# Rendered-manifest snapshots for the teleport-kube-agent StatefulSet template.
# Each top-level key is a test name; `1: |` (and `2: |`) hold the expected
# output as a literal string, so any edit inside those scalars changes what the
# test compares against. The layout looks like helm-unittest's snapshot
# format -- TODO confirm; regenerate these rather than hand-editing them.
# RELEASE-NAME and NAMESPACE are render-time placeholders, not real names.
#
# Hardening baseline visible in every pod spec below: UID 9807 with
# runAsNonRoot, read-only root filesystem, no privilege escalation, all
# capabilities dropped, and the config and join-token volumes mounted
# read-only. A snapshot diff that weakens any of these deserves a close look.

# Pod spec expected when pod annotations are supplied. Only the pod `spec` is
# captured, so the annotations themselves are not visible in this snapshot.
sets Pod annotations when specified:
  1: |
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      - name: TELEPORT_REPLICA_NAME
        valueFrom:
          fieldRef:
            fieldPath: metadata.name
      - name: KUBE_NAMESPACE
        valueFrom:
          fieldRef:
            fieldPath: metadata.namespace
      - name: RELEASE_NAME
        value: RELEASE-NAME
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: RELEASE-NAME-teleport-data
    securityContext:
      fsGroup: 9807
    serviceAccountName: RELEASE-NAME
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
# Pod spec expected when pod labels are supplied; as above, only `spec` is
# captured, so the labels are not part of this fragment.
sets Pod labels when specified:
  1: |
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      - name: TELEPORT_REPLICA_NAME
        valueFrom:
          fieldRef:
            fieldPath: metadata.name
      - name: KUBE_NAMESPACE
        valueFrom:
          fieldRef:
            fieldPath: metadata.namespace
      - name: RELEASE_NAME
        value: RELEASE-NAME
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: RELEASE-NAME-teleport-data
    securityContext:
      fsGroup: 9807
    serviceAccountName: RELEASE-NAME
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
# Full StatefulSet with custom labels on the object (`resource: deployment`)
# and on the pod template (`resource: pod`); the label values are fixtures.
# checksum/config presumably hashes the rendered config so that a config
# change rolls the pods -- TODO confirm against the template.
sets StatefulSet labels when specified:
  1: |
    apiVersion: apps/v1
    kind: StatefulSet
    metadata:
      labels:
        app: RELEASE-NAME
        app.kubernetes.io/name: teleport-kube-agent
        resource: deployment
      name: RELEASE-NAME
      namespace: NAMESPACE
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: RELEASE-NAME
      serviceName: RELEASE-NAME
      template:
        metadata:
          annotations:
            checksum/config: db49feab9b174f73188febc30d2b01d27b16e5a76b586c6e87e6e62eb43620a2
          labels:
            app: RELEASE-NAME
            app.kubernetes.io/name: teleport-kube-agent
            resource: pod
        spec:
          containers:
          - args:
            - --diag-addr=0.0.0.0:3000
            env:
            - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
              value: "true"
            - name: TELEPORT_REPLICA_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: KUBE_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: RELEASE_NAME
              value: RELEASE-NAME
            image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
            imagePullPolicy: IfNotPresent
            livenessProbe:
              failureThreshold: 6
              httpGet:
                path: /healthz
                port: diag
              initialDelaySeconds: 5
              periodSeconds: 5
              timeoutSeconds: 1
            name: teleport
            ports:
            - containerPort: 3000
              name: diag
              protocol: TCP
            readinessProbe:
              failureThreshold: 12
              httpGet:
                path: /readyz
                port: diag
              initialDelaySeconds: 5
              periodSeconds: 5
              timeoutSeconds: 1
            securityContext:
              allowPrivilegeEscalation: false
              capabilities:
                drop:
                - all
              readOnlyRootFilesystem: true
              runAsNonRoot: true
              runAsUser: 9807
            volumeMounts:
            - mountPath: /etc/teleport
              name: config
              readOnly: true
            - mountPath: /etc/teleport-secrets
              name: auth-token
              readOnly: true
            - mountPath: /var/lib/teleport
              name: RELEASE-NAME-teleport-data
          securityContext:
            fsGroup: 9807
          serviceAccountName: RELEASE-NAME
          volumes:
          - configMap:
              name: RELEASE-NAME
            name: config
          - name: auth-token
            secret:
              secretName: teleport-kube-agent-join-token
      volumeClaimTemplates:
      - metadata:
          name: RELEASE-NAME-teleport-data
        spec:
          accessModes:
          - ReadWriteOnce
          resources:
            requests:
              storage: 128Mi
          storageClassName: aws-gp2
# Default container securityContext, captured twice (`1` and `2`) with
# identical content.
# NOTE(review): `drop` lists lowercase `all`, while the Pod Security Standards
# "restricted" profile is written in terms of `ALL`; confirm the admission
# policy in use accepts this spelling. No seccompProfile is set here.
sets by default a container security context:
  1: |
    allowPrivilegeEscalation: false
    capabilities:
      drop:
      - all
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    runAsUser: 9807
  2: |
    allowPrivilegeEscalation: false
    capabilities:
      drop:
      - all
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    runAsUser: 9807
# Opt-in only: `--insecure` is in args solely because
# insecureSkipProxyTLSVerify is set in the test values; every other snapshot
# visible here has `--diag-addr` as its only arg. Going by the value name, the
# flag turns off TLS verification of the proxy, so a diff that adds
# `--insecure` to any other snapshot should be treated as a regression.
should add insecureSkipProxyTLSVerify to args when set in values:
  1: |
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      - --insecure
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      - name: TELEPORT_REPLICA_NAME
        valueFrom:
          fieldRef:
            fieldPath: metadata.name
      - name: KUBE_NAMESPACE
        valueFrom:
          fieldRef:
            fieldPath: metadata.namespace
      - name: RELEASE_NAME
        value: RELEASE-NAME
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: RELEASE-NAME-teleport-data
    securityContext:
      fsGroup: 9807
    serviceAccountName: RELEASE-NAME
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
# Upgrade path: pod spec only. The data mount at /var/lib/teleport uses the
# claim name RELEASE-NAME-teleport-data and no emptyDir volume is listed.
should add volumeClaimTemplate for data volume when using StatefulSet and action is an Upgrade:
  1: |
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      - name: TELEPORT_REPLICA_NAME
        valueFrom:
          fieldRef:
            fieldPath: metadata.name
      - name: KUBE_NAMESPACE
        valueFrom:
          fieldRef:
            fieldPath: metadata.namespace
      - name: RELEASE_NAME
        value: RELEASE-NAME
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: RELEASE-NAME-teleport-data
    securityContext:
      fsGroup: 9807
    serviceAccountName: RELEASE-NAME
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
# Fresh install: full StatefulSet including volumeClaimTemplates (128Mi,
# ReadWriteOnce, storageClassName aws-gp2 -- fixture values).
should add volumeClaimTemplate for data volume when using StatefulSet and is Fresh Install:
  1: |
    apiVersion: apps/v1
    kind: StatefulSet
    metadata:
      labels:
        app: RELEASE-NAME
      name: RELEASE-NAME
      namespace: NAMESPACE
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: RELEASE-NAME
      serviceName: RELEASE-NAME
      template:
        metadata:
          annotations:
            checksum/config: 6e010c147e8d81d244e7aafdcee7e652cdb4d5640fb7f14d0e1ebb7832f943a5
          labels:
            app: RELEASE-NAME
        spec:
          containers:
          - args:
            - --diag-addr=0.0.0.0:3000
            env:
            - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
              value: "true"
            - name: TELEPORT_REPLICA_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: KUBE_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: RELEASE_NAME
              value: RELEASE-NAME
            image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
            imagePullPolicy: IfNotPresent
            livenessProbe:
              failureThreshold: 6
              httpGet:
                path: /healthz
                port: diag
              initialDelaySeconds: 5
              periodSeconds: 5
              timeoutSeconds: 1
            name: teleport
            ports:
            - containerPort: 3000
              name: diag
              protocol: TCP
            readinessProbe:
              failureThreshold: 12
              httpGet:
                path: /readyz
                port: diag
              initialDelaySeconds: 5
              periodSeconds: 5
              timeoutSeconds: 1
            securityContext:
              allowPrivilegeEscalation: false
              capabilities:
                drop:
                - all
              readOnlyRootFilesystem: true
              runAsNonRoot: true
              runAsUser: 9807
            volumeMounts:
            - mountPath: /etc/teleport
              name: config
              readOnly: true
            - mountPath: /etc/teleport-secrets
              name: auth-token
              readOnly: true
            - mountPath: /var/lib/teleport
              name: RELEASE-NAME-teleport-data
          securityContext:
            fsGroup: 9807
          serviceAccountName: RELEASE-NAME
          volumes:
          - configMap:
              name: RELEASE-NAME
            name: config
          - name: auth-token
            secret:
              secretName: teleport-kube-agent-join-token
      volumeClaimTemplates:
      - metadata:
          name: RELEASE-NAME-teleport-data
        spec:
          accessModes:
          - ReadWriteOnce
          resources:
            requests:
              storage: 128Mi
          storageClassName: aws-gp2
# The data volume is mounted read-write at /var/lib/teleport; it is the only
# chart-managed mount without `readOnly: true`.
should add volumeMount for data volume when using StatefulSet:
  1: |
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      - name: TELEPORT_REPLICA_NAME
        valueFrom:
          fieldRef:
            fieldPath: metadata.name
      - name: KUBE_NAMESPACE
        valueFrom:
          fieldRef:
            fieldPath: metadata.namespace
      - name: RELEASE_NAME
        value: RELEASE-NAME
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: RELEASE-NAME-teleport-data
    securityContext:
      fsGroup: 9807
    serviceAccountName: RELEASE-NAME
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
# Diagnostics listener: `--diag-addr=0.0.0.0:3000` binds all interfaces and
# backs the /healthz and /readyz probes through the named port `diag`.
# NOTE(review): whatever else is served on this port is reachable from the pod
# network unless a NetworkPolicy restricts it -- confirm what it exposes.
should expose diag port:
  1: |
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      - name: TELEPORT_REPLICA_NAME
        valueFrom:
          fieldRef:
            fieldPath: metadata.name
      - name: KUBE_NAMESPACE
        valueFrom:
          fieldRef:
            fieldPath: metadata.namespace
      - name: RELEASE_NAME
        value: RELEASE-NAME
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: RELEASE-NAME-teleport-data
    securityContext:
      fsGroup: 9807
    serviceAccountName: RELEASE-NAME
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
# Rendered-manifest snapshots for the teleport-kube-agent StatefulSet template
# (continued). Each top-level key is a test name and `1: |` holds the expected
# output as a literal string, so edits inside the scalars change what the test
# compares against; regenerate rather than hand-edit. RELEASE-NAME is a
# render-time placeholder. Every pod spec here keeps the same container
# hardening: UID 9807 with runAsNonRoot, read-only root filesystem, no
# privilege escalation, all capabilities dropped, read-only config and
# join-token mounts. Images are referenced by tag, not by digest.

# Storage disabled (upgrade): /var/lib/teleport is backed by `emptyDir: {}`
# (volume `data`), so its contents do not outlive the pod.
# NOTE(review): presumably the agent keeps its state there -- confirm what a
# pod restart means for re-joining with the mounted join token.
should generate Statefulset when storage is disabled and mode is a Upgrade:
  1: |
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      - name: TELEPORT_REPLICA_NAME
        valueFrom:
          fieldRef:
            fieldPath: metadata.name
      - name: KUBE_NAMESPACE
        valueFrom:
          fieldRef:
            fieldPath: metadata.namespace
      - name: RELEASE_NAME
        value: RELEASE-NAME
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: data
    securityContext:
      fsGroup: 9807
    serviceAccountName: RELEASE-NAME
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
    - emptyDir: {}
      name: data
# Deprecated `.replicaCount` spelling: the pod spec gains a soft (preferred,
# weight 50) pod anti-affinity on kubernetes.io/hostname. The replica count
# itself is not part of this fragment.
should have multiple replicas when replicaCount is set (using .replicaCount, deprecated):
  1: |
    affinity:
      podAntiAffinity:
        preferredDuringSchedulingIgnoredDuringExecution:
        - podAffinityTerm:
            labelSelector:
              matchExpressions:
              - key: app
                operator: In
                values:
                - RELEASE-NAME
            topologyKey: kubernetes.io/hostname
          weight: 50
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      - name: TELEPORT_REPLICA_NAME
        valueFrom:
          fieldRef:
            fieldPath: metadata.name
      - name: KUBE_NAMESPACE
        valueFrom:
          fieldRef:
            fieldPath: metadata.namespace
      - name: RELEASE_NAME
        value: RELEASE-NAME
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: RELEASE-NAME-teleport-data
    securityContext:
      fsGroup: 9807
    serviceAccountName: RELEASE-NAME
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
# Current `highAvailability.replicaCount` spelling: the expected pod spec is
# identical to the deprecated-spelling snapshot above.
should have multiple replicas when replicaCount is set (using highAvailability.replicaCount):
  1: |
    affinity:
      podAntiAffinity:
        preferredDuringSchedulingIgnoredDuringExecution:
        - podAffinityTerm:
            labelSelector:
              matchExpressions:
              - key: app
                operator: In
                values:
                - RELEASE-NAME
            topologyKey: kubernetes.io/hostname
          weight: 50
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      - name: TELEPORT_REPLICA_NAME
        valueFrom:
          fieldRef:
            fieldPath: metadata.name
      - name: KUBE_NAMESPACE
        valueFrom:
          fieldRef:
            fieldPath: metadata.namespace
      - name: RELEASE_NAME
        value: RELEASE-NAME
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: RELEASE-NAME-teleport-data
    securityContext:
      fsGroup: 9807
    serviceAccountName: RELEASE-NAME
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
# Default replica case: no `affinity` block is rendered.
should have one replica when replicaCount is not set:
  1: |
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      - name: TELEPORT_REPLICA_NAME
        valueFrom:
          fieldRef:
            fieldPath: metadata.name
      - name: KUBE_NAMESPACE
        valueFrom:
          fieldRef:
            fieldPath: metadata.namespace
      - name: RELEASE_NAME
        value: RELEASE-NAME
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: RELEASE-NAME-teleport-data
    securityContext:
      fsGroup: 9807
    serviceAccountName: RELEASE-NAME
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
# Storage disabled (fresh install): same shape as the upgrade case, with
# /var/lib/teleport on an `emptyDir` volume named `data`.
should install Statefulset when storage is disabled and mode is a Fresh Install:
  1: |
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      - name: TELEPORT_REPLICA_NAME
        valueFrom:
          fieldRef:
            fieldPath: metadata.name
      - name: KUBE_NAMESPACE
        valueFrom:
          fieldRef:
            fieldPath: metadata.namespace
      - name: RELEASE_NAME
        value: RELEASE-NAME
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: data
    securityContext:
      fsGroup: 9807
    serviceAccountName: RELEASE-NAME
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
    - emptyDir: {}
      name: data
# extraVolumes / extraVolumeMounts pass through: secret `mySecret` is mounted
# at /path/to/mount as `my-mount` (fixture names). Unlike the chart's own
# config and token mounts, the extra mount carries no `readOnly: true`; that
# is left to whoever writes the values.
should mount extraVolumes and extraVolumeMounts:
  1: |
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      - name: TELEPORT_REPLICA_NAME
        valueFrom:
          fieldRef:
            fieldPath: metadata.name
      - name: KUBE_NAMESPACE
        valueFrom:
          fieldRef:
            fieldPath: metadata.namespace
      - name: RELEASE_NAME
        value: RELEASE-NAME
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: RELEASE-NAME-teleport-data
      - mountPath: /path/to/mount
        name: my-mount
    securityContext:
      fsGroup: 9807
    serviceAccountName: RELEASE-NAME
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
    - name: my-mount
      secret:
        secretName: mySecret
# tls.existingCASecretName: the CA secret is mounted read-only at
# /etc/teleport-tls-ca and SSL_CERT_FILE points at ca.pem inside it.
# NOTE(review): SSL_CERT_FILE typically replaces, rather than extends, the
# default trust bundle -- confirm that is the intended trust scope.
should mount tls.existingCASecretName and set environment when set in values:
  1: |
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      - name: TELEPORT_REPLICA_NAME
        valueFrom:
          fieldRef:
            fieldPath: metadata.name
      - name: KUBE_NAMESPACE
        valueFrom:
          fieldRef:
            fieldPath: metadata.namespace
      - name: RELEASE_NAME
        value: RELEASE-NAME
      - name: SSL_CERT_FILE
        value: /etc/teleport-tls-ca/ca.pem
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: data
      - mountPath: /etc/teleport-tls-ca
        name: teleport-tls-ca
        readOnly: true
    securityContext:
      fsGroup: 9807
    serviceAccountName: RELEASE-NAME
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
    - emptyDir: {}
      name: data
    - name: teleport-tls-ca
      secret:
        secretName: helm-lint-existing-tls-secret-ca
# CA secret plus extraEnv. The HTTPS_PROXY fixture embeds `username:password`
# in a plain `value:`; rendered this way, real proxy credentials would be
# readable by anyone who can read the StatefulSet or pod spec.
# NOTE(review): check whether extraEnv accepts a Secret-backed `valueFrom`
# entry for real credentials.
should mount tls.existingCASecretName and set extra environment when set in values:
  1: |
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      - name: TELEPORT_REPLICA_NAME
        valueFrom:
          fieldRef:
            fieldPath: metadata.name
      - name: KUBE_NAMESPACE
        valueFrom:
          fieldRef:
            fieldPath: metadata.namespace
      - name: RELEASE_NAME
        value: RELEASE-NAME
      - name: SSL_CERT_FILE
        value: /etc/teleport-tls-ca/ca.pem
      - name: HTTPS_PROXY
        value: http://username:password@my.proxy.host:3128
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: data
      - mountPath: /etc/teleport-tls-ca
        name: teleport-tls-ca
        readOnly: true
    securityContext:
      fsGroup: 9807
    serviceAccountName: RELEASE-NAME
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
    - emptyDir: {}
      name: data
    - name: teleport-tls-ca
      secret:
        secretName: helm-lint-existing-tls-secret-ca
# Persistent-storage case: `volumes` lists only config and auth-token, with
# no emptyDir entry for the data mount.
should not add emptyDir for data when using StatefulSet:
  1: |
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      - name: TELEPORT_REPLICA_NAME
        valueFrom:
          fieldRef:
            fieldPath: metadata.name
      - name: KUBE_NAMESPACE
        valueFrom:
          fieldRef:
            fieldPath: metadata.namespace
      - name: RELEASE_NAME
        value: RELEASE-NAME
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: RELEASE-NAME-teleport-data
    securityContext:
      fsGroup: 9807
    serviceAccountName: RELEASE-NAME
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
# initContainers fixture (`image: alpine`, no tag or digest). The init
# container is rendered with the same securityContext, resources and
# volumeMounts as the main container, which includes the read-only join-token
# mount at /etc/teleport-secrets -- any image configured here can read that
# token, so init images need the same trust as the agent image.
should provision initContainer correctly when set in values:
  1: |
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      - name: TELEPORT_REPLICA_NAME
        valueFrom:
          fieldRef:
            fieldPath: metadata.name
      - name: KUBE_NAMESPACE
        valueFrom:
          fieldRef:
            fieldPath: metadata.namespace
      - name: RELEASE_NAME
        value: RELEASE-NAME
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      resources:
        limits:
          cpu: 2
          memory: 4Gi
        requests:
          cpu: 1
          memory: 2Gi
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: RELEASE-NAME-teleport-data
    initContainers:
    - args:
      - echo test
      image: alpine
      name: teleport-init
      resources:
        limits:
          cpu: 2
          memory: 4Gi
        requests:
          cpu: 1
          memory: 2Gi
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: RELEASE-NAME-teleport-data
    securityContext:
      fsGroup: 9807
    serviceAccountName: RELEASE-NAME
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
# Pins both security contexts: the container-level one (non-root UID 9807,
# read-only root filesystem, capabilities dropped) and the pod-level
# `fsGroup: 9807`.
# NOTE(review): `drop` lists lowercase `all`, while the Pod Security Standards
# "restricted" profile is written in terms of `ALL`; confirm the admission
# policy in use accepts this spelling. No seccompProfile is set.
should set SecurityContext:
  1: |
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      - name: TELEPORT_REPLICA_NAME
        valueFrom:
          fieldRef:
            fieldPath: metadata.name
      - name: KUBE_NAMESPACE
        valueFrom:
          fieldRef:
            fieldPath: metadata.namespace
      - name: RELEASE_NAME
        value: RELEASE-NAME
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: RELEASE-NAME-teleport-data
    securityContext:
      fsGroup: 9807
    serviceAccountName: RELEASE-NAME
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
# User-supplied affinity is rendered verbatim: a required node affinity on
# gravitational.io/dedicated=teleport plus a weight-1 pod anti-affinity
# (fixture values), in place of the chart's weight-50 default.
should set affinity when set in values:
  1: |
    affinity:
      nodeAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
          nodeSelectorTerms:
          - matchExpressions:
            - key: gravitational.io/dedicated
              operator: In
              values:
              - teleport
      podAntiAffinity:
        preferredDuringSchedulingIgnoredDuringExecution:
        - podAffinityTerm:
            labelSelector:
              matchExpressions:
              - key: app
                operator: In
                values:
                - teleport
            topologyKey: kubernetes.io/hostname
          weight: 1
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      - name: TELEPORT_REPLICA_NAME
        valueFrom:
          fieldRef:
            fieldPath: metadata.name
      - name: KUBE_NAMESPACE
        valueFrom:
          fieldRef:
            fieldPath: metadata.namespace
      - name: RELEASE_NAME
        value: RELEASE-NAME
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: RELEASE-NAME-teleport-data
    securityContext:
      fsGroup: 9807
    serviceAccountName: RELEASE-NAME
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
# With no override, serviceAccountName renders as the release name. The
# permissions bound to that account are defined elsewhere, not in this file.
should set default serviceAccountName when not set in values:
  1: |
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      - name: TELEPORT_REPLICA_NAME
        valueFrom:
          fieldRef:
            fieldPath: metadata.name
      - name: KUBE_NAMESPACE
        valueFrom:
          fieldRef:
            fieldPath: metadata.namespace
      - name: RELEASE_NAME
        value: RELEASE-NAME
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: RELEASE-NAME-teleport-data
    securityContext:
      fsGroup: 9807
    serviceAccountName: RELEASE-NAME
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
# Only the dnsConfig fragment is captured; nameserver, options and search
# suffixes are fixture values.
should set dnsConfig when set in values:
  1: |
    nameservers:
    - 1.2.3.4
    options:
    - name: ndots
      value: "2"
    - name: edns0
    searches:
    - ns1.svc.cluster-domain.example
    - my.dns.search.suffix
# extraEnv is appended after the chart's own variables. The HTTPS_PROXY
# fixture embeds `username:password` in a plain `value:`; rendered this way,
# real proxy credentials would be readable by anyone who can read the
# StatefulSet or pod spec.
# NOTE(review): check whether extraEnv accepts a Secret-backed `valueFrom`
# entry for real credentials.
should set environment when extraEnv set in values:
  1: |
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      - name: TELEPORT_REPLICA_NAME
        valueFrom:
          fieldRef:
            fieldPath: metadata.name
      - name: KUBE_NAMESPACE
        valueFrom:
          fieldRef:
            fieldPath: metadata.namespace
      - name: RELEASE_NAME
        value: RELEASE-NAME
      - name: HTTPS_PROXY
        value: http://username:password@my.proxy.host:3128
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: RELEASE-NAME-teleport-data
    securityContext:
      fsGroup: 9807
    serviceAccountName: RELEASE-NAME
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
# Image override: tag 12.2.1 instead of the 13.3.8 seen in the other
# snapshots. The reference is a mutable tag with no digest.
should set image and tag correctly:
  1: |
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      - name: TELEPORT_REPLICA_NAME
        valueFrom:
          fieldRef:
            fieldPath: metadata.name
      - name: KUBE_NAMESPACE
        valueFrom:
          fieldRef:
            fieldPath: metadata.namespace
      - name: RELEASE_NAME
        value: RELEASE-NAME
      image: public.ecr.aws/gravitational/teleport-distroless:12.2.1
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: RELEASE-NAME-teleport-data
    securityContext:
      fsGroup: 9807
    serviceAccountName: RELEASE-NAME
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
# imagePullPolicy override: `Always` instead of the default `IfNotPresent`.
should set imagePullPolicy when set in values:
  1: |
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      - name: TELEPORT_REPLICA_NAME
        valueFrom:
          fieldRef:
            fieldPath: metadata.name
      - name: KUBE_NAMESPACE
        valueFrom:
          fieldRef:
            fieldPath: metadata.namespace
      - name: RELEASE_NAME
        value: RELEASE-NAME
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: Always
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: RELEASE-NAME-teleport-data
    securityContext:
      fsGroup: 9807
    serviceAccountName: RELEASE-NAME
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
# nodeSelector from values is rendered at pod level
# (gravitational.io/k8s-role=node is a fixture).
should set nodeSelector if set in values:
  1: |
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      - name: TELEPORT_REPLICA_NAME
        valueFrom:
          fieldRef:
            fieldPath: metadata.name
      - name: KUBE_NAMESPACE
        valueFrom:
          fieldRef:
            fieldPath: metadata.namespace
      - name: RELEASE_NAME
        value: RELEASE-NAME
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath: /etc/teleport-secrets
        name: auth-token
        readOnly: true
      - mountPath: /var/lib/teleport
        name: RELEASE-NAME-teleport-data
    nodeSelector:
      gravitational.io/k8s-role: node
    securityContext:
      fsGroup: 9807
    serviceAccountName: RELEASE-NAME
    volumes:
    - configMap:
        name: RELEASE-NAME
      name: config
    - name: auth-token
      secret:
        secretName: teleport-kube-agent-join-token
should set preferred affinity when more than one replica is used:
  1: |
    affinity:
      podAntiAffinity:
        preferredDuringSchedulingIgnoredDuringExecution:
        - podAffinityTerm:
            labelSelector:
              matchExpressions:
              - key: app
                operator: In
                values:
                - RELEASE-NAME
            topologyKey: kubernetes.io/hostname
          weight: 50
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
      env:
      - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
        value: "true"
      - name: TELEPORT_REPLICA_NAME
        valueFrom:
          fieldRef:
            fieldPath: metadata.name
      - name: KUBE_NAMESPACE
        valueFrom:
          fieldRef:
            fieldPath: metadata.namespace
      - name: RELEASE_NAME
        value: RELEASE-NAME
      image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
      imagePullPolicy: IfNotPresent
      livenessProbe:
        failureThreshold: 6
        httpGet:
          path: /healthz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      name: teleport
      ports:
      - containerPort: 3000
        name: diag
        protocol: TCP
      readinessProbe:
        failureThreshold: 12
        httpGet:
          path: /readyz
          port: diag
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 1
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 9807
      volumeMounts:
      - mountPath: /etc/teleport
        name: config
        readOnly: true
      - mountPath:
/etc/teleport-secrets name: auth-token readOnly: true - mountPath: /var/lib/teleport name: RELEASE-NAME-teleport-data securityContext: fsGroup: 9807 serviceAccountName: RELEASE-NAME volumes: - configMap: name: RELEASE-NAME name: config - name: auth-token secret: secretName: teleport-kube-agent-join-token should set probeTimeoutSeconds when set in values: 1: | containers: - args: - --diag-addr=0.0.0.0:3000 env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - name: TELEPORT_REPLICA_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: KUBE_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 httpGet: path: /healthz port: diag initialDelaySeconds: 5 periodSeconds: 5 timeoutSeconds: 5 name: teleport ports: - containerPort: 3000 name: diag protocol: TCP readinessProbe: failureThreshold: 12 httpGet: path: /readyz port: diag initialDelaySeconds: 5 periodSeconds: 5 timeoutSeconds: 5 securityContext: allowPrivilegeEscalation: false capabilities: drop: - all readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 volumeMounts: - mountPath: /etc/teleport name: config readOnly: true - mountPath: /etc/teleport-secrets name: auth-token readOnly: true - mountPath: /var/lib/teleport name: RELEASE-NAME-teleport-data securityContext: fsGroup: 9807 serviceAccountName: RELEASE-NAME volumes: - configMap: name: RELEASE-NAME name: config - name: auth-token secret: secretName: teleport-kube-agent-join-token should set required affinity when highAvailability.requireAntiAffinity is set: 1: | affinity: podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchExpressions: - key: app operator: In values: - RELEASE-NAME topologyKey: kubernetes.io/hostname containers: - args: - --diag-addr=0.0.0.0:3000 env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: 
"true" - name: TELEPORT_REPLICA_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: KUBE_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 httpGet: path: /healthz port: diag initialDelaySeconds: 5 periodSeconds: 5 timeoutSeconds: 1 name: teleport ports: - containerPort: 3000 name: diag protocol: TCP readinessProbe: failureThreshold: 12 httpGet: path: /readyz port: diag initialDelaySeconds: 5 periodSeconds: 5 timeoutSeconds: 1 securityContext: allowPrivilegeEscalation: false capabilities: drop: - all readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 volumeMounts: - mountPath: /etc/teleport name: config readOnly: true - mountPath: /etc/teleport-secrets name: auth-token readOnly: true - mountPath: /var/lib/teleport name: RELEASE-NAME-teleport-data securityContext: fsGroup: 9807 serviceAccountName: RELEASE-NAME volumes: - configMap: name: RELEASE-NAME name: config - name: auth-token secret: secretName: teleport-kube-agent-join-token should set resources when set in values: 1: | containers: - args: - --diag-addr=0.0.0.0:3000 env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - name: TELEPORT_REPLICA_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: KUBE_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 httpGet: path: /healthz port: diag initialDelaySeconds: 5 periodSeconds: 5 timeoutSeconds: 1 name: teleport ports: - containerPort: 3000 name: diag protocol: TCP readinessProbe: failureThreshold: 12 httpGet: path: /readyz port: diag initialDelaySeconds: 5 periodSeconds: 5 timeoutSeconds: 1 resources: limits: cpu: 2 memory: 4Gi requests: cpu: 1 memory: 2Gi securityContext: 
