" locking_mode: "{{ $authentication.lockingMode }}"
{{- end }} {{- end }}
{{- $hasWebauthnMFA := false }}
{{/* secondFactor takes precedence for backward compatibility, but new chart releases
should have second_factor unset and privilege second_factors instead.
Sadly, it is not possible to do a conversion between second_factor and second_factors
because of the "off" value. */}}
{{- if $authentication.secondFactor }} {{- if $authentication.secondFactor }}
second_factor: "{{ $authentication.secondFactor }}" second_factor: {{ $authentication.secondFactor | squote }}
{{- if not (or (eq $authentication.secondFactor "off") (eq $authentication.secondFactor "otp")) }} {{- if has $authentication.secondFactor (list "webauthn" "on" "optional") }}
{{- $hasWebauthnMFA = true }}
{{- end }}
{{- else }}
second_factors: {{- toYaml $authentication.secondFactors | nindent 6 }}
{{- if has "webauthn" $authentication.secondFactors }}
{{- $hasWebauthnMFA = true }}
{{- end }}
{{- end }}
{{- if $hasWebauthnMFA }}
webauthn: webauthn:
rp_id: {{ required "clusterName is required in chart values" .Values.clusterName }} rp_id: {{ required "clusterName is required in chart values" .Values.clusterName }}
{{- if $authentication.webauthn }} {{- if $authentication.webauthn }}
{{- if $authentication.webauthn.attestationAllowedCas }} {{- if $authentication.webauthn.attestationAllowedCas }}
attestation_allowed_cas: {{- toYaml $authentication.webauthn.attestationAllowedCas | nindent 12 }} attestation_allowed_cas: {{- toYaml $authentication.webauthn.attestationAllowedCas | nindent 12 }}
{{- end }} {{- end }}
{{- if $authentication.webauthn.attestationDeniedCas }} {{- if $authentication.webauthn.attestationDeniedCas }}
attestation_denied_cas: {{- toYaml $authentication.webauthn.attestationDeniedCas | nindent 12 }} attestation_denied_cas: {{- toYaml $authentication.webauthn.attestationDeniedCas | nindent 12 }}
{{- end }}
{{- end }} {{- end }}
{{- end }}
{{- end }}
{{- end }} {{- end }}
{{- if .Values.sessionRecording }} {{- if .Values.sessionRecording }}
session_recording: {{ .Values.sessionRecording | squote }} session_recording: {{ .Values.sessionRecording | squote }}

16
teleport-cluster/templates/auth/config.yaml
View File

@ -139,6 +139,22 @@ data:
- read - read
- update - update
- delete - delete
- resources:
- bot
verbs:
- list
- create
- read
- update
- delete
- resources:
- workload_identity
verbs:
- list
- create
- read
- update
- delete
deny: {} deny: {}
version: v7 version: v7
--- ---

29
teleport-cluster/templates/auth/deployment.yaml
View File

@ -1,6 +1,7 @@
{{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}} {{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}}
{{- $replicated := gt (int $auth.highAvailability.replicaCount) 1 -}} {{- $replicated := gt (int $auth.highAvailability.replicaCount) 1 -}}
{{- $projectedServiceAccountToken := semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} {{- $projectedServiceAccountToken := semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
{{- $topologySpreadConstraints := and (semverCompare ">=1.18.0-0" .Capabilities.KubeVersion.Version) (not $auth.disableTopologySpreadConstraints) }}
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
@ -55,6 +56,23 @@ spec:
spec: spec:
{{- if $auth.nodeSelector }} {{- if $auth.nodeSelector }}
nodeSelector: {{- toYaml $auth.nodeSelector | nindent 8 }} nodeSelector: {{- toYaml $auth.nodeSelector | nindent 8 }}
{{- end }}
{{- if $topologySpreadConstraints }}
{{- if $auth.topologySpreadConstraints }}
topologySpreadConstraints: {{- toYaml $auth.topologySpreadConstraints | nindent 8 }}
{{- else }}
topologySpreadConstraints:
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: ScheduleAnyway
labelSelector:
matchLabels: {{- include "teleport-cluster.auth.selectorLabels" . | nindent 14 }}
- maxSkew: 1
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: ScheduleAnyway
labelSelector:
matchLabels: {{- include "teleport-cluster.auth.selectorLabels" . | nindent 14 }}
{{- end }}
{{- end }} {{- end }}
affinity: affinity:
{{- if $auth.affinity }} {{- if $auth.affinity }}
@ -177,15 +195,16 @@ spec:
initialDelaySeconds: 5 # wait 5s for agent to start initialDelaySeconds: 5 # wait 5s for agent to start
periodSeconds: 5 # poll health every 5s periodSeconds: 5 # poll health every 5s
failureThreshold: 6 # consider agent unhealthy after 30s (6 * 5s) failureThreshold: 6 # consider agent unhealthy after 30s (6 * 5s)
timeoutSeconds: {{ .Values.probeTimeoutSeconds }} timeoutSeconds: {{ $auth.probeTimeoutSeconds }}
readinessProbe: readinessProbe:
httpGet: httpGet:
path: /readyz path: /readyz
port: diag port: diag
initialDelaySeconds: 5 # wait 5s for agent to register initialDelaySeconds: {{ $auth.readinessProbe.initialDelaySeconds }}
periodSeconds: 5 # poll health every 5s periodSeconds: {{ $auth.readinessProbe.periodSeconds }}
failureThreshold: 12 # consider agent unhealthy after 60s (12 * 5s) failureThreshold: {{$auth.readinessProbe.failureThreshold}}
timeoutSeconds: {{ .Values.probeTimeoutSeconds }} successThreshold: {{$auth.readinessProbe.successThreshold}}
timeoutSeconds: {{ $auth.probeTimeoutSeconds }}
lifecycle: lifecycle:
# waiting during preStop ensures no new request will hit the Terminating pod # waiting during preStop ensures no new request will hit the Terminating pod
# on clusters using kube-proxy (kube-proxy syncs the node iptables rules every 30s) # on clusters using kube-proxy (kube-proxy syncs the node iptables rules every 30s)

25
teleport-cluster/templates/proxy/deployment.yaml
View File

@ -1,6 +1,7 @@
{{- $proxy := mustMergeOverwrite (mustDeepCopy .Values) .Values.proxy -}} {{- $proxy := mustMergeOverwrite (mustDeepCopy .Values) .Values.proxy -}}
{{- $replicable := or $proxy.highAvailability.certManager.enabled $proxy.tls.existingSecretName $proxy.ingress.enabled -}} {{- $replicable := or $proxy.highAvailability.certManager.enabled $proxy.tls.existingSecretName $proxy.ingress.enabled -}}
{{- $projectedServiceAccountToken := semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} {{- $projectedServiceAccountToken := semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
{{- $topologySpreadConstraints := and (semverCompare ">=1.18.0-0" .Capabilities.KubeVersion.Version) (not $proxy.disableTopologySpreadConstraints) }}
# Deployment is {{ if not $replicable }}not {{end}}replicable # Deployment is {{ if not $replicable }}not {{end}}replicable
{{- if and $proxy.highAvailability.certManager.enabled $proxy.tls.existingSecretName }} {{- if and $proxy.highAvailability.certManager.enabled $proxy.tls.existingSecretName }}
{{- fail "Cannot set both highAvailability.certManager.enabled and tls.existingSecretName, choose one or the other" }} {{- fail "Cannot set both highAvailability.certManager.enabled and tls.existingSecretName, choose one or the other" }}
@ -61,6 +62,23 @@ spec:
spec: spec:
{{- if $proxy.nodeSelector }} {{- if $proxy.nodeSelector }}
nodeSelector: {{- toYaml $proxy.nodeSelector | nindent 8 }} nodeSelector: {{- toYaml $proxy.nodeSelector | nindent 8 }}
{{- end }}
{{- if $topologySpreadConstraints }}
{{- if $proxy.topologySpreadConstraints }}
topologySpreadConstraints: {{- toYaml $proxy.topologySpreadConstraints | nindent 8 }}
{{- else }}
topologySpreadConstraints:
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: ScheduleAnyway
labelSelector:
matchLabels: {{- include "teleport-cluster.proxy.selectorLabels" . | nindent 14 }}
- maxSkew: 1
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: ScheduleAnyway
labelSelector:
matchLabels: {{- include "teleport-cluster.proxy.selectorLabels" . | nindent 14 }}
{{- end }}
{{- end }} {{- end }}
affinity: affinity:
{{- if $proxy.affinity }} {{- if $proxy.affinity }}
@ -224,9 +242,10 @@ spec:
httpGet: httpGet:
path: /readyz path: /readyz
port: diag port: diag
initialDelaySeconds: 5 # wait 5s for agent to register initialDelaySeconds: {{ $proxy.readinessProbe.initialDelaySeconds }}
periodSeconds: 5 # poll health every 5s periodSeconds: {{ $proxy.readinessProbe.periodSeconds }}
failureThreshold: 12 # consider agent unhealthy after 60s (12 * 5s) failureThreshold: {{$proxy.readinessProbe.failureThreshold}}
successThreshold: {{$proxy.readinessProbe.successThreshold}}
timeoutSeconds: {{ $proxy.probeTimeoutSeconds }} timeoutSeconds: {{ $proxy.probeTimeoutSeconds }}
lifecycle: lifecycle:
# waiting during preStop ensures no new request will hit the Terminating pod # waiting during preStop ensures no new request will hit the Terminating pod

