diff --git a/.circleci/config.yml b/.circleci/config.yml
index 02619af..8140d93 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -1,6 +1,6 @@
version: 2.1
orbs:
- architect: giantswarm/architect@5.2.1
+ architect: giantswarm/architect@5.5.0
workflows:
package-and-push-chart-on-tag:
diff --git a/CHANGELOG.md b/CHANGELOG.md
index bdb3c63..432f7f6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,23 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [Unreleased]
+## [0.10.2] - 2024-09-25
+
+### Changed
+
+- Fix issues with templates
+- Change ownership to Team Shield
+
+## [0.10.1] - 2024-09-04
+
+- Added small fix on `podSecurityContext` for `seccompProfile`.
+
+## [0.10.0] - 2024-08-21
+
+### Changed
+
+- Upgraded to Teleport `version 16`
+
## [0.9.2] - 2024-07-16
### Changed
@@ -79,7 +96,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Added
- First release of teleport-kube-agent-app
-[Unreleased]: https://github.com/giantswarm/teleport-kube-agent-app/compare/v0.9.2...HEAD
+[Unreleased]: https://github.com/giantswarm/teleport-kube-agent-app/compare/v0.10.2...HEAD
+[0.10.2]: https://github.com/giantswarm/teleport-kube-agent-app/compare/v0.10.1...v0.10.2
+[0.10.1]: https://github.com/giantswarm/teleport-kube-agent-app/compare/v0.10.0...v0.10.1
+[0.10.0]: https://github.com/giantswarm/teleport-kube-agent-app/compare/v0.9.2...v0.10.0
[0.9.2]: https://github.com/giantswarm/teleport-kube-agent-app/compare/v0.9.1...v0.9.2
[0.9.1]: https://github.com/giantswarm/teleport-kube-agent-app/compare/v0.9.0...v0.9.1
[0.9.0]: https://github.com/giantswarm/teleport-kube-agent-app/compare/v0.8.0...v0.9.0
diff --git a/CODEOWNERS b/CODEOWNERS
index 7bce3f9..fbfcf99 100644
--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -1,2 +1,2 @@
# generated by giantswarm/github actions - changes will be overwritten
-* @giantswarm/team-bigmac
+* @giantswarm/team-shield
diff --git a/helm/teleport-kube-agent/Chart.yaml b/helm/teleport-kube-agent/Chart.yaml
index b40195e..d93b395 100644
--- a/helm/teleport-kube-agent/Chart.yaml
+++ b/helm/teleport-kube-agent/Chart.yaml
@@ -1,7 +1,7 @@
apiVersion: v2
name: teleport-kube-agent
-appVersion: 15.1.9
version: [[ .Version ]]
+appVersion: 16.1.7
description: Teleport provides a secure SSH, Kubernetes, database and application
remote access solution that doesn't get in the way.
icon: https://s.giantswarm.io/app-icons/teleport/1/light.png
@@ -11,7 +11,7 @@ sources:
keywords:
- Teleport
annotations:
- application.giantswarm.io/team: bigmac
+ application.giantswarm.io/team: shield
maintainers:
- - name: giantswarm/team-bigmac
- email: team-bigmac@giantswarm.io
+ - name: giantswarm/team-shield
+ email: team-shield@giantswarm.io
diff --git a/helm/teleport-kube-agent/values.schema.json b/helm/teleport-kube-agent/values.schema.json
index 9326acb..c289698 100644
--- a/helm/teleport-kube-agent/values.schema.json
+++ b/helm/teleport-kube-agent/values.schema.json
@@ -595,6 +595,11 @@
"type": "object",
"default": {}
},
+ "job": {
+ "$id": "#/properties/extraLabels/properties/job",
+ "type": "object",
+ "default": {}
+ },
"pod": {
"$id": "#/properties/extraLabels/properties/pod",
"type": "object",
@@ -777,6 +782,39 @@
"additionalProperties": false
}
},
+ "jamfCredentialsSecret": {
+ "$id": "#/properties/jamfCredentialsSecret",
+ "type": "object",
+ "required": ["create", "name"],
+ "properties": {
+ "create": {
+ "$id": "#/properties/jamfCredentialsSecret/create",
+ "type": "boolean",
+ "default": false
+ },
+ "name": {
+ "$id": "#/properties/jamfCredentialsSecret/name",
+ "type": "string",
+ "default": "teleport-jamf-api-credentials"
+ },
+ "additionalProperties": false
+ }
+ },
+ "jamfApiEndpoint": {
+ "$id": "#/properties/jamfApiEndpoint",
+ "type": "string",
+ "default": ""
+ },
+ "jamfClientId": {
+ "$id": "#/properties/jamfClientId",
+ "type": "string",
+ "default": ""
+ },
+ "jamfClientSecret": {
+ "$id": "#/properties/jamfSecret",
+ "type": "string",
+ "default": ""
+ },
"proxy": {
"$id": "#/properties/proxy",
"type": "object",
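Review bot: In the new `jamfCredentialsSecret` entry, `"additionalProperties": false` is placed inside `"properties"` (right after the `name` property) instead of at the object level, so it only declares a property literally named `additionalProperties` whose schema is `false`; unknown keys under `jamfCredentialsSecret` are still accepted, which is presumably not what was intended. The fix is to close `"properties"` after the `name` entry and put `"additionalProperties": false` next to `"required": ["create", "name"]`. Two smaller consistency points in the same hunk: the `$id` of `jamfClientSecret` reads `"#/properties/jamfSecret"` while every sibling uses its own key name, and the schema default for `jamfCredentialsSecret.create` is `false` whereas the values.yaml hunk that adds `jamfCredentialsSecret` sets `create: true` — one of the two should change so schema-derived documentation matches what the chart actually does.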
@@ -790,7 +828,7 @@
"noProxy": {
"type": ["null", "string"]
}
- }
+ }
},
"cluster": {
"$id": "#/properties/cluster",
diff --git a/helm/teleport-kube-agent/values.yaml b/helm/teleport-kube-agent/values.yaml
index 74f0c5a..0c523fd 100644
--- a/helm/teleport-kube-agent/values.yaml
+++ b/helm/teleport-kube-agent/values.yaml
@@ -17,6 +17,7 @@ global:
# | Teleport Application service | `app` | [`apps`](#apps) or [`appResources`](#appresources) |
# | Teleport Database service | `db` | [`databases`](#databases) or [`databaseResources`](#databaseresources) |
# | Teleport Discovery service | `discovery` | [`kubeClusterName`](#kubeclustername) |
+# | Teleport Jamf service | `jamf` | [`jamfApiEndpoint`](#jamfapiendpoint), [`jamfClientId`](#jamfclientid) |
#
# For example:
# ```yaml
@@ -114,7 +115,7 @@ kubeClusterName: ""
################################################################
# apps(list) -- is a static list of applications that should be proxied by
-# the agent. See [the Teleport Application access documentation](../../../application-access/introduction.mdx)
+# the agent. See [the Teleport Application access documentation](../../../enroll-resources/application-access/introduction.mdx)
# for more details.
#
# Proxied applications can be defined statically (through this value) or dynamically
@@ -139,13 +140,13 @@ kubeClusterName: ""
#
# You can see a list of all the supported values that can be used in a Teleport
# Application Service configuration in the [Application Service Configuration
-# Reference](../../../application-access/reference.mdx#configuration).
+# Reference](../../../enroll-resources/application-access/reference.mdx#configuration).
#
apps: []
# appResources(list) -- is a set of labels the agent will monitor. Any application
# matching those labels will be proxied by the agent. See [the Teleport
-# Application access documentation](../../../application-access/introduction.mdx)
+# Application access documentation](../../../enroll-resources/application-access/introduction.mdx)
# for more details.
#
# Proxied applications can be defined statically (through [`apps`](#apps)) or
@@ -164,10 +165,16 @@ apps: []
#
#
# Once `appResources` is set, you can dynamically register application with
-# `tsh` by following [the Dynamic App Registration guide](../../../application-access/guides/dynamic-registration.mdx).
+# `tsh` by following [the Dynamic App Registration guide](../../../enroll-resources/application-access/guides/dynamic-registration.mdx).
#
appResources: []
+# clusterDomain(string) -- sets the domain name used by the Kubernetes cluster. This value is used to build the
+# FQDN application URIs. For example, if the cluster domain is `anything.local`, the agent will proxy the application
+# `myapp` running in the `default` namespace at `http://myapp.default.svc.anything.local`. You must manually set this value
+# to match your cluster domain if it is different from the default value `cluster.local`.
+clusterDomain: "cluster.local"
+
################################################################
# Values that must be provided if Database access is enabled.
################################################################
@@ -178,7 +185,7 @@ appResources: []
# awsDatabases(list) -- configures AWS database auto-discovery.
#
#
-# For AWS database auto-discovery to work, your Database Service pods will need to use a role which has appropriate IAM permissions as per the [database documentation](../../../database-access/guides/rds.mdx#step-36-create-iam-policies-for-teleport).
+# For AWS database auto-discovery to work, your Database Service pods will need to use a role which has appropriate IAM permissions as per the [database documentation](../../../enroll-resources/database-access/enroll-aws-databases/rds.mdx#step-36-create-iam-policies-for-teleport).
# After configuring a role, you can use an `eks.amazonaws.com/role-arn` annotation with the `annotations.serviceAccount` value to associate it with the service account and grant permissions:
#
# ```yaml
@@ -218,7 +225,7 @@ awsDatabases: []
# azureDatabases(list) -- configures Azure database auto-discovery.
#
-# For Azure database auto-discovery to work, your Database Service pods will need to have appropriate IAM permissions as per the [database documentation](../../../database-access/guides/azure-postgres-mysql.mdx#step-46-configure-iam-permissions-for-teleport).
+# For Azure database auto-discovery to work, your Database Service pods will need to have appropriate IAM permissions as per the [database documentation](../../../enroll-resources/database-access/enroll-azure-databases/azure-postgres-mysql.mdx#step-35-configure-iam-permissions-for-teleport).
#
# After configuring a service principal with appropriate IAM permissions, you must pass credentials to the pods.
# The easiest way is to use an Azure client secret.
@@ -290,7 +297,7 @@ awsDatabases: []
azureDatabases: []
# databases(list) -- is a static list of databases that should be proxied by
-# the agent. See [the Teleport Database access documentation](../../../database-access/introduction.mdx)
+# the agent. See [the Teleport Database access documentation](../../../enroll-resources/database-access/database-access.mdx)
# for more details.
#
# Proxied applications can be defined statically (through this value) or dynamically
@@ -319,7 +326,7 @@ azureDatabases: []
# ```
#
#
-# You can see a list of all the supported [values which can be used in a Teleport database service configuration here](../../../database-access/reference/configuration.mdx).
+# You can see a list of all the supported [values which can be used in a Teleport database service configuration here](../../../enroll-resources/database-access/reference/configuration.mdx).
#
#
#
@@ -353,7 +360,8 @@ databases: []
# databaseResources(list) -- is a set of labels the agent will monitor.
# Any database matching those labels will be proxied by the agent. See [the Teleport
-# Database access documentation](../../../database-access/introduction.mdx)
+# Database access
+# documentation](../../../enroll-resources/database-access/database-access.mdx)
# for more details.
#
# Proxied databases can be defined statically (through [`databases`](#databases)) or
@@ -373,7 +381,7 @@ databases: []
#
#
# Once `databaseResources` is set, you can dynamically register database with
-# `tsh` by following [this guide](../../../database-access/guides/dynamic-registration.mdx).
+# `tsh` by following [this guide](../../../enroll-resources/database-access/guides/dynamic-registration.mdx).
#
databaseResources: []
@@ -387,9 +395,13 @@ databaseResources: []
# The Discovery Service is enabled when the agent `roles` contains "discovery".
# The Discovery service automatically detects Kubernetes Services and configures
# the agent to provide access to them. See [the Kubernetes App Discovery
-# documentation](../../../auto-discovery/kubernetes-applications/architecture.mdx)
+# documentation](../../../enroll-resources/auto-discovery/kubernetes-applications/architecture.mdx)
# for more details.
#
+#
+# The Discovery mechanism ignores Kubernetes services running in the `kube-system` and
+# `kube-public` namespaces.
+#
# The default value will try to discover all apps running in Kubernetes.
# The discovery can be restricted through this value. For example:
#
@@ -410,6 +422,61 @@ kubernetesDiscovery:
labels:
"*": "*"
+################################################################
+# Values that must be provided if Jamf service is enabled.
+################################################################
+
+# jamfApiEndpoint(string) -- sets the Jamf Pro API endpoint used for Jamf service.
+# Example: "https://yourtenant.jamfcloud.com/api".
+#
+# This setting is required if the chart `roles` contains `jamf`.
+jamfApiEndpoint: ""
+
+# jamfClientId(string) -- sets the Jamf Pro API Client ID used for Jamf service.
+#
+# This setting is required if the chart `roles` contains `jamf`.
+jamfClientId: ""
+
+# jamfClientSecret(string) -- sets the Jamf Pro API client secret used for Jamf service.
+#
+# This setting is required if the chart `roles` contains `jamf` and `jamfCredentialsSecret.create` is set to `true`.
+# If you provide your own Kubernetes Secret, this setting can remain unset.
+jamfClientSecret: ""
+
+# jamfCredentialsSecret -- manages the Kubernetes Secret containing the Jamf API credentials (either Jamf client secret or password).
+jamfCredentialsSecret:
+ # jamfCredentialsSecret.create(bool) -- controls whether the chart creates the
+ # Kubernetes `Secret` containing the Jamf Pro API Client Secret.
+ # If false, you must create a Kubernetes Secret with the configured name in
+ # the Helm release namespace.
+ create: true
+ # jamfCredentialsSecret.name(string) -- is the name of the Kubernetes Secret
+ # containing the Jamf Pro API Client Secret used by the chart.
+ #
+ # If `jamfCredentialsSecret.create` is `false`, the chart will not attempt to create the secret itself.
+ # Instead, it will read the value from an existing Kubernetes Secret. `jamfCredentialsSecret.name`
+ # configures the name of this secret. This allows you to configure this secret externally and avoid having a plaintext
+ # Jamf Pro API Client Secret stored in your Teleport chart values.
+ #
+ # To create your own Kubernetes Secret containing Jamf Pro API Client Secret, run the command:
+ #
+ # ```code
+ # $ kubectl --namespace teleport create secret generic my-jamf-secret --from-literal=credential=
+ # ```
+ #
+ #
+ # The key used for the Jamf Pro API Client Secret inside the secret must be `credential`, as in the command above.
+ #
+ #
+ # For example:
+ #
+ # ```yaml
+ # jamfCredentialsSecret:
+ # create: false
+ # name: my-jamf-secret
+ # ```
+ name: teleport-jamf-api-credentials
+
################################################################
# Values that you may need to change.
################################################################
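Review bot: The `kubectl create secret generic` example in the `jamfCredentialsSecret.name` comment ends in `--from-literal=credential=` with no value, so a reader who copies it gets a Secret whose `credential` key is empty and the agent fails at runtime with a far less obvious error; it looks like a placeholder was lost when the text was copied in. Suggested line: `#   $ kubectl --namespace teleport create secret generic my-jamf-secret --from-literal=credential=<your-jamf-client-secret>`. The top-level `jamfCredentialsSecret` comment also mentions "either Jamf client secret or password", but nothing else in the hunk describes a password mode, so either drop that parenthetical or say which key carries the password.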
@@ -598,6 +665,33 @@ updater:
# binary.
extraArgs: []
+ # updater.extraVolumes(list) -- contains extra volumes to mount into the Updater pods.
+ # See [the Kubernetes volume documentation](https://kubernetes.io/docs/concepts/storage/volumes/)
+ # for more details.
+ #
+ # For example:
+ # ```yaml
+ # updater:
+ # extraVolumes:
+ # - name: myvolume
+ # secret:
+ # secretName: testSecret
+ # ```
+ extraVolumes: []
+
+ # updater.extraVolumeMounts(list) -- contains extra volumes mounts for the updater.
+ # See [the Kubernetes volume documentation](https://kubernetes.io/docs/concepts/storage/volumes/)
+ # for more details.
+ #
+ # For example:
+ # ```yaml
+ # updater:
+ # extraVolumesMounts:
+ # - name: myvolume
+ # mountPath: /path/on/host
+ # ```
+ extraVolumeMounts: []
+
# existingDataVolume(string) -- is the name of an existing Kubernetes Persistent
# Volume that should be mounted at `/var/lib/teleport`.
#
@@ -1046,6 +1140,8 @@ extraLabels:
config: {}
# extraLabels.deployment(object) -- are labels to set on the Deployment or StatefulSet.
deployment: {}
+ # extraLabels.job(object) -- are labels to set on the post-delete Job created by the chart.
+ job: {}
# extraLabels.pod(object) -- are labels to set on the Pods created by the
# Deployment or StatefulSet.
pod: {}
@@ -1186,29 +1282,37 @@ resources: {}
# See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)
# for more details.
#
+# The default value is compatible with [the restricted PSS](https://kubernetes.io/docs/concepts/security/pod-security-standards/).
+#
# To unset the security context, set it to `null` or `~`.
initSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- - all
+ - ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 9807
+ seccompProfile:
+ type: RuntimeDefault
# securityContext(object) -- sets the container security context for any pods created by the chart.
# See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)
# for more details.
#
+# The default value is compatible with [the restricted PSS](https://kubernetes.io/docs/concepts/security/pod-security-standards/).
+#
# To unset the security context, set it to `null` or `~`.
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- - all
+ - ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 9807
+ seccompProfile:
+ type: RuntimeDefault
# podSecurityContext(object) -- sets the pod security context for any pods created by the chart.
# See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
@@ -1217,6 +1321,8 @@ securityContext:
# To unset the security context, set it to `null` or `~`.
podSecurityContext:
fsGroup: 9807
+ seccompProfile:
+ type: RuntimeDefault
# priorityClassName(string) -- sets the priority class used by any pods created by the chart.
# The user is responsible for creating the `PriorityClass` resource before deploying the chart.
diff --git a/vendir.lock.yml b/vendir.lock.yml
index f8f15d5..f2f421c 100644
--- a/vendir.lock.yml
+++ b/vendir.lock.yml
@@ -2,8 +2,8 @@ apiVersion: vendir.k14s.io/v1alpha1
directories:
- contents:
- helmChart:
- appVersion: 15.1.9
- version: 15.1.9
+ appVersion: 16.1.7
+ version: 16.1.7
path: teleport-kube-agent
path: helm
kind: LockConfig
diff --git a/vendir.yml b/vendir.yml
index 9ec0548..f28769e 100644
--- a/vendir.yml
+++ b/vendir.yml
@@ -6,7 +6,7 @@ directories:
- path: teleport-kube-agent
helmChart:
name: "teleport-kube-agent"
- version: "15.1.9"
+ version: "16.1.7"
repository:
url: https://charts.releases.teleport.dev
newRootPath: .