allowPrivilegeEscalation: false capabilities: drop: - all readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 volumeMounts: - mountPath: /etc/teleport name: config readOnly: true - mountPath: /etc/teleport-secrets name: auth-token readOnly: true - mountPath: /var/lib/teleport name: RELEASE-NAME-teleport-data securityContext: fsGroup: 9807 serviceAccountName: RELEASE-NAME volumes: - configMap: name: RELEASE-NAME name: config - name: auth-token secret: secretName: teleport-kube-agent-join-token should set serviceAccountName when set in values: 1: | containers: - args: - --diag-addr=0.0.0.0:3000 env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - name: TELEPORT_REPLICA_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: KUBE_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 httpGet: path: /healthz port: diag initialDelaySeconds: 5 periodSeconds: 5 timeoutSeconds: 1 name: teleport ports: - containerPort: 3000 name: diag protocol: TCP readinessProbe: failureThreshold: 12 httpGet: path: /readyz port: diag initialDelaySeconds: 5 periodSeconds: 5 timeoutSeconds: 1 securityContext: allowPrivilegeEscalation: false capabilities: drop: - all readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 volumeMounts: - mountPath: /etc/teleport name: config readOnly: true - mountPath: /etc/teleport-secrets name: auth-token readOnly: true - mountPath: /var/lib/teleport name: RELEASE-NAME-teleport-data securityContext: fsGroup: 9807 serviceAccountName: teleport-kube-agent-sa volumes: - configMap: name: RELEASE-NAME name: config - name: auth-token secret: secretName: teleport-kube-agent-join-token should set storage.requests when set in values and action is an Upgrade: 1: | containers: - args: - --diag-addr=0.0.0.0:3000 env: - name: 
TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - name: TELEPORT_REPLICA_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: KUBE_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 httpGet: path: /healthz port: diag initialDelaySeconds: 5 periodSeconds: 5 timeoutSeconds: 1 name: teleport ports: - containerPort: 3000 name: diag protocol: TCP readinessProbe: failureThreshold: 12 httpGet: path: /readyz port: diag initialDelaySeconds: 5 periodSeconds: 5 timeoutSeconds: 1 securityContext: allowPrivilegeEscalation: false capabilities: drop: - all readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 volumeMounts: - mountPath: /etc/teleport name: config readOnly: true - mountPath: /etc/teleport-secrets name: auth-token readOnly: true - mountPath: /var/lib/teleport name: RELEASE-NAME-teleport-data securityContext: fsGroup: 9807 serviceAccountName: RELEASE-NAME volumes: - configMap: name: RELEASE-NAME name: config - name: auth-token secret: secretName: teleport-kube-agent-join-token should set storage.storageClassName when set in values and action is an Upgrade: 1: | containers: - args: - --diag-addr=0.0.0.0:3000 env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - name: TELEPORT_REPLICA_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: KUBE_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 httpGet: path: /healthz port: diag initialDelaySeconds: 5 periodSeconds: 5 timeoutSeconds: 1 name: teleport ports: - containerPort: 3000 name: diag protocol: TCP readinessProbe: failureThreshold: 12 httpGet: path: /readyz port: diag initialDelaySeconds: 5 periodSeconds: 5 timeoutSeconds: 
1 securityContext: allowPrivilegeEscalation: false capabilities: drop: - all readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 volumeMounts: - mountPath: /etc/teleport name: config readOnly: true - mountPath: /etc/teleport-secrets name: auth-token readOnly: true - mountPath: /var/lib/teleport name: RELEASE-NAME-teleport-data securityContext: fsGroup: 9807 serviceAccountName: RELEASE-NAME volumes: - configMap: name: RELEASE-NAME name: config - name: auth-token secret: secretName: teleport-kube-agent-join-token should set tolerations when set in values: 1: | containers: - args: - --diag-addr=0.0.0.0:3000 env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - name: TELEPORT_REPLICA_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: KUBE_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME image: public.ecr.aws/gravitational/teleport-distroless:13.3.8 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 httpGet: path: /healthz port: diag initialDelaySeconds: 5 periodSeconds: 5 timeoutSeconds: 1 name: teleport ports: - containerPort: 3000 name: diag protocol: TCP readinessProbe: failureThreshold: 12 httpGet: path: /readyz port: diag initialDelaySeconds: 5 periodSeconds: 5 timeoutSeconds: 1 securityContext: allowPrivilegeEscalation: false capabilities: drop: - all readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 volumeMounts: - mountPath: /etc/teleport name: config readOnly: true - mountPath: /etc/teleport-secrets name: auth-token readOnly: true - mountPath: /var/lib/teleport name: RELEASE-NAME-teleport-data securityContext: fsGroup: 9807 serviceAccountName: RELEASE-NAME tolerations: - effect: NoExecute key: dedicated operator: Equal value: teleport - effect: NoSchedule key: dedicated operator: Equal value: teleport volumes: - configMap: name: RELEASE-NAME name: config - name: auth-token secret: secretName: teleport-kube-agent-join-token