4
teleport-cluster/tests/__snapshot__/auth_clusterrole_test.yaml.snap
View File

@ -8,8 +8,8 @@ adds operator permissions to ClusterRole:
app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: teleport-cluster app.kubernetes.io/name: teleport-cluster
app.kubernetes.io/version: 17.2.7 app.kubernetes.io/version: 17.4.9
helm.sh/chart: teleport-cluster-17.2.7 helm.sh/chart: teleport-cluster-17.4.9
teleport.dev/majorVersion: "17" teleport.dev/majorVersion: "17"
name: RELEASE-NAME name: RELEASE-NAME
rules: rules:

292
teleport-cluster/tests/__snapshot__/auth_config_test.yaml.snap
View File

@ -24,7 +24,9 @@ configures access monitoring when its values are set:
workgroup: example_access_monitoring_workgroup workgroup: example_access_monitoring_workgroup
authentication: authentication:
local_auth: true local_auth: true
second_factor: "on" second_factors:
- otp
- webauthn
type: local type: local
webauthn: webauthn:
rp_id: test-aws-cluster rp_id: test-aws-cluster
@ -101,7 +103,9 @@ keeps the session_recording type even when it's "off":
auth_service: auth_service:
authentication: authentication:
local_auth: true local_auth: true
second_factor: "on" second_factors:
- otp
- webauthn
type: local type: local
webauthn: webauthn:
rp_id: helm-lint rp_id: helm-lint
@ -137,7 +141,9 @@ matches snapshot for acme-off.yaml:
auth_service: auth_service:
authentication: authentication:
local_auth: true local_auth: true
second_factor: "on" second_factors:
- otp
- webauthn
type: local type: local
webauthn: webauthn:
rp_id: test-cluster-name rp_id: test-cluster-name
@ -172,7 +178,9 @@ matches snapshot for acme-on.yaml:
auth_service: auth_service:
authentication: authentication:
local_auth: true local_auth: true
second_factor: "on" second_factors:
- otp
- webauthn
type: local type: local
webauthn: webauthn:
rp_id: test-acme-cluster rp_id: test-acme-cluster
@ -207,7 +215,9 @@ matches snapshot for acme-uri-staging.yaml:
auth_service: auth_service:
authentication: authentication:
local_auth: true local_auth: true
second_factor: "on" second_factors:
- otp
- webauthn
type: local type: local
webauthn: webauthn:
rp_id: test-acme-cluster rp_id: test-acme-cluster
@ -243,7 +253,9 @@ matches snapshot for auth-connector-name.yaml:
authentication: authentication:
connector_name: okta connector_name: okta
local_auth: true local_auth: true
second_factor: "on" second_factors:
- otp
- webauthn
type: local type: local
webauthn: webauthn:
rp_id: helm-lint rp_id: helm-lint
@ -312,7 +324,9 @@ matches snapshot for auth-locking-mode.yaml:
authentication: authentication:
local_auth: true local_auth: true
locking_mode: strict locking_mode: strict
second_factor: "on" second_factors:
- otp
- webauthn
type: local type: local
webauthn: webauthn:
rp_id: helm-lint rp_id: helm-lint
@ -377,13 +391,90 @@ matches snapshot for auth-passwordless.yaml:
output: stderr output: stderr
severity: INFO severity: INFO
version: v3 version: v3
matches snapshot for auth-secondfactors-sso.yaml:
1: |
|-
auth_service:
authentication:
local_auth: true
second_factors:
- sso
type: local
cluster_name: helm-lint
enabled: true
proxy_listener_mode: separate
kubernetes_service:
enabled: true
kube_cluster_name: helm-lint
listen_addr: 0.0.0.0:3026
public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026
proxy_service:
enabled: false
ssh_service:
enabled: false
teleport:
auth_server: 127.0.0.1:3025
log:
format:
extra_fields:
- timestamp
- level
- component
- caller
output: text
output: stderr
severity: INFO
version: v3
matches snapshot for auth-secondfactors-webauthn.yaml:
1: |
|-
auth_service:
authentication:
local_auth: true
second_factors:
- sso
- webauthn
type: local
webauthn:
attestation_allowed_cas:
- /etc/ssl/certs/ca-certificates.crt
attestation_denied_cas:
- /etc/ssl/certs/ca-certificates.crt
rp_id: helm-lint
cluster_name: helm-lint
enabled: true
proxy_listener_mode: separate
kubernetes_service:
enabled: true
kube_cluster_name: helm-lint
listen_addr: 0.0.0.0:3026
public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026
proxy_service:
enabled: false
ssh_service:
enabled: false
teleport:
auth_server: 127.0.0.1:3025
log:
format:
extra_fields:
- timestamp
- level
- component
- caller
output: text
output: stderr
severity: INFO
version: v3
matches snapshot for auth-type-legacy.yaml: matches snapshot for auth-type-legacy.yaml:
1: | 1: |
|- |-
auth_service: auth_service:
authentication: authentication:
local_auth: true local_auth: true
second_factor: "on" second_factors:
- otp
- webauthn
type: github type: github
webauthn: webauthn:
rp_id: helm-lint rp_id: helm-lint
@ -418,7 +509,9 @@ matches snapshot for auth-type.yaml:
auth_service: auth_service:
authentication: authentication:
local_auth: true local_auth: true
second_factor: "on" second_factors:
- otp
- webauthn
type: github type: github
webauthn: webauthn:
rp_id: helm-lint rp_id: helm-lint
@ -531,7 +624,9 @@ matches snapshot for aws-dynamodb-autoscaling.yaml:
auth_service: auth_service:
authentication: authentication:
local_auth: true local_auth: true
second_factor: "on" second_factors:
- otp
- webauthn
type: local type: local
webauthn: webauthn:
rp_id: test-aws-cluster rp_id: test-aws-cluster
@ -582,7 +677,9 @@ matches snapshot for aws-ha-acme.yaml:
auth_service: auth_service:
authentication: authentication:
local_auth: true local_auth: true
second_factor: "on" second_factors:
- otp
- webauthn
type: local type: local
webauthn: webauthn:
rp_id: test-aws-cluster rp_id: test-aws-cluster
@ -628,7 +725,9 @@ matches snapshot for aws-ha-antiaffinity.yaml:
auth_service: auth_service:
authentication: authentication:
local_auth: true local_auth: true
second_factor: "on" second_factors:
- otp
- webauthn
type: local type: local
webauthn: webauthn:
rp_id: test-aws-cluster rp_id: test-aws-cluster
@ -674,7 +773,9 @@ matches snapshot for aws-ha-log.yaml:
auth_service: auth_service:
authentication: authentication:
local_auth: true local_auth: true
second_factor: "on" second_factors:
- otp
- webauthn
type: local type: local
webauthn: webauthn:
rp_id: test-aws-cluster rp_id: test-aws-cluster
@ -721,7 +822,9 @@ matches snapshot for aws-ha.yaml:
auth_service: auth_service:
authentication: authentication:
local_auth: true local_auth: true
second_factor: "on" second_factors:
- otp
- webauthn
type: local type: local
webauthn: webauthn:
rp_id: test-aws-cluster rp_id: test-aws-cluster
@ -767,7 +870,9 @@ matches snapshot for aws.yaml:
auth_service: auth_service:
authentication: authentication:
local_auth: true local_auth: true
second_factor: "on" second_factors:
- otp
- webauthn
type: local type: local
webauthn: webauthn:
rp_id: test-aws-cluster rp_id: test-aws-cluster
@ -813,7 +918,9 @@ matches snapshot for azure.yaml:
auth_service: auth_service:
authentication: authentication:
local_auth: true local_auth: true
second_factor: "on" second_factors:
- otp
- webauthn
type: local type: local
webauthn: webauthn:
rp_id: test-azure-cluster rp_id: test-azure-cluster
@ -856,7 +963,9 @@ matches snapshot for azure.yaml without pool_max_conn:
auth_service: auth_service:
authentication: authentication:
local_auth: true local_auth: true
second_factor: "on" second_factors:
- otp
- webauthn
type: local type: local
webauthn: webauthn:
rp_id: test-azure-cluster rp_id: test-azure-cluster
@ -899,7 +1008,9 @@ matches snapshot for existing-tls-secret-with-ca.yaml:
auth_service: auth_service:
authentication: authentication:
local_auth: true local_auth: true
second_factor: "on" second_factors:
- otp
- webauthn
type: local type: local
webauthn: webauthn:
rp_id: test-cluster-name rp_id: test-cluster-name
@ -934,7 +1045,9 @@ matches snapshot for existing-tls-secret.yaml:
auth_service: auth_service:
authentication: authentication:
local_auth: true local_auth: true
second_factor: "on" second_factors:
- otp
- webauthn
type: local type: local
webauthn: webauthn:
rp_id: test-cluster-name rp_id: test-cluster-name
@ -969,7 +1082,9 @@ matches snapshot for gcp-ha-acme.yaml:
auth_service: auth_service:
authentication: authentication:
local_auth: true local_auth: true
second_factor: "on" second_factors:
- otp
- webauthn
type: local type: local
webauthn: webauthn:
rp_id: test-gcp-cluster rp_id: test-gcp-cluster
@ -1014,7 +1129,9 @@ matches snapshot for gcp-ha-antiaffinity.yaml:
auth_service: auth_service:
authentication: authentication:
local_auth: true local_auth: true
second_factor: "on" second_factors:
- otp
- webauthn
type: local type: local
webauthn: webauthn:
rp_id: test-gcp-cluster rp_id: test-gcp-cluster
@ -1059,7 +1176,9 @@ matches snapshot for gcp-ha-log.yaml:
