Update Helm release teleport-kube-agent to v16.4.2

helm/teleport-kube-agent/Chart.yaml

@@ -1,17 +1,9 @@
 apiVersion: v2
-name: teleport-kube-agent
-version: [[ .Version ]]
-appVersion: 16.1.7
+appVersion: 16.4.2
 description: Teleport provides a secure SSH, Kubernetes, database and application
   remote access solution that doesn't get in the way.
-icon: https://s.giantswarm.io/app-icons/teleport/1/light.png
-type: application
-sources:
-- https://github.com/gravitational/teleport
+icon: https://goteleport.com/static/teleport-symbol-bimi.svg
 keywords:
 - Teleport
-annotations:
-  application.giantswarm.io/team: shield
-maintainers:
-  - name: giantswarm/team-shield
-    email: [email protected]
+name: teleport-kube-agent
+version: 16.4.2

helm/teleport-kube-agent/templates/_config.tpl

@@ -128,6 +128,16 @@ discovery_service:
   enabled: false
 {{- end }}
 
+jamf_service:
+  {{- if contains "jamf" (.Values.roles | toString) }}
+  enabled: true
+  api_endpoint: {{ required "jamfApiEndpoint is required in chart values when jamf role is enabled, see README" .Values.jamfApiEndpoint }}
+  client_id: {{ required "jamfClientId is required in chart values when jamf role is enabled, see README" .Values.jamfClientId }}
+  client_secret_file: "/etc/teleport-jamf-api-credentials/credential"
+  {{- else }}
+  enabled: false
+  {{- end }}
+
 auth_service:
   enabled: false
 ssh_service:

helm/teleport-kube-agent/templates/_helpers.tpl

@@ -33,26 +33,18 @@ if serviceAccount is not defined or serviceAccount.name is empty, use .Release.N
 {{- if .Values.teleportVersionOverride -}}
   {{- .Values.teleportVersionOverride -}}
 {{- else -}}
-  {{- .Chart.AppVersion -}}
+  {{- .Chart.Version -}}
 {{- end -}}
 {{- end -}}
 
 {{- define "teleport-kube-agent.baseImage" -}}
 {{- if .Values.enterprise -}}
   {{- .Values.enterpriseImage -}}
 {{- else -}}
-  {{- .Values.image.repository -}}
+  {{- .Values.image -}}
 {{- end -}}
 {{- end -}}
 
 {{- define "teleport-kube-agent.image" -}}
 {{ include "teleport-kube-agent.baseImage" . }}:{{ include "teleport-kube-agent.version" . }}
 {{- end -}}
-
-{{- define "registry" }}
-{{- $registry := .Values.image.registry -}}
-{{- if and .Values.global (and .Values.global.image .Values.global.image.registry) -}}
-{{- $registry = .Values.global.image.registry -}}
-{{- end -}}
-{{- printf "%s" $registry -}}
-{{- end -}}

helm/teleport-kube-agent/templates/delete_hook.yaml

@@ -73,6 +73,15 @@ spec:
   template:
     metadata:
       name: {{ .Release.Name }}-delete-hook
+{{- if .Values.annotations.pod }}
+      annotations:
+  {{- toYaml .Values.annotations.pod | nindent 8 }}
+{{- end }}
+      labels:
+        app: {{ .Release.Name }}
+{{- if .Values.extraLabels.pod }}
+  {{- toYaml .Values.extraLabels.pod | nindent 8 }}
+{{- end }}
     spec:
 {{- if .Values.imagePullSecrets }}
       imagePullSecrets:
@@ -100,7 +109,7 @@ spec:
                 fieldPath: metadata.namespace
           - name: RELEASE_NAME
             value: {{ .Release.Name }}
-        image: '{{ include "registry" . }}/{{ .Values.image.repository }}:{{ include "teleport-kube-agent.version" . }}'
+        image: {{ include "teleport-kube-agent.image" . | quote }}
         {{- if .Values.imagePullPolicy }}
         imagePullPolicy: {{ toYaml .Values.imagePullPolicy }}
         {{- end }}

