# Rendered-manifest snapshots for the proxy Deployment of the teleport-cluster
# chart (the labels show chart and app version 15.3.7). Each top-level key is
# a test name, `1` is the snapshot index, and the literal block scalar is the
# expected rendered YAML.
# NOTE(review): this looks like generated helm-unittest snapshot output, so
# regenerate it with the test tool instead of hand-editing. The layout below
# was restored from a whitespace-collapsed copy; indentation inside the
# scalars is reconstructed and may differ from what the tool emits.
# Comments sit outside the block scalars on purpose: a `#` line inside `|`
# would become part of the compared string.

# Full Deployment with a non-default cluster domain: the wait-auth-update init
# container waits on RELEASE-NAME-auth-v14.NAMESPACE.svc.test.com instead of
# the svc.cluster.local name the other snapshots show.
# Security-relevant points visible in this rendering:
# - automountServiceAccountToken is false; the token, CA bundle and namespace
#   come from an explicit projected volume mounted read-only. The projection
#   sets no expirationSeconds or audience.
# - the diagnostics listener (--diag-addr) binds 0.0.0.0:3000 and backs the
#   /healthz and /readyz probes. NOTE(review): confirm no Service or
#   NetworkPolicy makes the diag port reachable from outside the cluster.
# - neither container carries a securityContext in this snapshot.
# - the annotation values 3 and 4 are rendered as unquoted integers, while
#   Kubernetes annotation values must be strings. NOTE(review): confirm the
#   test values are meant to be non-strings.
sets clusterDomain on Deployment Pods:
  1: |
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      annotations:
        kubernetes.io/deployment: test-annotation
        kubernetes.io/deployment-different: 3
      labels:
        app.kubernetes.io/component: proxy
        app.kubernetes.io/instance: RELEASE-NAME
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/name: teleport-cluster
        app.kubernetes.io/version: 15.3.7
        helm.sh/chart: teleport-cluster-15.3.7
        teleport.dev/majorVersion: "15"
      name: RELEASE-NAME-proxy
      namespace: NAMESPACE
    spec:
      replicas: 1
      selector:
        matchLabels:
          app.kubernetes.io/component: proxy
          app.kubernetes.io/instance: RELEASE-NAME
          app.kubernetes.io/name: teleport-cluster
      template:
        metadata:
          annotations:
            checksum/config: 30ed507562c0a982e772381732ae0e197e40b79d6d216f82f0e16c368a530b0f
            kubernetes.io/pod: test-annotation
            kubernetes.io/pod-different: 4
          labels:
            app.kubernetes.io/component: proxy
            app.kubernetes.io/instance: RELEASE-NAME
            app.kubernetes.io/managed-by: Helm
            app.kubernetes.io/name: teleport-cluster
            app.kubernetes.io/version: 15.3.7
            helm.sh/chart: teleport-cluster-15.3.7
            teleport.dev/majorVersion: "15"
        spec:
          affinity:
            podAntiAffinity: null
          automountServiceAccountToken: false
          containers:
          - args:
            - --diag-addr=0.0.0.0:3000
            image: public.ecr.aws/gravitational/teleport-distroless:15.3.7
            imagePullPolicy: IfNotPresent
            lifecycle:
              preStop:
                exec:
                  command:
                  - teleport
                  - wait
                  - duration
                  - 30s
            livenessProbe:
              failureThreshold: 6
              httpGet:
                path: /healthz
                port: diag
              initialDelaySeconds: 5
              periodSeconds: 5
              timeoutSeconds: 1
            name: teleport
            ports:
            - containerPort: 3080
              name: tls
              protocol: TCP
            - containerPort: 3023
              name: sshproxy
              protocol: TCP
            - containerPort: 3024
              name: sshtun
              protocol: TCP
            - containerPort: 3026
              name: kube
              protocol: TCP
            - containerPort: 3036
              name: mysql
              protocol: TCP
            - containerPort: 3000
              name: diag
              protocol: TCP
            readinessProbe:
              failureThreshold: 12
              httpGet:
                path: /readyz
                port: diag
              initialDelaySeconds: 5
              periodSeconds: 5
              timeoutSeconds: 1
            volumeMounts:
            - mountPath: /etc/teleport
              name: config
              readOnly: true
            - mountPath: /var/lib/teleport
              name: data
            - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
              name: proxy-serviceaccount-token
              readOnly: true
          initContainers:
          - command:
            - teleport
            - wait
            - no-resolve
            - RELEASE-NAME-auth-v14.NAMESPACE.svc.test.com
            image: public.ecr.aws/gravitational/teleport-distroless:15.3.7
            name: wait-auth-update
          serviceAccountName: RELEASE-NAME-proxy
          terminationGracePeriodSeconds: 60
          volumes:
          - name: proxy-serviceaccount-token
            projected:
              sources:
              - serviceAccountToken:
                  path: token
              - configMap:
                  items:
                  - key: ca.crt
                    path: ca.crt
                  name: kube-root-ca.crt
              - downwardAPI:
                  items:
                  - fieldRef:
                      fieldPath: metadata.namespace
                    path: namespace
          - configMap:
              name: RELEASE-NAME-proxy
            name: config
          - emptyDir: {}
            name: data

