diff --git a/.circleci/config.yml b/.circleci/config.yml
index 02619af..8140d93 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -1,6 +1,6 @@ version: 2.1 orbs: - architect: giantswarm/architect@5.2.1 + architect: giantswarm/architect@5.5.0 workflows: package-and-push-chart-on-tag:
diff --git a/CHANGELOG.md b/CHANGELOG.md
index bdb3c63..432f7f6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,23 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +## [0.10.2] - 2024-09-25 + +### Changed + +- Fix issues with templates +- Change ownership to Team Shield + +## [0.10.1] - 2024-09-04 + +- Added small fix on `podSecurityContext` for `seccompProfile`. + +## [0.10.0] - 2024-08-21 + +### Changed + +- Upgraded to Teleport `version 16` + ## [0.9.2] - 2024-07-16 ### Changed
@@ -79,7 +96,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Added - First release of teleport-kube-agent-app -[Unreleased]: https://github.com/giantswarm/teleport-kube-agent-app/compare/v0.9.2...HEAD +[Unreleased]: https://github.com/giantswarm/teleport-kube-agent-app/compare/v0.10.2...HEAD +[0.10.2]: https://github.com/giantswarm/teleport-kube-agent-app/compare/v0.10.1...v0.10.2 +[0.10.1]: https://github.com/giantswarm/teleport-kube-agent-app/compare/v0.10.0...v0.10.1 +[0.10.0]: https://github.com/giantswarm/teleport-kube-agent-app/compare/v0.9.2...v0.10.0 [0.9.2]: https://github.com/giantswarm/teleport-kube-agent-app/compare/v0.9.1...v0.9.2 [0.9.1]: https://github.com/giantswarm/teleport-kube-agent-app/compare/v0.9.0...v0.9.1 [0.9.0]: https://github.com/giantswarm/teleport-kube-agent-app/compare/v0.8.0...v0.9.0
diff --git a/CODEOWNERS b/CODEOWNERS
index 7bce3f9..fbfcf99 100644
--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -1,2 +1,2 @@ # generated by giantswarm/github actions - changes will be overwritten -* @giantswarm/team-bigmac +* @giantswarm/team-shield
diff --git a/helm/teleport-kube-agent/Chart.yaml b/helm/teleport-kube-agent/Chart.yaml
index b40195e..d93b395 100644
--- a/helm/teleport-kube-agent/Chart.yaml
+++ b/helm/teleport-kube-agent/Chart.yaml
@@ -1,7 +1,7 @@ apiVersion: v2 name: teleport-kube-agent -appVersion: 15.1.9 version: [[ .Version ]] +appVersion: 16.1.7 description: Teleport provides a secure SSH, Kubernetes, database and application remote access solution that doesn't get in the way. icon: https://s.giantswarm.io/app-icons/teleport/1/light.png
@@ -11,7 +11,7 @@ sources: keywords: - Teleport annotations: - application.giantswarm.io/team: bigmac + application.giantswarm.io/team: shield maintainers: - - name: giantswarm/team-bigmac - email: team-bigmac@giantswarm.io + - name: giantswarm/team-shield + email: team-shield@giantswarm.io
diff --git a/helm/teleport-kube-agent/values.schema.json b/helm/teleport-kube-agent/values.schema.json
index 9326acb..c289698 100644
--- a/helm/teleport-kube-agent/values.schema.json
+++ b/helm/teleport-kube-agent/values.schema.json
@@ -595,6 +595,11 @@ "type": "object", "default": {} }, + "job": { + "$id": "#/properties/extraLabels/properties/job", + "type": "object", + "default": {} + }, "pod": { "$id": "#/properties/extraLabels/properties/pod", "type": "object",
@@ -777,6 +782,39 @@ "additionalProperties": false } }, + "jamfCredentialsSecret": { + "$id": "#/properties/jamfCredentialsSecret", + "type": "object", + "required": ["create", "name"], + "properties": { + "create": { + "$id": "#/properties/jamfCredentialsSecret/create", + "type": "boolean", + "default": false + }, + "name": { + "$id": "#/properties/jamfCredentialsSecret/name", + "type": "string", + "default": "teleport-jamf-api-credentials" + }, + "additionalProperties": false + } + }, + "jamfApiEndpoint": { + "$id": "#/properties/jamfApiEndpoint", + "type": "string", + "default": "" + }, + "jamfClientId": { + "$id": "#/properties/jamfClientId", + "type": "string", + "default": "" + }, + "jamfClientSecret": { + "$id": "#/properties/jamfSecret", + "type": "string", + "default": "" + }, "proxy": { "$id": "#/properties/proxy", "type": "object",
@@ -790,7 +828,7 @@ "noProxy": { "type": ["null", "string"] } - } + } }, "cluster": { "$id": "#/properties/cluster",
diff --git a/helm/teleport-kube-agent/values.yaml b/helm/teleport-kube-agent/values.yaml
index 74f0c5a..0c523fd 100644
--- a/helm/teleport-kube-agent/values.yaml
+++ b/helm/teleport-kube-agent/values.yaml
@@ -17,6 +17,7 @@ global: # | Teleport Application service | `app` | [`apps`](#apps) or [`appResources`](#appresources) | # | Teleport Database service | `db` | [`databases`](#databases) or [`databaseResources`](#databaseresources) | # | Teleport Discovery service | `discovery` | [`kubeClusterName`](#kubeclustername) | +# | Teleport Jamf service | `jamf` | [`jamfApiEndpoint`](#jamfapiendpoint), [`jamfClientId`](#jamfclientid) | # # For example: # ```yaml
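Review bot: In the new `jamfCredentialsSecret` object, `"additionalProperties": false` is placed inside the `properties` map (it is followed by the brace that closes `properties`), so it declares a property literally named `additionalProperties` whose schema is `false` instead of rejecting unknown keys under `jamfCredentialsSecret`; move it after the closing brace of `properties`, which appears to be where the context line above the hunk places it for the preceding object. The `$id` of `jamfClientSecret` is `"#/properties/jamfSecret"` and does not match its key; it should be `"$id": "#/properties/jamfClientSecret"`, and the `create`/`name` ids omit the `/properties/` segment used by `#/properties/extraLabels/properties/job` in the earlier hunk. The schema gives `create` a `"default": false` while the values.yaml hunk later in this diff sets `create: true`; the two should agree so schema consumers and the chart defaults do not diverge.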
@@ -114,7 +115,7 @@ kubeClusterName: "" ################################################################ # apps(list) -- is a static list of applications that should be proxied by -# the agent. See [the Teleport Application access documentation](../../../application-access/introduction.mdx) +# the agent. See [the Teleport Application access documentation](../../../enroll-resources/application-access/introduction.mdx) # for more details. # # Proxied applications can be defined statically (through this value) or dynamically
@@ -139,13 +140,13 @@ kubeClusterName: "" # # You can see a list of all the supported values that can be used in a Teleport # Application Service configuration in the [Application Service Configuration -# Reference](../../../application-access/reference.mdx#configuration). +# Reference](../../../enroll-resources/application-access/reference.mdx#configuration). # apps: [] # appResources(list) -- is a set of labels the agent will monitor. Any application # matching those labels will be proxied by the agent. See [the Teleport -# Application access documentation](../../../application-access/introduction.mdx) +# Application access documentation](../../../enroll-resources/application-access/introduction.mdx) # for more details. # # Proxied applications can be defined statically (through [`apps`](#apps)) or
@@ -164,10 +165,16 @@ apps: [] # # # Once `appResources` is set, you can dynamically register application with -# `tsh` by following [the Dynamic App Registration guide](../../../application-access/guides/dynamic-registration.mdx). +# `tsh` by following [the Dynamic App Registration guide](../../../enroll-resources/application-access/guides/dynamic-registration.mdx). # appResources: [] +# clusterDomain(string) -- sets the domain name used by the Kubernetes cluster. This value is used to build the +# FQDN application URIs. For example, if the cluster domain is `anything.local`, the agent will proxy the application +# `myapp` running in the `default` namespace at `http://myapp.default.svc.anything.local`. You must manually set this value +# to match your cluster domain if it is different from the default value `cluster.local`. +clusterDomain: "cluster.local" + ################################################################ # Values that must be provided if Database access is enabled. ################################################################
@@ -178,7 +185,7 @@ appResources: [] # awsDatabases(list) -- configures AWS database auto-discovery. # # -# For AWS database auto-discovery to work, your Database Service pods will need to use a role which has appropriate IAM permissions as per the [database documentation](../../../database-access/guides/rds.mdx#step-36-create-iam-policies-for-teleport). +# For AWS database auto-discovery to work, your Database Service pods will need to use a role which has appropriate IAM permissions as per the [database documentation](../../../enroll-resources/database-access/enroll-aws-databases/rds.mdx#step-36-create-iam-policies-for-teleport). # After configuring a role, you can use an `eks.amazonaws.com/role-arn` annotation with the `annotations.serviceAccount` value to associate it with the service account and grant permissions: # # ```yaml
@@ -218,7 +225,7 @@ awsDatabases: [] # azureDatabases(list) -- configures Azure database auto-discovery. # -# For Azure database auto-discovery to work, your Database Service pods will need to have appropriate IAM permissions as per the [database documentation](../../../database-access/guides/azure-postgres-mysql.mdx#step-46-configure-iam-permissions-for-teleport). +# For Azure database auto-discovery to work, your Database Service pods will need to have appropriate IAM permissions as per the [database documentation](../../../enroll-resources/database-access/enroll-azure-databases/azure-postgres-mysql.mdx#step-35-configure-iam-permissions-for-teleport). # # After configuring a service principal with appropriate IAM permissions, you must pass credentials to the pods. # The easiest way is to use an Azure client secret.
@@ -290,7 +297,7 @@ awsDatabases: [] azureDatabases: [] # databases(list) -- is a static list of databases that should be proxied by -# the agent. See [the Teleport Database access documentation](../../../database-access/introduction.mdx) +# the agent. See [the Teleport Database access documentation](../../../enroll-resources/database-access/database-access.mdx) # for more details. # # Proxied applications can be defined statically (through this value) or dynamically
@@ -319,7 +326,7 @@ azureDatabases: [] # ``` # # -# You can see a list of all the supported [values which can be used in a Teleport database service configuration here](../../../database-access/reference/configuration.mdx). +# You can see a list of all the supported [values which can be used in a Teleport database service configuration here](../../../enroll-resources/database-access/reference/configuration.mdx). # # #
@@ -353,7 +360,8 @@ databases: [] # databaseResources(list) -- is a set of labels the agent will monitor. # Any database matching those labels will be proxied by the agent. See [the Teleport -# Database access documentation](../../../database-access/introduction.mdx) +# Database access +# documentation](../../../enroll-resources/database-access/database-access.mdx) # for more details. # # Proxied databases can be defined statically (through [`databases`](#databases)) or
@@ -373,7 +381,7 @@ databases: [] # # # Once `databaseResources` is set, you can dynamically register database with -# `tsh` by following [this guide](../../../database-access/guides/dynamic-registration.mdx). +# `tsh` by following [this guide](../../../enroll-resources/database-access/guides/dynamic-registration.mdx). # databaseResources: []
@@ -387,9 +395,13 @@ databaseResources: [] # The Discovery Service is enabled when the agent `roles` contains "discovery". # The Discovery service automatically detects Kubernetes Services and configures # the agent to provide access to them. See [the Kubernetes App Discovery -# documentation](../../../auto-discovery/kubernetes-applications/architecture.mdx) +# documentation](../../../enroll-resources/auto-discovery/kubernetes-applications/architecture.mdx) # for more details. # +# +# The Discovery mechanism ignores Kubernetes services running in the `kube-system` and +# `kube-public` namespaces. +# # The default value will try to discover all apps running in Kubernetes. # The discovery can be restricted through this value. For example: #
@@ -410,6 +422,61 @@ kubernetesDiscovery: labels: "*": "*" +################################################################ +# Values that must be provided if Jamf service is enabled. +################################################################ + +# jamfApiEndpoint(string) -- sets the Jamf Pro API endpoint used for Jamf service. +# Example: "https://yourtenant.jamfcloud.com/api". +# +# This setting is required if the chart `roles` contains `jamf`. +jamfApiEndpoint: "" + +# jamfClientId(string) -- sets the Jamf Pro API Client ID used for Jamf service. +# +# This setting is required if the chart `roles` contains `jamf`. +jamfClientId: "" + +# jamfClientSecret(string) -- sets the Jamf Pro API client secret used for Jamf service. +# +# This setting is required if the chart `roles` contains `jamf` and `jamfCredentialsSecret.create` is set to `true`. +# If you provide your own Kubernetes Secret, this setting can remain unset. +jamfClientSecret: "" + +# jamfCredentialsSecret -- manages the Kubernetes Secret containing the Jamf API credentials (either Jamf client secret or password). +jamfCredentialsSecret: + # jamfCredentialsSecret.create(bool) -- controls whether the chart creates the + # Kubernetes `Secret` containing the Jamf Pro API Client Secret. + # If false, you must create a Kubernetes Secret with the configured name in + # the Helm release namespace. + create: true + # jamfCredentialsSecret.name(string) -- is the name of the Kubernetes Secret + # containing the Jamf Pro API Client Secret used by the chart. + # + # If `jamfCredentialsSecret.create` is `false`, the chart will not attempt to create the secret itself. + # Instead, it will read the value from an existing Kubernetes Secret. `jamfCredentialsSecret.name` + # configures the name of this secret. This allows you to configure this secret externally and avoid having a plaintext + # Jamf Pro API Client Secret stored in your Teleport chart values. 
+ # + # To create your own Kubernetes Secret containing Jamf Pro API Client Secret, run the command: + # + # ```code + # $ kubectl --namespace teleport create secret generic my-jamf-secret --from-literal=credential= + # ``` + # + # + # The key used for the Jamf Pro API Client Secret inside the secret must be `credential`, as in the command above. + # + # + # For example: + # + # ```yaml + # jamfCredentialsSecret: + # create: false + # name: my-jamf-secret + # ``` + name: teleport-jamf-api-credentials + ################################################################ # Values that you may need to change. ################################################################
@@ -598,6 +665,33 @@ updater: # binary. extraArgs: [] + # updater.extraVolumes(list) -- contains extra volumes to mount into the Updater pods. + # See [the Kubernetes volume documentation](https://kubernetes.io/docs/concepts/storage/volumes/) + # for more details. + # + # For example: + # ```yaml + # updater: + # extraVolumes: + # - name: myvolume + # secret: + # secretName: testSecret + # ``` + extraVolumes: [] + + # updater.extraVolumeMounts(list) -- contains extra volumes mounts for the updater. + # See [the Kubernetes volume documentation](https://kubernetes.io/docs/concepts/storage/volumes/) + # for more details. + # + # For example: + # ```yaml + # updater: + # extraVolumesMounts: + # - name: myvolume + # mountPath: /path/on/host + # ``` + extraVolumeMounts: [] + # existingDataVolume(string) -- is the name of an existing Kubernetes Persistent # Volume that should be mounted at `/var/lib/teleport`. #
@@ -1046,6 +1140,8 @@ extraLabels: config: {} # extraLabels.deployment(object) -- are labels to set on the Deployment or StatefulSet. deployment: {} + # extraLabels.job(object) -- are labels to set on the post-delete Job created by the chart. + job: {} # extraLabels.pod(object) -- are labels to set on the Pods created by the # Deployment or StatefulSet. pod: {}
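Review bot: The example command under `jamfCredentialsSecret.name` ends in `--from-literal=credential=` with nothing after the `=`, so copying it creates a Secret whose `credential` key is empty; if a placeholder was dropped it should be restored, e.g. `--from-literal=credential=<JAMF_CLIENT_SECRET>`. Because `--from-literal` leaves the client secret in shell history, the example would be safer as `kubectl --namespace teleport create secret generic my-jamf-secret --from-file=credential=./jamf-credential`, with a short sentence saying why. The comment on `jamfCredentialsSecret` describes the stored credential as "either Jamf client secret or password", but nothing else in this hunk mentions a password or a value that would carry one; either document that path or narrow the wording to the client secret.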
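Review bot: The example under `updater.extraVolumeMounts` uses the key `extraVolumesMounts:` (extra `s`), which does not match the key `extraVolumeMounts: []` it documents, so a user copying the example sets a key that the chart either rejects at schema validation or silently ignores; change the example line to `#   extraVolumeMounts:`. The `extraVolumes` example just above it is consistent with its key. The `updater` block these keys belong to begins outside the hunk.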
@@ -1186,29 +1282,37 @@ resources: {} # See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) # for more details. # +# The default value is compatible with [the restricted PSS](https://kubernetes.io/docs/concepts/security/pod-security-standards/). +# # To unset the security context, set it to `null` or `~`. initSecurityContext: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault # securityContext(object) -- sets the container security context for any pods created by the chart. # See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) # for more details. # +# The default value is compatible with [the restricted PSS](https://kubernetes.io/docs/concepts/security/pod-security-standards/). +# # To unset the security context, set it to `null` or `~`. securityContext: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault # podSecurityContext(object) -- sets the pod security context for any pods created by the chart. # See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
@@ -1217,6 +1321,8 @@ securityContext: # To unset the security context, set it to `null` or `~`. podSecurityContext: fsGroup: 9807 + seccompProfile: + type: RuntimeDefault # priorityClassName(string) -- sets the priority class used by any pods created by the chart. # The user is responsible for creating the `PriorityClass` resource before deploying the chart.
diff --git a/vendir.lock.yml b/vendir.lock.yml
index f8f15d5..f2f421c 100644
--- a/vendir.lock.yml
+++ b/vendir.lock.yml
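Review bot: The new sentence `# The default value is compatible with [the restricted PSS](https://kubernetes.io/docs/concepts/security/pod-security-standards/).` is added above `initSecurityContext` and `securityContext` but not above `podSecurityContext` in the following hunk, which gains the same `seccompProfile: RuntimeDefault`; adding it there keeps the three blocks documented alike. The retained line telling users they can unset the context with `null` or `~` now sits directly under that claim, so one more line would save surprises: `# Unsetting it drops the restricted-profile defaults (all capabilities dropped, non-root, seccomp), so a namespace enforcing the restricted Pod Security Standard will likely refuse the pods.`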
@@ -2,8 +2,8 @@ apiVersion: vendir.k14s.io/v1alpha1 directories: - contents: - helmChart: - appVersion: 15.1.9 - version: 15.1.9 + appVersion: 16.1.7 + version: 16.1.7 path: teleport-kube-agent path: helm kind: LockConfig
diff --git a/vendir.yml b/vendir.yml
index 9ec0548..f28769e 100644
--- a/vendir.yml
+++ b/vendir.yml
@@ -6,7 +6,7 @@ directories: - path: teleport-kube-agent helmChart: name: "teleport-kube-agent" - version: "15.1.9" + version: "16.1.7" repository: url: https://charts.releases.teleport.dev newRootPath: .