charts/teleport-kube-agent-13.3.8/tests/__snapshot__/statefulset_test.yaml.snap

# Snapshot for the Pod-annotations case. The captured section is the rendered
# pod spec only: one `teleport` container plus the config and join-token
# volumes. No annotation keys appear in this entry.
sets Pod annotations when specified:
1: |
containers:
- args:
- --diag-addr=0.0.0.0:3000
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- name: TELEPORT_REPLICA_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KUBE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
httpGet:
path: /healthz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
name: teleport
ports:
- containerPort: 3000
name: diag
protocol: TCP
readinessProbe:
failureThreshold: 12
httpGet:
path: /readyz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 9807
volumeMounts:
- mountPath: /etc/teleport
name: config
readOnly: true
- mountPath: /etc/teleport-secrets
name: auth-token
readOnly: true
- mountPath: /var/lib/teleport
name: RELEASE-NAME-teleport-data
securityContext:
fsGroup: 9807
serviceAccountName: RELEASE-NAME
volumes:
- configMap:
name: RELEASE-NAME
name: config
- name: auth-token
secret:
secretName: teleport-kube-agent-join-token
# Snapshot for the Pod-labels case. Only the pod spec is captured; no label
# keys appear in this entry. The join token is supplied through the Secret
# `teleport-kube-agent-join-token`, mounted read-only at /etc/teleport-secrets.
sets Pod labels when specified:
1: |
containers:
- args:
- --diag-addr=0.0.0.0:3000
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- name: TELEPORT_REPLICA_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KUBE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
httpGet:
path: /healthz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
name: teleport
ports:
- containerPort: 3000
name: diag
protocol: TCP
readinessProbe:
failureThreshold: 12
httpGet:
path: /readyz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 9807
volumeMounts:
- mountPath: /etc/teleport
name: config
readOnly: true
- mountPath: /etc/teleport-secrets
name: auth-token
readOnly: true
- mountPath: /var/lib/teleport
name: RELEASE-NAME-teleport-data
securityContext:
fsGroup: 9807
serviceAccountName: RELEASE-NAME
volumes:
- configMap:
name: RELEASE-NAME
name: config
- name: auth-token
secret:
secretName: teleport-kube-agent-join-token
# Full StatefulSet manifest captured for the labels case. The extra labels
# land on both the StatefulSet (`resource: deployment`) and the pod template
# (`resource: pod`), while the selector still matches on `app` alone.
# `checksum/config` is presumably a digest of the rendered config used to roll
# pods when it changes; confirm against the chart template.
# The data volume comes from a volumeClaimTemplate: 128Mi, ReadWriteOnce,
# storage class `aws-gp2`.
sets StatefulSet labels when specified:
1: |
apiVersion: apps/v1
kind: StatefulSet
metadata:
labels:
app: RELEASE-NAME
app.kubernetes.io/name: teleport-kube-agent
resource: deployment
name: RELEASE-NAME
namespace: NAMESPACE
spec:
replicas: 1
selector:
matchLabels:
app: RELEASE-NAME
serviceName: RELEASE-NAME
template:
metadata:
annotations:
checksum/config: db49feab9b174f73188febc30d2b01d27b16e5a76b586c6e87e6e62eb43620a2
labels:
app: RELEASE-NAME
app.kubernetes.io/name: teleport-kube-agent
resource: pod
spec:
containers:
- args:
- --diag-addr=0.0.0.0:3000
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- name: TELEPORT_REPLICA_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KUBE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
httpGet:
path: /healthz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
name: teleport
ports:
- containerPort: 3000
name: diag
protocol: TCP
readinessProbe:
failureThreshold: 12
httpGet:
path: /readyz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 9807
volumeMounts:
- mountPath: /etc/teleport
name: config
readOnly: true
- mountPath: /etc/teleport-secrets
name: auth-token
readOnly: true
- mountPath: /var/lib/teleport
name: RELEASE-NAME-teleport-data
securityContext:
fsGroup: 9807
serviceAccountName: RELEASE-NAME
volumes:
- configMap:
name: RELEASE-NAME
name: config
- name: auth-token
secret:
secretName: teleport-kube-agent-join-token
volumeClaimTemplates:
- metadata:
name: RELEASE-NAME-teleport-data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 128Mi
storageClassName: aws-gp2
# Default container securityContext, captured twice (entries 1 and 2 are
# identical): no privilege escalation, capabilities dropped, read-only root
# filesystem, non-root UID 9807.
# NOTE(review): the drop entry is spelled lowercase `all`. The Kubernetes Pod
# Security "restricted" profile checks for `ALL`; confirm that the admission
# policy in use accepts this spelling. No seccompProfile is set in the
# captured context either, which that profile also expects.
sets by default a container security context:
1: |
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 9807
2: |
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 9807
# Pins that setting `insecureSkipProxyTLSVerify` in values adds `--insecure`
# to the container args. With that flag the agent does not verify the proxy's
# TLS certificate, so it cannot tell a genuine proxy from an interposed one.
# Treat it as a lab-only setting. For a proxy behind a private CA, this
# chart's `tls.existingCASecretName` option (covered by other entries in this
# snapshot) keeps verification on.
should add insecureSkipProxyTLSVerify to args when set in values:
1: |
containers:
- args:
- --diag-addr=0.0.0.0:3000
- --insecure
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- name: TELEPORT_REPLICA_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KUBE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
httpGet:
path: /healthz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
name: teleport
ports:
- containerPort: 3000
name: diag
protocol: TCP
readinessProbe:
failureThreshold: 12
httpGet:
path: /readyz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 9807
volumeMounts:
- mountPath: /etc/teleport
name: config
readOnly: true
- mountPath: /etc/teleport-secrets
name: auth-token
readOnly: true
- mountPath: /var/lib/teleport
name: RELEASE-NAME-teleport-data
securityContext:
fsGroup: 9807
serviceAccountName: RELEASE-NAME
volumes:
- configMap:
name: RELEASE-NAME
name: config
- name: auth-token
secret:
secretName: teleport-kube-agent-join-token
# Upgrade path: only the pod spec is captured here. The data mount refers to
# `RELEASE-NAME-teleport-data`; the volumeClaimTemplates stanza itself is not
# part of this entry.
should add volumeClaimTemplate for data volume when using StatefulSet and action is an Upgrade:
1: |
containers:
- args:
- --diag-addr=0.0.0.0:3000
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- name: TELEPORT_REPLICA_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KUBE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
httpGet:
path: /healthz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
name: teleport
ports:
- containerPort: 3000
name: diag
protocol: TCP
readinessProbe:
failureThreshold: 12
httpGet:
path: /readyz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 9807
volumeMounts:
- mountPath: /etc/teleport
name: config
readOnly: true
- mountPath: /etc/teleport-secrets
name: auth-token
readOnly: true
- mountPath: /var/lib/teleport
name: RELEASE-NAME-teleport-data
securityContext:
fsGroup: 9807
serviceAccountName: RELEASE-NAME
volumes:
- configMap:
name: RELEASE-NAME
name: config
- name: auth-token
secret:
secretName: teleport-kube-agent-join-token
# Fresh-install path: the whole StatefulSet is captured, including the
# volumeClaimTemplate that backs /var/lib/teleport (128Mi, ReadWriteOnce,
# storage class `aws-gp2`). Unlike the labelled variant elsewhere in this
# snapshot, metadata carries only the `app` label.
should add volumeClaimTemplate for data volume when using StatefulSet and is Fresh Install:
1: |
apiVersion: apps/v1
kind: StatefulSet
metadata:
labels:
app: RELEASE-NAME
name: RELEASE-NAME
namespace: NAMESPACE
spec:
replicas: 1
selector:
matchLabels:
app: RELEASE-NAME
serviceName: RELEASE-NAME
template:
metadata:
annotations:
checksum/config: 6e010c147e8d81d244e7aafdcee7e652cdb4d5640fb7f14d0e1ebb7832f943a5
labels:
app: RELEASE-NAME
spec:
containers:
- args:
- --diag-addr=0.0.0.0:3000
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- name: TELEPORT_REPLICA_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KUBE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
httpGet:
path: /healthz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
name: teleport
ports:
- containerPort: 3000
name: diag
protocol: TCP
readinessProbe:
failureThreshold: 12
httpGet:
path: /readyz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 9807
volumeMounts:
- mountPath: /etc/teleport
name: config
readOnly: true
- mountPath: /etc/teleport-secrets
name: auth-token
readOnly: true
- mountPath: /var/lib/teleport
name: RELEASE-NAME-teleport-data
securityContext:
fsGroup: 9807
serviceAccountName: RELEASE-NAME
volumes:
- configMap:
name: RELEASE-NAME
name: config
- name: auth-token
secret:
secretName: teleport-kube-agent-join-token
volumeClaimTemplates:
- metadata:
name: RELEASE-NAME-teleport-data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 128Mi
storageClassName: aws-gp2
# Pins the data volumeMount: /var/lib/teleport is mounted from
# `RELEASE-NAME-teleport-data` without `readOnly`, so it is the one writable
# mount next to a read-only root filesystem. The config and join-token mounts
# are both read-only.
should add volumeMount for data volume when using StatefulSet:
1: |
containers:
- args:
- --diag-addr=0.0.0.0:3000
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- name: TELEPORT_REPLICA_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KUBE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
httpGet:
path: /healthz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
name: teleport
ports:
- containerPort: 3000
name: diag
protocol: TCP
readinessProbe:
failureThreshold: 12
httpGet:
path: /readyz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 9807
volumeMounts:
- mountPath: /etc/teleport
name: config
readOnly: true
- mountPath: /etc/teleport-secrets
name: auth-token
readOnly: true
- mountPath: /var/lib/teleport
name: RELEASE-NAME-teleport-data
securityContext:
fsGroup: 9807
serviceAccountName: RELEASE-NAME
volumes:
- configMap:
name: RELEASE-NAME
name: config
- name: auth-token
secret:
secretName: teleport-kube-agent-join-token
# Pins the diagnostic listener: `--diag-addr=0.0.0.0:3000` binds on all pod
# interfaces and is published as container port `diag` (3000/TCP), which the
# liveness (/healthz) and readiness (/readyz) probes target.
# NOTE(review): binding to 0.0.0.0 makes the port reachable from other pods
# unless a NetworkPolicy restricts it. The listener may serve more than the
# two probe paths shown here; confirm what it exposes before allowing access.
should expose diag port:
1: |
containers:
- args:
- --diag-addr=0.0.0.0:3000
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- name: TELEPORT_REPLICA_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KUBE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
httpGet:
path: /healthz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
name: teleport
ports:
- containerPort: 3000
name: diag
protocol: TCP
readinessProbe:
failureThreshold: 12
httpGet:
path: /readyz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 9807
volumeMounts:
- mountPath: /etc/teleport
name: config
readOnly: true
- mountPath: /etc/teleport-secrets
name: auth-token
readOnly: true
- mountPath: /var/lib/teleport
name: RELEASE-NAME-teleport-data
securityContext:
fsGroup: 9807
serviceAccountName: RELEASE-NAME
volumes:
- configMap:
name: RELEASE-NAME
name: config
- name: auth-token
secret:
secretName: teleport-kube-agent-join-token
# Storage disabled, upgrade path: /var/lib/teleport is mounted from a volume
# named `data`, defined as `emptyDir: {}` instead of a claim-backed volume.
# An emptyDir lives only as long as the pod, so whatever the agent keeps under
# /var/lib/teleport is discarded when the pod is replaced.
should generate Statefulset when storage is disabled and mode is a Upgrade:
1: |
containers:
- args:
- --diag-addr=0.0.0.0:3000
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- name: TELEPORT_REPLICA_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KUBE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
httpGet:
path: /healthz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
name: teleport
ports:
- containerPort: 3000
name: diag
protocol: TCP
readinessProbe:
failureThreshold: 12
httpGet:
path: /readyz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 9807
volumeMounts:
- mountPath: /etc/teleport
name: config
readOnly: true
- mountPath: /etc/teleport-secrets
name: auth-token
readOnly: true
- mountPath: /var/lib/teleport
name: data
securityContext:
fsGroup: 9807
serviceAccountName: RELEASE-NAME
volumes:
- configMap:
name: RELEASE-NAME
name: config
- name: auth-token
secret:
secretName: teleport-kube-agent-join-token
- emptyDir: {}
name: data
# Multi-replica case driven by the deprecated `.replicaCount` value. The pod
# spec gains a podAntiAffinity rule: a *preferred* (weight 50) spread across
# `kubernetes.io/hostname` for pods labelled `app=RELEASE-NAME`. Because the
# rule is a preference, replicas can still be placed on the same node.
# The replica count itself is not part of the captured section.
should have multiple replicas when replicaCount is set (using .replicaCount, deprecated):
1: |
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: app
operator: In
values:
- RELEASE-NAME
topologyKey: kubernetes.io/hostname
weight: 50
containers:
- args:
- --diag-addr=0.0.0.0:3000
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- name: TELEPORT_REPLICA_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KUBE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
httpGet:
path: /healthz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
name: teleport
ports:
- containerPort: 3000
name: diag
protocol: TCP
readinessProbe:
failureThreshold: 12
httpGet:
path: /readyz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 9807
volumeMounts:
- mountPath: /etc/teleport
name: config
readOnly: true
- mountPath: /etc/teleport-secrets
name: auth-token
readOnly: true
- mountPath: /var/lib/teleport
name: RELEASE-NAME-teleport-data
securityContext:
fsGroup: 9807
serviceAccountName: RELEASE-NAME
volumes:
- configMap:
name: RELEASE-NAME
name: config
- name: auth-token
secret:
secretName: teleport-kube-agent-join-token
# Multi-replica case driven by `highAvailability.replicaCount`. The rendered
# pod spec matches the deprecated `.replicaCount` entry in this snapshot,
# including the preferred (weight 50) hostname anti-affinity.
should have multiple replicas when replicaCount is set (using highAvailability.replicaCount):
1: |
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: app
operator: In
values:
- RELEASE-NAME
topologyKey: kubernetes.io/hostname
weight: 50
containers:
- args:
- --diag-addr=0.0.0.0:3000
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- name: TELEPORT_REPLICA_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KUBE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
httpGet:
path: /healthz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
name: teleport
ports:
- containerPort: 3000
name: diag
protocol: TCP
readinessProbe:
failureThreshold: 12
httpGet:
path: /readyz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 9807
volumeMounts:
- mountPath: /etc/teleport
name: config
readOnly: true
- mountPath: /etc/teleport-secrets
name: auth-token
readOnly: true
- mountPath: /var/lib/teleport
name: RELEASE-NAME-teleport-data
securityContext:
fsGroup: 9807
serviceAccountName: RELEASE-NAME
volumes:
- configMap:
name: RELEASE-NAME
name: config
- name: auth-token
secret:
secretName: teleport-kube-agent-join-token
# Single-replica default: the captured pod spec has no `affinity` stanza, in
# contrast to the multi-replica entries in this snapshot. The replica count
# itself is not part of the captured section.
should have one replica when replicaCount is not set:
1: |
containers:
- args:
- --diag-addr=0.0.0.0:3000
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- name: TELEPORT_REPLICA_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KUBE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
httpGet:
path: /healthz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
name: teleport
ports:
- containerPort: 3000
name: diag
protocol: TCP
readinessProbe:
failureThreshold: 12
httpGet:
path: /readyz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 9807
volumeMounts:
- mountPath: /etc/teleport
name: config
readOnly: true
- mountPath: /etc/teleport-secrets
name: auth-token
readOnly: true
- mountPath: /var/lib/teleport
name: RELEASE-NAME-teleport-data
securityContext:
fsGroup: 9807
serviceAccountName: RELEASE-NAME
volumes:
- configMap:
name: RELEASE-NAME
name: config
- name: auth-token
secret:
secretName: teleport-kube-agent-join-token
# Storage disabled, fresh-install path: same shape as the upgrade variant in
# this snapshot. /var/lib/teleport is backed by an `emptyDir` volume named
# `data`, so its contents do not outlive the pod.
should install Statefulset when storage is disabled and mode is a Fresh Install:
1: |
containers:
- args:
- --diag-addr=0.0.0.0:3000
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- name: TELEPORT_REPLICA_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KUBE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
httpGet:
path: /healthz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
name: teleport
ports:
- containerPort: 3000
name: diag
protocol: TCP
readinessProbe:
failureThreshold: 12
httpGet:
path: /readyz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 9807
volumeMounts:
- mountPath: /etc/teleport
name: config
readOnly: true
- mountPath: /etc/teleport-secrets
name: auth-token
readOnly: true
- mountPath: /var/lib/teleport
name: data
securityContext:
fsGroup: 9807
serviceAccountName: RELEASE-NAME
volumes:
- configMap:
name: RELEASE-NAME
name: config
- name: auth-token
secret:
secretName: teleport-kube-agent-join-token
- emptyDir: {}
name: data
# Pins that user-supplied extraVolumes/extraVolumeMounts are appended after
# the chart-managed ones: volume `my-mount` (Secret `mySecret`) is mounted at
# /path/to/mount.
# NOTE(review): unlike the chart's own config and join-token mounts, the extra
# mount carries no `readOnly: true`. It appears to be rendered as supplied, so
# operators mounting secrets this way should set it themselves.
should mount extraVolumes and extraVolumeMounts:
1: |
containers:
- args:
- --diag-addr=0.0.0.0:3000
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- name: TELEPORT_REPLICA_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KUBE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
httpGet:
path: /healthz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
name: teleport
ports:
- containerPort: 3000
name: diag
protocol: TCP
readinessProbe:
failureThreshold: 12
httpGet:
path: /readyz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 9807
volumeMounts:
- mountPath: /etc/teleport
name: config
readOnly: true
- mountPath: /etc/teleport-secrets
name: auth-token
readOnly: true
- mountPath: /var/lib/teleport
name: RELEASE-NAME-teleport-data
- mountPath: /path/to/mount
name: my-mount
securityContext:
fsGroup: 9807
serviceAccountName: RELEASE-NAME
volumes:
- configMap:
name: RELEASE-NAME
name: config
- name: auth-token
secret:
secretName: teleport-kube-agent-join-token
- name: my-mount
secret:
secretName: mySecret
# Private-CA case: Secret `helm-lint-existing-tls-secret-ca` is mounted
# read-only at /etc/teleport-tls-ca and SSL_CERT_FILE points at `ca.pem`
# inside it, so the agent verifies TLS against that bundle.
# NOTE(review): for Go programs SSL_CERT_FILE overrides the default system
# root file rather than adding to it; confirm the bundle holds every CA the
# agent must trust. The data volume in this entry is an emptyDir.
should mount tls.existingCASecretName and set environment when set in values:
1: |
containers:
- args:
- --diag-addr=0.0.0.0:3000
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- name: TELEPORT_REPLICA_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KUBE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
- name: SSL_CERT_FILE
value: /etc/teleport-tls-ca/ca.pem
image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
httpGet:
path: /healthz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
name: teleport
ports:
- containerPort: 3000
name: diag
protocol: TCP
readinessProbe:
failureThreshold: 12
httpGet:
path: /readyz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 9807
volumeMounts:
- mountPath: /etc/teleport
name: config
readOnly: true
- mountPath: /etc/teleport-secrets
name: auth-token
readOnly: true
- mountPath: /var/lib/teleport
name: data
- mountPath: /etc/teleport-tls-ca
name: teleport-tls-ca
readOnly: true
securityContext:
fsGroup: 9807
serviceAccountName: RELEASE-NAME
volumes:
- configMap:
name: RELEASE-NAME
name: config
- name: auth-token
secret:
secretName: teleport-kube-agent-join-token
- emptyDir: {}
name: data
- name: teleport-tls-ca
secret:
secretName: helm-lint-existing-tls-secret-ca
# Private-CA case combined with an extra environment variable: SSL_CERT_FILE
# is rendered first and the user-supplied HTTPS_PROXY follows it.
# NOTE(review): the proxy URL is a fixture placeholder, but it shows that such
# values are rendered as literal `value:` strings. Credentials embedded this
# way are readable by anyone who can read the StatefulSet or pod object. Real
# deployments should source them from a Secret (`valueFrom.secretKeyRef`).
should mount tls.existingCASecretName and set extra environment when set in values:
1: |
containers:
- args:
- --diag-addr=0.0.0.0:3000
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- name: TELEPORT_REPLICA_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KUBE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
- name: SSL_CERT_FILE
value: /etc/teleport-tls-ca/ca.pem
- name: HTTPS_PROXY
value: http://username:password@my.proxy.host:3128
image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
httpGet:
path: /healthz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
name: teleport
ports:
- containerPort: 3000
name: diag
protocol: TCP
readinessProbe:
failureThreshold: 12
httpGet:
path: /readyz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 9807
volumeMounts:
- mountPath: /etc/teleport
name: config
readOnly: true
- mountPath: /etc/teleport-secrets
name: auth-token
readOnly: true
- mountPath: /var/lib/teleport
name: data
- mountPath: /etc/teleport-tls-ca
name: teleport-tls-ca
readOnly: true
securityContext:
fsGroup: 9807
serviceAccountName: RELEASE-NAME
volumes:
- configMap:
name: RELEASE-NAME
name: config
- name: auth-token
secret:
secretName: teleport-kube-agent-join-token
- emptyDir: {}
name: data
- name: teleport-tls-ca
secret:
secretName: helm-lint-existing-tls-secret-ca
# Negative check: with persistent storage in use, the `volumes` list holds
# only `config` and `auth-token`, with no `emptyDir` entry. The data mount
# refers to `RELEASE-NAME-teleport-data` instead.
should not add emptyDir for data when using StatefulSet:
1: |
containers:
- args:
- --diag-addr=0.0.0.0:3000
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- name: TELEPORT_REPLICA_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KUBE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
httpGet:
path: /healthz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
name: teleport
ports:
- containerPort: 3000
name: diag
protocol: TCP
readinessProbe:
failureThreshold: 12
httpGet:
path: /readyz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 9807
volumeMounts:
- mountPath: /etc/teleport
name: config
readOnly: true
- mountPath: /etc/teleport-secrets
name: auth-token
readOnly: true
- mountPath: /var/lib/teleport
name: RELEASE-NAME-teleport-data
securityContext:
fsGroup: 9807
serviceAccountName: RELEASE-NAME
volumes:
- configMap:
name: RELEASE-NAME
name: config
- name: auth-token
secret:
secretName: teleport-kube-agent-join-token
# initContainer case: the init container `teleport-init` is rendered with the
# same resources, securityContext and volumeMounts as the main container, so
# it also gets the join-token Secret at /etc/teleport-secrets.
# NOTE(review): the fixture image is a bare `alpine` with no tag or digest,
# which resolves to whatever `latest` is at pull time. Since init containers
# see the join token, real values should pin a trusted image by tag or digest.
should provision initContainer correctly when set in values:
1: |
containers:
- args:
- --diag-addr=0.0.0.0:3000
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- name: TELEPORT_REPLICA_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KUBE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
httpGet:
path: /healthz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
name: teleport
ports:
- containerPort: 3000
name: diag
protocol: TCP
readinessProbe:
failureThreshold: 12
httpGet:
path: /readyz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
resources:
limits:
cpu: 2
memory: 4Gi
requests:
cpu: 1
memory: 2Gi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 9807
volumeMounts:
- mountPath: /etc/teleport
name: config
readOnly: true
- mountPath: /etc/teleport-secrets
name: auth-token
readOnly: true
- mountPath: /var/lib/teleport
name: RELEASE-NAME-teleport-data
initContainers:
- args:
- echo test
image: alpine
name: teleport-init
resources:
limits:
cpu: 2
memory: 4Gi
requests:
cpu: 1
memory: 2Gi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 9807
volumeMounts:
- mountPath: /etc/teleport
name: config
readOnly: true
- mountPath: /etc/teleport-secrets
name: auth-token
readOnly: true
- mountPath: /var/lib/teleport
name: RELEASE-NAME-teleport-data
securityContext:
fsGroup: 9807
serviceAccountName: RELEASE-NAME
volumes:
- configMap:
name: RELEASE-NAME
name: config
- name: auth-token
secret:
secretName: teleport-kube-agent-join-token
# Pins both security contexts. The pod-level context sets `fsGroup: 9807`.
# The container-level context runs as non-root UID 9807 with a read-only root
# filesystem, no privilege escalation and capabilities dropped.
# NOTE(review): the drop entry is lowercase `all` and no seccompProfile is
# set. Kubernetes Pod Security "restricted" expects `ALL` and a seccomp
# profile; confirm against the admission policy in use.
should set SecurityContext:
1: |
containers:
- args:
- --diag-addr=0.0.0.0:3000
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- name: TELEPORT_REPLICA_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KUBE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
httpGet:
path: /healthz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
name: teleport
ports:
- containerPort: 3000
name: diag
protocol: TCP
readinessProbe:
failureThreshold: 12
httpGet:
path: /readyz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 9807
volumeMounts:
- mountPath: /etc/teleport
name: config
readOnly: true
- mountPath: /etc/teleport-secrets
name: auth-token
readOnly: true
- mountPath: /var/lib/teleport
name: RELEASE-NAME-teleport-data
securityContext:
fsGroup: 9807
serviceAccountName: RELEASE-NAME
volumes:
- configMap:
name: RELEASE-NAME
name: config
- name: auth-token
secret:
secretName: teleport-kube-agent-join-token
# User-supplied affinity is rendered as given. It combines a *required*
# nodeAffinity on `gravitational.io/dedicated In [teleport]` with a preferred
# (weight 1) hostname anti-affinity on `app In [teleport]`. No chart-generated
# anti-affinity term (weight 50, `app=RELEASE-NAME`) appears in this entry.
should set affinity when set in values:
1: |
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: gravitational.io/dedicated
operator: In
values:
- teleport
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: app
operator: In
values:
- teleport
topologyKey: kubernetes.io/hostname
weight: 1
containers:
- args:
- --diag-addr=0.0.0.0:3000
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- name: TELEPORT_REPLICA_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KUBE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
httpGet:
path: /healthz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
name: teleport
ports:
- containerPort: 3000
name: diag
protocol: TCP
readinessProbe:
failureThreshold: 12
httpGet:
path: /readyz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 9807
volumeMounts:
- mountPath: /etc/teleport
name: config
readOnly: true
- mountPath: /etc/teleport-secrets
name: auth-token
readOnly: true
- mountPath: /var/lib/teleport
name: RELEASE-NAME-teleport-data
securityContext:
fsGroup: 9807
serviceAccountName: RELEASE-NAME
volumes:
- configMap:
name: RELEASE-NAME
name: config
- name: auth-token
secret:
secretName: teleport-kube-agent-join-token
# Pins the default identity: with no service account name in values, the pod
# runs as `serviceAccountName: RELEASE-NAME`, i.e. an account named after the
# release. What that account may do is set by RBAC objects outside this
# snapshot.
should set default serviceAccountName when not set in values:
1: |
containers:
- args:
- --diag-addr=0.0.0.0:3000
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- name: TELEPORT_REPLICA_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KUBE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
httpGet:
path: /healthz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
name: teleport
ports:
- containerPort: 3000
name: diag
protocol: TCP
readinessProbe:
failureThreshold: 12
httpGet:
path: /readyz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 9807
volumeMounts:
- mountPath: /etc/teleport
name: config
readOnly: true
- mountPath: /etc/teleport-secrets
name: auth-token
readOnly: true
- mountPath: /var/lib/teleport
name: RELEASE-NAME-teleport-data
securityContext:
fsGroup: 9807
serviceAccountName: RELEASE-NAME
volumes:
- configMap:
name: RELEASE-NAME
name: config
- name: auth-token
secret:
secretName: teleport-kube-agent-join-token
# Only the rendered `dnsConfig` stanza is captured: one nameserver, two
# resolver options (`ndots` with value "2", and `edns0` with no value) and two
# search suffixes. All values are fixture data.
should set dnsConfig when set in values:
1: |
nameservers:
- 1.2.3.4
options:
- name: ndots
value: "2"
- name: edns0
searches:
- ns1.svc.cluster-domain.example
- my.dns.search.suffix
# Pins that `extraEnv` entries are appended after the chart's own variables:
# HTTPS_PROXY is rendered as a literal `value:` string.
# NOTE(review): `username:password` is a fixture placeholder. A real proxy
# credential written this way is stored in plain text in the StatefulSet and
# pod objects; source it from a Secret (`valueFrom.secretKeyRef`) instead.
should set environment when extraEnv set in values:
1: |
containers:
- args:
- --diag-addr=0.0.0.0:3000
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- name: TELEPORT_REPLICA_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KUBE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
- name: HTTPS_PROXY
value: http://username:password@my.proxy.host:3128
image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
httpGet:
path: /healthz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
name: teleport
ports:
- containerPort: 3000
name: diag
protocol: TCP
readinessProbe:
failureThreshold: 12
httpGet:
path: /readyz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 9807
volumeMounts:
- mountPath: /etc/teleport
name: config
readOnly: true
- mountPath: /etc/teleport-secrets
name: auth-token
readOnly: true
- mountPath: /var/lib/teleport
name: RELEASE-NAME-teleport-data
securityContext:
fsGroup: 9807
serviceAccountName: RELEASE-NAME
volumes:
- configMap:
name: RELEASE-NAME
name: config
- name: auth-token
secret:
