diff --git a/helm/teleport-kube-agent/templates/_config.tpl b/helm/teleport-kube-agent/templates/_config.tpl index adb708d..565e809 100644 --- a/helm/teleport-kube-agent/templates/_config.tpl +++ b/helm/teleport-kube-agent/templates/_config.tpl @@ -128,16 +128,6 @@ discovery_service: enabled: false {{- end }} -jamf_service: - {{- if contains "jamf" (.Values.roles | toString) }} - enabled: true - api_endpoint: {{ required "jamfApiEndpoint is required in chart values when jamf role is enabled, see README" .Values.jamfApiEndpoint }} - client_id: {{ required "jamfClientId is required in chart values when jamf role is enabled, see README" .Values.jamfClientId }} - client_secret_file: "/etc/teleport-jamf-api-credentials/credential" - {{- else }} - enabled: false - {{- end }} - auth_service: enabled: false ssh_service: diff --git a/helm/teleport-kube-agent/templates/_helpers.tpl b/helm/teleport-kube-agent/templates/_helpers.tpl index 987f574..2ef4c56 100644 --- a/helm/teleport-kube-agent/templates/_helpers.tpl +++ b/helm/teleport-kube-agent/templates/_helpers.tpl @@ -33,7 +33,7 @@ if serviceAccount is not defined or serviceAccount.name is empty, use .Release.N {{- if .Values.teleportVersionOverride -}} {{- .Values.teleportVersionOverride -}} {{- else -}} - {{- .Chart.Version -}} + {{- .Chart.AppVersion -}} {{- end -}} {{- end -}} diff --git a/helm/teleport-kube-agent/templates/deployment.yaml b/helm/teleport-kube-agent/templates/deployment.yaml index 97b020d..592ee4e 100644 --- a/helm/teleport-kube-agent/templates/deployment.yaml +++ b/helm/teleport-kube-agent/templates/deployment.yaml 
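Review bot: In `_helpers.tpl`, the new fallback `.Chart.AppVersion` renders an empty string when Chart.yaml sets no `appVersion`, and Chart.yaml is not part of this diff, so it cannot be confirmed from here that the field is populated. If this helper supplies the image tag, which the `teleportVersionOverride` branch suggests but the hunk does not show, an empty result would leave the agent image unpinned or invalid instead of failing at render time. Consider `{{- required "set appVersion in Chart.yaml or teleportVersionOverride in values" .Chart.AppVersion -}}` so that a missing version stops the install. The helper's `define` line is outside the hunk.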
@@ -111,11 +111,11 @@ spec: name: "teleport-tls-ca" readOnly: true {{- end }} - {{- if contains "jamf" (.Values.roles | toString) }} - - mountPath: /etc/teleport-jamf-api-credentials - name: "jamf-api-credentials" - readOnly: true - {{- end }} + # {{- if contains "jamf" (.Values.roles | toString) }} + #- mountPath: /etc/teleport-jamf-api-credentials + # name: "jamf-api-credentials" + # readOnly: true + # {{- end }} {{- if .Values.extraVolumeMounts }} {{- toYaml .Values.extraVolumeMounts | nindent 8 }} {{- end }} @@ -201,11 +201,11 @@ spec: name: "teleport-tls-ca" readOnly: true {{- end }} - {{- if contains "jamf" (.Values.roles | toString) }} - - mountPath: /etc/teleport-jamf-api-credentials - name: "jamf-api-credentials" - readOnly: true - {{- end }} + # {{- if contains "jamf" (.Values.roles | toString) }} + #- mountPath: /etc/teleport-jamf-api-credentials + # name: "jamf-api-credentials" + # readOnly: true + # {{- end }} {{- if .Values.extraVolumeMounts }} {{- toYaml .Values.extraVolumeMounts | nindent 8 }} {{- end }} @@ -228,11 +228,11 @@ spec: secret: secretName: {{ .Values.tls.existingCASecretName }} {{- end }} - {{- if contains "jamf" (.Values.roles | toString) }} - - name: "jamf-api-credentials" - secret: - secretName: {{ .Values.jamfCredentialsSecret.name }} - {{- end }} + #{{- if contains "jamf" (.Values.roles | toString) }} + #- name: "jamf-api-credentials" + # secret: + # secretName: {{ .Values.jamfCredentialsSecret.name }} + #{{- end }} {{- if .Values.extraVolumes }} {{- toYaml .Values.extraVolumes | nindent 6 }} {{- end }} diff --git a/helm/teleport-kube-agent/templates/networkpolicy.yaml b/helm/teleport-kube-agent/templates/networkpolicy.yaml new file mode 100644 index 0000000..9dd8b40 --- /dev/null +++ b/helm/teleport-kube-agent/templates/networkpolicy.yaml 
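Review bot: Prefixing the jamf blocks with `#` does not disable them, because Helm evaluates `{{ ... }}` actions before the output is parsed as YAML and the template engine ignores YAML comment markers. In all three hunks of deployment.yaml, and the three matching hunks of statefulset.yaml, the `if contains "jamf"` test still runs. The volume hunk still dereferences `.Values.jamfCredentialsSecret.name`, so rendering keeps depending on values the chart no longer appears to use. The only effect is that the emitted lines become comments, plus stray `#` fragments where the `{{-` trimming joins lines. Delete the blocks outright, as the `_config.tpl` hunk in this commit does for `jamf_service`.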
@@ -0,0 +1,18 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ .Release.Name }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Release.Name }} +spec: + egress: + - {} + ingress: + - {} + podSelector: + matchLabels: + app: {{ .Release.Name }} + policyTypes: + - Egress + - Ingress diff --git a/helm/teleport-kube-agent/templates/secret.yaml b/helm/teleport-kube-agent/templates/secret.yaml index 3489968..615c79c 100644 --- a/helm/teleport-kube-agent/templates/secret.yaml +++ b/helm/teleport-kube-agent/templates/secret.yaml @@ -17,23 +17,22 @@ stringData: auth-token: | {{ coalesce .Values.joinParams.tokenName .Values.authToken }} {{- end}} - -{{- if and (contains "jamf" (.Values.roles | toString)) .Values.jamfCredentialsSecret.create }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.jamfCredentialsSecret.name }} - namespace: {{ .Release.Namespace }} - {{- if .Values.extraLabels.secret }} - labels: - {{- toYaml .Values.extraLabels.secret | nindent 4 }} - {{- end }} - {{- if .Values.annotations.secret }} - annotations: - {{- toYaml .Values.annotations.secret | nindent 4 }} - {{- end }} -type: Opaque -stringData: - credential: {{ required "jamfClientSecret is required in chart values when jamf role is enabled, see README" .Values.jamfClientSecret }} -{{- end}} +#{{- if and (contains "jamf" (.Values.roles | toString)) .Values.jamfCredentialsSecret.create }} +#--- +#apiVersion: v1 +#kind: Secret +#metadata: +# name: {{ .Values.jamfCredentialsSecret.name }} +# namespace: {{ .Release.Namespace }} +# {{- if .Values.extraLabels.secret }} +# labels: +# {{- toYaml .Values.extraLabels.secret | nindent 4 }} +# {{- end }} +# {{- if .Values.annotations.secret }} +# annotations: +# {{- toYaml .Values.annotations.secret | nindent 4 }} +# {{- end }} +#type: Opaque +#stringData: +# credential: {{ required "jamfClientSecret is required in chart values when jamf role is enabled, see README" .Values.jamfClientSecret }} +#{{- end}} 
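Review bot: The new NetworkPolicy restricts nothing, because `egress: - {}` and `ingress: - {}` are empty rules that match every peer and port. NetworkPolicies are additive, so it also re-opens the selected pods to all traffic in a namespace that otherwise enforces a default-deny policy. The template is rendered unconditionally, with no chart value to switch it off. If the intent is to exempt the agent from a default-deny, say so in a comment at the top of the file and gate the template behind a new, default-off chart value. The ingress rule should be narrowed to what the agent must accept, which this diff does not show, or dropped if nothing needs to connect in.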
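Review bot: In secret.yaml the commented-out Secret still executes its template actions, so with a jamf role and `jamfCredentialsSecret.create: true` the `required ... .Values.jamfClientSecret` call on the `# credential:` line still aborts the install when the value is unset. When the value is set, the Jamf client secret is written in clear text into a comment of the rendered manifest. The two `toYaml ... | nindent 4` lines are also unsafe: `nindent` starts its output with a newline, so the labels and annotations would be emitted as uncommented YAML. Because `#---` no longer starts a new document, that YAML would land in the preceding Secret, presumably the join-token one. Remove the block entirely rather than commenting it, as the `_config.tpl` hunk does.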
diff --git a/helm/teleport-kube-agent/templates/statefulset.yaml b/helm/teleport-kube-agent/templates/statefulset.yaml index 34de30b..3935049 100644 --- a/helm/teleport-kube-agent/templates/statefulset.yaml +++ b/helm/teleport-kube-agent/templates/statefulset.yaml @@ -107,11 +107,11 @@ spec: name: "teleport-tls-ca" readOnly: true {{- end }} - {{- if contains "jamf" (.Values.roles | toString) }} - - mountPath: /etc/teleport-jamf-api-credentials - name: "jamf-api-credentials" - readOnly: true - {{- end }} + # {{- if contains "jamf" (.Values.roles | toString) }} + #- mountPath: /etc/teleport-jamf-api-credentials + # name: "jamf-api-credentials" + # readOnly: true + # {{- end }} {{- if .Values.extraVolumeMounts }} {{- toYaml .Values.extraVolumeMounts | nindent 8 }} {{- end }} @@ -227,11 +227,11 @@ spec: name: "teleport-tls-ca" readOnly: true {{- end }} -{{- if contains "jamf" (.Values.roles | toString) }} - - mountPath: /etc/teleport-jamf-api-credentials - name: "jamf-api-credentials" - readOnly: true -{{- end }} +#{{- if contains "jamf" (.Values.roles | toString) }} +# - mountPath: /etc/teleport-jamf-api-credentials +# name: "jamf-api-credentials" +# readOnly: true +#{{- end }} {{- if .Values.extraVolumeMounts }} {{- toYaml .Values.extraVolumeMounts | nindent 8 }} {{- end }} @@ -254,11 +254,11 @@ spec: secret: secretName: {{ .Values.tls.existingCASecretName }} {{- end }} -{{- if contains "jamf" (.Values.roles | toString) }} - - name: "jamf-api-credentials" - secret: - secretName: {{ .Values.jamfCredentialsSecret.name }} -{{- end }} +#{{- if contains "jamf" (.Values.roles | toString) }} +# - name: "jamf-api-credentials" +# secret: +# secretName: {{ .Values.jamfCredentialsSecret.name }} +#{{- end }} {{- if .Values.extraVolumes }} {{- toYaml .Values.extraVolumes | nindent 6 }} {{- end }} diff --git a/helm/teleport-kube-agent/values.schema.json b/helm/teleport-kube-agent/values.schema.json index 993a9e2..c289698 100644 --- a/helm/teleport-kube-agent/values.schema.json 
+++ b/helm/teleport-kube-agent/values.schema.json @@ -790,7 +790,7 @@ "create": { "$id": "#/properties/jamfCredentialsSecret/create", "type": "boolean", - "default": true + "default": false }, "name": { "$id": "#/properties/jamfCredentialsSecret/name", @@ -828,7 +828,7 @@ "noProxy": { "type": ["null", "string"] } - } + } }, "cluster": { "$id": "#/properties/cluster", diff --git a/helm/teleport-kube-agent/values.yaml b/helm/teleport-kube-agent/values.yaml index 35bd198..3ad205e 100644 --- a/helm/teleport-kube-agent/values.yaml +++ b/helm/teleport-kube-agent/values.yaml @@ -448,7 +448,7 @@ jamfCredentialsSecret: # Kubernetes `Secret` containing the Jamf Pro API Client Secret. # If false, you must create a Kubernetes Secret with the configured name in # the Helm release namespace. - create: true + create: false # jamfCredentialsSecret.name(string) -- is the name of the Kubernetes Secret # containing the Jamf Pro API Client Secret used by the chart. #