auth_service: auth_service:
authentication: authentication:
local_auth: true local_auth: true
second_factor: "on" second_factors:
- otp
- webauthn
type: local type: local
webauthn: webauthn:
rp_id: test-gcp-cluster rp_id: test-gcp-cluster
@ -1105,7 +1224,9 @@ matches snapshot for gcp.yaml:
auth_service: auth_service:
authentication: authentication:
local_auth: true local_auth: true
second_factor: "on" second_factors:
- otp
- webauthn
type: local type: local
webauthn: webauthn:
rp_id: test-gcp-cluster rp_id: test-gcp-cluster
@ -1150,7 +1271,9 @@ matches snapshot for initcontainers.yaml:
auth_service: auth_service:
authentication: authentication:
local_auth: true local_auth: true
second_factor: "on" second_factors:
- otp
- webauthn
type: local type: local
webauthn: webauthn:
rp_id: helm-lint rp_id: helm-lint
@ -1185,7 +1308,9 @@ matches snapshot for kube-cluster-name.yaml:
auth_service: auth_service:
authentication: authentication:
local_auth: true local_auth: true
second_factor: "on" second_factors:
- otp
- webauthn
type: local type: local
webauthn: webauthn:
rp_id: test-aws-cluster rp_id: test-aws-cluster
@ -1220,7 +1345,9 @@ matches snapshot for log-basic.yaml:
auth_service: auth_service:
authentication: authentication:
local_auth: true local_auth: true
second_factor: "on" second_factors:
- otp
- webauthn
type: local type: local
webauthn: webauthn:
rp_id: test-log-cluster rp_id: test-log-cluster
@ -1255,7 +1382,9 @@ matches snapshot for log-extra.yaml:
auth_service: auth_service:
authentication: authentication:
local_auth: true local_auth: true
second_factor: "on" second_factors:
- otp
- webauthn
type: local type: local
webauthn: webauthn:
rp_id: test-log-cluster rp_id: test-log-cluster
@ -1290,7 +1419,9 @@ matches snapshot for log-legacy.yaml:
auth_service: auth_service:
authentication: authentication:
local_auth: true local_auth: true
second_factor: "on" second_factors:
- otp
- webauthn
type: local type: local
webauthn: webauthn:
rp_id: test-log-cluster rp_id: test-log-cluster
@ -1325,7 +1456,9 @@ matches snapshot for priority-class-name.yaml:
auth_service: auth_service:
authentication: authentication:
local_auth: true local_auth: true
second_factor: "on" second_factors:
- otp
- webauthn
type: local type: local
webauthn: webauthn:
rp_id: helm-lint rp_id: helm-lint
@ -1360,7 +1493,9 @@ matches snapshot for proxy-listener-mode-multiplex.yaml:
auth_service: auth_service:
authentication: authentication:
local_auth: true local_auth: true
second_factor: "on" second_factors:
- otp
- webauthn
type: local type: local
webauthn: webauthn:
rp_id: test-proxy-listener-mode rp_id: test-proxy-listener-mode
@ -1395,7 +1530,9 @@ matches snapshot for proxy-listener-mode-separate.yaml:
auth_service: auth_service:
authentication: authentication:
local_auth: true local_auth: true
second_factor: "on" second_factors:
- otp
- webauthn
type: local type: local
webauthn: webauthn:
rp_id: test-proxy-listener-mode rp_id: test-proxy-listener-mode
@ -1430,7 +1567,9 @@ matches snapshot for public-addresses.yaml:
auth_service: auth_service:
authentication: authentication:
local_auth: true local_auth: true
second_factor: "on" second_factors:
- otp
- webauthn
type: local type: local
webauthn: webauthn:
rp_id: helm-lint rp_id: helm-lint
@ -1465,7 +1604,9 @@ matches snapshot for separate-mongo-listener.yaml:
auth_service: auth_service:
authentication: authentication:
local_auth: true local_auth: true
second_factor: "on" second_factors:
- otp
- webauthn
type: local type: local
webauthn: webauthn:
rp_id: helm-lint rp_id: helm-lint
@ -1500,7 +1641,9 @@ matches snapshot for separate-postgres-listener.yaml:
auth_service: auth_service:
authentication: authentication:
local_auth: true local_auth: true
second_factor: "on" second_factors:
- otp
- webauthn
type: local type: local
webauthn: webauthn:
rp_id: helm-lint rp_id: helm-lint
@ -1535,7 +1678,9 @@ matches snapshot for service.yaml:
auth_service: auth_service:
authentication: authentication:
local_auth: true local_auth: true
second_factor: "on" second_factors:
- otp
- webauthn
type: local type: local
webauthn: webauthn:
rp_id: helm-lint rp_id: helm-lint
@ -1570,7 +1715,9 @@ matches snapshot for session-recording.yaml:
auth_service: auth_service:
authentication: authentication:
local_auth: true local_auth: true
second_factor: "on" second_factors:
- otp
- webauthn
type: local type: local
webauthn: webauthn:
rp_id: helm-lint rp_id: helm-lint
@ -1606,7 +1753,9 @@ matches snapshot for standalone-customsize.yaml:
auth_service: auth_service:
authentication: authentication:
local_auth: true local_auth: true
second_factor: "on" second_factors:
- otp
- webauthn
type: local type: local
webauthn: webauthn:
rp_id: test-standalone-cluster rp_id: test-standalone-cluster
@ -1643,7 +1792,9 @@ matches snapshot for standalone-existingpvc.yaml:
auth_service: auth_service:
authentication: authentication:
local_auth: true local_auth: true
second_factor: "on" second_factors:
- otp
- webauthn
type: local type: local
webauthn: webauthn:
rp_id: test-standalone-cluster rp_id: test-standalone-cluster
@ -1680,7 +1831,9 @@ matches snapshot for tolerations.yaml:
auth_service: auth_service:
authentication: authentication:
local_auth: true local_auth: true
second_factor: "on" second_factors:
- otp
- webauthn
type: local type: local
webauthn: webauthn:
rp_id: test-aws-cluster rp_id: test-aws-cluster
@ -1724,7 +1877,9 @@ matches snapshot for version-override.yaml:
auth_service: auth_service:
authentication: authentication:
local_auth: true local_auth: true
second_factor: "on" second_factors:
- otp
- webauthn
type: local type: local
webauthn: webauthn:
rp_id: test-cluster-name rp_id: test-cluster-name
@ -1762,7 +1917,9 @@ matches snapshot for volumes.yaml:
auth_service: auth_service:
authentication: authentication:
local_auth: true local_auth: true
second_factor: "on" second_factors:
- otp
- webauthn
type: local type: local
webauthn: webauthn:
rp_id: helm-lint rp_id: helm-lint
@ -1791,6 +1948,39 @@ matches snapshot for volumes.yaml:
output: stderr output: stderr
severity: INFO severity: INFO
version: v3 version: v3
matches snapshot when both secondFactor and secondFactors are set.:
1: |
|-
auth_service:
authentication:
local_auth: true
second_factor: "off"
type: local
cluster_name: helm-lint
enabled: true
proxy_listener_mode: separate
kubernetes_service:
enabled: true
kube_cluster_name: helm-lint
listen_addr: 0.0.0.0:3026
public_addr: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3026
proxy_service:
enabled: false
ssh_service:
enabled: false
teleport:
auth_server: 127.0.0.1:3025
log:
format:
extra_fields:
- timestamp
- level
- component
- caller
output: text
output: stderr
severity: INFO
version: v3
sets clusterDomain on Configmap: sets clusterDomain on Configmap:
1: | 1: |
apiVersion: v1 apiVersion: v1
@ -1812,7 +2002,9 @@ sets clusterDomain on Configmap:
auth_service: auth_service:
authentication: authentication:
local_auth: true local_auth: true
second_factor: "on" second_factors:
- otp
- webauthn
type: local type: local
webauthn: webauthn:
rp_id: teleport.example.com rp_id: teleport.example.com
@ -1848,8 +2040,8 @@ sets clusterDomain on Configmap:
app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: teleport-cluster app.kubernetes.io/name: teleport-cluster
app.kubernetes.io/version: 17.2.7 app.kubernetes.io/version: 17.4.9
helm.sh/chart: teleport-cluster-17.2.7 helm.sh/chart: teleport-cluster-17.4.9
teleport.dev/majorVersion: "17" teleport.dev/majorVersion: "17"
name: RELEASE-NAME-auth name: RELEASE-NAME-auth
namespace: NAMESPACE namespace: NAMESPACE
@ -1859,7 +2051,9 @@ uses athena as primary backend when configured:
auth_service: auth_service:
authentication: authentication:
local_auth: true local_auth: true
second_factor: "on" second_factors:
- otp
- webauthn
type: local type: local
webauthn: webauthn:
rp_id: teleport.example.com rp_id: teleport.example.com
@ -1904,7 +2098,9 @@ uses athena, dynamo, and stdout when everything is on:
auth_service: auth_service:
authentication: authentication:
local_auth: true local_auth: true
second_factor: "on" second_factors:
- otp
- webauthn
type: local type: local
webauthn: webauthn:
rp_id: teleport.example.com rp_id: teleport.example.com
@ -1950,7 +2146,9 @@ uses dynamo as primary backend when configured:
auth_service: auth_service:
authentication: authentication:
local_auth: true local_auth: true
second_factor: "on" second_factors:
- otp
- webauthn
type: local type: local
webauthn: webauthn:
rp_id: teleport.example.com rp_id: teleport.example.com

