Teleport - version 업그레이드

2024-01-22 13:22:46 +09:00
parent f331ea9bc4
commit d85af16c93
6 changed files with 39 additions and 24 deletions
--- a/helm/teleport-cluster/Chart.yaml
+++ b/helm/teleport-cluster/Chart.yaml
@@ -1,13 +1,13 @@
 apiVersion: v2
-appVersion: 14.2.0
+appVersion: 14.3.0
 dependencies:
 - condition: installCRDs,operator.enabled
  name: teleport-operator
  repository: ""
-  version: 14.2.0
+  version: 14.3.0
 description: Teleport is an access platform for your infrastructure
 icon: https://goteleport.com/images/logos/logo-teleport-square.svg
 keywords:
 - Teleport
 name: teleport-cluster
-version: 14.2.0
+version: 14.3.0
--- a/helm/teleport-cluster/charts/teleport-operator/Chart.yaml
+++ b/helm/teleport-cluster/charts/teleport-operator/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v2
-appVersion: 14.2.0
+appVersion: 14.3.0
 description: Teleport Operator provides management of select Teleport resources.
 icon: https://goteleport.com/images/logos/logo-teleport-square.svg
 keywords:
 - Teleport
 name: teleport-operator
-version: 14.2.0
+version: 14.3.0
--- a/helm/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_provisiontokens.yaml
+++ b/helm/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_provisiontokens.yaml
@@ -181,6 +181,16 @@ spec:
                      must be accessible over HTTPS at this hostname and the certificate
                      must be trusted by the Auth Server.
                    type: string
+                  enterprise_slug:
+                    description: EnterpriseSlug allows the slug of a GitHub Enterprise
+                      organisation to be included in the expected issuer of the OIDC
+                      tokens. This is for compatibility with the `include_enterprise_slug`
+                      option in GHE.  This field should be set to the slug of your
+                      enterprise if this is enabled. If this is not enabled, then
+                      this field must be left empty. This field cannot be specified
+                      if `enterprise_server_host` is specified.  See https://docs.github.com/en/enterprise-cloud@latest/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#customizing-the-issuer-value-for-an-enterprise
+                      for more information about customised issuer values.
+                    type: string
                type: object
              gitlab:
                description: GitLab allows the configuration of options specific to
--- a/helm/teleport-cluster/tests/snapshot/auth_deployment_test.yaml.snap
+++ b/helm/teleport-cluster/tests/snapshot/auth_deployment_test.yaml.snap
@@ -1,6 +1,6 @@
 should add an operator side-car when operator is enabled:
  1: |
-    image: public.ecr.aws/gravitational/teleport-operator:14.2.0
+    image: public.ecr.aws/gravitational/teleport-operator:14.3.0
    imagePullPolicy: IfNotPresent
    livenessProbe:
      httpGet:
@@ -41,7 +41,7 @@ should add an operator side-car when operator is enabled:
    - args:
      - --diag-addr=0.0.0.0:3000
      - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
-      image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.0
      imagePullPolicy: IfNotPresent
      lifecycle:
        preStop:
@@ -174,7 +174,7 @@ should set nodeSelector when set in values:
    - args:
      - --diag-addr=0.0.0.0:3000
      - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
-      image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.0
      imagePullPolicy: IfNotPresent
      lifecycle:
        preStop:
@@ -271,7 +271,7 @@ should set resources when set in values:
    - args:
      - --diag-addr=0.0.0.0:3000
      - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
-      image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.0
      imagePullPolicy: IfNotPresent
      lifecycle:
        preStop:
@@ -357,7 +357,7 @@ should set securityContext when set in values:
    - args:
      - --diag-addr=0.0.0.0:3000
      - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
-      image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.0
      imagePullPolicy: IfNotPresent
      lifecycle:
        preStop:
--- a/helm/teleport-cluster/tests/snapshot/proxy_deployment_test.yaml.snap
+++ b/helm/teleport-cluster/tests/snapshot/proxy_deployment_test.yaml.snap
@@ -5,7 +5,7 @@ should provision initContainer correctly when set in values:
      - wait
      - no-resolve
      - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.0
      name: wait-auth-update
    - args:
      - echo test
@@ -62,7 +62,7 @@ should set nodeSelector when set in values:
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
-      image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.0
      imagePullPolicy: IfNotPresent
      lifecycle:
        preStop:
@@ -123,7 +123,7 @@ should set nodeSelector when set in values:
      - wait
      - no-resolve
      - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.0
      name: wait-auth-update
    nodeSelector:
      environment: security
@@ -174,7 +174,7 @@ should set resources when set in values:
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
-      image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.0
      imagePullPolicy: IfNotPresent
      lifecycle:
        preStop:
@@ -242,7 +242,7 @@ should set resources when set in values:
      - wait
      - no-resolve
      - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.0
      name: wait-auth-update
    serviceAccountName: RELEASE-NAME-proxy
    terminationGracePeriodSeconds: 60
@@ -275,7 +275,7 @@ should set securityContext for initContainers when set in values:
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
-      image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.0
      imagePullPolicy: IfNotPresent
      lifecycle:
        preStop:
@@ -343,7 +343,7 @@ should set securityContext for initContainers when set in values:
      - wait
      - no-resolve
      - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.0
      name: wait-auth-update
      securityContext:
        allowPrivilegeEscalation: false
@@ -383,7 +383,7 @@ should set securityContext when set in values:
    containers:
    - args:
      - --diag-addr=0.0.0.0:3000
-      image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.0
      imagePullPolicy: IfNotPresent
      lifecycle:
        preStop:
@@ -451,7 +451,7 @@ should set securityContext when set in values:
      - wait
      - no-resolve
      - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.0
      name: wait-auth-update
      securityContext:
        allowPrivilegeEscalation: false
--- a/helm/teleport-cluster/values.yaml
+++ b/helm/teleport-cluster/values.yaml
@@ -55,9 +55,10 @@ teleportVersionOverride: ""
 # proxyProtocol: on

 # The `teleport-cluster` charts deploys two sets of pods: auth and proxy.
-# `auth` contains values specific for the auth pods. You can use it to
-#  set specific values for auth pods, taking precedence over chart-scoped values.
-# For example, to override the [`postStart`](#postStart) value only for auth pods:
+#
+# `auth` allows you to set chart values only for Kubernetes resources related to the Teleport Auth Service.
+# This is merged with chart-scoped values and takes precedence in case of conflict.
+# For example:
 #
 # auth:
 #  postStart: ["curl", "http://hook"]
@@ -79,11 +80,15 @@ auth:
  #     client_idle_timeout_message: "Connection closed after 2hours without activity"
  teleportConfig: {}

-# proxy contains values specific for the proxy pods
-# You can override chart-scoped values, for example
+# `proxy` allows you to set chart values only for Kubernetes resources related to the Teleport Proxy Service. 
+# This is merged with chart-scoped values and takes precedence in case of conflict.
+# For example:
 # proxy:
 #   postStart: ["curl", "http://hook"]
 #   imagePullPolicy: Always
+#   annotations:
+#     service:
+#       external-dns.alpha.kubernetes.io/hostname: "teleport.example.com"
 proxy:
  # proxy.teleportConfig contains YAML teleport configuration for proxy pods
  # The configuration will be merged with the chart-generated configuration