diff --git a/helm/teleport-kube-agent/Chart.yaml b/helm/teleport-kube-agent/Chart.yaml
index d93b395..89f95b1 100644
--- a/helm/teleport-kube-agent/Chart.yaml
+++ b/helm/teleport-kube-agent/Chart.yaml
@@ -1,17 +1,9 @@
apiVersion: v2
-name: teleport-kube-agent
-version: [[ .Version ]]
-appVersion: 16.1.7
+appVersion: 17.0.2
description: Teleport provides a secure SSH, Kubernetes, database and application
remote access solution that doesn't get in the way.
-icon: https://s.giantswarm.io/app-icons/teleport/1/light.png
-type: application
-sources:
-- https://github.com/gravitational/teleport
+icon: https://goteleport.com/static/teleport-symbol-bimi.svg
keywords:
- Teleport
-annotations:
- application.giantswarm.io/team: shield
-maintainers:
- - name: giantswarm/team-shield
- email: team-shield@giantswarm.io
+name: teleport-kube-agent
+version: 17.0.2
diff --git a/helm/teleport-kube-agent/ci/ci-values.yaml b/helm/teleport-kube-agent/ci/ci-values.yaml
deleted file mode 100644
index 2579ac1..0000000
--- a/helm/teleport-kube-agent/ci/ci-values.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-proxyAddr: "teleport.demo.gaws.gigantic.io:443"
-authToken: "test"
-kubeClusterName: "test"
-roles: "kube"
diff --git a/helm/teleport-kube-agent/templates/_config.tpl b/helm/teleport-kube-agent/templates/_config.tpl
index 565e809..adb708d 100644
--- a/helm/teleport-kube-agent/templates/_config.tpl
+++ b/helm/teleport-kube-agent/templates/_config.tpl
@@ -128,6 +128,16 @@ discovery_service:
enabled: false
{{- end }}
+jamf_service:
+ {{- if contains "jamf" (.Values.roles | toString) }}
+ enabled: true
+ api_endpoint: {{ required "jamfApiEndpoint is required in chart values when jamf role is enabled, see README" .Values.jamfApiEndpoint }}
+ client_id: {{ required "jamfClientId is required in chart values when jamf role is enabled, see README" .Values.jamfClientId }}
+ client_secret_file: "/etc/teleport-jamf-api-credentials/credential"
+ {{- else }}
+ enabled: false
+ {{- end }}
+
auth_service:
enabled: false
ssh_service:
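Review bot: The `api_endpoint` and `client_id` values are interpolated as plain YAML scalars, so a client ID that is all digits is rendered as an integer and a value containing ` #` or `: ` breaks or truncates the rendered teleport.yaml. Pipe both through `quote` so the rendered config always carries a string: `api_endpoint: {{ required "jamfApiEndpoint is required in chart values when jamf role is enabled, see README" .Values.jamfApiEndpoint | quote }}` and likewise for `client_id`. The `client_secret_file` path is the one mounted by the statefulset/deployment templates in this same change, so that part is consistent.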
diff --git a/helm/teleport-kube-agent/templates/_helpers.tpl b/helm/teleport-kube-agent/templates/_helpers.tpl
index 2ef4c56..3e00e27 100644
--- a/helm/teleport-kube-agent/templates/_helpers.tpl
+++ b/helm/teleport-kube-agent/templates/_helpers.tpl
@@ -33,7 +33,7 @@ if serviceAccount is not defined or serviceAccount.name is empty, use .Release.N
{{- if .Values.teleportVersionOverride -}}
{{- .Values.teleportVersionOverride -}}
{{- else -}}
- {{- .Chart.AppVersion -}}
+ {{- .Chart.Version -}}
{{- end -}}
{{- end -}}
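Review bot: Switching the default image tag from `.Chart.AppVersion` to `.Chart.Version` ties the pulled Teleport image to the chart version, which only works while the two are kept identical (they are both 17.0.2 in this diff). The previous Chart.yaml carried a `[[ .Version ]]` placeholder for the chart version, so any tooling that still stamps a fork-specific chart version would now produce a non-existent image tag. If the intent is to track upstream exactly, a comment such as `{{/* chart version doubles as the image tag; keep Chart.version == appVersion */}}` would make that invariant visible; otherwise `.Chart.AppVersion` is the safer source.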
@@ -41,18 +41,10 @@ if serviceAccount is not defined or serviceAccount.name is empty, use .Release.N
{{- if .Values.enterprise -}}
{{- .Values.enterpriseImage -}}
{{- else -}}
- {{- .Values.image.repository -}}
+ {{- .Values.image -}}
{{- end -}}
{{- end -}}
{{- define "teleport-kube-agent.image" -}}
{{ include "teleport-kube-agent.baseImage" . }}:{{ include "teleport-kube-agent.version" . }}
{{- end -}}
-
-{{- define "registry" }}
-{{- $registry := .Values.image.registry -}}
-{{- if and .Values.global (and .Values.global.image .Values.global.image.registry) -}}
-{{- $registry = .Values.global.image.registry -}}
-{{- end -}}
-{{- printf "%s" $registry -}}
-{{- end -}}
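Review bot: Removing the `registry` helper (and `global.image.registry`) drops the only way to redirect the agent image to a private mirror without rewriting the full image reference, which air-gapped or allow-listed clusters relied on. The schema change in the same commit turns `image` from an object into a string, so existing values files that set `image.registry`/`image.repository` will now fail validation rather than silently pull from the wrong place, which is the right failure mode but should be called out as a breaking change. Document the migration in the values comment, e.g. `# image(string) -- full image reference; set to your mirror, e.g. registry.example.com/gravitational/teleport-distroless`.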
diff --git a/helm/teleport-kube-agent/templates/delete_hook.yaml b/helm/teleport-kube-agent/templates/delete_hook.yaml
index c6056b0..3cf584a 100644
--- a/helm/teleport-kube-agent/templates/delete_hook.yaml
+++ b/helm/teleport-kube-agent/templates/delete_hook.yaml
@@ -73,6 +73,15 @@ spec:
template:
metadata:
name: {{ .Release.Name }}-delete-hook
+{{- if .Values.annotations.pod }}
+ annotations:
+ {{- toYaml .Values.annotations.pod | nindent 8 }}
+{{- end }}
+ labels:
+ app: {{ .Release.Name }}
+{{- if .Values.extraLabels.pod }}
+ {{- toYaml .Values.extraLabels.pod | nindent 8 }}
+{{- end }}
spec:
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
@@ -100,7 +109,7 @@ spec:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: {{ .Release.Name }}
- image: '{{ include "registry" . }}/{{ .Values.image.repository }}:{{ include "teleport-kube-agent.version" . }}'
+ image: {{ include "teleport-kube-agent.image" . | quote }}
{{- if .Values.imagePullPolicy }}
imagePullPolicy: {{ toYaml .Values.imagePullPolicy }}
{{- end }}
@@ -109,3 +118,6 @@ spec:
{{- if .Values.securityContext }}
securityContext: {{- toYaml .Values.securityContext | nindent 10 }}
{{- end }}
+ {{- if .Values.resources }}
+ resources: {{- toYaml .Values.resources | nindent 10 }}
+ {{- end }}
diff --git a/helm/teleport-kube-agent/templates/deployment.yaml b/helm/teleport-kube-agent/templates/deployment.yaml
index 592ee4e..4eb3f5d 100644
--- a/helm/teleport-kube-agent/templates/deployment.yaml
+++ b/helm/teleport-kube-agent/templates/deployment.yaml
@@ -111,11 +111,11 @@ spec:
name: "teleport-tls-ca"
readOnly: true
{{- end }}
- # {{- if contains "jamf" (.Values.roles | toString) }}
- #- mountPath: /etc/teleport-jamf-api-credentials
- # name: "jamf-api-credentials"
- # readOnly: true
- # {{- end }}
+ {{- if contains "jamf" (.Values.roles | toString) }}
+ - mountPath: /etc/teleport-jamf-api-credentials
+ name: "jamf-api-credentials"
+ readOnly: true
+ {{- end }}
{{- if .Values.extraVolumeMounts }}
{{- toYaml .Values.extraVolumeMounts | nindent 8 }}
{{- end }}
@@ -126,7 +126,7 @@ spec:
{{- end }}
containers:
- name: "teleport"
- image: '{{ include "registry" . }}/{{ .Values.image.repository }}:{{ include "teleport-kube-agent.version" . }}'
+ image: {{ include "teleport-kube-agent.image" . | quote }}
{{- if .Values.imagePullPolicy }}
imagePullPolicy: {{ toYaml .Values.imagePullPolicy }}
{{- end }}
@@ -201,11 +201,11 @@ spec:
name: "teleport-tls-ca"
readOnly: true
{{- end }}
- # {{- if contains "jamf" (.Values.roles | toString) }}
- #- mountPath: /etc/teleport-jamf-api-credentials
- # name: "jamf-api-credentials"
- # readOnly: true
- # {{- end }}
+ {{- if contains "jamf" (.Values.roles | toString) }}
+ - mountPath: /etc/teleport-jamf-api-credentials
+ name: "jamf-api-credentials"
+ readOnly: true
+ {{- end }}
{{- if .Values.extraVolumeMounts }}
{{- toYaml .Values.extraVolumeMounts | nindent 8 }}
{{- end }}
@@ -228,11 +228,11 @@ spec:
secret:
secretName: {{ .Values.tls.existingCASecretName }}
{{- end }}
- #{{- if contains "jamf" (.Values.roles | toString) }}
- #- name: "jamf-api-credentials"
- # secret:
- # secretName: {{ .Values.jamfCredentialsSecret.name }}
- #{{- end }}
+ {{- if contains "jamf" (.Values.roles | toString) }}
+ - name: "jamf-api-credentials"
+ secret:
+ secretName: {{ .Values.jamfCredentialsSecret.name }}
+ {{- end }}
{{- if .Values.extraVolumes }}
{{- toYaml .Values.extraVolumes | nindent 6 }}
{{- end }}
diff --git a/helm/teleport-kube-agent/templates/hook.yaml b/helm/teleport-kube-agent/templates/hook.yaml
index e6d7de5..efd5124 100644
--- a/helm/teleport-kube-agent/templates/hook.yaml
+++ b/helm/teleport-kube-agent/templates/hook.yaml
@@ -63,6 +63,15 @@ spec:
template:
metadata:
name: {{ .Release.Name }}-hook
+{{- if .Values.annotations.pod }}
+ annotations:
+ {{- toYaml .Values.annotations.pod | nindent 8 }}
+{{- end }}
+ labels:
+ app: {{ .Release.Name }}
+{{- if .Values.extraLabels.pod }}
+ {{- toYaml .Values.extraLabels.pod | nindent 8 }}
+{{- end }}
spec:
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName }}
@@ -94,4 +103,7 @@ spec:
{{- if .Values.securityContext }}
securityContext: {{- toYaml .Values.securityContext | nindent 10 }}
{{- end }}
+ {{- if .Values.resources }}
+ resources: {{- toYaml .Values.resources | nindent 10 }}
+ {{- end }}
{{- end}}
diff --git a/helm/teleport-kube-agent/templates/networkpolicy.yaml b/helm/teleport-kube-agent/templates/networkpolicy.yaml
deleted file mode 100644
index 9dd8b40..0000000
--- a/helm/teleport-kube-agent/templates/networkpolicy.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
- name: {{ .Release.Name }}
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ .Release.Name }}
-spec:
- egress:
- - {}
- ingress:
- - {}
- podSelector:
- matchLabels:
- app: {{ .Release.Name }}
- policyTypes:
- - Egress
- - Ingress
diff --git a/helm/teleport-kube-agent/templates/psp.yaml b/helm/teleport-kube-agent/templates/psp.yaml
index aa3578c..bdf8b10 100644
--- a/helm/teleport-kube-agent/templates/psp.yaml
+++ b/helm/teleport-kube-agent/templates/psp.yaml
@@ -2,7 +2,7 @@
We must remove them before 1.25 to ensure the Helm state doesn't corrupt. As this is a breaking change, this
only applies to v12+ charts. v11 and below will only show a warning from the NOTES.txt.
Users must use PSAs instead (beta in 1.23, GA in 1.25). The "teleport-cluster" chart runs in "baseline" mode */}}
-{{- if and (not .Values.global.podSecurityStandards.enforced) .Values.podSecurityPolicy.enabled (semverCompare "<1.25.0" .Capabilities.KubeVersion.Version) -}}
+{{- if and .Values.podSecurityPolicy.enabled (semverCompare "<1.23.0-0" .Capabilities.KubeVersion.Version) -}}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
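Review bot: The new condition renders the PodSecurityPolicy only on Kubernetes below 1.23.0, but the template comment just above still says "We must remove them before 1.25", and `podSecurityPolicy.enabled` defaults to `true` elsewhere in this diff, so clusters on 1.23 and 1.24 silently lose PSP enforcement with no PSA in place. Either bump the comparison back to `<1.25.0-0` to match the comment, or update the comment to state that PSPs are no longer rendered from 1.23 onward and that users on 1.23/1.24 must apply Pod Security Admission labels themselves. Dropping the `global.podSecurityStandards.enforced` gate also removes the fork-wide opt-out, leaving `podSecurityPolicy.enabled: false` as the only way to suppress the resource; worth a line in the values comment.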
diff --git a/helm/teleport-kube-agent/templates/secret.yaml b/helm/teleport-kube-agent/templates/secret.yaml
index 615c79c..3489968 100644
--- a/helm/teleport-kube-agent/templates/secret.yaml
+++ b/helm/teleport-kube-agent/templates/secret.yaml
@@ -17,22 +17,23 @@ stringData:
auth-token: |
{{ coalesce .Values.joinParams.tokenName .Values.authToken }}
{{- end}}
-#{{- if and (contains "jamf" (.Values.roles | toString)) .Values.jamfCredentialsSecret.create }}
-#---
-#apiVersion: v1
-#kind: Secret
-#metadata:
-# name: {{ .Values.jamfCredentialsSecret.name }}
-# namespace: {{ .Release.Namespace }}
-# {{- if .Values.extraLabels.secret }}
-# labels:
-# {{- toYaml .Values.extraLabels.secret | nindent 4 }}
-# {{- end }}
-# {{- if .Values.annotations.secret }}
-# annotations:
-# {{- toYaml .Values.annotations.secret | nindent 4 }}
-# {{- end }}
-#type: Opaque
-#stringData:
-# credential: {{ required "jamfClientSecret is required in chart values when jamf role is enabled, see README" .Values.jamfClientSecret }}
-#{{- end}}
+
+{{- if and (contains "jamf" (.Values.roles | toString)) .Values.jamfCredentialsSecret.create }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.jamfCredentialsSecret.name }}
+ namespace: {{ .Release.Namespace }}
+ {{- if .Values.extraLabels.secret }}
+ labels:
+ {{- toYaml .Values.extraLabels.secret | nindent 4 }}
+ {{- end }}
+ {{- if .Values.annotations.secret }}
+ annotations:
+ {{- toYaml .Values.annotations.secret | nindent 4 }}
+ {{- end }}
+type: Opaque
+stringData:
+ credential: {{ required "jamfClientSecret is required in chart values when jamf role is enabled, see README" .Values.jamfClientSecret }}
+{{- end}}
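Review bot: The Jamf client secret is written into `stringData.credential` as an unquoted scalar, so a secret containing ` #` is truncated at the comment marker, one containing `: ` breaks the YAML, and one that happens to be numeric is retyped before reaching the Secret. Use `credential: {{ required "jamfClientSecret is required in chart values when jamf role is enabled, see README" .Values.jamfClientSecret | quote }}` so the value is always carried verbatim. Because `jamfCredentialsSecret.create` now defaults to `true`, the secret also has to be supplied as a Helm value and therefore ends up in the release history Secret in plaintext-equivalent base64; the values comment should point production users at `create: false` with a pre-provisioned Secret.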
diff --git a/helm/teleport-kube-agent/templates/statefulset.yaml b/helm/teleport-kube-agent/templates/statefulset.yaml
index 3935049..3105deb 100644
--- a/helm/teleport-kube-agent/templates/statefulset.yaml
+++ b/helm/teleport-kube-agent/templates/statefulset.yaml
@@ -13,6 +13,10 @@ metadata:
{{- if .Values.extraLabels.deployment }}
{{- toYaml .Values.extraLabels.deployment | nindent 4 }}
{{- end }}
+ {{- if .Values.annotations.deployment }}
+ annotations:
+ {{- toYaml .Values.annotations.deployment | nindent 4 }}
+ {{- end }}
spec:
serviceName: {{ .Release.Name }}
replicas: {{ $replicaCount }}
@@ -45,6 +49,9 @@ spec:
{{- if .Values.podSecurityContext }}
securityContext: {{- toYaml .Values.podSecurityContext | nindent 8}}
{{- end }}
+ {{- if .Values.terminationGracePeriodSeconds }}
+ terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
+ {{- end }}
{{- if or .Values.affinity (gt (int $replicaCount) 1) }}
affinity:
{{- if .Values.affinity }}
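Review bot: `{{- if .Values.terminationGracePeriodSeconds }}` treats `0` as false, so a user who sets `terminationGracePeriodSeconds: 0` to request immediate termination gets the field omitted and Kubernetes' 30-second default instead. Testing for presence rather than truthiness avoids that, e.g. `{{- if not (kindIs "invalid" .Values.terminationGracePeriodSeconds) }}`. The values default of 30 means the common case is unaffected.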
@@ -107,11 +114,11 @@ spec:
name: "teleport-tls-ca"
readOnly: true
{{- end }}
- # {{- if contains "jamf" (.Values.roles | toString) }}
- #- mountPath: /etc/teleport-jamf-api-credentials
- # name: "jamf-api-credentials"
- # readOnly: true
- # {{- end }}
+ {{- if contains "jamf" (.Values.roles | toString) }}
+ - mountPath: /etc/teleport-jamf-api-credentials
+ name: "jamf-api-credentials"
+ readOnly: true
+ {{- end }}
{{- if .Values.extraVolumeMounts }}
{{- toYaml .Values.extraVolumeMounts | nindent 8 }}
{{- end }}
@@ -126,26 +133,11 @@ spec:
{{- end }}
containers:
- name: "teleport"
- image: '{{ include "registry" . }}/{{ .Values.image.repository }}:{{ include "teleport-kube-agent.version" . }}'
+ image: {{ include "teleport-kube-agent.image" . | quote }}
{{- if .Values.imagePullPolicy }}
imagePullPolicy: {{ toYaml .Values.imagePullPolicy }}
{{- end }}
env:
- {{- $proxy := deepCopy .Values.cluster.proxy | mustMerge .Values.proxy }}
- {{- if and $proxy.noProxy $proxy.http $proxy.https }}
- - name: NO_PROXY
- value: {{ $proxy.noProxy }}
- - name: no_proxy
- value: {{ $proxy.noProxy }}
- - name: HTTP_PROXY
- value: {{ $proxy.http }}
- - name: http_proxy
- value: {{ $proxy.http }}
- - name: HTTPS_PROXY
- value: {{ $proxy.https }}
- - name: https_proxy
- value: {{ $proxy.https }}
- {{- end }}
# This variable is set for telemetry purposes.
# Telemetry is opt-in and controlled at the auth level.
- name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
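Review bot: Dropping the `HTTP_PROXY`/`HTTPS_PROXY`/`NO_PROXY` injection means agents in clusters that can only reach `proxyAddr` through an egress proxy will no longer be able to join, and nothing in the diff offers a replacement or a changelog note. If the chart exposes an `extraEnv` list (not visible in this hunk), the values comments should show the equivalent, e.g. `extraEnv: [{name: HTTPS_PROXY, value: "http://proxy.example:3128"}]`, and `NO_PROXY` should include the in-cluster API server so the kube role keeps working. The container `env` list continues past this hunk.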
@@ -166,6 +158,10 @@ spec:
- name: TELEPORT_EXT_UPGRADER_VERSION
value: {{ include "teleport-kube-agent.version" . }}
{{- end }}
+ {{- if .Values.clusterDomain }}
+ - name: TELEPORT_KUBE_CLUSTER_DOMAIN
+ value: {{ .Values.clusterDomain | quote }}
+ {{- end }}
{{- if .Values.tls.existingCASecretName }}
- name: SSL_CERT_FILE
value: /etc/teleport-tls-ca/ca.pem
@@ -227,11 +223,11 @@ spec:
name: "teleport-tls-ca"
readOnly: true
{{- end }}
-#{{- if contains "jamf" (.Values.roles | toString) }}
-# - mountPath: /etc/teleport-jamf-api-credentials
-# name: "jamf-api-credentials"
-# readOnly: true
-#{{- end }}
+{{- if contains "jamf" (.Values.roles | toString) }}
+ - mountPath: /etc/teleport-jamf-api-credentials
+ name: "jamf-api-credentials"
+ readOnly: true
+{{- end }}
{{- if .Values.extraVolumeMounts }}
{{- toYaml .Values.extraVolumeMounts | nindent 8 }}
{{- end }}
@@ -254,11 +250,11 @@ spec:
secret:
secretName: {{ .Values.tls.existingCASecretName }}
{{- end }}
-#{{- if contains "jamf" (.Values.roles | toString) }}
-# - name: "jamf-api-credentials"
-# secret:
-# secretName: {{ .Values.jamfCredentialsSecret.name }}
-#{{- end }}
+{{- if contains "jamf" (.Values.roles | toString) }}
+ - name: "jamf-api-credentials"
+ secret:
+ secretName: {{ .Values.jamfCredentialsSecret.name }}
+{{- end }}
{{- if .Values.extraVolumes }}
{{- toYaml .Values.extraVolumes | nindent 6 }}
{{- end }}
diff --git a/helm/teleport-kube-agent/values.schema.json b/helm/teleport-kube-agent/values.schema.json
index c289698..46b600c 100644
--- a/helm/teleport-kube-agent/values.schema.json
+++ b/helm/teleport-kube-agent/values.schema.json
@@ -2,7 +2,6 @@
"$schema": "http://json-schema.org/draft-07/schema",
"type": "object",
"required": [
- "global",
"proxyAddr",
"roles",
"joinParams",
@@ -38,34 +37,9 @@
"initContainers",
"resources",
"tolerations",
- "probeTimeoutSeconds",
- "proxy",
- "cluster"
+ "probeTimeoutSeconds"
],
"properties": {
- "global": {
- "$id": "#/properties/global",
- "type": "object",
- "required": [
- "podSecurityStandards"
- ],
- "properties": {
- "podSecurityStandards": {
- "$id": "#/properties/global/properties/podSecurityStandards",
- "type": "object",
- "required": [
- "enforced"
- ],
- "properties": {
- "enforced": {
- "$id": "#/properties/global/properties/podSecurityStandards/properties/enforced",
- "type": "boolean",
- "default": false
- }
- }
- }
- }
- },
"authToken": {
"$id": "#/properties/authToken",
"type": "string",
@@ -278,6 +252,11 @@
"type": "object",
"default": {}
},
+ "terminationGracePeriodSeconds": {
+ "$id": "#/properties/terminationGracePeriodSeconds",
+ "type": "integer",
+ "default": 30
+ },
"tls": {
"$id": "#/properties/tls",
"type": "object",
@@ -368,19 +347,8 @@
},
"image": {
"$id": "#/properties/image",
- "type": "object",
- "properties": {
- "registry": {
- "$id": "#/properties/image/registry",
- "type": "string",
- "default": "public.ecr.aws"
- },
- "repository": {
- "$id": "#/properties/image/repository",
- "type": "string",
- "default": "gravitational/teleport-distroless"
- }
- }
+ "type": "string",
+ "default": "public.ecr.aws/gravitational/teleport-distroless"
},
"enterpriseImage": {
"$id": "#/properties/enterpriseImage",
@@ -395,7 +363,7 @@
"replicaCount": {
"$id": "#/properties/replicaCount",
"type": "integer",
- "default": 2
+ "default": 1
},
"clusterRoleName": {
"$id": "#/properties/clusterRoleName",
@@ -437,7 +405,7 @@
"enabled": {
"$id": "#/properties/highAvailability/properties/podDisruptionBudget/properties/enabled",
"type": "boolean",
- "default": true
+ "default": false
},
"minAvailable": {
"$id": "#/properties/highAvailability/properties/podDisruptionBudget/properties/minAvailable",
@@ -790,7 +758,7 @@
"create": {
"$id": "#/properties/jamfCredentialsSecret/create",
"type": "boolean",
- "default": false
+ "default": true
},
"name": {
"$id": "#/properties/jamfCredentialsSecret/name",
@@ -814,41 +782,6 @@
"$id": "#/properties/jamfSecret",
"type": "string",
"default": ""
- },
- "proxy": {
- "$id": "#/properties/proxy",
- "type": "object",
- "properties": {
- "http": {
- "type": ["null", "string"]
- },
- "https": {
- "type": ["null", "string"]
- },
- "noProxy": {
- "type": ["null", "string"]
- }
- }
- },
- "cluster": {
- "$id": "#/properties/cluster",
- "type": "object",
- "properties": {
- "proxy": {
- "type": "object",
- "properties": {
- "http": {
- "type": ["null", "string"]
- },
- "https": {
- "type": ["null", "string"]
- },
- "noProxy": {
- "type": ["null", "string"]
- }
- }
- }
- }
}
}
}
diff --git a/helm/teleport-kube-agent/values.yaml b/helm/teleport-kube-agent/values.yaml
index 3ad205e..66f7e6c 100644
--- a/helm/teleport-kube-agent/values.yaml
+++ b/helm/teleport-kube-agent/values.yaml
@@ -1,12 +1,7 @@
################################################################
# Values that must always be provided by the user.
################################################################
-global:
- podSecurityStandards:
- enforced: false
- image:
- registry: ""
# roles(string) -- is a comma-separated list of services which will be enabled
# when running the `teleport-kube-agent` chart.
#
@@ -71,7 +66,7 @@ joinParams:
# joinParams.method(string) -- controls which join method will be used by the
# instance to join the Teleport cluster.
#
- # See [the join method reference](../../join-methods.mdx) for the list of possible
+ # See [the join method reference](../../reference/join-methods.mdx) for the list of possible
# values, the implications of each join method, and guides to set up each method.
#
# Common join-methods for the `teleport-kube-agent` are:
@@ -85,7 +80,7 @@ joinParams:
# joinParams.tokenName(string) -- controls which token is used by the agent to
# join the Teleport cluster.
#
- # When `joinParams.method` is [a delegated join method](../../join-methods.mdx#delegated-join-methods),
+ # When `joinParams.method` is [a delegated join method](../../reference/join-methods.mdx#delegated-join-methods),
# the value is not sensitive.
#
# When `joinParams.method` is `token` (by default), `joinParams.tokenName`
@@ -114,7 +109,7 @@ kubeClusterName: ""
################################################################
# apps(list) -- is a static list of applications that should be proxied by
-# the agent. See [the Teleport Application access documentation](../../../enroll-resources/application-access/introduction.mdx)
+# the agent. See [the Teleport Application access documentation](../../reference/agent-services/application-access.mdx#configuration)
# for more details.
#
# Proxied applications can be defined statically (through this value) or dynamically
@@ -139,13 +134,13 @@ kubeClusterName: ""
#
# You can see a list of all the supported values that can be used in a Teleport
# Application Service configuration in the [Application Service Configuration
-# Reference](../../../enroll-resources/application-access/reference.mdx#configuration).
+# Reference](../../reference/agent-services/application-access.mdx#configuration).
#
apps: []
# appResources(list) -- is a set of labels the agent will monitor. Any application
# matching those labels will be proxied by the agent. See [the Teleport
-# Application access documentation](../../../enroll-resources/application-access/introduction.mdx)
+# Application access documentation](../../enroll-resources/application-access/introduction.mdx)
# for more details.
#
# Proxied applications can be defined statically (through [`apps`](#apps)) or
@@ -164,7 +159,7 @@ apps: []
#
#
# Once `appResources` is set, you can dynamically register application with
-# `tsh` by following [the Dynamic App Registration guide](../../../enroll-resources/application-access/guides/dynamic-registration.mdx).
+# `tsh` by following [the Dynamic App Registration guide](../../enroll-resources/application-access/guides/dynamic-registration.mdx).
#
appResources: []
@@ -184,7 +179,7 @@ clusterDomain: "cluster.local"
# awsDatabases(list) -- configures AWS database auto-discovery.
#
#
-# For AWS database auto-discovery to work, your Database Service pods will need to use a role which has appropriate IAM permissions as per the [database documentation](../../../enroll-resources/database-access/enroll-aws-databases/rds.mdx#step-36-create-iam-policies-for-teleport).
+# For AWS database auto-discovery to work, your Database Service pods will need to use a role which has appropriate IAM permissions as per the [database documentation](../../enroll-resources/database-access/enroll-aws-databases/rds.mdx#step-36-create-iam-policies-for-teleport).
# After configuring a role, you can use an `eks.amazonaws.com/role-arn` annotation with the `annotations.serviceAccount` value to associate it with the service account and grant permissions:
#
# ```yaml
@@ -224,7 +219,7 @@ awsDatabases: []
# azureDatabases(list) -- configures Azure database auto-discovery.
#
-# For Azure database auto-discovery to work, your Database Service pods will need to have appropriate IAM permissions as per the [database documentation](../../../enroll-resources/database-access/enroll-azure-databases/azure-postgres-mysql.mdx#step-35-configure-iam-permissions-for-teleport).
+# For Azure database auto-discovery to work, your Database Service pods will need to have appropriate IAM permissions as per the [database documentation](../../enroll-resources/database-access/enroll-azure-databases/azure-postgres-mysql.mdx#step-25-configure-iam-permissions-for-teleport).
#
# After configuring a service principal with appropriate IAM permissions, you must pass credentials to the pods.
# The easiest way is to use an Azure client secret.
@@ -296,7 +291,7 @@ awsDatabases: []
azureDatabases: []
# databases(list) -- is a static list of databases that should be proxied by
-# the agent. See [the Teleport Database access documentation](../../../enroll-resources/database-access/database-access.mdx)
+# the agent. See [the Teleport Database access documentation](../../enroll-resources/database-access/database-access.mdx)
# for more details.
#
# Proxied applications can be defined statically (through this value) or dynamically
@@ -325,7 +320,7 @@ azureDatabases: []
# ```
#
#
-# You can see a list of all the supported [values which can be used in a Teleport database service configuration here](../../../enroll-resources/database-access/reference/configuration.mdx).
+# You can see a list of all the supported [values which can be used in a Teleport database service configuration here](../../reference/agent-services/database-access-reference/configuration.mdx).
#
#
#
@@ -360,7 +355,7 @@ databases: []
# databaseResources(list) -- is a set of labels the agent will monitor.
# Any database matching those labels will be proxied by the agent. See [the Teleport
# Database access
-# documentation](../../../enroll-resources/database-access/database-access.mdx)
+# documentation](../../enroll-resources/database-access/database-access.mdx)
# for more details.
#
# Proxied databases can be defined statically (through [`databases`](#databases)) or
@@ -380,7 +375,7 @@ databases: []
#
#
# Once `databaseResources` is set, you can dynamically register database with
-# `tsh` by following [this guide](../../../enroll-resources/database-access/guides/dynamic-registration.mdx).
+# `tsh` by following [this guide](../../enroll-resources/database-access/guides/dynamic-registration.mdx).
#
databaseResources: []
@@ -394,7 +389,7 @@ databaseResources: []
# The Discovery Service is enabled when the agent `roles` contains "discovery".
# The Discovery service automatically detects Kubernetes Services and configures
# the agent to provide access to them. See [the Kubernetes App Discovery
-# documentation](../../../enroll-resources/auto-discovery/kubernetes-applications/architecture.mdx)
+# documentation](../../reference/architecture/kubernetes-applications-architecture.mdx)
# for more details.
#
#
@@ -448,7 +443,7 @@ jamfCredentialsSecret:
# Kubernetes `Secret` containing the Jamf Pro API Client Secret.
# If false, you must create a Kubernetes Secret with the configured name in
# the Helm release namespace.
- create: false
+ create: true
# jamfCredentialsSecret.name(string) -- is the name of the Kubernetes Secret
# containing the Jamf Pro API Client Secret used by the chart.
#
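Review bot: Flipping `jamfCredentialsSecret.create` to `true` changes the default posture from "bring your own Secret" to "chart materialises the secret from a Helm value", so `jamfClientSecret` now has to travel through values files, CI variables and the Helm release Secret. The comment should say so explicitly, e.g. `# Note: with create: true the client secret passed via jamfClientSecret is stored in the Helm release history; prefer create: false and an externally managed Secret in production.` The schema hunk in this commit applies the same default change.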
@@ -520,7 +515,7 @@ caPin: []
# Using a self-signed TLS certificate and disabling TLS verification is OK for testing, but is not viable when running a production Teleport
# cluster as it will drastically reduce security. You must configure valid TLS certificates on your Teleport cluster for production workloads.
#
-# One option might be to use Teleport's built-in [ACME support](../teleport-cluster.mdx#acme) or enable [cert-manager support](../teleport-cluster.mdx#highavailabilitycertmanager).
+# One option might be to use Teleport's built-in [ACME support](../../reference/helm-reference/teleport-cluster.mdx#acme) or enable [cert-manager support](../../reference/helm-reference/teleport-cluster.mdx#highavailabilitycertmanager).
#
insecureSkipProxyTLSVerify: false
@@ -528,7 +523,7 @@ insecureSkipProxyTLSVerify: false
# Teleport pods. The configuration will be merged with the chart-generated
# configuration and will take precedence in case of conflict.
#
-# See the [Teleport Configuration Reference](../../config.mdx) for the list of supported fields.
+# See the [Teleport Configuration Reference](../../reference/config.mdx) for the list of supported fields.
#
# ```yaml
# teleportConfig:
@@ -543,6 +538,16 @@ insecureSkipProxyTLSVerify: false
# ```
teleportConfig: {}
+# terminationGracePeriodSeconds(integer) -- is the time the pod has to do a graceful shutdown.
+# If teleport has not existed after this delay, the process gets killed.
+# Teleport will wait until every connection backed by the agent is over before exiting.
+# If you want to reduce the disruption of rolling out agents at the price of a slower rollout, you can increase this
+# value to an hour.
+#
+# See the [Kubernetes Pod Lifecycle docs](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination)
+# for more details.
+terminationGracePeriodSeconds: 30
+
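Review bot: The new comment reads "If teleport has not existed after this delay, the process gets killed", which should be "has not exited". It would also help to state the relationship with the rolling update that follows, e.g. `# Kubernetes sends SIGTERM, waits terminationGracePeriodSeconds, then SIGKILLs the pod; in-flight sessions are dropped at that point.` The template guards the field with a truthiness check, so `0` is not honoured; mention that if it is intentional.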
# tls -- contains settings for mounting your own TLS material in the agent pod.
# The agent does not expose a TLS server, so this is only used to trust CAs.
tls:
@@ -709,7 +714,7 @@ podSecurityPolicy:
# and replaced since 1.23 by PodSecurityAdmission (PSA). If you are running on
# Kubernetes 1.23 or later, it is recommended to disable PSPs and use PSAs.
# The steps are documented in the
- # [PSP removal guide](../../../deploy-a-cluster/helm-deployments/migration-kubernetes-1-25-psp.mdx).
+ # [PSP removal guide](../../admin-guides/deploy-a-cluster/helm-deployments/migration-kubernetes-1-25-psp.mdx).
#
# This value will be removed in a future chart version.
enabled: true
@@ -730,7 +735,7 @@ podSecurityPolicy:
# To set labels for applications, add a `labels` element to the [`apps`](#apps) section.
# To set labels for databases, add a `static_labels` element to the [`databases`](#databases) section.
#
-# For more information on how to set static/dynamic labels for Teleport services, see [labelling nodes and applications](../../../management/admin/labels.mdx).
+# For more information on how to set static/dynamic labels for Teleport services, see [labelling nodes and applications](../../admin-guides/management/admin/labels.mdx).
#
#
# For example:
@@ -771,7 +776,7 @@ highAvailability:
# (via [`authToken`](#authToken), [`joinParams`](#joinParams), or [`joinTokenSecret`](#joinTokenSecret))
# is still valid. Each replica has its own identity and needs to join the Teleport
# cluster on its first startup.
- replicaCount: 3
+ replicaCount: 1
# highAvailability.requireAntiAffinity(bool) -- configures Kubernetes `requiredDuringSchedulingIgnoredDuringExecution`
# to require that multiple Teleport pods must not be scheduled on the same physical host.
@@ -796,7 +801,7 @@ highAvailability:
podDisruptionBudget:
# highAvailability.podDisruptionBudget.enabled(bool) -- makes the chart create
# a Kubernetes PodDisruptionBudget for the agent pods.
- enabled: true
+ enabled: false
# highAvailability.podDisruptionBudget.minAvailable(int) -- is the minimum
# available pod specified on the PodDisruptionBudget.
@@ -893,9 +898,8 @@ adminClusterRoleBinding:
# This setting only takes effect when [`enterprise`](#enterprise) is `false`.
# When running an enterprise version, you must use
# [`enterpriseImage`](#enterpriseImage) instead.
-image:
- registry: ®istry gsoci.azurecr.io
- repository: giantswarm/teleport-distroless
+image: public.ecr.aws/gravitational/teleport-distroless
+
# enterpriseImage(string) -- sets the container image used for Teleport Enterprise
# agent pods created by the chart.
#
@@ -1059,7 +1063,7 @@ log:
format: text
# log.extraFields(list) -- sets the fields used in logging for the Teleport process.
#
- # See the [Teleport config file reference](../../config.mdx) for
+ # See the [Teleport config file reference](../../reference/config.mdx) for
# more details on possible values for `extra_fields`.
extraFields: ["timestamp", "level", "component", "caller"]
@@ -1070,22 +1074,7 @@ log:
# affinity(object) -- sets the affinities for any pods created by the chart.
# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity)
# for more details.
-affinity:
- podAntiAffinity:
- preferredDuringSchedulingIgnoredDuringExecution:
- - weight: 100
- podAffinityTerm:
- labelSelector:
- matchLabels:
- app: teleport-kube-agent
- topologyKey: "kubernetes.io/hostname"
- nodeAffinity:
- preferredDuringSchedulingIgnoredDuringExecution:
- - preference:
- matchExpressions:
- - key: node-role.kubernetes.io/control-plane
- operator: Exists
- weight: 10
+affinity: {}
# dnsConfig(object) -- contains custom Pod DNS Configuration for the agent pods.
# This value is useful if you need to reduce the DNS load: set "ndots" to 0 and
@@ -1141,7 +1130,7 @@ extraLabels:
# extraLabels.job(object) -- are labels to set on the post-delete Job created by the chart.
job: {}
# extraLabels.pod(object) -- are labels to set on the Pods created by the
- # Deployment or StatefulSet.
+ # Deployment, StatefulSet, or Job.
pod: {}
# extraLabels.podDisruptionBudget(object) -- are labels to set on the podDisruptionBudget.
podDisruptionBudget: {}
@@ -1319,8 +1308,6 @@ securityContext:
# To unset the security context, set it to `null` or `~`.
podSecurityContext:
fsGroup: 9807
- seccompProfile:
- type: RuntimeDefault
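Review bot: Removing `seccompProfile: type: RuntimeDefault` from the pod security context lowers the agent's hardening: without a seccomp profile the pod no longer satisfies the Pod Security Admission `restricted` level, and this commit simultaneously stops rendering the PodSecurityPolicy on 1.23+. Unless the container-level `securityContext` (defined above this hunk, not visible here) already sets a seccomp profile, keep the two lines `seccompProfile:` / `  type: RuntimeDefault` under `podSecurityContext`. If the removal is deliberate to match upstream defaults, the values comment should state that and point users at setting it themselves.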
# priorityClassName(string) -- sets the priority class used by any pods created by the chart.
# The user is responsible for creating the `PriorityClass` resource before deploying the chart.
@@ -1328,26 +1315,11 @@ podSecurityContext:
# for more details.
priorityClassName: ""
-tolerations:
- - effect: NoSchedule
- key: node-role.kubernetes.io/control-plane
- - effect: NoSchedule
- key: node.cluster.x-k8s.io/uninitialized
- operator: "Exists"
+# tolerations(list) -- sets the tolerations for any pods created by the chart.
+# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/)
+# for more details.
+tolerations: []
# probeTimeoutSeconds(int) -- sets the timeout for the readiness and liveness probes
# https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
probeTimeoutSeconds: 1
-
-# set the HTTP_PROXY, HTTPS_PROXY and NO_PROXY variable
-proxy:
- noProxy:
- http:
- https:
-cluster:
- # is getting overwritten by the top level proxy if set
- # These values are generated via cluster-apps-operator
- proxy:
- noProxy:
- http:
- https:
diff --git a/vendir.lock.yml b/vendir.lock.yml
index f2f421c..395e765 100644
--- a/vendir.lock.yml
+++ b/vendir.lock.yml
@@ -2,8 +2,8 @@ apiVersion: vendir.k14s.io/v1alpha1
directories:
- contents:
- helmChart:
- appVersion: 16.1.7
- version: 16.1.7
+ appVersion: 17.0.2
+ version: 17.0.2
path: teleport-kube-agent
path: helm
kind: LockConfig
diff --git a/vendir.yml b/vendir.yml
index f28769e..96d464f 100644
--- a/vendir.yml
+++ b/vendir.yml
@@ -6,7 +6,7 @@ directories:
- path: teleport-kube-agent
helmChart:
name: "teleport-kube-agent"
- version: "16.1.7"
+ version: "17.0.2"
repository:
url: https://charts.releases.teleport.dev
newRootPath: .