Teleport Chart 업데이트

ByeonJungHun
2024-01-22 12:12:36 +09:00
parent fde2f5f8a7
commit 7c1afcf6d7
163 changed files with 15784 additions and 71 deletions


@@ -0,0 +1,12 @@
clusterName: helm-lint.example.com
extraContainers:
- name: nscenter
command:
- /bin/bash
- -c
- sleep infinity & wait
image: praqma/network-multitool
imagePullPolicy: IfNotPresent
securityContext:
privileged: true
runAsNonRoot: false


@@ -1,13 +1,13 @@
apiVersion: v2
appVersion: 13.3.9
appVersion: 14.2.0
dependencies:
- condition: installCRDs,operator.enabled
name: teleport-operator
repository: ""
version: 13.3.9
version: 14.2.0
description: Teleport is an access platform for your infrastructure
icon: https://goteleport.com/images/logos/logo-teleport-square.svg
keywords:
- Teleport
name: teleport-cluster
version: 13.3.9
version: 14.2.0


@@ -1,8 +1,8 @@
apiVersion: v2
appVersion: 13.3.9
appVersion: 14.2.0
description: Teleport Operator provides management of select Teleport resources.
icon: https://goteleport.com/images/logos/logo-teleport-square.svg
keywords:
- Teleport
name: teleport-operator
version: 13.3.9
version: 14.2.0


@@ -192,20 +192,38 @@ spec:
must match one allow rule to use this token.
items:
properties:
ci_config_ref_uri:
type: string
ci_config_sha:
type: string
deployment_tier:
type: string
environment:
type: string
environment_protected:
type: boolean
namespace_path:
type: string
pipeline_source:
type: string
project_path:
type: string
project_visibility:
type: string
ref:
type: string
ref_protected:
type: boolean
ref_type:
type: string
sub:
type: string
user_email:
type: string
user_id:
type: string
user_login:
type: string
type: object
nullable: true
type: array
@@ -235,6 +253,19 @@ spec:
type: object
nullable: true
type: array
static_jwks:
description: StaticJWKS is the configuration specific to the `static_jwks`
type.
nullable: true
properties:
jwks:
type: string
type: object
type:
description: 'Type controls which behavior should be used for
validating the Kubernetes Service Account token. Support values:
- `in_cluster` - `static_jwks` If unset, this defaults to `in_cluster`.'
type: string
type: object
roles:
description: Roles is a list of roles associated with the token, that
@@ -244,6 +275,32 @@ spec:
type: string
nullable: true
type: array
spacelift:
description: Spacelift allows the configuration of options specific
to the "spacelift" join method.
nullable: true
properties:
allow:
description: Allow is a list of Rules, nodes using this token
must match one allow rule to use this token.
items:
properties:
caller_id:
type: string
caller_type:
type: string
scope:
type: string
space_id:
type: string
type: object
nullable: true
type: array
hostname:
description: Hostname is the hostname of the Spacelift tenant
that tokens will originate from. E.g `example.app.spacelift.io`
type: string
type: object
suggested_agent_matcher_labels:
additionalProperties:
x-kubernetes-preserve-unknown-fields: true


@@ -236,6 +236,13 @@ spec:
description: Namespace is the resource namespace. It supports
wildcards.
type: string
verbs:
description: Verbs are the allowed Kubernetes verbs for
the following resource.
items:
type: string
nullable: true
type: array
type: object
type: array
kubernetes_users:
@@ -690,6 +697,13 @@ spec:
description: Namespace is the resource namespace. It supports
wildcards.
type: string
verbs:
description: Verbs are the allowed Kubernetes verbs for
the following resource.
items:
type: string
nullable: true
type: array
type: object
type: array
kubernetes_users:
@@ -949,8 +963,7 @@ spec:
mode:
description: Mode is the type of extension to be used --
currently critical-option is not supported
format: int32
type: integer
x-kubernetes-int-or-string: true
name:
description: Name specifies the key to be used in the cert
extension.
@@ -958,8 +971,7 @@ spec:
type:
description: Type represents the certificate type being
extended, only ssh is supported at this time.
format: int32
type: integer
x-kubernetes-int-or-string: true
value:
description: Value specifies the value to be used in the
cert extension.
@@ -981,6 +993,10 @@ spec:
description: CreateDatabaseUser enabled automatic database user
creation.
type: boolean
create_db_user_mode:
description: CreateDatabaseUserMode allows users to be automatically
created on a database when not set to off.
x-kubernetes-int-or-string: true
create_desktop_user:
description: CreateDesktopUser allows users to be automatically
created on a Windows desktop
@@ -992,8 +1008,7 @@ spec:
create_host_user_mode:
description: CreateHostUserMode allows users to be automatically
created on a host when not set to off
format: int32
type: integer
x-kubernetes-int-or-string: true
desktop_clipboard:
description: DesktopClipboard indicates whether clipboard sharing
is allowed between the user's workstation and the remote desktop.
@@ -1099,13 +1114,12 @@ spec:
type: string
request_prompt:
description: RequestPrompt is an optional message which tells
users what they aught to
users what they aught to request.
type: string
require_session_mfa:
description: RequireMFAType is the type of MFA requirement enforced
for this user.
format: int32
type: integer
x-kubernetes-int-or-string: true
ssh_file_copy:
description: SSHFileCopy indicates whether remote file operations
via SCP or SFTP are allowed over an SSH session. It defaults
@@ -1419,6 +1433,13 @@ spec:
description: Namespace is the resource namespace. It supports
wildcards.
type: string
verbs:
description: Verbs are the allowed Kubernetes verbs for
the following resource.
items:
type: string
nullable: true
type: array
type: object
type: array
kubernetes_users:
@@ -1873,6 +1894,13 @@ spec:
description: Namespace is the resource namespace. It supports
wildcards.
type: string
verbs:
description: Verbs are the allowed Kubernetes verbs for
the following resource.
items:
type: string
nullable: true
type: array
type: object
type: array
kubernetes_users:
@@ -2132,8 +2160,7 @@ spec:
mode:
description: Mode is the type of extension to be used --
currently critical-option is not supported
format: int32
type: integer
x-kubernetes-int-or-string: true
name:
description: Name specifies the key to be used in the cert
extension.
@@ -2141,8 +2168,7 @@ spec:
type:
description: Type represents the certificate type being
extended, only ssh is supported at this time.
format: int32
type: integer
x-kubernetes-int-or-string: true
value:
description: Value specifies the value to be used in the
cert extension.
@@ -2164,6 +2190,10 @@ spec:
description: CreateDatabaseUser enabled automatic database user
creation.
type: boolean
create_db_user_mode:
description: CreateDatabaseUserMode allows users to be automatically
created on a database when not set to off.
x-kubernetes-int-or-string: true
create_desktop_user:
description: CreateDesktopUser allows users to be automatically
created on a Windows desktop
@@ -2175,8 +2205,7 @@ spec:
create_host_user_mode:
description: CreateHostUserMode allows users to be automatically
created on a host when not set to off
format: int32
type: integer
x-kubernetes-int-or-string: true
desktop_clipboard:
description: DesktopClipboard indicates whether clipboard sharing
is allowed between the user's workstation and the remote desktop.
@@ -2282,13 +2311,12 @@ spec:
type: string
request_prompt:
description: RequestPrompt is an optional message which tells
users what they aught to
users what they aught to request.
type: string
require_session_mfa:
description: RequireMFAType is the type of MFA requirement enforced
for this user.
format: int32
type: integer
x-kubernetes-int-or-string: true
ssh_file_copy:
description: SSHFileCopy indicates whether remote file operations
via SCP or SFTP are allowed over an SSH session. It defaults


@@ -1,6 +1,5 @@
chartMode: standalone
clusterName: teleport.kr.datasaker.io
#teleportVersionOverride: "13.3.8"
auth:
teleportConfig:


@@ -1,44 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: teleport
namespace: teleport
spec:
allocateLoadBalancerNodePorts: true
externalTrafficPolicy: Cluster
internalTrafficPolicy: Cluster
ipFamilies:
- IPv4
ipFamilyPolicy: SingleStack
ports:
- name: tls
nodePort: 30810
port: 443
protocol: TCP
targetPort: 3080
- name: sshproxy
nodePort: 30811
port: 3023
protocol: TCP
targetPort: 3023
- name: k8s
nodePort: 30812
port: 3026
protocol: TCP
targetPort: 3026
- name: sshtun
nodePort: 30813
port: 3024
protocol: TCP
targetPort: 3024
- name: mysql
nodePort: 30814
port: 3036
protocol: TCP
targetPort: 3036
selector:
app.kubernetes.io/component: proxy
app.kubernetes.io/instance: teleport
app.kubernetes.io/name: teleport-cluster
sessionAffinity: None
type: LoadBalancer


@@ -248,6 +248,13 @@ spec:
port: 8081
initialDelaySeconds: 5
periodSeconds: 10
ports:
- name: op-metrics
containerPort: 8080
protocol: TCP
- name: op-health
containerPort: 8081
protocol: TCP
{{- if .Values.operator.resources }}
resources: {{- toYaml .Values.operator.resources | nindent 10 }}
{{- end }}
@@ -263,6 +270,9 @@ spec:
readOnly: true
{{- end }}
{{ end }}
{{- if $auth.extraContainers }}
{{- toYaml $auth.extraContainers | nindent 6 }}
{{- end }}
{{- if $projectedServiceAccountToken }}
automountServiceAccountToken: false
{{- end }}
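Review bot: The `extraContainers` list is spliced in verbatim by `{{- toYaml $auth.extraContainers | nindent 6 }}`, so as far as this hunk shows none of the chart's container-level defaults (securityContext, resources) are applied to those containers, and the pod-level `automountServiceAccountToken: false` that follows is only emitted when `$projectedServiceAccountToken` is set. A template comment above the `if` would make that contract explicit for operators, e.g. `{{- /* extraContainers are rendered as-is; chart-level securityContext and resources do not apply to them */ -}}`. The same applies to the identical block added in proxy/deployment.yaml. The containers list this hunk extends starts before the hunk.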


@@ -70,7 +70,10 @@ proxy_service:
uri: {{ .Values.acmeURI }}
{{- end }}
{{- end }}
{{- if and .Values.ingress.enabled (semverCompare ">= 13.2.0-0" (include "teleport-cluster.version" .)) }}
{{- if .Values.proxyProtocol }}
proxy_protocol: {{ .Values.proxyProtocol | quote }}
{{- end }}
{{- if and .Values.ingress.enabled (semverCompare ">= 14.0.0-0" (include "teleport-cluster.version" .)) }}
trust_x_forwarded_for: true
{{- end }}
{{- end -}}


@@ -1,7 +1,22 @@
{{- $proxy := mustMergeOverwrite (mustDeepCopy .Values) .Values.proxy -}}
{{- if $proxy.highAvailability.certManager.enabled }}
{{- $domain := (required "clusterName is required in chartValues when certManager is enabled" $proxy.clusterName) }}
{{- $domainWildcard := printf "*.%s" (required "clusterName is required in chartValues when certManager is enabled" $proxy.clusterName) }}
{{- if $proxy.highAvailability.certManager.enabled -}}
{{- /* Append clusterName and wildcard version to list of dnsNames on certificate request (original functionality) */ -}}
{{- $domainList := list (required "clusterName is required in chartValues when certManager is enabled" $proxy.clusterName) -}}
{{- $domainList := append $domainList (printf "*.%s" (required "clusterName is required in chartValues when certManager is enabled" $proxy.clusterName)) -}}
{{- /* If the config option is enabled and at least one publicAddr is set, append all public addresses to the list of dnsNames */ -}}
{{- if and $proxy.highAvailability.certManager.addPublicAddrs (gt (len .Values.publicAddr) 0) -}}
{{- /* Trim ports from all public addresses if present */ -}}
{{- range .Values.publicAddr -}}
{{- $address := . -}}
{{- if (contains ":" $address) -}}
{{- $split := split ":" $address -}}
{{- $address = $split._0 -}}
{{- end -}}
{{- $domainList = append (mustWithout $domainList .) $address -}}
{{- end -}}
{{- end -}}
{{- /* Finally, remove any duplicate entries from the list of domains */ -}}
{{- $domainList := mustUniq $domainList -}}
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
@@ -11,11 +26,12 @@ metadata:
spec:
secretName: teleport-tls
{{- if $proxy.highAvailability.certManager.addCommonName }}
commonName: {{ quote $domain }}
commonName: {{ quote $proxy.clusterName }}
{{- end }}
dnsNames:
- {{ quote $domain }}
- {{ quote $domainWildcard }}
{{- range $domainList }}
- {{ quote . }}
{{- end }}
issuerRef:
name: {{ required "highAvailability.certManager.issuerName is required in chart values" $proxy.highAvailability.certManager.issuerName }}
kind: {{ required "highAvailability.certManager.issuerKind is required in chart values" $proxy.highAvailability.certManager.issuerKind }}
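Review bot: In the first hunk, the port-stripping loop (`{{- if (contains ":" $address) -}}` then `split ":"` and `$split._0`) keeps only the text before the first colon, so an IPv6-style `publicAddr` entry (a constructed `[2001:db8::1]:443`) would yield `[2001` as a dnsName; stripping only a trailing port with `{{- $address = regexReplaceAll ":[0-9]+$" $address "" -}}` handles both forms and replaces the `contains`/`split` pair. The `mustWithout $domainList .` on the append line only acts on entries given without a port, and there it moves an existing match (such as the cluster name itself) to the end of the list rather than deduplicating it; the final `mustUniq` already removes duplicates, so dropping `mustWithout` keeps `clusterName` first in every case. The `if $proxy.highAvailability.certManager.enabled` block opened in the first hunk is closed outside both hunks.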


@@ -255,6 +255,9 @@ spec:
{{- if $proxy.extraVolumeMounts }}
{{- toYaml $proxy.extraVolumeMounts | nindent 8 }}
{{- end }}
{{- if $proxy.extraContainers }}
{{- toYaml $proxy.extraContainers | nindent 6 }}
{{- end }}
{{- if $projectedServiceAccountToken }}
automountServiceAccountToken: false
{{- end }}


@@ -1,6 +1,6 @@
should add an operator side-car when operator is enabled:
1: |
image: public.ecr.aws/gravitational/teleport-operator:13.3.9
image: public.ecr.aws/gravitational/teleport-operator:14.2.0
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
@@ -9,6 +9,13 @@ should add an operator side-car when operator is enabled:
initialDelaySeconds: 15
periodSeconds: 20
name: operator
ports:
- containerPort: 8080
name: op-metrics
protocol: TCP
- containerPort: 8081
name: op-health
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
@@ -34,7 +41,7 @@ should add an operator side-car when operator is enabled:
- args:
- --diag-addr=0.0.0.0:3000
- --apply-on-startup=/etc/teleport/apply-on-startup.yaml
image: public.ecr.aws/gravitational/teleport-distroless:13.3.9
image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
@@ -167,7 +174,7 @@ should set nodeSelector when set in values:
- args:
- --diag-addr=0.0.0.0:3000
- --apply-on-startup=/etc/teleport/apply-on-startup.yaml
image: public.ecr.aws/gravitational/teleport-distroless:13.3.9
image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
@@ -264,7 +271,7 @@ should set resources when set in values:
- args:
- --diag-addr=0.0.0.0:3000
- --apply-on-startup=/etc/teleport/apply-on-startup.yaml
image: public.ecr.aws/gravitational/teleport-distroless:13.3.9
image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
@@ -350,7 +357,7 @@ should set securityContext when set in values:
- args:
- --diag-addr=0.0.0.0:3000
- --apply-on-startup=/etc/teleport/apply-on-startup.yaml
image: public.ecr.aws/gravitational/teleport-distroless:13.3.9
image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
imagePullPolicy: IfNotPresent
lifecycle:
preStop:


@@ -1,3 +1,55 @@
? should not request a certificate for cluster name and publicAddrs when cert-manager
is enabled and proxy.highAvailability.certManager.addPublicAddrs is not set (cert-manager.yaml)
: 1: |
- test-cluster
- '*.test-cluster'
2: |
group: custom.cert-manager.io
kind: CustomClusterIssuer
name: custom
? should not request a certificate for cluster name and publicAddrs when cert-manager
is enabled and proxy.highAvailability.certManager.addPublicAddrs is not set (cert-secret.yaml)
: 1: |
- test-cluster
- '*.test-cluster'
2: |
group: cert-manager.io
kind: Issuer
name: letsencrypt
? should request a certificate for cluster name and publicAddrs when cert-manager
is enabled and proxy.highAvailability.certManager.addPublicAddrs is set (cert-manager.yaml)
: 1: |
- test-cluster
- '*.test-cluster'
- teleport.test.com
- teleport.shared-services.old-domain.com
2: |
group: custom.cert-manager.io
kind: CustomClusterIssuer
name: custom
? should request a certificate for cluster name and publicAddrs when cert-manager
is enabled and proxy.highAvailability.certManager.addPublicAddrs is set (cert-secret.yaml)
: 1: |
- test-cluster
- '*.test-cluster'
- teleport.test.com
- teleport.shared-services.old-domain.com
2: |
group: cert-manager.io
kind: Issuer
name: letsencrypt
? should request a certificate for cluster name and publicAddrs when cert-manager
is enabled and proxy.highAvailability.certManager.addPublicAddrs is set, removing
duplicates
: 1: |
- test-cluster
- '*.test-cluster'
- teleport.test.com
- teleport.shared-services.old-domain.com
2: |
group: custom.cert-manager.io
kind: CustomClusterIssuer
name: custom
should request a certificate for cluster name when cert-manager is enabled (cert-manager.yaml):
1: |
- test-cluster


@@ -1,4 +1,4 @@
generates a config WITHOUT proxy_service.trust_x_forwarded_for=true when version < 13.2.0 and ingress.enabled is not set:
generates a config WITHOUT proxy_service.trust_x_forwarded_for=true when version < 14.0.0 and ingress.enabled is not set:
1: |
|-
auth_service:
@@ -28,7 +28,7 @@ generates a config WITHOUT proxy_service.trust_x_forwarded_for=true when version
output: stderr
severity: INFO
version: v3
generates a config WITHOUT proxy_service.trust_x_forwarded_for=true when version < 13.2.0 and ingress.enabled=true:
generates a config WITHOUT proxy_service.trust_x_forwarded_for=true when version < 14.0.0 and ingress.enabled=true:
1: |
|-
auth_service:
@@ -54,7 +54,7 @@ generates a config WITHOUT proxy_service.trust_x_forwarded_for=true when version
output: stderr
severity: INFO
version: v3
generates a config WITHOUT proxy_service.trust_x_forwarded_for=true when version >=13.2.0 and ingress.enabled is not set:
generates a config WITHOUT proxy_service.trust_x_forwarded_for=true when version >=14.0.0 and ingress.enabled is not set:
1: |
|-
auth_service:
@@ -141,7 +141,7 @@ generates a config with proxy_service.trust_x_forwarded_for=true when version =
output: stderr
severity: INFO
version: v3
generates a config with proxy_service.trust_x_forwarded_for=true when version >=13.2.0 and ingress.enabled=true:
generates a config with proxy_service.trust_x_forwarded_for=true when version >=14.0.0 and ingress.enabled=true:
1: |
|-
auth_service:


@@ -4,8 +4,8 @@ should provision initContainer correctly when set in values:
- teleport
- wait
- no-resolve
- RELEASE-NAME-auth-v12.NAMESPACE.svc.cluster.local
image: public.ecr.aws/gravitational/teleport-distroless:13.3.9
- RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
name: wait-auth-update
- args:
- echo test
@@ -62,7 +62,7 @@ should set nodeSelector when set in values:
containers:
- args:
- --diag-addr=0.0.0.0:3000
image: public.ecr.aws/gravitational/teleport-distroless:13.3.9
image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
@@ -122,8 +122,8 @@ should set nodeSelector when set in values:
- teleport
- wait
- no-resolve
- RELEASE-NAME-auth-v12.NAMESPACE.svc.cluster.local
image: public.ecr.aws/gravitational/teleport-distroless:13.3.9
- RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
name: wait-auth-update
nodeSelector:
environment: security
@@ -174,7 +174,7 @@ should set resources when set in values:
containers:
- args:
- --diag-addr=0.0.0.0:3000
image: public.ecr.aws/gravitational/teleport-distroless:13.3.9
image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
@@ -241,8 +241,8 @@ should set resources when set in values:
- teleport
- wait
- no-resolve
- RELEASE-NAME-auth-v12.NAMESPACE.svc.cluster.local
image: public.ecr.aws/gravitational/teleport-distroless:13.3.9
- RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
name: wait-auth-update
serviceAccountName: RELEASE-NAME-proxy
terminationGracePeriodSeconds: 60
@@ -275,7 +275,7 @@ should set securityContext for initContainers when set in values:
containers:
- args:
- --diag-addr=0.0.0.0:3000
image: public.ecr.aws/gravitational/teleport-distroless:13.3.9
image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
@@ -342,8 +342,8 @@ should set securityContext for initContainers when set in values:
- teleport
- wait
- no-resolve
- RELEASE-NAME-auth-v12.NAMESPACE.svc.cluster.local
image: public.ecr.aws/gravitational/teleport-distroless:13.3.9
- RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
name: wait-auth-update
securityContext:
allowPrivilegeEscalation: false
@@ -383,7 +383,7 @@ should set securityContext when set in values:
containers:
- args:
- --diag-addr=0.0.0.0:3000
image: public.ecr.aws/gravitational/teleport-distroless:13.3.9
image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
@@ -450,8 +450,8 @@ should set securityContext when set in values:
- teleport
- wait
- no-resolve
- RELEASE-NAME-auth-v12.NAMESPACE.svc.cluster.local
image: public.ecr.aws/gravitational/teleport-distroless:13.3.9
- RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
name: wait-auth-update
securityContext:
allowPrivilegeEscalation: false


@@ -304,6 +304,7 @@ tests:
name: my-mount
secret:
secretName: mySecret
- it: should set imagePullPolicy when set in values
template: auth/deployment.yaml
set:
@@ -314,6 +315,36 @@ tests:
path: spec.template.spec.containers[0].imagePullPolicy
value: Always
- it: should have only one container when no `extraContainers` is set in values
template: auth/deployment.yaml
set:
extraContainers: []
clusterName: helm-lint.example.com
asserts:
- isNotNull:
path: spec.template.spec.containers[0]
- isNull:
path: spec.template.spec.containers[1]
- it: should add one more container when `extraContainers` is set in values
template: auth/deployment.yaml
values:
- ../.lint/extra-containers.yaml
asserts:
- equal:
path: spec.template.spec.containers[1]
value:
name: nscenter
command:
- /bin/bash
- -c
- sleep infinity & wait
image: praqma/network-multitool
imagePullPolicy: IfNotPresent
securityContext:
privileged: true
runAsNonRoot: false
- it: should set environment when extraEnv set in values
template: auth/deployment.yaml
values:
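Review bot: The new `should add one more container when extraContainers is set` test asserts only `spec.template.spec.containers[1]`, so it does not pin that the teleport container is still at index 0, and it does not cover the case where the operator side-car is enabled, which from the auth/deployment.yaml hunk appears to be rendered before the extra containers and would shift them to index 2. Adding `- isNotNull:` / `path: spec.template.spec.containers[0]` here, plus a variant with `operator.enabled: true` checking `containers[2]`, would lock the ordering down. The index-0 check applies equally to the parallel test added for proxy/deployment.yaml. The `tests:` list these entries belong to starts before the hunk.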


@@ -14,6 +14,9 @@ tests:
path: spec.dnsNames
- matchSnapshot:
path: spec.issuerRef
- equal:
path: spec.commonName
value: test-cluster
- it: should request a certificate for cluster name when cert-manager is enabled (cert-secret.yaml)
values:
@@ -27,3 +30,165 @@ tests:
path: spec.dnsNames
- matchSnapshot:
path: spec.issuerRef
- it: should request a certificate for cluster name and publicAddrs when cert-manager is enabled and proxy.highAvailability.certManager.addPublicAddrs is set (cert-manager.yaml)
values:
- ../.lint/cert-manager.yaml
set:
publicAddr: ['teleport.test.com:443', 'teleport.shared-services.old-domain.com:443']
highAvailability:
certManager:
addPublicAddrs: true
asserts:
- hasDocuments:
count: 1
- isKind:
of: Certificate
- matchSnapshot:
path: spec.dnsNames
- matchSnapshot:
path: spec.issuerRef
- equal:
path: spec.commonName
value: test-cluster
- equal:
path: spec.dnsNames[0]
value: "test-cluster"
- equal:
path: spec.dnsNames[1]
value: "*.test-cluster"
- equal:
path: spec.dnsNames[2]
value: "teleport.test.com"
- equal:
path: spec.dnsNames[3]
value: "teleport.shared-services.old-domain.com"
- it: should not request a certificate for cluster name and publicAddrs when cert-manager is enabled and proxy.highAvailability.certManager.addPublicAddrs is not set (cert-manager.yaml)
values:
- ../.lint/cert-manager.yaml
set:
publicAddr: ['teleport.test.com:443', 'teleport.shared-services.old-domain.com:443']
highAvailability:
certManager:
addPublicAddrs: false
asserts:
- hasDocuments:
count: 1
- isKind:
of: Certificate
- matchSnapshot:
path: spec.dnsNames
- matchSnapshot:
path: spec.issuerRef
- equal:
path: spec.commonName
value: test-cluster
- equal:
path: spec.dnsNames[0]
value: "test-cluster"
- equal:
path: spec.dnsNames[1]
value: "*.test-cluster"
- notEqual:
path: spec.dnsNames[2]
value: "teleport.test.com"
- notEqual:
path: spec.dnsNames[3]
value: "teleport.shared-services.old-domain.com"
- it: should request a certificate for cluster name and publicAddrs when cert-manager is enabled and proxy.highAvailability.certManager.addPublicAddrs is set (cert-secret.yaml)
values:
- ../.lint/cert-secret.yaml
set:
publicAddr: ['teleport.test.com:443', 'teleport.shared-services.old-domain.com:443']
highAvailability:
certManager:
addPublicAddrs: true
asserts:
- hasDocuments:
count: 1
- isKind:
of: Certificate
- matchSnapshot:
path: spec.dnsNames
- matchSnapshot:
path: spec.issuerRef
- equal:
path: spec.dnsNames[0]
value: "test-cluster"
- equal:
path: spec.dnsNames[1]
value: "*.test-cluster"
- equal:
path: spec.dnsNames[2]
value: "teleport.test.com"
- equal:
path: spec.dnsNames[3]
value: "teleport.shared-services.old-domain.com"
- it: should not request a certificate for cluster name and publicAddrs when cert-manager is enabled and proxy.highAvailability.certManager.addPublicAddrs is not set (cert-secret.yaml)
values:
- ../.lint/cert-secret.yaml
set:
publicAddr: ['teleport.test.com:443', 'teleport.shared-services.old-domain.com:443']
asserts:
- hasDocuments:
count: 1
- isKind:
of: Certificate
- matchSnapshot:
path: spec.dnsNames
- matchSnapshot:
path: spec.issuerRef
- notEqual:
path: spec.commonName
value: test-cluster
- equal:
path: spec.dnsNames[0]
value: "test-cluster"
- equal:
path: spec.dnsNames[1]
value: "*.test-cluster"
- notEqual:
path: spec.dnsNames[2]
value: "teleport.test.com"
- notEqual:
path: spec.dnsNames[3]
value: "teleport.shared-services.old-domain.com"
- it: should request a certificate for cluster name and publicAddrs when cert-manager is enabled and proxy.highAvailability.certManager.addPublicAddrs is set, removing duplicates
values:
- ../.lint/cert-manager.yaml
set:
publicAddr: ['test-cluster:443', 'teleport.test.com:443', 'teleport.shared-services.old-domain.com:443', 'teleport.test.com:443']
highAvailability:
certManager:
addPublicAddrs: true
asserts:
- hasDocuments:
count: 1
- isKind:
of: Certificate
- matchSnapshot:
path: spec.dnsNames
- matchSnapshot:
path: spec.issuerRef
- equal:
path: spec.dnsNames[0]
value: "test-cluster"
- equal:
path: spec.dnsNames[1]
value: "*.test-cluster"
- notEqual:
path: spec.dnsNames[2]
value: "test-cluster"
- equal:
path: spec.dnsNames[2]
value: "teleport.test.com"
- equal:
path: spec.dnsNames[3]
value: "teleport.shared-services.old-domain.com"
- notEqual:
path: spec.dnsNames[4]
value: "teleport.test.com"
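Review bot: In the second hunk, the `notEqual` assertions on indexes expected to be absent (`spec.dnsNames[4]` in the "removing duplicates" test, `spec.dnsNames[2]`/`[3]` in the two "is not set" tests) pass trivially when the element does not exist, so they would also pass if the template emitted some other unexpected name at that position. `- isNull:` / `path: spec.dnsNames[4]` pins absence directly, and a length assertion on `spec.dnsNames`, if the helm-unittest version in use supports one, pins the whole list. The `tests:` list these entries extend starts before the hunk.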


@@ -163,9 +163,9 @@ tests:
- failedTemplate:
errorMessage: "clusterName must not contain a colon, you can override the cluster's public address with publicAddr"
- it: generates a config with proxy_service.trust_x_forwarded_for=true when version >=13.2.0 and ingress.enabled=true
- it: generates a config with proxy_service.trust_x_forwarded_for=true when version >=14.0.0 and ingress.enabled=true
chart:
version: 13.2.0
version: 14.0.0
values:
- ../.lint/ingress.yaml
set:
@@ -193,9 +193,9 @@ tests:
- matchSnapshot:
path: data.teleport\.yaml
- it: generates a config WITHOUT proxy_service.trust_x_forwarded_for=true when version >=13.2.0 and ingress.enabled is not set
- it: generates a config WITHOUT proxy_service.trust_x_forwarded_for=true when version >=14.0.0 and ingress.enabled is not set
chart:
version: 13.2.0
version: 14.0.0
set:
clusterName: "helm-test.example.com"
asserts:
@@ -206,7 +206,7 @@ tests:
- matchSnapshot:
path: data.teleport\.yaml
- it: generates a config WITHOUT proxy_service.trust_x_forwarded_for=true when version < 13.2.0 and ingress.enabled=true
- it: generates a config WITHOUT proxy_service.trust_x_forwarded_for=true when version < 14.0.0 and ingress.enabled=true
chart:
version: 13.1.5
values:
@@ -221,9 +221,9 @@ tests:
- matchSnapshot:
path: data.teleport\.yaml
- it: generates a config WITHOUT proxy_service.trust_x_forwarded_for=true when version < 13.2.0 and ingress.enabled is not set
- it: generates a config WITHOUT proxy_service.trust_x_forwarded_for=true when version < 14.0.0 and ingress.enabled is not set
chart:
version: 13.1.5
version: 14.0.0
set:
clusterName: "helm-test.example.com"
asserts:
@@ -233,3 +233,26 @@ tests:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: sets "proxy_protocol" to "on"
set:
proxyProtocol: "on"
clusterName: teleport.example.com
asserts:
- matchRegex:
path: data.teleport\.yaml
pattern: 'proxy_protocol: "on"'
- it: sets "proxy_protocol" to "off"
set:
proxyProtocol: "off"
clusterName: teleport.example.com
asserts:
- matchRegex:
path: data.teleport\.yaml
pattern: 'proxy_protocol: "off"'
- it: does not set "proxy_protocol"
set:
clusterName: teleport.example.com
asserts:
- notMatchRegex:
path: data.teleport\.yaml
pattern: 'proxy_protocol:'
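Review bot: The test retitled `generates a config WITHOUT proxy_service.trust_x_forwarded_for=true when version < 14.0.0 and ingress.enabled is not set` now sets `chart: version: 14.0.0`, so its setup contradicts its name and duplicates the `>=14.0.0 and ingress.enabled is not set` case above it. Keeping `version: 13.1.5` there, as the sibling `< 14.0.0 and ingress.enabled=true` test still does, restores the below-threshold coverage. The `tests:` list these entries belong to starts before the first hunk.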


@@ -332,6 +332,36 @@ tests:
path: spec.template.spec.containers[0].imagePullPolicy
value: Always
- it: should have only one container when no `extraContainers` is set in values
template: proxy/deployment.yaml
set:
extraContainers: []
clusterName: helm-lint.example.com
asserts:
- isNotNull:
path: spec.template.spec.containers[0]
- isNull:
path: spec.template.spec.containers[1]
- it: should add one more container when `extraContainers` is set in values
template: proxy/deployment.yaml
values:
- ../.lint/extra-containers.yaml
asserts:
- equal:
path: spec.template.spec.containers[1]
value:
name: nscenter
command:
- /bin/bash
- -c
- sleep infinity & wait
image: praqma/network-multitool
imagePullPolicy: IfNotPresent
securityContext:
privileged: true
runAsNonRoot: false
- it: should set environment when extraEnv set in values
template: proxy/deployment.yaml
values:


@@ -19,6 +19,7 @@
"affinity",
"nodeSelector",
"annotations",
"extraContainers",
"extraVolumes",
"extraVolumeMounts",
"imagePullPolicy",
@@ -33,6 +34,15 @@
"type": "string",
"default": ""
},
"proxyProtocol": {
"$id": "#/properties/proxyProtocol",
"type": "string",
"default": "",
"enum": [
"off",
"on"
]
},
"auth": {
"$id": "#/properties/auth",
"type": "object"
@@ -49,7 +59,9 @@
"podMonitor": {
"$id": "#/properties/podMonitor",
"type": "object",
"required": ["enabled"],
"required": [
"enabled"
],
"properties": {
"enabled": {
"$id": "#/properties/podMonitor/enabled",
@@ -59,8 +71,12 @@
"additionalLabels": {
"$id": "#/properties/podMonitor/additionalLabels",
"type": "object",
"default": {"prometheus": "default"},
"additionalProperties": {"type": "string"}
"default": {
"prometheus": "default"
},
"additionalProperties": {
"type": "string"
}
},
"interval": {
"$id": "#/properties/podMonitor/interval",
@@ -72,7 +88,10 @@
"authentication": {
"$id": "#/properties/authentication",
"type": "object",
"required": ["type", "localAuth"],
"required": [
"type",
"localAuth"
],
"properties": {
"type": {
"$id": "#/properties/authentication/properties/type",
@@ -97,7 +116,13 @@
"secondFactor": {
"$id": "#/properties/authentication/properties/secondFactor",
"type": "string",
"enum": ["off", "on", "otp", "optional", "webauthn"],
"enum": [
"off",
"on",
"otp",
"optional",
"webauthn"
],
"default": "otp"
},
"webauthn": {
@@ -131,7 +156,13 @@
"secondFactor": {
"$id": "#/properties/authenticationSecondFactor/properties/secondFactor",
"type": "string",
"enum": ["off", "on", "otp", "optional", "webauthn"],
"enum": [
"off",
"on",
"otp",
"optional",
"webauthn"
],
"default": "otp"
},
"webauthn": {
@@ -261,7 +292,9 @@
"operator": {
"$id": "#/properties/operator",
"type": "object",
"required": ["enabled"],
"required": [
"enabled"
],
"properties": {
"enabled": {
"$id": "#/properties/operator/properties/enabled",
@@ -587,6 +620,11 @@
"type": "boolean",
"default": "false"
},
"addPublicAddrs": {
"$id": "#/properties/highAvailability/properties/certManager/properties/addPublicAddrs",
"type": "boolean",
"default": "false"
},
"enabled": {
"$id": "#/properties/highAvailability/properties/certManager/properties/enabled",
"type": "boolean",
@@ -695,7 +733,13 @@
"level": {
"$id": "#/properties/log/properties/level",
"type": "string",
"enum": ["DEBUG", "INFO", "WARN", "WARNING", "ERROR"],
"enum": [
"DEBUG",
"INFO",
"WARN",
"WARNING",
"ERROR"
],
"default": "INFO"
},
"deployment": {
@@ -845,6 +889,11 @@
"type": "array",
"default": []
},
"extraContainers": {
"$id": "#/properties/extraContainers",
"type": "array",
"default": []
},
"extraVolumes": {
"$id": "#/properties/extraVolumes",
"type": "array",
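Review bot: `addPublicAddrs` declares `"type": "boolean"` but `"default": "false"` (a string), mirroring the existing boolean entry just above it; tooling that reads defaults gets a truthy string, so it should be `"default": false`. The new `extraContainers` entry is `"type": "array"` with no `items`, so a malformed container spec is only caught by the API server at install time; `"items": {"type": "object", "required": ["name"]}` would catch it at `helm lint`. Separately, `proxyProtocol` carries `"default": ""` while its `enum` admits only `"off"` and `"on"`, so an explicit empty value fails validation rather than meaning "unset".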


@@ -30,6 +30,30 @@ kubeClusterName: ""
# If you want to run Teleport version X, you should use `helm --version X` instead.
teleportVersionOverride: ""
# The `proxyProtocol` value controls whether the Proxy pods will
# accept PROXY lines with the client's IP address when they are
# behind a L4 load balancer (e.g. AWS ELB, GCP L4 LB, etc) with PROXY protocol
# enabled. Since L4 LBs do not preserve the client's IP address, PROXY protocol is
# required to ensure that Teleport can properly audit the client's IP address.
#
# When Teleport pods are not behind a L4 LB with PROXY protocol enabled, this
# value should be set to "off" to prevent Teleport from accepting PROXY headers
# from untrusted sources.
# Possible values are "on" and "off".
# - "on" will enable the PROXY protocol for all connections and will require the
# L4 LB to send a PROXY header.
# - "off" will disable the PROXY protocol for all connections and denies all
# connections prefixed with a PROXY header.
#
# If proxyProtocol is unspecified, Teleport does not require PROXY header for the
# connection, but will accept it if present. This mode is considered insecure
# and should only be used for testing purposes.
#
# See https://goteleport.com/docs/ver/14.x/management/security/proxy-protocol/
# for more information.
#
# proxyProtocol: on
# The `teleport-cluster` charts deploys two sets of pods: auth and proxy.
# `auth` contains values specific for the auth pods. You can use it to
# set specific values for auth pods, taking precedence over chart-scoped values.
@@ -437,10 +461,13 @@ highAvailability:
# Settings for cert-manager (can be used for provisioning TLS certs in HA mode)
# These settings are mutually exclusive with the "tls" value below.
certManager:
# If set to true, a common name matching the cluster name will be set in the certificate signing request. This is mandatory for some CAs.
addCommonName: false
# If set to true, use cert-manager to get certificates for Teleport to use for TLS termination
enabled: false
# If set to true, a common name matching the cluster name will be set in the certificate signing request. This is mandatory for some CAs.
addCommonName: false
# If set to true, any additional public addresses configured under the `publicAddr` chart value will be added to the certificate signing request.
# This setting is not enabled by default to preserve backward compatibility.
addPublicAddrs: false
# Name of the Issuer/ClusterIssuer to use for certs
# NOTE: You will always need to create this yourself when certManager.enabled is true.
issuerName: ""
@@ -582,6 +609,19 @@ extraArgs: []
# Extra environment to be configured on the Teleport pod
extraEnv: []
# Extra containers to be added to the Teleport pod
extraContainers: []
# - name: nscenter
# command:
# - /bin/bash
# - -c
# - sleep infinity & wait
# image: praqma/network-multitool
# imagePullPolicy: IfNotPresent
# securityContext:
# privileged: true
# runAsNonRoot: false
# Extra volumes to mount into the Teleport pods
# https://kubernetes.io/docs/concepts/storage/volumes/
extraVolumes: []
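Review bot: The example `# proxyProtocol: on` in the first hunk is unquoted; if a user uncomments it as written, YAML 1.1-based loaders (Helm's values loader included) read `on` as boolean `true`, which then fails the schema's string enum instead of enabling PROXY protocol. The example should read `# proxyProtocol: "on"`, matching the quoted form the chart tests use. The `extraContainers` example in the last hunk also ships `privileged: true` / `runAsNonRoot: false` for a debugging sidecar; since users copy these examples, a comment such as `# privileged/runAsNonRoot below are only needed for this troubleshooting container` would keep that from becoming the default for ordinary sidecars.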