# initContainers list when extra init containers are set in values: the
# wait-auth-update container comes first, followed by teleport-init and
# teleport-init2 (presumably the two supplied by the test values). Both extra
# containers get the config mount read-only plus the data mount.
# The fixture uses `image: alpine` with no tag or digest. That is fine for a
# render test, but a mutable reference like that should not be copied into
# real values.
should provision initContainer correctly when set in values:
  1: |
    - command:
      - teleport
      - wait
      - no-resolve
      - RELEASE-NAME-auth-v14.NAMESPACE.svc.cluster.local
      image: public.ecr.aws/gravitational/teleport-distroless:15.3.7
      name: wait-auth-update
      resources:
        limits:
          cpu: 1
          memory: 512Mi
        requests:
          cpu: 0.1
          memory: 256Mi
    - args:
      - echo test
      image: alpine
      name: teleport-init
      resources:
        limits:
          cpu: 2
          memory: 4Gi
        requests:
          cpu: 1
          memory: 2Gi
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /var/lib/teleport
        name: data
    - args:
      - echo test2
      image: alpine
      name: teleport-init2
      resources:
        limits:
          cpu: 2
          memory: 4Gi
        requests:
          cpu: 1
          memory: 2Gi
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /var/lib/teleport
        name: data

# Affinity fragment when affinity is set in values: a hard node-affinity rule
# that only matches nodes labelled gravitational.io/dedicated=teleport.
should set affinity when set in values:
  1: |
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
        - matchExpressions:
          - key: gravitational.io/dedicated
            operator: In
            values:
            - teleport

# imagePullSecrets fragment: only the Secret's name is rendered here, not
# registry credentials.
should set imagePullSecrets when set in values:
  1: |
    - name: myRegistryKeySecretName

# Pod spec when nodeSelector is set in values: the spec gains a nodeSelector
# with environment=security and role=bastion. As in the first snapshot, no
# container securityContext is rendered.
should set nodeSelector when set in values:
  1: |
    affinity:
      podAntiAffinity: null
    automountServiceAccountToken: false
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      image: public.ecr.aws/gravitational/teleport-distroless:15.3.7
      imagePullPolicy: IfNotPresent
      lifecycle:
        preStop:
          exec:
            command:
            - teleport
            - wait
            - duration
            - 30s
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3080
        name: tls
        protocol: TCP
      - containerPort: 3023
        name: sshproxy
        protocol: TCP
      - containerPort: 3024
        name: sshtun
        protocol: TCP
      - containerPort: 3026
        name: kube
        protocol: TCP
      - containerPort: 3036
        name: mysql
        protocol: TCP
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /var/lib/teleport
        name: data
      - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
        name: proxy-serviceaccount-token
        readOnly: true
    initContainers:
    - command:
      - teleport
      - wait
      - no-resolve
      - RELEASE-NAME-auth-v14.NAMESPACE.svc.cluster.local
      image: public.ecr.aws/gravitational/teleport-distroless:15.3.7
      name: wait-auth-update
    nodeSelector:
      environment: security
      role: bastion
    serviceAccountName: RELEASE-NAME-proxy
    terminationGracePeriodSeconds: 60
    volumes:
    - name: proxy-serviceaccount-token
      projected:
        sources:
        - serviceAccountToken:
            path: token
        - configMap:
            items:
            - key: ca.crt
              path: ca.crt
            name: kube-root-ca.crt
        - downwardAPI:
            items:
            - fieldRef:
                fieldPath: metadata.namespace
              path: namespace
    - configMap:
        name: RELEASE-NAME-proxy
      name: config
    - emptyDir: {}
      name: data

# Affinity fragment when highAvailability.requireAntiAffinity is set: a hard
# pod anti-affinity rule keyed on kubernetes.io/hostname that matches pods
# with this release's instance label and the proxy component label.
should set required affinity when highAvailability.requireAntiAffinity is set:
  1: |
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
      - labelSelector:
          matchExpressions:
          - key: app.kubernetes.io/instance
            operator: In
            values:
            - RELEASE-NAME
          - key: app.kubernetes.io/component
            operator: In
            values:
            - proxy
        topologyKey: kubernetes.io/hostname

