? should not add named PersistentVolumeClaim as volume when in scratch mode, persistence.existingClaimName is set and persistence.enabled is false : 1: | affinity: podAntiAffinity: null automountServiceAccountToken: false containers: - args: - --diag-addr=0.0.0.0:3000 - --apply-on-startup=/etc/teleport/apply-on-startup.yaml image: public.ecr.aws/gravitational/teleport-distroless:15.0.1 imagePullPolicy: IfNotPresent lifecycle: preStop: exec: command: - teleport - wait - duration - 30s livenessProbe: failureThreshold: 6 httpGet: path: /healthz port: diag initialDelaySeconds: 5 periodSeconds: 5 timeoutSeconds: 1 name: teleport ports: - containerPort: 3000 name: diag protocol: TCP - containerPort: 3025 name: auth protocol: TCP - containerPort: 3026 name: kube protocol: TCP readinessProbe: failureThreshold: 12 httpGet: path: /readyz port: diag initialDelaySeconds: 5 periodSeconds: 5 timeoutSeconds: 1 volumeMounts: - mountPath: /etc/teleport name: config readOnly: true - mountPath: /var/lib/teleport name: data - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: auth-serviceaccount-token readOnly: true serviceAccountName: RELEASE-NAME terminationGracePeriodSeconds: 60 volumes: - name: auth-serviceaccount-token projected: sources: - serviceAccountToken: path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: fieldPath: metadata.namespace path: namespace - configMap: name: RELEASE-NAME-auth name: config - emptyDir: {} name: data should provision initContainer correctly when set in values: 1: | - args: - echo test image: alpine name: teleport-init resources: limits: cpu: 2 memory: 4Gi requests: cpu: 1 memory: 2Gi volumeMounts: - mountPath: /etc/teleport name: config readOnly: true - mountPath: /var/lib/teleport name: data - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: auth-serviceaccount-token readOnly: true - args: - echo test2 image: alpine name: teleport-init2 resources: limits: cpu: 2 memory: 4Gi requests: cpu: 1 memory: 2Gi volumeMounts: - mountPath: /etc/teleport name: config readOnly: true - mountPath: /var/lib/teleport name: data - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: auth-serviceaccount-token readOnly: true should set affinity when set in values: 1: | nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: gravitational.io/dedicated operator: In values: - teleport should set imagePullSecrets when set in values: 1: | - name: myRegistryKeySecretName should set nodeSelector when set in values: 1: | affinity: podAntiAffinity: null automountServiceAccountToken: false containers: - args: - --diag-addr=0.0.0.0:3000 - --apply-on-startup=/etc/teleport/apply-on-startup.yaml image: public.ecr.aws/gravitational/teleport-distroless:15.0.1 imagePullPolicy: IfNotPresent lifecycle: preStop: exec: command: - teleport - wait - duration - 30s livenessProbe: failureThreshold: 6 httpGet: path: /healthz port: diag initialDelaySeconds: 5 periodSeconds: 5 timeoutSeconds: 1 name: teleport ports: - containerPort: 3000 name: diag protocol: TCP - containerPort: 3025 name: auth protocol: TCP - containerPort: 3026 name: kube protocol: TCP readinessProbe: failureThreshold: 12 httpGet: path: /readyz port: diag initialDelaySeconds: 5 periodSeconds: 5 timeoutSeconds: 1 volumeMounts: - mountPath: /etc/teleport name: config readOnly: true - mountPath: /var/lib/teleport name: data - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: auth-serviceaccount-token readOnly: true nodeSelector: environment: security role: bastion serviceAccountName: RELEASE-NAME terminationGracePeriodSeconds: 60 volumes: - name: auth-serviceaccount-token projected: sources: - serviceAccountToken: path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: fieldPath: metadata.namespace path: namespace - configMap: name: RELEASE-NAME-auth name: config - name: data persistentVolumeClaim: claimName: RELEASE-NAME should set required affinity when highAvailability.requireAntiAffinity is set: 1: | podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchExpressions: - key: app.kubernetes.io/instance operator: In values: - RELEASE-NAME - key: app.kubernetes.io/component operator: In values: - auth topologyKey: kubernetes.io/hostname should set resources when set in values: 1: | affinity: podAntiAffinity: null automountServiceAccountToken: false containers: - args: - --diag-addr=0.0.0.0:3000 - --apply-on-startup=/etc/teleport/apply-on-startup.yaml