디렉토리 구조 및 각 서비스 추가

This commit is contained in:
dsk-minchulahn
2024-01-03 17:29:11 +09:00
parent 98de2a7627
commit d601d0f259
1632 changed files with 207616 additions and 1 deletions


@@ -0,0 +1,3 @@
clusterName: test-cluster-name
extraArgs:
- "--insecure"
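Review bot: `extraArgs` hands `--insecure` to the binary with nothing in the file marking it as lint-only input, while sibling fixtures in this commit (the `priorityClassName`, `probeTimeoutSeconds` and `resources` files) open with `# These are just sample values to test the chart.` / `# They are not intended to be guidelines or suggestions for running teleport.`. Adding those two comment lines above `extraArgs` keeps the fixture from being read as a recommended setting. The same applies to the `authentication` fixture that sets `localAuth: false` and `secondFactor: "off"`, and to the `securityContext` fixture that sets `readOnlyRootFilesystem: false`.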


@@ -0,0 +1,3 @@
clusterName: test-acme-cluster
acme: true
acmeEmail: test@email.com


@@ -0,0 +1,4 @@
clusterName: test-acme-cluster
acme: true
acmeEmail: test@email.com
acmeURI: https://acme-staging-v02.api.letsencrypt.org/directory


@@ -0,0 +1,29 @@
clusterName: test-gcp-cluster
chartMode: gcp
gcp:
projectId: gcpproj-123456
backendTable: test-teleport-firestore-storage-collection
auditLogTable: test-teleport-firestore-auditlog-collection
sessionRecordingBucket: test-gcp-session-storage-bucket
highAvailability:
replicaCount: 2
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: gravitational.io/dedicated
operator: In
values:
- teleport
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: app
operator: In
values:
- teleport
topologyKey: kubernetes.io/hostname
weight: 1


@@ -0,0 +1,17 @@
clusterName: helm-lint
annotations:
config:
kubernetes.io/config: "test-annotation"
kubernetes.io/config-different: 2
deployment:
kubernetes.io/deployment: "test-annotation"
kubernetes.io/deployment-different: 3
pod:
kubernetes.io/pod: "test-annotation"
kubernetes.io/pod-different: 4
service:
kubernetes.io/service: "test-annotation"
kubernetes.io/service-different: 5
serviceAccount:
kubernetes.io/serviceaccount: "test-annotation"
kubernetes.io/serviceaccount-different: 6
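Review bot: The `*-different` annotations carry bare integers (`2` through `6`) next to quoted strings, and nothing says why; Kubernetes annotation values must be strings, so presumably this checks that the templates stringify non-string values rather than emit invalid manifests. A comment at the top of the file, e.g. `# integer values on purpose: the templates must render annotations as strings`, would make the fixture's intent clear and stop a later cleanup from "fixing" the numbers into quoted strings and silently losing the test.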


@@ -0,0 +1,3 @@
clusterName: helm-lint
authentication:
connectorName: "okta"


@@ -0,0 +1,5 @@
clusterName: helm-lint
authentication:
type: "github"
localAuth: false
secondFactor: "off"


@@ -0,0 +1,3 @@
clusterName: helm-lint
authentication:
lockingMode: "strict"


@@ -0,0 +1,4 @@
clusterName: helm-lint
authentication:
connectorName: passwordless
secondFactor: webauthn


@@ -0,0 +1,4 @@
clusterName: helm-lint
authentication:
type: "this-should-be-ignored"
authenticationType: "github"


@@ -0,0 +1,3 @@
clusterName: helm-lint
authentication:
type: "github"


@@ -0,0 +1,10 @@
clusterName: helm-lint
authentication:
secondFactor: "off" # this should be overridden
authenticationSecondFactor:
secondFactor: "on"
webauthn:
attestationAllowedCas:
- "/etc/ssl/certs/ca-certificates.crt"
attestationDeniedCas:
- "/etc/ssl/certs/ca-certificates.crt"
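Review bot: `attestationAllowedCas` and `attestationDeniedCas` list the same bundle, `/etc/ssl/certs/ca-certificates.crt`, so the fixture describes a policy that allows and denies the same CA. If the file only exercises precedence of `authenticationSecondFactor` over `authentication` (the `# this should be overridden` comment suggests so) and whether both lists render, a one-line comment such as `# identical paths on purpose: only rendering is under test` would keep a reader from copying the pair as a template; otherwise use two distinct paths. The following hunk (the `webauthn` fixture without the override) repeats the same pair.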


@@ -0,0 +1,8 @@
clusterName: helm-lint
authentication:
secondFactor: "on"
webauthn:
attestationAllowedCas:
- "/etc/ssl/certs/ca-certificates.crt"
attestationDeniedCas:
- "/etc/ssl/certs/ca-certificates.crt"


@@ -0,0 +1,14 @@
clusterName: test-aws-cluster
chartMode: aws
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
auditLogTable: test-dynamodb-auditlog-table
sessionRecordingBucket: test-s3-session-storage-bucket
dynamoAutoScaling: true
readMinCapacity: 5
readMaxCapacity: 100
readTargetValue: 50.0
writeMinCapacity: 5
writeMaxCapacity: 100
writeTargetValue: 50.0


@@ -0,0 +1,14 @@
clusterName: test-aws-cluster
chartMode: aws
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
auditLogTable: test-dynamodb-auditlog-table
sessionRecordingBucket: test-s3-session-storage-bucket
highAvailability:
replicaCount: 3
certManager:
enabled: true
issuerName: letsencrypt-production
labels:
env: aws


@@ -0,0 +1,12 @@
clusterName: test-aws-cluster
chartMode: aws
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
auditLogTable: test-dynamodb-auditlog-table
sessionRecordingBucket: test-s3-session-storage-bucket
highAvailability:
replicaCount: 3
requireAntiAffinity: true
labels:
env: aws


@@ -0,0 +1,17 @@
clusterName: test-aws-cluster
chartMode: aws
log:
level: DEBUG
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
auditLogTable: test-dynamodb-auditlog-table
auditLogMirrorOnStdout: true
sessionRecordingBucket: test-s3-session-storage-bucket
highAvailability:
replicaCount: 2
certManager:
enabled: true
issuerName: letsencrypt-production
labels:
env: aws


@@ -0,0 +1,11 @@
clusterName: test-aws-cluster
chartMode: aws
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
auditLogTable: test-dynamodb-auditlog-table
sessionRecordingBucket: test-s3-session-storage-bucket
highAvailability:
replicaCount: 3
labels:
env: aws


@@ -0,0 +1,11 @@
clusterName: test-aws-cluster
chartMode: aws
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
auditLogTable: test-dynamodb-auditlog-table
sessionRecordingBucket: test-s3-session-storage-bucket
acme: true
acmeEmail: test@email.com
labels:
env: aws


@@ -0,0 +1,11 @@
clusterName: test-azure-cluster
chartMode: azure
azure:
databaseHost: "mypostgresinstance.postgres.database.azure.com"
databaseUser: "teleport"
backendDatabase: "teleport_backend"
auditLogDatabase: "teleport_audit"
auditLogMirrorOnStdout: true
sessionRecordingStorageAccount: "mystorageaccount.blob.core.windows.net"
clientID: "1234"
databasePoolMaxConnections: 100


@@ -0,0 +1,15 @@
clusterName: test-cluster
chartMode: aws
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
auditLogTable: test-dynamodb-auditlog-table
sessionRecordingBucket: test-s3-session-storage-bucket
highAvailability:
replicaCount: 3
certManager:
addCommonName: true
enabled: true
issuerGroup: custom.cert-manager.io
issuerName: custom
issuerKind: CustomClusterIssuer


@@ -0,0 +1,15 @@
clusterName: test-cluster
chartMode: aws
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
auditLogTable: test-dynamodb-auditlog-table
sessionRecordingBucket: test-s3-session-storage-bucket
annotations:
certSecret:
kubernetes.io/cert-secret: value
highAvailability:
replicaCount: 3
certManager:
enabled: true
issuerName: letsencrypt


@@ -0,0 +1,7 @@
# This setup is not safe for production because the proxy will self-sign its certificate.
# Use those values for testing only
# The chart should deploy and work only with a clusterName.
# This setup can also cause redirection issues if the proxy is contacted with a hostName instead of an IP address
# as it is not aware of its external hostname and will attempt to perform a redirection.
clusterName: helm-lint


@@ -0,0 +1,4 @@
clusterName: test-cluster-name
tls:
existingSecretName: helm-lint-existing-tls-secret
existingCASecretName: helm-lint-existing-tls-secret-ca


@@ -0,0 +1,3 @@
clusterName: test-cluster-name
tls:
existingSecretName: helm-lint-existing-tls-secret


@@ -0,0 +1,4 @@
clusterName: helm-lint.example.com
extraEnv:
- name: SOME_ENVIRONMENT_VARIABLE
value: "some-value"


@@ -0,0 +1,14 @@
clusterName: test-gcp-cluster
chartMode: gcp
gcp:
projectId: gcpproj-123456
backendTable: test-teleport-firestore-storage-collection
auditLogTable: test-teleport-firestore-auditlog-collection
sessionRecordingBucket: test-gcp-session-storage-bucket
highAvailability:
replicaCount: 3
certManager:
enabled: true
issuerName: letsencrypt-production
labels:
env: gcp


@@ -0,0 +1,12 @@
clusterName: test-gcp-cluster
chartMode: gcp
gcp:
projectId: gcpproj-123456
backendTable: test-teleport-firestore-storage-collection
auditLogTable: test-teleport-firestore-auditlog-collection
sessionRecordingBucket: test-gcp-session-storage-bucket
highAvailability:
replicaCount: 3
requireAntiAffinity: true
labels:
env: gcp


@@ -0,0 +1,17 @@
clusterName: test-gcp-cluster
chartMode: gcp
log:
level: DEBUG
gcp:
projectId: gcpproj-123456
backendTable: test-teleport-firestore-storage-collection
auditLogTable: test-teleport-firestore-auditlog-collection
auditLogMirrorOnStdout: true
sessionRecordingBucket: test-gcp-session-storage-bucket
highAvailability:
replicaCount: 3
certManager:
enabled: true
issuerName: letsencrypt-production
labels:
env: gcp


@@ -0,0 +1,12 @@
clusterName: test-gcp-cluster
chartMode: gcp
gcp:
projectId: gcpproj-123456
backendTable: test-teleport-firestore-storage-collection
auditLogTable: test-teleport-firestore-auditlog-collection
sessionRecordingBucket: test-gcp-session-storage-bucket
credentialSecretName: ""
highAvailability:
replicaCount: 3
labels:
env: gcp


@@ -0,0 +1,11 @@
clusterName: test-gcp-cluster
chartMode: gcp
gcp:
projectId: gcpproj-123456
backendTable: test-teleport-firestore-storage-collection
auditLogTable: test-teleport-firestore-auditlog-collection
sessionRecordingBucket: test-gcp-session-storage-bucket
highAvailability:
replicaCount: 3
labels:
env: gcp


@@ -0,0 +1,11 @@
clusterName: test-gcp-cluster
chartMode: gcp
gcp:
projectId: gcpproj-123456
backendTable: test-teleport-firestore-storage-collection
auditLogTable: test-teleport-firestore-auditlog-collection
sessionRecordingBucket: test-gcp-session-storage-bucket
acme: true
acmeEmail: test@email.com
labels:
env: gcp


@@ -0,0 +1,4 @@
clusterName: test-standalone-cluster
chartMode: standalone
imagePullSecrets:
- name: myRegistryKeySecretName
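Review bot: `myRegistryKeySecretName` is mixed-case, and no Secret can carry that name (Secret names are DNS-1123 subdomains: lowercase alphanumerics, `-` and `.`), so the reference can only ever resolve under lint, never in a cluster. A resolvable sample such as `- name: my-registry-key-secret` costs nothing and gives readers a pattern they can copy. The `extraVolumes` fixture later in the commit has the same issue with `secretName: "mySecret"`.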


@@ -0,0 +1,8 @@
clusterName: teleport.example.com
publicAddr: ["my-teleport-ingress.example.com:443"]
ingress:
enabled: true
suppressAutomaticWildcards: true
proxyListenerMode: multiplex
service:
type: ClusterIP


@@ -0,0 +1,6 @@
clusterName: teleport.example.com
ingress:
enabled: true
proxyListenerMode: multiplex
service:
type: ClusterIP


@@ -0,0 +1,8 @@
clusterName: helm-lint
initContainers:
- name: "teleport-init"
image: "alpine"
args: ["echo test"]
- name: "teleport-init2"
image: "alpine"
args: ["echo test2"]
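Review bot: `args: ["echo test"]` is a single argv element, so if this spec were ever run rather than only linted the init container would try to exec a program literally named `echo test`; with no `command` set and an `alpine` image (no entrypoint, as far as I know), `args` becomes the whole argv. If the example is meant to be runnable, `args: ["echo", "test"]` (and `["echo", "test2"]` for the second container) or `command: ["sh", "-c", "echo test"]` expresses it; if it is lint-only, a short comment saying so would stop someone copying it.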


@@ -0,0 +1,2 @@
clusterName: test-aws-cluster
kubeClusterName: test-kube-cluster


@@ -0,0 +1,4 @@
clusterName: test-log-cluster
log:
format: json
level: INFO


@@ -0,0 +1,6 @@
clusterName: test-log-cluster
log:
format: json
level: DEBUG
output: /var/lib/teleport/test.log
extraFields: ["level", "timestamp", "component", "caller"]


@@ -0,0 +1,2 @@
clusterName: test-log-cluster
logLevel: DEBUG


@@ -0,0 +1,4 @@
clusterName: test-cluster-name
nodeSelector:
role: bastion
environment: security


@@ -0,0 +1,4 @@
clusterName: test-cluster-name
operator:
enabled: true
installCRDs: true


@@ -0,0 +1,12 @@
clusterName: helm-lint
chartMode: aws
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
auditLogTable: test-dynamodb-auditlog-table
sessionRecordingBucket: test-s3-session-storage-bucket
highAvailability:
replicaCount: 3
podDisruptionBudget:
enabled: true
minAvailable: 2


@@ -0,0 +1,4 @@
clusterName: test-persistence-cluster
standalone:
existingClaimName: ""
volumeSize: 10Gi


@@ -0,0 +1,6 @@
clusterName: test-kube-cluster-name
podMonitor:
enabled: true
additionalLabels:
prometheus: default
interval: 30s


@@ -0,0 +1,4 @@
clusterName: helm-lint
# These are just sample values to test the chart.
# They are not intended to be guidelines or suggestions for running teleport.
priorityClassName: "system-cluster-critical"


@@ -0,0 +1,4 @@
clusterName: helm-lint
# These are just sample values to test the chart.
# They are not intended to be guidelines or suggestions for running teleport.
probeTimeoutSeconds: 5


@@ -0,0 +1,2 @@
clusterName: test-proxy-listener-mode
proxyListenerMode: multiplex


@@ -0,0 +1,2 @@
clusterName: test-proxy-listener-mode
proxyListenerMode: separate


@@ -0,0 +1,11 @@
clusterName: helm-lint
publicAddr: ["loadbalancer.example.com:443"]
sshPublicAddr: ["loadbalancer.example.com:3023"]
tunnelPublicAddr: ["loadbalancer.example.com:3024"]
postgresPublicAddr: ["loadbalancer.example.com:5432"]
mongoPublicAddr: ["loadbalancer.example.com:27017"]
mysqlPublicAddr: ["loadbalancer.example.com:3036"]
kubePublicAddr: ["loadbalancer.example.com:3026"]
separatePostgresListener: true
separateMongoListener: true


@@ -0,0 +1,10 @@
clusterName: helm-lint
# These are just sample values to test the chart.
# They are not intended to be guidelines or suggestions for running teleport.
resources:
limits:
cpu: 2
memory: 4Gi
requests:
cpu: 1
memory: 2Gi


@@ -0,0 +1 @@
clusterName: helm-lint


@@ -0,0 +1,8 @@
clusterName: helm-lint
securityContext:
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: false
runAsGroup: 99
runAsNonRoot: true
runAsUser: 99


@@ -0,0 +1,2 @@
clusterName: helm-lint
separateMongoListener: true


@@ -0,0 +1,2 @@
clusterName: helm-lint
separatePostgresListener: true


@@ -0,0 +1,7 @@
clusterName: helm-lint
serviceAccount:
create: true
name: helm-lint
annotations:
serviceAccount:
kubernetes.io/serviceaccount: "test-annotation"


@@ -0,0 +1,5 @@
clusterName: helm-lint
service:
type: LoadBalancer
spec:
loadBalancerIP: 1.2.3.4


@@ -0,0 +1,2 @@
clusterName: helm-lint
sessionRecording: "node-sync"


@@ -0,0 +1,9 @@
clusterName: test-standalone-cluster
chartMode: standalone
persistence:
enabled: true
storageClassName: ebs-ssd
acme: true
acmeEmail: test@email.com
labels:
env: standalone


@@ -0,0 +1,9 @@
clusterName: test-standalone-cluster
chartMode: standalone
persistence:
enabled: true
volumeSize: 50Gi
acme: true
acmeEmail: test@email.com
labels:
env: standalone


@@ -0,0 +1,9 @@
clusterName: test-standalone-cluster
chartMode: standalone
persistence:
enabled: true
existingClaimName: teleport-storage
acme: true
acmeEmail: test@email.com
labels:
env: standalone


@@ -0,0 +1,18 @@
clusterName: test-aws-cluster
chartMode: aws
aws:
region: us-west-2
backendTable: test-dynamodb-backend-table
auditLogTable: test-dynamodb-auditlog-table
sessionRecordingBucket: test-s3-session-storage-bucket
highAvailability:
replicaCount: 3
tolerations:
- key: "dedicated"
operator: "Equal"
value: "teleport"
effect: "NoExecute"
- key: "dedicated"
operator: "Equal"
value: "teleport"
effect: "NoSchedule"


@@ -0,0 +1,5 @@
clusterName: test-cluster-name
teleportVersionOverride: 5.2.1
labels:
env: test
version: 5.2.1
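Review bot: `teleportVersionOverride: 5.2.1` and the `version: 5.2.1` label are plain scalars; they stay strings only because of the two dots, and the same pattern with a two-component value (`5.2`, `13.10`) silently becomes a float (`13.10` parses as `13.1`), while label values must be strings. Quote both, `teleportVersionOverride: "5.2.1"` and `version: "5.2.1"`, so the fixture models the safe form.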


@@ -0,0 +1,8 @@
clusterName: helm-lint
extraVolumeMounts:
- name: "my-mount"
mountPath: "/path/to/mount"
extraVolumes:
- name: "my-mount"
secret:
secretName: "mySecret"


@@ -0,0 +1,13 @@
apiVersion: v2
appVersion: 13.3.9
dependencies:
- condition: installCRDs,operator.enabled
name: teleport-operator
repository: ""
version: 13.3.9
description: Teleport is an access platform for your infrastructure
icon: https://goteleport.com/images/logos/logo-teleport-square.svg
keywords:
- Teleport
name: teleport-cluster
version: 13.3.9
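Review bot: The `condition: installCRDs,operator.enabled` on the `teleport-operator` dependency evaluates only the first path that exists in the parent values, so if a top-level `installCRDs` is defined in `values.yaml` it alone decides whether the subchart is enabled and `operator.enabled` never applies. The operator fixture in this commit sets `operator.installCRDs` and `operator.enabled`, which is a different path from top-level `installCRDs`, so it is not obvious which key is meant to be authoritative. A comment on the dependency, e.g. `# Helm uses the first existing path: a top-level installCRDs overrides operator.enabled`, would document the intended precedence; if `installCRDs` is not a top-level value, drop it from the condition.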


@@ -0,0 +1,64 @@
# Teleport Cluster
This chart sets up a single node Teleport cluster.
It uses a persistent volume claim for storage.
Great for getting started with Teleport.
## Important Notices
- The chart version follows the Teleport version. e.g. chart v10.x can run Teleport v10.x and v11.x, but is not compatible with Teleport 9.x
- Teleport does mutual TLS to authenticate clients. It currently does not support running behind a L7 LoadBalancer, like a Kubernetes `Ingress`. It requires being exposed through a L4 LoadBalancer (Kubernetes `Service`).
## Getting Started
### Single-node example
To install Teleport in a separate namespace and provision a web certificate using Let's Encrypt, run:
```bash
$ helm install teleport/teleport-cluster \
--set acme=true \
--set acmeEmail=alice@example.com \
--set clusterName=teleport.example.com\
--create-namespace \
--namespace=teleport-cluster \
./teleport-cluster/
```
Finally, configure the DNS for `teleport.example.com` to point to the newly created LoadBalancer.
Note: this guide uses the built-in ACME client to get certificates.
In this setup, Teleport nodes cannot be replicated. If you want to run multiple
Teleport replicas, you must provide a certificate through `tls.existingSecretName`
or by installing [cert-manager](https://cert-manager.io/docs/) and setting the `highAvailability.certManager.*` values.
### Replicated setup guides
- [Running an HA Teleport cluster in Kubernetes using an AWS EKS Cluster](https://goteleport.com/docs/deploy-a-cluster/helm-deployments/aws/)
- [Running an HA Teleport cluster in Kubernetes using a Google Cloud GKE cluster](https://goteleport.com/docs/deploy-a-cluster/helm-deployments/gcp/)
- [Running a Teleport cluster in Kubernetes with a custom Teleport config](https://goteleport.com/docs/deploy-a-cluster/helm-deployments/custom/)
### Creating first user
The first user can be created by executing a command in one of the auth pods.
```shell
kubectl exec it -n teleport-cluster statefulset/teleport-cluster-auth -- tctl users add my-username --roles=editor,auditor,access
```
The command should output a registration link to finalize the user creation.
## Uninstalling
```bash
helm uninstall --namespace teleport-cluster teleport-cluster
```
## Documentation
See https://goteleport.com/docs/kubernetes-access/helm/guides/ for guides on setting up HA Teleport clusters
in EKS or GKE, plus a comprehensive chart reference.
## Contributing to the chart
Please read [CONTRIBUTING.md](../CONTRIBUTING.md) before raising a pull request to this chart.


@@ -0,0 +1,8 @@
apiVersion: v2
appVersion: 13.3.9
description: Teleport Operator provides management of select Teleport resources.
icon: https://goteleport.com/images/logos/logo-teleport-square.svg
keywords:
- Teleport
name: teleport-operator
version: 13.3.9


@@ -0,0 +1,168 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
creationTimestamp: null
name: teleportgithubconnectors.resources.teleport.dev
spec:
group: resources.teleport.dev
names:
kind: TeleportGithubConnector
listKind: TeleportGithubConnectorList
plural: teleportgithubconnectors
shortNames:
- githubconnector
- githubconnectors
singular: teleportgithubconnector
scope: Namespaced
versions:
- name: v3
schema:
openAPIV3Schema:
description: GithubConnector is the Schema for the githubconnectors API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: GithubConnector resource definition v3 from Teleport
properties:
api_endpoint_url:
description: APIEndpointURL is the URL of the API endpoint of the
Github instance this connector is for.
type: string
client_id:
description: ClientID is the Github OAuth app client ID.
type: string
client_secret:
description: ClientSecret is the Github OAuth app client secret.
type: string
display:
description: Display is the connector display name.
type: string
endpoint_url:
description: EndpointURL is the URL of the GitHub instance this connector
is for.
type: string
redirect_url:
description: RedirectURL is the authorization callback URL.
type: string
teams_to_roles:
description: TeamsToRoles maps Github team memberships onto allowed
roles.
items:
properties:
organization:
description: Organization is a Github organization a user belongs
to.
type: string
roles:
description: Roles is a list of allowed logins for this org/team.
items:
type: string
nullable: true
type: array
team:
description: Team is a team within the organization a user belongs
to.
type: string
type: object
type: array
type: object
status:
description: TeleportGithubConnectorStatus defines the observed state
of TeleportGithubConnector
properties:
conditions:
description: Conditions represent the latest available observations
of an object's state
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
\n type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
teleportResourceID:
format: int64
type: integer
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null


@@ -0,0 +1,145 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
creationTimestamp: null
name: teleportloginrules.resources.teleport.dev
spec:
group: resources.teleport.dev
names:
kind: TeleportLoginRule
listKind: TeleportLoginRuleList
plural: teleportloginrules
shortNames:
- loginrule
- loginrules
singular: teleportloginrule
scope: Namespaced
versions:
- name: v1
schema:
openAPIV3Schema:
description: LoginRule is the Schema for the loginrules API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: LoginRule resource definition v1 from Teleport
properties:
priority:
description: Priority is the priority of the login rule relative to
other login rules in the same cluster. Login rules with a lower
numbered priority will be evaluated first.
format: int32
type: integer
traits_expression:
description: TraitsExpression is a predicate expression which should
return the desired traits for the user upon login.
type: string
traits_map:
additionalProperties:
items:
type: string
type: array
description: TraitsMap is a map of trait keys to lists of predicate
expressions which should evaluate to the desired values for that
trait.
nullable: true
type: object
type: object
status:
properties:
conditions:
description: Conditions represent the latest available observations
of an object's state
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
\n type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
teleportResourceID:
format: int64
type: integer
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null


@@ -0,0 +1,213 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
creationTimestamp: null
name: teleportoidcconnectors.resources.teleport.dev
spec:
group: resources.teleport.dev
names:
kind: TeleportOIDCConnector
listKind: TeleportOIDCConnectorList
plural: teleportoidcconnectors
shortNames:
- oidcconnector
- oidcconnectors
singular: teleportoidcconnector
scope: Namespaced
versions:
- name: v3
schema:
openAPIV3Schema:
description: OIDCConnector is the Schema for the oidcconnectors API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: OIDCConnector resource definition v3 from Teleport
properties:
acr_values:
description: ACR is an Authentication Context Class Reference value.
The meaning of the ACR value is context-specific and varies for
identity providers.
type: string
allow_unverified_email:
description: AllowUnverifiedEmail tells the connector to accept OIDC
users with unverified emails.
type: boolean
claims_to_roles:
description: ClaimsToRoles specifies a dynamic mapping from claims
to roles.
items:
properties:
claim:
description: Claim is a claim name.
type: string
roles:
description: Roles is a list of static teleport roles to match.
items:
type: string
nullable: true
type: array
value:
description: Value is a claim value to match.
type: string
type: object
type: array
client_id:
description: ClientID is the id of the authentication client (Teleport
Auth server).
type: string
client_secret:
description: ClientSecret is used to authenticate the client.
type: string
display:
description: Display is the friendly name for this provider.
type: string
google_admin_email:
description: GoogleAdminEmail is the email of a google admin to impersonate.
type: string
google_service_account:
description: GoogleServiceAccount is a string containing google service
account credentials.
type: string
google_service_account_uri:
description: GoogleServiceAccountURI is a path to a google service
account uri.
type: string
issuer_url:
description: IssuerURL is the endpoint of the provider, e.g. https://accounts.google.com.
type: string
max_age:
description: MaxAge is the amount of time that user logins are valid
for. If a user logs in, but then does not login again within this
time period, they will be forced to re-authenticate.
format: duration
type: string
prompt:
description: Prompt is an optional OIDC prompt. An empty string omits
prompt. If not specified, it defaults to select_account for backwards
compatibility.
type: string
provider:
description: Provider is the external identity provider.
type: string
redirect_url:
description: RedirectURLs is a list of callback URLs which the identity
provider can use to redirect the client back to the Teleport Proxy
to complete authentication. This list should match the URLs on the
provider's side. The URL used for a given auth request will be chosen
to match the requesting Proxy's public address. If there is no match,
the first url in the list will be used.
items:
type: string
type: array
scope:
description: Scope specifies additional scopes set by provider.
items:
type: string
nullable: true
type: array
username_claim:
description: UsernameClaim specifies the name of the claim from the
OIDC connector to be used as the user's username.
type: string
type: object
status:
description: TeleportOIDCConnectorStatus defines the observed state of
TeleportOIDCConnector
properties:
conditions:
description: Conditions represent the latest available observations
of an object's state
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
\n type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
teleportResourceID:
format: int64
type: integer
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null


@@ -0,0 +1,183 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
creationTimestamp: null
name: teleportoktaimportrules.resources.teleport.dev
spec:
group: resources.teleport.dev
names:
kind: TeleportOktaImportRule
listKind: TeleportOktaImportRuleList
plural: teleportoktaimportrules
shortNames:
- oktaimportrule
- oktaimportrules
singular: teleportoktaimportrule
scope: Namespaced
versions:
- name: v1
schema:
openAPIV3Schema:
description: OktaImportRule is the Schema for the oktaimportrules API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: OktaImportRule resource definition v1 from Teleport
properties:
mappings:
description: Mappings is a list of matches that will map match conditions
to labels.
items:
properties:
add_labels:
description: AddLabels specifies which labels to add if any
of the previous matches match.
nullable: true
properties:
key:
type: string
value:
type: string
type: object
match:
description: Match is a set of matching rules for this mapping.
If any of these match, then the mapping will be applied.
items:
properties:
app_ids:
description: AppIDs is a list of app IDs to match against.
items:
type: string
nullable: true
type: array
app_name_regexes:
description: AppNameRegexes is a list of regexes to match
against app names.
items:
type: string
nullable: true
type: array
group_ids:
description: GroupIDs is a list of group IDs to match
against.
items:
type: string
nullable: true
type: array
group_name_regexes:
description: GroupNameRegexes is a list of regexes to
match against group names.
items:
type: string
nullable: true
type: array
type: object
nullable: true
type: array
type: object
nullable: true
type: array
priority:
description: Priority represents the priority of the rule application.
Lower numbered rules will be applied first.
format: int32
type: integer
type: object
status:
properties:
conditions:
description: Conditions represent the latest available observations
of an object's state
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
\n type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
teleportResourceID:
format: int64
type: integer
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null


@@ -0,0 +1,353 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
creationTimestamp: null
name: teleportprovisiontokens.resources.teleport.dev
spec:
group: resources.teleport.dev
names:
kind: TeleportProvisionToken
listKind: TeleportProvisionTokenList
plural: teleportprovisiontokens
shortNames:
- provisiontoken
- provisiontokens
singular: teleportprovisiontoken
scope: Namespaced
versions:
- name: v2
schema:
openAPIV3Schema:
description: ProvisionToken is the Schema for the provisiontokens API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ProvisionToken resource definition v2 from Teleport
properties:
allow:
description: Allow is a list of TokenRules, nodes using this token
must match one allow rule to use this token.
items:
properties:
aws_account:
description: AWSAccount is the AWS account ID.
type: string
aws_arn:
description: AWSARN is used for the IAM join method, the AWS
identity of joining nodes must match this ARN. Supports wildcards
"*" and "?".
type: string
aws_regions:
description: AWSRegions is used for the EC2 join method and
is a list of AWS regions a node is allowed to join from.
items:
type: string
nullable: true
type: array
aws_role:
description: AWSRole is used for the EC2 join method and is
the the ARN of the AWS role that the auth server will assume
in order to call the ec2 API.
type: string
type: object
nullable: true
type: array
aws_iid_ttl:
description: AWSIIDTTL is the TTL to use for AWS EC2 Instance Identity
Documents used to join the cluster with this token.
format: duration
type: string
azure:
description: Azure allows the configuration of options specific to
the "azure" join method.
nullable: true
properties:
allow:
description: Allow is a list of Rules, nodes using this token
must match one allow rule to use this token.
items:
properties:
resource_groups:
items:
type: string
nullable: true
type: array
subscription:
type: string
type: object
nullable: true
type: array
type: object
bot_name:
description: BotName is the name of the bot this token grants access
to, if any
type: string
circleci:
description: CircleCI allows the configuration of options specific
to the "circleci" join method.
nullable: true
properties:
allow:
description: Allow is a list of TokenRules, nodes using this token
must match one allow rule to use this token.
items:
properties:
context_id:
type: string
project_id:
type: string
type: object
nullable: true
type: array
organization_id:
type: string
type: object
gcp:
description: GCP allows the configuration of options specific to the
"gcp" join method.
nullable: true
properties:
allow:
description: Allow is a list of Rules, nodes using this token
must match one allow rule to use this token.
items:
properties:
locations:
items:
type: string
nullable: true
type: array
project_ids:
items:
type: string
nullable: true
type: array
service_accounts:
items:
type: string
nullable: true
type: array
type: object
nullable: true
type: array
type: object
github:
description: GitHub allows the configuration of options specific to
the "github" join method.
nullable: true
properties:
allow:
description: Allow is a list of TokenRules, nodes using this token
must match one allow rule to use this token.
items:
properties:
actor:
type: string
environment:
type: string
ref:
type: string
ref_type:
type: string
repository:
type: string
repository_owner:
type: string
sub:
type: string
workflow:
type: string
type: object
nullable: true
type: array
enterprise_server_host:
description: EnterpriseServerHost allows joining from runners
associated with a GitHub Enterprise Server instance. When unconfigured,
tokens will be validated against github.com, but when configured
to the host of a GHES instance, then the tokens will be validated
against host. This value should be the hostname of the GHES
instance, and should not include the scheme or a path. The instance
must be accessible over HTTPS at this hostname and the certificate
must be trusted by the Auth Server.
type: string
type: object
gitlab:
description: GitLab allows the configuration of options specific to
the "gitlab" join method.
nullable: true
properties:
allow:
description: Allow is a list of TokenRules, nodes using this token
must match one allow rule to use this token.
items:
properties:
environment:
type: string
namespace_path:
type: string
pipeline_source:
type: string
project_path:
type: string
ref:
type: string
ref_type:
type: string
sub:
type: string
type: object
nullable: true
type: array
domain:
description: Domain is the domain of your GitLab instance. This
will default to `gitlab.com` - but can be set to the domain
of your self-hosted GitLab e.g `gitlab.example.com`.
type: string
type: object
join_method:
description: JoinMethod is the joining method required in order to
use this token. Supported joining methods include "token", "ec2",
and "iam".
type: string
kubernetes:
description: Kubernetes allows the configuration of options specific
to the "kubernetes" join method.
nullable: true
properties:
allow:
description: Allow is a list of Rules, nodes using this token
must match one allow rule to use this token.
items:
properties:
service_account:
type: string
type: object
nullable: true
type: array
type: object
roles:
description: Roles is a list of roles associated with the token, that
will be converted to metadata in the SSH and X509 certificates issued
to the user of the token
items:
type: string
nullable: true
type: array
suggested_agent_matcher_labels:
additionalProperties:
x-kubernetes-preserve-unknown-fields: true
description: SuggestedAgentMatcherLabels is a set of labels to be
used by agents to match on resources. When an agent uses this token,
the agent should monitor resources that match those labels. For
databases, this means adding the labels to `db_service.resources.labels`.
Currently, only node-join scripts create a configuration according
to the suggestion.
type: object
suggested_labels:
additionalProperties:
x-kubernetes-preserve-unknown-fields: true
description: SuggestedLabels is a set of labels that resources should
set when using this token to enroll themselves in the cluster. Currently,
only node-join scripts create a configuration according to the suggestion.
type: object
type: object
status:
description: TeleportProvisionTokenStatus defines the observed state of
TeleportProvisionToken
properties:
conditions:
description: Conditions represent the latest available observations
of an object's state
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
\n type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
teleportResourceID:
format: int64
type: integer
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null


@@ -0,0 +1,210 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
creationTimestamp: null
name: teleportsamlconnectors.resources.teleport.dev
spec:
group: resources.teleport.dev
names:
kind: TeleportSAMLConnector
listKind: TeleportSAMLConnectorList
plural: teleportsamlconnectors
shortNames:
- samlconnector
- samlconnectors
singular: teleportsamlconnector
scope: Namespaced
versions:
- name: v2
schema:
openAPIV3Schema:
description: SAMLConnector is the Schema for the samlconnectors API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: SAMLConnector resource definition v2 from Teleport
properties:
acs:
description: AssertionConsumerService is a URL for assertion consumer
service on the service provider (Teleport's side).
type: string
allow_idp_initiated:
description: AllowIDPInitiated is a flag that indicates if the connector
can be used for IdP-initiated logins.
type: boolean
assertion_key_pair:
description: EncryptionKeyPair is a key pair used for decrypting SAML
assertions.
nullable: true
properties:
cert:
description: Cert is a PEM-encoded x509 certificate.
type: string
private_key:
description: PrivateKey is a PEM encoded x509 private key.
type: string
type: object
attributes_to_roles:
description: AttributesToRoles is a list of mappings of attribute
statements to roles.
items:
properties:
name:
description: Name is an attribute statement name.
type: string
roles:
description: Roles is a list of static teleport roles to map
to.
items:
type: string
nullable: true
type: array
value:
description: Value is an attribute statement value to match.
type: string
type: object
type: array
audience:
description: Audience uniquely identifies our service provider.
type: string
cert:
description: Cert is the identity provider certificate PEM. IDP signs
<Response> responses using this certificate.
type: string
display:
description: Display controls how this connector is displayed.
type: string
entity_descriptor:
description: EntityDescriptor is XML with descriptor. It can be used
to supply configuration parameters in one XML file rather than supplying
them in the individual elements.
type: string
entity_descriptor_url:
description: EntityDescriptorURL is a URL that supplies a configuration
XML.
type: string
issuer:
description: Issuer is the identity provider issuer.
type: string
provider:
description: Provider is the external identity provider.
type: string
service_provider_issuer:
description: ServiceProviderIssuer is the issuer of the service provider
(Teleport).
type: string
signing_key_pair:
description: SigningKeyPair is an x509 key pair used to sign AuthnRequest.
nullable: true
properties:
cert:
description: Cert is a PEM-encoded x509 certificate.
type: string
private_key:
description: PrivateKey is a PEM encoded x509 private key.
type: string
type: object
sso:
description: SSO is the URL of the identity provider's SSO service.
type: string
type: object
status:
description: TeleportSAMLConnectorStatus defines the observed state of
TeleportSAMLConnector
properties:
conditions:
description: Conditions represent the latest available observations
of an object's state
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
\n type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
teleportResourceID:
format: int64
type: integer
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null


@@ -0,0 +1,195 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
creationTimestamp: null
name: teleportusers.resources.teleport.dev
spec:
group: resources.teleport.dev
names:
kind: TeleportUser
listKind: TeleportUserList
plural: teleportusers
shortNames:
- user
- users
singular: teleportuser
scope: Namespaced
versions:
- name: v2
schema:
openAPIV3Schema:
description: User is the Schema for the users API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: User resource definition v2 from Teleport
properties:
github_identities:
description: GithubIdentities list associated Github OAuth2 identities
that let user log in using externally verified identity
items:
properties:
connector_id:
description: ConnectorID is id of registered OIDC connector,
e.g. 'google-example.com'
type: string
username:
description: Username is username supplied by external identity
provider
type: string
type: object
type: array
oidc_identities:
description: OIDCIdentities lists associated OpenID Connect identities
that let user log in using externally verified identity
items:
properties:
connector_id:
description: ConnectorID is id of registered OIDC connector,
e.g. 'google-example.com'
type: string
username:
description: Username is username supplied by external identity
provider
type: string
type: object
type: array
roles:
description: Roles is a list of roles assigned to user
items:
type: string
nullable: true
type: array
saml_identities:
description: SAMLIdentities lists associated SAML identities that
let user log in using externally verified identity
items:
properties:
connector_id:
description: ConnectorID is id of registered OIDC connector,
e.g. 'google-example.com'
type: string
username:
description: Username is username supplied by external identity
provider
type: string
type: object
type: array
traits:
additionalProperties:
items:
type: string
type: array
description: Traits are key/value pairs received from an identity
provider (through OIDC claims or SAML assertions) or from a system
administrator for local accounts. Traits are used to populate role
variables.
type: object
trusted_device_ids:
description: TrustedDeviceIDs contains the IDs of trusted devices
enrolled by the user. Managed by the Device Trust subsystem, avoid
manual edits.
items:
type: string
nullable: true
type: array
type: object
status:
description: TeleportUserStatus defines the observed state of TeleportUser
properties:
conditions:
description: Conditions represent the latest available observations
of an object's state
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
\n type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
teleportResourceID:
format: int64
type: integer
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null


@@ -0,0 +1,45 @@
chartMode: standalone
clusterName: teleport.kr.datasaker.io
#teleportVersionOverride: "13.3.8"
auth:
teleportConfig:
# put any teleport.yaml auth configuration overrides here
teleport:
log:
output: stderr
severity: INFO
auth_service:
enabled: true
web_idle_timeout: 1h
authentication:
locking_mode: best_effort
persistence:
storageClassName: openebs-hostpath
proxy:
teleportConfig:
# put any teleport.yaml proxy configuration overrides here
teleport:
log:
output: stderr
severity: INFO
proxy_service:
https_keypairs_reload_interval: 12h
podSecurityPolicy:
enabled: false
proxy_service:
web_listen_addr: 0.0.0.0:3080
public_addr: teleport.kr.datasaker.io:443
resources:
requests:
cpu: "1"
memory: "2Gi"
highAvailability:
replicaCount: 1
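Review bot: `locking_mode: best_effort` under `auth_service.authentication` is the permissive mode: if I read Teleport's lock semantics correctly, sessions keep working when the lock watcher loses its view of the auth backend, so a lock placed on a compromised user or node during an outage is not enforced until connectivity returns; if locks are meant to be a hard control, set `locking_mode: strict` (and say why in a comment either way). `podSecurityPolicy.enabled: false` is nested under `proxy:`, while the chart's NOTES template reads it at the top level as `.Values.podSecurityPolicy.enabled`, so it presumably does nothing where it sits and the PSP warning will still print; move it to the top level. The auth backend is also pinned to `openebs-hostpath` with `replicaCount: 1`, which is node-local storage holding the cluster CAs and audit log; either back it with a replicated storage class or add a comment such as `# single-node: auth backend is node-local, no durability across node loss` so nobody mistakes this for an HA deployment.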


@@ -0,0 +1,44 @@
apiVersion: v1
kind: Service
metadata:
name: teleport
namespace: teleport
spec:
allocateLoadBalancerNodePorts: true
externalTrafficPolicy: Cluster
internalTrafficPolicy: Cluster
ipFamilies:
- IPv4
ipFamilyPolicy: SingleStack
ports:
- name: tls
nodePort: 30810
port: 443
protocol: TCP
targetPort: 3080
- name: sshproxy
nodePort: 30811
port: 3023
protocol: TCP
targetPort: 3023
- name: k8s
nodePort: 30812
port: 3026
protocol: TCP
targetPort: 3026
- name: sshtun
nodePort: 30813
port: 3024
protocol: TCP
targetPort: 3024
- name: mysql
nodePort: 30814
port: 3036
protocol: TCP
targetPort: 3036
selector:
app.kubernetes.io/component: proxy
app.kubernetes.io/instance: teleport
app.kubernetes.io/name: teleport-cluster
sessionAffinity: None
type: LoadBalancer
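Review bot: `externalTrafficPolicy: Cluster` on this LoadBalancer Service causes traffic to be SNAT'd at the node before it reaches the proxy pod, so Teleport's audit events and session recordings will carry node or load-balancer addresses rather than the real client IP, which weakens forensics and any IP-based allow rules; `externalTrafficPolicy: Local` preserves the source IP (and with `replicaCount: 1` there is only one backend node anyway), unless a PROXY-protocol-aware balancer is in front. The hard-coded `nodePort` values 30810–30814 together with `allocateLoadBalancerNodePorts: true` additionally expose every listener (web, SSH proxy, Kubernetes, reverse tunnel, MySQL) on every node's port, bypassing the balancer; if the LB is the only intended entry point, `allocateLoadBalancerNodePorts: false` or a NetworkPolicy on the node ports narrows that. This Service is hand-written beside the chart's own proxy Service (same `app.kubernetes.io/component: proxy` selector), so a one-line comment explaining why a second Service is needed would help the next maintainer.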


@@ -0,0 +1,35 @@
{{- if .Values.highAvailability.certManager.enabled }}
You have enabled cert-manager support in high availability mode.
There may be a short delay before Teleport pods start while an ACME certificate is issued.
You can check the status of the certificate with `kubectl -n {{ .Release.Namespace }} describe certificate/{{ .Release.Name }}`
NOTE: For certificates to be provisioned, you must also install cert-manager (https://cert-manager.io/docs/) and configure an appropriate
Issuer with access to your DNS provider to handle DNS01 challenges (https://cert-manager.io/docs/configuration/acme/dns01/#supported-dns01-providers)
For more information, please see the Helm guides in the Teleport docs (https://goteleport.com/docs/kubernetes-access/helm/guides/)
{{- end }}
{{- if and .Values.podSecurityPolicy.enabled (semverCompare "<1.23.0-0" .Capabilities.KubeVersion.Version) }}
SECURITY WARNING: Kubernetes 1.25 removes PodSecurityPolicy support and Helm
doesn't support upgrading from 1.24 to 1.25 with PSPs enabled. Since version 12
the `teleport-cluster` chart doesn't deploy PSPs on Kubernetes 1.23 or older.
Instead, we recommend you to configure Pod Security AdmissionControllers for
the namespace "{{.Release.Namespace}}" by adding the label
`pod-security.kubernetes.io/enforce: baseline` on the namespace resource.
See https://goteleport.com/docs/deploy-a-cluster/helm-deployments/migration-kubernetes-1-25-psp/
To remove this warning, explicitly set "podSecurityPolicy.enabled=false".
{{- end }}
{{- if .Values.teleportVersionOverride }}
DANGER: `teleportVersionOverride` MUST NOT be used to control the Teleport version.
This chart is designed to run Teleport version {{ .Chart.AppVersion }}.
You will face compatibility issues trying to run a different Teleport version with it.
If you want to run Teleport version {{.Values.teleportVersionOverride}},
you should use `helm --version {{.Values.teleportVersionOverride}}` instead.
{{- end }}


@@ -0,0 +1,91 @@
{{/*
Create the name of the service account to use
if serviceAccount is not defined or serviceAccount.name is empty, use .Release.Name
*/}}
{{- define "teleport-cluster.auth.serviceAccountName" -}}
{{- coalesce .Values.serviceAccount.name .Release.Name -}}
{{- end -}}
{{- define "teleport-cluster.proxy.serviceAccountName" -}}
{{- coalesce .Values.serviceAccount.name .Release.Name -}}-proxy
{{- end -}}
{{- define "teleport-cluster.version" -}}
{{- coalesce .Values.teleportVersionOverride .Chart.Version }}
{{- end -}}
{{- define "teleport-cluster.majorVersion" -}}
{{- (semver (include "teleport-cluster.version" .)).Major -}}
{{- end -}}
{{- define "teleport-cluster.previousMajorVersion" -}}
{{- sub (include "teleport-cluster.majorVersion" . | atoi ) 1 -}}
{{- end -}}
{{/* Proxy selector labels */}}
{{- define "teleport-cluster.proxy.selectorLabels" -}}
app.kubernetes.io/name: '{{ default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}'
app.kubernetes.io/instance: '{{ .Release.Name }}'
app.kubernetes.io/component: 'proxy'
{{- end -}}
{{/* Proxy all labels */}}
{{- define "teleport-cluster.proxy.labels" -}}
{{ include "teleport-cluster.proxy.selectorLabels" . }}
helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
app.kubernetes.io/managed-by: '{{ .Release.Service }}'
app.kubernetes.io/version: '{{ include "teleport-cluster.version" . }}'
teleport.dev/majorVersion: '{{ include "teleport-cluster.majorVersion" . }}'
{{- end -}}
{{/* Auth pods selector labels */}}
{{- define "teleport-cluster.auth.selectorLabels" -}}
app.kubernetes.io/name: '{{ default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}'
app.kubernetes.io/instance: '{{ .Release.Name }}'
app.kubernetes.io/component: 'auth'
{{- end -}}
{{/* All pods all labels */}}
{{- define "teleport-cluster.labels" -}}
{{ include "teleport-cluster.selectorLabels" . }}
helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
app.kubernetes.io/managed-by: '{{ .Release.Service }}'
app.kubernetes.io/version: '{{ include "teleport-cluster.version" . }}'
teleport.dev/majorVersion: '{{ include "teleport-cluster.majorVersion" . }}'
{{- end -}}
{{/* All pods selector labels */}}
{{- define "teleport-cluster.selectorLabels" -}}
app.kubernetes.io/name: '{{ default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}'
app.kubernetes.io/instance: '{{ .Release.Name }}'
{{- end -}}
{{/* Auth pods all labels */}}
{{- define "teleport-cluster.auth.labels" -}}
{{ include "teleport-cluster.auth.selectorLabels" . }}
helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
app.kubernetes.io/managed-by: '{{ .Release.Service }}'
app.kubernetes.io/version: '{{ include "teleport-cluster.version" . }}'
teleport.dev/majorVersion: '{{ include "teleport-cluster.majorVersion" . }}'
{{- end -}}
{{/* ServiceNames are limited to 63 characters, we might have to truncate the ReleaseName
to make sure the auth serviceName won't exceed this limit */}}
{{- define "teleport-cluster.auth.serviceName" -}}
{{- .Release.Name | trunc 58 | trimSuffix "-" -}}-auth
{{- end -}}
{{- define "teleport-cluster.auth.currentVersionServiceName" -}}
{{- .Release.Name | trunc 54 | trimSuffix "-" -}}-auth-v{{ include "teleport-cluster.majorVersion" . }}
{{- end -}}
{{- define "teleport-cluster.auth.previousVersionServiceName" -}}
{{- .Release.Name | trunc 54 | trimSuffix "-" -}}-auth-v{{ include "teleport-cluster.previousMajorVersion" . }}
{{- end -}}
{{/* In most places we want to use the FQDN instead of relying on Kubernetes ndots behaviour
for performance reasons */}}
{{- define "teleport-cluster.auth.serviceFQDN" -}}
{{ include "teleport-cluster.auth.serviceName" . }}.{{ .Release.Namespace }}.svc.cluster.local
{{- end -}}


@@ -0,0 +1,26 @@
{{- define "teleport-cluster.auth.config.aws" -}}
{{ include "teleport-cluster.auth.config.common" . }}
storage:
type: dynamodb
region: {{ required "aws.region is required in chart values" .Values.aws.region }}
table_name: {{ required "aws.backendTable is required in chart values" .Values.aws.backendTable }}
{{- if .Values.aws.auditLogMirrorOnStdout }}
audit_events_uri: ['dynamodb://{{ required "aws.auditLogTable is required in chart values" .Values.aws.auditLogTable }}', 'stdout://']
{{- else }}
audit_events_uri: ['dynamodb://{{ required "aws.auditLogTable is required in chart values" .Values.aws.auditLogTable }}']
{{- end }}
audit_sessions_uri: s3://{{ required "aws.sessionRecordingBucket is required in chart values" .Values.aws.sessionRecordingBucket }}
continuous_backups: {{ required "aws.backups is required in chart values" .Values.aws.backups }}
{{- if .Values.aws.dynamoAutoScaling }}
auto_scaling: true
billing_mode: provisioned
read_min_capacity: {{ required "aws.readMinCapacity is required when aws.dynamoAutoScaling is true" .Values.aws.readMinCapacity }}
read_max_capacity: {{ required "aws.readMaxCapacity is required when aws.dynamoAutoScaling is true" .Values.aws.readMaxCapacity }}
read_target_value: {{ required "aws.readTargetValue is required when aws.dynamoAutoScaling is true" .Values.aws.readTargetValue }}
write_min_capacity: {{ required "aws.writeMinCapacity is required when aws.dynamoAutoScaling is true" .Values.aws.writeMinCapacity }}
write_max_capacity: {{ required "aws.writeMaxCapacity is required when aws.dynamoAutoScaling is true" .Values.aws.writeMaxCapacity }}
write_target_value: {{ required "aws.writeTargetValue is required when aws.dynamoAutoScaling is true" .Values.aws.writeTargetValue }}
{{- else }}
auto_scaling: false
{{- end }}
{{- end -}}


@@ -0,0 +1,38 @@
{{/* Helper to build the database connection string, adds paraneters if needed */}}
{{- define "teleport-cluster.auth.config.azure.conn_string.query" }}
{{- if .Values.azure.databasePoolMaxConnections -}}
{{- printf "sslmode=verify-full&pool_max_conns=%v" .Values.azure.databasePoolMaxConnections -}}
{{- else -}}
sslmode=verify-full
{{- end -}}
{{- end -}}
{{- define "teleport-cluster.auth.config.azure" -}}
{{ include "teleport-cluster.auth.config.common" . }}
storage:
type: postgresql
auth_mode: azure
conn_string: {{ urlJoin (dict
"scheme" "postgresql"
"userinfo" .Values.azure.databaseUser
"host" .Values.azure.databaseHost
"path" .Values.azure.backendDatabase
"query" (include "teleport-cluster.auth.config.azure.conn_string.query" .)
) | toYaml }}
audit_sessions_uri: {{ urlJoin (dict
"scheme" "azblob"
"host" .Values.azure.sessionRecordingStorageAccount
) | toYaml }}
audit_events_uri:
- {{ urlJoin (dict
"scheme" "postgresql"
"userinfo" .Values.azure.databaseUser
"host" .Values.azure.databaseHost
"path" .Values.azure.auditLogDatabase
"query" "sslmode=verify-full"
"fragment" "auth_mode=azure"
) | toYaml }}
{{- if .Values.azure.auditLogMirrorOnStdout }}
- "stdout://"
{{- end }}
{{- end -}}


@@ -0,0 +1,65 @@
{{- define "teleport-cluster.auth.config.common" -}}
{{- $authentication := mustMergeOverwrite .Values.authentication (default dict .Values.authenticationSecondFactor) -}}
{{- $logLevel := (coalesce .Values.logLevel .Values.log.level "INFO") -}}
version: v3
kubernetes_service:
enabled: true
listen_addr: 0.0.0.0:3026
public_addr: "{{ include "teleport-cluster.auth.serviceFQDN" . }}:3026"
{{- if .Values.kubeClusterName }}
kube_cluster_name: {{ .Values.kubeClusterName }}
{{- else }}
kube_cluster_name: {{ .Values.clusterName }}
{{- end }}
{{- if .Values.labels }}
labels: {{- toYaml .Values.labels | nindent 8 }}
{{- end }}
proxy_service:
enabled: false
ssh_service:
enabled: false
auth_service:
enabled: true
cluster_name: {{ required "clusterName is required in chart values" .Values.clusterName }}
{{- if .Values.enterprise }}
license_file: '/var/lib/license/license.pem'
{{- end }}
authentication:
type: "{{ required "authentication.type is required in chart values" (coalesce .Values.authenticationType $authentication.type) }}"
local_auth: {{ $authentication.localAuth }}
{{- if $authentication.connectorName }}
connector_name: "{{ $authentication.connectorName }}"
{{- end }}
{{- if $authentication.lockingMode }}
locking_mode: "{{ $authentication.lockingMode }}"
{{- end }}
{{- if $authentication.secondFactor }}
second_factor: "{{ $authentication.secondFactor }}"
{{- if not (or (eq $authentication.secondFactor "off") (eq $authentication.secondFactor "otp")) }}
webauthn:
rp_id: {{ required "clusterName is required in chart values" .Values.clusterName }}
{{- if $authentication.webauthn }}
{{- if $authentication.webauthn.attestationAllowedCas }}
attestation_allowed_cas: {{- toYaml $authentication.webauthn.attestationAllowedCas | nindent 12 }}
{{- end }}
{{- if $authentication.webauthn.attestationDeniedCas }}
attestation_denied_cas: {{- toYaml $authentication.webauthn.attestationDeniedCas | nindent 12 }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.sessionRecording }}
session_recording: {{ .Values.sessionRecording }}
{{- end }}
{{- if .Values.proxyListenerMode }}
proxy_listener_mode: {{ .Values.proxyListenerMode }}
{{- end }}
teleport:
auth_server: 127.0.0.1:3025
log:
severity: {{ $logLevel }}
output: {{ .Values.log.output }}
format:
output: {{ .Values.log.format }}
extra_fields: {{ .Values.log.extraFields | toJson }}
{{- end -}}


@@ -0,0 +1,16 @@
{{- define "teleport-cluster.auth.config.gcp" -}}
{{ include "teleport-cluster.auth.config.common" . }}
storage:
type: firestore
project_id: {{ required "gcp.projectId is required in chart values" .Values.gcp.projectId }}
collection_name: {{ required "gcp.backendTable is required in chart values" .Values.gcp.backendTable }}
{{- if .Values.gcp.credentialSecretName }}
credentials_path: /etc/teleport-secrets/gcp-credentials.json
{{- end }}
{{- if .Values.gcp.auditLogMirrorOnStdout }}
audit_events_uri: ['firestore://{{ required "gcp.auditLogTable is required in chart values" .Values.gcp.auditLogTable }}?projectID={{ required "gcp.projectId is required in chart values" .Values.gcp.projectId }}{{ empty .Values.gcp.credentialSecretName | ternary "" "&credentialsPath=/etc/teleport-secrets/gcp-credentials.json"}}', 'stdout://']
{{- else }}
audit_events_uri: ['firestore://{{ required "gcp.auditLogTable is required in chart values" .Values.gcp.auditLogTable }}?projectID={{ required "gcp.projectId is required in chart values" .Values.gcp.projectId }}{{ empty .Values.gcp.credentialSecretName | ternary "" "&credentialsPath=/etc/teleport-secrets/gcp-credentials.json"}}']
{{- end }}
audit_sessions_uri: "gs://{{ required "gcp.sessionRecordingBucket is required in chart values" .Values.gcp.sessionRecordingBucket }}?projectID={{ required "gcp.projectId is required in chart values" .Values.gcp.projectId }}{{ empty .Values.gcp.credentialSecretName | ternary "" "&credentialsPath=/etc/teleport-secrets/gcp-credentials.json"}}"
{{- end -}}


@@ -0,0 +1,12 @@
{{- define "teleport-cluster.auth.config.scratch" -}}
proxy_service:
enabled: false
ssh_service:
enabled: false
auth_service:
enabled: true
{{- end -}}
{{- define "teleport-cluster.auth.config.custom" -}}
{{ fail "'custom' mode has been removed with chart v12 because of the proxy/auth split breaking change, see https://goteleport.com/docs/deploy-a-cluster/helm-deployments/migration-v12/" }}
{{- end -}}


@@ -0,0 +1,3 @@
{{- define "teleport-cluster.auth.config.standalone" -}}
{{ include "teleport-cluster.auth.config.common" . }}
{{- end -}}


@@ -0,0 +1,71 @@
{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ .Release.Name }}
rules:
- apiGroups:
- ""
resources:
- users
- groups
- serviceaccounts
verbs:
- impersonate
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- apiGroups:
- "authorization.k8s.io"
resources:
- selfsubjectaccessreviews
verbs:
- create
{{ if .Values.operator.enabled }}
- apiGroups:
- "resources.teleport.dev"
resources:
- teleportroles
- teleportroles/status
- teleportusers
- teleportusers/status
- teleportgithubconnectors
- teleportgithubconnectors/status
- teleportoidcconnectors
- teleportoidcconnectors/status
- teleportsamlconnectors
- teleportsamlconnectors/status
- teleportloginrules
- teleportloginrules/status
- teleportprovisiontokens
- teleportprovisiontokens/status
- teleportoktaimportrules
- teleportoktaimportrules/status
verbs:
- get
- list
- patch
- update
- watch
- apiGroups:
- "coordination.k8s.io"
resources:
- leases
verbs:
- create
- get
- update
- apiGroups:
- ""
resources:
- events
verbs:
- create
{{- end -}}
{{- end -}}


@@ -0,0 +1,31 @@
{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ .Release.Name }}
labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ .Release.Name }}
subjects:
- kind: ServiceAccount
name: {{ include "teleport-cluster.auth.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
---
# This ClusterRoleBinding allows the auth service-account to validate Kubernetes tokens
# This is required for proxies to join using their Kubernetes tokens
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ .Release.Name }}-auth
labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: {{ include "teleport-cluster.auth.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end }}


@@ -0,0 +1,28 @@
{{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}}
{{- $configTemplate := printf "teleport-cluster.auth.config.%s" $auth.chartMode -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Release.Name }}-auth
namespace: {{ .Release.Namespace }}
labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
{{- if $auth.annotations.config }}
annotations: {{- toYaml $auth.annotations.config | nindent 4 }}
{{- end }}
data:
{{- if $auth.createProxyToken }}
apply-on-startup.yaml: |2
kind: token
version: v2
metadata:
name: {{ .Release.Name }}-proxy
expires: "2050-01-01T00:00:00Z"
spec:
roles: [Proxy]
join_method: kubernetes
kubernetes:
allow:
- service_account: "{{ .Release.Namespace }}:{{ include "teleport-cluster.proxy.serviceAccountName" . }}"
{{- end }}
teleport.yaml: |2
{{- mustMergeOverwrite (include $configTemplate . | fromYaml) $auth.teleportConfig | toYaml | nindent 4 -}}


@@ -0,0 +1,321 @@
{{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}}
{{- $replicated := gt (int $auth.highAvailability.replicaCount) 1 -}}
{{- $projectedServiceAccountToken := semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Release.Name }}-auth
namespace: {{ .Release.Namespace }}
labels:
{{- include "teleport-cluster.auth.labels" . | nindent 4 }}
app: {{ .Release.Name }}
{{- if $auth.annotations.deployment }}
annotations: {{- toYaml $auth.annotations.deployment | nindent 4 }}
{{- end }}
spec:
replicas: {{ $auth.highAvailability.replicaCount }}
{{- if and $replicated $auth.highAvailability.minReadySeconds }}
minReadySeconds: {{ $auth.highAvailability.minReadySeconds }}
{{- end }}
strategy:
{{- if $replicated }}
# some backends support a maximum amount of auth pods (e.g. DynamoDB),
# we don't want to exceed this during a rollout.
type: RollingUpdate
rollingUpdate:
maxSurge: 0
maxUnavailable: 1
{{- else }}
# using a single replica can be because of a non-replicable storage or when applying upgrade migrations.
# In those cases, we don't want a rolling update.
type: Recreate
{{- end }}
selector:
matchLabels: {{- include "teleport-cluster.auth.selectorLabels" . | nindent 6 }}
template:
metadata:
annotations:
# ConfigMap checksum, to recreate the pod on config changes.
checksum/config: {{ include (print $.Template.BasePath "/auth/config.yaml") . | sha256sum }}
{{- if $auth.annotations.pod }}
{{- toYaml $auth.annotations.pod | nindent 8 }}
{{- end }}
labels:
{{- include "teleport-cluster.auth.labels" . | nindent 8 }}
app: {{ .Release.Name }}
{{- if eq $auth.chartMode "azure"}}
azure.workload.identity/use: "true"
{{- end }}
spec:
{{- if $auth.nodeSelector }}
nodeSelector: {{- toYaml $auth.nodeSelector | nindent 8 }}
{{- end }}
affinity:
{{- if $auth.affinity }}
{{- if $auth.highAvailability.requireAntiAffinity }}
{{- fail "Cannot use highAvailability.requireAntiAffinity when affinity is also set in chart values - unset one or the other" }}
{{- end }}
{{- toYaml $auth.affinity | nindent 8 }}
{{- else }}
podAntiAffinity:
{{- if $auth.highAvailability.requireAntiAffinity }}
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app.kubernetes.io/instance
operator: In
values:
- {{ .Release.Name }}
- key: app.kubernetes.io/component
operator: In
values:
- auth
topologyKey: "kubernetes.io/hostname"
{{- else if $replicated }}
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 50
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/instance
operator: In
values:
- {{ .Release.Name }}
- key: app.kubernetes.io/component
operator: In
values:
- auth
topologyKey: "kubernetes.io/hostname"
{{- end }}
{{- end }}
{{- if $auth.tolerations }}
tolerations: {{- toYaml $auth.tolerations | nindent 6 }}
{{- end }}
{{- if $auth.imagePullSecrets }}
imagePullSecrets:
{{- toYaml $auth.imagePullSecrets | nindent 6 }}
{{- end }}
{{- if $auth.initContainers }}
initContainers:
{{- range $initContainer := $auth.initContainers }}
{{- if and (not $initContainer.resources) $auth.resources }}
{{- $_ := set $initContainer "resources" $auth.resources }}
{{- end }}
{{- list $initContainer | toYaml | nindent 8 }}
{{- /* Note: this will break if the user sets volumeMounts to its initContainer */}}
volumeMounts:
{{- if $auth.enterprise }}
- mountPath: /var/lib/license
name: "license"
readOnly: true
{{- end }}
{{- if and ($auth.gcp.credentialSecretName) (eq $auth.chartMode "gcp") }}
- mountPath: /etc/teleport-secrets
name: "gcp-credentials"
readOnly: true
{{- end }}
- mountPath: /etc/teleport
name: "config"
readOnly: true
- mountPath: /var/lib/teleport
name: "data"
{{- if $projectedServiceAccountToken }}
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: auth-serviceaccount-token
readOnly: true
{{- end }}
{{- if $auth.extraVolumeMounts }}
{{- toYaml $auth.extraVolumeMounts | nindent 10 }}
{{- end }}
{{- end }}
{{- end }}
containers:
- name: "teleport"
image: '{{ if $auth.enterprise }}{{ $auth.enterpriseImage }}{{ else }}{{ $auth.image }}{{ end }}:{{ include "teleport-cluster.version" . }}'
imagePullPolicy: {{ $auth.imagePullPolicy }}
{{- if or $auth.extraEnv $auth.tls.existingCASecretName }}
env:
{{- if (gt (len $auth.extraEnv) 0) }}
{{- toYaml $auth.extraEnv | nindent 8 }}
{{- end }}
{{- if $auth.tls.existingCASecretName }}
- name: SSL_CERT_FILE
value: /etc/teleport-tls-ca/ca.pem
{{- end }}
{{- end }}
args:
- "--diag-addr=0.0.0.0:3000"
{{- if $auth.insecureSkipProxyTLSVerify }}
- "--insecure"
{{- end }}
{{- if $auth.createProxyToken }}
- "--apply-on-startup=/etc/teleport/apply-on-startup.yaml"
{{- end }}
{{- if $auth.extraArgs }}
{{- toYaml $auth.extraArgs | nindent 8 }}
{{- end }}
ports:
- name: diag
containerPort: 3000
protocol: TCP
- name: auth
containerPort: 3025
protocol: TCP
- name: kube
containerPort: 3026
protocol: TCP
livenessProbe:
httpGet:
path: /healthz
port: diag
initialDelaySeconds: 5 # wait 5s for agent to start
periodSeconds: 5 # poll health every 5s
failureThreshold: 6 # consider agent unhealthy after 30s (6 * 5s)
timeoutSeconds: {{ .Values.probeTimeoutSeconds }}
readinessProbe:
httpGet:
path: /readyz
port: diag
initialDelaySeconds: 5 # wait 5s for agent to register
periodSeconds: 5 # poll health every 5s
failureThreshold: 12 # consider agent unhealthy after 60s (12 * 5s)
timeoutSeconds: {{ .Values.probeTimeoutSeconds }}
lifecycle:
# waiting during preStop ensures no new request will hit the Terminating pod
# on clusters using kube-proxy (kube-proxy syncs the node iptables rules every 30s)
preStop:
exec:
command:
- teleport
- wait
- duration
- 30s
{{- if $auth.postStart.command }}
postStart:
exec:
command: {{ toYaml $auth.postStart.command | nindent 14 }}
{{- end }}
{{- if $auth.resources }}
resources:
{{- toYaml $auth.resources | nindent 10 }}
{{- end }}
{{- if $auth.securityContext }}
securityContext: {{- toYaml $auth.securityContext | nindent 10 }}
{{- end }}
volumeMounts:
{{- if $auth.enterprise }}
- mountPath: /var/lib/license
name: "license"
readOnly: true
{{- end }}
{{- if and ($auth.gcp.credentialSecretName) (eq $auth.chartMode "gcp") }}
- mountPath: /etc/teleport-secrets
name: "gcp-credentials"
readOnly: true
{{- end }}
{{- if $auth.tls.existingCASecretName }}
- mountPath: /etc/teleport-tls-ca
name: "teleport-tls-ca"
readOnly: true
{{- end }}
- mountPath: /etc/teleport
name: "config"
readOnly: true
- mountPath: /var/lib/teleport
name: "data"
{{- if $projectedServiceAccountToken }}
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: auth-serviceaccount-token
readOnly: true
{{- end }}
{{- if $auth.extraVolumeMounts }}
{{- toYaml $auth.extraVolumeMounts | nindent 8 }}
{{- end }}
{{- /* Operator uses '.Values' instead of '$auth' as it will likely be moved out of the auth pods */}}
{{- if .Values.operator.enabled }}
- name: "operator"
image: '{{ .Values.operator.image }}:{{ include "teleport-cluster.version" . }}'
imagePullPolicy: {{ .Values.imagePullPolicy }}
livenessProbe:
httpGet:
path: /healthz
port: 8081
initialDelaySeconds: 15
periodSeconds: 20
readinessProbe:
httpGet:
path: /readyz
port: 8081
initialDelaySeconds: 5
periodSeconds: 10
{{- if .Values.operator.resources }}
resources: {{- toYaml .Values.operator.resources | nindent 10 }}
{{- end }}
volumeMounts:
- mountPath: /etc/teleport
name: "config"
readOnly: true
- mountPath: /var/lib/teleport
name: "data"
{{- if $projectedServiceAccountToken }}
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: auth-serviceaccount-token
readOnly: true
{{- end }}
{{ end }}
{{- if $projectedServiceAccountToken }}
automountServiceAccountToken: false
{{- end }}
volumes:
{{- if $projectedServiceAccountToken }}
# This projected token volume mimics the `automountServiceAccountToken`
# behaviour but defaults to a 1h TTL instead of 1y.
- name: auth-serviceaccount-token
projected:
sources:
- serviceAccountToken:
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- path: "namespace"
fieldRef:
fieldPath: metadata.namespace
{{- end }}
{{- if $auth.enterprise }}
- name: license
secret:
secretName: "license"
{{- end }}
{{- if and ($auth.gcp.credentialSecretName) (eq $auth.chartMode "gcp") }}
- name: gcp-credentials
secret:
secretName: {{ $auth.gcp.credentialSecretName | quote }}
{{- end }}
{{- if $auth.tls.existingCASecretName }}
- name: teleport-tls-ca
secret:
secretName: {{ $auth.tls.existingCASecretName }}
{{- end }}
- name: "config"
configMap:
name: {{ .Release.Name }}-auth
- name: "data"
{{- if and ($auth.persistence.enabled) ( and (not (eq $auth.chartMode "gcp")) (not (eq $auth.chartMode "aws")) (not (eq $auth.chartMode "azure"))) }}
persistentVolumeClaim:
claimName: {{ if $auth.persistence.existingClaimName }}{{ $auth.persistence.existingClaimName }}{{ else }}{{ .Release.Name }}{{ end }}
{{- else }}
emptyDir: {}
{{- end }}
{{- if $auth.extraVolumes }}
{{- toYaml $auth.extraVolumes | nindent 6 }}
{{- end }}
{{- if $auth.priorityClassName }}
priorityClassName: {{ $auth.priorityClassName }}
{{- end }}
serviceAccountName: {{ include "teleport-cluster.auth.serviceAccountName" . }}
terminationGracePeriodSeconds: {{ $auth.terminationGracePeriodSeconds }}


@@ -0,0 +1,17 @@
{{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}}
{{- if $auth.highAvailability.podDisruptionBudget.enabled }}
{{- if .Capabilities.APIVersions.Has "policy/v1" }}
apiVersion: policy/v1
{{- else }}
apiVersion: policy/v1beta1
{{- end }}
kind: PodDisruptionBudget
metadata:
name: {{ .Release.Name }}-auth
namespace: {{ .Release.Namespace }}
labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
spec:
minAvailable: {{ $auth.highAvailability.podDisruptionBudget.minAvailable }}
selector:
matchLabels: {{- include "teleport-cluster.auth.selectorLabels" . | nindent 6 }}
{{- end }}


@@ -0,0 +1,31 @@
{{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}}
{{- if $auth.validateConfigOnDeploy }}
{{- $configTemplate := printf "teleport-cluster.auth.config.%s" $auth.chartMode -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Release.Name }}-auth-test
namespace: {{ .Release.Namespace }}
labels: {{- include "teleport-cluster.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "4"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
data:
{{- if $auth.createProxyToken }}
apply-on-startup.yaml: |2
kind: token
version: v2
metadata:
name: {{ .Release.Name }}-proxy
expires: "3000-01-01T00:00:00Z"
spec:
roles: [Proxy]
join_method: kubernetes
kubernetes:
allow:
- service_account: "{{ .Release.Namespace }}:{{ include "teleport-cluster.proxy.serviceAccountName" . }}"
{{- end }}
teleport.yaml: |2
{{- mustMergeOverwrite (include $configTemplate . | fromYaml) $auth.teleportConfig | toYaml | nindent 4 -}}
{{- end }}


@@ -0,0 +1,103 @@
{{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}}
{{- if $auth.validateConfigOnDeploy }}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ .Release.Name }}-auth-test
namespace: {{ .Release.Namespace }}
labels: {{- include "teleport-cluster.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "5"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
backoffLimit: 1
template:
spec:
{{- if $auth.affinity }}
affinity: {{- toYaml $auth.affinity | nindent 8 }}
{{- end }}
{{- if $auth.tolerations }}
tolerations: {{- toYaml $auth.tolerations | nindent 6 }}
{{- end }}
{{- if $auth.imagePullSecrets }}
imagePullSecrets:
{{- toYaml $auth.imagePullSecrets | nindent 6 }}
{{- end }}
restartPolicy: Never
containers:
- name: "teleport-config-check"
image: '{{ if $auth.enterprise }}{{ $auth.enterpriseImage }}{{ else }}{{ $auth.image }}{{ end }}:{{ include "teleport-cluster.version" . }}'
imagePullPolicy: {{ $auth.imagePullPolicy }}
{{- if $auth.resources }}
resources:
{{- toYaml $auth.resources | nindent 10 }}
{{- end }}
{{- if or $auth.extraEnv $auth.tls.existingCASecretName }}
env:
{{- if (gt (len $auth.extraEnv) 0) }}
{{- toYaml $auth.extraEnv | nindent 8 }}
{{- end }}
{{- if $auth.tls.existingCASecretName }}
- name: SSL_CERT_FILE
value: /etc/teleport-tls-ca/ca.pem
{{- end }}
{{- end }}
command:
- "teleport"
- "configure"
args:
- "--test"
- "/etc/teleport/teleport.yaml"
{{- if .Values.securityContext }}
securityContext: {{- toYaml .Values.securityContext | nindent 10 }}
{{- end }}
volumeMounts:
{{- if .Values.enterprise }}
- mountPath: /var/lib/license
name: "license"
readOnly: true
{{- end }}
{{- if and (.Values.gcp.credentialSecretName) (eq .Values.chartMode "gcp") }}
- mountPath: /etc/teleport-secrets
name: "gcp-credentials"
readOnly: true
{{- end }}
{{- if .Values.tls.existingCASecretName }}
- mountPath: /etc/teleport-tls-ca
name: "teleport-tls-ca"
readOnly: true
{{- end }}
- mountPath: /etc/teleport
name: "config"
readOnly: true
- mountPath: /var/lib/teleport
name: "data"
{{- if .Values.extraVolumeMounts }}
{{- toYaml .Values.extraVolumeMounts | nindent 8 }}
{{- end }}
volumes:
{{- if .Values.enterprise }}
- name: license
secret:
secretName: "license"
{{- end }}
{{- if and (.Values.gcp.credentialSecretName) (eq .Values.chartMode "gcp") }}
- name: gcp-credentials
secret:
secretName: {{ .Values.gcp.credentialSecretName | quote }}
{{- end }}
{{- if .Values.tls.existingCASecretName }}
- name: teleport-tls-ca
secret:
secretName: {{ .Values.tls.existingCASecretName }}
{{- end }}
- name: "config"
configMap:
name: {{ .Release.Name }}-auth-test
- name: "data"
emptyDir: {}
{{- if .Values.extraVolumes }}
{{- toYaml .Values.extraVolumes | nindent 6 }}
{{- end }}
{{- end }}


@@ -0,0 +1,24 @@
{{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}}
{{- if $auth.persistence.enabled }}
{{/* Disable persistence for cloud modes */}}
{{- if and (not (eq $auth.chartMode "aws")) (not (eq $auth.chartMode "gcp")) (not (eq $auth.chartMode "azure")) }}
{{/* No need to create a PVC if we reuse an existing claim */}}
{{- if not $auth.persistence.existingClaimName }}
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
spec:
accessModes:
- ReadWriteOnce
{{- if $auth.persistence.storageClassName }}
storageClassName: {{ $auth.persistence.storageClassName }}
{{- end }}
resources:
requests:
storage: {{ required "persistence.volumeSize is required in chart values" $auth.persistence.volumeSize }}
{{- end }}
{{- end }}
{{- end }}


@@ -0,0 +1,31 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "teleport-cluster.auth.previousVersionServiceName" . }}
namespace: {{ .Release.Namespace }}
labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
spec:
# This is a headless service. Resolving it will return the list of all auth pods running the previous major version
# Proxies should not connect to auth pods from the previous major version
# Proxy rollout should be held until this headLessService does not match pods anymore.
clusterIP: "None"
# Publishing not ready addresses ensures that unhealthy or terminating pods are still accounted for
publishNotReadyAddresses: true
selector:
{{- include "teleport-cluster.auth.selectorLabels" . | nindent 4 }}
teleport.dev/majorVersion: {{ include "teleport-cluster.previousMajorVersion" . | quote }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ include "teleport-cluster.auth.currentVersionServiceName" . }}
namespace: {{ .Release.Namespace }}
labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
spec:
# This is a headless service. Resolving it will return the list of all auth pods running the current major version
clusterIP: "None"
# Publishing not ready addresses ensures that unhealthy or terminating pods are still accounted for
publishNotReadyAddresses: true
selector:
{{- include "teleport-cluster.auth.selectorLabels" . | nindent 4 }}
teleport.dev/majorVersion: {{ include "teleport-cluster.majorVersion" . | quote }}


@@ -0,0 +1,21 @@
{{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}}
apiVersion: v1
kind: Service
metadata:
name: {{ include "teleport-cluster.auth.serviceName" . }}
namespace: {{ .Release.Namespace }}
labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
{{- if $auth.annotations.service }}
annotations: {{- toYaml $auth.annotations.service | nindent 4 }}
{{- end }}
spec:
ports:
- name: auth
port: 3025
targetPort: 3025
protocol: TCP
- name: kube
port: 3026
targetPort: 3026
protocol: TCP
selector: {{- include "teleport-cluster.auth.selectorLabels" . | nindent 4 }}


@@ -0,0 +1,17 @@
{{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}}
{{- if $auth.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "teleport-cluster.auth.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- if or $auth.annotations.serviceAccount $auth.azure.clientID }}
annotations:
{{- if $auth.annotations.serviceAccount }}
{{- toYaml $auth.annotations.serviceAccount | nindent 4 }}
{{- end }}
{{- if $auth.azure.clientID }}
azure.workload.identity/client-id: "{{ $auth.azure.clientID }}"
{{- end }}
{{- end -}}
{{- end }}


@@ -0,0 +1,31 @@
{{- if.Values.podMonitor.enabled -}}
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "teleport-cluster.labels" . | nindent 4 }}
{{- with .Values.podMonitor.additionalLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
jobLabel: {{ .Release.Name }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
selector:
matchLabels: {{- include "teleport-cluster.selectorLabels" . | nindent 6 }}
podMetricsEndpoints:
- port: diag
path: /metrics
{{- with .Values.podMonitor.interval }}
interval: {{ . | quote }}
{{- end }}
podTargetLabels:
- "app.kubernetes.io/name"
- "app.kubernetes.io/instance"
- "app.kubernetes.io/component"
- "app.kubernetes.io/version"
- "teleport.dev/majorVersion"
{{- end }}
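Review bot: `{{- if.Values.podMonitor.enabled -}}` on the first line of this hunk is missing the space between `if` and `.Values`; Go's template lexer happens to accept it because `.` terminates the keyword, but it reads as a typo and differs from every other condition in these templates, so `{{- if .Values.podMonitor.enabled -}}` is the form to use. In the same hunk, `jobLabel: {{ .Release.Name }}` and the `matchNames` entry `- {{ .Release.Namespace }}` are emitted as plain scalars; an all-digit release or namespace name is a valid DNS label but would be parsed as an integer, so piping both through `| quote`, as the `interval` line already does, is the safer form.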


@@ -0,0 +1,3 @@
{{- define "teleport-cluster.proxy.config.aws" -}}
{{ include "teleport-cluster.proxy.config.common" . }}
{{- end -}}


@@ -0,0 +1,3 @@
{{- define "teleport-cluster.proxy.config.azure" -}}
{{ include "teleport-cluster.proxy.config.common" . }}
{{- end -}}


@@ -0,0 +1,76 @@
{{- define "teleport-cluster.proxy.config.common" -}}
{{- $logLevel := (coalesce .Values.logLevel .Values.log.level "INFO") -}}
version: v3
teleport:
join_params:
method: kubernetes
token_name: "{{.Release.Name}}-proxy"
auth_server: "{{ include "teleport-cluster.auth.serviceFQDN" . }}:3025"
log:
severity: {{ $logLevel }}
output: {{ .Values.log.output }}
format:
output: {{ .Values.log.format }}
extra_fields: {{ .Values.log.extraFields | toJson }}
ssh_service:
enabled: false
auth_service:
enabled: false
proxy_service:
enabled: true
{{- if .Values.publicAddr }}
public_addr: {{- toYaml .Values.publicAddr | nindent 8 }}
{{- else }}
public_addr: '{{ required "clusterName is required in chart values" .Values.clusterName }}:443'
{{- end }}
{{- if ne .Values.proxyListenerMode "multiplex" }}
listen_addr: 0.0.0.0:3023
{{- if .Values.sshPublicAddr }}
ssh_public_addr: {{- toYaml .Values.sshPublicAddr | nindent 8 }}
{{- end }}
tunnel_listen_addr: 0.0.0.0:3024
{{- if .Values.tunnelPublicAddr }}
tunnel_public_addr: {{- toYaml .Values.tunnelPublicAddr | nindent 8 }}
{{- end }}
kube_listen_addr: 0.0.0.0:3026
{{- if .Values.kubePublicAddr }}
kube_public_addr: {{- toYaml .Values.kubePublicAddr | nindent 8 }}
{{- end }}
mysql_listen_addr: 0.0.0.0:3036
{{- if .Values.mysqlPublicAddr }}
mysql_public_addr: {{- toYaml .Values.mysqlPublicAddr | nindent 8 }}
{{- end }}
{{- if .Values.separatePostgresListener }}
postgres_listen_addr: 0.0.0.0:5432
{{- if .Values.postgresPublicAddr }}
postgres_public_addr: {{- toYaml .Values.postgresPublicAddr | nindent 8 }}
{{- else }}
postgres_public_addr: {{ .Values.clusterName }}:5432
{{- end }}
{{- end }}
{{- if .Values.separateMongoListener }}
mongo_listen_addr: 0.0.0.0:27017
{{- if .Values.mongoPublicAddr }}
mongo_public_addr: {{- toYaml .Values.mongoPublicAddr | nindent 8 }}
{{- else }}
mongo_public_addr: {{ .Values.clusterName }}:27017
{{- end }}
{{- end }}
{{- end }}
{{- if or .Values.highAvailability.certManager.enabled .Values.tls.existingSecretName }}
https_keypairs:
- key_file: /etc/teleport-tls/tls.key
cert_file: /etc/teleport-tls/tls.crt
https_keypairs_reload_interval: 12h
{{- else if .Values.acme }}
acme:
enabled: {{ .Values.acme }}
email: {{ required "acmeEmail is required in chart values" .Values.acmeEmail }}
{{- if .Values.acmeURI }}
uri: {{ .Values.acmeURI }}
{{- end }}
{{- end }}
{{- if and .Values.ingress.enabled (semverCompare ">= 13.2.0-0" (include "teleport-cluster.version" .)) }}
trust_x_forwarded_for: true
{{- end }}
{{- end -}}
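Review bot: `trust_x_forwarded_for: true`, emitted near the end of the hunk whenever `ingress.enabled` is set on a chart version at or above 13.2.0, tells the proxy to take the client address from the X-Forwarded-For header, which is only correct when every request reaches the proxy through the ingress; a proxy that is also reachable directly would accept a client-supplied header as the source address for whatever it records or enforces from it. The template does not state that precondition, so I would add a template comment above the `if and .Values.ingress.enabled` line: `{{- /* trust_x_forwarded_for makes the proxy trust the client IP in X-Forwarded-For; only safe when the ingress is the sole path to the proxy. */ -}}`. Separately, `postgres_public_addr: {{ .Values.clusterName }}:5432` and the matching mongo line emit `host:port` unquoted while the HTTPS `public_addr` fallback wraps the same shape in single quotes; quoting all three the same way keeps the rendered config consistent and avoids plain-scalar ambiguity for unusual cluster names.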