# Pod spec when resources are set for the wait-auth-update init container:
# the init container has its own limits and requests, separate from the ones
# on the teleport container. Explicit limits bound what either container can
# consume on a node.
should set resources for wait-auth-update initContainer when set in values:
  1: |
    affinity:
      podAntiAffinity: null
    automountServiceAccountToken: false
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      image: public.ecr.aws/gravitational/teleport-distroless:15.3.7
      imagePullPolicy: IfNotPresent
      lifecycle:
        preStop:
          exec:
            command:
            - teleport
            - wait
            - duration
            - 30s
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3080
        name: tls
        protocol: TCP
      - containerPort: 3023
        name: sshproxy
        protocol: TCP
      - containerPort: 3024
        name: sshtun
        protocol: TCP
      - containerPort: 3026
        name: kube
        protocol: TCP
      - containerPort: 3036
        name: mysql
        protocol: TCP
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      resources:
        limits:
          cpu: 2
          memory: 4Gi
        requests:
          cpu: 1
          memory: 2Gi
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /var/lib/teleport
        name: data
      - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
        name: proxy-serviceaccount-token
        readOnly: true
    initContainers:
    - command:
      - teleport
      - wait
      - no-resolve
      - RELEASE-NAME-auth-v14.NAMESPACE.svc.cluster.local
      image: public.ecr.aws/gravitational/teleport-distroless:15.3.7
      name: wait-auth-update
      resources:
        limits:
          cpu: 1
          memory: 512Mi
        requests:
          cpu: 0.1
          memory: 256Mi
    serviceAccountName: RELEASE-NAME-proxy
    terminationGracePeriodSeconds: 60
    volumes:
    - name: proxy-serviceaccount-token
      projected:
        sources:
        - serviceAccountToken:
            path: token
        - configMap:
            items:
            - key: ca.crt
              path: ca.crt
            name: kube-root-ca.crt
        - downwardAPI:
            items:
            - fieldRef:
                fieldPath: metadata.namespace
              path: namespace
    - configMap:
        name: RELEASE-NAME-proxy
      name: config
    - emptyDir: {}
      name: data

# Pod spec when resources are set in values. The rendered content is the same
# as in the wait-auth-update resources snapshot directly above.
should set resources when set in values:
  1: |
    affinity:
      podAntiAffinity: null
    automountServiceAccountToken: false
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      image: public.ecr.aws/gravitational/teleport-distroless:15.3.7
      imagePullPolicy: IfNotPresent
      lifecycle:
        preStop:
          exec:
            command:
            - teleport
            - wait
            - duration
            - 30s
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3080
        name: tls
        protocol: TCP
      - containerPort: 3023
        name: sshproxy
        protocol: TCP
      - containerPort: 3024
        name: sshtun
        protocol: TCP
      - containerPort: 3026
        name: kube
        protocol: TCP
      - containerPort: 3036
        name: mysql
        protocol: TCP
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      resources:
        limits:
          cpu: 2
          memory: 4Gi
        requests:
          cpu: 1
          memory: 2Gi
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /var/lib/teleport
        name: data
      - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
        name: proxy-serviceaccount-token
        readOnly: true
    initContainers:
    - command:
      - teleport
      - wait
      - no-resolve
      - RELEASE-NAME-auth-v14.NAMESPACE.svc.cluster.local
      image: public.ecr.aws/gravitational/teleport-distroless:15.3.7
      name: wait-auth-update
      resources:
        limits:
          cpu: 1
          memory: 512Mi
        requests:
          cpu: 0.1
          memory: 256Mi
    serviceAccountName: RELEASE-NAME-proxy
    terminationGracePeriodSeconds: 60
    volumes:
    - name: proxy-serviceaccount-token
      projected:
        sources:
        - serviceAccountToken:
            path: token
        - configMap:
            items:
            - key: ca.crt
              path: ca.crt
            name: kube-root-ca.crt
        - downwardAPI:
            items:
            - fieldRef:
                fieldPath: metadata.namespace
              path: namespace
    - configMap:
        name: RELEASE-NAME-proxy
      name: config
    - emptyDir: {}
      name: data

