sets clusterDomain on Deployment Pods: 1: | apiVersion: apps/v1 kind: Deployment metadata: annotations: kubernetes.io/deployment: test-annotation kubernetes.io/deployment-different: 3 labels: app.kubernetes.io/component: proxy app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: teleport-cluster app.kubernetes.io/version: 17.4.9 helm.sh/chart: teleport-cluster-17.4.9 teleport.dev/majorVersion: "17" name: RELEASE-NAME-proxy namespace: NAMESPACE spec: replicas: 1 selector: matchLabels: app.kubernetes.io/component: proxy app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: teleport-cluster template: metadata: annotations: checksum/config: da6155f69a526a5b92d4fa09d4b6658536bfab0d3e5435e2e898b77c1a30dbff kubernetes.io/pod: test-annotation kubernetes.io/pod-different: 4 labels: app.kubernetes.io/component: proxy app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: teleport-cluster app.kubernetes.io/version: 17.4.9 helm.sh/chart: teleport-cluster-17.4.9 teleport.dev/majorVersion: "17" spec: affinity: podAntiAffinity: null automountServiceAccountToken: false containers: - args: - --diag-addr=0.0.0.0:3000 image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 imagePullPolicy: IfNotPresent lifecycle: preStop: exec: command: - teleport - wait - duration - 30s livenessProbe: failureThreshold: 6 httpGet: path: /healthz port: diag initialDelaySeconds: 5 periodSeconds: 5 timeoutSeconds: 5 name: teleport ports: - containerPort: 3080 name: tls protocol: TCP - containerPort: 3023 name: sshproxy protocol: TCP - containerPort: 3024 name: sshtun protocol: TCP - containerPort: 3026 name: kube protocol: TCP - containerPort: 3036 name: mysql protocol: TCP - containerPort: 3000 name: diag protocol: TCP readinessProbe: failureThreshold: 12 httpGet: path: /readyz port: diag initialDelaySeconds: 5 periodSeconds: 5 successThreshold: 1 timeoutSeconds: 5 volumeMounts: - mountPath: /etc/teleport name: config readOnly: true - mountPath: /var/lib/teleport name: data - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: proxy-serviceaccount-token readOnly: true initContainers: - command: - teleport - wait - no-resolve - RELEASE-NAME-auth-v16.NAMESPACE.svc.test.com image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 name: wait-auth-update serviceAccountName: RELEASE-NAME-proxy terminationGracePeriodSeconds: 60 topologySpreadConstraints: - labelSelector: matchLabels: app.kubernetes.io/component: proxy app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: teleport-cluster maxSkew: 1 topologyKey: kubernetes.io/hostname whenUnsatisfiable: ScheduleAnyway - labelSelector: matchLabels: app.kubernetes.io/component: proxy app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: teleport-cluster maxSkew: 1 topologyKey: topology.kubernetes.io/zone whenUnsatisfiable: ScheduleAnyway volumes: - name: proxy-serviceaccount-token projected: sources: - serviceAccountToken: path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: fieldPath: metadata.namespace path: namespace - configMap: name: RELEASE-NAME-proxy name: config - emptyDir: {} name: data should provision initContainer correctly when set in values: 1: | - command: - teleport - wait - no-resolve - RELEASE-NAME-auth-v16.NAMESPACE.svc.cluster.local image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 name: wait-auth-update resources: limits: cpu: 1 memory: 512Mi requests: cpu: 0.1 memory: 256Mi - args: - echo test image: alpine name: teleport-init resources: limits: cpu: 2 memory: 4Gi requests: cpu: 1 memory: 2Gi volumeMounts: - mountPath: /etc/teleport name: config readOnly: true - mountPath: /var/lib/teleport name: data - args: - echo test2 image: alpine name: teleport-init2 resources: limits: cpu: 2 memory: 4Gi requests: cpu: 1 memory: 2Gi volumeMounts: - mountPath: /etc/teleport name: config readOnly: true - mountPath: /var/lib/teleport name: data should set affinity when set in values: 1: | nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: gravitational.io/dedicated operator: In values: - teleport should set imagePullSecrets when set in values: 1: | - name: myRegistryKeySecretName should set nodeSelector when set in values: 1: | affinity: podAntiAffinity: null automountServiceAccountToken: false containers: - args: - --diag-addr=0.0.0.0:3000 image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 imagePullPolicy: IfNotPresent lifecycle: preStop: exec: command: - teleport - wait - duration - 30s livenessProbe: failureThreshold: 6 httpGet: path: /healthz port: diag initialDelaySeconds: 5 periodSeconds: 5 timeoutSeconds: 5 name: teleport ports: - containerPort: 3080 name: tls protocol: TCP - containerPort: 3023 name: sshproxy protocol: TCP - containerPort: 3024 name: sshtun protocol: TCP - containerPort: 3026 name: kube protocol: TCP - containerPort: 3036 name: mysql protocol: TCP - containerPort: 3000 name: diag protocol: TCP readinessProbe: failureThreshold: 12 httpGet: path: /readyz port: diag initialDelaySeconds: 5 periodSeconds: 5 successThreshold: 1 timeoutSeconds: 5 volumeMounts: - mountPath: /etc/teleport name: config readOnly: true - mountPath: /var/lib/teleport name: data - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: proxy-serviceaccount-token readOnly: true initContainers: - command: - teleport - wait - no-resolve - RELEASE-NAME-auth-v16.NAMESPACE.svc.cluster.local image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 name: wait-auth-update nodeSelector: environment: security role: bastion serviceAccountName: RELEASE-NAME-proxy terminationGracePeriodSeconds: 60 topologySpreadConstraints: - labelSelector: matchLabels: app.kubernetes.io/component: proxy app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: teleport-cluster maxSkew: 1 topologyKey: kubernetes.io/hostname whenUnsatisfiable: ScheduleAnyway - labelSelector: matchLabels: app.kubernetes.io/component: proxy app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: teleport-cluster maxSkew: 1 topologyKey: topology.kubernetes.io/zone whenUnsatisfiable: ScheduleAnyway volumes: - name: proxy-serviceaccount-token projected: sources: - serviceAccountToken: path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: fieldPath: metadata.namespace path: namespace - configMap: name: RELEASE-NAME-proxy name: config - emptyDir: {} name: data should set required affinity when highAvailability.requireAntiAffinity is set: 1: | podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchExpressions: - key: app.kubernetes.io/instance operator: In values: - RELEASE-NAME - key: app.kubernetes.io/component operator: In values: - proxy topologyKey: kubernetes.io/hostname should set resources for wait-auth-update initContainer when set in values: 1: | affinity: podAntiAffinity: null automountServiceAccountToken: false containers: - args: - --diag-addr=0.0.0.0:3000 image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 imagePullPolicy: IfNotPresent lifecycle: preStop: exec: command: - teleport - wait - duration - 30s livenessProbe: failureThreshold: 6 httpGet: path: /healthz port: diag initialDelaySeconds: 5 periodSeconds: 5 timeoutSeconds: 5 name: teleport ports: - containerPort: 3080 name: tls protocol: TCP - containerPort: 3023 name: sshproxy protocol: TCP - containerPort: 3024 name: sshtun protocol: TCP - containerPort: 3026 name: kube protocol: TCP - containerPort: 3036 name: mysql protocol: TCP - containerPort: 3000 name: diag protocol: TCP readinessProbe: failureThreshold: 12 httpGet: path: /readyz port: diag initialDelaySeconds: 5 periodSeconds: 5 successThreshold: 1 timeoutSeconds: 5 resources: limits: cpu: 2 memory: 4Gi requests: cpu: 1 memory: 2Gi volumeMounts: - mountPath: /etc/teleport name: config readOnly: true - mountPath: /var/lib/teleport name: data - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: proxy-serviceaccount-token readOnly: true initContainers: - command: - teleport - wait - no-resolve - RELEASE-NAME-auth-v16.NAMESPACE.svc.cluster.local image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 name: wait-auth-update resources: limits: cpu: 1 memory: 512Mi requests: cpu: 0.1 memory: 256Mi serviceAccountName: RELEASE-NAME-proxy terminationGracePeriodSeconds: 60 topologySpreadConstraints: - labelSelector: matchLabels: app.kubernetes.io/component: proxy app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: teleport-cluster maxSkew: 1 topologyKey: kubernetes.io/hostname whenUnsatisfiable: ScheduleAnyway - labelSelector: matchLabels: app.kubernetes.io/component: proxy app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: teleport-cluster maxSkew: 1 topologyKey: topology.kubernetes.io/zone whenUnsatisfiable: ScheduleAnyway volumes: - name: proxy-serviceaccount-token projected: sources: - serviceAccountToken: path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: fieldPath: metadata.namespace path: namespace - configMap: name: RELEASE-NAME-proxy name: config - emptyDir: {} name: data should set resources when set in values: 1: | affinity: podAntiAffinity: null automountServiceAccountToken: false containers: - args: - --diag-addr=0.0.0.0:3000 image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 imagePullPolicy: IfNotPresent lifecycle: preStop: exec: command: - teleport - wait - duration - 30s livenessProbe: failureThreshold: 6 httpGet: path: /healthz port: diag initialDelaySeconds: 5 periodSeconds: 5 timeoutSeconds: 5 name: teleport ports: - containerPort: 3080 name: tls protocol: TCP - containerPort: 3023 name: sshproxy protocol: TCP - containerPort: 3024 name: sshtun protocol: TCP - containerPort: 3026 name: kube protocol: TCP - containerPort: 3036 name: mysql protocol: TCP - containerPort: 3000 name: diag protocol: TCP readinessProbe: failureThreshold: 12 httpGet: path: /readyz port: diag initialDelaySeconds: 5 periodSeconds: 5 successThreshold: 1 timeoutSeconds: 5 resources: limits: cpu: 2 memory: 4Gi requests: cpu: 1 memory: 2Gi volumeMounts: - mountPath: /etc/teleport name: config readOnly: true - mountPath: /var/lib/teleport name: data - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: proxy-serviceaccount-token readOnly: true initContainers: - command: - teleport - wait - no-resolve - RELEASE-NAME-auth-v16.NAMESPACE.svc.cluster.local image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 name: wait-auth-update resources: limits: cpu: 1 memory: 512Mi requests: cpu: 0.1 memory: 256Mi serviceAccountName: RELEASE-NAME-proxy terminationGracePeriodSeconds: 60 topologySpreadConstraints: - labelSelector: matchLabels: app.kubernetes.io/component: proxy app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: teleport-cluster maxSkew: 1 topologyKey: kubernetes.io/hostname whenUnsatisfiable: ScheduleAnyway - labelSelector: matchLabels: app.kubernetes.io/component: proxy app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: teleport-cluster maxSkew: 1 topologyKey: topology.kubernetes.io/zone whenUnsatisfiable: ScheduleAnyway volumes: - name: proxy-serviceaccount-token projected: sources: - serviceAccountToken: path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: fieldPath: metadata.namespace path: namespace - configMap: name: RELEASE-NAME-proxy name: config - emptyDir: {} name: data should set securityContext for initContainers when set in values: 1: | affinity: podAntiAffinity: null automountServiceAccountToken: false containers: - args: - --diag-addr=0.0.0.0:3000 image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 imagePullPolicy: IfNotPresent lifecycle: preStop: exec: command: - teleport - wait - duration - 30s livenessProbe: failureThreshold: 6 httpGet: path: /healthz port: diag initialDelaySeconds: 5 periodSeconds: 5 timeoutSeconds: 5 name: teleport ports: - containerPort: 3080 name: tls protocol: TCP - containerPort: 3023 name: sshproxy protocol: TCP - containerPort: 3024 name: sshtun protocol: TCP - containerPort: 3026 name: kube protocol: TCP - containerPort: 3036 name: mysql protocol: TCP - containerPort: 3000 name: diag protocol: TCP readinessProbe: failureThreshold: 12 httpGet: path: /readyz port: diag initialDelaySeconds: 5 periodSeconds: 5 successThreshold: 1 timeoutSeconds: 5 securityContext: allowPrivilegeEscalation: false privileged: false readOnlyRootFilesystem: false runAsGroup: 99 runAsNonRoot: true runAsUser: 99 volumeMounts: - mountPath: /etc/teleport name: config readOnly: true - mountPath: /var/lib/teleport name: data - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: proxy-serviceaccount-token readOnly: true initContainers: - command: - teleport - wait - no-resolve - RELEASE-NAME-auth-v16.NAMESPACE.svc.cluster.local image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 name: wait-auth-update securityContext: allowPrivilegeEscalation: false privileged: false readOnlyRootFilesystem: false runAsGroup: 99 runAsNonRoot: true runAsUser: 99 serviceAccountName: RELEASE-NAME-proxy terminationGracePeriodSeconds: 60 topologySpreadConstraints: - labelSelector: matchLabels: app.kubernetes.io/component: proxy app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: teleport-cluster maxSkew: 1 topologyKey: kubernetes.io/hostname whenUnsatisfiable: ScheduleAnyway - labelSelector: matchLabels: app.kubernetes.io/component: proxy app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: teleport-cluster maxSkew: 1 topologyKey: topology.kubernetes.io/zone whenUnsatisfiable: ScheduleAnyway volumes: - name: proxy-serviceaccount-token projected: sources: - serviceAccountToken: path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: fieldPath: metadata.namespace path: namespace - configMap: name: RELEASE-NAME-proxy name: config - emptyDir: {} name: data should set securityContext when set in values: 1: | affinity: podAntiAffinity: null automountServiceAccountToken: false containers: - args: - --diag-addr=0.0.0.0:3000 image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 imagePullPolicy: IfNotPresent lifecycle: preStop: exec: command: - teleport - wait - duration - 30s livenessProbe: failureThreshold: 6 httpGet: path: /healthz port: diag initialDelaySeconds: 5 periodSeconds: 5 timeoutSeconds: 5 name: teleport ports: - containerPort: 3080 name: tls protocol: TCP - containerPort: 3023 name: sshproxy protocol: TCP - containerPort: 3024 name: sshtun protocol: TCP - containerPort: 3026 name: kube protocol: TCP - containerPort: 3036 name: mysql protocol: TCP - containerPort: 3000 name: diag protocol: TCP readinessProbe: failureThreshold: 12 httpGet: path: /readyz port: diag initialDelaySeconds: 5 periodSeconds: 5 successThreshold: 1 timeoutSeconds: 5 securityContext: allowPrivilegeEscalation: false privileged: false readOnlyRootFilesystem: false runAsGroup: 99 runAsNonRoot: true runAsUser: 99 volumeMounts: - mountPath: /etc/teleport name: config readOnly: true - mountPath: /var/lib/teleport name: data - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: proxy-serviceaccount-token readOnly: true initContainers: - command: - teleport - wait - no-resolve - RELEASE-NAME-auth-v16.NAMESPACE.svc.cluster.local image: public.ecr.aws/gravitational/teleport-distroless:17.4.9 name: wait-auth-update securityContext: allowPrivilegeEscalation: false privileged: false readOnlyRootFilesystem: false runAsGroup: 99 runAsNonRoot: true runAsUser: 99 serviceAccountName: RELEASE-NAME-proxy terminationGracePeriodSeconds: 60 topologySpreadConstraints: - labelSelector: matchLabels: app.kubernetes.io/component: proxy app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: teleport-cluster maxSkew: 1 topologyKey: kubernetes.io/hostname whenUnsatisfiable: ScheduleAnyway - labelSelector: matchLabels: app.kubernetes.io/component: proxy app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: teleport-cluster maxSkew: 1 topologyKey: topology.kubernetes.io/zone whenUnsatisfiable: ScheduleAnyway volumes: - name: proxy-serviceaccount-token projected: sources: - serviceAccountToken: path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: fieldPath: metadata.namespace path: namespace - configMap: name: RELEASE-NAME-proxy name: config - emptyDir: {} name: data should set tolerations when set in values: 1: | - effect: NoExecute key: dedicated operator: Equal value: teleport - effect: NoSchedule key: dedicated operator: Equal value: teleport