118
teleport-cluster/tests/__snapshot__/auth_deployment_test.yaml.snap
View File

@ -8,7 +8,7 @@
- args: - args:
- --diag-addr=0.0.0.0:3000 - --diag-addr=0.0.0.0:3000
- --apply-on-startup=/etc/teleport/apply-on-startup.yaml - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 image: public.ecr.aws/gravitational/teleport-distroless:17.4.9
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
lifecycle: lifecycle:
preStop: preStop:
@ -25,7 +25,7 @@
port: diag port: diag
initialDelaySeconds: 5 initialDelaySeconds: 5
periodSeconds: 5 periodSeconds: 5
timeoutSeconds: 1 timeoutSeconds: 5
name: teleport name: teleport
ports: ports:
- containerPort: 3000 - containerPort: 3000
@ -44,7 +44,8 @@
port: diag port: diag
initialDelaySeconds: 5 initialDelaySeconds: 5
periodSeconds: 5 periodSeconds: 5
timeoutSeconds: 1 successThreshold: 1
timeoutSeconds: 5
volumeMounts: volumeMounts:
- mountPath: /etc/teleport - mountPath: /etc/teleport
name: config name: config
@ -56,6 +57,23 @@
readOnly: true readOnly: true
serviceAccountName: RELEASE-NAME serviceAccountName: RELEASE-NAME
terminationGracePeriodSeconds: 60 terminationGracePeriodSeconds: 60
topologySpreadConstraints:
- labelSelector:
matchLabels:
app.kubernetes.io/component: auth
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: ScheduleAnyway
- labelSelector:
matchLabels:
app.kubernetes.io/component: auth
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
maxSkew: 1
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: ScheduleAnyway
volumes: volumes:
- name: auth-serviceaccount-token - name: auth-serviceaccount-token
projected: projected:
@ -141,7 +159,7 @@ should set nodeSelector when set in values:
- args: - args:
- --diag-addr=0.0.0.0:3000 - --diag-addr=0.0.0.0:3000
- --apply-on-startup=/etc/teleport/apply-on-startup.yaml - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 image: public.ecr.aws/gravitational/teleport-distroless:17.4.9
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
lifecycle: lifecycle:
preStop: preStop:
@ -158,7 +176,7 @@ should set nodeSelector when set in values:
port: diag port: diag
initialDelaySeconds: 5 initialDelaySeconds: 5
periodSeconds: 5 periodSeconds: 5
timeoutSeconds: 1 timeoutSeconds: 5
name: teleport name: teleport
ports: ports:
- containerPort: 3000 - containerPort: 3000
@ -177,7 +195,8 @@ should set nodeSelector when set in values:
port: diag port: diag
initialDelaySeconds: 5 initialDelaySeconds: 5
periodSeconds: 5 periodSeconds: 5
timeoutSeconds: 1 successThreshold: 1
timeoutSeconds: 5
volumeMounts: volumeMounts:
- mountPath: /etc/teleport - mountPath: /etc/teleport
name: config name: config
@ -192,6 +211,23 @@ should set nodeSelector when set in values:
role: bastion role: bastion
serviceAccountName: RELEASE-NAME serviceAccountName: RELEASE-NAME
terminationGracePeriodSeconds: 60 terminationGracePeriodSeconds: 60
topologySpreadConstraints:
- labelSelector:
matchLabels:
app.kubernetes.io/component: auth
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: ScheduleAnyway
- labelSelector:
matchLabels:
app.kubernetes.io/component: auth
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
maxSkew: 1
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: ScheduleAnyway
volumes: volumes:
- name: auth-serviceaccount-token - name: auth-serviceaccount-token
projected: projected:
@ -238,7 +274,7 @@ should set resources when set in values:
- args: - args:
- --diag-addr=0.0.0.0:3000 - --diag-addr=0.0.0.0:3000
- --apply-on-startup=/etc/teleport/apply-on-startup.yaml - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 image: public.ecr.aws/gravitational/teleport-distroless:17.4.9
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
lifecycle: lifecycle:
preStop: preStop:
@ -255,7 +291,7 @@ should set resources when set in values:
port: diag port: diag
initialDelaySeconds: 5 initialDelaySeconds: 5
periodSeconds: 5 periodSeconds: 5
timeoutSeconds: 1 timeoutSeconds: 5
name: teleport name: teleport
ports: ports:
- containerPort: 3000 - containerPort: 3000
@ -274,7 +310,8 @@ should set resources when set in values:
port: diag port: diag
initialDelaySeconds: 5 initialDelaySeconds: 5
periodSeconds: 5 periodSeconds: 5
timeoutSeconds: 1 successThreshold: 1
timeoutSeconds: 5
resources: resources:
limits: limits:
cpu: 2 cpu: 2
@ -293,6 +330,23 @@ should set resources when set in values:
readOnly: true readOnly: true
serviceAccountName: RELEASE-NAME serviceAccountName: RELEASE-NAME
terminationGracePeriodSeconds: 60 terminationGracePeriodSeconds: 60
topologySpreadConstraints:
- labelSelector:
matchLabels:
app.kubernetes.io/component: auth
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: ScheduleAnyway
- labelSelector:
matchLabels:
app.kubernetes.io/component: auth
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
maxSkew: 1
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: ScheduleAnyway
volumes: volumes:
- name: auth-serviceaccount-token - name: auth-serviceaccount-token
projected: projected:
@ -324,7 +378,7 @@ should set securityContext when set in values:
- args: - args:
- --diag-addr=0.0.0.0:3000 - --diag-addr=0.0.0.0:3000
- --apply-on-startup=/etc/teleport/apply-on-startup.yaml - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 image: public.ecr.aws/gravitational/teleport-distroless:17.4.9
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
lifecycle: lifecycle:
preStop: preStop:
@ -341,7 +395,7 @@ should set securityContext when set in values:
port: diag port: diag
initialDelaySeconds: 5 initialDelaySeconds: 5
periodSeconds: 5 periodSeconds: 5
timeoutSeconds: 1 timeoutSeconds: 5
name: teleport name: teleport
ports: ports:
- containerPort: 3000 - containerPort: 3000
@ -360,7 +414,8 @@ should set securityContext when set in values:
port: diag port: diag
initialDelaySeconds: 5 initialDelaySeconds: 5
periodSeconds: 5 periodSeconds: 5
timeoutSeconds: 1 successThreshold: 1
timeoutSeconds: 5
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
privileged: false privileged: false
@ -379,6 +434,23 @@ should set securityContext when set in values:
readOnly: true readOnly: true
serviceAccountName: RELEASE-NAME serviceAccountName: RELEASE-NAME
terminationGracePeriodSeconds: 60 terminationGracePeriodSeconds: 60
topologySpreadConstraints:
- labelSelector:
matchLabels:
app.kubernetes.io/component: auth
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: ScheduleAnyway
- labelSelector:
matchLabels:
app.kubernetes.io/component: auth
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
maxSkew: 1
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: ScheduleAnyway
volumes: volumes:
- name: auth-serviceaccount-token - name: auth-serviceaccount-token
projected: projected:
@ -437,7 +509,7 @@ should use OSS image and not mount license when enterprise is not set in values:
port: diag port: diag
initialDelaySeconds: 5 initialDelaySeconds: 5
periodSeconds: 5 periodSeconds: 5
timeoutSeconds: 1 timeoutSeconds: 5
name: teleport name: teleport
ports: ports:
- containerPort: 3000 - containerPort: 3000
@ -456,7 +528,8 @@ should use OSS image and not mount license when enterprise is not set in values:
port: diag port: diag
initialDelaySeconds: 5 initialDelaySeconds: 5
periodSeconds: 5 periodSeconds: 5
timeoutSeconds: 1 successThreshold: 1
timeoutSeconds: 5
volumeMounts: volumeMounts:
- mountPath: /etc/teleport - mountPath: /etc/teleport
name: config name: config
@ -468,6 +541,23 @@ should use OSS image and not mount license when enterprise is not set in values:
readOnly: true readOnly: true
serviceAccountName: RELEASE-NAME serviceAccountName: RELEASE-NAME
terminationGracePeriodSeconds: 60 terminationGracePeriodSeconds: 60
topologySpreadConstraints:
- labelSelector:
matchLabels:
app.kubernetes.io/component: auth
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: ScheduleAnyway
- labelSelector:
matchLabels:
app.kubernetes.io/component: auth
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
maxSkew: 1
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: ScheduleAnyway
volumes: volumes:
- name: auth-serviceaccount-token - name: auth-serviceaccount-token
projected: projected:

4
teleport-cluster/tests/__snapshot__/proxy_config_test.yaml.snap
View File

@ -567,8 +567,8 @@ sets clusterDomain on Configmap:
app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: teleport-cluster app.kubernetes.io/name: teleport-cluster
app.kubernetes.io/version: 17.2.7 app.kubernetes.io/version: 17.4.9
helm.sh/chart: teleport-cluster-17.2.7 helm.sh/chart: teleport-cluster-17.4.9
teleport.dev/majorVersion: "17" teleport.dev/majorVersion: "17"
name: RELEASE-NAME-proxy name: RELEASE-NAME-proxy
namespace: NAMESPACE namespace: NAMESPACE

168
teleport-cluster/tests/__snapshot__/proxy_deployment_test.yaml.snap
View File

