Update teleport

This commit is contained in:
Jonny Ervine 2024-05-30 22:13:48 +08:00
parent 75e0455149
commit e68fe2fe5a
186 changed files with 22273 additions and 24 deletions


@ -0,0 +1,3 @@
clusterName: test-cluster-name
extraArgs:
- "--insecure"


@ -0,0 +1,3 @@
clusterName: test-acme-cluster
acme: true
acmeEmail: test@email.com


@ -0,0 +1,4 @@
clusterName: test-acme-cluster
acme: true
acmeEmail: test@email.com
acmeURI: https://acme-staging-v02.api.letsencrypt.org/directory


@ -0,0 +1,29 @@
clusterName: test-gcp-cluster
chartMode: gcp
gcp:
projectId: gcpproj-123456
backendTable: test-teleport-firestore-storage-collection
auditLogTable: test-teleport-firestore-auditlog-collection
sessionRecordingBucket: test-gcp-session-storage-bucket
highAvailability:
replicaCount: 2
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: gravitational.io/dedicated
operator: In
values:
- teleport
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: app
operator: In
values:
- teleport
topologyKey: kubernetes.io/hostname
weight: 1


@ -0,0 +1,17 @@
clusterName: helm-lint
annotations:
config:
kubernetes.io/config: "test-annotation"
kubernetes.io/config-different: 2
deployment:
kubernetes.io/deployment: "test-annotation"
kubernetes.io/deployment-different: 3
pod:
kubernetes.io/pod: "test-annotation"
kubernetes.io/pod-different: 4
service:
kubernetes.io/service: "test-annotation"
kubernetes.io/service-different: 5
serviceAccount:
kubernetes.io/serviceaccount: "test-annotation"
kubernetes.io/serviceaccount-different: 6


@ -0,0 +1,3 @@
clusterName: helm-lint
authentication:
connectorName: "okta"


@ -0,0 +1,5 @@
clusterName: helm-lint
authentication:
type: "github"
localAuth: false
secondFactor: "off"


@ -0,0 +1,3 @@
clusterName: helm-lint
authentication:
lockingMode: "strict"


@ -0,0 +1,4 @@
clusterName: helm-lint
authentication:
connectorName: passwordless
secondFactor: webauthn


@ -0,0 +1,4 @@
clusterName: helm-lint
authentication:
type: "this-should-be-ignored"
authenticationType: "github"


@ -0,0 +1,3 @@
clusterName: helm-lint
authentication:
type: "github"


@ -0,0 +1,10 @@
clusterName: helm-lint
authentication:
secondFactor: "off" # this should be overridden
authenticationSecondFactor:
secondFactor: "on"
webauthn:
attestationAllowedCas:
- "/etc/ssl/certs/ca-certificates.crt"
attestationDeniedCas:
- "/etc/ssl/certs/ca-certificates.crt"


@ -0,0 +1,8 @@
clusterName: helm-lint
authentication:
secondFactor: "on"
webauthn:
attestationAllowedCas:
- "/etc/ssl/certs/ca-certificates.crt"
attestationDeniedCas:
- "/etc/ssl/certs/ca-certificates.crt"


@ -0,0 +1,13 @@
clusterName: test-aws-cluster
chartMode: aws
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
sessionRecordingBucket: test-s3-session-storage-bucket
athenaURL: 'athena://db.table?topicArn=arn:aws:sns:region:account_id:topic_name'
accessMonitoring:
enabled: true
reportResults: "s3://example-athena-long-term/report_results"
roleARN: "arn:aws:iam::123456789012:role/example_AccessMonitoringRole"
workgroup: "example_access_monitoring_workgroup"


@ -0,0 +1,14 @@
clusterName: test-aws-cluster
chartMode: aws
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
auditLogTable: test-dynamodb-auditlog-table
sessionRecordingBucket: test-s3-session-storage-bucket
dynamoAutoScaling: true
readMinCapacity: 5
readMaxCapacity: 100
readTargetValue: 50.0
writeMinCapacity: 5
writeMaxCapacity: 100
writeTargetValue: 50.0


@ -0,0 +1,14 @@
clusterName: test-aws-cluster
chartMode: aws
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
auditLogTable: test-dynamodb-auditlog-table
sessionRecordingBucket: test-s3-session-storage-bucket
highAvailability:
replicaCount: 3
certManager:
enabled: true
issuerName: letsencrypt-production
labels:
env: aws


@ -0,0 +1,12 @@
clusterName: test-aws-cluster
chartMode: aws
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
auditLogTable: test-dynamodb-auditlog-table
sessionRecordingBucket: test-s3-session-storage-bucket
highAvailability:
replicaCount: 3
requireAntiAffinity: true
labels:
env: aws


@ -0,0 +1,17 @@
clusterName: test-aws-cluster
chartMode: aws
log:
level: DEBUG
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
auditLogTable: test-dynamodb-auditlog-table
auditLogMirrorOnStdout: true
sessionRecordingBucket: test-s3-session-storage-bucket
highAvailability:
replicaCount: 2
certManager:
enabled: true
issuerName: letsencrypt-production
labels:
env: aws


@ -0,0 +1,11 @@
clusterName: test-aws-cluster
chartMode: aws
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
auditLogTable: test-dynamodb-auditlog-table
sessionRecordingBucket: test-s3-session-storage-bucket
highAvailability:
replicaCount: 3
labels:
env: aws


@ -0,0 +1,11 @@
clusterName: test-aws-cluster
chartMode: aws
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
auditLogTable: test-dynamodb-auditlog-table
sessionRecordingBucket: test-s3-session-storage-bucket
acme: true
acmeEmail: test@email.com
labels:
env: aws


@ -0,0 +1,11 @@
clusterName: test-azure-cluster
chartMode: azure
azure:
databaseHost: "mypostgresinstance.postgres.database.azure.com"
databaseUser: "teleport"
backendDatabase: "teleport_backend"
auditLogDatabase: "teleport_audit"
auditLogMirrorOnStdout: true
sessionRecordingStorageAccount: "mystorageaccount.blob.core.windows.net"
clientID: "1234"
databasePoolMaxConnections: 100


@ -0,0 +1,15 @@
clusterName: test-cluster
chartMode: aws
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
auditLogTable: test-dynamodb-auditlog-table
sessionRecordingBucket: test-s3-session-storage-bucket
highAvailability:
replicaCount: 3
certManager:
addCommonName: true
enabled: true
issuerGroup: custom.cert-manager.io
issuerName: custom
issuerKind: CustomClusterIssuer


@ -0,0 +1,15 @@
clusterName: test-cluster
chartMode: aws
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
auditLogTable: test-dynamodb-auditlog-table
sessionRecordingBucket: test-s3-session-storage-bucket
annotations:
certSecret:
kubernetes.io/cert-secret: value
highAvailability:
replicaCount: 3
certManager:
enabled: true
issuerName: letsencrypt


@ -0,0 +1,7 @@
# This setup is not safe for production because the proxy will self-sign its certificate.
# Use those values for testing only
# The chart should deploy and work only with a clusterName.
# This setup can also cause redirection issues if the proxy is contacted with a hostName instead of an IP address
# as it is not aware of its external hostname and will attempt to perform a redirection.
clusterName: helm-lint


@ -0,0 +1,4 @@
clusterName: test-cluster-name
tls:
existingSecretName: helm-lint-existing-tls-secret
existingCASecretName: helm-lint-existing-tls-secret-ca


@ -0,0 +1,3 @@
clusterName: test-cluster-name
tls:
existingSecretName: helm-lint-existing-tls-secret


@ -0,0 +1,12 @@
clusterName: helm-lint.example.com
extraContainers:
- name: nscenter
command:
- /bin/bash
- -c
- sleep infinity & wait
image: praqma/network-multitool
imagePullPolicy: IfNotPresent
securityContext:
privileged: true
runAsNonRoot: false


@ -0,0 +1,4 @@
clusterName: helm-lint.example.com
extraEnv:
- name: SOME_ENVIRONMENT_VARIABLE
value: "some-value"


@ -0,0 +1,14 @@
clusterName: test-gcp-cluster
chartMode: gcp
gcp:
projectId: gcpproj-123456
backendTable: test-teleport-firestore-storage-collection
auditLogTable: test-teleport-firestore-auditlog-collection
sessionRecordingBucket: test-gcp-session-storage-bucket
highAvailability:
replicaCount: 3
certManager:
enabled: true
issuerName: letsencrypt-production
labels:
env: gcp


@ -0,0 +1,12 @@
clusterName: test-gcp-cluster
chartMode: gcp
gcp:
projectId: gcpproj-123456
backendTable: test-teleport-firestore-storage-collection
auditLogTable: test-teleport-firestore-auditlog-collection
sessionRecordingBucket: test-gcp-session-storage-bucket
highAvailability:
replicaCount: 3
requireAntiAffinity: true
labels:
env: gcp


@ -0,0 +1,17 @@
clusterName: test-gcp-cluster
chartMode: gcp
log:
level: DEBUG
gcp:
projectId: gcpproj-123456
backendTable: test-teleport-firestore-storage-collection
auditLogTable: test-teleport-firestore-auditlog-collection
auditLogMirrorOnStdout: true
sessionRecordingBucket: test-gcp-session-storage-bucket
highAvailability:
replicaCount: 3
certManager:
enabled: true
issuerName: letsencrypt-production
labels:
env: gcp


@ -0,0 +1,12 @@
clusterName: test-gcp-cluster
chartMode: gcp
gcp:
projectId: gcpproj-123456
backendTable: test-teleport-firestore-storage-collection
auditLogTable: test-teleport-firestore-auditlog-collection
sessionRecordingBucket: test-gcp-session-storage-bucket
credentialSecretName: ""
highAvailability:
replicaCount: 3
labels:
env: gcp


@ -0,0 +1,11 @@
clusterName: test-gcp-cluster
chartMode: gcp
gcp:
projectId: gcpproj-123456
backendTable: test-teleport-firestore-storage-collection
auditLogTable: test-teleport-firestore-auditlog-collection
sessionRecordingBucket: test-gcp-session-storage-bucket
highAvailability:
replicaCount: 3
labels:
env: gcp


@ -0,0 +1,11 @@
clusterName: test-gcp-cluster
chartMode: gcp
gcp:
projectId: gcpproj-123456
backendTable: test-teleport-firestore-storage-collection
auditLogTable: test-teleport-firestore-auditlog-collection
sessionRecordingBucket: test-gcp-session-storage-bucket
acme: true
acmeEmail: test@email.com
labels:
env: gcp


@ -0,0 +1,4 @@
clusterName: test-standalone-cluster
chartMode: standalone
imagePullSecrets:
- name: myRegistryKeySecretName


@ -0,0 +1,8 @@
clusterName: teleport.example.com
publicAddr: ["my-teleport-ingress.example.com:443"]
ingress:
enabled: true
suppressAutomaticWildcards: true
proxyListenerMode: multiplex
service:
type: ClusterIP


@ -0,0 +1,6 @@
clusterName: teleport.example.com
ingress:
enabled: true
proxyListenerMode: multiplex
service:
type: ClusterIP


@ -0,0 +1,8 @@
clusterName: helm-lint
initContainers:
- name: "teleport-init"
image: "alpine"
args: ["echo test"]
- name: "teleport-init2"
image: "alpine"
args: ["echo test2"]


@ -0,0 +1,2 @@
clusterName: test-aws-cluster
kubeClusterName: test-kube-cluster


@ -0,0 +1,4 @@
clusterName: test-log-cluster
log:
format: json
level: INFO


@ -0,0 +1,6 @@
clusterName: test-log-cluster
log:
format: json
level: DEBUG
output: /var/lib/teleport/test.log
extraFields: ["level", "timestamp", "component", "caller"]


@ -0,0 +1,2 @@
clusterName: test-log-cluster
logLevel: DEBUG


@ -0,0 +1,4 @@
clusterName: test-cluster-name
nodeSelector:
role: bastion
environment: security


@ -0,0 +1,4 @@
clusterName: test-cluster-name
operator:
enabled: true
installCRDs: true


@ -0,0 +1,12 @@
clusterName: helm-lint
chartMode: aws
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
auditLogTable: test-dynamodb-auditlog-table
sessionRecordingBucket: test-s3-session-storage-bucket
highAvailability:
replicaCount: 3
podDisruptionBudget:
enabled: true
minAvailable: 2


@ -0,0 +1,4 @@
clusterName: test-persistence-cluster
standalone:
existingClaimName: ""
volumeSize: 10Gi


@ -0,0 +1 @@
clusterName: helm-lint


@ -0,0 +1,7 @@
clusterName: helm-lint
podSecurityContext:
fsGroup: 99
fsGroupChangePolicy: OnRootMismatch
runAsGroup: 99
runAsNonRoot: true
runAsUser: 99


@ -0,0 +1,6 @@
clusterName: test-kube-cluster-name
podMonitor:
enabled: true
additionalLabels:
prometheus: default
interval: 30s


@ -0,0 +1,4 @@
clusterName: helm-lint
# These are just sample values to test the chart.
# They are not intended to be guidelines or suggestions for running teleport.
priorityClassName: "system-cluster-critical"


@ -0,0 +1,4 @@
clusterName: helm-lint
# These are just sample values to test the chart.
# They are not intended to be guidelines or suggestions for running teleport.
probeTimeoutSeconds: 5


@ -0,0 +1,2 @@
clusterName: test-proxy-listener-mode
proxyListenerMode: multiplex


@ -0,0 +1,2 @@
clusterName: test-proxy-listener-mode
proxyListenerMode: separate


@ -0,0 +1,11 @@
clusterName: helm-lint
publicAddr: ["loadbalancer.example.com:443"]
sshPublicAddr: ["loadbalancer.example.com:3023"]
tunnelPublicAddr: ["loadbalancer.example.com:3024"]
postgresPublicAddr: ["loadbalancer.example.com:5432"]
mongoPublicAddr: ["loadbalancer.example.com:27017"]
mysqlPublicAddr: ["loadbalancer.example.com:3036"]
kubePublicAddr: ["loadbalancer.example.com:3026"]
separatePostgresListener: true
separateMongoListener: true


@ -0,0 +1,10 @@
clusterName: helm-lint
# These are just sample values to test the chart.
# They are not intended to be guidelines or suggestions for running teleport.
resources:
limits:
cpu: 2
memory: 4Gi
requests:
cpu: 1
memory: 2Gi


@ -0,0 +1 @@
clusterName: helm-lint


@ -0,0 +1,8 @@
clusterName: helm-lint
securityContext:
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: false
runAsGroup: 99
runAsNonRoot: true
runAsUser: 99


@ -0,0 +1,2 @@
clusterName: helm-lint
separateMongoListener: true


@ -0,0 +1,2 @@
clusterName: helm-lint
separatePostgresListener: true


@ -0,0 +1,7 @@
clusterName: helm-lint
serviceAccount:
create: true
name: helm-lint
annotations:
serviceAccount:
kubernetes.io/serviceaccount: "test-annotation"


@ -0,0 +1,5 @@
clusterName: helm-lint
service:
type: LoadBalancer
spec:
loadBalancerIP: 1.2.3.4


@ -0,0 +1,2 @@
clusterName: helm-lint
sessionRecording: "off"


@ -0,0 +1,2 @@
clusterName: helm-lint
sessionRecording: "node-sync"


@ -0,0 +1,9 @@
clusterName: test-standalone-cluster
chartMode: standalone
persistence:
enabled: true
storageClassName: ebs-ssd
acme: true
acmeEmail: test@email.com
labels:
env: standalone


@ -0,0 +1,9 @@
clusterName: test-standalone-cluster
chartMode: standalone
persistence:
enabled: true
volumeSize: 50Gi
acme: true
acmeEmail: test@email.com
labels:
env: standalone


@ -0,0 +1,9 @@
clusterName: test-standalone-cluster
chartMode: standalone
persistence:
enabled: true
existingClaimName: teleport-storage
acme: true
acmeEmail: test@email.com
labels:
env: standalone


@ -0,0 +1,18 @@
clusterName: test-aws-cluster
chartMode: aws
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
auditLogTable: test-dynamodb-auditlog-table
sessionRecordingBucket: test-s3-session-storage-bucket
highAvailability:
replicaCount: 3
tolerations:
- key: "dedicated"
operator: "Equal"
value: "teleport"
effect: "NoExecute"
- key: "dedicated"
operator: "Equal"
value: "teleport"
effect: "NoSchedule"


@ -0,0 +1,5 @@
clusterName: test-cluster-name
teleportVersionOverride: 5.2.1
labels:
env: test
version: 5.2.1


@ -0,0 +1,8 @@
clusterName: helm-lint
extraVolumeMounts:
- name: "my-mount"
mountPath: "/path/to/mount"
extraVolumes:
- name: "my-mount"
secret:
secretName: "mySecret"


@ -0,0 +1,13 @@
apiVersion: v2
appVersion: 15.3.3
dependencies:
- alias: operator
name: teleport-operator
repository: ""
version: 15.3.3
description: Teleport is an access platform for your infrastructure
icon: https://goteleport.com/static/teleport-symbol-bimi.svg
keywords:
- Teleport
name: teleport-cluster
version: 15.3.3


@ -0,0 +1,67 @@
# Teleport Cluster
This chart sets up a Teleport cluster composed of at least 1 Proxy instance
and 1 Auth instance. When applicable, the chart will default to 2 pods to
provide high-availability.
## Important Notices
- The chart version follows the Teleport version. e.g. chart v10.x can run Teleport v10.x and v11.x, but is not compatible with Teleport 9.x
- Teleport does mutual TLS to authenticate clients. Establishing mTLS through a L7
LoadBalancer, like a Kubernetes `Ingress` [requires ALPN support](https://goteleport.com/docs/architecture/tls-routing/#working-with-layer-7-load-balancers-or-reverse-proxies).
Exposing Teleport through a `Service` with type `LoadBalancer` is still recommended
because its the most flexible and least complex setup.
## Getting Started
### Single-node example
To install Teleport in a separate namespace and provision a web certificate using Let's Encrypt, run:
```bash
$ helm install teleport/teleport-cluster \
--set acme=true \
--set acmeEmail=alice@example.com \
--set clusterName=teleport.example.com\
--create-namespace \
--namespace=teleport-cluster \
./teleport-cluster/
```
Finally, configure the DNS for `teleport.example.com` to point to the newly created LoadBalancer.
Note: this guide uses the built-in ACME client to get certificates.
In this setup, Teleport nodes cannot be replicated. If you want to run multiple
Teleport replicas, you must provide a certificate through `tls.existingSecretName`
or by installing [cert-manager](https://cert-manager.io/docs/) and setting the `highAvailability.certManager.*` values.
### Replicated setup guides
- [Running an HA Teleport cluster in Kubernetes using an AWS EKS Cluster](https://goteleport.com/docs/deploy-a-cluster/helm-deployments/aws/)
- [Running an HA Teleport cluster in Kubernetes using a Google Cloud GKE cluster](https://goteleport.com/docs/deploy-a-cluster/helm-deployments/gcp/)
- [Running a Teleport cluster in Kubernetes with a custom Teleport config](https://goteleport.com/docs/deploy-a-cluster/helm-deployments/custom/)
### Creating first user
The first user can be created by executing a command in one of the auth pods.
```shell
kubectl exec it -n teleport-cluster statefulset/teleport-cluster-auth -- tctl users add my-username --roles=editor,auditor,access
```
The command should output a registration link to finalize the user creation.
## Uninstalling
```bash
helm uninstall --namespace teleport-cluster teleport-cluster
```
## Documentation
See https://goteleport.com/docs/kubernetes-access/helm/guides/ for guides on setting up HA Teleport clusters
in EKS or GKE, plus a comprehensive chart reference.
## Contributing to the chart
Please read [CONTRIBUTING.md](../CONTRIBUTING.md) before raising a pull request to this chart.


@ -0,0 +1,14 @@
annotations:
deployment:
kubernetes.io/deployment: "test-annotation"
kubernetes.io/deployment-different: 3
pod:
kubernetes.io/pod: "test-annotation"
kubernetes.io/pod-different: 4
serviceAccount:
kubernetes.io/serviceaccount: "test-annotation"
kubernetes.io/serviceaccount-different: 6
teleportAddress: "example.teleport.sh:443"
token: "my-operator-bot"
teleportClusterName: "example.teleport.sh"
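Review bot: `token: "my-operator-bot"` puts a join-token literal in a committed values file with nothing marking it as a placeholder; the same line appears in the other four operator fixtures in this commit that set `token`. The value is obviously made up, but a fixture with a real-looking key and no comment is exactly what gets copied into a first deployment. I would add `# placeholder join token for chart linting only; supply the real token out of band` above `token` in each of them.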


@ -0,0 +1,3 @@
teleportAddress: "example.teleport.sh:443"
token: "my-operator-bot"
teleportClusterName: "example.teleport.sh"


@ -0,0 +1 @@
enabled: false


@ -0,0 +1,6 @@
tls:
existingCASecretName: helm-lint-existing-tls-secret-ca
teleportAddress: "teleport.example.com:3080"
token: "my-operator-bot"
teleportClusterName: "teleport.example.com"


@ -0,0 +1,3 @@
teleportAddress: "example.teleport.sh:443"
token: "my-operator-bot"
joinMethod: "iam"


@ -0,0 +1,13 @@
# These are just sample values to test the chart.
# They are not intended to be guidelines or suggestions for running teleport.
resources:
limits:
cpu: 2
memory: 4Gi
requests:
cpu: 1
memory: 2Gi
teleportAddress: "example.teleport.sh:443"
token: "my-operator-bot"
teleportClusterName: "example.teleport.sh"


@ -0,0 +1,8 @@
apiVersion: v2
appVersion: 15.3.3
description: Teleport Operator provides management of select Teleport resources.
icon: https://goteleport.com/static/teleport-symbol-bimi.svg
keywords:
- Teleport
name: teleport-operator
version: 15.3.3


@ -0,0 +1,28 @@
# Teleport Operator
This chart deploys the Teleport Kubernetes Operator. The operator allows to manage
Teleport resources from inside Kubernetes.
## Important notice
The chart version follows the Teleport and Teleport Kube Operator version. e.g.
chart v15.0.1 runs the operator version 15.0.1 by default. To control which
operator version is deployed, use the `--version` Helm flag.
## Deployment
The chart can be deployed in two ways:
- in standalone mode by running
```shell
helm install teleport/teleport-operator teleport-operator --set authAddr=teleport.example.com:443 --set token=my-operator-token
```
See [the standalone guide](https://goteleport.com/docs/management/dynamic-resources/teleport-operator-standalone/) for more details.
- as a dependency of the `teleport-cluster` Helm chart by adding `--set operator.enabled=true`. See
[the operator within teleport-cluster chart guide](https://goteleport.com/docs/management/dynamic-resources/teleport-operator-helm/).
## Values and reference
The `values.yaml` is documented through comment or via
[the reference docs](https://goteleport.com/docs/reference/helm-reference/teleport-operator/).
Please make sure you are looking at the correct version when looking at the values reference.


@ -0,0 +1,278 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
creationTimestamp: null
name: teleportaccesslists.resources.teleport.dev
spec:
group: resources.teleport.dev
names:
kind: TeleportAccessList
listKind: TeleportAccessListList
plural: teleportaccesslists
shortNames:
- accesslist
- accesslists
singular: teleportaccesslist
scope: Namespaced
versions:
- name: v1
schema:
openAPIV3Schema:
description: AccessList is the Schema for the accesslists API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: AccessList resource definition v1 from Teleport
properties:
audit:
description: audit describes the frequency that this access list must
be audited.
nullable: true
properties:
next_audit_date:
description: next_audit_date is when the next audit date should
be done by.
format: date-time
type: string
notifications:
description: notifications is the configuration for notifying
users.
nullable: true
properties:
start:
description: start specifies when to start notifying users
that the next audit date is coming up.
format: duration
type: string
type: object
recurrence:
description: recurrence is the recurrence definition
nullable: true
properties:
day_of_month:
description: day_of_month is the day of month that reviews
will be scheduled on. Supported values are 0, 1, 15, and
31.
x-kubernetes-int-or-string: true
frequency:
description: frequency is the frequency of reviews. This represents
the period in months between two reviews. Supported values
are 0, 1, 3, 6, and 12.
x-kubernetes-int-or-string: true
type: object
type: object
description:
description: description is an optional plaintext description of the
access list.
type: string
grants:
description: grants describes the access granted by membership to
this access list.
nullable: true
properties:
roles:
description: roles are the roles that are granted to users who
are members of the access list.
items:
type: string
nullable: true
type: array
traits:
additionalProperties:
items:
type: string
type: array
description: traits are the traits that are granted to users who
are members of the access list.
type: object
type: object
membership_requires:
description: membership_requires describes the requirements for a
user to be a member of the access list. For a membership to an access
list to be effective, the user must meet the requirements of Membership_requires
and must be in the members list.
nullable: true
properties:
roles:
description: roles are the user roles that must be present for
the user to obtain access.
items:
type: string
nullable: true
type: array
traits:
additionalProperties:
items:
type: string
type: array
description: traits are the traits that must be present for the
user to obtain access.
type: object
type: object
owner_grants:
description: owner_grants describes the access granted by owners to
this access list.
nullable: true
properties:
roles:
description: roles are the roles that are granted to users who
are members of the access list.
items:
type: string
nullable: true
type: array
traits:
additionalProperties:
items:
type: string
type: array
description: traits are the traits that are granted to users who
are members of the access list.
type: object
type: object
owners:
description: owners is a list of owners of the access list.
items:
properties:
description:
description: description is the plaintext description of the
owner and why they are an owner.
type: string
ineligible_status:
description: ineligible_status describes if this owner is eligible
or not and if not, describes how they're lacking eligibility.
x-kubernetes-int-or-string: true
name:
description: name is the username of the owner.
type: string
type: object
nullable: true
type: array
ownership_requires:
description: ownership_requires describes the requirements for a user
to be an owner of the access list. For ownership of an access list
to be effective, the user must meet the requirements of ownership_requires
and must be in the owners list.
nullable: true
properties:
roles:
description: roles are the user roles that must be present for
the user to obtain access.
items:
type: string
nullable: true
type: array
traits:
additionalProperties:
items:
type: string
type: array
description: traits are the traits that must be present for the
user to obtain access.
type: object
type: object
title:
description: title is a plaintext short description of the access
list.
type: string
type: object
status:
description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations
of an object's state
items:
description: "Condition contains details for one aspect of the current
state of this API Resource.\n---\nThis struct is intended for
direct use as an array at the field path .status.conditions. For
example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
observations of a foo's current state.\n\t // Known .status.conditions.type
are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
\ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
\ // other fields\n\t}"
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
teleportResourceID:
format: int64
type: integer
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null


@ -0,0 +1,182 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
creationTimestamp: null
name: teleportgithubconnectors.resources.teleport.dev
spec:
group: resources.teleport.dev
names:
kind: TeleportGithubConnector
listKind: TeleportGithubConnectorList
plural: teleportgithubconnectors
shortNames:
- githubconnector
- githubconnectors
singular: teleportgithubconnector
scope: Namespaced
versions:
- name: v3
schema:
openAPIV3Schema:
description: GithubConnector is the Schema for the githubconnectors API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: GithubConnector resource definition v3 from Teleport
properties:
api_endpoint_url:
description: APIEndpointURL is the URL of the API endpoint of the
Github instance this connector is for.
type: string
client_id:
description: ClientID is the Github OAuth app client ID.
type: string
client_redirect_settings:
description: ClientRedirectSettings defines which client redirect
URLs are allowed for non-browser SSO logins other than the standard
localhost ones.
nullable: true
properties:
allowed_https_hostnames:
description: a list of hostnames allowed for https client redirect
URLs
items:
type: string
nullable: true
type: array
type: object
client_secret:
description: ClientSecret is the Github OAuth app client secret.
type: string
display:
description: Display is the connector display name.
type: string
endpoint_url:
description: EndpointURL is the URL of the GitHub instance this connector
is for.
type: string
redirect_url:
description: RedirectURL is the authorization callback URL.
type: string
teams_to_roles:
description: TeamsToRoles maps Github team memberships onto allowed
roles.
items:
properties:
organization:
description: Organization is a Github organization a user belongs
to.
type: string
roles:
description: Roles is a list of allowed logins for this org/team.
items:
type: string
nullable: true
type: array
team:
description: Team is a team within the organization a user belongs
to.
type: string
type: object
type: array
type: object
status:
description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations
of an object's state
items:
description: "Condition contains details for one aspect of the current
state of this API Resource.\n---\nThis struct is intended for
direct use as an array at the field path .status.conditions. For
example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
observations of a foo's current state.\n\t // Known .status.conditions.type
are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
\ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
\ // other fields\n\t}"
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
teleportResourceID:
format: int64
type: integer
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null


@ -0,0 +1,147 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
creationTimestamp: null
name: teleportloginrules.resources.teleport.dev
spec:
group: resources.teleport.dev
names:
kind: TeleportLoginRule
listKind: TeleportLoginRuleList
plural: teleportloginrules
shortNames:
- loginrule
- loginrules
singular: teleportloginrule
scope: Namespaced
versions:
- name: v1
schema:
openAPIV3Schema:
description: LoginRule is the Schema for the loginrules API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: LoginRule resource definition v1 from Teleport
properties:
priority:
description: Priority is the priority of the login rule relative to
other login rules in the same cluster. Login rules with a lower
numbered priority will be evaluated first.
format: int32
type: integer
traits_expression:
description: TraitsExpression is a predicate expression which should
return the desired traits for the user upon login.
type: string
traits_map:
additionalProperties:
items:
type: string
type: array
description: TraitsMap is a map of trait keys to lists of predicate
expressions which should evaluate to the desired values for that
trait.
nullable: true
type: object
type: object
status:
description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations
of an object's state
items:
description: "Condition contains details for one aspect of the current
state of this API Resource.\n---\nThis struct is intended for
direct use as an array at the field path .status.conditions. For
example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
observations of a foo's current state.\n\t // Known .status.conditions.type
are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
\ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
\ // other fields\n\t}"
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
teleportResourceID:
format: int64
type: integer
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null


@ -0,0 +1,227 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
creationTimestamp: null
name: teleportoidcconnectors.resources.teleport.dev
spec:
group: resources.teleport.dev
names:
kind: TeleportOIDCConnector
listKind: TeleportOIDCConnectorList
plural: teleportoidcconnectors
shortNames:
- oidcconnector
- oidcconnectors
singular: teleportoidcconnector
scope: Namespaced
versions:
- name: v3
schema:
openAPIV3Schema:
description: OIDCConnector is the Schema for the oidcconnectors API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: OIDCConnector resource definition v3 from Teleport
properties:
acr_values:
description: ACR is an Authentication Context Class Reference value.
The meaning of the ACR value is context-specific and varies for
identity providers.
type: string
allow_unverified_email:
description: AllowUnverifiedEmail tells the connector to accept OIDC
users with unverified emails.
type: boolean
claims_to_roles:
description: ClaimsToRoles specifies a dynamic mapping from claims
to roles.
items:
properties:
claim:
description: Claim is a claim name.
type: string
roles:
description: Roles is a list of static teleport roles to match.
items:
type: string
nullable: true
type: array
value:
description: Value is a claim value to match.
type: string
type: object
type: array
client_id:
description: ClientID is the id of the authentication client (Teleport
Auth server).
type: string
client_redirect_settings:
description: ClientRedirectSettings defines which client redirect
URLs are allowed for non-browser SSO logins other than the standard
localhost ones.
nullable: true
properties:
allowed_https_hostnames:
description: a list of hostnames allowed for https client redirect
URLs
items:
type: string
nullable: true
type: array
type: object
client_secret:
description: ClientSecret is used to authenticate the client.
type: string
display:
description: Display is the friendly name for this provider.
type: string
google_admin_email:
description: GoogleAdminEmail is the email of a google admin to impersonate.
type: string
google_service_account:
description: GoogleServiceAccount is a string containing google service
account credentials.
type: string
google_service_account_uri:
description: GoogleServiceAccountURI is a path to a google service
account uri.
type: string
issuer_url:
description: IssuerURL is the endpoint of the provider, e.g. https://accounts.google.com.
type: string
max_age:
description: MaxAge is the amount of time that user logins are valid
for. If a user logs in, but then does not login again within this
time period, they will be forced to re-authenticate.
format: duration
type: string
prompt:
description: Prompt is an optional OIDC prompt. An empty string omits
prompt. If not specified, it defaults to select_account for backwards
compatibility.
type: string
provider:
description: Provider is the external identity provider.
type: string
redirect_url:
description: RedirectURLs is a list of callback URLs which the identity
provider can use to redirect the client back to the Teleport Proxy
to complete authentication. This list should match the URLs on the
provider's side. The URL used for a given auth request will be chosen
to match the requesting Proxy's public address. If there is no match,
the first url in the list will be used.
items:
type: string
type: array
scope:
description: Scope specifies additional scopes set by provider.
items:
type: string
nullable: true
type: array
username_claim:
description: UsernameClaim specifies the name of the claim from the
OIDC connector to be used as the user's username.
type: string
type: object
status:
description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations
of an object's state
items:
description: "Condition contains details for one aspect of the current
state of this API Resource.\n---\nThis struct is intended for
direct use as an array at the field path .status.conditions. For
example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
observations of a foo's current state.\n\t // Known .status.conditions.type
are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
\ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
\ // other fields\n\t}"
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
teleportResourceID:
format: int64
type: integer
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null
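Review bot: `client_secret` (spec.properties.client_secret) and `google_service_account` are declared as plain `type: string` fields of the TeleportOIDCConnector spec, so the IdP client secret and service-account credentials are stored verbatim in the custom resource in etcd and are readable by anyone with `get`/`list` on `teleportoidcconnectors`, unlike a Kubernetes Secret. This looks like controller-gen output vendored from upstream, so the schema is not something to change in this commit; the practical follow-up is to scope RBAC on `teleportoidcconnectors.resources.teleport.dev` as tightly as on `secrets` and to keep such CRs out of cleartext GitOps manifests. If a secret-reference form for these fields exists in the chart or upstream operator (not visible here), it should be preferred over inline values.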


@ -0,0 +1,185 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
creationTimestamp: null
name: teleportoktaimportrules.resources.teleport.dev
spec:
group: resources.teleport.dev
names:
kind: TeleportOktaImportRule
listKind: TeleportOktaImportRuleList
plural: teleportoktaimportrules
shortNames:
- oktaimportrule
- oktaimportrules
singular: teleportoktaimportrule
scope: Namespaced
versions:
- name: v1
schema:
openAPIV3Schema:
description: OktaImportRule is the Schema for the oktaimportrules API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: OktaImportRule resource definition v1 from Teleport
properties:
mappings:
description: Mappings is a list of matches that will map match conditions
to labels.
items:
properties:
add_labels:
description: AddLabels specifies which labels to add if any
of the previous matches match.
nullable: true
properties:
key:
type: string
value:
type: string
type: object
match:
description: Match is a set of matching rules for this mapping.
If any of these match, then the mapping will be applied.
items:
properties:
app_ids:
description: AppIDs is a list of app IDs to match against.
items:
type: string
nullable: true
type: array
app_name_regexes:
description: AppNameRegexes is a list of regexes to match
against app names.
items:
type: string
nullable: true
type: array
group_ids:
description: GroupIDs is a list of group IDs to match
against.
items:
type: string
nullable: true
type: array
group_name_regexes:
description: GroupNameRegexes is a list of regexes to
match against group names.
items:
type: string
nullable: true
type: array
type: object
nullable: true
type: array
type: object
nullable: true
type: array
priority:
description: Priority represents the priority of the rule application.
Lower numbered rules will be applied first.
format: int32
type: integer
type: object
status:
description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations
of an object's state
items:
description: "Condition contains details for one aspect of the current
state of this API Resource.\n---\nThis struct is intended for
direct use as an array at the field path .status.conditions. For
example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
observations of a foo's current state.\n\t // Known .status.conditions.type
are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
\ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
\ // other fields\n\t}"
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
teleportResourceID:
format: int64
type: integer
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null


@ -0,0 +1,262 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
creationTimestamp: null
name: teleportopenssheiceserversv2.resources.teleport.dev
spec:
group: resources.teleport.dev
names:
kind: TeleportOpenSSHEICEServerV2
listKind: TeleportOpenSSHEICEServerV2List
plural: teleportopenssheiceserversv2
shortNames:
- openssheiceserverv2
- openssheiceserversv2
singular: teleportopenssheiceserverv2
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: Server hostname
jsonPath: .spec.hostname
name: Hostname
type: string
- description: Server address, with SSH port.
jsonPath: .spec.addr
name: Address
type: string
- description: The age of this resource
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1
schema:
openAPIV3Schema:
description: OpenSSHEICEServerV2 is the Schema for the openssheiceserversv2
API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: OpenSSHEICEServer resource definition v2 from Teleport
properties:
addr:
description: Addr is a host:port address where this server can be
reached.
type: string
cloud_metadata:
description: CloudMetadata contains info about the cloud instance
the server is running on, if any.
nullable: true
properties:
aws:
description: AWSInfo contains attributes to match to an EC2 instance.
nullable: true
properties:
account_id:
description: AccountID is an AWS account ID.
type: string
instance_id:
description: InstanceID is an EC2 instance ID.
type: string
integration:
description: Integration is the integration name that added
this Node. When connecting to it, it will use this integration
to issue AWS API calls in order to set up the connection.
This includes sending an SSH Key and then opening a tunnel
(EC2 Instance Connect Endpoint) so Teleport can connect
to it.
type: string
region:
description: Region is the AWS EC2 Instance Region.
type: string
subnet_id:
description: SubnetID is the Subnet ID in use by the instance.
type: string
vpc_id:
description: VPCID is the AWS VPC ID where the Instance is
running.
type: string
type: object
type: object
hostname:
description: Hostname is server hostname
type: string
peer_addr:
description: PeerAddr is the address a proxy server is reachable at
by its peer proxies.
type: string
proxy_ids:
description: ProxyIDs is a list of proxy IDs this server is expected
to be connected to.
items:
type: string
nullable: true
type: array
public_addrs:
description: PublicAddrs is a list of public addresses where this
server can be reached.
items:
type: string
nullable: true
type: array
rotation:
description: Rotation specifies server rotation
properties:
current_id:
description: CurrentID is the ID of the rotation operation to
differentiate between rotation attempts.
type: string
grace_period:
description: GracePeriod is a period during which old and new
CA are valid for checking purposes, but only new CA is issuing
certificates.
format: duration
type: string
last_rotated:
description: LastRotated specifies the last time of the completed
rotation.
format: date-time
type: string
mode:
description: Mode sets manual or automatic rotation mode.
type: string
phase:
description: Phase is the current rotation phase.
type: string
schedule:
description: Schedule is a rotation schedule - used in automatic
mode to switch between phases.
properties:
standby:
description: Standby specifies time to switch to the "Standby"
phase.
format: date-time
type: string
update_clients:
description: UpdateClients specifies time to switch to the
"Update clients" phase
format: date-time
type: string
update_servers:
description: UpdateServers specifies time to switch to the
"Update servers" phase.
format: date-time
type: string
type: object
started:
description: Started is set to the time when rotation has been
started in case if the state of the rotation is "in_progress".
format: date-time
type: string
state:
description: State could be one of "init" or "in_progress".
type: string
type: object
use_tunnel:
description: UseTunnel indicates that connections to this server should
occur over a reverse tunnel.
type: boolean
version:
description: TeleportVersion is the teleport version that the server
is running on
type: string
type: object
status:
description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations
of an object's state
items:
description: "Condition contains details for one aspect of the current
state of this API Resource.\n---\nThis struct is intended for
direct use as an array at the field path .status.conditions. For
example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
observations of a foo's current state.\n\t // Known .status.conditions.type
are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
\ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
\ // other fields\n\t}"
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
teleportResourceID:
format: int64
type: integer
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null


@ -0,0 +1,261 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
creationTimestamp: null
name: teleportopensshserversv2.resources.teleport.dev
spec:
group: resources.teleport.dev
names:
kind: TeleportOpenSSHServerV2
listKind: TeleportOpenSSHServerV2List
plural: teleportopensshserversv2
shortNames:
- opensshserverv2
- opensshserversv2
singular: teleportopensshserverv2
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: Server hostname
jsonPath: .spec.hostname
name: Hostname
type: string
- description: Server address, with SSH port.
jsonPath: .spec.addr
name: Address
type: string
- description: The age of this resource
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1
schema:
openAPIV3Schema:
description: OpenSSHServerV2 is the Schema for the opensshserversv2 API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: OpenSSHServer resource definition v2 from Teleport
properties:
addr:
description: Addr is a host:port address where this server can be
reached.
type: string
cloud_metadata:
description: CloudMetadata contains info about the cloud instance
the server is running on, if any.
nullable: true
properties:
aws:
description: AWSInfo contains attributes to match to an EC2 instance.
nullable: true
properties:
account_id:
description: AccountID is an AWS account ID.
type: string
instance_id:
description: InstanceID is an EC2 instance ID.
type: string
integration:
description: Integration is the integration name that added
this Node. When connecting to it, it will use this integration
to issue AWS API calls in order to set up the connection.
This includes sending an SSH Key and then opening a tunnel
(EC2 Instance Connect Endpoint) so Teleport can connect
to it.
type: string
region:
description: Region is the AWS EC2 Instance Region.
type: string
subnet_id:
description: SubnetID is the Subnet ID in use by the instance.
type: string
vpc_id:
description: VPCID is the AWS VPC ID where the Instance is
running.
type: string
type: object
type: object
hostname:
description: Hostname is server hostname
type: string
peer_addr:
description: PeerAddr is the address a proxy server is reachable at
by its peer proxies.
type: string
proxy_ids:
description: ProxyIDs is a list of proxy IDs this server is expected
to be connected to.
items:
type: string
nullable: true
type: array
public_addrs:
description: PublicAddrs is a list of public addresses where this
server can be reached.
items:
type: string
nullable: true
type: array
rotation:
description: Rotation specifies server rotation
properties:
current_id:
description: CurrentID is the ID of the rotation operation to
differentiate between rotation attempts.
type: string
grace_period:
description: GracePeriod is a period during which old and new
CA are valid for checking purposes, but only new CA is issuing
certificates.
format: duration
type: string
last_rotated:
description: LastRotated specifies the last time of the completed
rotation.
format: date-time
type: string
mode:
description: Mode sets manual or automatic rotation mode.
type: string
phase:
description: Phase is the current rotation phase.
type: string
schedule:
description: Schedule is a rotation schedule - used in automatic
mode to switch between phases.
properties:
standby:
description: Standby specifies time to switch to the "Standby"
phase.
format: date-time
type: string
update_clients:
description: UpdateClients specifies time to switch to the
"Update clients" phase
format: date-time
type: string
update_servers:
description: UpdateServers specifies time to switch to the
"Update servers" phase.
format: date-time
type: string
type: object
started:
description: Started is set to the time when rotation has been
started in case if the state of the rotation is "in_progress".
format: date-time
type: string
state:
description: State could be one of "init" or "in_progress".
type: string
type: object
use_tunnel:
description: UseTunnel indicates that connections to this server should
occur over a reverse tunnel.
type: boolean
version:
description: TeleportVersion is the teleport version that the server
is running on
type: string
type: object
status:
description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations
of an object's state
items:
description: "Condition contains details for one aspect of the current
state of this API Resource.\n---\nThis struct is intended for
direct use as an array at the field path .status.conditions. For
example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
observations of a foo's current state.\n\t // Known .status.conditions.type
are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
\ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
\ // other fields\n\t}"
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
teleportResourceID:
format: int64
type: integer
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null

@ -0,0 +1,464 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
creationTimestamp: null
name: teleportprovisiontokens.resources.teleport.dev
spec:
group: resources.teleport.dev
names:
kind: TeleportProvisionToken
listKind: TeleportProvisionTokenList
plural: teleportprovisiontokens
shortNames:
- provisiontoken
- provisiontokens
singular: teleportprovisiontoken
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: Token join method.
jsonPath: .spec.join_method
name: Join Method
type: string
- description: System roles granted by this token.
jsonPath: .spec.roles
name: System Roles
type: string
- description: The age of this resource
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v2
schema:
openAPIV3Schema:
description: ProvisionToken is the Schema for the provisiontokens API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ProvisionToken resource definition v2 from Teleport
properties:
allow:
description: Allow is a list of TokenRules, nodes using this token
must match one allow rule to use this token.
items:
properties:
aws_account:
description: AWSAccount is the AWS account ID.
type: string
aws_arn:
description: AWSARN is used for the IAM join method, the AWS
identity of joining nodes must match this ARN. Supports wildcards
"*" and "?".
type: string
aws_regions:
description: AWSRegions is used for the EC2 join method and
is a list of AWS regions a node is allowed to join from.
items:
type: string
nullable: true
type: array
aws_role:
description: AWSRole is used for the EC2 join method and is
the the ARN of the AWS role that the auth server will assume
in order to call the ec2 API.
type: string
type: object
nullable: true
type: array
aws_iid_ttl:
description: AWSIIDTTL is the TTL to use for AWS EC2 Instance Identity
Documents used to join the cluster with this token.
format: duration
type: string
azure:
description: Azure allows the configuration of options specific to
the "azure" join method.
nullable: true
properties:
allow:
description: Allow is a list of Rules, nodes using this token
must match one allow rule to use this token.
items:
properties:
resource_groups:
items:
type: string
nullable: true
type: array
subscription:
type: string
type: object
nullable: true
type: array
type: object
bot_name:
description: BotName is the name of the bot this token grants access
to, if any
type: string
circleci:
description: CircleCI allows the configuration of options specific
to the "circleci" join method.
nullable: true
properties:
allow:
description: Allow is a list of TokenRules, nodes using this token
must match one allow rule to use this token.
items:
properties:
context_id:
type: string
project_id:
type: string
type: object
nullable: true
type: array
organization_id:
type: string
type: object
gcp:
description: GCP allows the configuration of options specific to the
"gcp" join method.
nullable: true
properties:
allow:
description: Allow is a list of Rules, nodes using this token
must match one allow rule to use this token.
items:
properties:
locations:
items:
type: string
nullable: true
type: array
project_ids:
items:
type: string
nullable: true
type: array
service_accounts:
items:
type: string
nullable: true
type: array
type: object
nullable: true
type: array
type: object
github:
description: GitHub allows the configuration of options specific to
the "github" join method.
nullable: true
properties:
allow:
description: Allow is a list of TokenRules, nodes using this token
must match one allow rule to use this token.
items:
properties:
actor:
type: string
environment:
type: string
ref:
type: string
ref_type:
type: string
repository:
type: string
repository_owner:
type: string
sub:
type: string
workflow:
type: string
type: object
nullable: true
type: array
enterprise_server_host:
description: EnterpriseServerHost allows joining from runners
associated with a GitHub Enterprise Server instance. When unconfigured,
tokens will be validated against github.com, but when configured
to the host of a GHES instance, then the tokens will be validated
against host. This value should be the hostname of the GHES
instance, and should not include the scheme or a path. The instance
must be accessible over HTTPS at this hostname and the certificate
must be trusted by the Auth Server.
type: string
enterprise_slug:
description: EnterpriseSlug allows the slug of a GitHub Enterprise
organisation to be included in the expected issuer of the OIDC
tokens. This is for compatibility with the `include_enterprise_slug`
option in GHE. This field should be set to the slug of your
enterprise if this is enabled. If this is not enabled, then
this field must be left empty. This field cannot be specified
if `enterprise_server_host` is specified. See https://docs.github.com/en/enterprise-cloud@latest/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#customizing-the-issuer-value-for-an-enterprise
for more information about customized issuer values.
type: string
type: object
gitlab:
description: GitLab allows the configuration of options specific to
the "gitlab" join method.
nullable: true
properties:
allow:
description: Allow is a list of TokenRules, nodes using this token
must match one allow rule to use this token.
items:
properties:
ci_config_ref_uri:
type: string
ci_config_sha:
type: string
deployment_tier:
type: string
environment:
type: string
environment_protected:
type: boolean
namespace_path:
type: string
pipeline_source:
type: string
project_path:
type: string
project_visibility:
type: string
ref:
type: string
ref_protected:
type: boolean
ref_type:
type: string
sub:
type: string
user_email:
type: string
user_id:
type: string
user_login:
type: string
type: object
nullable: true
type: array
domain:
description: Domain is the domain of your GitLab instance. This
will default to `gitlab.com` - but can be set to the domain
of your self-hosted GitLab e.g `gitlab.example.com`.
type: string
type: object
join_method:
description: JoinMethod is the joining method required in order to
use this token. Supported joining methods include "token", "ec2",
and "iam".
type: string
kubernetes:
description: Kubernetes allows the configuration of options specific
to the "kubernetes" join method.
nullable: true
properties:
allow:
description: Allow is a list of Rules, nodes using this token
must match one allow rule to use this token.
items:
properties:
service_account:
type: string
type: object
nullable: true
type: array
static_jwks:
description: StaticJWKS is the configuration specific to the `static_jwks`
type.
nullable: true
properties:
jwks:
type: string
type: object
type:
description: 'Type controls which behavior should be used for
validating the Kubernetes Service Account token. Support values:
- `in_cluster` - `static_jwks` If unset, this defaults to `in_cluster`.'
type: string
type: object
roles:
description: Roles is a list of roles associated with the token, that
will be converted to metadata in the SSH and X509 certificates issued
to the user of the token
items:
type: string
nullable: true
type: array
spacelift:
description: Spacelift allows the configuration of options specific
to the "spacelift" join method.
nullable: true
properties:
allow:
description: Allow is a list of Rules, nodes using this token
must match one allow rule to use this token.
items:
properties:
caller_id:
type: string
caller_type:
type: string
scope:
type: string
space_id:
type: string
type: object
nullable: true
type: array
hostname:
description: Hostname is the hostname of the Spacelift tenant
that tokens will originate from. E.g `example.app.spacelift.io`
type: string
type: object
suggested_agent_matcher_labels:
additionalProperties:
x-kubernetes-preserve-unknown-fields: true
description: SuggestedAgentMatcherLabels is a set of labels to be
used by agents to match on resources. When an agent uses this token,
the agent should monitor resources that match those labels. For
databases, this means adding the labels to `db_service.resources.labels`.
Currently, only node-join scripts create a configuration according
to the suggestion.
type: object
suggested_labels:
additionalProperties:
x-kubernetes-preserve-unknown-fields: true
description: SuggestedLabels is a set of labels that resources should
set when using this token to enroll themselves in the cluster. Currently,
only node-join scripts create a configuration according to the suggestion.
type: object
tpm:
description: TPM allows the configuration of options specific to the
"tpm" join method.
nullable: true
properties:
allow:
description: Allow is a list of Rules, the presented delegated
identity must match one allow rule to permit joining.
items:
properties:
description:
type: string
ek_certificate_serial:
type: string
ek_public_hash:
type: string
type: object
nullable: true
type: array
ekcert_allowed_cas:
description: EKCertAllowedCAs is a list of CA certificates that
will be used to validate TPM EKCerts. When specified, joining
TPMs must present an EKCert signed by one of the specified CAs.
TPMs that do not present an EKCert will be not permitted to
join. When unspecified, TPMs will be allowed to join with either
an EKCert or an EKPubHash.
items:
type: string
nullable: true
type: array
type: object
type: object
status:
description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations
of an object's state
items:
description: "Condition contains details for one aspect of the current
state of this API Resource.\n---\nThis struct is intended for
direct use as an array at the field path .status.conditions. For
example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
observations of a foo's current state.\n\t // Known .status.conditions.type
are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
\ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
\ // other fields\n\t}"
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
teleportResourceID:
format: int64
type: integer
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null

@ -0,0 +1,224 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
creationTimestamp: null
name: teleportsamlconnectors.resources.teleport.dev
spec:
group: resources.teleport.dev
names:
kind: TeleportSAMLConnector
listKind: TeleportSAMLConnectorList
plural: teleportsamlconnectors
shortNames:
- samlconnector
- samlconnectors
singular: teleportsamlconnector
scope: Namespaced
versions:
- name: v2
schema:
openAPIV3Schema:
description: SAMLConnector is the Schema for the samlconnectors API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: SAMLConnector resource definition v2 from Teleport
properties:
acs:
description: AssertionConsumerService is a URL for assertion consumer
service on the service provider (Teleport's side).
type: string
allow_idp_initiated:
description: AllowIDPInitiated is a flag that indicates if the connector
can be used for IdP-initiated logins.
type: boolean
assertion_key_pair:
description: EncryptionKeyPair is a key pair used for decrypting SAML
assertions.
nullable: true
properties:
cert:
description: Cert is a PEM-encoded x509 certificate.
type: string
private_key:
description: PrivateKey is a PEM encoded x509 private key.
type: string
type: object
attributes_to_roles:
description: AttributesToRoles is a list of mappings of attribute
statements to roles.
items:
properties:
name:
description: Name is an attribute statement name.
type: string
roles:
description: Roles is a list of static teleport roles to map
to.
items:
type: string
nullable: true
type: array
value:
description: Value is an attribute statement value to match.
type: string
type: object
type: array
audience:
description: Audience uniquely identifies our service provider.
type: string
cert:
description: Cert is the identity provider certificate PEM. IDP signs
<Response> responses using this certificate.
type: string
client_redirect_settings:
description: ClientRedirectSettings defines which client redirect
URLs are allowed for non-browser SSO logins other than the standard
localhost ones.
nullable: true
properties:
allowed_https_hostnames:
description: a list of hostnames allowed for https client redirect
URLs
items:
type: string
nullable: true
type: array
type: object
display:
description: Display controls how this connector is displayed.
type: string
entity_descriptor:
description: EntityDescriptor is XML with descriptor. It can be used
to supply configuration parameters in one XML file rather than supplying
them in the individual elements.
type: string
entity_descriptor_url:
description: EntityDescriptorURL is a URL that supplies a configuration
XML.
type: string
issuer:
description: Issuer is the identity provider issuer.
type: string
provider:
description: Provider is the external identity provider.
type: string
service_provider_issuer:
description: ServiceProviderIssuer is the issuer of the service provider
(Teleport).
type: string
signing_key_pair:
description: SigningKeyPair is an x509 key pair used to sign AuthnRequest.
nullable: true
properties:
cert:
description: Cert is a PEM-encoded x509 certificate.
type: string
private_key:
description: PrivateKey is a PEM encoded x509 private key.
type: string
type: object
sso:
description: SSO is the URL of the identity provider's SSO service.
type: string
type: object
status:
description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations
of an object's state
items:
description: "Condition contains details for one aspect of the current
state of this API Resource.\n---\nThis struct is intended for
direct use as an array at the field path .status.conditions. For
example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
observations of a foo's current state.\n\t // Known .status.conditions.type
are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
\ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
\ // other fields\n\t}"
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
teleportResourceID:
format: int64
type: integer
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null

@ -0,0 +1,205 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
creationTimestamp: null
name: teleportusers.resources.teleport.dev
spec:
group: resources.teleport.dev
names:
kind: TeleportUser
listKind: TeleportUserList
plural: teleportusers
shortNames:
- user
- users
singular: teleportuser
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: List of Teleport roles granted to the user.
jsonPath: .spec.roles
name: Roles
type: string
- description: The age of this resource
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v2
schema:
openAPIV3Schema:
description: User is the Schema for the users API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: User resource definition v2 from Teleport
properties:
github_identities:
description: GithubIdentities list associated Github OAuth2 identities
that let user log in using externally verified identity
items:
properties:
connector_id:
description: ConnectorID is id of registered OIDC connector,
e.g. 'google-example.com'
type: string
username:
description: Username is username supplied by external identity
provider
type: string
type: object
type: array
oidc_identities:
description: OIDCIdentities lists associated OpenID Connect identities
that let user log in using externally verified identity
items:
properties:
connector_id:
description: ConnectorID is id of registered OIDC connector,
e.g. 'google-example.com'
type: string
username:
description: Username is username supplied by external identity
provider
type: string
type: object
type: array
roles:
description: Roles is a list of roles assigned to user
items:
type: string
nullable: true
type: array
saml_identities:
description: SAMLIdentities lists associated SAML identities that
let user log in using externally verified identity
items:
properties:
connector_id:
description: ConnectorID is id of registered OIDC connector,
e.g. 'google-example.com'
type: string
username:
description: Username is username supplied by external identity
provider
type: string
type: object
type: array
traits:
additionalProperties:
items:
type: string
type: array
description: Traits are key/value pairs received from an identity
provider (through OIDC claims or SAML assertions) or from a system
administrator for local accounts. Traits are used to populate role
variables.
type: object
trusted_device_ids:
description: TrustedDeviceIDs contains the IDs of trusted devices
enrolled by the user. Managed by the Device Trust subsystem, avoid
manual edits.
items:
type: string
nullable: true
type: array
type: object
status:
description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations
of an object's state
items:
description: "Condition contains details for one aspect of the current
state of this API Resource.\n---\nThis struct is intended for
direct use as an array at the field path .status.conditions. For
example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
observations of a foo's current state.\n\t // Known .status.conditions.type
are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
\ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
\ // other fields\n\t}"
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
teleportResourceID:
format: int64
type: integer
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null

@ -0,0 +1,131 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "teleport-cluster.operator.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
This is a modified version of the default fully qualified app name helper.
We diverge by always honouring "nameOverride" when it's set, as opposed to the
default behaviour of shortening if `nameOverride` is included in chart name.
This is done to avoid naming conflicts when including th chart in `teleport-cluster`
*/}}
{{- define "teleport-cluster.operator.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- if .Values.nameOverride }}
{{- printf "%s-%s" .Release.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- if contains .Chart.Name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name .Chart.Name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create the name of the service account to use
if serviceAccount is not defined or serviceAccount.name is empty, use .Release.Name
*/}}
{{- define "teleport-cluster.operator.serviceAccountName" -}}
{{- coalesce .Values.serviceAccount.name (include "teleport-cluster.operator.fullname" .) -}}
{{- end -}}
{{- define "teleport-cluster.version" -}}
{{- coalesce .Values.teleportVersionOverride .Chart.Version }}
{{- end -}}
{{- define "teleport-cluster.majorVersion" -}}
{{- (semver (include "teleport-cluster.version" .)).Major -}}
{{- end -}}
{{/* Operator selector labels */}}
{{- define "teleport-cluster.operator.selectorLabels" -}}
app.kubernetes.io/name: '{{ include "teleport-cluster.operator.name" . }}'
app.kubernetes.io/instance: '{{ .Release.Name }}'
app.kubernetes.io/component: 'operator'
{{- end -}}
{{/* Operator all labels */}}
{{- define "teleport-cluster.operator.labels" -}}
{{ include "teleport-cluster.operator.selectorLabels" . }}
helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
app.kubernetes.io/managed-by: '{{ .Release.Service }}'
app.kubernetes.io/version: '{{ include "teleport-cluster.version" . }}'
teleport.dev/majorVersion: '{{ include "teleport-cluster.majorVersion" . }}'
teleport.dev/release: '{{ include "teleport-cluster.operator.namespacedRelease" . }}'
{{- end -}}
{{/* Teleport auth or proxy address */}}
{{- define "teleport-cluster.operator.teleportAddress" -}}
{{- $clusterAddr := include "teleport-cluster.auth.serviceFQDN" . -}}
{{- if empty $clusterAddr -}}
{{- required "The `teleportAddress` value is mandatory when deploying a standalone operator." .Values.teleportAddress -}}
{{- if and (eq .Values.joinMethod "kubernetes") (empty .Values.teleportClusterName) (not (hasSuffix ":3025" .Values.teleportAddress)) -}}
{{- fail "When joining using the Kubernetes JWKS join method, you must set the value `teleportClusterName`" -}}
{{- end -}}
{{- else -}}
{{- $clusterAddr | printf "%s:3025" -}}
{{- end -}}
{{- end -}}
{{- /* This template is a placeholder.
If we are imported by the main chart "teleport-cluster" it is overridden*/ -}}
{{- define "teleport-cluster.auth.serviceFQDN" -}}{{- end }}
{{- /* This templates returns "true" or "false" describing if the CRDs should be deployed.
If we have an explicit requirement ("always" or "never") things are easy.
If we don't we check if the operator is enabled.
However, we cannot just trash the CRDs if the operator is disabled, this causes
a mass CR deletion and users will shoot themselves in the foot whith this
(temporarily disabling the operator would cause havoc).
So we check if there's a CRD already deployed, it that's the case, we keep the CRDs.
*/ -}}
{{- define "teleport-cluster.operator.shouldInstallCRDs" -}}
{{- if eq .Values.installCRDs "always" -}}
true
{{- else if eq .Values.installCRDs "never" -}}
false
{{- else if eq .Values.installCRDs "dynamic" -}}
{{- if .Values.enabled -}}
true
{{- else -}}
{{- include "teleport-cluster.operator.checkExistingCRDs" . -}}
{{- end -}}
{{- else -}}
{{- fail ".Values.installCRDs must be 'never', 'always' or 'dynamic'." -}}
{{- end -}}
{{- end -}}
{{- /* This template checks if a known CRD is depployed (rolev7) and owned by
the release. As CRDs are not namespaced, we must use a custom annotation to avoid
a conflict when two releases are deployed with the same name in different namespaces. */ -}}
{{- define "teleport-cluster.operator.checkExistingCRDs" -}}
{{ $existingCRD := lookup "apiextensions.k8s.io/v1" "CustomResourceDefinition" "" "teleportrolesv7.resources.teleport.dev"}}
{{- if not $existingCRD -}}
false
{{- else -}}
{{- $release := index $existingCRD.metadata.labels "teleport.dev/release" }}
{{- if eq $release (include "teleport-cluster.operator.namespacedRelease" .) -}}
true
{{- else -}}
false
{{- end -}}
{{- end -}}
{{- end -}}
{{- /* This is a custom label containing the namespaced release.
This is used to avoid conflicts for non-namespaced resources like CRDs. */ -}}
{{- define "teleport-cluster.operator.namespacedRelease" -}}
{{ .Release.Namespace }}_{{ .Release.Name }}
{{- end -}}
{{- /* This is the object merged with CRDs manifests to enrich them (add labels). */ -}}
{{- define "teleport-cluster.operator.crdOverrides" -}}
metadata:
labels: {{- include "teleport-cluster.operator.labels" . | nindent 4 }}
{{- end -}}
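Review bot: The `index $existingCRD.metadata.labels "teleport.dev/release"` line inside `checkExistingCRDs` assumes the existing `teleportrolesv7.resources.teleport.dev` CRD carries a labels map; if that CRD was applied by hand or by an earlier chart version that did not set this label, `metadata.labels` is nil and `index` is likely to abort the whole render with an index-of-nil error instead of answering `false`. Guarding the map first keeps the `dynamic` path usable: `{{- $labels := default (dict) $existingCRD.metadata.labels }}` followed by `{{- $release := index $labels "teleport.dev/release" }}`. The same helper also relies on `lookup`, which returns an empty map under `helm template`, `--dry-run`, and when the rendering identity cannot `get` CRDs, so with `enabled: false` and `installCRDs: dynamic` the CRDs silently disappear from the rendered output in those cases; that caveat belongs in the block comment above `checkExistingCRDs`.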

@ -0,0 +1,24 @@
{{- /* This template iterates over every CRD in the `operator-crds/` directory
and creates them if needed. It also adds common labels, like any other
Helm-deployed resource.
We cannot rely on the "crds/" Helm directory as Helm's startegy is "fire and forget".
We have no way to update the CRDs after the initial deployment. As Teleport keeps
adding new field to existing CRs, we need a deployment strategy that supports
updating CRDs.
The obvious solution would be to have a separate chart for CRs but we wanted to
have everything functional in a single "helm install", hence the rube goldberg
mechanism to try to guess what to do with the CRDs (see the implementation of
shouldInstallCRDs in _helpers.yaml for more details). */ -}}
{{- if eq (include "teleport-cluster.operator.shouldInstallCRDs" . ) "true" -}}
{{ $currentScope := .}}
{{ range $path, $_ := .Files.Glob "operator-crds/*" }}
{{- with $currentScope}}
{{- $crd := (.Files.Get $path | fromYaml) -}}
{{- $injectedCRD := mustMergeOverwrite $crd (include "teleport-cluster.operator.crdOverrides" $currentScope | fromYaml) -}}
{{- toYaml $injectedCRD -}}
{{- end }}
---
{{ end }}
{{- end -}}
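Review bot: The line building `$crd` with `.Files.Get $path | fromYaml` does not fail on a malformed CRD file: Helm's `fromYaml` returns a map holding only an `Error` key in that case, and `mustMergeOverwrite` then emits a document consisting of `Error:` plus the injected labels instead of aborting the install. A guard directly after it makes the failure loud, e.g. `{{- if hasKey $crd "Error" }}{{ fail (printf "cannot parse %s: %s" $path $crd.Error) }}{{ end }}`. The header comment also has two typos (`startegy` → `strategy`, `adding new field` → `adding new fields`) and refers readers to `_helpers.yaml`; Helm helper files are conventionally named `_helpers.tpl`, so confirm the name matches the actual file.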


@ -0,0 +1,155 @@
{{- if .Values.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "teleport-cluster.operator.fullname" . }}
namespace: {{ .Release.Namespace }}
labels: {{- include "teleport-cluster.operator.labels" . | nindent 4 }}
{{- if .Values.annotations.deployment }}
annotations: {{- toYaml .Values.annotations.deployment | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.highAvailability.replicaCount }}
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 0
maxUnavailable: 1
selector:
matchLabels: {{- include "teleport-cluster.operator.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- if .Values.annotations.pod }}
annotations: {{- toYaml .Values.annotations.pod | nindent 8 }}
{{- end }}
labels: {{- include "teleport-cluster.operator.labels" . | nindent 8 }}
spec:
{{- if .Values.nodeSelector }}
nodeSelector: {{- toYaml .Values.nodeSelector | nindent 8 }}
{{- end }}
{{- if .Values.affinity }}
affinity: {{- toYaml .Values.affinity | nindent 8 }}
{{- end }}
{{- if .Values.tolerations }}
tolerations: {{- toYaml .Values.tolerations | nindent 8 }}
{{- end }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets: {{- toYaml .Values.imagePullSecrets | nindent 8 }}
{{- end }}
containers:
- name: "operator"
image: '{{ .Values.image }}:{{ include "teleport-cluster.version" . }}'
imagePullPolicy: {{ .Values.imagePullPolicy }}
command:
- /teleport-operator
- -auth-server
- '{{ include "teleport-cluster.operator.teleportAddress" . }}'
- -join-method
- '{{ .Values.joinMethod }}'
- -token
- '{{ .Values.token }}'
{{- if .Values.caPins }}
- -ca-pin
- '{{ join "," .Values.caPins }}'
{{- end }}
{{- if or (.Values.tls.existingCASecretName) (.Values.teleportClusterName) }}
env:
{{- if .Values.tls.existingCASecretName }}
- name: SSL_CERT_FILE
value: /etc/teleport-tls-ca/ca.pem
{{- end }}
{{- if .Values.teleportClusterName }}
- name: KUBERNETES_TOKEN_PATH
value: /var/run/secrets/teleport/serviceaccount/token
{{- end }}
{{- end }}
livenessProbe:
httpGet:
path: /healthz
port: 8081
initialDelaySeconds: 15
periodSeconds: 20
readinessProbe:
httpGet:
path: /readyz
port: 8081
initialDelaySeconds: 5
periodSeconds: 10
ports:
- name: op-metrics
containerPort: 8080
protocol: TCP
- name: op-health
containerPort: 8081
protocol: TCP
{{- if .Values.securityContext }}
securityContext: {{- toYaml .Values.securityContext | nindent 12 }}
{{- end }}
{{- if .Values.resources }}
resources: {{- toYaml .Values.resources | nindent 12 }}
{{- end }}
volumeMounts:
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: operator-serviceaccount-token
readOnly: true
{{- if .Values.teleportClusterName }}
- mountPath: /var/run/secrets/teleport/serviceaccount
name: bot-serviceaccount-token
readOnly: true
{{- end }}
{{- if .Values.tls.existingCASecretName }}
- mountPath: /etc/teleport-tls-ca
name: "teleport-tls-ca"
readOnly: true
{{- end }}
automountServiceAccountToken: false
volumes:
# This projected token volume mimics the `automountServiceAccountToken`
# behaviour but defaults to a 1h TTL instead of 1y.
- name: operator-serviceaccount-token
projected:
sources:
- serviceAccountToken:
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- path: "namespace"
fieldRef:
fieldPath: metadata.namespace
{{- if .Values.teleportClusterName }}
- name: bot-serviceaccount-token
projected:
sources:
- serviceAccountToken:
path: token
audience: "{{ .Values.teleportClusterName }}"
expirationSeconds: 600
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- path: "namespace"
fieldRef:
fieldPath: metadata.namespace
{{- end }}
{{- if .Values.tls.existingCASecretName }}
- name: teleport-tls-ca
secret:
secretName: {{ .Values.tls.existingCASecretName }}
{{- end }}
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName }}
{{- end }}
{{- if .Values.podSecurityContext }}
securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "teleport-cluster.operator.serviceAccountName" . }}
{{- end }}
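Review bot: The join token is rendered as a plain command-line argument (`- -token` followed by `- '{{ .Values.token }}'`), so it is readable by anyone who can read the Deployment or Pod object, shows up in the container's process listing on the node, and is persisted in the Helm release history Secret; when `joinMethod` is `token` that value is the credential that admits a new agent to the cluster. A safer shape keeps the token in a Kubernetes Secret and surfaces it to the operator through an env var (`valueFrom.secretKeyRef`) or a mounted file, which presumably requires the operator binary to read the token from somewhere other than the `-token` flag — confirm against the operator's flag parsing before changing the template. At minimum, documenting in `values.yaml` that `token` is exposed in the pod spec would let operators choose the kubernetes join method where it is available.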


@ -0,0 +1,59 @@
{{- if .Values.enabled }}
{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "teleport-cluster.operator.fullname" . }}
namespace: {{ .Release.Namespace }}
rules:
- apiGroups:
- "resources.teleport.dev"
resources:
- teleportroles
- teleportroles/status
- teleportrolesv6
- teleportrolesv6/status
- teleportrolesv7
- teleportrolesv7/status
- teleportusers
- teleportusers/status
- teleportgithubconnectors
- teleportgithubconnectors/status
- teleportoidcconnectors
- teleportoidcconnectors/status
- teleportsamlconnectors
- teleportsamlconnectors/status
- teleportloginrules
- teleportloginrules/status
- teleportprovisiontokens
- teleportprovisiontokens/status
- teleportoktaimportrules
- teleportoktaimportrules/status
- teleportaccesslists
- teleportaccesslists/status
- teleportopensshserversv2
- teleportopensshserversv2/status
- teleportopenssheiceserversv2
- teleportopenssheiceserversv2/status
verbs:
- get
- list
- patch
- update
- watch
- apiGroups:
- "coordination.k8s.io"
resources:
- leases
verbs:
- create
- get
- update
- apiGroups:
- ""
resources:
- events
verbs:
- create
{{- end -}}
{{- end -}}
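Review bot: The Role's `metadata` carries no `labels`, unlike the RoleBinding and Deployment in this commit, which both render `teleport-cluster.operator.labels`; resources without the common labels are missed by label-based selection and by tooling that groups a release's objects. Adding `labels: {{- include "teleport-cluster.operator.labels" . | nindent 4 }}` after the `namespace:` line makes the Role consistent with the other templates. The `{{- if .Values.enabled }}` / `{{- if .Values.rbac.create -}}` guards are otherwise the same pattern used in rolebinding and serviceaccount, which is good.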


@ -0,0 +1,17 @@
{{- if .Values.enabled }}
{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "teleport-cluster.operator.fullname" . }}
namespace: {{ .Release.Namespace }}
labels: {{- include "teleport-cluster.operator.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "teleport-cluster.operator.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ include "teleport-cluster.operator.serviceAccountName" . }}
{{- end }}
{{- end }}
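Review bot: The ServiceAccount subject at the bottom of the binding has no `namespace`, so it relies on the RBAC authorizer treating an empty subject namespace as the RoleBinding's own namespace; that works today but reads as if the binding could apply to a same-named ServiceAccount anywhere. Adding `namespace: {{ .Release.Namespace }}` under `name:` in the subject makes the intended scope explicit and matches the `namespace:` already set on the binding's metadata.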


@ -0,0 +1,12 @@
{{- if .Values.enabled }}
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "teleport-cluster.operator.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- if .Values.annotations.serviceAccount }}
annotations: {{- toYaml .Values.annotations.serviceAccount | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}
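Review bot: This template uses `{{ template "teleport-cluster.operator.serviceAccountName" . }}` for the name while every other new template in the commit uses `include` for the same helper; `include` is the form Helm recommends because its output can be piped, so `name: {{ include "teleport-cluster.operator.serviceAccountName" . }}` keeps the files uniform. The ServiceAccount is also the only labelled-by-convention resource here without the common labels; `labels: {{- include "teleport-cluster.operator.labels" . | nindent 4 }}` after `namespace:` would align it with the Deployment and RoleBinding.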


@ -0,0 +1,44 @@
suite: Operator CRDs
templates:
- crds.yaml
tests:
- it: creates no CRDs when installCRDs is "never"
set:
installCRDs: "never"
enabled: true
asserts:
- hasDocuments:
count: 0
- it: creates CRDs when installCRDs is "always"
set:
installCRDs: "always"
enabled: false
asserts:
- containsDocument:
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
name: teleportrolesv7.resources.teleport.dev
- it: labels CRDs
set:
installCRDs: "always"
enabled: false
asserts:
- equal:
path: metadata.labels.[teleport.dev/release]
value: NAMESPACE_RELEASE-NAME
- it: creates CRDs when installCRDs is "dynamic" and operator enabled
set:
installCRDs: "dynamic"
enabled: true
asserts:
- containsDocument:
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
name: teleportrolesv7.resources.teleport.dev
- it: creates no CRDs when installCRDs is "dynamic" and operator disabled (and no existing CRD)
set:
installCRDs: "dynamic"
enabled: false
asserts:
- hasDocuments:
count: 0
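Review bot: The last case ("dynamic" with the operator disabled) only exercises the branch where no CRD pre-exists, because `lookup` returns nothing under `helm template`-style rendering, so the `checkExistingCRDs` path that keeps CRDs owned by this release — and the path that refuses CRDs owned by another release — is never tested. If the installed helm-unittest version supports stubbing cluster objects (its `kubernetesProvider` block), add two cases that present a `teleportrolesv7.resources.teleport.dev` CRD labelled `teleport.dev/release: NAMESPACE_RELEASE-NAME` and one labelled with a different value, asserting CRDs are rendered only in the first. Otherwise a comment on the case, such as `# lookup is empty in unit tests, so only the "no existing CRD" branch is covered here`, documents the gap for the next maintainer.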


@ -0,0 +1,199 @@
suite: Operator Deployment
templates:
- deployment.yaml
tests:
- it: creates no deployment when operator is not enabled
values:
- ../.lint/disabled.yaml
asserts:
- hasDocuments:
count: 0
- it: creates a deployment when operator is enabled
values:
- ../.lint/cloud-join.yaml
asserts:
- containsDocument:
kind: Deployment
apiVersion: apps/v1
name: RELEASE-NAME-teleport-operator
- it: shortens fullname if .Release.Name == .Chart.Name
release:
name: teleport-operator
values:
- ../.lint/cloud-join.yaml
asserts:
- containsDocument:
kind: Deployment
apiVersion: apps/v1
name: teleport-operator
- it: respects the nameOverride
set:
nameOverride: operator
values:
- ../.lint/cloud-join.yaml
asserts:
- containsDocument:
kind: Deployment
apiVersion: apps/v1
name: RELEASE-NAME-operator
- it: sets annotations when specified
values:
- ../.lint/annotations.yaml
asserts:
# Pod annotations
- equal:
path: spec.template.metadata.annotations.kubernetes\.io/pod
value: test-annotation
- equal:
path: spec.template.metadata.annotations.kubernetes\.io/pod-different
value: 4
# Deployment annotations
- equal:
path: metadata.annotations.kubernetes\.io/deployment
value: test-annotation
- equal:
path: metadata.annotations.kubernetes\.io/deployment-different
value: 3
- it: should mount tls.existingCASecretName and set environment when set in values
values:
- ../.lint/existing-tls-ca.yaml
asserts:
- contains:
path: spec.template.spec.volumes
content:
name: teleport-tls-ca
secret:
secretName: helm-lint-existing-tls-secret-ca
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /etc/teleport-tls-ca
name: teleport-tls-ca
readOnly: true
- contains:
path: spec.template.spec.containers[0].env
content:
name: SSL_CERT_FILE
value: /etc/teleport-tls-ca/ca.pem
- it: mounts tokens through projected volumes
values:
- ../.lint/cloud-join.yaml
asserts:
- equal:
path: spec.template.spec.automountServiceAccountToken
value: false
- contains:
path: spec.template.spec.volumes
content:
name: operator-serviceaccount-token
projected:
sources:
- serviceAccountToken:
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- path: "namespace"
fieldRef:
fieldPath: metadata.namespace
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: operator-serviceaccount-token
readOnly: true
- it: should set imagePullPolicy when set in values
values:
- ../.lint/cloud-join.yaml
set:
imagePullPolicy: Always
asserts:
- equal:
path: spec.template.spec.containers[0].imagePullPolicy
value: Always
- it: should set resources when set in values
values:
- ../.lint/resources.yaml
asserts:
- equal:
path: spec.template.spec.containers[0].resources.limits.cpu
value: 2
- equal:
path: spec.template.spec.containers[0].resources.limits.memory
value: 4Gi
- equal:
path: spec.template.spec.containers[0].resources.requests.cpu
value: 1
- equal:
path: spec.template.spec.containers[0].resources.requests.memory
value: 2Gi
- it: should set security contexts by default
values:
- ../.lint/cloud-join.yaml
asserts:
- equal:
path: spec.template.spec.containers[0].securityContext
value:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
- equal:
path: spec.template.spec.securityContext
value:
seccompProfile:
type: RuntimeDefault
runAsUser: 65532
runAsGroup: 65532
fsGroup: 65532
runAsNonRoot: true
- it: configures a dedicated token when kube JWKS joining
values:
- ../.lint/cloud-join.yaml
asserts:
- contains:
path: spec.template.spec.volumes
content:
name: bot-serviceaccount-token
projected:
sources:
- serviceAccountToken:
audience: example.teleport.sh
expirationSeconds: 600
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
fieldPath: metadata.namespace
path: namespace
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /var/run/secrets/teleport/serviceaccount
name: bot-serviceaccount-token
readOnly: true
- contains:
path: spec.template.spec.containers[0].env
content:
name: KUBERNETES_TOKEN_PATH
value: /var/run/secrets/teleport/serviceaccount/token