helm/teleport-kube-agent/templates/deployment.yaml

@@ -111,11 +111,11 @@ spec:
           name: "teleport-tls-ca"
           readOnly: true
           {{- end }}
-        #  {{- if contains "jamf" (.Values.roles | toString) }}
-        #- mountPath: /etc/teleport-jamf-api-credentials
-        #  name: "jamf-api-credentials"
-        #  readOnly: true
-        #  {{- end }}
+          {{- if contains "jamf" (.Values.roles | toString) }}
+        - mountPath: /etc/teleport-jamf-api-credentials
+          name: "jamf-api-credentials"
+          readOnly: true
+          {{- end }}
   {{- if .Values.extraVolumeMounts }}
     {{- toYaml .Values.extraVolumeMounts | nindent 8 }}
   {{- end }}
@@ -126,7 +126,7 @@ spec:
       {{- end }}
       containers:
       - name: "teleport"
-        image: '{{ include "registry" . }}/{{ .Values.image.repository }}:{{ include "teleport-kube-agent.version" . }}'
+        image: {{ include "teleport-kube-agent.image" . | quote }}
         {{- if .Values.imagePullPolicy }}
         imagePullPolicy: {{ toYaml .Values.imagePullPolicy }}
         {{- end }}
@@ -201,11 +201,11 @@ spec:
           name: "teleport-tls-ca"
           readOnly: true
           {{- end }}
-        #  {{- if contains "jamf" (.Values.roles | toString) }}
-        #- mountPath: /etc/teleport-jamf-api-credentials
-        #  name: "jamf-api-credentials"
-        #  readOnly: true
-        #  {{- end }}
+          {{- if contains "jamf" (.Values.roles | toString) }}
+        - mountPath: /etc/teleport-jamf-api-credentials
+          name: "jamf-api-credentials"
+          readOnly: true
+          {{- end }}
 {{- if .Values.extraVolumeMounts }}
   {{- toYaml .Values.extraVolumeMounts | nindent 8 }}
 {{- end }}
@@ -228,11 +228,11 @@ spec:
         secret:
           secretName: {{ .Values.tls.existingCASecretName }}
       {{- end }}
-      #{{- if contains "jamf" (.Values.roles | toString) }}
-      #- name: "jamf-api-credentials"
-      #  secret:
-      #    secretName: {{ .Values.jamfCredentialsSecret.name }}
-      #{{- end }}
+      {{- if contains "jamf" (.Values.roles | toString) }}
+      - name: "jamf-api-credentials"
+        secret:
+          secretName: {{ .Values.jamfCredentialsSecret.name }}
+      {{- end }}
 {{- if .Values.extraVolumes }}
   {{- toYaml .Values.extraVolumes | nindent 6 }}
 {{- end }}

helm/teleport-kube-agent/templates/hook.yaml

@@ -63,6 +63,15 @@ spec:
   template:
     metadata:
       name: {{ .Release.Name }}-hook
+{{- if .Values.annotations.pod }}
+      annotations:
+  {{- toYaml .Values.annotations.pod | nindent 8 }}
+{{- end }}
+      labels:
+        app: {{ .Release.Name }}
+{{- if .Values.extraLabels.pod }}
+  {{- toYaml .Values.extraLabels.pod | nindent 8 }}
+{{- end }}
     spec:
 {{- if .Values.priorityClassName }}
       priorityClassName: {{ .Values.priorityClassName }}

helm/teleport-kube-agent/templates/psp.yaml

@@ -2,7 +2,7 @@
   We must remove them before 1.25 to ensure the Helm state doesn't corrupt. As this is a breaking change, this
   only applies to v12+ charts. v11 and below will only show a warning from the NOTES.txt.
   Users must use PSAs instead (beta in 1.23, GA in 1.25). The "teleport-cluster" chart runs in "baseline" mode */}}
-{{- if and (not .Values.global.podSecurityStandards.enforced) .Values.podSecurityPolicy.enabled (semverCompare "<1.25.0" .Capabilities.KubeVersion.Version) -}}
+{{- if and .Values.podSecurityPolicy.enabled (semverCompare "<1.23.0-0" .Capabilities.KubeVersion.Version) -}}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:

helm/teleport-kube-agent/templates/secret.yaml

@@ -17,22 +17,23 @@ stringData:
   auth-token: |
     {{ coalesce .Values.joinParams.tokenName .Values.authToken }}
 {{- end}}
-#{{- if and (contains "jamf" (.Values.roles | toString)) .Values.jamfCredentialsSecret.create }}
-#---
-#apiVersion: v1
-#kind: Secret
-#metadata:
-#  name: {{ .Values.jamfCredentialsSecret.name }}
-#  namespace: {{ .Release.Namespace }}
-#  {{- if .Values.extraLabels.secret }}
-#  labels:
-#  {{- toYaml .Values.extraLabels.secret | nindent 4 }}
-#  {{- end }}
-#  {{- if .Values.annotations.secret }}
-#  annotations:
-#  {{- toYaml .Values.annotations.secret | nindent 4 }}
-#  {{- end }}
-#type: Opaque
-#stringData:
-#  credential: {{ required "jamfClientSecret is required in chart values when jamf role is enabled, see README" .Values.jamfClientSecret }}
-#{{- end}}
+
+{{- if and (contains "jamf" (.Values.roles | toString)) .Values.jamfCredentialsSecret.create }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.jamfCredentialsSecret.name }}
+  namespace: {{ .Release.Namespace }}
+  {{- if .Values.extraLabels.secret }}
+  labels:
+  {{- toYaml .Values.extraLabels.secret | nindent 4 }}
+  {{- end }}
+  {{- if .Values.annotations.secret }}
+  annotations:
+  {{- toYaml .Values.annotations.secret | nindent 4 }}
+  {{- end }}
+type: Opaque
+stringData:
+  credential: {{ required "jamfClientSecret is required in chart values when jamf role is enabled, see README" .Values.jamfClientSecret }}
+{{- end}}

helm/teleport-kube-agent/templates/statefulset.yaml

@@ -13,6 +13,10 @@ metadata:
   {{- if .Values.extraLabels.deployment }}
     {{- toYaml .Values.extraLabels.deployment | nindent 4 }}
   {{- end }}
+  {{- if .Values.annotations.deployment }}
+  annotations:
+    {{- toYaml .Values.annotations.deployment | nindent 4 }}
+  {{- end }}
 spec:
   serviceName: {{ .Release.Name }}
   replicas: {{ $replicaCount }}
@@ -107,11 +111,11 @@ spec:
           name: "teleport-tls-ca"
           readOnly: true
           {{- end }}
-        #  {{- if contains "jamf" (.Values.roles | toString) }}
-        #- mountPath: /etc/teleport-jamf-api-credentials
-        #  name: "jamf-api-credentials"
-        #  readOnly: true
-        #  {{- end }}
+          {{- if contains "jamf" (.Values.roles | toString) }}
+        - mountPath: /etc/teleport-jamf-api-credentials
+          name: "jamf-api-credentials"
+          readOnly: true
+          {{- end }}
   {{- if .Values.extraVolumeMounts }}
     {{- toYaml .Values.extraVolumeMounts | nindent 8 }}
   {{- end }}
@@ -126,26 +130,11 @@ spec:
       {{- end }}
       containers:
       - name: "teleport"
-        image: '{{ include "registry" . }}/{{ .Values.image.repository }}:{{ include "teleport-kube-agent.version" . }}'
+        image: {{ include "teleport-kube-agent.image" . | quote }}
         {{- if .Values.imagePullPolicy }}
         imagePullPolicy: {{ toYaml .Values.imagePullPolicy }}
         {{- end }}
         env:
-          {{- $proxy := deepCopy .Values.cluster.proxy |  mustMerge .Values.proxy }}
-          {{- if and $proxy.noProxy $proxy.http $proxy.https }}
-          - name: NO_PROXY
-            value: {{ $proxy.noProxy }}
-          - name: no_proxy
-            value: {{ $proxy.noProxy }}
-          - name: HTTP_PROXY
-            value: {{ $proxy.http }}
-          - name: http_proxy
-            value: {{ $proxy.http }}
-          - name: HTTPS_PROXY
-            value: {{ $proxy.https }}
-          - name: https_proxy
-            value: {{ $proxy.https }}
-          {{- end }}
           # This variable is set for telemetry purposes.
           # Telemetry is opt-in and controlled at the auth level.
           - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
@@ -166,6 +155,10 @@ spec:
           - name: TELEPORT_EXT_UPGRADER_VERSION
             value: {{ include "teleport-kube-agent.version" . }}
           {{- end }}
+          {{- if .Values.clusterDomain }}
+          - name: TELEPORT_KUBE_CLUSTER_DOMAIN
+            value: {{ .Values.clusterDomain | quote }}
+          {{- end }}
           {{- if .Values.tls.existingCASecretName }}
           - name: SSL_CERT_FILE
             value: /etc/teleport-tls-ca/ca.pem
@@ -227,11 +220,11 @@ spec:
           name: "teleport-tls-ca"
           readOnly: true
 {{- end }}
-#{{- if contains "jamf" (.Values.roles | toString) }}
-#        - mountPath: /etc/teleport-jamf-api-credentials
-#          name: "jamf-api-credentials"
-#          readOnly: true
-#{{- end }}
+{{- if contains "jamf" (.Values.roles | toString) }}
+        - mountPath: /etc/teleport-jamf-api-credentials
+          name: "jamf-api-credentials"
+          readOnly: true
+{{- end }}
 {{- if .Values.extraVolumeMounts }}
   {{- toYaml .Values.extraVolumeMounts | nindent 8 }}
 {{- end }}
@@ -254,11 +247,11 @@ spec:
         secret:
           secretName: {{ .Values.tls.existingCASecretName }}
 {{- end }}
-#{{- if contains "jamf" (.Values.roles | toString) }}
-#      - name: "jamf-api-credentials"
-#        secret:
-#          secretName: {{ .Values.jamfCredentialsSecret.name }}
-#{{- end }}
+{{- if contains "jamf" (.Values.roles | toString) }}
+      - name: "jamf-api-credentials"
+        secret:
+          secretName: {{ .Values.jamfCredentialsSecret.name }}
+{{- end }}
 {{- if .Values.extraVolumes }}
   {{- toYaml .Values.extraVolumes | nindent 6 }}
 {{- end }}