secretName: teleport-kube-agent-join-token
# Snapshot for the image/tag test: the expected pod spec, whose image line
# carries tag 12.2.1 in place of the 13.3.8 tag seen in the other entries.
# NOTE(review): the image is referenced by tag only, with no @sha256 digest,
# and imagePullPolicy is IfNotPresent, so a node runs whatever it has cached
# or pulls under that tag. Deployments that need a fixed, verifiable image
# should pin by digest (confirm the chart's image value accepts one).
should set image and tag correctly:
1: |
containers:
- args:
- --diag-addr=0.0.0.0:3000
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- name: TELEPORT_REPLICA_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KUBE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
image: public.ecr.aws/gravitational/teleport-distroless:12.2.1
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
httpGet:
path: /healthz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
name: teleport
ports:
- containerPort: 3000
name: diag
protocol: TCP
readinessProbe:
failureThreshold: 12
httpGet:
path: /readyz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 9807
volumeMounts:
- mountPath: /etc/teleport
name: config
readOnly: true
- mountPath: /etc/teleport-secrets
name: auth-token
readOnly: true
- mountPath: /var/lib/teleport
name: RELEASE-NAME-teleport-data
securityContext:
fsGroup: 9807
serviceAccountName: RELEASE-NAME
volumes:
- configMap:
name: RELEASE-NAME
name: config
- name: auth-token
secret:
secretName: teleport-kube-agent-join-token
should set imagePullPolicy when set in values:
1: |
containers:
- args:
- --diag-addr=0.0.0.0:3000
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- name: TELEPORT_REPLICA_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KUBE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
imagePullPolicy: Always
livenessProbe:
failureThreshold: 6
httpGet:
path: /healthz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
name: teleport
ports:
- containerPort: 3000
name: diag
protocol: TCP
readinessProbe:
failureThreshold: 12
httpGet:
path: /readyz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 9807
volumeMounts:
- mountPath: /etc/teleport
name: config
readOnly: true
- mountPath: /etc/teleport-secrets
name: auth-token
readOnly: true
- mountPath: /var/lib/teleport
name: RELEASE-NAME-teleport-data
securityContext:
fsGroup: 9807
serviceAccountName: RELEASE-NAME
volumes:
- configMap:
name: RELEASE-NAME
name: config
- name: auth-token
secret:
secretName: teleport-kube-agent-join-token
should set nodeSelector if set in values:
1: |
containers:
- args:
- --diag-addr=0.0.0.0:3000
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- name: TELEPORT_REPLICA_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KUBE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
httpGet:
path: /healthz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
name: teleport
ports:
- containerPort: 3000
name: diag
protocol: TCP
readinessProbe:
failureThreshold: 12
httpGet:
path: /readyz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 9807
volumeMounts:
- mountPath: /etc/teleport
name: config
readOnly: true
- mountPath: /etc/teleport-secrets
name: auth-token
readOnly: true
- mountPath: /var/lib/teleport
name: RELEASE-NAME-teleport-data
nodeSelector:
gravitational.io/k8s-role: node
securityContext:
fsGroup: 9807
serviceAccountName: RELEASE-NAME
volumes:
- configMap:
name: RELEASE-NAME
name: config
- name: auth-token
secret:
secretName: teleport-kube-agent-join-token
should set preferred affinity when more than one replica is used:
1: |
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: app
operator: In
values:
- RELEASE-NAME
topologyKey: kubernetes.io/hostname
weight: 50
containers:
- args:
- --diag-addr=0.0.0.0:3000
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- name: TELEPORT_REPLICA_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KUBE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
httpGet:
path: /healthz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
name: teleport
ports:
- containerPort: 3000
name: diag
protocol: TCP
readinessProbe:
failureThreshold: 12
httpGet:
path: /readyz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 9807
volumeMounts:
- mountPath: /etc/teleport
name: config
readOnly: true
- mountPath: /etc/teleport-secrets
name: auth-token
readOnly: true
- mountPath: /var/lib/teleport
name: RELEASE-NAME-teleport-data
securityContext:
fsGroup: 9807
serviceAccountName: RELEASE-NAME
volumes:
- configMap:
name: RELEASE-NAME
name: config
- name: auth-token
secret:
secretName: teleport-kube-agent-join-token
should set probeTimeoutSeconds when set in values:
1: |
containers:
- args:
- --diag-addr=0.0.0.0:3000
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- name: TELEPORT_REPLICA_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KUBE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
httpGet:
path: /healthz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 5
name: teleport
ports:
- containerPort: 3000
name: diag
protocol: TCP
readinessProbe:
failureThreshold: 12
httpGet:
path: /readyz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 5
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 9807
volumeMounts:
- mountPath: /etc/teleport
name: config
readOnly: true
- mountPath: /etc/teleport-secrets
name: auth-token
readOnly: true
- mountPath: /var/lib/teleport
name: RELEASE-NAME-teleport-data
securityContext:
fsGroup: 9807
serviceAccountName: RELEASE-NAME
volumes:
- configMap:
name: RELEASE-NAME
name: config
- name: auth-token
secret:
secretName: teleport-kube-agent-join-token
should set required affinity when highAvailability.requireAntiAffinity is set:
1: |
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- RELEASE-NAME
topologyKey: kubernetes.io/hostname
containers:
- args:
- --diag-addr=0.0.0.0:3000
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- name: TELEPORT_REPLICA_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KUBE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
httpGet:
path: /healthz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
name: teleport
ports:
- containerPort: 3000
name: diag
protocol: TCP
readinessProbe:
failureThreshold: 12
httpGet:
path: /readyz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 9807
volumeMounts:
- mountPath: /etc/teleport
name: config
readOnly: true
- mountPath: /etc/teleport-secrets
name: auth-token
readOnly: true
- mountPath: /var/lib/teleport
name: RELEASE-NAME-teleport-data
securityContext:
fsGroup: 9807
serviceAccountName: RELEASE-NAME
volumes:
- configMap:
name: RELEASE-NAME
name: config
- name: auth-token
secret:
secretName: teleport-kube-agent-join-token
should set resources when set in values:
1: |
containers:
- args:
- --diag-addr=0.0.0.0:3000
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- name: TELEPORT_REPLICA_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KUBE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
httpGet:
path: /healthz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
name: teleport
ports:
- containerPort: 3000
name: diag
protocol: TCP
readinessProbe:
failureThreshold: 12
httpGet:
path: /readyz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
resources:
limits:
cpu: 2
memory: 4Gi
requests:
cpu: 1
memory: 2Gi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 9807
volumeMounts:
- mountPath: /etc/teleport
name: config
readOnly: true
- mountPath: /etc/teleport-secrets
name: auth-token
readOnly: true
- mountPath: /var/lib/teleport
name: RELEASE-NAME-teleport-data
securityContext:
fsGroup: 9807
serviceAccountName: RELEASE-NAME
volumes:
- configMap:
name: RELEASE-NAME
name: config
- name: auth-token
secret:
secretName: teleport-kube-agent-join-token
should set serviceAccountName when set in values:
1: |
containers:
- args:
- --diag-addr=0.0.0.0:3000
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- name: TELEPORT_REPLICA_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KUBE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
httpGet:
path: /healthz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
name: teleport
ports:
- containerPort: 3000
name: diag
protocol: TCP
readinessProbe:
failureThreshold: 12
httpGet:
path: /readyz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 9807
volumeMounts:
- mountPath: /etc/teleport
name: config
readOnly: true
- mountPath: /etc/teleport-secrets
name: auth-token
readOnly: true
- mountPath: /var/lib/teleport
name: RELEASE-NAME-teleport-data
securityContext:
fsGroup: 9807
serviceAccountName: teleport-kube-agent-sa
volumes:
- configMap:
name: RELEASE-NAME
name: config
- name: auth-token
secret:
secretName: teleport-kube-agent-join-token
should set storage.requests when set in values and action is an Upgrade:
1: |
containers:
- args:
- --diag-addr=0.0.0.0:3000
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- name: TELEPORT_REPLICA_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KUBE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
httpGet:
path: /healthz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
name: teleport
ports:
- containerPort: 3000
name: diag
protocol: TCP
readinessProbe:
failureThreshold: 12
httpGet:
path: /readyz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 9807
volumeMounts:
- mountPath: /etc/teleport
name: config
readOnly: true
- mountPath: /etc/teleport-secrets
name: auth-token
readOnly: true
- mountPath: /var/lib/teleport
name: RELEASE-NAME-teleport-data
securityContext:
fsGroup: 9807
serviceAccountName: RELEASE-NAME
volumes:
- configMap:
name: RELEASE-NAME
name: config
- name: auth-token
secret:
secretName: teleport-kube-agent-join-token
should set storage.storageClassName when set in values and action is an Upgrade:
1: |
containers:
- args:
- --diag-addr=0.0.0.0:3000
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- name: TELEPORT_REPLICA_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KUBE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
httpGet:
path: /healthz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
name: teleport
ports:
- containerPort: 3000
name: diag
protocol: TCP
readinessProbe:
failureThreshold: 12
httpGet:
path: /readyz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 9807
volumeMounts:
- mountPath: /etc/teleport
name: config
readOnly: true
- mountPath: /etc/teleport-secrets
name: auth-token
readOnly: true
- mountPath: /var/lib/teleport
name: RELEASE-NAME-teleport-data
securityContext:
fsGroup: 9807
serviceAccountName: RELEASE-NAME
volumes:
- configMap:
name: RELEASE-NAME
name: config
- name: auth-token
secret:
secretName: teleport-kube-agent-join-token
should set tolerations when set in values:
1: |
containers:
- args:
- --diag-addr=0.0.0.0:3000
env:
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
value: "true"
- name: TELEPORT_REPLICA_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KUBE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
image: public.ecr.aws/gravitational/teleport-distroless:13.3.8
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 6
httpGet:
path: /healthz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
name: teleport
ports:
- containerPort: 3000
name: diag
protocol: TCP
readinessProbe:
failureThreshold: 12
httpGet:
path: /readyz
port: diag
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 9807
volumeMounts:
- mountPath: /etc/teleport
name: config
readOnly: true
- mountPath: /etc/teleport-secrets
name: auth-token
readOnly: true
- mountPath: /var/lib/teleport
name: RELEASE-NAME-teleport-data
securityContext:
fsGroup: 9807
serviceAccountName: RELEASE-NAME
tolerations:
- effect: NoExecute
key: dedicated
operator: Equal
value: teleport
- effect: NoSchedule
key: dedicated
operator: Equal
value: teleport
volumes:
- configMap:
name: RELEASE-NAME
name: config
- name: auth-token
secret:
secretName: teleport-kube-agent-join-token