image: public.ecr.aws/gravitational/teleport-distroless:15.0.1 imagePullPolicy: IfNotPresent lifecycle: preStop: exec: command: - teleport - wait - duration - 30s livenessProbe: failureThreshold: 6 httpGet: path: /healthz port: diag initialDelaySeconds: 5 periodSeconds: 5 timeoutSeconds: 1 name: teleport ports: - containerPort: 3000 name: diag protocol: TCP - containerPort: 3025 name: auth protocol: TCP - containerPort: 3026 name: kube protocol: TCP readinessProbe: failureThreshold: 12 httpGet: path: /readyz port: diag initialDelaySeconds: 5 periodSeconds: 5 timeoutSeconds: 1 resources: limits: cpu: 2 memory: 4Gi requests: cpu: 1 memory: 2Gi volumeMounts: - mountPath: /etc/teleport name: config readOnly: true - mountPath: /var/lib/teleport name: data - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: auth-serviceaccount-token readOnly: true serviceAccountName: RELEASE-NAME terminationGracePeriodSeconds: 60 volumes: - name: auth-serviceaccount-token projected: sources: - serviceAccountToken: path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: fieldPath: metadata.namespace path: namespace - configMap: name: RELEASE-NAME-auth name: config - name: data persistentVolumeClaim: claimName: RELEASE-NAME should set securityContext when set in values: 1: | affinity: podAntiAffinity: null automountServiceAccountToken: false containers: - args: - --diag-addr=0.0.0.0:3000 - --apply-on-startup=/etc/teleport/apply-on-startup.yaml image: public.ecr.aws/gravitational/teleport-distroless:15.0.1 imagePullPolicy: IfNotPresent lifecycle: preStop: exec: command: - teleport - wait - duration - 30s livenessProbe: failureThreshold: 6 httpGet: path: /healthz port: diag initialDelaySeconds: 5 periodSeconds: 5 timeoutSeconds: 1 name: teleport ports: - containerPort: 3000 name: diag protocol: TCP - containerPort: 3025 name: auth protocol: TCP - containerPort: 3026 name: kube protocol: TCP readinessProbe: failureThreshold: 12 httpGet: path: /readyz port: diag initialDelaySeconds: 5 periodSeconds: 5 timeoutSeconds: 1 securityContext: allowPrivilegeEscalation: false privileged: false readOnlyRootFilesystem: false runAsGroup: 99 runAsNonRoot: true runAsUser: 99 volumeMounts: - mountPath: /etc/teleport name: config readOnly: true - mountPath: /var/lib/teleport name: data - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: auth-serviceaccount-token readOnly: true serviceAccountName: RELEASE-NAME terminationGracePeriodSeconds: 60 volumes: - name: auth-serviceaccount-token projected: sources: - serviceAccountToken: path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: fieldPath: metadata.namespace path: namespace - configMap: name: RELEASE-NAME-auth name: config - name: data persistentVolumeClaim: claimName: RELEASE-NAME should set tolerations when set in values: 1: | - effect: NoExecute key: dedicated operator: Equal value: teleport - effect: NoSchedule key: dedicated operator: Equal value: teleport should use OSS image and not mount license when enterprise is not set in values: 1: | affinity: podAntiAffinity: null automountServiceAccountToken: false containers: - args: - --diag-addr=0.0.0.0:3000 - --apply-on-startup=/etc/teleport/apply-on-startup.yaml image: public.ecr.aws/gravitational/teleport-distroless:12.2.1 imagePullPolicy: IfNotPresent lifecycle: preStop: exec: command: - teleport - wait - duration - 30s livenessProbe: failureThreshold: 6 httpGet: path: /healthz port: diag initialDelaySeconds: 5 periodSeconds: 5 timeoutSeconds: 1 name: teleport ports: - containerPort: 3000 name: diag protocol: TCP - containerPort: 3025 name: auth protocol: TCP - containerPort: 3026 name: kube protocol: TCP readinessProbe: failureThreshold: 12 httpGet: path: /readyz port: diag initialDelaySeconds: 5 periodSeconds: 5 timeoutSeconds: 1 volumeMounts: - mountPath: /etc/teleport name: config readOnly: true - mountPath: /var/lib/teleport name: data - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: auth-serviceaccount-token readOnly: true serviceAccountName: RELEASE-NAME terminationGracePeriodSeconds: 60 volumes: - name: auth-serviceaccount-token projected: sources: - serviceAccountToken: path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: fieldPath: metadata.namespace path: namespace - configMap: name: RELEASE-NAME-auth name: config - name: data persistentVolumeClaim: claimName: RELEASE-NAME