@ -11,8 +11,8 @@ sets clusterDomain on Deployment Pods:
app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: teleport-cluster app.kubernetes.io/name: teleport-cluster
app.kubernetes.io/version: 17.2.7 app.kubernetes.io/version: 17.4.9
helm.sh/chart: teleport-cluster-17.2.7 helm.sh/chart: teleport-cluster-17.4.9
teleport.dev/majorVersion: "17" teleport.dev/majorVersion: "17"
name: RELEASE-NAME-proxy name: RELEASE-NAME-proxy
namespace: NAMESPACE namespace: NAMESPACE
@ -26,7 +26,7 @@ sets clusterDomain on Deployment Pods:
template: template:
metadata: metadata:
annotations: annotations:
checksum/config: 788cc751f0c48b48415714a674bdb771ba9a079091aa0bbe737447df2f94ec58 checksum/config: da6155f69a526a5b92d4fa09d4b6658536bfab0d3e5435e2e898b77c1a30dbff
kubernetes.io/pod: test-annotation kubernetes.io/pod: test-annotation
kubernetes.io/pod-different: 4 kubernetes.io/pod-different: 4
labels: labels:
@ -34,8 +34,8 @@ sets clusterDomain on Deployment Pods:
app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: teleport-cluster app.kubernetes.io/name: teleport-cluster
app.kubernetes.io/version: 17.2.7 app.kubernetes.io/version: 17.4.9
helm.sh/chart: teleport-cluster-17.2.7 helm.sh/chart: teleport-cluster-17.4.9
teleport.dev/majorVersion: "17" teleport.dev/majorVersion: "17"
spec: spec:
affinity: affinity:
@ -44,7 +44,7 @@ sets clusterDomain on Deployment Pods:
containers: containers:
- args: - args:
- --diag-addr=0.0.0.0:3000 - --diag-addr=0.0.0.0:3000
image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 image: public.ecr.aws/gravitational/teleport-distroless:17.4.9
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
lifecycle: lifecycle:
preStop: preStop:
@ -61,7 +61,7 @@ sets clusterDomain on Deployment Pods:
port: diag port: diag
initialDelaySeconds: 5 initialDelaySeconds: 5
periodSeconds: 5 periodSeconds: 5
timeoutSeconds: 1 timeoutSeconds: 5
name: teleport name: teleport
ports: ports:
- containerPort: 3080 - containerPort: 3080
@ -89,7 +89,8 @@ sets clusterDomain on Deployment Pods:
port: diag port: diag
initialDelaySeconds: 5 initialDelaySeconds: 5
periodSeconds: 5 periodSeconds: 5
timeoutSeconds: 1 successThreshold: 1
timeoutSeconds: 5
volumeMounts: volumeMounts:
- mountPath: /etc/teleport - mountPath: /etc/teleport
name: config name: config
@ -105,10 +106,27 @@ sets clusterDomain on Deployment Pods:
- wait - wait
- no-resolve - no-resolve
- RELEASE-NAME-auth-v16.NAMESPACE.svc.test.com - RELEASE-NAME-auth-v16.NAMESPACE.svc.test.com
image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 image: public.ecr.aws/gravitational/teleport-distroless:17.4.9
name: wait-auth-update name: wait-auth-update
serviceAccountName: RELEASE-NAME-proxy serviceAccountName: RELEASE-NAME-proxy
terminationGracePeriodSeconds: 60 terminationGracePeriodSeconds: 60
topologySpreadConstraints:
- labelSelector:
matchLabels:
app.kubernetes.io/component: proxy
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: ScheduleAnyway
- labelSelector:
matchLabels:
app.kubernetes.io/component: proxy
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
maxSkew: 1
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: ScheduleAnyway
volumes: volumes:
- name: proxy-serviceaccount-token - name: proxy-serviceaccount-token
projected: projected:
@ -137,7 +155,7 @@ should provision initContainer correctly when set in values:
- wait - wait
- no-resolve - no-resolve
- RELEASE-NAME-auth-v16.NAMESPACE.svc.cluster.local - RELEASE-NAME-auth-v16.NAMESPACE.svc.cluster.local
image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 image: public.ecr.aws/gravitational/teleport-distroless:17.4.9
name: wait-auth-update name: wait-auth-update
resources: resources:
limits: limits:
@ -201,7 +219,7 @@ should set nodeSelector when set in values:
containers: containers:
- args: - args:
- --diag-addr=0.0.0.0:3000 - --diag-addr=0.0.0.0:3000
image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 image: public.ecr.aws/gravitational/teleport-distroless:17.4.9
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
lifecycle: lifecycle:
preStop: preStop:
@ -218,7 +236,7 @@ should set nodeSelector when set in values:
port: diag port: diag
initialDelaySeconds: 5 initialDelaySeconds: 5
periodSeconds: 5 periodSeconds: 5
timeoutSeconds: 1 timeoutSeconds: 5
name: teleport name: teleport
ports: ports:
- containerPort: 3080 - containerPort: 3080
@ -246,7 +264,8 @@ should set nodeSelector when set in values:
port: diag port: diag
initialDelaySeconds: 5 initialDelaySeconds: 5
periodSeconds: 5 periodSeconds: 5
timeoutSeconds: 1 successThreshold: 1
timeoutSeconds: 5
volumeMounts: volumeMounts:
- mountPath: /etc/teleport - mountPath: /etc/teleport
name: config name: config
@ -262,13 +281,30 @@ should set nodeSelector when set in values:
- wait - wait
- no-resolve - no-resolve
- RELEASE-NAME-auth-v16.NAMESPACE.svc.cluster.local - RELEASE-NAME-auth-v16.NAMESPACE.svc.cluster.local
image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 image: public.ecr.aws/gravitational/teleport-distroless:17.4.9
name: wait-auth-update name: wait-auth-update
nodeSelector: nodeSelector:
environment: security environment: security
role: bastion role: bastion
serviceAccountName: RELEASE-NAME-proxy serviceAccountName: RELEASE-NAME-proxy
terminationGracePeriodSeconds: 60 terminationGracePeriodSeconds: 60
topologySpreadConstraints:
- labelSelector:
matchLabels:
app.kubernetes.io/component: proxy
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: ScheduleAnyway
- labelSelector:
matchLabels:
app.kubernetes.io/component: proxy
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
maxSkew: 1
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: ScheduleAnyway
volumes: volumes:
- name: proxy-serviceaccount-token - name: proxy-serviceaccount-token
projected: projected:
@ -313,7 +349,7 @@ should set resources for wait-auth-update initContainer when set in values:
containers: containers:
- args: - args:
- --diag-addr=0.0.0.0:3000 - --diag-addr=0.0.0.0:3000
image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 image: public.ecr.aws/gravitational/teleport-distroless:17.4.9
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
lifecycle: lifecycle:
preStop: preStop:
@ -330,7 +366,7 @@ should set resources for wait-auth-update initContainer when set in values:
port: diag port: diag
initialDelaySeconds: 5 initialDelaySeconds: 5
periodSeconds: 5 periodSeconds: 5
timeoutSeconds: 1 timeoutSeconds: 5
name: teleport name: teleport
ports: ports:
- containerPort: 3080 - containerPort: 3080
@ -358,7 +394,8 @@ should set resources for wait-auth-update initContainer when set in values:
port: diag port: diag
initialDelaySeconds: 5 initialDelaySeconds: 5
periodSeconds: 5 periodSeconds: 5
timeoutSeconds: 1 successThreshold: 1
timeoutSeconds: 5
resources: resources:
limits: limits:
cpu: 2 cpu: 2
@ -381,7 +418,7 @@ should set resources for wait-auth-update initContainer when set in values:
- wait - wait
- no-resolve - no-resolve
- RELEASE-NAME-auth-v16.NAMESPACE.svc.cluster.local - RELEASE-NAME-auth-v16.NAMESPACE.svc.cluster.local
image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 image: public.ecr.aws/gravitational/teleport-distroless:17.4.9