# Pod spec when a securityContext is set for init containers: the
# wait-auth-update init container and the teleport container both carry the
# same block (non-root UID/GID 99, allowPrivilegeEscalation false, privileged
# false).
# readOnlyRootFilesystem is false, and no capabilities drop or seccompProfile
# appears in this rendering. NOTE(review): these settings presumably come
# from the test values; confirm what production values set.
should set securityContext for initContainers when set in values:
  1: |
    affinity:
      podAntiAffinity: null
    automountServiceAccountToken: false
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      image: public.ecr.aws/gravitational/teleport-distroless:15.3.7
      imagePullPolicy: IfNotPresent
      lifecycle:
        preStop:
          exec:
            command:
            - teleport
            - wait
            - duration
            - 30s
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3080
        name: tls
        protocol: TCP
      - containerPort: 3023
        name: sshproxy
        protocol: TCP
      - containerPort: 3024
        name: sshtun
        protocol: TCP
      - containerPort: 3026
        name: kube
        protocol: TCP
      - containerPort: 3036
        name: mysql
        protocol: TCP
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        privileged: false
        readOnlyRootFilesystem: false
        runAsGroup: 99
        runAsNonRoot: true
        runAsUser: 99
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /var/lib/teleport
        name: data
      - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
        name: proxy-serviceaccount-token
        readOnly: true
    initContainers:
    - command:
      - teleport
      - wait
      - no-resolve
      - RELEASE-NAME-auth-v14.NAMESPACE.svc.cluster.local
      image: public.ecr.aws/gravitational/teleport-distroless:15.3.7
      name: wait-auth-update
      securityContext:
        allowPrivilegeEscalation: false
        privileged: false
        readOnlyRootFilesystem: false
        runAsGroup: 99
        runAsNonRoot: true
        runAsUser: 99
    serviceAccountName: RELEASE-NAME-proxy
    terminationGracePeriodSeconds: 60
    volumes:
    - name: proxy-serviceaccount-token
      projected:
        sources:
        - serviceAccountToken:
            path: token
        - configMap:
            items:
            - key: ca.crt
              path: ca.crt
            name: kube-root-ca.crt
        - downwardAPI:
            items:
            - fieldRef:
                fieldPath: metadata.namespace
              path: namespace
    - configMap:
        name: RELEASE-NAME-proxy
      name: config
    - emptyDir: {}
      name: data

# Pod spec when a securityContext is set in values. The rendered content is
# the same as in the initContainers securityContext snapshot directly above,
# including readOnlyRootFilesystem: false and the absence of a capabilities
# drop or seccompProfile.
should set securityContext when set in values:
  1: |
    affinity:
      podAntiAffinity: null
    automountServiceAccountToken: false
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      image: public.ecr.aws/gravitational/teleport-distroless:15.3.7
      imagePullPolicy: IfNotPresent
      lifecycle:
        preStop:
          exec:
            command:
            - teleport
            - wait
            - duration
            - 30s
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3080
        name: tls
        protocol: TCP
      - containerPort: 3023
        name: sshproxy
        protocol: TCP
      - containerPort: 3024
        name: sshtun
        protocol: TCP
      - containerPort: 3026
        name: kube
        protocol: TCP
      - containerPort: 3036
        name: mysql
        protocol: TCP
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        privileged: false
        readOnlyRootFilesystem: false
        runAsGroup: 99
        runAsNonRoot: true
        runAsUser: 99
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /var/lib/teleport
        name: data
      - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
        name: proxy-serviceaccount-token
        readOnly: true
    initContainers:
    - command:
      - teleport
      - wait
      - no-resolve
      - RELEASE-NAME-auth-v14.NAMESPACE.svc.cluster.local
      image: public.ecr.aws/gravitational/teleport-distroless:15.3.7
      name: wait-auth-update
      securityContext:
        allowPrivilegeEscalation: false
        privileged: false
        readOnlyRootFilesystem: false
        runAsGroup: 99
        runAsNonRoot: true
        runAsUser: 99
    serviceAccountName: RELEASE-NAME-proxy
    terminationGracePeriodSeconds: 60
    volumes:
    - name: proxy-serviceaccount-token
      projected:
        sources:
        - serviceAccountToken:
            path: token
        - configMap:
            items:
            - key: ca.crt
              path: ca.crt
            name: kube-root-ca.crt
        - downwardAPI:
            items:
            - fieldRef:
                fieldPath: metadata.namespace
              path: namespace
    - configMap:
        name: RELEASE-NAME-proxy
      name: config
    - emptyDir: {}
      name: data

# Tolerations fragment: the pod tolerates dedicated=teleport taints for both
# the NoExecute and NoSchedule effects.
should set tolerations when set in values:
  1: |
    - effect: NoExecute
      key: dedicated
      operator: Equal
      value: teleport
    - effect: NoSchedule
      key: dedicated
      operator: Equal
      value: teleport