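# Rendered-manifest snapshots: each top-level key is a test name and each
# numbered child is the expected output, stored as a literal block scalar.
# Everything inside a `|` block is snapshot data, so review notes live only on
# comment lines outside the blocks. Line structure and indentation were
# reconstructed from a whitespace-collapsed copy; no value was changed.
# NOTE(review): every container securityContext below drops capabilities as
# lowercase `all`. Kubernetes' restricted Pod Security Standard is written in
# terms of the literal `ALL`, so confirm the chart template's spelling before
# treating these snapshots as evidence of compliance.
sets Deployment annotations when specified if action is Upgrade:
  1: |
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      annotations:
        kubernetes.io/deployment: test-annotation
        kubernetes.io/deployment-different: 3
      labels:
        app: RELEASE-NAME
      name: RELEASE-NAME
      namespace: NAMESPACE
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: RELEASE-NAME
      template:
        metadata:
          annotations:
            checksum/config: 80088923d2d7ce4344db0f2174d29d7cfb2d599424adfabf6f6818a9434794ca
            kubernetes.io/pod: test-annotation
            kubernetes.io/pod-different: 4
          labels:
            app: RELEASE-NAME
        spec:
          containers:
          - args:
            - --diag-addr=0.0.0.0:3000
            env:
            - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
              value: "true"
            image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
            imagePullPolicy: IfNotPresent
            livenessProbe:
              failureThreshold: 6
              httpGet:
                path: /healthz
                port: diag
              initialDelaySeconds: 5
              periodSeconds: 5
              timeoutSeconds: 1
            name: teleport
            ports:
            - containerPort: 3000
              name: diag
              protocol: TCP
            readinessProbe:
              failureThreshold: 12
              httpGet:
                path: /readyz
                port: diag
              initialDelaySeconds: 5
              periodSeconds: 5
              timeoutSeconds: 1
            securityContext:
              allowPrivilegeEscalation: false
              capabilities:
                drop:
                - all
              readOnlyRootFilesystem: true
              runAsNonRoot: true
              runAsUser: 9807
            volumeMounts:
            - mountPath: /etc/teleport
              name: config
              readOnly: true
            - mountPath: /etc/teleport-secrets
              name: auth-token
              readOnly: true
            - mountPath: /var/lib/teleport
              name: data
          serviceAccountName: RELEASE-NAME
          volumes:
          - configMap:
              name: RELEASE-NAME
            name: config
          - name: auth-token
            secret:
              secretName: teleport-kube-agent-join-token
          - emptyDir: {}
            name: data
sets Deployment labels when specified if action is Upgrade:
  1: |
    replicas: 1
    selector:
      matchLabels:
        app: RELEASE-NAME
    template:
      metadata:
        annotations:
          checksum/config: db49feab9b174f73188febc30d2b01d27b16e5a76b586c6e87e6e62eb43620a2
        labels:
          app: RELEASE-NAME
          app.kubernetes.io/name: teleport-kube-agent
          resource: pod
      spec:
        containers:
        - args:
          - --diag-addr=0.0.0.0:3000
          env:
          - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
            value: "true"
          image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
          imagePullPolicy: IfNotPresent
          livenessProbe:
            failureThreshold: 6
            httpGet:
              path: /healthz
              port: diag
            initialDelaySeconds: 5
            periodSeconds: 5
            timeoutSeconds: 1
          name: teleport
          ports:
          - containerPort: 3000
            name: diag
            protocol: TCP
          readinessProbe:
            failureThreshold: 12
            httpGet:
              path: /readyz
              port: diag
            initialDelaySeconds: 5
            periodSeconds: 5
            timeoutSeconds: 1
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - all
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 9807
          volumeMounts:
          - mountPath: /etc/teleport
            name: config
            readOnly: true
          - mountPath: /etc/teleport-secrets
            name: auth-token
            readOnly: true
          - mountPath: /var/lib/teleport
            name: data
        serviceAccountName: RELEASE-NAME
        volumes:
        - configMap:
            name: RELEASE-NAME
          name: config
        - name: auth-token
          secret:
            secretName: teleport-kube-agent-join-token
        - emptyDir: {}
          name: data
sets Pod annotations when specified if action is Upgrade:
  1: |
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: data
    serviceAccountName: RELEASE-NAME
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
    - emptyDir: {}
      name: data
sets Pod labels when specified if action is Upgrade:
  1: |
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: data
    serviceAccountName: RELEASE-NAME
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
    - emptyDir: {}
      name: data
# Two identical snapshots of the default container securityContext: no
# privilege escalation, read-only root filesystem, non-root UID 9807.
sets by default a container security context if action is Upgrade:
  1: |
    allowPrivilegeEscalation: false
    capabilities:
      drop:
      - all
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    runAsUser: 9807
  2: |
    allowPrivilegeEscalation: false
    capabilities:
      drop:
      - all
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    runAsUser: 9807
should add emptyDir for data when existingDataVolume is not set if action is Upgrade:
  1: |
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: data
    serviceAccountName: RELEASE-NAME
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
    - emptyDir: {}
      name: data
# Opt-in path only: this is the one snapshot where `--insecure` is appended to
# args. Going by the values key in the test name it skips proxy TLS
# verification, so a change that introduces `--insecure` into any other
# snapshot deserves scrutiny in review.
should add insecureSkipProxyTLSVerify to args when set in values if action is Upgrade:
  1: |
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      - --insecure
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: data
    serviceAccountName: RELEASE-NAME
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
    - emptyDir: {}
      name: data
# With an existing data volume the /var/lib/teleport mount is renamed and the
# snapshot lists no emptyDir volume; the backing volume is not part of this
# output.
should correctly configure existingDataVolume when set if action is Upgrade:
  1: |
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: teleport-kube-agent-data
    serviceAccountName: RELEASE-NAME
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
should expose diag port if action is Upgrade:
  1: |
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: data
    serviceAccountName: RELEASE-NAME
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
    - emptyDir: {}
      name: data
should have multiple replicas when replicaCount is set (using .replicaCount, deprecated) if action is Upgrade:
  1: |
    affinity:
      podAntiAffinity:
        preferredDuringSchedulingIgnoredDuringExecution:
        - podAffinityTerm:
            labelSelector:
              matchExpressions:
              - key: app
                operator: In
                values:
                - RELEASE-NAME
            topologyKey: kubernetes.io/hostname
          weight: 50
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: data
    serviceAccountName: RELEASE-NAME
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
    - emptyDir: {}
      name: data
should have multiple replicas when replicaCount is set (using highAvailability.replicaCount) if action is Upgrade:
  1: |
    affinity:
      podAntiAffinity:
        preferredDuringSchedulingIgnoredDuringExecution:
        - podAffinityTerm:
            labelSelector:
              matchExpressions:
              - key: app
                operator: In
                values:
                - RELEASE-NAME
            topologyKey: kubernetes.io/hostname
          weight: 50
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: data
    serviceAccountName: RELEASE-NAME
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
    - emptyDir: {}
      name: data
should have one replica when replicaCount is not set if action is Upgrade:
  1: |
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: data
    serviceAccountName: RELEASE-NAME
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
    - emptyDir: {}
      name: data
# The extra secret volume is mounted without `readOnly: true`, unlike the
# chart's own config and auth-token mounts in the same snapshot.
should mount extraVolumes and extraVolumeMounts if action is Upgrade:
  1: |
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: data
      - mountPath: /path/to/mount
        name: my-mount
    serviceAccountName: RELEASE-NAME
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
    - emptyDir: {}
      name: data
    - name: my-mount
      secret:
        secretName: mySecret
# The CA secret is mounted read-only and SSL_CERT_FILE points at ca.pem inside
# that mount.
should mount tls.existingCASecretName and set environment when set in values if action is Upgrade:
  1: |
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      - name: SSL_CERT_FILE
        value: /etc/teleport-tls-ca/ca.pem
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: data
      - mountPath: /etc/teleport-tls-ca
        name: teleport-tls-ca
        readOnly: true
    serviceAccountName: RELEASE-NAME
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
    - emptyDir: {}
      name: data
    - name: teleport-tls-ca
      secret:
        secretName: helm-lint-existing-tls-secret-ca
# The fixture proxy URL embeds placeholder credentials. A value passed this way
# is rendered verbatim into the pod spec, where anyone able to read the
# Deployment can see it; real proxy credentials are better referenced from a
# Secret.
should mount tls.existingCASecretName and set extra environment when set in values if action is Upgrade:
  1: |
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      - name: HTTPS_PROXY
        value: http://username:password@my.proxy.host:3128
      - name: SSL_CERT_FILE
        value: /etc/teleport-tls-ca/ca.pem
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: data
      - mountPath: /etc/teleport-tls-ca
        name: teleport-tls-ca
        readOnly: true
    serviceAccountName: RELEASE-NAME
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
    - emptyDir: {}
      name: data
    - name: teleport-tls-ca
      secret:
        secretName: helm-lint-existing-tls-secret-ca
# The fixture initContainer uses `image: alpine` with no tag or digest. It is
# rendered with the same securityContext and volumeMounts as the main
# container, so it also gets the auth-token (join token) secret mount.
should provision initContainer correctly when set in values if action is Upgrade:
  1: |
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      resources:
        limits:
          cpu: 2
          memory: 4Gi
        requests:
          cpu: 1
          memory: 2Gi
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: data
    initContainers:
    - args:
      - echo test
      image: alpine
      name: teleport-init
      resources:
        limits:
          cpu: 2
          memory: 4Gi
        requests:
          cpu: 1
          memory: 2Gi
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: data
    serviceAccountName: RELEASE-NAME
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
    - emptyDir: {}
      name: data
should set SecurityContext if action is Upgrade:
  1: |
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: data
    serviceAccountName: RELEASE-NAME
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
    - emptyDir: {}
      name: data
should set affinity when set in values if action is Upgrade:
  1: |
    affinity:
      nodeAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
          nodeSelectorTerms:
          - matchExpressions:
            - key: gravitational.io/dedicated
              operator: In
              values:
              - teleport
      podAntiAffinity:
        preferredDuringSchedulingIgnoredDuringExecution:
        - podAffinityTerm:
            labelSelector:
              matchExpressions:
              - key: app
                operator: In
                values:
                - teleport
            topologyKey: kubernetes.io/hostname
          weight: 1
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: data
    serviceAccountName: RELEASE-NAME
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
    - emptyDir: {}
      name: data
should set default serviceAccountName when not set in values if action is Upgrade:
  1: |
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: data
    serviceAccountName: RELEASE-NAME
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
    - emptyDir: {}
      name: data
should set dnsConfig when set in values if action is Upgrade:
  1: |
    nameservers:
    - 1.2.3.4
    options:
    - name: ndots
      value: "2"
    - name: edns0
    searches:
    - ns1.svc.cluster-domain.example
    - my.dns.search.suffix
# The fixture HTTPS_PROXY value carries placeholder credentials in the URL.
# extraEnv values land in the pod spec in clear text, so a real proxy password
# is better supplied through a Secret reference than through this path.
should set environment when extraEnv set in values if action is Upgrade:
  1: |
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      - name: HTTPS_PROXY
        value: http://username:password@my.proxy.host:3128
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: data
    serviceAccountName: RELEASE-NAME
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
    - emptyDir: {}
      name: data
# Differs from the other snapshots only in the image tag (12.2.1).
should set image and tag correctly if action is Upgrade:
  1: |
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      image: public.ecr.aws/gravitational/teleport-distroless:12.2.1
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: data
    serviceAccountName: RELEASE-NAME
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
    - emptyDir: {}
      name: data
should set imagePullPolicy when set in values if action is Upgrade:
  1: |
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: Always
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: data
    serviceAccountName: RELEASE-NAME
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
    - emptyDir: {}
      name: data
should set nodeSelector if set in values if action is Upgrade:
  1: |
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: data
    nodeSelector:
      gravitational.io/k8s-role: node
    serviceAccountName: RELEASE-NAME
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
    - emptyDir: {}
      name: data
should set not set priorityClassName when not set in values if action is Upgrade:
  1: |
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: data
    serviceAccountName: RELEASE-NAME
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
    - emptyDir: {}
      name: data
should set preferred affinity when more than one replica is used if action is Upgrade:
  1: |
    affinity:
      podAntiAffinity:
        preferredDuringSchedulingIgnoredDuringExecution:
        - podAffinityTerm:
            labelSelector:
              matchExpressions:
              - key: app
                operator: In
                values:
                - RELEASE-NAME
            topologyKey: kubernetes.io/hostname
          weight: 50
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: data
    serviceAccountName: RELEASE-NAME
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
    - emptyDir: {}
      name: data
should set priorityClassName when set in values if action is Upgrade:
  1: |
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: data
    priorityClassName: teleport-kube-agent
    serviceAccountName: RELEASE-NAME
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
    - emptyDir: {}
      name: data
# Both probes carry timeoutSeconds: 5 here instead of the default 1.
should set probeTimeoutSeconds when set in values if action is Upgrade:
  1: |
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 5
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 5
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: data
    serviceAccountName: RELEASE-NAME
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
    - emptyDir: {}
      name: data
should set required affinity when highAvailability.requireAntiAffinity is set if action is Upgrade:
  1: |
    affinity:
      podAntiAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchExpressions:
            - key: app
              operator: In
              values:
              - RELEASE-NAME
          topologyKey: kubernetes.io/hostname
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: data
    serviceAccountName: RELEASE-NAME
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
    - emptyDir: {}
      name: data
should set resources when set in values if action is Upgrade:
  1: |
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      resources:
        limits:
          cpu: 2
          memory: 4Gi
        requests:
          cpu: 1
          memory: 2Gi
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: data
    serviceAccountName: RELEASE-NAME
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
    - emptyDir: {}
      name: data
# Only serviceAccountName changes; the config ConfigMap reference keeps the
# release name.
should set serviceAccountName when set in values if action is Upgrade:
  1: |
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: data
    serviceAccountName: teleport-kube-agent-sa
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
    - emptyDir: {}
      name: data
should set tolerations when set in values if action is Upgrade:
  1: |
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: data
    serviceAccountName: RELEASE-NAME
    tolerations:
    - effect: NoExecute
      key: dedicated
      operator: Equal
      value: teleport
    - effect: NoSchedule
      key: dedicated
      operator: Equal
      value: teleport
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
    - emptyDir: {}
      name: data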