name: wait-auth-update name: wait-auth-update
resources: resources:
limits: limits:
@ -392,6 +429,23 @@ should set resources for wait-auth-update initContainer when set in values:
memory: 256Mi memory: 256Mi
serviceAccountName: RELEASE-NAME-proxy serviceAccountName: RELEASE-NAME-proxy
terminationGracePeriodSeconds: 60 terminationGracePeriodSeconds: 60
topologySpreadConstraints:
- labelSelector:
matchLabels:
app.kubernetes.io/component: proxy
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: ScheduleAnyway
- labelSelector:
matchLabels:
app.kubernetes.io/component: proxy
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
maxSkew: 1
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: ScheduleAnyway
volumes: volumes:
- name: proxy-serviceaccount-token - name: proxy-serviceaccount-token
projected: projected:
@ -421,7 +475,7 @@ should set resources when set in values:
containers: containers:
- args: - args:
- --diag-addr=0.0.0.0:3000 - --diag-addr=0.0.0.0:3000
image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 image: public.ecr.aws/gravitational/teleport-distroless:17.4.9
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
lifecycle: lifecycle:
preStop: preStop:
@ -438,7 +492,7 @@ should set resources when set in values:
port: diag port: diag
initialDelaySeconds: 5 initialDelaySeconds: 5
periodSeconds: 5 periodSeconds: 5
timeoutSeconds: 1 timeoutSeconds: 5
name: teleport name: teleport
ports: ports:
- containerPort: 3080 - containerPort: 3080
@ -466,7 +520,8 @@ should set resources when set in values:
port: diag port: diag
initialDelaySeconds: 5 initialDelaySeconds: 5
periodSeconds: 5 periodSeconds: 5
timeoutSeconds: 1 successThreshold: 1
timeoutSeconds: 5
resources: resources:
limits: limits:
cpu: 2 cpu: 2
@ -489,7 +544,7 @@ should set resources when set in values:
- wait - wait
- no-resolve - no-resolve
- RELEASE-NAME-auth-v16.NAMESPACE.svc.cluster.local - RELEASE-NAME-auth-v16.NAMESPACE.svc.cluster.local
image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 image: public.ecr.aws/gravitational/teleport-distroless:17.4.9
name: wait-auth-update name: wait-auth-update
resources: resources:
limits: limits:
@ -500,6 +555,23 @@ should set resources when set in values:
memory: 256Mi memory: 256Mi
serviceAccountName: RELEASE-NAME-proxy serviceAccountName: RELEASE-NAME-proxy
terminationGracePeriodSeconds: 60 terminationGracePeriodSeconds: 60
topologySpreadConstraints:
- labelSelector:
matchLabels:
app.kubernetes.io/component: proxy
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: ScheduleAnyway
- labelSelector:
matchLabels:
app.kubernetes.io/component: proxy
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
maxSkew: 1
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: ScheduleAnyway
volumes: volumes:
- name: proxy-serviceaccount-token - name: proxy-serviceaccount-token
projected: projected:
@ -529,7 +601,7 @@ should set securityContext for initContainers when set in values:
containers: containers:
- args: - args:
- --diag-addr=0.0.0.0:3000 - --diag-addr=0.0.0.0:3000
image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 image: public.ecr.aws/gravitational/teleport-distroless:17.4.9
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
lifecycle: lifecycle:
preStop: preStop:
@ -546,7 +618,7 @@ should set securityContext for initContainers when set in values:
port: diag port: diag
initialDelaySeconds: 5 initialDelaySeconds: 5
periodSeconds: 5 periodSeconds: 5
timeoutSeconds: 1 timeoutSeconds: 5
name: teleport name: teleport
ports: ports:
- containerPort: 3080 - containerPort: 3080
@ -574,7 +646,8 @@ should set securityContext for initContainers when set in values:
port: diag port: diag
initialDelaySeconds: 5 initialDelaySeconds: 5
periodSeconds: 5 periodSeconds: 5
timeoutSeconds: 1 successThreshold: 1
timeoutSeconds: 5
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
privileged: false privileged: false
@ -597,7 +670,7 @@ should set securityContext for initContainers when set in values:
- wait - wait
- no-resolve - no-resolve
- RELEASE-NAME-auth-v16.NAMESPACE.svc.cluster.local - RELEASE-NAME-auth-v16.NAMESPACE.svc.cluster.local
image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 image: public.ecr.aws/gravitational/teleport-distroless:17.4.9
name: wait-auth-update name: wait-auth-update
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
@ -608,6 +681,23 @@ should set securityContext for initContainers when set in values:
runAsUser: 99 runAsUser: 99
serviceAccountName: RELEASE-NAME-proxy serviceAccountName: RELEASE-NAME-proxy
terminationGracePeriodSeconds: 60 terminationGracePeriodSeconds: 60
topologySpreadConstraints:
- labelSelector:
matchLabels:
app.kubernetes.io/component: proxy
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: ScheduleAnyway
- labelSelector:
matchLabels:
app.kubernetes.io/component: proxy
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
maxSkew: 1
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: ScheduleAnyway
volumes: volumes:
- name: proxy-serviceaccount-token - name: proxy-serviceaccount-token
projected: projected:
@ -637,7 +727,7 @@ should set securityContext when set in values:
containers: containers:
- args: - args:
- --diag-addr=0.0.0.0:3000 - --diag-addr=0.0.0.0:3000
image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 image: public.ecr.aws/gravitational/teleport-distroless:17.4.9
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
lifecycle: lifecycle:
preStop: preStop:
@ -654,7 +744,7 @@ should set securityContext when set in values:
port: diag port: diag
initialDelaySeconds: 5 initialDelaySeconds: 5
periodSeconds: 5 periodSeconds: 5
timeoutSeconds: 1 timeoutSeconds: 5
name: teleport name: teleport
ports: ports:
- containerPort: 3080 - containerPort: 3080
@ -682,7 +772,8 @@ should set securityContext when set in values:
port: diag port: diag
initialDelaySeconds: 5 initialDelaySeconds: 5
periodSeconds: 5 periodSeconds: 5
timeoutSeconds: 1 successThreshold: 1
timeoutSeconds: 5
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
privileged: false privileged: false
@ -705,7 +796,7 @@ should set securityContext when set in values:
- wait - wait
- no-resolve - no-resolve
- RELEASE-NAME-auth-v16.NAMESPACE.svc.cluster.local - RELEASE-NAME-auth-v16.NAMESPACE.svc.cluster.local
image: public.ecr.aws/gravitational/teleport-distroless:17.2.7 image: public.ecr.aws/gravitational/teleport-distroless:17.4.9
name: wait-auth-update name: wait-auth-update
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
@ -716,6 +807,23 @@ should set securityContext when set in values:
runAsUser: 99 runAsUser: 99
serviceAccountName: RELEASE-NAME-proxy serviceAccountName: RELEASE-NAME-proxy
terminationGracePeriodSeconds: 60 terminationGracePeriodSeconds: 60
topologySpreadConstraints:
- labelSelector:
matchLabels:
app.kubernetes.io/component: proxy
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: ScheduleAnyway
- labelSelector:
matchLabels:
app.kubernetes.io/component: proxy
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
maxSkew: 1
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: ScheduleAnyway
volumes: volumes:
- name: proxy-serviceaccount-token - name: proxy-serviceaccount-token
projected: projected:

38
teleport-cluster/tests/auth_config_test.yaml
View File

@ -697,4 +697,40 @@ tests:
- matchSnapshot: {} - matchSnapshot: {}
- matchRegex: - matchRegex:
path: data.teleport\.yaml path: data.teleport\.yaml
pattern: 'svc.test.com:3026' pattern: 'svc.test.com:3026'
- it: matches snapshot for auth-secondfactors-webauthn.yaml
values:
- ../.lint/auth-secondfactors-webauthn.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot for auth-secondfactors-sso.yaml
values:
- ../.lint/auth-secondfactors-sso.yaml
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: matches snapshot when both secondFactor and secondFactors are set.
set:
clusterName: helm-lint
authentication:
secondFactor: "off"
secondFactors: ["otp", "webauthn"]
asserts:
- hasDocuments:
count: 1
- isKind:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml

98
teleport-cluster/tests/auth_deployment_test.yaml
View File

@ -923,3 +923,101 @@ tests:
- equal: - equal:
path: spec.template.metadata.labels.baz path: spec.template.metadata.labels.baz
value: overridden value: overridden
- it: sets readinessProbe values on Deployment Pods
template: auth/deployment.yaml
set:
clusterName: helm-lint
readinessProbe:
initialDelaySeconds: 9
periodSeconds: 10
failureThreshold: 11
successThreshold: 12
auth:
# we test an auth-specific override
readinessProbe:
initialDelaySeconds: 13
asserts:
- equal:
path: spec.template.spec.containers[0].readinessProbe.periodSeconds
value: 10
- equal:
path: spec.template.spec.containers[0].readinessProbe.failureThreshold
value: 11
- equal:
path: spec.template.spec.containers[0].readinessProbe.successThreshold
value: 12
- equal:
path: spec.template.spec.containers[0].readinessProbe.initialDelaySeconds
value: 13
- it: sets topology spread constraints by default
template: auth/deployment.yaml
set:
clusterName: helm-lint
asserts:
- equal:
path: spec.template.spec.topologySpreadConstraints
value:
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: ScheduleAnyway
labelSelector:
matchLabels:
app.kubernetes.io/component: auth
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
- maxSkew: 1
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: ScheduleAnyway
labelSelector:
matchLabels:
app.kubernetes.io/component: auth
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
- it: removes topology spread constraints when disabled
template: auth/deployment.yaml
set:
clusterName: helm-lint
disableTopologySpreadConstraints: true
asserts:
- isEmpty:
path: spec.template.spec.topologySpreadConstraints
- it: removes topology spread constraints when running on antique kubernetes
template: auth/deployment.yaml
set:
clusterName: helm-lint
capabilities:
majorVersion: 1
minorVersion: 17
asserts:
- isEmpty:
path: spec.template.spec.topologySpreadConstraints
- it: uses custom topology spread constraints when set
template: auth/deployment.yaml
set:
clusterName: helm-lint
topologySpreadConstraints:
- maxSkew: 2
topologyKey: foobar
whenUnsatisfiable: ScheduleAnyway
labelSelector:
matchLabels:
app: baz
# helm unit-test has a bug where capabilities are not reset between tests, we must set back to 1.18 after the 1.17 test.
capabilities:
majorVersion: 1
minorVersion: 18
asserts:
- equal:
path: spec.template.spec.topologySpreadConstraints
value:
- maxSkew: 2
topologyKey: foobar
whenUnsatisfiable: ScheduleAnyway
labelSelector:
matchLabels:
app: baz

