{{- define "teleport-cluster.auth.config.aws" -}}
{{- /*
  Auth service configuration for AWS mode.
  Renders the shared config from "teleport-cluster.auth.config.common", then
  merges the AWS-specific stanza from "teleport-cluster.auth.config.aws.overrides"
  on top of it (override keys win; mustMergeOverwrite aborts the render instead
  of silently returning a partial merge). The merged map is emitted as YAML.
*/ -}}
{{- $common := include "teleport-cluster.auth.config.common" . | fromYaml -}}
{{- $overrides := include "teleport-cluster.auth.config.aws.overrides" . | fromYaml -}}
{{ mustMergeOverwrite $common $overrides | toYaml }}
{{- end -}}
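{{- define "teleport-cluster.auth.config.aws.overrides" -}}
{{- /*
  AWS-specific keys merged over the common auth config:
    - cluster state in DynamoDB (aws.region / aws.backendTable),
    - audit events routed to the sinks chosen by
      "teleport-cluster.auth.config.aws.audit",
    - session recordings in the S3 bucket aws.sessionRecordingBucket,
    - optional provisioned-capacity autoscaling and access monitoring.
  Each mandatory value goes through `required` so a missing setting fails the
  render with a named message instead of producing a config with a null field.
  Region and table name are passed through `quote` so values that look like
  numbers or booleans stay strings across the fromYaml round-trip in the caller.
*/ -}}
teleport:
  storage:
    type: dynamodb
    region: {{ required "aws.region is required in chart values" .Values.aws.region | quote }}
    table_name: {{ required "aws.backendTable is required in chart values" .Values.aws.backendTable | quote }}
    audit_events_uri: {{- include "teleport-cluster.auth.config.aws.audit" . | nindent 4 }}
    audit_sessions_uri: s3://{{ required "aws.sessionRecordingBucket is required in chart values" .Values.aws.sessionRecordingBucket }}
    continuous_backups: {{ required "aws.backups is required in chart values" .Values.aws.backups }}
{{- if .Values.aws.dynamoAutoScaling }}
    {{- /* Autoscaling implies provisioned billing; all six capacity bounds become mandatory. */ }}
    auto_scaling: true
    billing_mode: provisioned
    read_min_capacity: {{ required "aws.readMinCapacity is required when aws.dynamoAutoScaling is true" .Values.aws.readMinCapacity }}
    read_max_capacity: {{ required "aws.readMaxCapacity is required when aws.dynamoAutoScaling is true" .Values.aws.readMaxCapacity }}
    read_target_value: {{ required "aws.readTargetValue is required when aws.dynamoAutoScaling is true" .Values.aws.readTargetValue }}
    write_min_capacity: {{ required "aws.writeMinCapacity is required when aws.dynamoAutoScaling is true" .Values.aws.writeMinCapacity }}
    write_max_capacity: {{ required "aws.writeMaxCapacity is required when aws.dynamoAutoScaling is true" .Values.aws.writeMaxCapacity }}
    write_target_value: {{ required "aws.writeTargetValue is required when aws.dynamoAutoScaling is true" .Values.aws.writeTargetValue }}
{{- else }}
    auto_scaling: false
{{- end }}
{{- if .Values.aws.accessMonitoring.enabled }}
  {{- /* Access monitoring queries the Athena audit backend, so aws.athenaURL must be set. */ }}
  {{- if not .Values.aws.athenaURL }}
    {{- fail "AccessMonitoring requires an Athena Event backend" }}
  {{- end }}
auth_service:
  access_monitoring:
    enabled: true
    report_results: {{ .Values.aws.accessMonitoring.reportResults | quote }}
    role_arn: {{ .Values.aws.accessMonitoring.roleARN | quote }}
    workgroup: {{ .Values.aws.accessMonitoring.workgroup | quote }}
{{- end }}
{{- end -}}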
{{- define "teleport-cluster.auth.config.aws.audit" -}}
{{- /*
  Emits the YAML list items for teleport.storage.audit_events_uri.
  At least one of aws.auditLogTable (DynamoDB) and aws.athenaURL (Athena) is
  required. When both are set, aws.auditLogPrimaryBackend ("dynamo" or
  "athena") decides which sink is listed first; any other value fails the
  render. aws.auditLogMirrorOnStdout appends a stdout:// sink after the
  primary backends. The caller is expected to indent the output itself.
*/ -}}
{{- $dynamoTable := .Values.aws.auditLogTable -}}
{{- $athenaURL := .Values.aws.athenaURL -}}
{{- if and (not $dynamoTable) (not $athenaURL) -}}
  {{- fail "You need an audit backend. In AWS mode, you must set at least one of `aws.auditLogTable` (Dynamo) and `aws.athenaURL` (Athena)." -}}
{{- else if not $athenaURL -}}
- 'dynamodb://{{ $dynamoTable }}'
{{- else if not $dynamoTable -}}
- {{ $athenaURL | quote }}
{{- else if eq .Values.aws.auditLogPrimaryBackend "dynamo" -}}
- 'dynamodb://{{ $dynamoTable }}'
- {{ $athenaURL | quote }}
{{- else if eq .Values.aws.auditLogPrimaryBackend "athena" -}}
- {{ $athenaURL | quote }}
- 'dynamodb://{{ $dynamoTable }}'
{{- else -}}
  {{- fail "Both Dynamo and Athena audit backends are enabled. You must specify the primary backend by setting `aws.auditLogPrimaryBackend` to either 'dynamo' or 'athena'." -}}
{{- end -}}
{{- if .Values.aws.auditLogMirrorOnStdout }}
{{- /* Mirror sink only; it never satisfies the "at least one backend" requirement above. */ }}
- 'stdout://'
{{- end -}}
{{- end -}}