diff --git a/helm/teleport-kube-agent/Chart.yaml b/helm/teleport-kube-agent/Chart.yaml
index d93b395..89f95b1 100644
--- a/helm/teleport-kube-agent/Chart.yaml
+++ b/helm/teleport-kube-agent/Chart.yaml
@@ -1,17 +1,9 @@
 apiVersion: v2
-name: teleport-kube-agent
-version: [[ .Version ]]
-appVersion: 16.1.7
+appVersion: 17.0.2
 description: Teleport provides a secure SSH, Kubernetes, database and application remote access solution that doesn't get in the way.
-icon: https://s.giantswarm.io/app-icons/teleport/1/light.png
-type: application
-sources:
-- https://github.com/gravitational/teleport
+icon: https://goteleport.com/static/teleport-symbol-bimi.svg
 keywords:
 - Teleport
-annotations:
- application.giantswarm.io/team: shield
-maintainers:
- - name: giantswarm/team-shield
- email: team-shield@giantswarm.io
+name: teleport-kube-agent
+version: 17.0.2
diff --git a/helm/teleport-kube-agent/ci/ci-values.yaml b/helm/teleport-kube-agent/ci/ci-values.yaml
deleted file mode 100644
index 2579ac1..0000000
--- a/helm/teleport-kube-agent/ci/ci-values.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-proxyAddr: "teleport.demo.gaws.gigantic.io:443"
-authToken: "test"
-kubeClusterName: "test"
-roles: "kube"
diff --git a/helm/teleport-kube-agent/templates/_config.tpl b/helm/teleport-kube-agent/templates/_config.tpl
index 565e809..adb708d 100644
--- a/helm/teleport-kube-agent/templates/_config.tpl
+++ b/helm/teleport-kube-agent/templates/_config.tpl
@@ -128,6 +128,16 @@ discovery_service:
 enabled: false
 {{- end }}
+jamf_service:
+ {{- if contains "jamf" (.Values.roles | toString) }}
+ enabled: true
+ api_endpoint: {{ required "jamfApiEndpoint is required in chart values when jamf role is enabled, see README" .Values.jamfApiEndpoint }}
+ client_id: {{ required "jamfClientId is required in chart values when jamf role is enabled, see README" .Values.jamfClientId }}
+ client_secret_file: "/etc/teleport-jamf-api-credentials/credential"
+ {{- else }}
+ enabled: false
+ {{- end }}
+
 auth_service:
 enabled: false
 ssh_service:
diff --git a/helm/teleport-kube-agent/templates/_helpers.tpl b/helm/teleport-kube-agent/templates/_helpers.tpl
index 2ef4c56..3e00e27 100644
--- a/helm/teleport-kube-agent/templates/_helpers.tpl
+++ b/helm/teleport-kube-agent/templates/_helpers.tpl
@@ -33,7 +33,7 @@ if serviceAccount is not defined or serviceAccount.name is empty, use .Release.N
 {{- if .Values.teleportVersionOverride -}}
 {{- .Values.teleportVersionOverride -}}
 {{- else -}}
- {{- .Chart.AppVersion -}}
+ {{- .Chart.Version -}}
 {{- end -}}
 {{- end -}}
@@ -41,18 +41,10 @@ if serviceAccount is not defined or serviceAccount.name is empty, use .Release.N
 {{- if .Values.enterprise -}}
 {{- .Values.enterpriseImage -}}
 {{- else -}}
- {{- .Values.image.repository -}}
+ {{- .Values.image -}}
 {{- end -}}
 {{- end -}}
 {{- define "teleport-kube-agent.image" -}}
 {{ include "teleport-kube-agent.baseImage" . }}:{{ include "teleport-kube-agent.version" . }}
 {{- end -}}
-
-{{- define "registry" }}
-{{- $registry := .Values.image.registry -}}
-{{- if and .Values.global (and .Values.global.image .Values.global.image.registry) -}}
-{{- $registry = .Values.global.image.registry -}}
-{{- end -}}
-{{- printf "%s" $registry -}}
-{{- end -}}
diff --git a/helm/teleport-kube-agent/templates/delete_hook.yaml b/helm/teleport-kube-agent/templates/delete_hook.yaml
index c6056b0..3cf584a 100644
--- a/helm/teleport-kube-agent/templates/delete_hook.yaml
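Review bot: `api_endpoint` and `client_id` in the new `jamf_service` block are emitted as plain YAML scalars, so a value that YAML re-types (a purely numeric client id) or one containing `: ` or ` #` silently changes meaning or breaks the rendered teleport config; append `| quote` inside both `{{ required ... }}` expressions, the way `image` and `TELEPORT_KUBE_CLUSTER_DOMAIN` are quoted elsewhere in this commit. Keeping only `client_secret_file` in the config and reading the secret from the `/etc/teleport-jamf-api-credentials` mount added in the deployment and statefulset hunks is the right split, since the rendered config then never contains the client secret. The `required` messages point at a README that this diff does not touch, so it is worth confirming it documents `jamfApiEndpoint` and `jamfClientId`.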
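Review bot: `teleport-kube-agent.version` now takes the image tag from `.Chart.Version` instead of `.Chart.AppVersion`, so Chart.yaml's `version` and `appVersion` must stay identical — a chart-only bump (packaging fix, re-release) would otherwise change the pulled image to a Teleport version that may not exist. The Chart.yaml hunk sets both to 17.0.2, so this works today, but the coupling deserves a comment on the `else` branch, e.g. `{{/* the image tag follows the chart version: keep version and appVersion in Chart.yaml identical */}}`. The enclosing define starts above this hunk.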
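Review bot: deleting the `registry` define removes the only way to redirect pulls through `global.image.registry`, and the values.yaml hunk that replaces `image.registry`/`image.repository` with the single string `public.ecr.aws/gravitational/teleport-distroless` switches the default from the `gsoci.azurecr.io` mirror to a direct pull from the public registry. For clusters that are required to pull from a vetted internal mirror this is a supply-chain regression unless every installation overrides `image` with a full `registry/repo` string, which the `image` comment in values.yaml should now say explicitly. Digest pinning is also not expressible, because `teleport-kube-agent.image` unconditionally appends `:<tag>` to whatever `image` holds.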
+++ b/helm/teleport-kube-agent/templates/delete_hook.yaml
@@ -73,6 +73,15 @@ spec:
 template:
 metadata:
 name: {{ .Release.Name }}-delete-hook
+{{- if .Values.annotations.pod }}
+ annotations:
+ {{- toYaml .Values.annotations.pod | nindent 8 }}
+{{- end }}
+ labels:
+ app: {{ .Release.Name }}
+{{- if .Values.extraLabels.pod }}
+ {{- toYaml .Values.extraLabels.pod | nindent 8 }}
+{{- end }}
 spec:
 {{- if .Values.imagePullSecrets }}
 imagePullSecrets:
@@ -100,7 +109,7 @@ spec:
 fieldPath: metadata.namespace
 - name: RELEASE_NAME
 value: {{ .Release.Name }}
- image: '{{ include "registry" . }}/{{ .Values.image.repository }}:{{ include "teleport-kube-agent.version" . }}'
+ image: {{ include "teleport-kube-agent.image" . | quote }}
 {{- if .Values.imagePullPolicy }}
 imagePullPolicy: {{ toYaml .Values.imagePullPolicy }}
 {{- end }}
@@ -109,3 +118,6 @@ spec:
 {{- if .Values.securityContext }}
 securityContext: {{- toYaml .Values.securityContext | nindent 10 }}
 {{- end }}
+ {{- if .Values.resources }}
+ resources: {{- toYaml .Values.resources | nindent 10 }}
+ {{- end }}
diff --git a/helm/teleport-kube-agent/templates/deployment.yaml b/helm/teleport-kube-agent/templates/deployment.yaml
index 592ee4e..4eb3f5d 100644
--- a/helm/teleport-kube-agent/templates/deployment.yaml
+++ b/helm/teleport-kube-agent/templates/deployment.yaml
@@ -111,11 +111,11 @@ spec:
 name: "teleport-tls-ca"
 readOnly: true
 {{- end }}
- # {{- if contains "jamf" (.Values.roles | toString) }}
- #- mountPath: /etc/teleport-jamf-api-credentials
- # name: "jamf-api-credentials"
- # readOnly: true
- # {{- end }}
+ {{- if contains "jamf" (.Values.roles | toString) }}
+ - mountPath: /etc/teleport-jamf-api-credentials
+ name: "jamf-api-credentials"
+ readOnly: true
+ {{- end }}
 {{- if .Values.extraVolumeMounts }}
 {{- toYaml .Values.extraVolumeMounts | nindent 8 }}
 {{- end }}
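Review bot: the hook pod template now carries `app: {{ .Release.Name }}` unconditionally — the same label the agent pods use — so any selector keyed on that label will also match the short-lived hook Jobs; the deleted networkpolicy.yaml selected exactly `matchLabels: app: {{ .Release.Name }}`, and a PodDisruptionBudget or anti-affinity term using the same key would be affected in the same way. If that is not intended, a distinct value such as `app: {{ .Release.Name }}-hook` keeps the two label sets apart; the identical block is added to hook.yaml in the next file section. The enclosing Job spec starts above this hunk.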
@@ -126,7 +126,7 @@ spec:
 {{- end }}
 containers:
 - name: "teleport"
- image: '{{ include "registry" . }}/{{ .Values.image.repository }}:{{ include "teleport-kube-agent.version" . }}'
+ image: {{ include "teleport-kube-agent.image" . | quote }}
 {{- if .Values.imagePullPolicy }}
 imagePullPolicy: {{ toYaml .Values.imagePullPolicy }}
 {{- end }}
@@ -201,11 +201,11 @@ spec:
 name: "teleport-tls-ca"
 readOnly: true
 {{- end }}
- # {{- if contains "jamf" (.Values.roles | toString) }}
- #- mountPath: /etc/teleport-jamf-api-credentials
- # name: "jamf-api-credentials"
- # readOnly: true
- # {{- end }}
+ {{- if contains "jamf" (.Values.roles | toString) }}
+ - mountPath: /etc/teleport-jamf-api-credentials
+ name: "jamf-api-credentials"
+ readOnly: true
+ {{- end }}
 {{- if .Values.extraVolumeMounts }}
 {{- toYaml .Values.extraVolumeMounts | nindent 8 }}
 {{- end }}
@@ -228,11 +228,11 @@ spec:
 secret:
 secretName: {{ .Values.tls.existingCASecretName }}
 {{- end }}
- #{{- if contains "jamf" (.Values.roles | toString) }}
- #- name: "jamf-api-credentials"
- # secret:
- # secretName: {{ .Values.jamfCredentialsSecret.name }}
- #{{- end }}
+ {{- if contains "jamf" (.Values.roles | toString) }}
+ - name: "jamf-api-credentials"
+ secret:
+ secretName: {{ .Values.jamfCredentialsSecret.name }}
+ {{- end }}
 {{- if .Values.extraVolumes }}
 {{- toYaml .Values.extraVolumes | nindent 6 }}
 {{- end }}
diff --git a/helm/teleport-kube-agent/templates/hook.yaml b/helm/teleport-kube-agent/templates/hook.yaml
index e6d7de5..efd5124 100644
--- a/helm/teleport-kube-agent/templates/hook.yaml
+++ b/helm/teleport-kube-agent/templates/hook.yaml
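Review bot: in the jamf volume added by the `@@ -228,11` hunk, `secretName: {{ .Values.jamfCredentialsSecret.name }}` is rendered unquoted and without `required`, so an empty `jamfCredentialsSecret.name` yields `secretName:` (null) and the failure only surfaces when the pod cannot mount the volume. Failing at render time is consistent with how `_config.tpl` treats the other jamf inputs: `secretName: {{ required "jamfCredentialsSecret.name is required when the jamf role is enabled" .Values.jamfCredentialsSecret.name | quote }}`. The same volume block is added to statefulset.yaml in its `@@ -254,11` hunk.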
@@ -63,6 +63,15 @@ spec:
 template:
 metadata:
 name: {{ .Release.Name }}-hook
+{{- if .Values.annotations.pod }}
+ annotations:
+ {{- toYaml .Values.annotations.pod | nindent 8 }}
+{{- end }}
+ labels:
+ app: {{ .Release.Name }}
+{{- if .Values.extraLabels.pod }}
+ {{- toYaml .Values.extraLabels.pod | nindent 8 }}
+{{- end }}
 spec:
 {{- if .Values.priorityClassName }}
 priorityClassName: {{ .Values.priorityClassName }}
@@ -94,4 +103,7 @@ spec:
 {{- if .Values.securityContext }}
 securityContext: {{- toYaml .Values.securityContext | nindent 10 }}
 {{- end }}
+ {{- if .Values.resources }}
+ resources: {{- toYaml .Values.resources | nindent 10 }}
+ {{- end }}
 {{- end}}
diff --git a/helm/teleport-kube-agent/templates/networkpolicy.yaml b/helm/teleport-kube-agent/templates/networkpolicy.yaml
deleted file mode 100644
index 9dd8b40..0000000
--- a/helm/teleport-kube-agent/templates/networkpolicy.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
- name: {{ .Release.Name }}
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ .Release.Name }}
-spec:
- egress:
- - {}
- ingress:
- - {}
- podSelector:
- matchLabels:
- app: {{ .Release.Name }}
- policyTypes:
- - Egress
- - Ingress
diff --git a/helm/teleport-kube-agent/templates/psp.yaml b/helm/teleport-kube-agent/templates/psp.yaml
index aa3578c..bdf8b10 100644
--- a/helm/teleport-kube-agent/templates/psp.yaml
+++ b/helm/teleport-kube-agent/templates/psp.yaml
@@ -2,7 +2,7 @@ We must remove them before 1.25 to ensure the Helm state doesn't corrupt. As this is a breaking change, this only applies to v12+ charts. v11 and below will only show a warning from the NOTES.txt. Users must use PSAs instead (beta in 1.23, GA in 1.25). The "teleport-cluster" chart runs in "baseline" mode */}}
-{{- if and (not .Values.global.podSecurityStandards.enforced) .Values.podSecurityPolicy.enabled (semverCompare "<1.25.0" .Capabilities.KubeVersion.Version) -}}
+{{- if and .Values.podSecurityPolicy.enabled (semverCompare "<1.23.0-0" .Capabilities.KubeVersion.Version) -}}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
diff --git a/helm/teleport-kube-agent/templates/secret.yaml b/helm/teleport-kube-agent/templates/secret.yaml
index 615c79c..3489968 100644
--- a/helm/teleport-kube-agent/templates/secret.yaml
+++ b/helm/teleport-kube-agent/templates/secret.yaml
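Review bot: the new guard stops rendering the PodSecurityPolicy from Kubernetes 1.23.0 onwards (the `-0` suffix is the right way to make `semverCompare` match pre-release server versions), but the template comment directly above it still says the PSP must be removed "before 1.25", and values.yaml in this commit keeps `podSecurityPolicy.enabled: true` with a comment that only "recommends" disabling PSPs on 1.23+. The comment should state the actual behaviour, e.g. `This PSP is only rendered on clusters below 1.23; on 1.23+ nothing is rendered even when podSecurityPolicy.enabled is true, and PodSecurityAdmission must be used instead.` Dropping the `.Values.global.podSecurityStandards.enforced` term is consistent with `global` being removed from values.yaml and the schema.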
@@ -17,22 +17,23 @@ stringData:
 auth-token: |
 {{ coalesce .Values.joinParams.tokenName .Values.authToken }}
 {{- end}}
-#{{- if and (contains "jamf" (.Values.roles | toString)) .Values.jamfCredentialsSecret.create }}
-#---
-#apiVersion: v1
-#kind: Secret
-#metadata:
-# name: {{ .Values.jamfCredentialsSecret.name }}
-# namespace: {{ .Release.Namespace }}
-# {{- if .Values.extraLabels.secret }}
-# labels:
-# {{- toYaml .Values.extraLabels.secret | nindent 4 }}
-# {{- end }}
-# {{- if .Values.annotations.secret }}
-# annotations:
-# {{- toYaml .Values.annotations.secret | nindent 4 }}
-# {{- end }}
-#type: Opaque
-#stringData:
-# credential: {{ required "jamfClientSecret is required in chart values when jamf role is enabled, see README" .Values.jamfClientSecret }}
-#{{- end}}
+
+{{- if and (contains "jamf" (.Values.roles | toString)) .Values.jamfCredentialsSecret.create }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.jamfCredentialsSecret.name }}
+ namespace: {{ .Release.Namespace }}
+ {{- if .Values.extraLabels.secret }}
+ labels:
+ {{- toYaml .Values.extraLabels.secret | nindent 4 }}
+ {{- end }}
+ {{- if .Values.annotations.secret }}
+ annotations:
+ {{- toYaml .Values.annotations.secret | nindent 4 }}
+ {{- end }}
+type: Opaque
+stringData:
+ credential: {{ required "jamfClientSecret is required in chart values when jamf role is enabled, see README" .Values.jamfClientSecret }}
+{{- end}}
diff --git a/helm/teleport-kube-agent/templates/statefulset.yaml b/helm/teleport-kube-agent/templates/statefulset.yaml
index 3935049..3105deb 100644
--- a/helm/teleport-kube-agent/templates/statefulset.yaml
+++ b/helm/teleport-kube-agent/templates/statefulset.yaml
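Review bot: `credential: {{ required "..." .Values.jamfClientSecret }}` in the new Secret renders the client secret as a plain scalar, so a secret that looks like a number or boolean, or starts with a YAML indicator, is re-typed or breaks the manifest; pipe it through `| quote` (the `auth-token` entry above sidesteps this with a block scalar). Separately, with `jamfCredentialsSecret.create` flipped to `true` in values.yaml and the schema, the client secret is now expected to arrive as a Helm value, which also persists it in the Helm release record stored in the cluster and in any values file kept under version control; the values.yaml comment for `jamfClientSecret` should say so and point to `create: false` with a pre-provisioned Secret for production use. The `{{- if }}` block around the first Secret starts above this hunk.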
@@ -13,6 +13,10 @@ metadata:
 {{- if .Values.extraLabels.deployment }}
 {{- toYaml .Values.extraLabels.deployment | nindent 4 }}
 {{- end }}
+ {{- if .Values.annotations.deployment }}
+ annotations:
+ {{- toYaml .Values.annotations.deployment | nindent 4 }}
+ {{- end }}
 spec:
 serviceName: {{ .Release.Name }}
 replicas: {{ $replicaCount }}
@@ -45,6 +49,9 @@ spec:
 {{- if .Values.podSecurityContext }}
 securityContext: {{- toYaml .Values.podSecurityContext | nindent 8}}
 {{- end }}
+ {{- if .Values.terminationGracePeriodSeconds }}
+ terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
+ {{- end }}
 {{- if or .Values.affinity (gt (int $replicaCount) 1) }}
 affinity:
 {{- if .Values.affinity }}
@@ -107,11 +114,11 @@ spec:
 name: "teleport-tls-ca"
 readOnly: true
 {{- end }}
- # {{- if contains "jamf" (.Values.roles | toString) }}
- #- mountPath: /etc/teleport-jamf-api-credentials
- # name: "jamf-api-credentials"
- # readOnly: true
- # {{- end }}
+ {{- if contains "jamf" (.Values.roles | toString) }}
+ - mountPath: /etc/teleport-jamf-api-credentials
+ name: "jamf-api-credentials"
+ readOnly: true
+ {{- end }}
 {{- if .Values.extraVolumeMounts }}
 {{- toYaml .Values.extraVolumeMounts | nindent 8 }}
 {{- end }}
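Review bot: `{{- if .Values.terminationGracePeriodSeconds }}` in the `@@ -45,6` hunk treats `0` as false, so a user who sets `terminationGracePeriodSeconds: 0` (immediate termination, which the schema's `integer` type accepts) gets no field rendered and Kubernetes applies its own 30-second default instead. Test for presence rather than truthiness, `{{- if not (kindIs "invalid" .Values.terminationGracePeriodSeconds) }}`, or document in values.yaml that `0` is not supported. The enclosing pod spec continues outside the hunk.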
@@ -126,26 +133,11 @@ spec:
 {{- end }}
 containers:
 - name: "teleport"
- image: '{{ include "registry" . }}/{{ .Values.image.repository }}:{{ include "teleport-kube-agent.version" . }}'
+ image: {{ include "teleport-kube-agent.image" . | quote }}
 {{- if .Values.imagePullPolicy }}
 imagePullPolicy: {{ toYaml .Values.imagePullPolicy }}
 {{- end }}
 env:
- {{- $proxy := deepCopy .Values.cluster.proxy | mustMerge .Values.proxy }}
- {{- if and $proxy.noProxy $proxy.http $proxy.https }}
- - name: NO_PROXY
- value: {{ $proxy.noProxy }}
- - name: no_proxy
- value: {{ $proxy.noProxy }}
- - name: HTTP_PROXY
- value: {{ $proxy.http }}
- - name: http_proxy
- value: {{ $proxy.http }}
- - name: HTTPS_PROXY
- value: {{ $proxy.https }}
- - name: https_proxy
- value: {{ $proxy.https }}
- {{- end }}
 # This variable is set for telemetry purposes.
 # Telemetry is opt-in and controlled at the auth level.
 - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
@@ -166,6 +158,10 @@ spec:
 - name: TELEPORT_EXT_UPGRADER_VERSION
 value: {{ include "teleport-kube-agent.version" . }}
 {{- end }}
+ {{- if .Values.clusterDomain }}
+ - name: TELEPORT_KUBE_CLUSTER_DOMAIN
+ value: {{ .Values.clusterDomain | quote }}
+ {{- end }}
 {{- if .Values.tls.existingCASecretName }}
 - name: SSL_CERT_FILE
 value: /etc/teleport-tls-ca/ca.pem
@@ -227,11 +223,11 @@ spec:
 name: "teleport-tls-ca"
 readOnly: true
 {{- end }}
-#{{- if contains "jamf" (.Values.roles | toString) }}
-# - mountPath: /etc/teleport-jamf-api-credentials
-# name: "jamf-api-credentials"
-# readOnly: true
-#{{- end }}
+{{- if contains "jamf" (.Values.roles | toString) }}
+ - mountPath: /etc/teleport-jamf-api-credentials
+ name: "jamf-api-credentials"
+ readOnly: true
+{{- end }}
 {{- if .Values.extraVolumeMounts }}
 {{- toYaml .Values.extraVolumeMounts | nindent 8 }}
 {{- end }}
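Review bot: deleting the `$proxy` block removes the only place the chart injected `HTTP_PROXY`/`HTTPS_PROXY`/`NO_PROXY` into the agent container, and the values.yaml hunk at the end of the diff drops the `proxy`/`cluster.proxy` values (described there as generated by cluster-apps-operator) that fed it. Agents in clusters whose egress goes through an HTTP proxy will lose connectivity to the Teleport proxy after this upgrade, and nothing in the diff compensates; if the chart exposes an extra-env mechanism the upgrade note should show how to set these variables, otherwise the block should be kept. The `env:` list continues past the end of this hunk.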
@@ -254,11 +250,11 @@ spec:
 secret:
 secretName: {{ .Values.tls.existingCASecretName }}
 {{- end }}
-#{{- if contains "jamf" (.Values.roles | toString) }}
-# - name: "jamf-api-credentials"
-# secret:
-# secretName: {{ .Values.jamfCredentialsSecret.name }}
-#{{- end }}
+{{- if contains "jamf" (.Values.roles | toString) }}
+ - name: "jamf-api-credentials"
+ secret:
+ secretName: {{ .Values.jamfCredentialsSecret.name }}
+{{- end }}
 {{- if .Values.extraVolumes }}
 {{- toYaml .Values.extraVolumes | nindent 6 }}
 {{- end }}
diff --git a/helm/teleport-kube-agent/values.schema.json b/helm/teleport-kube-agent/values.schema.json
index c289698..46b600c 100644
--- a/helm/teleport-kube-agent/values.schema.json
+++ b/helm/teleport-kube-agent/values.schema.json
@@ -2,7 +2,6 @@
 "$schema": "http://json-schema.org/draft-07/schema",
 "type": "object",
 "required": [
- "global",
 "proxyAddr",
 "roles",
 "joinParams",
@@ -38,34 +37,9 @@
 "initContainers",
 "resources",
 "tolerations",
- "probeTimeoutSeconds",
- "proxy",
- "cluster"
+ "probeTimeoutSeconds"
 ],
 "properties": {
- "global": {
- "$id": "#/properties/global",
- "type": "object",
- "required": [
- "podSecurityStandards"
- ],
- "properties": {
- "podSecurityStandards": {
- "$id": "#/properties/global/properties/podSecurityStandards",
- "type": "object",
- "required": [
- "enforced"
- ],
- "properties": {
- "enforced": {
- "$id": "#/properties/global/properties/podSecurityStandards/properties/enforced",
- "type": "boolean",
- "default": false
- }
- }
- }
- }
- },
 "authToken": {
 "$id": "#/properties/authToken",
 "type": "string",
@@ -278,6 +252,11 @@
 "type": "object",
 "default": {}
 },
+ "terminationGracePeriodSeconds": {
+ "$id": "#/properties/terminationGracePeriodSeconds",
+ "type": "integer",
+ "default": 30
+ },
 "tls": {
 "$id": "#/properties/tls",
 "type": "object",
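Review bot: the new `terminationGracePeriodSeconds` schema entry in the `@@ -278,6` hunk declares only `"type": "integer"`; Kubernetes rejects negative values for this field, so adding `"minimum": 0` next to `"default": 30` lets `helm lint` and `helm install` catch the mistake at render time instead of at apply time.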
@@ -368,19 +347,8 @@
 },
 "image": {
 "$id": "#/properties/image",
- "type": "object",
- "properties": {
- "registry": {
- "$id": "#/properties/image/registry",
- "type": "string",
- "default": "public.ecr.aws"
- },
- "repository": {
- "$id": "#/properties/image/repository",
- "type": "string",
- "default": "gravitational/teleport-distroless"
- }
- }
+ "type": "string",
+ "default": "public.ecr.aws/gravitational/teleport-distroless"
 },
 "enterpriseImage": {
 "$id": "#/properties/enterpriseImage",
@@ -395,7 +363,7 @@
 "replicaCount": {
 "$id": "#/properties/replicaCount",
 "type": "integer",
- "default": 2
+ "default": 1
 },
 "clusterRoleName": {
 "$id": "#/properties/clusterRoleName",
@@ -437,7 +405,7 @@
 "enabled": {
 "$id": "#/properties/highAvailability/properties/podDisruptionBudget/properties/enabled",
 "type": "boolean",
- "default": true
+ "default": false
 },
 "minAvailable": {
 "$id": "#/properties/highAvailability/properties/podDisruptionBudget/properties/minAvailable",
@@ -790,7 +758,7 @@
 "create": {
 "$id": "#/properties/jamfCredentialsSecret/create",
 "type": "boolean",
- "default": false
+ "default": true
 },
 "name": {
 "$id": "#/properties/jamfCredentialsSecret/name",
@@ -814,41 +782,6 @@
 "$id": "#/properties/jamfSecret",
 "type": "string",
 "default": ""
- },
- "proxy": {
- "$id": "#/properties/proxy",
- "type": "object",
- "properties": {
- "http": {
- "type": ["null", "string"]
- },
- "https": {
- "type": ["null", "string"]
- },
- "noProxy": {
- "type": ["null", "string"]
- }
- }
- },
- "cluster": {
- "$id": "#/properties/cluster",
- "type": "object",
- "properties": {
- "proxy": {
- "type": "object",
- "properties": {
- "http": {
- "type": ["null", "string"]
- },
- "https": {
- "type": ["null", "string"]
- },
- "noProxy": {
- "type": ["null", "string"]
- }
- }
- }
- }
 }
 }
 }
diff --git a/helm/teleport-kube-agent/values.yaml b/helm/teleport-kube-agent/values.yaml
index 3ad205e..66f7e6c 100644
--- a/helm/teleport-kube-agent/values.yaml
+++ b/helm/teleport-kube-agent/values.yaml
@@ -1,12 +1,7 @@
 ################################################################
 # Values that must always be provided by the user.
 ################################################################
-global:
- podSecurityStandards:
- enforced: false
- image:
- registry: ""
 # roles(string) -- is a comma-separated list of services which will be enabled
 # when running the `teleport-kube-agent` chart.
 #
@@ -71,7 +66,7 @@ joinParams:
 # joinParams.method(string) -- controls which join method will be used by the
 # instance to join the Teleport cluster.
 #
- # See [the join method reference](../../join-methods.mdx) for the list of possible
+ # See [the join method reference](../../reference/join-methods.mdx) for the list of possible
 # values, the implications of each join method, and guides to set up each method.
 #
 # Common join-methods for the `teleport-kube-agent` are:
@@ -85,7 +80,7 @@ joinParams:
 # joinParams.tokenName(string) -- controls which token is used by the agent to
 # join the Teleport cluster.
 #
- # When `joinParams.method` is [a delegated join method](../../join-methods.mdx#delegated-join-methods),
+ # When `joinParams.method` is [a delegated join method](../../reference/join-methods.mdx#delegated-join-methods),
 # the value is not sensitive.
 #
 # When `joinParams.method` is `token` (by default), `joinParams.tokenName`
@@ -114,7 +109,7 @@ kubeClusterName: ""
 ################################################################
 # apps(list) -- is a static list of applications that should be proxied by
-# the agent. See [the Teleport Application access documentation](../../../enroll-resources/application-access/introduction.mdx)
+# the agent. See [the Teleport Application access documentation](../../reference/agent-services/application-access.mdx#configuration)
 # for more details.
 #
 # Proxied applications can be defined statically (through this value) or dynamically
@@ -139,13 +134,13 @@ kubeClusterName: ""
 #
 # You can see a list of all the supported values that can be used in a Teleport
 # Application Service configuration in the [Application Service Configuration
-# Reference](../../../enroll-resources/application-access/reference.mdx#configuration).
+# Reference](../../reference/agent-services/application-access.mdx#configuration).
 #
 apps: []
 # appResources(list) -- is a set of labels the agent will monitor. Any application
 # matching those labels will be proxied by the agent. See [the Teleport
-# Application access documentation](../../../enroll-resources/application-access/introduction.mdx)
+# Application access documentation](../../enroll-resources/application-access/introduction.mdx)
 # for more details.
 #
 # Proxied applications can be defined statically (through [`apps`](#apps)) or
@@ -164,7 +159,7 @@ apps: []
 #
 #
 # Once `appResources` is set, you can dynamically register application with
-# `tsh` by following [the Dynamic App Registration guide](../../../enroll-resources/application-access/guides/dynamic-registration.mdx).
+# `tsh` by following [the Dynamic App Registration guide](../../enroll-resources/application-access/guides/dynamic-registration.mdx).
 #
 appResources: []
@@ -184,7 +179,7 @@ clusterDomain: "cluster.local"
 # awsDatabases(list) -- configures AWS database auto-discovery.
 #
 #
-# For AWS database auto-discovery to work, your Database Service pods will need to use a role which has appropriate IAM permissions as per the [database documentation](../../../enroll-resources/database-access/enroll-aws-databases/rds.mdx#step-36-create-iam-policies-for-teleport).
+# For AWS database auto-discovery to work, your Database Service pods will need to use a role which has appropriate IAM permissions as per the [database documentation](../../enroll-resources/database-access/enroll-aws-databases/rds.mdx#step-36-create-iam-policies-for-teleport).
 # After configuring a role, you can use an `eks.amazonaws.com/role-arn` annotation with the `annotations.serviceAccount` value to associate it with the service account and grant permissions:
 #
 # ```yaml
@@ -224,7 +219,7 @@ awsDatabases: []
 # azureDatabases(list) -- configures Azure database auto-discovery.
 #
-# For Azure database auto-discovery to work, your Database Service pods will need to have appropriate IAM permissions as per the [database documentation](../../../enroll-resources/database-access/enroll-azure-databases/azure-postgres-mysql.mdx#step-35-configure-iam-permissions-for-teleport).
+# For Azure database auto-discovery to work, your Database Service pods will need to have appropriate IAM permissions as per the [database documentation](../../enroll-resources/database-access/enroll-azure-databases/azure-postgres-mysql.mdx#step-25-configure-iam-permissions-for-teleport).
 #
 # After configuring a service principal with appropriate IAM permissions, you must pass credentials to the pods.
 # The easiest way is to use an Azure client secret.
@@ -296,7 +291,7 @@ awsDatabases: []
 azureDatabases: []
 # databases(list) -- is a static list of databases that should be proxied by
-# the agent. See [the Teleport Database access documentation](../../../enroll-resources/database-access/database-access.mdx)
+# the agent. See [the Teleport Database access documentation](../../enroll-resources/database-access/database-access.mdx)
 # for more details.
 #
 # Proxied applications can be defined statically (through this value) or dynamically
@@ -325,7 +320,7 @@ azureDatabases: []
 # ```
 #
 #
-# You can see a list of all the supported [values which can be used in a Teleport database service configuration here](../../../enroll-resources/database-access/reference/configuration.mdx).
+# You can see a list of all the supported [values which can be used in a Teleport database service configuration here](../../reference/agent-services/database-access-reference/configuration.mdx).
 #
 #
 #
@@ -360,7 +355,7 @@ databases: []
 # databaseResources(list) -- is a set of labels the agent will monitor.
 # Any database matching those labels will be proxied by the agent. See [the Teleport
 # Database access
-# documentation](../../../enroll-resources/database-access/database-access.mdx)
+# documentation](../../enroll-resources/database-access/database-access.mdx)
 # for more details.
 #
 # Proxied databases can be defined statically (through [`databases`](#databases)) or
@@ -380,7 +375,7 @@ databases: []
 #
 #
 # Once `databaseResources` is set, you can dynamically register database with
-# `tsh` by following [this guide](../../../enroll-resources/database-access/guides/dynamic-registration.mdx).
+# `tsh` by following [this guide](../../enroll-resources/database-access/guides/dynamic-registration.mdx).
 #
 databaseResources: []
@@ -394,7 +389,7 @@ databaseResources: []
 # The Discovery Service is enabled when the agent `roles` contains "discovery".
 # The Discovery service automatically detects Kubernetes Services and configures
 # the agent to provide access to them. See [the Kubernetes App Discovery
-# documentation](../../../enroll-resources/auto-discovery/kubernetes-applications/architecture.mdx)
+# documentation](../../reference/architecture/kubernetes-applications-architecture.mdx)
 # for more details.
 #
 #
@@ -448,7 +443,7 @@ jamfCredentialsSecret:
 # Kubernetes `Secret` containing the Jamf Pro API Client Secret.
 # If false, you must create a Kubernetes Secret with the configured name in
 # the Helm release namespace.
- create: false
+ create: true
 # jamfCredentialsSecret.name(string) -- is the name of the Kubernetes Secret
 # containing the Jamf Pro API Client Secret used by the chart.
 #
@@ -520,7 +515,7 @@ caPin: []
 # Using a self-signed TLS certificate and disabling TLS verification is OK for testing, but is not viable when running a production Teleport
 # cluster as it will drastically reduce security. You must configure valid TLS certificates on your Teleport cluster for production workloads.
 #
-# One option might be to use Teleport's built-in [ACME support](../teleport-cluster.mdx#acme) or enable [cert-manager support](../teleport-cluster.mdx#highavailabilitycertmanager).
+# One option might be to use Teleport's built-in [ACME support](../../reference/helm-reference/teleport-cluster.mdx#acme) or enable [cert-manager support](../../reference/helm-reference/teleport-cluster.mdx#highavailabilitycertmanager).
 #
 insecureSkipProxyTLSVerify: false
@@ -528,7 +523,7 @@ insecureSkipProxyTLSVerify: false
 # Teleport pods. The configuration will be merged with the chart-generated
 # configuration and will take precedence in case of conflict.
 #
-# See the [Teleport Configuration Reference](../../config.mdx) for the list of supported fields.
+# See the [Teleport Configuration Reference](../../reference/config.mdx) for the list of supported fields.
 #
 # ```yaml
 # teleportConfig:
@@ -543,6 +538,16 @@ insecureSkipProxyTLSVerify: false
 # ```
 teleportConfig: {}
+# terminationGracePeriodSeconds(integer) -- is the time the pod has to do a graceful shutdown.
+# If teleport has not existed after this delay, the process gets killed.
+# Teleport will wait until every connection backed by the agent is over before exiting.
+# If you want to reduce the disruption of rolling out agents at the price of a slower rollout, you can increase this
+# value to an hour.
+#
+# See the [Kubernetes Pod Lifecycle docs](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination)
+# for more details.
+terminationGracePeriodSeconds: 30
+
 # tls -- contains settings for mounting your own TLS material in the agent pod.
 # The agent does not expose a TLS server, so this is only used to trust CAs.
 tls:
@@ -709,7 +714,7 @@ podSecurityPolicy:
 # and replaced since 1.23 by PodSecurityAdmission (PSA). If you are running on
 # Kubernetes 1.23 or later, it is recommended to disable PSPs and use PSAs.
 # The steps are documented in the
- # [PSP removal guide](../../../deploy-a-cluster/helm-deployments/migration-kubernetes-1-25-psp.mdx).
+ # [PSP removal guide](../../admin-guides/deploy-a-cluster/helm-deployments/migration-kubernetes-1-25-psp.mdx).
 #
 # This value will be removed in a future chart version.
 enabled: true
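Review bot: the new `terminationGracePeriodSeconds` comment in the `@@ -543,6` hunk has a typo that changes its meaning — "If teleport has not existed after this delay" should read `# If teleport has not exited after this delay, the process gets killed.` It would also help to say that a long grace period (the comment suggests up to an hour) delays node drains and rolling updates for the whole period while connections wind down, so operators can weigh that against the disruption they are avoiding.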
@@ -730,7 +735,7 @@ podSecurityPolicy:
 # To set labels for applications, add a `labels` element to the [`apps`](#apps) section.
 # To set labels for databases, add a `static_labels` element to the [`databases`](#databases) section.
 #
-# For more information on how to set static/dynamic labels for Teleport services, see [labelling nodes and applications](../../../management/admin/labels.mdx).
+# For more information on how to set static/dynamic labels for Teleport services, see [labelling nodes and applications](../../admin-guides/management/admin/labels.mdx).
 #
 #
 # For example:
@@ -771,7 +776,7 @@ highAvailability:
 # (via [`authToken`](#authToken), [`joinParams`](#joinParams), or [`joinTokenSecret`](#joinTokenSecret))
 # is still valid. Each replica has its own identity and needs to join the Teleport
 # cluster on its first startup.
- replicaCount: 3
+ replicaCount: 1
 # highAvailability.requireAntiAffinity(bool) -- configures Kubernetes `requiredDuringSchedulingIgnoredDuringExecution`
 # to require that multiple Teleport pods must not be scheduled on the same physical host.
@@ -796,7 +801,7 @@ highAvailability:
 podDisruptionBudget:
 # highAvailability.podDisruptionBudget.enabled(bool) -- makes the chart create
 # a Kubernetes PodDisruptionBudget for the agent pods.
- enabled: true
+ enabled: false
 # highAvailability.podDisruptionBudget.minAvailable(int) -- is the minimum
 # available pod specified on the PodDisruptionBudget.
@@ -893,9 +898,8 @@ adminClusterRoleBinding:
 # This setting only takes effect when [`enterprise`](#enterprise) is `false`.
 # When running an enterprise version, you must use
 # [`enterpriseImage`](#enterpriseImage) instead.
-image:
- registry: ®istry gsoci.azurecr.io
- repository: giantswarm/teleport-distroless
+image: public.ecr.aws/gravitational/teleport-distroless
+
 # enterpriseImage(string) -- sets the container image used for Teleport Enterprise
 # agent pods created by the chart.
 #
@@ -1059,7 +1063,7 @@ log:
 format: text
 # log.extraFields(list) -- sets the fields used in logging for the Teleport process.
 #
- # See the [Teleport config file reference](../../config.mdx) for
+ # See the [Teleport config file reference](../../reference/config.mdx) for
 # more details on possible values for `extra_fields`.
 extraFields: ["timestamp", "level", "component", "caller"]
@@ -1070,22 +1074,7 @@ log:
 # affinity(object) -- sets the affinities for any pods created by the chart.
 # See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity)
 # for more details.
-affinity:
- podAntiAffinity:
- preferredDuringSchedulingIgnoredDuringExecution:
- - weight: 100
- podAffinityTerm:
- labelSelector:
- matchLabels:
- app: teleport-kube-agent
- topologyKey: "kubernetes.io/hostname"
- nodeAffinity:
- preferredDuringSchedulingIgnoredDuringExecution:
- - preference:
- matchExpressions:
- - key: node-role.kubernetes.io/control-plane
- operator: Exists
- weight: 10
+affinity: {}
 # dnsConfig(object) -- contains custom Pod DNS Configuration for the agent pods.
 # This value is useful if you need to reduce the DNS load: set "ndots" to 0 and
@@ -1141,7 +1130,7 @@ extraLabels:
 # extraLabels.job(object) -- are labels to set on the post-delete Job created by the chart.
 job: {}
 # extraLabels.pod(object) -- are labels to set on the Pods created by the
- # Deployment or StatefulSet.
+ # Deployment, StatefulSet, or Job.
 pod: {}
 # extraLabels.podDisruptionBudget(object) -- are labels to set on the podDisruptionBudget.
 podDisruptionBudget: {}
@@ -1319,8 +1308,6 @@ securityContext:
 # To unset the security context, set it to `null` or `~`.
 podSecurityContext:
 fsGroup: 9807
- seccompProfile:
- type: RuntimeDefault
 # priorityClassName(string) -- sets the priority class used by any pods created by the chart.
 # The user is responsible for creating the `PriorityClass` resource before deploying the chart.
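Review bot: removing `seccompProfile: type: RuntimeDefault` from `podSecurityContext` in the `@@ -1319,8` hunk is a hardening regression: the agent pods lose the runtime's default syscall filter and no longer satisfy the Pod Security Standards `restricted` profile, which requires `seccompProfile.type` to be `RuntimeDefault` or `Localhost`, so in a namespace enforcing `restricted` via PodSecurityAdmission (the mechanism the psp.yaml change now assumes on 1.23+) the pods would be rejected. Unless a known incompatibility motivated the removal, keep the two lines; if the goal is to mirror upstream defaults, the comment above `podSecurityContext` should tell users to add the seccomp profile back when running under a restricted PSA policy.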
@@ -1328,26 +1315,11 @@ podSecurityContext:
 # for more details.
 priorityClassName: ""
-tolerations:
- - effect: NoSchedule
- key: node-role.kubernetes.io/control-plane
- - effect: NoSchedule
- key: node.cluster.x-k8s.io/uninitialized
- operator: "Exists"
+# tolerations(list) -- sets the tolerations for any pods created by the chart.
+# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/)
+# for more details.
+tolerations: []
 # probeTimeoutSeconds(int) -- sets the timeout for the readiness and liveness probes
 # https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
 probeTimeoutSeconds: 1
-
-# set the HTTP_PROXY, HTTPS_PROXY and NO_PROX variable
-proxy:
- noProxy:
- http:
- https:
-cluster:
- # is getting overwritten by the top level proxy if set
- # These values are generated via cluster-apps-operator
- proxy:
- noProxy:
- http:
- https:
diff --git a/vendir.lock.yml b/vendir.lock.yml
index f2f421c..395e765 100644
--- a/vendir.lock.yml
+++ b/vendir.lock.yml
@@ -2,8 +2,8 @@ apiVersion: vendir.k14s.io/v1alpha1
 directories:
 - contents:
 - helmChart:
- appVersion: 16.1.7
- version: 16.1.7
+ appVersion: 17.0.2
+ version: 17.0.2
 path: teleport-kube-agent
 path: helm
 kind: LockConfig
diff --git a/vendir.yml b/vendir.yml
index f28769e..96d464f 100644
--- a/vendir.yml
+++ b/vendir.yml
@@ -6,7 +6,7 @@ directories:
 - path: teleport-kube-agent
 helmChart:
 name: "teleport-kube-agent"
- version: "16.1.7"
+ version: "17.0.2"
 repository:
 url: https://charts.releases.teleport.dev
 newRootPath: .