100
teleport-cluster/tests/proxy_deployment_test.yaml
View File

@ -1041,4 +1041,102 @@ tests:
- matchSnapshot: {} - matchSnapshot: {}
- matchRegex: - matchRegex:
path: spec.template.spec.initContainers[0].command[3] path: spec.template.spec.initContainers[0].command[3]
pattern: ".svc.test.com$" pattern: ".svc.test.com$"
- it: sets readinessProbe values on Deployment Pods
template: proxy/deployment.yaml
set:
clusterName: helm-lint
readinessProbe:
initialDelaySeconds: 9
periodSeconds: 10
failureThreshold: 11
successThreshold: 12
proxy:
# we test an auth-specific override
readinessProbe:
initialDelaySeconds: 13
asserts:
- equal:
path: spec.template.spec.containers[0].readinessProbe.periodSeconds
value: 10
- equal:
path: spec.template.spec.containers[0].readinessProbe.failureThreshold
value: 11
- equal:
path: spec.template.spec.containers[0].readinessProbe.successThreshold
value: 12
- equal:
path: spec.template.spec.containers[0].readinessProbe.initialDelaySeconds
value: 13
- it: sets topology spread constraints by default
template: proxy/deployment.yaml
set:
clusterName: helm-lint
asserts:
- equal:
path: spec.template.spec.topologySpreadConstraints
value:
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: ScheduleAnyway
labelSelector:
matchLabels:
app.kubernetes.io/component: proxy
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
- maxSkew: 1
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: ScheduleAnyway
labelSelector:
matchLabels:
app.kubernetes.io/component: proxy
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: teleport-cluster
- it: removes topology spread constraints when disabled
template: proxy/deployment.yaml
set:
clusterName: helm-lint
disableTopologySpreadConstraints: true
asserts:
- isEmpty:
path: spec.template.spec.topologySpreadConstraints
- it: removes topology spread constraints when running on antique kubernetes
template: proxy/deployment.yaml
set:
clusterName: helm-lint
capabilities:
majorVersion: 1
minorVersion: 17
asserts:
- isEmpty:
path: spec.template.spec.topologySpreadConstraints
- it: uses custom topology spread constraints when set
template: proxy/deployment.yaml
set:
clusterName: helm-lint
topologySpreadConstraints:
- maxSkew: 2
topologyKey: foobar
whenUnsatisfiable: ScheduleAnyway
labelSelector:
matchLabels:
app: baz
# helm unit-test has a bug where capabilities are not reset between tests, we must set back to 1.18 after the 1.17 test.
capabilities:
majorVersion: 1
minorVersion: 18
asserts:
- equal:
path: spec.template.spec.topologySpreadConstraints
value:
- maxSkew: 2
topologyKey: foobar
whenUnsatisfiable: ScheduleAnyway
labelSelector:
matchLabels:
app: baz

13
teleport-cluster/values.schema.json
View File

@ -126,6 +126,19 @@
], ],
"default": "otp" "default": "otp"
}, },
"secondFactors": {
"$id": "#/properties/authentication/properties/secondFactors",
"type": "array",
"items": {
"type": "string",
"enum": [
"otp",
"sso",
"webauthn"
]
},
"default": []
},
"webauthn": { "webauthn": {
"$id": "#/properties/authentication/properties/webauthn", "$id": "#/properties/authentication/properties/webauthn",
"type": "object", "type": "object",

71
teleport-cluster/values.yaml
View File

@ -129,9 +129,11 @@ authentication:
# See https://goteleport.com/docs/access-controls/guides/locking/#next-steps-locking-modes. # See https://goteleport.com/docs/access-controls/guides/locking/#next-steps-locking-modes.
lockingMode: "" lockingMode: ""
# Second factor requirements for users of the Teleport cluster. # DEPRECATED: Second factor requirements for users of the Teleport cluster.
# Controls the `auth_config.authentication.second_factor` field in `teleport.yaml`. # Controls the `auth_config.authentication.second_factor` field in `teleport.yaml`.
# Possible values are 'off', 'on', 'otp', 'optional' and 'webauthn'. # Possible values are 'off', 'on', 'otp', 'optional' and 'webauthn'.
# This field is kept for backward compatibility purposes, you should use
# `secondFactors` instead.
# #
# WARNING: # WARNING:
# If you set `publicAddr` for users to access the cluster under a domain different # If you set `publicAddr` for users to access the cluster under a domain different
@ -148,7 +150,29 @@ authentication:
# "teleport.example.com", RP ID can be "teleport.example.com" or "example.com". # "teleport.example.com", RP ID can be "teleport.example.com" or "example.com".
# #
# Changing the RP ID will invalidate all already registered webauthn second factors. # Changing the RP ID will invalidate all already registered webauthn second factors.
secondFactor: "on" # secondFactor: ""
# Second factor requirements for users of the Teleport cluster.
# Controls the `auth_config.authentication.second_factors` field in `teleport.yaml`.
# This is a list whose possible item values are item values are 'otp', 'sso' and 'webauthn'.
# This should be preferred over `secondFactor`.
#
# WARNING:
# If you set `publicAddr` for users to access the cluster under a domain different
# to clusterName you must manually set the webauthn Relying
# Party Identifier (RP ID) - https://www.w3.org/TR/webauthn-2/#relying-party-identifier
# If you don't, RP ID will default to `clusterName` and users will fail
# to register second factors.
#
# You can do this by setting the value
# `auth.teleportConfig.auth_service.authentication.webauthn.rp_id`.
#
# RP ID must be both a valid domain, and part of the full domain users are connecting to.
# For example, if users are accessing the cluster with the domain
# "teleport.example.com", RP ID can be "teleport.example.com" or "example.com".
#
# Changing the RP ID will invalidate all already registered webauthn second factors.
secondFactors: ["otp", "webauthn"]
# (Optional) When using webauthn this allows to restrict which vendor and key models can be used. # (Optional) When using webauthn this allows to restrict which vendor and key models can be used.
# webauthn: # webauthn:
@ -604,6 +628,30 @@ log:
# https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector # https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
nodeSelector: {} nodeSelector: {}
# Turns off the topology spread constraints.
# The feature is automatically turned off on Kubernetes versions below 1.18.
disableTopologySpreadConstraints: false
# Pod topology spread constraints:
# https://kubernetes.io/fr/docs/concepts/workloads/pods/pod-topology-spread-constraints/
# When unset, the chart defaults to a soft topology spread constraint
# that tries to spread pods across hosts and zones.
#
# ```
# topologySpreadConstraints
# - maxSkew: 1
# topologyKey: kubernetes.io/hostname
# whenUnsatisfiable: ScheduleAnyway
# labelSelector:
# matchLabels: # dynamically computed
# - maxSkew: 1
# topologyKey: topology.kubernetes.io/zone
# whenUnsatisfiable: ScheduleAnyway
# labelSelector:
# matchLabels: # dynamically computed
# ```
topologySpreadConstraints: []
# Affinity for pod assignment # Affinity for pod assignment
# https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
# NOTE: If affinity is set here, highAvailability.requireAntiAffinity cannot also be used - you can only set one or the other. # NOTE: If affinity is set here, highAvailability.requireAntiAffinity cannot also be used - you can only set one or the other.
@ -794,7 +842,24 @@ tolerations: []
# Timeouts for the readiness and liveness probes # Timeouts for the readiness and liveness probes
# https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ # https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
probeTimeoutSeconds: 1 probeTimeoutSeconds: 5
# readinessProbe(object) -- configures the readiness probe settings.
# This can be tuned to keep proxy pods ready even when the auth is unavailable.
#
# The default values mark the pod unready after one minute of failing readiness probe.
readinessProbe:
# readinessProbe.initialDelaySeconds(int) -- controls the number of seconds after the container has started before
# liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
initialDelaySeconds: 5
# readinessProbe.periodSeconds(int) -- controls how often (in seconds) to perform the probe. Minimum value is 1.
periodSeconds: 5
# readinessProbe.failureThreshold(int) -- is the minimum consecutive failures for the probe to be considered failed
# after having succeeded. Minimum value is 1.
failureThreshold: 12
# readinessProbe.successThreshold(int) -- is the minimum consecutive successes for the probe to be considered
# successful after having failed. Minimum value is 1.
successThreshold: 1
# Kubernetes termination grace period # Kubernetes termination grace period
# https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution # https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution